Principal Propagation to S/4 with App-To-App SSO

Question

I'm unable to call S/4 with Principal Propagation when coming from an App-To-App SSO request. Is this scenario supported by the SDK?

We have an HTML5 app in SCP Neo, and a Java app in the same subaccount. Our intention is to let the HTML5 app fetch the SAML2 token (from an external IdP), then forward the token to the Java app using App-To-App SSO, and ultimately call S/4 using Principal Propagation using the original SAML2 token (from the IdP).

Summarizing, the following is the request flow:

1. HTML5 app gets SAML2 token from external IdP
2. HTML5 app calls Java app via destination with App-To-App SSO
3. Java app calls S/4 via destination with Principal Propagation

Our expectation is that on step 3, the request to S/4 would use the SAML2 token from step 1. Instead, is seems SCP creates another SAML2 token when calling destination with App-To-App SSO.

With this configuration, the S/4 SDK is not able to fetch the metadata, and it doesn't even reach cloud connector. Instead, it fails to build the Principal Propagation header, raising an exception as presented in the stack trace below:

2019 06 13 14:21:05#+00#ERROR#com.sap.cloud.sdk.odatav2.connectivity.internal.ODataConnectivityUtil##anonymous#hystrix-***OMITTED***.persistence.CreateChangeMasterCommand\#t=\#u=-1#na#***OMITTED***#***OMITTED***#web#***OMITTED***#na#na#na#na#Error occurred during create operation of Type : com.sap.cloud.sdk.odatav2.connectivity.ODataException: Unable to fetch the metadata : Error fetching the metadata |

2019 06 13 14:21:05#+00#ERROR#com.sap.cloud.sdk.odatav2.connectivity.cache.metadata.GuavaMetadataCache##anonymous#hystrix-***OMITTED***.changemaster.persistence.CreateChangeMasterCommand\#t=\#u=-1#na#***OMITTED***#***OMITTED***#web#***OMITTED***#na#na#na#na#Error occurred while populating metadata :  com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException: Failed to get the request headers for destination 'srv_Fiori_PP' (request URI: http://fiorisrvpp:8200/sap/opu/odata/sap/API_CHANGEMASTER;v=2/$metadata).
    at com.sap.cloud.sdk.cloudplatform.connectivity.ScpNeoDestination.getAuthenticationHeaders(ScpNeoDestination.java:317)
    at com.sap.cloud.sdk.cloudplatform.connectivity.ScpNeoDestination.getHeaders(ScpNeoDestination.java:388)
    at com.sap.cloud.sdk.cloudplatform.connectivity.HttpClientWrapper.wrapRequest(HttpClientWrapper.java:88)
    at com.sap.cloud.sdk.cloudplatform.connectivity.HttpClientWrapper.execute(HttpClientWrapper.java:99)
    at com.sap.cloud.sdk.odatav2.connectivity.cache.metadata.GuavaMetadataCache.getEdm(GuavaMetadataCache.java:236)
    at com.sap.cloud.sdk.odatav2.connectivity.cache.metadata.GuavaMetadataCache.getEdm(GuavaMetadataCache.java:155)
    at com.sap.cloud.sdk.odatav2.connectivity.internal.ODataConnectivityUtil.readMetadataWithCSRF(ODataConnectivityUtil.java:65)
    at com.sap.cloud.sdk.odatav2.connectivity.impl.ODataCreateRequestImpl.create(ODataCreateRequestImpl.java:193)
    at com.sap.cloud.sdk.odatav2.connectivity.impl.ODataCreateRequestImpl.handleExecute(ODataCreateRequestImpl.java:391)
    at com.sap.cloud.sdk.odatav2.connectivity.impl.ODataCreateRequestImpl.execute(ODataCreateRequestImpl.java:140)
    at com.sap.cloud.sdk.odatav2.connectivity.impl.ODataCreateRequestImpl.execute(ODataCreateRequestImpl.java:361)
    at com.sap.cloud.sdk.s4hana.datamodel.odata.helper.FluentHelperCreate.execute(FluentHelperCreate.java:163)
    at ***OMITTED***.changemaster.persistence.CreateChangeMasterCommand.run(CreateChangeMasterCommand.java:42)
    at ***OMITTED***.changemaster.persistence.CreateChangeMasterCommand.run(CreateChangeMasterCommand.java:14)
    at com.netflix.hystrix.HystrixCommand$2.call(HystrixCommand.java:302)
    at com.netflix.hystrix.HystrixCommand$2.call(HystrixCommand.java:298)
    at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:46)
    at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:35)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:51)
    at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:35)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OnSubscribeDoOnEach.call(OnSubscribeDoOnEach.java:41)
    at rx.internal.operators.OnSubscribeDoOnEach.call(OnSubscribeDoOnEach.java:30)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OperatorSubscribeOn$SubscribeOnSubscriber.call(OperatorSubscribeOn.java:100)
    at com.netflix.hystrix.strategy.concurrency.HystrixContexSchedulerAction$1.call(HystrixContexSchedulerAction.java:56)
    at com.netflix.hystrix.strategy.concurrency.HystrixContexSchedulerAction$1.call(HystrixContexSchedulerAction.java:47)
    at com.sap.cloud.sdk.cloudplatform.concurrency.ScpNeoUserSessionCallable.call(ScpNeoUserSessionCallable.java:78)
    at com.sap.core.tenant.service.impl.TenantServiceImpl.execute(TenantServiceImpl.java:126)
    at com.sap.cloud.account.impl.TenantContextImpl.execute(TenantContextImpl.java:49)
    at com.sap.cloud.sdk.cloudplatform.concurrency.ScpNeoTenantCallable.call(ScpNeoTenantCallable.java:98)
    at com.netflix.hystrix.strategy.concurrency.HystrixContexSchedulerAction.call(HystrixContexSchedulerAction.java:69)
    at rx.internal.schedulers.ScheduledAction.run(ScheduledAction.java:55)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:836)
Caused by: com.netflix.hystrix.exception.HystrixRuntimeException: com.sap.cloud.sdk.cloudplatform.connectivity.GetAuthHeadersCommand\#t=d1055fe8-b703-4672-aaf8-e84fd0456508\#u=\#srv_Fiori_PP failed and fallback disabled.
    at com.netflix.hystrix.AbstractCommand.handleFallbackDisabledByEmittingError(AbstractCommand.java:1052)
    at com.netflix.hystrix.AbstractCommand.getFallbackOrThrowException(AbstractCommand.java:878)
    at com.netflix.hystrix.AbstractCommand.handleFailureViaFallback(AbstractCommand.java:1034)
    at com.netflix.hystrix.AbstractCommand.access$700(AbstractCommand.java:60)
    at com.netflix.hystrix.AbstractCommand$12.call(AbstractCommand.java:621)
    at com.netflix.hystrix.AbstractCommand$12.call(AbstractCommand.java:601)
    at rx.internal.operators.OperatorOnErrorResumeNextViaFunction$4.onError(OperatorOnErrorResumeNextViaFunction.java:140)
    at rx.internal.operators.OnSubscribeDoOnEach$DoOnEachSubscriber.onError(OnSubscribeDoOnEach.java:87)
    at rx.internal.operators.OnSubscribeDoOnEach$DoOnEachSubscriber.onError(OnSubscribeDoOnEach.java:87)
    at com.netflix.hystrix.AbstractCommand$HystrixObservableTimeoutOperator$3.onError(AbstractCommand.java:1194)
    at rx.internal.operators.OperatorSubscribeOn$SubscribeOnSubscriber.onError(OperatorSubscribeOn.java:80)
    at rx.observers.Subscribers$5.onError(Subscribers.java:230)
    at rx.internal.operators.OnSubscribeDoOnEach$DoOnEachSubscriber.onError(OnSubscribeDoOnEach.java:87)
    at rx.observers.Subscribers$5.onError(Subscribers.java:230)
    at com.netflix.hystrix.AbstractCommand$DeprecatedOnRunHookApplication$1.onError(AbstractCommand.java:1431)
    at com.netflix.hystrix.AbstractCommand$ExecutionHookApplication$1.onError(AbstractCommand.java:1362)
    at rx.observers.Subscribers$5.onError(Subscribers.java:230)
    at rx.observers.Subscribers$5.onError(Subscribers.java:230)
    at rx.internal.operators.OnSubscribeThrow.call(OnSubscribeThrow.java:44)
    at rx.internal.operators.OnSubscribeThrow.call(OnSubscribeThrow.java:28)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:51)
    ... 30 common frames omitted
Caused by: com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException: java.lang.IllegalArgumentException: No logged-in user
    at com.sap.cloud.sdk.cloudplatform.connectivity.GetAuthHeadersCommand.getAuthenticationHeaders(GetAuthHeadersCommand.java:242)
    at com.sap.cloud.sdk.cloudplatform.connectivity.GetAuthHeadersCommand.run(GetAuthHeadersCommand.java:125)
    at com.sap.cloud.sdk.cloudplatform.connectivity.GetAuthHeadersCommand.run(GetAuthHeadersCommand.java:41)
    at com.netflix.hystrix.HystrixCommand$2.call(HystrixCommand.java:302)
    at com.netflix.hystrix.HystrixCommand$2.call(HystrixCommand.java:298)
    at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:46)
    ... 30 common frames omitted
Caused by: java.lang.IllegalArgumentException: No logged-in user
    at com.sap.core.connectivity.apiext.impl.authentication.PrincipalInformationProvider.getGenericCredentials(PrincipalInformationProvider.java:125)
    at com.sap.core.connectivity.apiext.impl.authentication.PrincipalInformationProvider.getPrincipalCredentials(PrincipalInformationProvider.java:51)
    at com.sap.core.connectivity.apiext.impl.authentication.AuthenticationHeaderProviderImpl.getPrincipalPropagationHeader(AuthenticationHeaderProviderImpl.java:53)
    at com.sap.cloud.sdk.cloudplatform.connectivity.GetAuthHeadersCommand.getAuthenticationHeaders(GetAuthHeadersCommand.java:198)
    ... 35 common frames omitted

I'm certain the cloud connector configuration (including trust configuration) is correct, since Principal Propagation works perfectly if I call the Java app directly. The issue only happens if the request comes from the HTML5 app.

Could you please help me understand why this scenario isn't working? Thank you.

Answer 1

After consulting the SAP Cloud Platform team, I got the confirmation that this behavior is what is to be expected.

The following resources should provide more insight:

• https://cloudplatform.sap.com/scenarios/usecases/principal-propagation.html
• https://blogs.sap.com/2018/11/07/principal-propagation-setup-between-cloud-platform-and-on-premise-backend-system-part-2/
• https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/c84d4d0b12d34890b334998185f49e88.html