Authentication

​

Overview

​

Authentication Types

​

Basic Authentication

type: basic
username: SAP_USER
password: ********

• SAP GUI users with RFC access
• Technical users
• Simple integrations

​

OAuth 2.0 (Client Credentials)

type: oauth2
client_id: your-client-id
client_secret: ********
token_url: https://auth.s4hana.cloud.sap/oauth/token
scope: API_BUSINESS_PARTNER

• S/4HANA Cloud
• SAP BTP services
• Modern integrations

​

API Key Header

type: api_key
header_name: X-API-Key
header_value: ********

• Custom authentication gateways
• Third-party API proxies

​

Custom Headers

type: custom
headers:
  Authorization: Bearer token123
  X-Custom-Auth: custom-value
  sap-client: "100"

• Complex authentication schemes
• Multi-header requirements

​

No Authentication

type: none

​

Configuration Levels

┌─────────────────────────────────┐
│    Instance Service Auth        │  ← Most specific
├─────────────────────────────────┤
│    System Service Auth          │
├─────────────────────────────────┤
│    Instance Default Auth        │  ← Least specific
└─────────────────────────────────┘

​

Inheritance Chain

1. Instance Service Auth: For a specific service on a specific instance
2. System Service Auth: For a service across all instances
3. Instance Default Auth: Fallback for the instance

​

Example Scenario

Production Instance (Basic Auth: prod_user)
├── API_BUSINESS_PARTNER (inherits: prod_user)
├── API_SALES_ORDER_SRV (OAuth: oauth_client)  ← Override
└── API_CUSTOM_SERVICE (inherits: prod_user)

​

Configuring Authentication

​

Via Dashboard

1. Navigate to Instances or Services
2. Click Configure Authentication
3. Select authentication type
4. Enter credentials
5. Click Save

​

Testing Configuration

1. Click Test Connection
2. Verify the connection succeeds
3. Check the error message if it fails

​

OAuth 2.0 Configuration

​

S/4HANA Cloud Setup

1. In SAP, create a Communication Arrangement
2. Note the OAuth details:
   • Token URL
   • Client ID
   • Client Secret
   • Scopes
3. Configure in S4Kit:

type: oauth2
client_id: COMM_ARRANGEMENT_CLIENT
client_secret: ********
token_url: https://myXXXXXX-api.s4hana.cloud.sap/sap/bc/sec/oauth2/token
scope: API_BUSINESS_PARTNER_0001

​

Token Caching

• Caches OAuth tokens
• Refreshes before expiration
• Handles token renewal

​

Basic Auth Configuration

​

SAP User Setup

1. Create a technical user in SAP
2. Assign required authorizations:
   • OData service access
   • Business object authorizations
3. Configure in S4Kit:

type: basic
username: S4KIT_TECH_USER
password: ********

​

SAP Client

type: basic
username: S4KIT_TECH_USER
password: ********
additional_headers:
  sap-client: "100"

​

Security

​

Credential Storage

Original → Encrypt (libsodium) → Store (encrypted)

• Encryption key is separate from data
• Credentials cannot be retrieved after saving
• Only “update” or “remove” operations available

​

Credential Visibility

Password: ••••••••
Client Secret: ••••••••

​

Audit Trail

• Who made the change
• When it was made
• What was modified

​

Troubleshooting

​

401 Unauthorized

• Invalid credentials
• User account locked
• Missing authorizations

1. Verify credentials in SAP
2. Check user is not locked
3. Verify OData service authorization

​

403 Forbidden

• Missing business authorizations
• IP restrictions
• License issues

1. Check user’s SAP authorizations
2. Verify IP allowlist if applicable
3. Contact SAP basis team

​

OAuth Token Errors

• Invalid client credentials
• Wrong token URL
• Missing scopes

1. Regenerate client credentials
2. Verify token URL matches SAP
3. Add required scopes

​

Connection Timeout

• Network connectivity
• Firewall blocking
• SAP system down

1. Verify network path to SAP
2. Check firewall rules
3. Confirm SAP system is running