Skip to main content

Overview

S4Kit supports multiple authentication methods for connecting to SAP systems. Authentication is configured at the instance or service level.

Authentication Types

Basic Authentication

Username and password authentication:
Use cases:
  • SAP GUI users with RFC access
  • Technical users
  • Simple integrations

OAuth 2.0 (Client Credentials)

OAuth authentication using client credentials flow:
Use cases:
  • S/4HANA Cloud
  • SAP BTP services
  • Modern integrations

API Key Header

Custom API key in a header:
Use cases:
  • Custom authentication gateways
  • Third-party API proxies

Custom Headers

Any custom headers:
Use cases:
  • Complex authentication schemes
  • Multi-header requirements

No Authentication

For public APIs:

Configuration Levels

Authentication can be configured at multiple levels:

Inheritance Chain

The platform uses the most specific configuration:
  1. Instance Service Auth: For a specific service on a specific instance
  2. System Service Auth: For a service across all instances
  3. Instance Default Auth: Fallback for the instance

Example Scenario

Configuring Authentication

Via Dashboard

  1. Navigate to Instances or Services
  2. Click Configure Authentication
  3. Select authentication type
  4. Enter credentials
  5. Click Save

Testing Configuration

After configuring:
  1. Click Test Connection
  2. Verify the connection succeeds
  3. Check the error message if it fails

OAuth 2.0 Configuration

S/4HANA Cloud Setup

  1. In SAP, create a Communication Arrangement
  2. Note the OAuth details:
    • Token URL
    • Client ID
    • Client Secret
    • Scopes
  3. Configure in S4Kit:

Token Caching

S4Kit automatically:
  • Caches OAuth tokens
  • Refreshes before expiration
  • Handles token renewal

Basic Auth Configuration

SAP User Setup

  1. Create a technical user in SAP
  2. Assign required authorizations:
    • OData service access
    • Business object authorizations
  3. Configure in S4Kit:

SAP Client

For multi-client systems:

Security

Credential Storage

All credentials are encrypted using libsodium:
  • Encryption key is separate from data
  • Credentials cannot be retrieved after saving
  • Only “update” or “remove” operations available

Credential Visibility

In the dashboard, sensitive values show:

Audit Trail

All authentication changes are logged:
  • Who made the change
  • When it was made
  • What was modified

Troubleshooting

401 Unauthorized

Possible causes:
  • Invalid credentials
  • User account locked
  • Missing authorizations
Solutions:
  1. Verify credentials in SAP
  2. Check user is not locked
  3. Verify OData service authorization

403 Forbidden

Possible causes:
  • Missing business authorizations
  • IP restrictions
  • License issues
Solutions:
  1. Check user’s SAP authorizations
  2. Verify IP allowlist if applicable
  3. Contact SAP basis team

OAuth Token Errors

Common issues:
  • Invalid client credentials
  • Wrong token URL
  • Missing scopes
Solutions:
  1. Regenerate client credentials
  2. Verify token URL matches SAP
  3. Add required scopes

Connection Timeout

Possible causes:
  • Network connectivity
  • Firewall blocking
  • SAP system down
Solutions:
  1. Verify network path to SAP
  2. Check firewall rules
  3. Confirm SAP system is running