SAP-docs / btp-connectivity

Markdown source for the SAP BTP Connectivity documentation. Enables feedback and contributions to improve the documentation.
https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/connectivity
Creative Commons Attribution 4.0 International

Please provide an example of a destination property to add custom SAML attributes #8

Closed piejanssens closed 3 months ago

piejanssens commented 3 months ago

Issue description

I want to have a destination of the type OAuth2SAMLBearerAssertion that requires a custom SAML attribute. This is required to request a learning-only user OAuth access token from the SuccessFactors OAuth token server (see bottom https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/2abbb39286994389bb0f1f4418773a7c/4e27e8f6ae2748ab9f23228dd6a31b06.html).

From the documentation it is not clear to me how I can add an "additional property" in the destination.

I tried adding a combination of the properties below, but it's not working as expected and it's not clear that this would be indeed the way to do this.

Feedback Type (Optional)

clarity

Page Title on SAP Help Portal (prefilled)

SAML Assertion Authentication

Page URL on SAP Help Portal (prefilled)

https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/saml-assertion-authentication

Frank1Mueller commented 3 months ago

Dear Pieter,

Thanks a lot for reaching out. We'll analyze the issue and get back to you soon.

Best regards

Frank

Frank1Mueller commented 3 months ago

Hi Peter,

We have now had a look at your issue.

Basically, adding the additional parameter to the destination seems to be correct as you described it.

However, the additional parameter only works if the attribute is part of the data in the XSUAA (aka SAP UAA) service. If so, it will already be in the assertion as long as the user token has the additional user_attributes scope. If it is not known to XSUAA, it cannot be part of the assertion.

For more information see also:

https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/consuming-destination-service?q=xsuaa

https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/user-propagation-via-saml-2-0-bearer-assertion-flow?q=user_attributes%20scope

Best regards

Frank

piejanssens commented 3 months ago

Hi Frank,

I appreciate the clarification. In our use case, we are using the "systemUser" attribute so no UAA data coming in. I'll do some tests using a JWT containing the user_attributes instead.

Best regards,

Pieter