
Principal Propagation to S/4 with App-To-App SSO

I'm unable to call S/4 with Principal Propagation when coming from an App-To-App SSO request. Is this scenario supported by the SDK?

We have an HTML5 app in SCP Neo, and a Java app in the same subaccount. Our intention is to let the HTML5 app fetch the SAML2 token (from an external IdP), then forward the token to the Java app using App-To-App SSO, and ultimately call S/4 using Principal Propagation with the original SAML2 token (from the IdP).

Summarizing, the following is the request flow:

  1. HTML5 app gets a SAML2 token from the external IdP
  2. HTML5 app calls the Java app via a destination with App-To-App SSO
  3. Java app calls S/4 via a destination with Principal Propagation

Our expectation is that on step 3, the request to S/4 would use the SAML2 token from step 1. Instead, it seems SCP creates another SAML2 token when calling the destination with App-To-App SSO.

With this configuration, the S/4 SDK is not able to fetch the metadata, and it doesn't even reach the cloud connector. Instead, it fails to build the Principal Propagation header, raising an exception as presented in the stack trace below:

2019 06 13 14:21:05#+00#ERROR#com.sap.cloud.sdk.odatav2.connectivity.internal.ODataConnectivityUtil##anonymous#hystrix-***OMITTED***.persistence.CreateChangeMasterCommand\#t=\#u=-1#na#***OMITTED***#***OMITTED***#web#***OMITTED***#na#na#na#na#Error occurred during create operation of Type : com.sap.cloud.sdk.odatav2.connectivity.ODataException: Unable to fetch the metadata : Error fetching the metadata |

2019 06 13 14:21:05#+00#ERROR#com.sap.cloud.sdk.odatav2.connectivity.cache.metadata.GuavaMetadataCache##anonymous#hystrix-***OMITTED***.changemaster.persistence.CreateChangeMasterCommand\#t=\#u=-1#na#***OMITTED***#***OMITTED***#web#***OMITTED***#na#na#na#na#Error occurred while populating metadata :  com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException: Failed to get the request headers for destination 'srv_Fiori_PP' (request URI: http://fiorisrvpp:8200/sap/opu/odata/sap/API_CHANGEMASTER;v=2/$metadata).
    at com.sap.cloud.sdk.cloudplatform.connectivity.ScpNeoDestination.getAuthenticationHeaders(ScpNeoDestination.java:317)
    at com.sap.cloud.sdk.cloudplatform.connectivity.ScpNeoDestination.getHeaders(ScpNeoDestination.java:388)
    at com.sap.cloud.sdk.cloudplatform.connectivity.HttpClientWrapper.wrapRequest(HttpClientWrapper.java:88)
    at com.sap.cloud.sdk.cloudplatform.connectivity.HttpClientWrapper.execute(HttpClientWrapper.java:99)
    at com.sap.cloud.sdk.odatav2.connectivity.cache.metadata.GuavaMetadataCache.getEdm(GuavaMetadataCache.java:236)
    at com.sap.cloud.sdk.odatav2.connectivity.cache.metadata.GuavaMetadataCache.getEdm(GuavaMetadataCache.java:155)
    at com.sap.cloud.sdk.odatav2.connectivity.internal.ODataConnectivityUtil.readMetadataWithCSRF(ODataConnectivityUtil.java:65)
    at com.sap.cloud.sdk.odatav2.connectivity.impl.ODataCreateRequestImpl.create(ODataCreateRequestImpl.java:193)
    at com.sap.cloud.sdk.odatav2.connectivity.impl.ODataCreateRequestImpl.handleExecute(ODataCreateRequestImpl.java:391)
    at com.sap.cloud.sdk.odatav2.connectivity.impl.ODataCreateRequestImpl.execute(ODataCreateRequestImpl.java:140)
    at com.sap.cloud.sdk.odatav2.connectivity.impl.ODataCreateRequestImpl.execute(ODataCreateRequestImpl.java:361)
    at com.sap.cloud.sdk.s4hana.datamodel.odata.helper.FluentHelperCreate.execute(FluentHelperCreate.java:163)
    at ***OMITTED***.changemaster.persistence.CreateChangeMasterCommand.run(CreateChangeMasterCommand.java:42)
    at ***OMITTED***.changemaster.persistence.CreateChangeMasterCommand.run(CreateChangeMasterCommand.java:14)
    at com.netflix.hystrix.HystrixCommand$2.call(HystrixCommand.java:302)
    at com.netflix.hystrix.HystrixCommand$2.call(HystrixCommand.java:298)
    at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:46)
    at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:35)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:51)
    at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:35)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OnSubscribeDoOnEach.call(OnSubscribeDoOnEach.java:41)
    at rx.internal.operators.OnSubscribeDoOnEach.call(OnSubscribeDoOnEach.java:30)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OperatorSubscribeOn$SubscribeOnSubscriber.call(OperatorSubscribeOn.java:100)
    at com.netflix.hystrix.strategy.concurrency.HystrixContexSchedulerAction$1.call(HystrixContexSchedulerAction.java:56)
    at com.netflix.hystrix.strategy.concurrency.HystrixContexSchedulerAction$1.call(HystrixContexSchedulerAction.java:47)
    at com.sap.cloud.sdk.cloudplatform.concurrency.ScpNeoUserSessionCallable.call(ScpNeoUserSessionCallable.java:78)
    at com.sap.core.tenant.service.impl.TenantServiceImpl.execute(TenantServiceImpl.java:126)
    at com.sap.cloud.account.impl.TenantContextImpl.execute(TenantContextImpl.java:49)
    at com.sap.cloud.sdk.cloudplatform.concurrency.ScpNeoTenantCallable.call(ScpNeoTenantCallable.java:98)
    at com.netflix.hystrix.strategy.concurrency.HystrixContexSchedulerAction.call(HystrixContexSchedulerAction.java:69)
    at rx.internal.schedulers.ScheduledAction.run(ScheduledAction.java:55)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:836)
Caused by: com.netflix.hystrix.exception.HystrixRuntimeException: com.sap.cloud.sdk.cloudplatform.connectivity.GetAuthHeadersCommand\#t=d1055fe8-b703-4672-aaf8-e84fd0456508\#u=\#srv_Fiori_PP failed and fallback disabled.
    at com.netflix.hystrix.AbstractCommand.handleFallbackDisabledByEmittingError(AbstractCommand.java:1052)
    at com.netflix.hystrix.AbstractCommand.getFallbackOrThrowException(AbstractCommand.java:878)
    at com.netflix.hystrix.AbstractCommand.handleFailureViaFallback(AbstractCommand.java:1034)
    at com.netflix.hystrix.AbstractCommand.access$700(AbstractCommand.java:60)
    at com.netflix.hystrix.AbstractCommand$12.call(AbstractCommand.java:621)
    at com.netflix.hystrix.AbstractCommand$12.call(AbstractCommand.java:601)
    at rx.internal.operators.OperatorOnErrorResumeNextViaFunction$4.onError(OperatorOnErrorResumeNextViaFunction.java:140)
    at rx.internal.operators.OnSubscribeDoOnEach$DoOnEachSubscriber.onError(OnSubscribeDoOnEach.java:87)
    at rx.internal.operators.OnSubscribeDoOnEach$DoOnEachSubscriber.onError(OnSubscribeDoOnEach.java:87)
    at com.netflix.hystrix.AbstractCommand$HystrixObservableTimeoutOperator$3.onError(AbstractCommand.java:1194)
    at rx.internal.operators.OperatorSubscribeOn$SubscribeOnSubscriber.onError(OperatorSubscribeOn.java:80)
    at rx.observers.Subscribers$5.onError(Subscribers.java:230)
    at rx.internal.operators.OnSubscribeDoOnEach$DoOnEachSubscriber.onError(OnSubscribeDoOnEach.java:87)
    at rx.observers.Subscribers$5.onError(Subscribers.java:230)
    at com.netflix.hystrix.AbstractCommand$DeprecatedOnRunHookApplication$1.onError(AbstractCommand.java:1431)
    at com.netflix.hystrix.AbstractCommand$ExecutionHookApplication$1.onError(AbstractCommand.java:1362)
    at rx.observers.Subscribers$5.onError(Subscribers.java:230)
    at rx.observers.Subscribers$5.onError(Subscribers.java:230)
    at rx.internal.operators.OnSubscribeThrow.call(OnSubscribeThrow.java:44)
    at rx.internal.operators.OnSubscribeThrow.call(OnSubscribeThrow.java:28)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:51)
    ... 30 common frames omitted
Caused by: com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException: java.lang.IllegalArgumentException: No logged-in user
    at com.sap.cloud.sdk.cloudplatform.connectivity.GetAuthHeadersCommand.getAuthenticationHeaders(GetAuthHeadersCommand.java:242)
    at com.sap.cloud.sdk.cloudplatform.connectivity.GetAuthHeadersCommand.run(GetAuthHeadersCommand.java:125)
    at com.sap.cloud.sdk.cloudplatform.connectivity.GetAuthHeadersCommand.run(GetAuthHeadersCommand.java:41)
    at com.netflix.hystrix.HystrixCommand$2.call(HystrixCommand.java:302)
    at com.netflix.hystrix.HystrixCommand$2.call(HystrixCommand.java:298)
    at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:46)
    ... 30 common frames omitted
Caused by: java.lang.IllegalArgumentException: No logged-in user
    at com.sap.core.connectivity.apiext.impl.authentication.PrincipalInformationProvider.getGenericCredentials(PrincipalInformationProvider.java:125)
    at com.sap.core.connectivity.apiext.impl.authentication.PrincipalInformationProvider.getPrincipalCredentials(PrincipalInformationProvider.java:51)
    at com.sap.core.connectivity.apiext.impl.authentication.AuthenticationHeaderProviderImpl.getPrincipalPropagationHeader(AuthenticationHeaderProviderImpl.java:53)
    at com.sap.cloud.sdk.cloudplatform.connectivity.GetAuthHeadersCommand.getAuthenticationHeaders(GetAuthHeadersCommand.java:198)
    ... 35 common frames omitted

I'm certain the cloud connector configuration (including trust configuration) is correct, since Principal Propagation works perfectly if I call the Java app directly. The issue only happens if the request comes from the HTML5 app.

Could you please help me understand why this scenario isn't working? Thank you.
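The innermost cause in the trace above is `java.lang.IllegalArgumentException: No logged-in user`, thrown while the SDK asks the platform for Principal Propagation credentials. That exception only says that the Java app's request carried no authenticated principal at the moment the destination was resolved; it does not say why. A quick way to confirm that at the boundary, before any destination call, is a servlet filter that inspects what the container established for the request. The following is an added example, not code from the question or from the SAP Cloud SDK; it assumes a Servlet 3.0 container (`javax.servlet`, as on SCP Neo) and a hypothetical `/api/*` URL pattern for the endpoints the HTML5 app calls.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Fails fast when a request reaches the Java app without an authenticated
 * principal. Principal Propagation can only forward an identity that the
 * container established for this request, so a missing principal here is
 * the same condition that later surfaces as "No logged-in user" deep inside
 * a Hystrix command. The URL pattern is an assumption for illustration.
 */
@WebFilter(urlPatterns = "/api/*")
public class RequirePrincipalFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Principal principal = request.getUserPrincipal();
        String authType = request.getAuthType();

        if (principal == null) {
            // Nothing for the SDK to propagate: refuse at the boundary with a
            // clear status instead of letting the destination lookup fail
            // several layers down with a generic DestinationAccessException.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                "No authenticated user on this request; Principal Propagation requires one.");
            return;
        }

        // Record what the container saw. Compare this line between a direct
        // browser call to the Java app and a call that arrived through the
        // App-To-App SSO destination: if the name or auth type differs, the
        // identity reaching the SDK is not the one from the original IdP login.
        request.getServletContext().log(String.format(
            "principal=%s authType=%s path=%s",
            principal.getName(), authType, request.getRequestURI()));

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The filter runs before the request handler, so any 401 it returns is seen by the HTML5 app as an HTTP error rather than as a stack trace in the Java app's log. The logged `authType` is whatever the container's login configuration produced for the request, which is the value worth comparing between the direct path and the App-To-App SSO path.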
