AWS mcp-sap documentation change
Summary
Added documentation for 'ON_BEHALF_OF_TOKEN_EXCHANGE' authentication flow including parameter updates and deployment example
Security assessment
The changes introduce a new secure authentication pattern (token exchange) and provide deployment guidance. No evidence of fixing existing vulnerabilities; instead it expands security feature documentation for proper implementation of delegated authentication.
Diff
diff --git a/mcp-sap/latest/awsforsapmcp/deployment.md b/mcp-sap/latest/awsforsapmcp/deployment.md index d670f4b95..facb43e62 100644 --- a//mcp-sap/latest/awsforsapmcp/deployment.md +++ b//mcp-sap/latest/awsforsapmcp/deployment.md @@ -7 +7 @@ -Summary of prerequisitesDeployment StepsExample: Basic Authentication DeploymentExample: Machine-to-Machine (M2M) Authentication DeploymentExample: User Federation Authentication DeploymentWhat to expectTroubleshooting deployment failures +Summary of prerequisitesDeployment StepsExample: Basic Authentication DeploymentExample: Machine-to-Machine (M2M) Authentication DeploymentExample: User Federation Authentication DeploymentExample: On-Behalf-Of Token Exchange DeploymentWhat to expectTroubleshooting deployment failures @@ -82 +82 @@ Parameter | Parameter Label | Description | Example -The MCP Server supports three authentication flows for connecting to SAP. Choose the one that matches your SAP system setup. +The MCP Server supports the following authentication flows for connecting to SAP. Choose the one that matches your SAP system setup. @@ -84,7 +84,8 @@ The MCP Server supports three authentication flows for connecting to SAP. Choose -Parameter | Parameter Label | Description | BASIC | M2M | USER_FEDERATION ----|---|---|---|---|--- -`AuthFlow` | Authentication Flow | Authentication flow to use: `BASIC`, `M2M`, or `USER_FEDERATION`. | ✓ | ✓ | ✓ -`SapCredentialsSecret` | Auth Credentials Secret Name | AWS Secrets Manager secret name containing SAP credentials (BASIC) or OAuth client credentials (M2M). | Required | Required | Required -`SapAuthorizeUrl` | Authorization Endpoint | SAP OAuth2 authorization URL. | — | Required | Required -`SapTokenUrl` | Token Endpoint | SAP OAuth2 token URL. | — | Required | Required -`OauthScopes` | Scope(s) | OAuth scopes for SAP access. | — | Required | Required +Parameter | Parameter Label | Description | BASIC | M2M | USER_FEDERATION | ON_BEHALF_OF_TOKEN_EXCHANGE +---|---|---|---|---|---|--- +`AuthFlow` | Authentication Flow | Authentication flow to use: `BASIC`, `M2M`, `USER_FEDERATION`, or `ON_BEHALF_OF_TOKEN_EXCHANGE`. | ✓ | ✓ | ✓ | ✓ +`SapCredentialsSecret` | Auth Credentials Secret Name | AWS Secrets Manager secret name containing SAP credentials (BASIC) or OAuth client credentials. | Required | Required | Required | Required +`SapAuthorizeUrl` | Authorization Endpoint | OAuth2 authorization URL. | — | Required | Required | — +`SapTokenUrl` | Token Endpoint | OAuth2 token URL. | — | Required | Required | — +`OauthScopes` | Scope(s) | OAuth scopes for SAP access. | — | Required | Required | Required +`AppCallbackEndpoint` | Application Callback Endpoint | Client application callback URL. | — | — | Required | — @@ -281,0 +283,36 @@ For machine-to-machine OAuth authentication, include the additional OAuth parame +## Example: On-Behalf-Of Token Exchange Deployment + + + aws cloudformation create-stack \ + --stack-name <your-stack-name> \ + --template-url https://awsforsap-mcp-server-setup-<region>.s3.<region>.amazonaws.com/cfn-launch-template/latest/AwsForSapMcpServerStack.template.json \ + --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \ + --parameters \ + ParameterKey=UniqueId,ParameterValue=<your-unique-id> \ + ParameterKey=SapBaseUrl,ParameterValue=<your-sap-base-url> \ + ParameterKey=SapSystemType,ParameterValue=S4HANA \ + ParameterKey=SapClientNumber,ParameterValue=<your-client-number> \ + ParameterKey=InboundAuthProvider,ParameterValue=EntraId \ + ParameterKey=DiscoveryUrl,ParameterValue=<your-discovery-url> \ + ParameterKey=AllowedAudiences,ParameterValue=<your-allowed-audiences> \ + ParameterKey=AuthFlow,ParameterValue=ON_BEHALF_OF_TOKEN_EXCHANGE \ + ParameterKey=SapCredentialsSecret,ParameterValue=<your-secret-name> \ + ParameterKey=OauthScopes,ParameterValue=<your-oauth-scopes> \ + ParameterKey=McpServerLogLevel,ParameterValue=INFO \ + ParameterKey=McpServerReadEnabled,ParameterValue=true \ + ParameterKey=McpServerWriteEnabled,ParameterValue=false \ + ParameterKey=McpServerCreateEnabled,ParameterValue=false \ + ParameterKey=McpServerUpdateEnabled,ParameterValue=false \ + ParameterKey=McpServerDeleteEnabled,ParameterValue=false \ + ParameterKey=McpServerFunctionImportEnabled,ParameterValue=false \ + ParameterKey=UseSapCatalog,ParameterValue=true \ + ParameterKey=McpServerCustomCatalogBucketUri,ParameterValue=None \ + ParameterKey=McpServerServiceHintsS3Uri,ParameterValue=None \ + ParameterKey=AllowedServicePrefixes,ParameterValue=None \ + ParameterKey=McpServerVpcSecurityGroup,ParameterValue=<your-security-group-id> \ + ParameterKey=McpServerNetworkSubnets,ParameterValue=<your-subnet-ids> + +###### Note + +`ON_BEHALF_OF_TOKEN_EXCHANGE` requires `SapCredentialsSecret`, `DiscoveryUrl`, and `AllowedAudiences`. `AppCallbackEndpoint` and `SapAuthorizeUrl`/`SapTokenUrl` are not required for this flow. +