Connector for OData, SAP Gateway and Microsoft SharePoint - General information

Connector for OData / Connector for SAP Gateway

Name

Enter the name of the connection here.

Description

You can provide the connection with a description here.

Authentication

Method

None

For anonymous access.

Simple

With this method (HTTP Basic), users are prompted for their login information. The user entered here is only needed to access the service metadata in the Portal Manager.

Intrexx

This method is useful for services provided via the Intrexx OData provider. Login information will be transferred encrypted here. To access the metadata, enter an Intrexx user and corresponding password here as well.

Kerberos / Kerberos (HTTP Basic)

These methods are available in Windows environments for using Windows Integrated Authentication for Single Sign-On. The second option for "HTTP Basic" enables authentication for clients that do not support the Kerberos protocol. Please note the following basic requirements for successful authentication with Kerberos:

  • The Intrexx portal must be run with integrated authentication.

  • The users from your Active Directory must have been imported into your portal. Please make sure that at least one user is included in the Administrators group, so that the system may continue to be managed.

  • The server on which Intrexx is installed requires the group policy "Delegation".

  • All clients and servers must be members of the same domain. In Internet Explorer, the security settings for the zone used must have the user authentication setting of "Automatic login with current user name and password". Additionally, the option for "Enable Integrated Windows authentication" must be selected in the advanced settings.

Using Kerberos authentication provides you and your users with true Single Sign-On access to an OData service that uses Integrated Windows Authentication. If a user cannot be authenticated, the second option (Kerberos (HTTP Basic)) automatically falls back to the standard login method. For successful authentication, a Service Principal Name (SPN) must be specified. The SPN identifies the service for which a Kerberos ticket should be created; this ticket is required by the Internet Information Server used by the Intrexx Portal Server. The SPN is generally constructed as follows:

http/<computer-DNS-name>@<KERBEROS_REALM>

Computer-DNS-name: Fully qualified host name (such as "mycomputer.mycompany.com")
KERBEROS_REALM: Generally the domain in uppercase letters (such as "MYCOMPANY.COM")

The SPN for the example above would look like this:

http/mycomputer.mycompany.com@MYCOMPANY.COM

Kerberos (Intrexx Token Service)

Click here for more information.

X.509

With this method, a certificate store in PKCS12 format can be uploaded. Later, each user can upload their own certificate store using a login form. For authentication with X.509 certificates, the root certificate of the certification authority that issues the client certificates must have been imported into Intrexx beforehand. Restart the portal service afterwards.

OAuth2/OpenID Connect (from Intrexx 8 with Online-Update 05)

The method "OAuth2" supports services that require OAuth2 authorization for users. If the service supports auto-approval of the user, the login of a user can be specified here for the metadata. If this is not possible, the metadata document must first be saved as a local file and stored in the portal directory internal/cfg/odata with the file name <SERVICE_GUID>.edmx. Currently, the actual configuration of the OAuth2 authorization must be performed directly in the XML configuration file of the OData consumer in the portal directory internal/cfg/odata with the file name <SERVICEGUID>.xml. The following properties are relevant here:

<property name="authenticationType" value="OAUTH2"/> <!-- value has to be OAUTH2 -->
<property name="oauth2.scope" value="<OAuth scopes>"/>
<property name="oauth2.authenticationScheme" value="<Schema>"/>
<property name="oauth2.clientId" value="<Client ID>"/>
<property name="oauth2.grantType" value="<Grant Type>"/>
<property name="oauth2.clientAuthenticationScheme" value="<Client Schema>"/>
<property name="oauth2.userAuthorizationUri" value="<end point for the authentication>"/>
<property name="oauth2.clientSecret" value="<Client Secret>"/>
<property name="oauth2.redirectUri" value="<Redirect URL>"/>
<property name="oauth2.accessTokenUri" value="<end point for the request of a token>"/>

In the following, excerpts of some example configurations for commonly used OAuth2 services are listed. Many of these services cannot be used as OData services; nevertheless, the OAuth2 authentication can be used for direct HTTP access to the service in Groovy scripts.

Spring Security OAuth2 Identity Provider

<?xml version="1.0" encoding="UTF-8"?>
<odata xmlns="urn:schemas-unitedplanet-de:lucy:server:odata:consumer:cfg" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-unitedplanet-de:lucy:server:odata:consumer:cfg consumer.xsd">
	<consumer description="" guid="30378A6DEDA601F69D525C7FCAFA7E12CEC114C8" name="SpringOAuth2">
		<property name="authenticationType" value="OAUTH2"/>
		<property name="additionalAuthenticationTypes" value=""/>
		<property name="userName" value="user"/>
		<property name="password" value="E54F94C0106981A41312FC14955B164C"/>
		<property name="servicePrincipalName" value=""/>
		<property name="isSharePointService" value="false"/>
		<property name="isSapService" value="false"/>
		<property name="sapUseDefaultClientId" value="false"/>
		<property name="sapClientId" value=""/>
		<property name="sapNetweaverGatewayHost" value=""/>
		<property name="sapNetweaverGatewayPort" value=""/>
		<property name="sapNetweaverGatewayUseSSL" value="false"/>
		<property name="sapSolutionManagerRegistered" value="false"/>
		<property name="authTypeSource" value=""/>
		<property name="authLoginSource" value=""/>
		<property name="authPasswordSource" value=""/>
		<property name="authSapClientIdSource" value=""/>
		<property name="oauth2.grantType" value="authorization_code"/>
		<property name="oauth2.clientAuthenticationScheme" value="form"/>
		<property name="oauth2.accessTokenUri" value="https://localhost:9999/uaa/oauth/token"/>
		<property name="oauth2.userAuthorizationUri" value="https://localhost:9999/uaa/oauth/authorize"/>
		<property name="oauth2.scope" value="openid"/>
		<property name="oauth2.clientId" value="acme"/>
		<property name="oauth2.clientSecret" value="acmesecret"/>
		<property name="oauth2.redirectUri" value="https://localhost/devportal/oauth2"/>
		<services>
			<service guid="E2050082619BBD33EEDEA97BDCC9223B25244191" name="SpringOauth2" odataSpecVersion="V2" sapCsrfTokenRequired="false" serviceRootURI="https://localhost:8888/res/" useSSL="false"/>
		</services>
		<userMappings/>
	</consumer>
</odata>

The environment-specific values (host names and URIs, client ID and client secret) need to be modified. Further information is available here: https://spshell.blogspot.de/2015/03/sharepoint-online-o365-oauth.html

Microsoft Outlook Online (plain HTTP access only, no OData)

<property name="authenticationType" value="OAUTH2"/> <!-- value has to be OAUTH2 -->
<property name="oauth2.scope" value="https://outlook.office.com/mail.read"/>
<property name="oauth2.authenticationScheme" value="form"/>
<property name="oauth2.clientId" value="<Client ID>"/>
<property name="oauth2.grantType" value="authorization_code"/>
<property name="oauth2.clientAuthenticationScheme" value="form"/>
<property name="oauth2.userAuthorizationUri" value="https://login.microsoftonline.com/common/oauth2/v2.0/authorize"/>
<property name="oauth2.clientSecret" value="<Client Secret>"/>
<property name="oauth2.redirectUri" value="https://localhost/devportal/oauth2"/>
<property name="oauth2.accessTokenUri" value="https://login.microsoftonline.com/common/oauth2/v2.0/token"/>
<services>
	<service guid="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" name="Outlook" odataSpecVersion="V2" sapCsrfTokenRequired="false" serviceRootURI="https://outlook.office.com/api/v2.0/me/messages" useSSL="true"/>
</services>

GoogleMail (plain HTTP access only, no OData)

<property name="authenticationType" value="OAUTH2"/> <!-- value has to be OAUTH2 -->
<property name="oauth2.scope" value="https://mail.google.com/"/>
<property name="oauth2.authenticationScheme" value="header"/>
<property name="oauth2.clientId" value="<Client ID>"/>
<property name="oauth2.grantType" value="authorization_code"/>
<property name="oauth2.clientAuthenticationScheme" value="header"/>
<property name="oauth2.userAuthorizationUri" value="https://accounts.google.com/o/oauth2/auth"/>
<property name="oauth2.clientSecret" value="<Client Secret>"/>
<property name="oauth2.redirectUri" value="https://localhost/devportal/oauth2"/>
<property name="oauth2.accessTokenUri" value="https://accounts.google.com/o/oauth2/token"/>
<services>
	<service guid="XXXXXXXXXXXXXXXXXXXXXXXXXXXXX" name="GMail Inbox" odataSpecVersion="V2" sapCsrfTokenRequired="false" serviceRootURI="https://www.googleapis.com/gmail/v1/users/firstname.lastname@googlemail.com/messages/" useSSL="true"/>
</services>

SharePoint forms-based

Click here for more information about forms-based authentication for Microsoft SharePoint connections.

SharePoint Fed Auth (SAML)

Click here for more information about forms-based authentication with identity providers conforming to SAML for Microsoft SharePoint connections.

Connection timeout

Timeout

Enter how long the connection should be maintained in milliseconds, seconds, minutes or hours.

Active

With this setting, the defined timeout will take effect.

Connector for SharePoint

Name

Enter the name of the new connection here.

Description

You can enter a short description here.

Authentication

User / Password

Enter the username and password for the user you want to use to access SharePoint. The user entered here will only be needed to access the service metadata in the Portal Manager.

OAuth2/OpenID Connect (from Intrexx 8 with Online-Update 05)

The method "OAuth2" supports services that require OAuth2 authorization for users. If the service supports auto-approval of the user, the login of a user can be specified here for the metadata. If this is not possible, the metadata document must first be saved as a local file and stored in the portal directory internal/cfg/odata with the file name <SERVICE_GUID>.edmx. Currently, the actual configuration of the OAuth2 authorization must be performed directly in the XML configuration file of the OData consumer in the portal directory internal/cfg/odata with the file name <SERVICEGUID>.xml. The following properties are relevant here:

<property name="authenticationType" value="OAUTH2"/> <!-- value has to be OAUTH2 -->
<property name="oauth2.scope" value="<OAuth Scopes>"/>
<property name="oauth2.authenticationScheme" value="<Schema>"/>
<property name="oauth2.clientId" value="<Client ID>"/>
<property name="oauth2.grantType" value="<Grant Type>"/>
<property name="oauth2.clientAuthenticationScheme" value="<Client Schema>"/>
<property name="oauth2.userAuthorizationUri" value="<end point for the authentication>"/>
<property name="oauth2.clientSecret" value="<Client Secret>"/>
<property name="oauth2.redirectUri" value="<Redirect URL>"/>
<property name="oauth2.accessTokenUri" value="<end point for the request of a token>"/>

In the following, excerpts of some example configurations for commonly used OAuth2 services are listed. Many of these services cannot be used as OData services; nevertheless, the OAuth2 authentication can be used for direct HTTP access to the service in Groovy scripts.

Microsoft SharePoint 365 (OAuth2 via AzureAD)

<?xml version="1.0" encoding="UTF-8"?>
<odata xmlns="urn:schemas-unitedplanet-de:lucy:server:odata:consumer:cfg" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-unitedplanet-de:lucy:server:odata:consumer:cfg consumer.xsd">
	<consumer description="" guid="A07EFC374A42F1A4C2C0BEDB60E5B99B2F89F660" name="SharePoint365">
		<property name="authenticationType" value="OAUTH2"/>
		<property name="oauth2.scope" value="Site.Read Web.Read List.Write"/>
		<property name="oauth2.clientId" value="CLIENT_ID"/>
		<property name="oauth2.grantType" value="authorization_code"/>
		<property name="oauth2.clientAuthenticationScheme" value="form"/>
		<property name="oauth2.authenticationScheme" value="form"/>
		<property name="oauth2.userAuthorizationUri" value="https://company.sharepoint.com/_layouts/15/OAuthAuthorize.aspx"/>
		<property name="oauth2.clientSecret" value="CLIENT_SECRET"/>
		<property name="oauth2.redirectUri" value="https://localhost/devportal/oauth2"/>
		<property name="oauth2.accessTokenUri" value="https://accounts.accesscontrol.windows.net/TENANT_ID/tokens/OAuth/2"/>
		<property name="sharePoint.oauth2.resource" value=".../company.sharepoint.com@TENANT_ID"/>
		<property name="sharePoint.oauth2.realm" value="TENANT_ID"/>
		<services>
			<service guid="0EA408C8493C29D52921D6E78389A2A5CD1E2539" name="SharePoint365" odataSpecVersion="V2" sapCsrfTokenRequired="false" serviceRootURI="https://company.sharepoint.com/_vti_bin/listdata.svc/" useEtag="true" useSSL="true"/>
		</services>
		<userMappings/>
	</consumer>
</odata>

The following values must be adjusted:

  • https://company.sharepoint.com/_layouts/15/OAuthAuthorize.aspx
  • "CLIENT_SECRET"
  • https://localhost/devportal/oauth2
  • .../company
  • TENANT_ID

Further information is available here: https://spshell.blogspot.de/2015/03/sharepoint-online-o365-oauth.html
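A pre-deployment check for the OAuth2 consumer configuration described in both "OAuth2/OpenID Connect" sections above (the OData/SAP Gateway one and the SharePoint one). This is an added example and not part of the Intrexx documentation or product: it parses a <SERVICEGUID>.xml in the consumer.xsd layout shown above and reports missing OAuth2 properties, template placeholders that were never replaced, and authorization or token endpoints that are not https. The placeholder heuristic, the useSSL consistency rule and the sample configuration (fictitious hosts and GUIDs) are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "urn:schemas-unitedplanet-de:lucy:server:odata:consumer:cfg"
# OAuth2 properties the documentation above lists as relevant for a consumer.
REQUIRED = ("oauth2.scope", "oauth2.clientId", "oauth2.grantType", "oauth2.clientAuthenticationScheme",
            "oauth2.userAuthorizationUri", "oauth2.clientSecret", "oauth2.redirectUri", "oauth2.accessTokenUri")
URI_PROPS = ("oauth2.userAuthorizationUri", "oauth2.accessTokenUri", "oauth2.redirectUri")
def is_placeholder(value):
    """Heuristic (assumption): template leftovers such as "<Client ID>", "CLIENT_SECRET", "XXXX"."""
    v = value.strip()
    return not v or v.startswith("<") or (v.isupper() and "_" in v) or set(v) == {"X"}
def check_consumer(xml_text):
    """Return a list of findings for one <SERVICEGUID>.xml; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    props = {p.get("name"): p.get("value", "") for p in root.iter(f"{{{NS}}}property")}
    findings = []
    if props.get("authenticationType") != "OAUTH2":
        findings.append("authenticationType must be OAUTH2")
    for name in REQUIRED:
        if name not in props:
            findings.append(f"missing property {name}")
        elif is_placeholder(props[name]):
            findings.append(f"{name} still holds a template placeholder")
    for name in URI_PROPS:  # authorization codes, the client secret and tokens travel over these
        if props.get(name) and urlparse(props[name]).scheme != "https":
            findings.append(f"{name} is not https")
    for svc in root.iter(f"{{{NS}}}service"):
        if urlparse(svc.get("serviceRootURI", "")).scheme == "https" and svc.get("useSSL") != "true":
            findings.append(f"service {svc.get('name')}: serviceRootURI is https but useSSL is not true")
    return findings
# Constructed sample in the consumer.xsd layout shown above; hosts and GUIDs are fictitious.
SAMPLE = f"""<?xml version="1.0" encoding="UTF-8"?>
<odata xmlns="{NS}">
  <consumer description="" guid="0000000000000000000000000000000000000000" name="Example">
    <property name="authenticationType" value="OAUTH2"/>
    <property name="oauth2.scope" value="openid"/>
    <property name="oauth2.clientId" value="acme"/>
    <property name="oauth2.grantType" value="authorization_code"/>
    <property name="oauth2.clientAuthenticationScheme" value="form"/>
    <property name="oauth2.userAuthorizationUri" value="https://idp.example.test/oauth/authorize"/>
    <property name="oauth2.clientSecret" value="&lt;Client Secret&gt;"/>
    <property name="oauth2.redirectUri" value="https://localhost/devportal/oauth2"/>
    <property name="oauth2.accessTokenUri" value="http://idp.example.test/oauth/token"/>
    <services>
      <service guid="1111111111111111111111111111111111111111" name="Example" odataSpecVersion="V2" sapCsrfTokenRequired="false" serviceRootURI="https://svc.example.test/res/" useSSL="false"/>
    </services>
  </consumer>
</odata>"""
```

Running `check_consumer(SAMPLE)` reports the unreplaced client secret, the plain-http token endpoint and the service whose useSSL flag contradicts its https root URI; once those three are corrected the list is empty.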