Logging In and Logging Out Using Service Layer API

Objective

After completing this lesson, you will be able to log in and log out using the Service Layer API.

Login and Logout Types

The Service Layer enforces secure connection via HTTPS encryption with TLS version 1.2 or 1.3.

The Service Layer needs a valid X.509 certificate. The certificate is stored at <Installation Folder>/ServiceLayer/Conf/server.crt and the private key at <Installation Folder>/ServiceLayer/Conf/server.key. By default, the Service Layer uses a self-signed certificate. However, for security reasons, we strongly recommend that you specify a valid certificate during the installation process. For further information, refer to the SAP Business One Administrator's Guide.

Before you perform any operation in the Service Layer, you must log in.

Service Layer supports two types of authentication schemes:

  • Basic Authentication
  • OAuth Authentication

Basic Authentication

SAP Business One Service Layer supports the Basic authentication scheme. With HTTPS (TLS) encryption and security certificates, you can use an SAP Business One user ID and password to sign in to the SAP Business One database. This is the most widely used authentication scheme.

There are several advantages of using Basic Authentication over OAuth Authentication. For example, it is simple to implement and good for internal or low-security applications.

However, Basic Authentication is:

  • Less secure (the credentials are sent with every request).
  • Harder to manage sessions with.
  • Not ideal for public-facing or third-party integrated applications.

The following graphic and information demonstrate the interaction between a Service Layer Application and a Service Layer Service during an authentication process.

The authentication process between a Service Layer Application and a Service Layer Service. It includes steps like sending a GET request, receiving a 401 Unauthorized response, requesting user credentials, resending the GET request with credentials, and the service responding with either 200 OK or 401 Unauthorized.
  1. The Service Layer Application sends a GET request (HTTP/1.1) to the Service Layer Service.
  2. The Service Layer Service responds with HTTP/1.1 401 Unauthorized.
  3. The Service Layer Application asks the user for credentials.
  4. The Service Layer Application sends another GET request (HTTP/1.1) with the provided credentials to the Service Layer Service.
  5. The Service Layer Service checks the credentials.
  6. If the credentials are valid, the Service Layer Service responds with HTTP/1.1 200 OK.
  7. If the credentials are not valid, the Service Layer Service responds with HTTP/1.1 401 Unauthorized.

How to Use Basic Authentication Using Service Layer API

This video shows you how to both log in and log out using Basic Authentication.

Note

For more information on different connection methods through Service Layer, refer to SAP Help Portal - Service Layer Connection References.

Complete a Session Life Cycle Using Login and Logout

In this exercise, you practice logging in and logging out using Basic Authentication. Before starting this exercise, make sure you have installed a REST API client tool, such as Postman.

Steps

  1. Disable all OIDC identity providers (IDPs) in your SLD (https://<sldserver>:40000/ControlCenter/).

  2. Set up the user in SAP Business One (for example, manager). Make sure the password reset is done after the first login.

  3. Amend the following HTTP sample request and send it to log in:

  4. Sample request

    POST https://localhost:50000/b1s/v2/Login

    {"CompanyDB": "DemoDB", "UserName": "manager", "Password": "1234abce!"}

    Note

    The sample request above follows this syntax:

    POST https://<Server Name/IP>:<Port>/b1s/v2/Login

    {"CompanyDB": "<Databasename>", "UserName": "<userid>", "Password": "<password>"}

    • <Server Name/IP> is the Service Layer server name. You can get this information on the SAP Business One SLD Services tab.
    • <Port> is the Service Layer port. You can get this information on the SAP Business One SLD Services tab.
    • <Databasename> is the company database name. You can get this information on the SAP Business One SLD DB Instances and Companies tab, under the companies list. The name is case sensitive and must match exactly as shown in the SLD.
    • <userid> is the SAP Business One user ID.
    • <password> is the SAP Business One password.

  5. Check the response:

    1. Check the response code - it should be 200 if the HTTP request for login was successful.

    2. Check the response content - it should contain the link to the metadata and the SessionId.

  6. Amend the following HTTP sample request and send it to retrieve metadata for OData v4:

  7. Sample request

    GET https://localhost:50000/b1s/v2/$metadata

  8. Check the response:

    1. Check the response code - it should be 200.

    2. Check the response content - it should contain the metadata in XML format.

    3. Check the SessionId in the request header - it should contain the same string as received in the login response.

  9. Amend the following HTTP sample request and send it to retrieve metadata for OData v3:

  10. Sample request

    GET https://localhost:50000/b1s/v1/$metadata

  11. Check the response:

    1. Check the response code - no session was established for v1 by the login, so this request will fail. It should be 401.

    2. Check the response content - "Invalid session or session already timeout." will be returned.

  12. Amend the following HTTP sample request and send it to log out:

  13. Sample request

    GET https://localhost:50000/b1s/v2/Logout

  14. Check the response:

    1. Check the response code - it should be 204.

    2. Check the response content - no content will be returned.

  15. Amend the following HTTP sample request, keeping the SessionId that was logged out in the previous request, and send it to retrieve metadata for OData v4:

  16. Sample request

    GET https://localhost:50000/b1s/v2/$metadata

  17. Check the response:

    1. Check the response code - since the session was closed by the logout, this request will fail. It should be 401.

    2. Check the response content - "Invalid session or session already timeout." will be returned.
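
The whole session life cycle from this exercise (login, metadata with the session, the v1 call that has no session, logout, and the rejected call after logout), as an added Python example that is not part of this course or of the Service Layer product. It assumes the host, port, database and user from the sample requests, assumes the SessionId is returned to the server as the B1SESSION cookie, and ships with a constructed offline stand-in (FakeServiceLayer) so the expected status codes can be checked without a server:

```python
import json
import urllib.error
import urllib.request

BASE = "https://localhost:50000/b1s"  # host and port used in the exercise
# Status code the exercise expects at each step of the session life cycle.
EXPECTED = {"login": 200, "metadata_v2": 200, "metadata_v1": 401,
            "logout": 204, "metadata_after_logout": 401}

def http_transport(method, url, headers=None, body=None):
    """Real transport: (status, body). TLS verification stays on: trust or replace server.crt."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()

def session_lifecycle(transport, company_db, user, password):
    """Login, v2 metadata, v1 metadata, logout, v2 metadata again -> {step: status}."""
    payload = json.dumps({"CompanyDB": company_db, "UserName": user, "Password": password})
    status, body = transport("POST", f"{BASE}/v2/Login",
                             {"Content-Type": "application/json"}, payload.encode())
    results = {"login": status}
    if status != 200:
        return results  # no SessionId to reuse, so stop here
    # Assumption: Service Layer expects the SessionId back as the B1SESSION cookie.
    cookie = {"Cookie": f"B1SESSION={json.loads(body)['SessionId']}"}
    for step, path in [("metadata_v2", "/v2/$metadata"), ("metadata_v1", "/v1/$metadata"),
                       ("logout", "/v2/Logout"), ("metadata_after_logout", "/v2/$metadata")]:
        results[step] = transport("GET", BASE + path, cookie)[0]
    return results

class FakeServiceLayer:
    """Constructed offline stand-in with the session semantics the exercise describes."""
    def __init__(self, password):
        self.password, self.live = password, set()
    def __call__(self, method, url, headers=None, body=None):
        if url.endswith("/v2/Login") and method == "POST":
            if json.loads(body)["Password"] != self.password:
                return 401, '{"error": {"message": "Login failed"}}'
            self.live.add("sess-1")
            return 200, '{"SessionId": "sess-1", "SessionTimeout": 30}'
        sid = (headers or {}).get("Cookie", "").removeprefix("B1SESSION=")
        if "/v2/" not in url or sid not in self.live:  # v1 has no session; closed ids rejected
            return 401, '{"error": {"message": "Invalid session or session already timeout."}}'
        if url.endswith("/Logout"):
            self.live.discard(sid)
            return 204, ""
        return 200, "<edmx:Edmx/>"
```

Run `session_lifecycle(http_transport, "DemoDB", "manager", <password>)` against a lab server and compare the returned dict with EXPECTED; the same call with `FakeServiceLayer(<password>)` reproduces the expected codes offline.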

Result

You have performed a login/logout operation using Basic Authentication and checked how the session is used for subsequent requests.

OAuth Authentication

Service Layer also supports OpenID Connect (OIDC), which is an interoperable authentication protocol based on the OAuth 2.0 framework.

OIDC allows clients to confirm an end user’s identity using authentication by an authorization server. With OIDC, you can use a single and existing account (from identity providers such as SAP IAS) to sign into SAP Business One and further strengthen security by using IDP’s features, such as two-factor authentication (2FA), without ever needing to create another username and password.

There are several advantages to using OAuth Authentication over Basic Authentication:

  • Higher security
  • Token-based
  • Supports session management
  • Granular control over access
  • Better for external integration

Disadvantages include:

  • More complex to implement.
  • Requires managing tokens.
  • Typically requires more setup.

The following graphic and information demonstrate the OAuth authentication flow in the Service Layer implementation.

This image shows the OAuth 2.0 authorization flow in six steps between a client and various services, including the Authentication Service, IDP Service, and Service Layer. The steps involve exchanging authorization requests, grants, access tokens, and protected resources.
  1. The user sends an e-mail ID for verification.
  2. If the ID matches, the user is redirected to the respective IDP for authentication.
  3. The user authenticates by providing the user ID and password.
  4. If authentication is successful, an access token is sent back to the Service Layer application.
  5. The user application uses the access token in its requests to the Service Layer.
  6. If the access token is valid, the Service Layer provides a response for the request.

How to Use OAuth Authentication Using Service Layer API

This video shows you how to generate OAuth access tokens using the Postman tool and use them with the Service Layer API.

You’ll learn more about OIDC configuration related to SAP Business One in the SAP BTP course in this learning journey. You can also refer to the following resources:
