Connector for OData – Consume data
Here you can find out how to configure a connection for the SAP Gateway connector. Information on configuring an SAP Gateway connection can be found here.
General properties
A new connection can be created in the "Integration" module via the main menu "OData / New data source". To do this, the connector for OData must be selected under "Consume data" in the left-hand area.
The configuration of SAP Gateway connections uses the same dialog as for general information. All information on configuring SAP Gateway connections can be found here.
In the general information for an OData connection, you can enter the following entries for our example:
-
Name: Dates
-
Authentication: HTTP Basic
-
User/password: User name and password of a user from the portal in which the service is provided. This user requires rights to the example application "Calendar1", from which the data in the example service originates.
In addition to the name and a description of the connection, the following authentication methods can be configured in general information:
Authentication
None
For anonymous access.
HTTP Basic
With this method (HTTP Basic), the login information will be requested. The user entered here will only be needed to access the service metadata in the Portal Manager.
If you select the "HTTP Basic" authentication method, you should definitely activate the "Use SSL" checkbox when creating the service later. If necessary, the certificate of the OData server must be imported into the certificate store in the consuming portal.
Intrexx (Legacy)
This method is suitable for services that are provided via the Intrexx OData provider. Login information will be transferred encrypted here. To access the metadata, enter an Intrexx user and corresponding password here as well.
Kerberos / Kerberos (HTTP Basic)
With these methods, integrated Windows authentication is available for single sign-on in Windows environments. The second option for ""HTTP Basic"" enables authentication for clients that do not support the Kerberos protocol. Please note the following basic requirements for successful authentication with Kerberos:
-
The Intrexx portal must be operated with integrated Windows authentication.
-
The users from your Active Directory must be imported into the portal accordingly. Please make sure that at least one user is included in the Administrators group, so that the system may continue to be managed.
-
The server on which Intrexx is installed requires the "Delegation" group policy.
-
All clients and servers must be members of the same domain. In Internet Explorer, "Automatic login with current user name and password" must be set in the security settings of the zone used for user authentication. In addition, the setting "Activate integrated Windows authentication" must be set in the advanced settings.
Using Kerberos authentication provides you and your users with true Single Sign-on access to the OData service that uses the Integrated Windows Authentication. If a user cannot be authenticated, the second option automatically activates the standard login. For successful authentication, it is necessary to specify a Service Principal Name (SPN). The SPN contains information about the service for which a Kerberos ticket should be created. This ticket is required for the Internet Information Server used by the Intrexx Portal Server. The SPN is usually structured as follows: http/<computer DNS name>@<KERBEROS_REALM>. Computer-DNS-name: Fully qualified host name (such as ""mycomputer.mycompany.com"") KERBEROS_REALM: Generally the domain in uppercase letters (such as ""MYCOMPANY.COM""). The SPN from the example above would look like this: http/mycomputer.mycompany.com@MYCOMPANY.COM
Kerberos (Intrexx Token Service)
You can find all the information here.
X.509
With this method, a certificate store in PKCS12 format can be uploaded. Later, each user can upload their own certificate store using a login form. For authentication with X.509 certification, it is required that the root certificate of the authentication authority responsible for issuing the client certificates has previously been imported into Intrexx. To do this, click on "Upload X.509 certificate store".
Certificate store
Enter the file name of the certificate and the password. Click on "Search" to open a dialog in which the certificate file (in PKCS12 format) can be selected. Click "Finish" to close the dialog again.
Restart the portal service after the import.
OAuth2/OpenID
This authentication method supports services that require OAuth2 authorization from the user. Should the service support an auto approval of the user, the login of a user can be specified here for the metadata. If this is not possible, the metadata document must first be saved manually as a local file and stored in the portal directory internal/cfg/odata with the file name <SERVICE_GUID>.edmx. The actual configuration of the OAuth2 authorization must currently still be carried out directly in the XML configuration file of the OData consumer in the portal directory internal/cfg/odata with the file name <SERVICE_GUID>.xml. The following properties are relevant here:
<property name="authenticationType" value="OAUTH2"/> // value has to be OAUTH2
<property name="oauth2.scope" value="<OAuth scopes>"/>
<property name="oauth2.authenticationScheme" value="<Schema>"/>
<property name="oauth2.clientId" value="<Client ID>"/>
<property name="oauth2.grantType" value="<Grant Type>"/>
<property name="oauth2.clientAuthenticationScheme" value="<Client Schema>"/>
<property name="oauth2.userAuthorizationUri value="<end point for the authentication>"/>
<property name="oauth2.clientSecret"value="<Client Secret>"/>
<property name="oauth2.redirectUri" value="<Redirect URL>"/>
<property name="oauth2.accessTokenUri" value="<end point for the request of a token>"/>
In the following, excerpts of some example configurations for commonly used OAuth2 services are listed. Many of these services cannot be used as OData services. Nevertheless, OAuth2 authentication can be used for direct HTTP access to the service in Groovy scripts.
Spring Security OAuth2 Identity Provider
<?xml version="1.0" encoding="UTF-8"?>
<odata xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-unitedplanet-de:lucy:server:odata:consumer:cfg consumer.xsd">
<consumer description="" guid="30378A6DEDA601F69D525C7FCAFA7E12CEC114C8" name="SpringOAuth2">
<property name="authenticationType" value="OAUTH2"/>
<property name="additionalAuthenticationTypes" value=""/>
<property name="userName" value="user"/>
<property name="password" value="E54F94C0106981A41312FC14955B164C"/>
<property name="servicePrincipalName" value=""/>
<property name="isSapService" value="false"/>
<property name="sapUseDefaultClientId" value="false"/>
<property name="sapClientId" value=""/>
<property name="sapNetweaverGatewayHost" value=""/>
<property name="sapNetweaverGatewayPort" value=""/>
<property name="sapNetweaverGatewayUseSSL" value="false"/>
<property name="sapSolutionManagerRegistered" value="false"/>
<property name="authTypeSource" value=""/>
<property name="authLoginSource" value=""/>
<property name="authPasswordSource" value=""/>
<property name="authSapClientIdSource" value=""/>
<property name="oauth2.grantType" value="authorization_code"/>
<property name="oauth2.clientAuthenticationScheme" value="form"/>
<property name="oauth2.accessTokenUri" value="https://localhost:9999/uaa/oauth/token"/>
<property name="oauth2.userAuthorizationUri" value="https://localhost:9999/uaa/oauth/authorize"/>
<property name="oauth2.scope" value="openid"/>
<property name="oauth2.clientId" value="acme"/>
<property name="oauth2.clientSecret" value="acmesecret"/>
<property name="oauth2.redirectUri" value="https://localhost/devportal/oauth2"/>
<services>
<service guid="E2050082619BBD33EEDEA97BDCC9223B25244191" name="SpringOauth2" odataSpecVersion="V2" sapCsrfTokenRequired="false" serviceRootURI="https://localhost:8888/res/" useSSL="false"/>
</services>
<userMappings/>
</consumer>
</odata>
Values shown in italics need to be modified.
Microsoft Outlook Online (only http, no OData)
<property name="authenticationType" value="OAUTH2"/> // value has to be OAUTH2
<property name="oauth2.scope" value="https://outlook.office.com/mail.read"/>
<property name="oauth2.authenticationScheme" value="form"/>
<property name="oauth2.clientId" value="<Client ID>"/>
<property name="oauth2.grantType" value="authorization_code"/>
<property name="oauth2.clientAuthenticationScheme" value="form"/>
<property name="oauth2.userAuthorizationUri value="https://login.microsoftonline.com/common/oauth2/v2.0/authorize"/>
<property name="oauth2.clientSecret"value="<Client Secret>"/>
<property name="oauth2.redirectUri" value="https://localhost/devportal/oauth2"/>
<property name="oauth2.accessTokenUri" value= "https://login.microsoftonline.com/common/oauth2/v2.0/token"/>
<services>
<service guid="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" name="Outlook" odataSpecVersion="V2" sapCsrfTokenRequired="false" serviceRootURI="https://outlook.office.com/api/v2.0/me/messages" useSSL="true"/>
</services>
GoogleMail (only http, no OData)
<property name="authenticationType" value="OAUTH2"/> // value has to be OAUTH2
<property name="oauth2.scope" value="https://mail.google.com/"/>
<property name="oauth2.authenticationScheme" value="header"/>
<property name="oauth2.clientId" value="<Client ID>"/>
<property name="oauth2.grantType" value="authorization_code"/>
<property name="oauth2.clientAuthenticationScheme" value="header"/>
<property name="oauth2.userAuthorizationUri value="https://accounts.google.com/o/oauth2/auth"/>
<property name="oauth2.clientSecret"value="<Client Secret>"/>
<property name="oauth2.redirectUri" value="https://localhost/devportal/oauth2"/>
<property name="oauth2.accessTokenUri" value= "https://accounts.google.com/o/oauth2/token"/>
<services>
<service guid="XXXXXXXXXXXXXXXXXXXXXXXXXXXXX" name="GMail Inbox" odataSpecVersion="V2" sapCsrfTokenRequired="false" serviceRootURI="https://www.googleapis.com/gmail/v1/users/firstname.lastname@googlemail.com/messages/" useSSL="true"/>
</services>
Connection timeout
If the "Active" setting is set here, the desired connection timeout can be defined if required.
Click "Next".
OData services
In this dialog, you can create a new service by clicking on "Create new service".
Enter service
The same dialog is used in the configuration for SAP gateway connections. You can find all the information here.
If you want to use our example for the OData connection, enter the name "Termine" and the service URL in this dialog. You can find the endpoint URL in the general information in OData services you have created yourself. It can be adopted and entered here as a service URL.
Use SSL
Activate this setting if the service requires an SSL-encrypted connection.
Activate Etag
Activate this setting if so-called Etag headers must be set for the manipulation of data.
OData V4
With this setting, OData V4 services can be consumed. In this case, a subset of the OData V4 features, which corresponds to the range of functions for OData V2, is supported by Intrexx.
Click on "Finish".
The service settings can be edited by clicking on "Edit service".
"Remove service" deletes the currently selected service. Services can only be deleted if they are not already being used in an application or process.
Click "Next".
Registration information
Username / Password / SAP Client ID
From user management
With this option, the login name, password and SAP client ID are obtained from the user administration.
From web input
The login data is requested here when the application in which the connection is used is called up.
Click "Next".
Additional users
Additional users for service access can be defined here, e.g. for processes in which access to the service or the system should always take place under a specific user, regardless of the user currently logged into Intrexx.
Column "Intrexx user"
Displays the name of the user with the path from the user structure.
Service login" column
Displays the assigned service login.
Add additional user /
Edit additional user
Opens a dialog in which an additional user can be selected or edited.
User selection
Intrexx user
Displays the path and name of a selected user.
Search for user
Opens a dialog in which a user can be selected from the "User" module.
Depending on the authentication method, you can then specify a certificate file, service login and password.
File name
Displays the path and name of the certificate file.
Select file
Opens a dialog where the certificate file can be selected.
Service login
Enter the service login here.
Password
Enter the password.
Click "Finish" to save changes and close the dialog again.
Delete additional user
Removes the currently selected additional user from the list.
Click "Next".
Connection test
Click on "Test" to test the connection. Corresponding messages can be found in the output field. The configuration is completed by clicking on "Finish".
Edit connection
The connection is now shown on the right. Via the main menu "OData" or the context menu of the connection, you can access all functions for editing if the connection is selected.
Data groups" column
The number of data groups that are integrated with external data groups in applications is displayed here.
Kerberos (Intrexx Token Service)
The Intrexx Kerberos Token Provider is a Web service which an Intrexx Portal server can use to request Kerberos tokens for Single Sign On authentication for portal users with external systems. This service is primarily required if several accesses to an external system are required during the processing of a user request in the portal server, whereby each individual access requires a Kerberos ticket for authentication. Per Web request, only one ticket for each external system is available to the portal server. The portal server can use this to log in to the Intrexx Kerberos Token Provider in the context of a portal user and will then receive multiple tokens for processing each request for the external system.
System requirements
Integrated Windows authentication must be activated for the Intrexx portal and the Connector. This feature is supported by Windows Server version 2008 and upwards. The Internet Information Server and .NET 4.5 must be installed on the Intrexx server.
Installation and configuration
The web application for the Kerberos Token Service can be found as a ZIP file "ixkrbtokenservice.zip" in the installation directory "adapter/odata/kerberos". Unpack the files to a folder of your choice on the server e.g. ""C:\inetpub\wwwroot\ixkrbtokenservice"". Now create a new Web application in IIS with the following settings:
Select an application pool which supports .NET Framework Version 4.0.
The "Authentication" view must then be opened for the application. Deactivate all methods there except for "Windows authentication". Negotiate" must be set as the provider and kernel mode authentication must also be activated. The service can now be tested in the browser. To do this, call up the URL https://localhost/ixkrbservice/api/Token in your browser. In addition, the query parameter "spn" can be used to directly specify the service princpal name of the server in order to test the ticket request for this server. A message like the one below should appear in the browser:
Depending on the browser, the result can either appear as an XML or JSON document. The number of tickets to be generated can be set in the web.config file in the service directory using the "maxTokenCount" parameter. As a default, 5 tickets are generated per request.
Next steps
To use the data from the connection, integrate the connection into any application in the next step. You can find all the information here.