Interface AuthenticationHeaderProvider


public interface AuthenticationHeaderProvider
The AuthenticationHeaderProvider provides methods for generating authentication headers for access to on-premise systems and to applications deployed on the same SCP landscape.
Web applications can access AuthenticationHeaderProvider via JNDI lookup or resource injection.
  • Method Details

    • getAppToAppSSOHeader

      AuthenticationHeader getAppToAppSSOHeader(String requestURL)
      Generates authentication header for SSO with other applications on the same landscape. Generated header can be used only once and only for the specified request URL.
      The SSO header is valid only between applications that work on behalf of one and the same account, for which SSO is allowed.
      There are three prerequisites for using application-to-application SSO:
      • Both applications must reside in the same account
      • Principal Propagation must be enabled for the account
      • The receiving application must use SAML2 authentication
      Before adding this header ensure that there is no other header with the same name injected in the request. The name of AppToAppSSOHeader can be accessed via AuthenticationHeader.getName().
      Parameters:
      requestURL - the URL for which the generated headers will be used.
      Returns:
      Authentication header which can be used for SSO with other applications on the same landscape.
      Throws:
      IllegalArgumentException - if there is no logged-in user.
      IllegalStateException - if there is a problem obtaining the AppToAppSSOHeader.
    • getApptoAppSSOHeader

      AuthenticationHeader getApptoAppSSOHeader(String requestURL, DestinationConfiguration destinationConfiguration)
      Generates authentication header for SSO with other applications or systems. Generated header can be used only once and only for the specified request URL.
      This method allows, for example, changing the audience attribute of the issued SAML2 assertion so that it can be sent to applications or systems outside of the current account.
      If the passed DestinationConfiguration has an attribute named saml2_audience, its value is set as the audience attribute of the issued SAML2 assertion. If not, calling this method returns the same value as calling getAppToAppSSOHeader(String).

      There are three prerequisites for using application-to-application SSO:
      • The receiving system or application must use SAML2 authentication
      • The local configuration should be added as trusted SAML IDP in the receiving system or application
      • Principal Propagation must be enabled for the sending account
      Before adding this header ensure that there is no other header with the same name injected in the request. The name of AppToAppSSOHeader can be accessed via AuthenticationHeader.getName().
      Parameters:
      requestURL - the URL for which the generated headers will be used.
      destinationConfiguration - the destination configuration; must be retrieved via the com.sap.core.connectivity.destinations.configuration.ConfigurationProvider interface.
      Returns:
      Authentication header which can be used for SSO with other systems that trust the local configuration of the account.
      Throws:
      IllegalArgumentException - if the configuration properties are not configured correctly, the authentication type is not AppToAppSSO, or there is no logged-in user.
      IllegalStateException - if there is a problem obtaining the AppToAppSSOHeader.
    • getPrincipalPropagationHeader

      AuthenticationHeader getPrincipalPropagationHeader()
      Generates header for principal propagation to on-premise systems.
      Returns:
      Authentication header which can be used for principal propagation to on-premise systems.
      Throws:
      IllegalArgumentException - if there is no logged-in user.
      IllegalStateException - if there is a problem obtaining the PrincipalPropagationHeader.
    • getSAPAssertionHeader

      AuthenticationHeader getSAPAssertionHeader(DestinationConfiguration destinationConfiguration)
      Generates authentication header for SAPAssertionSSO destination.
      An SAP assertion ticket is generated for destinations with authentication type SAPAssertionSSO in order to propagate the currently logged-on user to an SAP back-end system. Note that generating such an assertion ticket is a CPU-intensive operation; the ticket should be generated only once per user session.
      Before adding this header ensure that there is no other header with the same name injected in the request. The name of SAPAssertionHeader can be accessed via AuthenticationHeader.getName().
      Parameters:
      destinationConfiguration - the SAPAssertionSSO destination for which an authentication header will be generated. Must be retrieved via the com.sap.core.connectivity.destinations.configuration.ConfigurationProvider interface.
      Returns:
      the generated authentication header.
      Throws:
      IllegalArgumentException - if the configuration properties are not configured correctly, the authentication type is not SAPAssertionSSO, or there is no logged-in user.
      IllegalStateException - if there is a problem obtaining the SAPAssertionHeader.
    • getOAuth2SAMLBearerAssertionHeaders

      List<AuthenticationHeader> getOAuth2SAMLBearerAssertionHeaders(DestinationConfiguration destinationConfiguration)
      Generates authentication headers for OAuth2SAMLBearerAssertion destination.
      An OAuth access token is generated for destinations with authentication type OAuth2SAMLBearerAssertion so that OAuth-protected resources can be consumed. Generating access tokens is a time-consuming operation. To mitigate this, there is a built-in user-to-token cache that automatically renews tokens before they expire, i.e., when a token is about to expire, a new token is created shortly before the expiration of the old one. The cache key is the value of the property specified in userIdSource. If userIdSource is not specified, the cache key is the userId of the logged-in user. If SystemUser is used, it also serves as the cache key.
      Parameters:
      destinationConfiguration - the OAuth2SAMLBearerAssertion destination for which authentication headers will be generated. Must be retrieved via the com.sap.core.connectivity.destinations.configuration.ConfigurationProvider interface.
      Returns:
      the generated authentication headers.
      Throws:
      IllegalArgumentException - if the configuration properties are not configured correctly, the authentication type is not OAuth2SAMLBearerAssertion, or there is no logged-in user.
      IllegalStateException - if there is a problem obtaining the OAuth2SAMLBearerAssertionHeaders.
    • getOAuth2ClientCredentialsHeader

      AuthenticationHeader getOAuth2ClientCredentialsHeader(DestinationConfiguration destinationConfiguration)
      Generates authentication header for OAuth2ClientCredentials destination.
      An OAuth access token is generated for destinations with authentication type OAuth2ClientCredentials so that OAuth-protected resources can be consumed. Generating access tokens is a time-consuming operation. To mitigate this, there is a built-in client-id-to-token cache that automatically renews tokens before they expire, i.e., when a token is about to expire, a new token is created shortly before the expiration of the old one.
      Parameters:
      destinationConfiguration - the OAuth2ClientCredentials destination for which an authentication header will be generated. Must be retrieved via the com.sap.core.connectivity.destinations.configuration.ConfigurationProvider interface.
      Returns:
      the generated authentication header.
      Throws:
      IllegalArgumentException - if the configuration properties are not configured correctly or the authentication type is not OAuth2ClientCredentials.
      IllegalStateException - if there is a problem obtaining the OAuth2ClientCredentials.
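
One way to honor the rules stated for getAppToAppSSOHeader (header is single-use, bound to the request URL, and no other header with the same name may be present). This is an added example, not code from the SAP SDK. The two nested interfaces are stand-ins so it compiles without the SDK; getValue(), the header name, the URL and the fake provider are assumptions made for illustration.

```java
import java.util.Map;
import java.util.TreeMap;

public class AppToAppSsoExample {
    // Stand-ins for the SAP types so this compiles without the SDK.
    // getName() is documented on this page; getValue() is assumed.
    interface AuthenticationHeader { String getName(); String getValue(); }
    interface AuthenticationHeaderProvider {
        AuthenticationHeader getAppToAppSSOHeader(String requestURL);
    }

    /** Builds the header set for exactly one request to requestUrl. */
    static Map<String, String> headersFor(AuthenticationHeaderProvider provider,
            String requestUrl, Map<String, String> callerHeaders) {
        // HTTP header names are case-insensitive, so compare them that way.
        Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.putAll(callerHeaders);
        // Single-use and URL-bound: generate per request, never cache.
        AuthenticationHeader sso = provider.getAppToAppSSOHeader(requestUrl);
        // Reject a pre-existing header of the same name (for example one
        // copied from the inbound request) instead of sending both.
        if (headers.containsKey(sso.getName())) {
            throw new IllegalStateException(
                "request already carries header " + sso.getName());
        }
        headers.put(sso.getName(), sso.getValue());
        return headers;
    }

    public static void main(String[] args) {
        // Constructed fake provider; header name and value are placeholders.
        AuthenticationHeaderProvider fake = u -> new AuthenticationHeader() {
            public String getName() { return "X-Example-SSO"; }
            public String getValue() { return "token-for:" + u; }
        };
        String url = "https://receiver.example.invalid/api/orders";
        System.out.println(headersFor(fake, url, Map.of("Accept", "application/json")));
        try {
            // Same header name in different case must still be detected.
            headersFor(fake, url, Map.of("x-example-sso", "stale"));
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same same-name check applies to the headers returned by getApptoAppSSOHeader(String, DestinationConfiguration) and getSAPAssertionHeader, which carry the identical precondition.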