AWS Security ChangesHomeSearch

AWS mcp-sap documentation change

Service: mcp-sap · 2026-06-25 · Documentation low

File: mcp-sap/latest/awsforsapmcp/deployment.md

Summary

Added documentation for 'ON_BEHALF_OF_TOKEN_EXCHANGE' authentication flow including parameter updates and deployment example

Security assessment

The changes introduce a new secure authentication pattern (token exchange) and provide deployment guidance. No evidence of fixing existing vulnerabilities; instead it expands security feature documentation for proper implementation of delegated authentication.

Diff

diff --git a/mcp-sap/latest/awsforsapmcp/deployment.md b/mcp-sap/latest/awsforsapmcp/deployment.md
index d670f4b95..facb43e62 100644
--- a//mcp-sap/latest/awsforsapmcp/deployment.md
+++ b//mcp-sap/latest/awsforsapmcp/deployment.md
@@ -7 +7 @@
-Summary of prerequisitesDeployment StepsExample: Basic Authentication DeploymentExample: Machine-to-Machine (M2M) Authentication DeploymentExample: User Federation Authentication DeploymentWhat to expectTroubleshooting deployment failures
+Summary of prerequisitesDeployment StepsExample: Basic Authentication DeploymentExample: Machine-to-Machine (M2M) Authentication DeploymentExample: User Federation Authentication DeploymentExample: On-Behalf-Of Token Exchange DeploymentWhat to expectTroubleshooting deployment failures
@@ -82 +82 @@ Parameter | Parameter Label | Description | Example
-The MCP Server supports three authentication flows for connecting to SAP. Choose the one that matches your SAP system setup.
+The MCP Server supports the following authentication flows for connecting to SAP. Choose the one that matches your SAP system setup.
@@ -84,7 +84,8 @@ The MCP Server supports three authentication flows for connecting to SAP. Choose
-Parameter | Parameter Label | Description | BASIC | M2M | USER_FEDERATION  
----|---|---|---|---|---  
-`AuthFlow` |  Authentication Flow |  Authentication flow to use: `BASIC`, `M2M`, or `USER_FEDERATION`. |  ✓ |  ✓ |  ✓  
-`SapCredentialsSecret` |  Auth Credentials Secret Name |  AWS Secrets Manager secret name containing SAP credentials (BASIC) or OAuth client credentials (M2M). |  Required |  Required |  Required  
-`SapAuthorizeUrl` |  Authorization Endpoint |  SAP OAuth2 authorization URL. |  — |  Required |  Required  
-`SapTokenUrl` |  Token Endpoint |  SAP OAuth2 token URL. |  — |  Required |  Required  
-`OauthScopes` |  Scope(s) |  OAuth scopes for SAP access. |  — |  Required |  Required  
+Parameter | Parameter Label | Description | BASIC | M2M | USER_FEDERATION | ON_BEHALF_OF_TOKEN_EXCHANGE  
+---|---|---|---|---|---|---  
+`AuthFlow` |  Authentication Flow |  Authentication flow to use: `BASIC`, `M2M`, `USER_FEDERATION`, or `ON_BEHALF_OF_TOKEN_EXCHANGE`. |  ✓ |  ✓ |  ✓ |  ✓  
+`SapCredentialsSecret` |  Auth Credentials Secret Name |  AWS Secrets Manager secret name containing SAP credentials (BASIC) or OAuth client credentials. |  Required |  Required |  Required |  Required  
+`SapAuthorizeUrl` |  Authorization Endpoint |  OAuth2 authorization URL. |  — |  Required |  Required |  —  
+`SapTokenUrl` |  Token Endpoint |  OAuth2 token URL. |  — |  Required |  Required |  —  
+`OauthScopes` |  Scope(s) |  OAuth scopes for SAP access. |  — |  Required |  Required |  Required  
+`AppCallbackEndpoint` |  Application Callback Endpoint |  Client application callback URL. |  — |  — |  Required |  —  
@@ -281,0 +283,36 @@ For machine-to-machine OAuth authentication, include the additional OAuth parame
+## Example: On-Behalf-Of Token Exchange Deployment
+    
+    
+    aws cloudformation create-stack \
+      --stack-name <your-stack-name> \
+      --template-url https://awsforsap-mcp-server-setup-<region>.s3.<region>.amazonaws.com/cfn-launch-template/latest/AwsForSapMcpServerStack.template.json \
+      --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
+      --parameters \
+        ParameterKey=UniqueId,ParameterValue=<your-unique-id> \
+        ParameterKey=SapBaseUrl,ParameterValue=<your-sap-base-url> \
+        ParameterKey=SapSystemType,ParameterValue=S4HANA \
+        ParameterKey=SapClientNumber,ParameterValue=<your-client-number> \
+        ParameterKey=InboundAuthProvider,ParameterValue=EntraId \
+        ParameterKey=DiscoveryUrl,ParameterValue=<your-discovery-url> \
+        ParameterKey=AllowedAudiences,ParameterValue=<your-allowed-audiences> \
+        ParameterKey=AuthFlow,ParameterValue=ON_BEHALF_OF_TOKEN_EXCHANGE \
+        ParameterKey=SapCredentialsSecret,ParameterValue=<your-secret-name> \
+        ParameterKey=OauthScopes,ParameterValue=<your-oauth-scopes> \
+        ParameterKey=McpServerLogLevel,ParameterValue=INFO \
+        ParameterKey=McpServerReadEnabled,ParameterValue=true \
+        ParameterKey=McpServerWriteEnabled,ParameterValue=false \
+        ParameterKey=McpServerCreateEnabled,ParameterValue=false \
+        ParameterKey=McpServerUpdateEnabled,ParameterValue=false \
+        ParameterKey=McpServerDeleteEnabled,ParameterValue=false \
+        ParameterKey=McpServerFunctionImportEnabled,ParameterValue=false \
+        ParameterKey=UseSapCatalog,ParameterValue=true \
+        ParameterKey=McpServerCustomCatalogBucketUri,ParameterValue=None \
+        ParameterKey=McpServerServiceHintsS3Uri,ParameterValue=None \
+        ParameterKey=AllowedServicePrefixes,ParameterValue=None \
+        ParameterKey=McpServerVpcSecurityGroup,ParameterValue=<your-security-group-id> \
+        ParameterKey=McpServerNetworkSubnets,ParameterValue=<your-subnet-ids>
+
+###### Note
+
+`ON_BEHALF_OF_TOKEN_EXCHANGE` requires `SapCredentialsSecret`, `DiscoveryUrl`, and `AllowedAudiences`. `AppCallbackEndpoint` and `SapAuthorizeUrl`/`SapTokenUrl` are not required for this flow.
+