Configure ThingWorx Navigate with SAP to use OAuth 2.0
Prerequisites
ThingWorx is configured for SSL (Secure Sockets Layer) and SSO (Single Sign-on). Find more information in these sources:
Role | Application
Service Provider (SP) | ThingWorx Navigate
SAML Central Auth Server | PingFederate
OAuth Authorization Server | SAP
Identity Provider (IdP) | IdP supporting SAML 2.0
Resource Provider (RP) | SAP
In this use case, the ThingWorx platform, on which ThingWorx Navigate runs, is configured to exchange access tokens directly with SAP to retrieve OAuth-protected resources. PingFederate does not manage the exchange of access tokens between SAP and ThingWorx Navigate; it is used only to manage user login requests for ThingWorx Navigate. If you use one IdP to manage SAP user accounts and a separate IdP to manage ThingWorx Navigate user accounts, a ThingWorx Navigate user must initially log in to SAP in addition to logging in to ThingWorx Navigate. Once ThingWorx Navigate has been permitted to access SAP, the user does not need to log in to SAP on subsequent logins to ThingWorx Navigate, because ThingWorx Navigate has stored the granted authorization.
PTC does not provide support for configuring OAuth in SAP. Refer to SAP documentation or SAP customer support.
Before we can connect ThingWorx Navigate to SAP, there are some required steps to complete in ThingWorx.
At this point, you already have ThingWorx configured for single sign-on, but before we start defining the connection to SAP NetWeaver Gateway, we need to complete some extra steps. These steps set up ThingWorx to access SAP using OAuth, so that your SAP connection works with your single sign-on configuration. Make sure to replace any values in brackets, such as <SAP CLIENT ID>, with the information or file paths for your organization.
Define the SAP server
First, we’ll enter the SAP server’s details.
1. Stop Apache Tomcat.
2. Browse to this file and open it: \ThingworxPlatform\ssoSecurityConfig\sso-settings.json
3. In the file, find the section called AuthorizationServersSettings, and then add the SAP authorization server to that section. Here is the information to include:
◦ clientId—ID created for your SAP instance
◦ clientSecret—Password for your SAP instance
◦ authorizeUri—SAP authorize URI from your SAP instance
◦ tokenUri—SAP token URI from your SAP instance
◦ clientAuthScheme—header
Here’s an example. Make sure to use the information for your SAP instance, and make sure the values do not contain spaces:
"AuthorizationServersSettings": {
    "SAP_AuthorizationServerId1": {
        "clientId": "<SAP_CLIENT_ID>",
        "clientSecret": "<SAP_CLIENT_SECRET>",
        "authorizeUri": "https://<SAPHostname>:<Port>/sap/bc/sec/oauth2/authorize",
        "tokenUri": "https://<SAPHostname>:<Port>/sap/bc/sec/oauth2/token",
        "clientAuthScheme": "header"
    }
}
Looking for more detailed reference information? See the topic “Configure sso-settings.json File” in the ThingWorx Help.
Add the SAP SSL certificates to the JVM cacerts keystore. Make sure to use the keystore of this JVM: <JAVA_HOME>\jre\lib\security\cacerts
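The following Python script is an added example and is not part of PTC's product or documentation. It performs, on the content of an sso-settings.json file, the checks this procedure asks for: every key listed above is present in each AuthorizationServersSettings entry, no bracketed template placeholder such as <SAP_CLIENT_ID> is left unreplaced, no value contains whitespace, both URIs are absolute https URLs, and clientAuthScheme is header. The sample JSON embedded in the script is constructed for illustration; the only real item it relies on is the sso-settings.json structure shown in this procedure.

```python
"""Sanity-check the AuthorizationServersSettings block of a ThingWorx sso-settings.json file."""
import json
import re
from urllib.parse import urlparse

# Keys this procedure lists for an SAP authorization-server entry.
REQUIRED_KEYS = ("clientId", "clientSecret", "authorizeUri", "tokenUri", "clientAuthScheme")

# Matches a bracketed template placeholder such as <SAP_CLIENT_ID> that was never replaced.
PLACEHOLDER = re.compile(r"<[^<>]*>")


def check_auth_server(name, entry):
    """Return a list of problems found in one authorization-server entry (empty list means OK)."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in entry:
            problems.append(f"{name}: missing key {key}")
    for key, value in entry.items():
        if not isinstance(value, str):
            problems.append(f"{name}.{key}: value must be a string")
            continue
        match = PLACEHOLDER.search(value)
        if match:
            problems.append(f"{name}.{key}: placeholder {match.group(0)} not replaced")
        if any(ch.isspace() for ch in value):
            problems.append(f"{name}.{key}: value contains whitespace")
    # Both endpoints must be absolute https URLs (ThingWorx SSO is configured for SSL).
    for key in ("authorizeUri", "tokenUri"):
        value = entry.get(key)
        if isinstance(value, str) and not PLACEHOLDER.search(value):
            url = urlparse(value)
            if url.scheme != "https":
                problems.append(f"{name}.{key}: must use https, got {url.scheme or 'no scheme'}")
            if not url.netloc:
                problems.append(f"{name}.{key}: not an absolute URL")
    scheme = entry.get("clientAuthScheme")
    if isinstance(scheme, str) and scheme != "header":
        problems.append(f"{name}.clientAuthScheme: expected 'header', got {scheme!r}")
    return problems


def check_sso_settings(text):
    """Parse sso-settings.json content and validate every authorization-server entry."""
    try:
        settings = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"sso-settings.json is not valid JSON: {exc}"]
    servers = settings.get("AuthorizationServersSettings")
    if not isinstance(servers, dict) or not servers:
        return ["AuthorizationServersSettings section is missing or empty"]
    problems = []
    for name, entry in servers.items():
        problems.extend(check_auth_server(name, entry))
    return problems


# Constructed sample: a correctly filled-in entry (hostname, port and secret are made up).
SAMPLE_GOOD = """{
  "AuthorizationServersSettings": {
    "SAP_AuthorizationServerId1": {
      "clientId": "NAVIGATE_CLIENT",
      "clientSecret": "s3cret-value",
      "authorizeUri": "https://sap.example.internal:44300/sap/bc/sec/oauth2/authorize",
      "tokenUri": "https://sap.example.internal:44300/sap/bc/sec/oauth2/token",
      "clientAuthScheme": "header"
    }
  }
}"""

# Constructed sample: template placeholder left in, a space in the secret, plain http,
# a missing tokenUri and a wrong auth scheme.
SAMPLE_BAD = """{
  "AuthorizationServersSettings": {
    "SAP_AuthorizationServerId1": {
      "clientId": "<SAP_CLIENT_ID>",
      "clientSecret": "my secret",
      "authorizeUri": "http://sap.example.internal:8000/sap/bc/sec/oauth2/authorize",
      "clientAuthScheme": "basic"
    }
  }
}"""


if __name__ == "__main__":
    # Run against a real file with: python check_sso_settings.py < sso-settings.json
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BAD
    for problem in check_sso_settings(text) or ["no problems found"]:
        print(problem)
```

Run the script before restarting Apache Tomcat; an empty result means the block parses and matches the shape this procedure describes, which does not by itself prove that SAP accepts the client credentials.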
You have now completed the OAuth configuration for ThingWorx and SAP NetWeaver Gateway. You can move on to the ThingWorx Navigate configuration. See Connect ThingWorx Navigate to SAP.