Access Protected SAP Analytics Cloud Resources with OAuth Two-Legged Flow
- How to configure secure access to SAP Analytics Cloud resources with a two-legged OAuth flow
- The roles involved in the two- and three-legged OAuth flows
Prerequisites
- An administrator account on an SAP Analytics Cloud tenant
- An administrator account in the SAP Cloud Identity Authentication service tenant
- An administrator account on SAP Business Technology Platform
SAP Analytics Cloud (SAC) uses the OAuth 2.0 framework to secure access to the resources it exposes through REST APIs, for example the story APIs. SAC supports both the two-legged and the three-legged OAuth flow.
Both flows involve the following roles:
Resource Owner: User
The resource owner is the user who authorizes an application to access his or her account. The application's access is limited to the scope of the authorization granted, for example read or write access.
Client: Application
The client is the application that wants to access the user's resources. Before it can do so, that access must be authorized (by the user directly, or, in the two-legged flow, through the trust configured between the IDP and SAC), and the API must validate the authorization on every request.
Resource Server and Authorization Server: API
The resource server hosts the protected resources, here the SAC REST APIs. The authorization server verifies the identity of the user and then issues access tokens to the client application. In this scenario, SAC plays both roles.
Three-Legged versus Two-Legged OAuth 2.0 Flows
In the three-legged flow, all three roles take part actively: the user must explicitly authorize the client application to access the resources that the user owns, typically through a consent screen.
In the two-legged flow, on the other hand, the user is not prompted. Instead, the SAML bearer assertion that the client application received when the user logged in is exchanged behind the scenes for an SAP Analytics Cloud OAuth access token (the SAML 2.0 bearer assertion grant defined in RFC 7522). The authorization therefore rests on the trust relationship configured between the IDP and SAC: SAC accepts the assertion only if it is signed by the trusted IDP, addressed (Audience) to SAC's token endpoint, and still within its validity window.
Which flow to choose depends on the customer landscape. An enterprise landscape typically has a central IDP whose purpose is to manage identity federation and give end users an SSO experience across applications. In that landscape, implement the two-legged flow so that SAC content embedded in the OEM application is served without a second login prompt.
Overview of the Two-Legged Flow
The two-legged flow requires significant configuration, so before you start, review the following diagram and description for an overview of what you want to accomplish:
- Fetch the SAML bearer assertion.
  - The user tries to access the sample web application. The web application (the service provider) redirects the user to the IDP (Identity Provider).
  - The IDP presents a login page where the user enters credentials. After validating them, the IDP generates a SAML bearer assertion and sends it to the service provider.
- Exchange the SAML bearer assertion for the OAuth access token.
  - The service provider, which embeds the SAP Analytics Cloud resources via REST API, acts as the OAuth client: it posts the SAML bearer assertion to the SAC token endpoint and receives an OAuth access token in return.
  - The web application requests the protected resource from SAP Analytics Cloud by presenting the access token. SAC validates the token and, if it is valid, serves the request. The access token is sent in the Authorization request header using the Bearer authentication scheme.
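The exchange and the API call from the overview above, written out as HTTP messages. This is an added example, not SAP's code or part of the original tutorial: the token endpoint URL, API URL, client ID, client secret and the unsigned sample assertion are all placeholders (assumptions), and the grant type and base64url encoding follow RFC 7522 rather than any SAC-specific documentation. The `preflight` check is a client-side convenience for catching the two usual misconfigurations (wrong Audience, expired assertion) before the round trip; SAC enforces both on its side regardless.

```python
"""Added example (not SAP's code): the two-legged exchange as HTTP messages.

Step 1 (the IDP issuing the SAML assertion) is assumed to have happened.
Step 2 posts the assertion to the SAC token endpoint (RFC 7522 grant).
Step 3 calls a SAC REST API with the Bearer access token (RFC 6750).
TOKEN_URL, API_URL, CLIENT_ID, CLIENT_SECRET, SAMPLE_ASSERTION: placeholders.
"""
import base64
import calendar
import json
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SAML_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholders (assumption): substitute the tenant's real endpoints and client.
TOKEN_URL = "https://sac.example.com/oauth/token"
API_URL = "https://sac.example.com/api/v1/stories"
CLIENT_ID = "sac-oauth-client"
CLIENT_SECRET = "replace-me"  # load from secure storage in a real deployment

# Constructed, unsigned sample assertion. A real one is signed by the IDP;
# SAC rejects it if signature, Audience or validity window do not match the trust.
SAMPLE_ASSERTION = (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example" Version="2.0">'
    "<saml2:Issuer>https://idp.example.com</saml2:Issuer>"
    "<saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>"
    '<saml2:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">'
    "<saml2:AudienceRestriction><saml2:Audience>" + TOKEN_URL + "</saml2:Audience>"
    "</saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion>"
)


def preflight(assertion_xml: str, token_url: str, now: float) -> list:
    """Client-side check: Audience must be the token endpoint, assertion not expired."""
    root = ET.fromstring(assertion_xml)
    problems = []
    audiences = [a.text for a in root.findall(".//saml2:Audience", SAML_NS)]
    if token_url not in audiences:
        problems.append(f"Audience {audiences} does not include {token_url}")
    cond = root.find("saml2:Conditions", SAML_NS)
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_after and calendar.timegm(time.strptime(not_after, "%Y-%m-%dT%H:%M:%SZ")) <= now:
        problems.append(f"assertion expired at {not_after}")
    return problems


def encode_assertion(assertion_xml: str) -> str:
    """RFC 7522 section 2.1: the assertion parameter is base64url encoded."""
    return base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")


def build_token_request(token_url, assertion_xml, client_id, client_secret):
    """Step 2: the OAuth client exchanges the assertion for an access token."""
    body = urllib.parse.urlencode({
        "grant_type": SAML_BEARER_GRANT,
        "assertion": encode_assertion(assertion_xml),
    }).encode("ascii")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {creds}",  # client authentication, RFC 6749 s2.3.1
        "Accept": "application/json",
    }
    return token_url, headers, body


def parse_token_response(raw: bytes, now: float):
    """Accept only a Bearer token; surface an OAuth error as a permission error."""
    doc = json.loads(raw)
    if "error" in doc:
        raise PermissionError(f"token endpoint refused the assertion: {doc['error']}")
    if doc.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {doc.get('token_type')!r}")
    return doc["access_token"], now + float(doc.get("expires_in", 0))


def build_api_request(api_url: str, access_token: str):
    """Step 3: present the token in the Authorization header, Bearer scheme."""
    return api_url, {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


def http_call(method, url, headers, body=None) -> bytes:
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def fetch_protected_resource(assertion_xml, call=http_call, now=None):
    """Whole two-legged exchange; `call` is injectable so it can run offline."""
    now = time.time() if now is None else now
    problems = preflight(assertion_xml, TOKEN_URL, now)
    if problems:
        raise ValueError("; ".join(problems))
    url, headers, body = build_token_request(TOKEN_URL, assertion_xml, CLIENT_ID, CLIENT_SECRET)
    access_token, _expires_at = parse_token_response(call("POST", url, headers, body), now)
    api_url, api_headers = build_api_request(API_URL, access_token)
    return call("GET", api_url, api_headers)


if __name__ == "__main__":
    # Offline smoke check: [] means the sample assertion is ready to exchange.
    print(preflight(SAMPLE_ASSERTION, TOKEN_URL, time.time()))
```

Two points worth checking against the tenant before relying on this: whether the SAC token endpoint expects the RFC 7522 base64url form of the assertion or plain base64 (the example assumes the RFC), and that the client secret is read from secure storage rather than embedded in the web application's code as the placeholder is here.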