Logging In and Out Using Basic Authentication with Service Layer API

Objective

After completing this lesson, you will be able to securely authenticate and manage sessions with the Service Layer API using Basic Authentication.

Login and Logout Types

The Service Layer enforces a secure connection over HTTPS, using TLS version 1.2 or 1.3.

The Service Layer needs a valid X.509 certificate. The certificate is stored at <Installation Folder>/ServiceLayer/Conf/server.crt and the private key is stored at <Installation Folder>/ServiceLayer/Conf/server.key. By default, the Service Layer uses a self-signed certificate. However, for security reasons, we strongly recommend that you specify a valid certificate during the installation process. For further information, refer to the SAP Business One Administrator’s Guide.

Before you perform any operation in the Service Layer, you must log in.

Service Layer supports two types of authentication schemes:

  • Basic Authentication
  • OAuth Authentication

Basic Authentication

SAP Business One Service Layer supports the Basic authentication scheme. With HTTPS TLS encryption and security certificates, you can use an SAP Business One user ID and password to sign in to the SAP Business One database. This is the most widely used authentication scheme.

Basic Authentication has some advantages over OAuth Authentication: it is simple to implement and it is a good fit for internal or low-security applications.

However, Basic Authentication has drawbacks:

  • It is less secure (credentials are sent with every request).
  • Sessions are harder to manage.
  • It is not ideal for public-facing or third-party integrated applications.

The following graphic and steps demonstrate the interaction between a Service Layer Application and a Service Layer Service during authentication.

Figure: The authentication process between a Service Layer Application and a Service Layer Service, from the initial GET request through the 401 Unauthorized challenge, the request for user credentials, the resent GET request with credentials, and the final 200 OK or 401 Unauthorized response.
  1. The Service Layer Application sends a GET request (HTTP/1.1) to the Service Layer Service.
  2. The Service Layer Service responds with HTTP/1.1 401 Unauthorized.
  3. The Service Layer Application asks the user for credentials.
  4. The Service Layer Application sends another GET request (HTTP/1.1) with the provided credentials to the Service Layer Service.
  5. The Service Layer Service checks the credentials.
  6. If the credentials are valid, the Service Layer Service responds with HTTP/1.1 200 OK.
  7. If the credentials are not valid, the Service Layer Service responds with HTTP/1.1 401 Unauthorized.

How to Use Basic Authentication Using Service Layer API

This video shows you how to log in and log out using Basic Authentication.

Note

For more information on different connection methods through Service Layer, refer to SAP Help Portal - Service Layer Connection References.

Complete a Session Life Cycle Using Login and Logout

In this exercise, you practice logging in and logging out using Basic Authentication. Before starting this exercise, make sure you have installed a REST API client tool, such as Postman.

Steps

  1. Disable all OIDC identity providers (IDPs) in your SLD (https://<sldserver>:40000/ControlCenter/).

  2. Set up the user in SAP Business One (for example, manager). Make sure the password reset required after the first login has been completed.

  3. Amend the following HTTP sample request and send it to log in.

  4. Sample request:

    POST https://localhost:50000/b1s/v2/Login
    {"CompanyDB": "DemoDB", "UserName": "manager", "Password": "1234abce!"}

    Note

    The sample request above follows this syntax:

    POST https://<Server Name/IP>:<Port>/b1s/v2/Login

    {"CompanyDB": "<Databasename>", "UserName": "<userid>", "Password": "<password>"}

    • <Server Name/IP> is the Service Layer server name. You can find this information on the SAP Business One SLD Services tab.
    • <Port> is the Service Layer port. You can find this information on the SAP Business One SLD Services tab.
    • <Databasename> is the company database name. You can find it on the SAP Business One SLD DB Instances and Companies tab, under the companies list. The name is case sensitive and must match exactly what is shown in the SLD.
    • <userid> is the SAP Business One user ID.
    • <password> is the SAP Business One password.

  5. Check the response:

    1. Check the response code - it should be 200 if the HTTP request for login was successful.

    2. Check the response content - it should contain the link to the metadata and the SessionId.

  6. Amend the following HTTP sample request and send it to retrieve the metadata for OData v4.

  7. Sample request:

    GET https://localhost:50000/b1s/v2/$metadata

  8. Check the response:

    1. Check the response code - it should be 200.

    2. Check the response content - it should contain the metadata in XML format.

    3. Check the SessionId in the request header - it should contain the same string as received in the login request.

  9. Amend the following HTTP sample request and send it to retrieve the metadata for OData v3.

  10. Sample request:

    GET https://localhost:50000/b1s/v1/$metadata

  11. Check the response:

    1. Check the response code - there is no session established for v1 from login, so this request will fail. It should be 401.

    2. Check the response content - "Invalid session or session already timeout." will be returned.

  12. Amend the following HTTP sample request and send it to log out.

  13. Sample request:

    GET https://localhost:50000/b1s/v2/Logout

  14. Check the response:

    1. Check the response code - it should be 204.

    2. Check the response content - no content will be returned.

  15. Amend the following HTTP sample request, keep the SessionId that was logged out in the previous request, and send it to retrieve the metadata for OData v4.

  16. Sample request:

    GET https://localhost:50000/b1s/v2/$metadata

  17. Check the response:

    1. Check the response code - since the session was closed by the logout, this request will fail. It should be 401.

    2. Check the response content - "Invalid session or session already timeout." will be returned.
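The session life cycle of the exercise above (login, v2 metadata, v1 metadata, logout, v2 metadata again), replayed end to end against a constructed local stand-in for the Service Layer. This is an added example, not SAP's code: the fake server, its responses, the SessionTimeout value and the B1SESSION cookie name used to carry the SessionId are assumptions; the real Service Layer is reached over HTTPS, while the local fake listens on plain HTTP.

```python
import json, secrets, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen
from urllib.error import HTTPError
# Constructed stand-in for the session rules in the exercise: Login issues a SessionId, every v2
# call must present it (assumed here as a B1SESSION cookie), Logout revokes it, v1 never sees it.
SESSIONS = set()

class FakeServiceLayer(BaseHTTPRequestHandler):
    def _reply(self, code, body, headers=()):
        self.send_response(code)
        for name, value in headers: self.send_header(name, value)
        self.end_headers(); self.wfile.write(body.encode())
    def do_POST(self):  # step 3: a valid login issues the session and sets the cookie
        body = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        if self.path != "/b1s/v2/Login" or body.get("Password") != "1234abce!":
            return self._reply(401, '{"error":{"message":"Login failed"}}')
        sid = secrets.token_hex(8); SESSIONS.add(sid)
        self._reply(200, json.dumps({"SessionId": sid, "SessionTimeout": 30}),
                    [("Set-Cookie", "B1SESSION=%s; Path=/; HttpOnly; Secure" % sid)])
    def do_GET(self):  # steps 6-17: metadata needs a live v2 session; logout revokes it
        cookies = dict(c.strip().split("=", 1) for c in self.headers.get("Cookie", "").split(";") if "=" in c)
        sid = cookies.get("B1SESSION")
        if sid not in SESSIONS or not self.path.startswith("/b1s/v2/"):
            self._reply(401, '{"error":{"message":"Invalid session or session already timeout."}}')
        elif self.path == "/b1s/v2/Logout":
            SESSIONS.discard(sid); self._reply(204, "")
        else:
            self._reply(200, "<edmx:Edmx/>")  # stands in for the $metadata XML

def start_fake_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeServiceLayer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]  # plain HTTP only because it is local

def call(base, method, path, body=None, sid=None):
    req = Request(base + path, data=json.dumps(body).encode() if body else None, method=method)
    if sid: req.add_header("Cookie", "B1SESSION=" + sid)  # replay the SessionId from login
    try:
        with urlopen(req) as r: return r.status, r.read().decode()
    except HTTPError as e: return e.code, e.read().decode()  # 401 is a result, not a crash

def run_session_cycle(base, password="1234abce!"):
    """Replays the exercise and returns the status code of each request in order."""
    status, text = call(base, "POST", "/b1s/v2/Login",
                        {"CompanyDB": "DemoDB", "UserName": "manager", "Password": password})
    if status != 200: return [status]  # wrong credentials: 401 and no session to continue with
    sid = json.loads(text)["SessionId"]
    return [status, call(base, "GET", "/b1s/v2/$metadata", sid=sid)[0],
            call(base, "GET", "/b1s/v1/$metadata", sid=sid)[0],
            call(base, "GET", "/b1s/v2/Logout", sid=sid)[0],
            call(base, "GET", "/b1s/v2/$metadata", sid=sid)[0]]
```

Call start_fake_server() and pass its URL to run_session_cycle(); the status sequence matches the exercise, [200, 200, 401, 204, 401], and a wrong password stops at the first 401.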

Result

You have performed a login/logout operation using Basic Authentication and checked how the session is used for subsequent requests.

Summary

  • The Service Layer supports two authentication schemes: Basic Authentication and OAuth Authentication.

  • Basic Authentication uses user ID and password, while OAuth Authentication uses access tokens for secure authentication.

  • Session management through unique SessionID and ROUTEID cookies maintains authenticated state across multiple requests.

  • Login and logout operations establish and terminate sessions, with metadata access confirming successful authentication.

  • Authentication failures return HTTP 401 errors with clear error messages for troubleshooting access issues.