SAPUI5 app with OData authentication + restriction by authorizations - authentication

I have some problems understanding the login for a SAPUI5 app connected via OData to an SAP server.
First of all, the idea is something like time recognition, where I log in with the user ID or username and password. Then I check whether it exists in the SAP backend system, and if it does, I want to show only the records for that staff number.
Do I do it with filters, or are there other ways?
It should be basic authentication: when I open the app there is a popup where I need to enter my SAP system username and password, but how can I make this a login page, and how can I get the parameters (every username has a staff number)?

First of all, I think you need to understand some basic concepts/architecture settings.
There are two possibilities for deploying SAPUI5 apps:
hosted on your SAP NW GW on-premise (no matter if central hub or not)
hosted on SAP Cloud Platform
Case A: deploying on SAP NW GW on-premise
In this case you could override the ICF classes to achieve custom login and logout, as explained here: https://blogs.sap.com/2016/11/25/sapui5-application-with-custom-login-and-logout-option/ | I will not explain this in further depth.
Case B: hosting a SAPUI5 app on SAP Cloud Platform
In this case you need to understand the architecture to determine what you want.
If your SAP Cloud Platform hosts the SAPUI5 application, you can read data from an SAP backend using SAP Cloud Platform Destination Services (which means a destination, using the SAP Cloud Connector to connect to your SAP system).
In your case: "First of all, the idea is like time recognition where I log in with the user ID or username and password. Then I check if it is in the SAP backend system, and if it is, I want to show ONLY the records for the staff number."
--> I would recommend the following: If the app is hosted on SAP CP you need an S-User to access it, or a respective single sign-on mechanism to replace the S-User. You will not be able to replace the login from Cloud Platform with anything individual without breaking security terms. Then you need an SAP NW GW OData service in your SAP backend. You further need SAP Cloud Connector paired with your SAP system and with your SAP CP instance. Having both things in place, you can create a destination pointing to your OData service. If you have these things in place, you can easily select the destination when creating a SAPUI5 application via templates.
Help Links:
SSO for SAP CP:
https://blogs.sap.com/2017/04/13/configure-saml-sso-for-sap-cloud-platform-using-an-external-identity-provider/
Destinations in SAP CP:
https://www.sap.com/developer/tutorials/hcp-create-destination.html
https://blogs.sap.com/2018/03/09/understanding-destination-types-available-in-sap-cloud-platform-mobile-service/
https://www.sap.com/developer/tutorials/teched-2016-3.html
Cloud Connector Setup:
https://www.sap.com/developer/tutorials/hcp-cloud-connector-setup.html
SAP NW GW OData Service:
https://blogs.sap.com/2016/05/31/odata-service-development-with-sap-gateway-code-based-service-development/
Have fun

Related

How to set up an api for the IBM cloud services to access a node-red dashboard

I would like to set up OAuth access for a Node-RED instance deployed on Bluemix and access a multi-user dashboard. I think it should be done via the IBM Cloud Functions API and use IBM Cloud App ID to protect it with the IBM Cloud API Gateway. That said, there's no way to connect those gateway functions to the dashboard web pages through Bluemix that I can see. Has this use of Node-RED been done?
Note I am not trying to provide access to Node-RED flows, only to secure the dashboard pages created with the multi-user node.
I have a multi-user, multi-session dashboard running, but there are no current nodes to secure this, or flows that offer this functionality. I'm not even sure you could build OAuth using flows. Perhaps a dedicated node that is built to provide ... perhaps fussing with bluemix-settings.js.
I've researched Node-RED's capacity, especially when deployed in IBM Cloud, and this is adequate. Node-RED provides easy-to-provision Cloudant access as well as the dashboard functionality that I want to embed in a consumer mobile app.
So the point is to provide OAuth for the public access of the dashboard and to protect the Cloudant endpoints, as well as to keep the functionality in the cloud rather than in the mobile app.
This is preferably a code-less solution.
Can you provide more information on dashboards? What do you mean by "dashboard pages created with the multi-user node"?
There are Node-RED OAuth 2.0 and OIDC plugins that can be integrated into the flows to secure them.
https://www.npmjs.com/package/node-red-contrib-openid
https://www.npmjs.com/package/node-red-contrib-auth-oidc
https://www.npmjs.com/package/node-red-contrib-simple-oauth2

How to add multiple microservices in cumulocity

We implemented an application which is onboarded on the C8Y server: the DM (Device Management) application.
The end user connects to the tenant-related C8Y server and selects the DM application.
The DM application consists of two parts:
Front end (HTML, JavaScript)
Back end (Java Spring Boot, which exposes a REST API). The back end communicates with our custom IoT product.
The back end of our DM application is today located in the MZ but can be hosted in the DMZ.
Issue description:
The front end (JavaScript) of the DM application cannot communicate with the back end part of the DM application, as the client's security requirements:
do not allow us to set up an HTTP proxy in the DMZ;
do not allow us to hard-code the REST API user (and password) in the JavaScript.
Solution (my suggestion):
When the end user logs in to the C8Y server, we think the C8Y server validates the user, who is stored in a C8Y database.
We suggest using the same user credentials (authentication) which have been used to log in to the C8Y portal to access this REST API.
Then the back end of the DM application needs to validate this REST API user; this way the DM application can also validate the user with a single login for the whole C8Y application.
To implement this solution we need:
to get the username/password in the front end,
or the authenticated token in the front end, if any;
to know the API that C8Y uses to validate the user from the back end;
support to register this as a microservice where authentication is taken care of by C8Y.
Questions:
What do you think about the suggestion to solve the issue?
Also, there is one microservice already registered to the account, so how can we add another microservice?
In case there is no support for multiple microservices, kindly suggest a workaround to let this DM application run as a second microservice, as this is a very critical and blocking issue for our customer.
Please check this (new) documentation: http://www.cumulocity.com/guides/concepts/applications/ . I hope that answers some of your questions.
In detail:
Yes, you can register multiple microservices.
Authentication is handled automatically by Cumulocity, i.e. requests sent to /service/yourMS are authenticated by Cumulocity and then forwarded to the microservice.
BR, Stefan

How to authenticate in an SAP hybrid app against SMP and a backend system with different users?

Following situation:
An SAP on-premise system is connected over Cloud Connector to SAP HCP.
In the cloud version of the SAP Mobile Platform (SMP) I configured the system.
I have a hybrid app (using the SAP Kapsel SDK) and try to connect to
a) SMP itself (registering)
b) also the real backend system with the data needed
The user name for SMP and for the backend system is not the same.
Does anyone have a good tutorial / documentation link on how to set this up correctly?
I found a very good tutorial about the Kapsel plugins:
- https://blogs.sap.com/2016/10/20/getting-started-kapsel-part-1-sp13/
With a trial account and a trial backend account (same user name) it seems to work somehow. But in my situation it is more complex.
Problem in other words (Edit)
I am searching for a way to use the user & password from the on-premise system to authenticate against HCPms from a hybrid app.
May I ask why you require two different users at all? From a usability point of view, it is very awkward for a user to give two sets of credentials for an app. I'd typically recommend to either
configure SCIM in Mobile Services. This would allow you to register with Mobile Services using your back-end credentials, or
configure no-auth in Mobile Services. While users still need to give their credentials for back-end access, they can register with Mobile Services without credentials at all.
The rest depends on your back-end configuration. For example, if it requires Basic auth, configure your back-end connection accordingly and leave the user/password fields empty. When you supply those with your client requests, they will be forwarded to your back-end.
Edit: I misread the question and thought you were using "SAP Cloud Platform Mobile Services", the cloud equivalent of the SAP Mobile Platform. The answer basically remains the same, only the terminology changes:
configure HTTP(S)-based Basic Authentication SSO in Mobile Platform. This would allow you to register with Mobile Platform using your back-end credentials, or
configure no-auth in Mobile Platform. While users still need to give their credentials for back-end access, they can register with Mobile Platform without credentials at all
Either way, SCIM for Mobile Service is described in the documentation, and so is Basic authentication for Mobile Platform.

How to change the login form for Unified Service Desk?

New in Dynamics CRM 2013, Unified Service Desk, aka USD, is a composite application framework for the development of call center and, of course, service desk applications.
The application has its own login form. While very flexible for development scenarios, it's not what I'd expect to have in a production environment; for instance, it asks for the address of the CRM instance that you are going to connect to.
So far, I haven't found any way to change this login form.
The login form belongs to the Unified Service Desk client application and cannot be changed. Moreover, Unified Service Desk requires an instance of Microsoft Dynamics CRM, so the login form will always prompt you to specify the connection information for a CRM instance where you have deployed the core USD solutions (DynamicsBase and UII). The things that you can customize in the agent desktop are the features and layouts within the application.
You can, however, configure the sign-in experience to pre-populate values in the sign-in dialog box. For more information, see the "Configure sign-in information" section in the "Connect to CRM instance using the Unified Service Desk client" topic.
Unified Service Desk uses the XRM tooling common login control to define the login form. If you are building your "own" Windows client application for CRM, you can use the XRM tooling common login control, which provides the code for CRM authentication, credential storage and retrieval, and diagnostic logging, so that you can quickly leverage these capabilities in your Windows client applications for CRM. More information about this: "Use the XRM tooling common login control in your client applications".
Thanks,
Vivek
There was a login control provided in the XRM.Tooling.Connector namespace. This might be a starting point to give it a thought.
Please refer to: https://msdn.microsoft.com/en-gb/library/dn689071.aspx
You can default the configuration information for the connection experience in USD. The documentation on how to do that is in the Microsoft.Xrm.Tooling.Connector SDK docs. Effectively you need to add the default settings to UnifiedServiceDesk.exe.config before you provide the client to your users. That will preload the dialog with connection information, and in the case of OnPremise / AD it can attempt an auto-login and never show this dialog.
Also,
Regarding the comment above about storing passwords for login: USD does do this. It uses the Windows Credential Vault to store the password data, and other encrypted stores to store other aspects of its configuration. The Windows Credential Vault can be managed by Windows admins and flushed if necessary.
You can also tell USD not to store passwords with a setting in the UnifiedServiceDesk.exe.config file. The by-product of this is that the user is required to key in their password each and every time the shell connects to CRM.

Any standardized login functionality available in Azure?

We are looking to host our product on Azure. The intent behind using Azure is that we get to focus on the core product, and we are fine with the standard cloud features that Azure offers without needing to understand too much of the internals; not exactly power users!
One thought was that if Azure had authentication functionality (profiles, logins, password reset/reminder, etc.), it would save us the time of building what is essentially a commodity.
Any guidance on this?
Azure offers the Access Control Service, which is a Federated Authentication service. It's already preconfigured with support for Live ID, Google and Yahoo authentication, but you can also add your own security token service (such as ADFS).
Windows Azure does not have a built-in login feature. However, the AppFabric Access Control Service (ACS) does; see the ACS tutorial here for example usage.