1

Does SAP S/4HANA on Premise support outbound communication with OAuth 2.0 client_Credentials to send an IDoc (or whatever) via http to an OAuth 2.0 protected endpoint?

The question is probably very simple but it seems like SAP is trying to do everything to hide the answer if you do not want to pay a lot of money.

Thanks in advance.

Sandra Rossi
emch2

1 Answer

0

Yes, indeed, it does.

Here is a detailed guide on how to do this, with sample implementation scenarios:

https://wiki.scn.sap.com/wiki/display/Security/OAuth+2.0+-+Integrating+access+protected+web+services+using+the+OAuth+2.0+Client

The core component of communication through OAuth is the OAuth 2.0 Client, which has been available since ABAP 740 and in all subsequent S4HANA releases, tcode OA2C_CONFIG.

For sending IDocs you should create an HTTP destination with OAuth authentication in HANA SM59 and send IDocs to it in XML form (described here).

Creation of OAuth HTTP destination:

  1. Access the SM59 transaction.
  2. In the RFC Connections table, choose HTTP Connection to External Server. Then, choose Create, which is the paper icon.

  3. In the Technical Settings tab, proceed as follows:
  • In the Target Host field, fill out the URL
  • Enter 443 in the Service No. field.
  • Enter /oauth/token?grant_type=client_credentials in the Path Prefix field.


(source: sap.com)

  4. In the Logon & Security tab, Logon With User section, proceed as follows:
  • Choose Basic Authentication.

  • In the User field, enter your client ID from the Service Key

  • In the Password field, enter your client secret from the Service Key


(source: sap.com)

  5. [OPTIONAL] In the Logon & Security tab, Security Options section, proceed as follows:
  • Choose Active in the SSL option.

  • Choose DFAULT SSL Client (Standard) in the SSL Certificate dropdown list.


(source: sap.com)

  6. Click the Connection Test button to complete this task.

To consume OAuth-protected APIs in an ABAP program you need to create an OAuth Client profile, with some additional steps. The communication model will be the following:

Here is the detailed example of implementation:

https://wiki.scn.sap.com/wiki/display/Security/Access+Google+APIs+using+the+OAuth+2.0+Client+API.

Due to the abundance of integration scenarios it's difficult to describe them all; every configuration is different.

P.S. Some of the points about S4Hana communication config were already given by me in your question 6 months ago.

Glorfindel
Suncatcher
  • Hi suncatcher, thanks for the answer. What I am missing is how to connect the http destination to the oauth client. Unfortunately your link "create HTTP destination" does not work. And yes I remember your answer. Sorry for that. The world of SAP is still pretty fuzzy for me – emch2 Nov 26 '20 at 17:51
  • `Unfortunately your link "create HTTP destination"` Put the contents of the link into the answer. If you consume APIs from 3rd-party system you define OAuth parameters in [OAuth Client profile](https://wiki.scn.sap.com/wiki/download/attachments/391217972/OA2P%20-%20SE80.png?version=1&modificationDate=1407401405000&api=v2), the above destination is relevant only for IDocs – Suncatcher Nov 27 '20 at 09:12
  • Hi and thanks for the answer... I feel bad to ask you again. Is it possible that if you create an idoc of a special type, the destination is triggered and sends the idoc? I see you create a destination to get the credentials but in my understanding you need some abap code to glue that together. What I want is simply that new idocs of type ORDERS are sent to an SAP Cloud Integration Iflow that is protected by OAuth... So the destination has to catch the credentials first and then make the request to another endpoint. – emch2 Dec 01 '20 at 15:27
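
The two-step exchange discussed in this thread (a token request with the client ID and secret as Basic credentials, then the IDoc POST carrying the returned bearer token), as an added example that is not part of the original answer and not SAP code. It builds both requests without sending them; the host names, the `/http/orders` path, the sample XML and all function names are assumptions.

```python
import base64
import json
import time
from urllib.parse import urlsplit
from urllib.request import Request

# Constructed placeholders; real values come from the service key.
TOKEN_URL = "https://auth.example.invalid/oauth/token?grant_type=client_credentials"
IDOC_URL = "https://cpi.example.invalid/http/orders"    # hypothetical iFlow endpoint
SAMPLE_IDOC = '<ORDERS05><IDOC BEGIN="1"/></ORDERS05>'  # constructed, not a full IDoc

def _require_https(url):
    # Both the client secret and the bearer token are replayable if sent in clear.
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-TLS URL")
    return url

def build_token_request(client_id, client_secret, token_url=TOKEN_URL):
    """Step 1: client ID and secret as HTTP Basic auth on the token endpoint.
    grant_type stays in the query string, as in the Path Prefix on this page."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return Request(_require_https(token_url), data=b"", method="POST",
                   headers={"Authorization": f"Basic {basic}"})

def parse_token_response(body, now=None):
    """Validate the token endpoint's JSON; return (access_token, renew_at)."""
    doc = json.loads(body)
    if "error" in doc:
        raise PermissionError(f"token endpoint refused: {doc['error']}")
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("response carries no bearer token")
    now = time.time() if now is None else now
    # Renew 60 s before expiry so an in-flight IDoc never carries a stale token.
    return doc["access_token"], now + int(doc.get("expires_in", 0)) - 60

def build_idoc_request(access_token, idoc_xml=SAMPLE_IDOC, url=IDOC_URL):
    """Step 2: POST the IDoc XML to the protected endpoint with the bearer token."""
    return Request(_require_https(url), data=idoc_xml.encode("utf-8"), method="POST",
                   headers={"Authorization": f"Bearer {access_token}",
                            "Content-Type": "application/xml"})

if __name__ == "__main__":
    token, renew_at = parse_token_response(
        '{"access_token": "constructed-token", "token_type": "bearer", "expires_in": 3600}')
    print(build_idoc_request(token).get_header("Authorization"))
```
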