Browser-based access to the xLeave cloud application and AS end-user UI requires the configuration of additional identity federation settings to pass the user’s attributes to the application.
What to do / What you will see
In the SAP HANA Cloud Cockpit, switch to the Trusted Identity Provider tab in the Trust settings of your account.
Click on the localidp entry to open its settings.
Switch back from the Android emulator’s alias 10.0.2.2 to localhost by changing the Single Sign-on URL and Single Logout URL accordingly.
Switch to the Attributes tab in the localidp’s configuration settings.
Click on the link Add Assertion-Based Attribute to pass a new attribute from the SAML Assertion to the application.
Configure the new attribute:
  Assertion Attribute: firstname    Principal Attribute: firstname
Repeat the two previous steps for the following assertion attributes:
  Assertion Attribute: lastname     Principal Attribute: lastname
  Assertion Attribute: email        Principal Attribute: email
  Assertion Attribute: department   Principal Attribute: department
Click on Save & Close.
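The attribute mapping configured above, shown as an added example (not the platform's own code): a constructed SAML assertion for jdoe is reduced to exactly the four configured principal attributes, while an unconfigured attribute the IdP happens to send (here a constructed "role") never reaches the application. Signature and validity-condition checks are assumed to have happened before this step.

```python
"""Apply an assertion-attribute -> principal-attribute mapping to a SAML
assertion, mirroring the localidp "Assertion-Based Attribute" settings.
Added example; the assertion below is constructed, not a real IdP response."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Mapping configured in the tutorial: assertion attribute -> principal attribute
ATTRIBUTE_MAPPING = {
    "firstname": "firstname",
    "lastname": "lastname",
    "email": "email",
    "department": "department",
}

# Constructed sample assertion. Signature and Conditions (NotBefore/NotOnOrAfter)
# are assumed to have been verified already; this step only extracts attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>localidp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>Administrator</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def map_assertion_attributes(assertion_xml, mapping, required=()):
    """Return the principal attributes; only mapped attributes are passed on.
    `required` lists assertion attribute names that must be present."""
    root = ET.fromstring(assertion_xml)
    principal = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if name not in mapping:
            continue  # unconfigured attributes (e.g. an IdP-sent role) are dropped
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        principal[mapping[name]] = values[0] if len(values) == 1 else values
    missing = [a for a in required if mapping[a] not in principal]
    if missing:
        raise ValueError("assertion lacks required attributes: %s" % missing)
    return principal


if __name__ == "__main__":
    print(map_assertion_attributes(SAMPLE_ASSERTION, ATTRIBUTE_MAPPING))
```

Roles stay under the cockpit's Authorizations settings, not under IdP-supplied attributes, which is why the unmapped "role" value is discarded rather than trusted.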
To assign user jdoe the required web role in the Cloud, select Authorizations from the menu.
In the User field of the Users tab, enter jdoe and click on Show Roles.
Click Assign
Select Application xleave and Role Employee.
Click Save.
Click Java Applications and select the xleave application from the list.
Click on the Application URL.
You are redirected to the local test IdP.
Enter the test user’s credentials: user jdoe, password Abcd1234.
Click Log in.
You are logged on at the xLeave application and authorized in role Employee.
From the table headline, you can also see that the assertion attributes for first name, last name and department have been successfully passed through.
In the table, the leave request created in step 4 with the mobile client app is listed.
Click the Logout button in the upper right corner.
Next, you will revoke the OAuth access token for the xLeave Mobile client app with the AS end-user UI.
Go back to the browser tab with the SAP HANA Cloud Platform Cockpit.
Click on your account name, and select the link for the End User UI listed under OAuth URLs in the OAuth account-level settings.
A new browser tab opens, and you are again redirected to your account’s trusted IdP, the local test IdP.
Log on with the local test user jdoe, password Abcd1234.
Click Log in.
You are logged in to the AS end-user UI.
In the OAuth Tokens table, the access token issued to the xLeave Mobile Client app is listed.
To revoke the token, click on the Delete button in the column with label Actions.
Confirm the action with OK.
Next, try to retrieve the list of current leave requests with the xLeave mobile client app on the Android emulator.
An error message is shown that the leave requests could not be retrieved.
Because the access token has been revoked, the client application is no longer authorized to retrieve the leave requests on the user’s behalf.
Going back to the SAP HANA Cloud Platform Cockpit, an administrator’s search under Authorizations > Token for user jdoe’s access tokens also returns an empty list.
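Why the revocation takes effect immediately: the protected API does not trust the bearer token on its own but asks the central AS whether it is still valid on every request. The following is an added model of that check with constructed data (a scope name leave.read, a client id xleave-mobile and a sample leave request are all made up here); it is not the platform's implementation.

```python
"""Model of token issuance, verification via the central AS, and revocation,
following the tutorial's flow: client holds a token, the end-user UI deletes it,
the next API call fails and the admin's token search is empty. Added example."""
import secrets
import time


class AuthorizationServer:
    """Central AS: the only place that knows which tokens are still valid."""

    def __init__(self):
        self._tokens = {}  # token string -> metadata

    def issue(self, user, client_id, scope, ttl=3600):
        token = secrets.token_urlsafe(32)  # opaque, unguessable handle
        self._tokens[token] = {"user": user, "client_id": client_id,
                               "scope": set(scope), "expires": time.time() + ttl}
        return token

    def introspect(self, token):
        """RFC 7662-style answer: unknown, revoked or expired tokens are inactive."""
        meta = self._tokens.get(token)
        if meta is None or meta["expires"] <= time.time():
            return {"active": False}
        return {"active": True, **meta}

    def tokens_for_user(self, user):
        """What the administrator's search under Authorizations shows."""
        return [m for m in self._tokens.values() if m["user"] == user]

    def revoke(self, token):
        """What the Delete button in the end-user UI does; idempotent."""
        self._tokens.pop(token, None)


class LeaveRequestApi:
    """Resource server (the xLeave web API) verifying each token with the AS."""

    def __init__(self, auth_server):
        self._as = auth_server
        # constructed sample data keyed by user
        self._requests = {"jdoe": ["2013-08-12 to 2013-08-16 (vacation)"]}

    def list_leave_requests(self, bearer_token):
        info = self._as.introspect(bearer_token)
        if not info["active"]:
            return 401, {"error": "invalid_token"}       # RFC 6750 error codes
        if "leave.read" not in info["scope"]:
            return 403, {"error": "insufficient_scope"}
        return 200, list(self._requests.get(info["user"], []))
```

A self-contained token (for example a signed JWT checked only locally) would keep working until expiry after the user deleted it; the central verification is what makes the Delete button authoritative.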
SUMMARY
This tutorial covered a complete end-to-end scenario for accessing an OAuth-protected web API of an SAP HANA Cloud Platform application. From a developer’s perspective, no additional code needs to be implemented in the business application for supporting the OAuth authorization code grant flow, managing the user’s OAuth access tokens, and integrating with the central OAuth AS to verify a token received from an OAuth client application. This OAuth-as-a-Service is provided out-of-the-box by the platform to the applications running on top of it, and helps to simplify the implementation and security of modern, API-based web applications.
© 2013 SAP AG. All rights reserved.