Outbound Authentication with SAP Cloud Integration

When we talk about outbound communication where SAP Cloud Integration acts as a client, we must mention that SAP Cloud Integration doesn’t offer any choices about how the user associated with the outbound request should be authorized to execute certain actions in the receiver system.

Therefore, as an integration developer, you can’t specify any authorization options. This situation is plausible for the following reason: How the permissions of a calling entity are checked can only be defined by the technical capabilities of the server (in the outbound communication case, the receiver system). Because SAP Cloud Integration (as a client in this case) can’t decide which technical capabilities are offered by the receiver system, SAP Cloud Integration cannot allow you to specify any authorization options in a receiver adapter.

However, in a receiver adapter, you can specify the Authentication option supported by the client (SAP Cloud Integration, in this case). You can easily verify this fact by creating a receiver channel that supports HTTP communication (e.g., a receiver HTTP adapter), as shown below.

Specifying an Authentication option makes sense because SAP Cloud Integration can provide the required artifacts for each authentication option.

The sections below summarize the different authentication options available and provide information on the related integration artifacts to consider when configuring each communication option.

Basic
SAP Cloud Integration is authenticated against a receiver system based on user credentials (user name and password). When you configure basic authentication for outbound communication, you need to complement the related receiver adapter setting by defining a security artifact that contains the credentials (a User Credentials artifact).

This option is supported by the following receiver adapter types: AS2, AS4, OData V2, OData V4, HTTPS, IDoc, ODC, SOAP SAP RM, SOAP 1.X, SuccessFactors OData V2, XI.

Client Certificate
SAP Cloud Integration is authenticated against a receiver system based on a client certificate. A client certificate (including public and private key) and a receiver server root certificate, which is accepted by the receiver, need to be part of the Keystore deployed on the tenant. In the receiver adapter settings of the integration flow, the private key alias of the certificate can be modified to indicate that a specific key pair must be used for this step. If you don’t specify a private key alias, any appropriate key in the Keystore is used.

This option is supported by the following receiver adapter types: Ariba, AS2, AS4, OData V2, HTTP, IDoc, SOAP SAP RM, SOAP 1.x, XI.

Principal Propagation
SAP Cloud Integration is authenticated against a receiver system by forwarding the identity (principal) of the user (associated with the inbound request) to the SAP Cloud Connectivity service and from there to the receiver system (which can be, e.g., an on-premise SAP system).

Consequently, this option can only be selected when you’ve chosen On-Premise for the Proxy Type option, meaning you’ve configured outbound connectivity to an on-premise system through the SAP Cloud Connectivity service.

The following adapter settings are relevant when configuring the Authentication setting Principal Propagation.

In most HTTP-based adapters (e.g., the SOAP and IDoc adapters), you’ll find the attribute Proxy Type. In the scenarios we cover in this book, we always kept the default setting of this attribute (Internet), which ensures that the tenant can connect to another system through the Internet (e.g., over HTTP).

The other option for the Proxy Type attribute is On-Premise. Using this option, the tenant can connect to an on-premise system through the SAP Connectivity service.

When setting up such a scenario, you’ll also need to install an additional component in your on-premise landscape: the SAP Connectivity service, referred to as the cloud connector, which acts as a proxy for requests coming from the Internet that try to access your on-premise system. See how to set up the cloud connector in this post.

If you use multiple cloud connector instances in your system landscape, you’ll also need to specify a Location ID. With this attribute, you can identify the cloud connector instance you want to use for your connection.

You might have noticed that, when you select On-Premise from the Proxy Type dropdown list, the Authentication option Client Certificate is deactivated. This expresses the fact that when using the SAP Connectivity service, this authentication option isn’t supported in the respective receiver adapter. If client certificate authentication is nevertheless required for such a connection, you’ll need to configure this authentication option when setting up the SAP Connectivity service.

Setting up a scenario with this authentication option requires comprehensive configuration steps at the inbound and outbound side of SAP Cloud Integration, as well as in the SAP Cloud Connectivity service and the receiver back-end system.
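The constraints described above (which adapter types list Basic or Client Certificate, and how Proxy Type restricts the Authentication option) can be checked before deployment. The following is an added example, not code from SAP or from the original text; the dictionary keys (`adapter`, `proxy_type`, `authentication`, `credential_name`, `private_key_alias`) are a hypothetical representation of a receiver channel, not an SAP export format.

```python
# Added example: lint receiver-channel authentication settings against the
# rules stated in this article. The channel dict layout is hypothetical.
BASIC = {"AS2", "AS4", "OData V2", "OData V4", "HTTPS", "IDoc", "ODC",
         "SOAP SAP RM", "SOAP 1.x", "SuccessFactors OData V2", "XI"}
CLIENT_CERT = {"Ariba", "AS2", "AS4", "OData V2", "HTTP", "IDoc",
               "SOAP SAP RM", "SOAP 1.x", "XI"}

def lint_channel(ch):
    """Return a list of findings for one receiver channel (empty = consistent)."""
    findings = []
    adapter = ch.get("adapter")
    auth = ch.get("authentication")
    proxy = ch.get("proxy_type", "Internet")  # Internet is the default setting

    if auth == "Basic":
        if adapter not in BASIC:
            findings.append(f"Basic is not listed for adapter type {adapter}")
        if not ch.get("credential_name"):
            findings.append("Basic needs a User Credentials artifact")
    elif auth == "Client Certificate":
        if adapter not in CLIENT_CERT:
            findings.append(f"Client Certificate is not listed for adapter type {adapter}")
        if proxy == "On-Premise":
            findings.append("Client Certificate is deactivated with Proxy Type "
                            "On-Premise; configure it in the connectivity service")
        if not ch.get("private_key_alias"):
            findings.append("no private key alias: any appropriate key in the "
                            "Keystore is used")
    elif auth == "Principal Propagation":
        if proxy != "On-Premise":
            findings.append("Principal Propagation requires Proxy Type On-Premise")
    else:
        findings.append(f"unknown authentication option: {auth!r}")
    return findings

# Constructed sample channels (not taken from a real tenant).
SAMPLES = {
    "orders": {"adapter": "OData V4", "authentication": "Basic",
               "credential_name": "ERP_USER"},
    "idoc": {"adapter": "IDoc", "authentication": "Client Certificate",
             "proxy_type": "On-Premise", "private_key_alias": "cpi_client"},
    "soap": {"adapter": "SOAP 1.x", "authentication": "Principal Propagation"},
}

def lint_all(channels):
    return {name: lint_channel(ch) for name, ch in channels.items()}

if __name__ == "__main__":
    for name, found in lint_all(SAMPLES).items():
        print(name, "OK" if not found else found)
```
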