Are you a developer or administrator in SAP S/4HANA Cloud, public edition or SAP BTP, ABAP environment and need to implement or configure your custom outbound communication via communication user? You are not sure what authentication method to use? You have found a tutorial such as Call an External API and Parse the Response in SAP BTP ABAP Environment, but this does not show the authentication-specific details that are needed for your scenario? Let me try to close some of these gaps with this blog.
Before you start with your implementation, you need to think about what authentication method to use. Therefore, I have compiled a few hints on how you can derive the right authentication method for your use case. Once you have chosen the authentication method, you need to implement and configure it. The nice thing about outbound communication via communication user is, that it follows the same pattern: a developer creates a communication scenario and implements the outbound call using the scenario, and an administrator maintains a communication arrangement for the scenario for a specific communication partner. If you are not familiar with this pattern yet: I have summarized it below. Afterwards, I have listed the details that you need to maintain depending on the chosen authentication method.
The following aspects are not covered by this blog:
Before you start with your implementation project, you need to decide on the right authentication method. The right authentication method can be decided by answering the following questions:
The authentication method needs to be supported by both parties. Hence, check the authentication methods that are supported by the communication partner.
The following authentication methods are supported when calling an internet-facing service from ABAP Cloud:
When using Basic Authentication, a username and password is sent to the communication partner’s server for authentication. When using Client Certificate Authentication, an X.509 certificate is used. In both cases the credentials are sent to the communication partner’s server direct. However, when using OAuth 2.0, then two servers are involved: the authorization server and the resource server. Firstly, the ABAP Cloud system calls the token endpoint of the authorization server and provides an authorization grant to obtain an access token. To authenticate at the authorization server a client secret or an X.509 certificate can be used. The supported authorization grants are client credentials and SAML bearer assertion. Secondly, the ABAP Cloud system uses the access token to authenticate at the resource server.
Since SAP S/4HANA Cloud, public edition and SAP BTP, ABAP environment follow a different release cycle and run in different environments, there might be slight differences. Hence, check the supported authentication methods that are supported
Decide if the actions in the called communication partner shall be executed under a technical user independent from the user on the caller side who has triggered the call, or if the actions shall be performed under an individual user corresponding to the user on the caller side. In the latter case I speak of principal propagation.
If the service shall be processed as technical user, then choose one of the following authentication methods:
If the principal shall be propagated to the target, then use the following authentication method:
Certificate-based authentication is more secure than using a password-based authentication method: a password is a shared secret and is known by both communication partners, while certificate-based client authentication uses public key infrastructure and the private key, which is owned by the client, is not shared with the communication partner. Moreover, a synchronized password change between the communication partners is not possible, while this can be achieved with certificate-based authentication since the client can possess more than one certificate.
Hence, Client Certificate Authentication, OAuth 2.0 Client Credentials Grant with mTLS Client Authentication, and OAuth 2.0 SAML Bearer Assertion Grant with mTLS Client Authentication are preferred over Basic Authentication, OAuth 2.0 Client Credentials Grant with Client Secret Authentication, and OAuth 2.0 SAML Bearer Assertion Grant with Client Secret Authentication.
Client certificates can be maintained in the Maintain Client Certificates app. SAP S/4HANA Cloud, public edition comes with a ready-to-use client certificate: the client default certificate. SAP recommends using this certificate for certificate-based authentication. In SAP BTP, ABAP environment, however, you need to provide your own certificate currently. I will not go into detail regarding the maintenance of client certificates in this blog.
As described in
the flow to enable custom outbound communication via outbound communication always follows the same pattern:
As developer in the development system using ABAP Development tools:
As administrator in the development, test, or production system using the corresponding Fiori apps:
Although the pattern is generic, some details depend on the chosen authentication method. For instance, when using basic authentication as shown in the screenshots above, a username and password need to be provided for the user for outbound communication. I have listed the authentication method-specific steps for scenario, communication system, and communication arrangement per authentication method below.
Maintain outbound settings:
Add a user for outbound communication:
Maintain outbound communication:
Maintain outbound settings:
Add a user for outbound communication:
Maintain outbound communication:
Maintain outbound settings:
Add a user for outbound communication:
Maintain outbound communication:
Maintain outbound settings:
Maintain outbound OAuth 2.0 client settings:
Add a user for outbound communication:
Maintain outbound communication:
Maintain outbound OAuth 2.0 client settings:
Add a user for outbound communication:
Maintain outbound communication:
Maintain outbound settings:
Maintain outbound OAuth 2.0 client settings:
Add user for outbound communication:
Maintain outbound communication:
Maintain outbound OAuth 2.0 client settings:
Add a user for outbound communication:
Maintain outbound communication:
Before you start with your implementation, you need to think about what authentication method to use. Therefore, I have compiled a few hints on how you can derive the right authentication method for your use case. Once you have chosen the authentication method, you need to implement and configure it. The nice thing about outbound communication via communication user is, that it follows the same pattern: a developer creates a communication scenario and implements the outbound call using the scenario, and an administrator maintains a communication arrangement for the scenario for a specific communication partner. If you are not familiar with this pattern yet: I have summarized it below. Afterwards, I have listed the details that you need to maintain depending on the chosen authentication method.
The following aspects are not covered by this blog:
- Authentication via destination service (supported by the SAP BTP, ABAP environment).
- Authentication at services that are provided by an on-premises system and are protected by a firewall. To access such services, an SAP Cloud Connector needs to be installed and configured. If you need more details on how to use the SAP Cloud Connector, please check
- Integrating On-Premise Systems in SAP BTP, ABAP environment or
- Integrating On-Premise Systems in SAP S/4HANA Cloud, public edition.
Choosing the Right Authentication Method
Before you start with your implementation project, you need to decide on the right authentication method. The right authentication method can be decided by answering the following questions:
What Authentication Methods Are Supported Technically?
The authentication method needs to be supported by both parties. Hence, check the authentication methods that are supported by the communication partner.
The following authentication methods are supported when calling an internet-facing service from ABAP Cloud:
- No Authentication
- Basic Authentication (username & password)
- Client Certificate Authentication (X.509 certificate)
- OAuth 2.0 Client Credentials Grant
- Client Secret Authentication (client ID & secret)
- Mutual TLS (mTLS) Client Authentication (client ID & X.509 certificate)
- OAuth 2.0 SAML Bearer Assertion Grant
- Client Secret Authentication (client ID & secret)
- Mutual TLS (mTLS) Client Authentication (client ID & X.509 certificate)
When using Basic Authentication, a username and password is sent to the communication partner’s server for authentication. When using Client Certificate Authentication, an X.509 certificate is used. In both cases the credentials are sent to the communication partner’s server direct. However, when using OAuth 2.0, then two servers are involved: the authorization server and the resource server. Firstly, the ABAP Cloud system calls the token endpoint of the authorization server and provides an authorization grant to obtain an access token. To authenticate at the authorization server a client secret or an X.509 certificate can be used. The supported authorization grants are client credentials and SAML bearer assertion. Secondly, the ABAP Cloud system uses the access token to authenticate at the resource server.
Since SAP S/4HANA Cloud, public edition and SAP BTP, ABAP environment follow a different release cycle and run in different environments, there might be slight differences. Hence, check the supported authentication methods that are supported
- by SAP BTP, ABAP environment in Supported Protocols and Authentication Methods and
- by SAP S/4HANA Cloud, public edition in Supported Protocols and Authentication Methods.
Who Shall Be Acting?
Decide if the actions in the called communication partner shall be executed under a technical user independent from the user on the caller side who has triggered the call, or if the actions shall be performed under an individual user corresponding to the user on the caller side. In the latter case I speak of principal propagation.
If the service shall be processed as technical user, then choose one of the following authentication methods:
- Basic Authentication
- Client Certificate Authentication
- OAuth 2.0 Client Credentials Grant
If the principal shall be propagated to the target, then use the following authentication method:
- OAuth 2.0 SAML Bearer Assertion
How Strong Are the Security Requirements?
Certificate-based authentication is more secure than using a password-based authentication method: a password is a shared secret and is known by both communication partners, while certificate-based client authentication uses public key infrastructure and the private key, which is owned by the client, is not shared with the communication partner. Moreover, a synchronized password change between the communication partners is not possible, while this can be achieved with certificate-based authentication since the client can possess more than one certificate.
Hence, Client Certificate Authentication, OAuth 2.0 Client Credentials Grant with mTLS Client Authentication, and OAuth 2.0 SAML Bearer Assertion Grant with mTLS Client Authentication are preferred over Basic Authentication, OAuth 2.0 Client Credentials Grant with Client Secret Authentication, and OAuth 2.0 SAML Bearer Assertion Grant with Client Secret Authentication.
Client certificates can be maintained in the Maintain Client Certificates app. SAP S/4HANA Cloud, public edition comes with a ready-to-use client certificate: the client default certificate. SAP recommends using this certificate for certificate-based authentication. In SAP BTP, ABAP environment, however, you need to provide your own certificate currently. I will not go into detail regarding the maintenance of client certificates in this blog.
Understanding the Communication Management Pattern
As described in
- Communication Management for SAP BTP, ABAP environment, and in
- Communication Management for SAP S/4HANA Cloud, public edition,
the flow to enable custom outbound communication via outbound communication always follows the same pattern:
As developer in the development system using ABAP Development tools:
- Create an outbound service and specify the service type, such as HTTP.
- Create a communication scenario, assign the outbound service, and maintain the supported authentication methods, for instance basic authentication.
- Implement the call of the service by using the create_by_comm_arrangement method and providing the communication scenario and outbound service ID.
As administrator in the development, test, or production system using the corresponding Fiori apps:
- Create a communication system representing the communication partner and the technical information needed for the communication, such as the host name and port.
- Add a user for outbound communication to the communication system holding authentication-specific credentials, such as user name and password for basic authentication.
- Create a communication arrangement for the scenario and specify the communication system, user, and authentication method to be used.
Maintaining Authentication Method-Specific Details
Although the pattern is generic, some details depend on the chosen authentication method. For instance, when using basic authentication as shown in the screenshots above, a username and password need to be provided for the user for outbound communication. I have listed the authentication method-specific steps for scenario, communication system, and communication arrangement per authentication method below.
No Authentication
Communication Scenario
Maintain outbound settings:
- Select Unauthenticated as supported authentication method.
Communication System
Add a user for outbound communication:
- Select authentication method None.
Communication Arrangement
Maintain outbound communication:
- User Name: None
- Authentication Method: None
Basic Authentication
Communication Scenario
Maintain outbound settings:
- Select Basic as supported authentication method.
Communication System
Add a user for outbound communication:
- Select authentication method User Name and Password
- User Name: <user name of the user to be used in the target system>
- Password: <password of the user>
Communication Arrangement
Maintain outbound communication:
- User Name: <outbound user of communication system>
- Authentication Method: User ID and Password
Client Certificate Authentication
Communication Scenario
Maintain outbound settings:
- Select 509 as supported authentication method:
Communication System
Add a user for outbound communication:
- Select authentication method SSL Client Certificate
- Client Certificate: <client certificate that shall be used for authentication>
Communication Arrangement
Maintain outbound communication:
- Certificate: <outbound user of communication system>
- Authentication Method: SSL Client Certificate
OAuth 2.0 Client Credentials Grant
Communication Scenario
Maintain outbound settings:
- Select OAuth 2.0 as supported authentication method.
- OAuth 2.0 grant type: Client Credentials
Client Secret Authentication
Communication System
Maintain outbound OAuth 2.0 client settings:
- Token Endpoint: <token endpoint of the authorization server, for instance, mysubdomain.authentication.eu10.hana.ondemand.com/oauth/token>
Add a user for outbound communication:
- Select authentication method OAuth 2.0
- OAuth 2.0 Client ID: <enter ID of the OAuth 2.0 client>
- Client Secret: <provide secret of the OAuth 2.0 client>
Communication Arrangement
Maintain outbound communication:
- OAuth 2.0 Client ID: <outbound user of communication system>
- Authentication Method: OAuth 2.0
Mutual TLS (mTLS) Client Authentication
Communication System
Maintain outbound OAuth 2.0 client settings:
- mTLS Endpoint: <token endpoint of the authorization server for certificate-based authentication, for instance, mysubdomain.authentication.eu10.cert.hana.ondemand.com/oauth/token>
Add a user for outbound communication:
- Select the authentication method OAuth 2.0 mTLS
- OAuth 2.0 Client ID: < ID of the OAuth 2.0 client >
- Client Certificate: <client certificate that shall be used for authenticating the oauth client>
Communication Arrangement
Maintain outbound communication:
- OAuth 2.0 Client ID: <outbound user of communication system>
- Authentication Method: OAuth 2.0 (mTLS)
OAuth 2.0 SAML Bearer Assertion Grant
Communication Scenario
Maintain outbound settings:
- Select OAuth 2.0 as supported authentication method
- OAuth 2.0 grant type: SAML 2.0 Bearer Assertion
Client Secreted Authentication
Communication System
Maintain outbound OAuth 2.0 client settings:
- Token Endpoint: <token endpoint of the authorization server, for instance, my123456-api.s4hana.com/sap/bc/sec/oauth2/token>
- Audience: <intended audience for the SAML 2.0 assertion, for instance, https://my123456.s4hana.com >
Add user for outbound communication:
- Select authentication method OAuth 2.0
- OAuth 2.0 Client ID: <ID of the OAuth 2.0 client>
- Client Secret: <secret of the OAuth 2.0 client>
Communication Arrangement
Maintain outbound communication:
- OAuth 2.0 Client ID: <outbound user of communication system>
- Authentication Method: OAuth 2.0
- SAML2 Identifier: < attribute that shall be used as subject identifier in the SAML assertion, for instance, E-Mail>
Mutual TLS (mTLS) Client Authentication
Communication System
Maintain outbound OAuth 2.0 client settings:
- mTLS Endpoint: <token endpoint of the authorization server, for instance, my123456-api.s4hana.com/sap/bc/sec/oauth2/token>
- Audience: <intended audience for the SAML 2.0 assertion, for instance, https://my123456.s4hana.com >
Add a user for outbound communication:
- Select authentication method OAuth 2.0 mTLS
- OAuth 2.0 Client ID: <ID of the OAuth 2.0 client >
- Client Certificate: <client certificate that shall be used for authenticating the oauth client, for instance, Client Default>
Communication Arrangement
Maintain outbound communication:
- OAuth 2.0 Client ID: <outbound user of communication system>
- Authentication Method: OAuth 2.0 (mTLS)
- SAML2 Identifier: <attribute that shall be used as subject identifier in the SAML assertion, for instance, E-Mail>
- SAP Managed Tags:
