OAuth configuration 4 – Add trusted OAuth Identity Provider
After creating an OAuth client user and assigning it the permissions to call the OAuth-protected OData service, it is time to start the actual OAuth client configuration. First, add an OAuth Identity Provider (IdP).
The OAuth IdP that NetWeaver ABAP accepts is a normal SAML 2.0 IdP, because NW ABAP uses the OAuth SAML2-Bearer flow. In that flow, the user authenticates at a SAML 2.0 IdP and sends the SAML 2.0 response to NW ABAP, which validates it to confirm that the user authenticated successfully at the SAML 2.0 IdP.
Start adding a trusted OAuth IdP to NW ABAP by calling the web app saml2.
Tx: SOAUTH2
This will open your web browser and call the Web Dynpro app saml2. In NPL, the URL is: https://vhcalnplci:44300/sap/bc/webdynpro/sap/saml2?TRUSTED_PROVIDER_TYPE=OA2#
Add a new Trusted IdP for OAuth by uploading the metadata of the IdP. I blogged about how to get the metadata from Keycloak.
Go through the setup wizard.
Keycloak includes one signing certificate. You can take a look at its details.
Click on finish and the OAuth 2.0 IdP gets imported.
The OAuth 2.0 IdP is not enabled yet. This will be done in my next blog.
3 Comments
Rafael Chagas · June 4, 2020 at 19:43
Great job!
Gregor · August 16, 2023 at 17:23
Hi Tobias,
you mention tx: SOAUTH2. But I think in this step the transaction code is SAML2 or?
CU
Gregor
Tobias Hofmann · August 18, 2023 at 17:56
There are two transactions: SAML2 for SAML 2.0 configuration, and SOAUTH2 for OAuth.
If I remember correctly, it doesn’t really matter which one you call. In the main screen of the UI you can select if you want to configure OAuth or SAML.
“To call the OAuth 2.0 administration screen, start transaction SOAUTH2. The OAuth 2.0 administration screen contains a section showing all inbound OAuth 2.0 clients and a details section.”
https://help.sap.com/doc/saphelp_nw75/7.5.5/en-US/8d/d7981f2fdf43049fde35ba68e97ad5/content.htm?no_cache=true