Configure ThingWorx Navigate with SAP to use OAuth 2.0
Prerequisites
ThingWorx is configured for SSL (Secure Sockets Layer) and SSO (Single Sign-on). Find more information in these sources:
ThingWorx setup SSL / HTTPS on Tomcat with Self-Signed Certificate
For information about Integration Configuration to SSL, refer to Initial Setup of Integration Runtime Service for Integration Connectors
PTC Single Sign-on Architecture and Configuration Overview Guide.
| Role | Application |
| --- | --- |
| Service Provider (SP) | ThingWorx Navigate |
| SAML Central Auth Server | PingFederate |
| OAuth Authorization Server | SAP |
| Identity Provider (IdP) | IdP supporting SAML 2.0 |
| Resource Provider (RP) | SAP |
In this use case, the ThingWorx platform, on which ThingWorx Navigate runs, is configured to exchange access tokens directly with SAP to retrieve OAuth-protected resources. PingFederate does not manage the exchange of access tokens between SAP and ThingWorx Navigate; however, PingFederate is used to manage user login requests for ThingWorx Navigate. If you are using one IdP to manage SAP user accounts and a separate IdP to manage ThingWorx Navigate user accounts, then a ThingWorx Navigate user must initially log in to SAP in addition to logging in to ThingWorx Navigate. Once ThingWorx Navigate is permitted to access SAP, the user does not need to log in to SAP on subsequent logins to ThingWorx Navigate, because ThingWorx Navigate has stored the authorization grant.
Note: PTC does not provide support for configuring OAuth in SAP. Refer to SAP documentation or customer support.
Before we can connect ThingWorx Navigate to SAP, there are some required steps to complete in ThingWorx.
At this point, you already have ThingWorx configured for single sign-on, but before we start defining the connection to SAP NetWeaver Gateway, we need to complete some extra steps. These required steps will set up ThingWorx to access SAP using OAuth. Then, your SAP connection will work with your single sign-on configuration. Make sure to replace any values in brackets, such as <SAP_CLIENT_ID>, with the information or file paths for your organization.
Define the SAP server
First, we’ll enter the SAP server’s details.
1. Stop Apache Tomcat.
2. Browse to this file and open it: \ThingworxPlatform\ssoSecurityConfig\sso-settings.json
3. In the file, find the section called AuthorizationServersSettings, and then add the SAP authorization server to that section. Here is the information to include:
clientId—ID created for your SAP instance
clientSecret—Password for your SAP instance
authorizeUri—SAP authorize URI from your SAP instance
clientAuthScheme—Header
Here’s an example. Make sure to use the information for your SAP instance, and make sure the values do not contain spaces:
"AuthorizationServersSettings": {
    "SAP_AuthorizationServerId1": {
        "clientId": "<SAP_CLIENT_ID>",
        "clientSecret": "<SAP_CLIENT_SECRET>",
        "authorizeUri": "https://<SAPHostname>:<Port>/sap/bc/sec/oauth2/authorize",
        "tokenUri": "https://<SAPHostname>:<Port>/sap/bc/sec/oauth2/token",
        "clientAuthScheme": "header"
    }
}
Looking for more detailed reference information? See the topic “Configure sso-settings.json File” in the ThingWorx Help.
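The following check is an added example, not PTC or ThingWorx code: it validates the AuthorizationServersSettings section against the points made above (every key from the example present, no spaces in values, no bracketed placeholders left in place) before Tomcat is restarted. The required-key list is taken from the example on this page, the HTTPS requirement on both URIs is an assumption based on that example, and the function name and sample values are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Keys taken from the sso-settings.json example on this page.
REQUIRED = ("clientId", "clientSecret", "authorizeUri", "tokenUri", "clientAuthScheme")
URI_KEYS = ("authorizeUri", "tokenUri")

def check_authorization_servers(settings):
    """Return a list of problems; never echoes values, so secrets stay out of logs."""
    servers = settings.get("AuthorizationServersSettings")
    if not isinstance(servers, dict) or not servers:
        return ["AuthorizationServersSettings: section missing or empty"]
    problems = []
    for server_id, entry in servers.items():
        if not isinstance(entry, dict):
            problems.append(f"{server_id}: not a JSON object")
            continue
        for key in REQUIRED:
            value, where = entry.get(key), f"{server_id}.{key}"
            if not isinstance(value, str) or not value:
                problems.append(f"{where}: missing")
                continue
            if any(ch.isspace() for ch in value):
                problems.append(f"{where}: contains whitespace")
            if "<" in value or ">" in value:
                problems.append(f"{where}: placeholder not replaced")
            # Assumption: both endpoints must be HTTPS, as in the page's example.
            if key in URI_KEYS:
                parts = urlsplit(value)
                if parts.scheme != "https" or not parts.hostname:
                    problems.append(f"{where}: not an https URL")
    return problems

# Constructed sample input (hostname and values are made up for illustration).
SAMPLE = json.loads("""
{"AuthorizationServersSettings": {
  "SAP_AuthorizationServerId1": {
    "clientId": "<SAP_CLIENT_ID>",
    "clientSecret": "two words",
    "authorizeUri": "https://sap.example.com:44300/sap/bc/sec/oauth2/authorize",
    "tokenUri": "http://sap.example.com:44300/sap/bc/sec/oauth2/token"}}}
""")

if __name__ == "__main__":
    for problem in check_authorization_servers(SAMPLE):
        print(problem)
```

To check a real file, pass the result of `json.load()` on your sso-settings.json to `check_authorization_servers`; an empty list means none of these problems were found.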
Note: Add the SAP SSL certificates to the JVM cacerts. Make sure to use this JVM:
<JAVA_HOME>\jre\lib\security\cacerts
You have now completed the OAuth configuration for ThingWorx and SAP NetWeaver Gateway. You can move on to the ThingWorx Navigate configuration. See Connect ThingWorx Navigate to SAP.