Simplifying SAP BTP Authentication in Pipelines with SAP Passport and Playwright

Logging into SAP BTP through client certificate authentication, especially in automated pipelines, can be challenging. Although SAP Passport offers a secure way to authenticate, until now, this has been feasible primarily for local environments, as pipelines often struggled to handle certificate-based logins effectively. Leveraging Playwright's new client certificate handling feature, I created an npm package, playwright-client-certificate-login, to enable seamless SAP Passport-based logins, even in pipeline contexts.

Why SAP Passport for Pipeline Authentication?

SAP Passport is a client certificate that offers an alternative to password-based authentication for SAP services. However, because certificate management is complex in headless and pipeline environments, the only alternative is currently username and password. The Universal ID does not make that login process any easier, so a certificate is much simpler here, especially in CI/CD pipelines. Playwright’s support for client certificates enables us to automate these logins effectively.

How does authentication with a certificate work in Playwright?

Playwright enables client certificate-based authentication by setting certificates directly in the browser context. This allows automated authentication as part of the initial HTTPS request.

In CertificateAuthSession, certificate details are configured based on provided paths or buffers:

  • PFX Certificate: For SAP Passport, a single PFX file (optionally encrypted) is read and attached to Playwright's context.

  • PEM Certificate: Alternatively, Playwright supports PEM format, allowing both certificate and private key to be set separately.

The code sets up the context with the certificate:

This configuration allows Playwright to authenticate using the client certificate automatically when accessing the specified origin.
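As an added example (not code from the article or from the playwright-client-certificate-login package), here is one way to build the `clientCertificates` entry from pipeline secrets and fail early on a malformed secret. It assumes the secrets SAPPFX_BASE64 and SAPPFX_PASSPHRASE described later in the article are exposed as environment variables of the same name; the function names and the example.com origin and URL are hypothetical placeholders.

```javascript
// Added example. Env var names mirror the GitHub secrets named in the article;
// EXAMPLE_ORIGIN and EXAMPLE_URL are constructed placeholders, not SAP endpoints.
const EXAMPLE_ORIGIN = 'https://login.example.com';
const EXAMPLE_URL = 'https://cockpit.example.com/';

// Build one Playwright `clientCertificates` entry from pipeline secrets.
// The PFX is decoded in memory, so this code never writes the private key to disk.
function buildClientCertificate(env, origin) {
  const b64 = (env.SAPPFX_BASE64 || '').replace(/\s+/g, ''); // base64 tools often wrap lines
  const passphrase = env.SAPPFX_PASSPHRASE;
  if (!b64) throw new Error('SAPPFX_BASE64 is not set');
  if (!passphrase) throw new Error('SAPPFX_PASSPHRASE is not set');
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64) || b64.length % 4 !== 0) {
    throw new Error('SAPPFX_BASE64 is not valid base64');
  }
  const pfx = Buffer.from(b64, 'base64');
  // A PKCS#12 file is a DER SEQUENCE, so its first byte is 0x30. This catches a
  // secret that holds a PEM file or a truncated paste before the TLS handshake fails.
  if (pfx[0] !== 0x30) throw new Error('decoded secret is not a DER-encoded PFX');
  const u = new URL(origin);
  if (u.protocol !== 'https:') throw new Error('origin must be https');
  // Reduce to the exact origin: the certificate is offered to no other host.
  return { origin: u.origin, pfx, passphrase };
}

// Open a context that presents the certificate and return the session cookies.
// Requires a Playwright version whose clientCertificates option accepts buffers.
async function loginWithCertificate(env, origin, url, timeout = 30000) {
  const { chromium } = await import('playwright'); // loaded lazily, only when logging in
  const browser = await chromium.launch();
  try {
    const context = await browser.newContext({
      clientCertificates: [buildClientCertificate(env, origin)],
    });
    const page = await context.newPage();
    await page.goto(url, { timeout });
    return await context.cookies();
  } finally {
    await browser.close(); // closes the browser and all of its contexts
  }
}
```

In a pipeline this would be called as `loginWithCertificate(process.env, EXAMPLE_ORIGIN, EXAMPLE_URL)` with the placeholders replaced by the real login origin and target URL.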

About the playwright-client-certificate-login package

The playwright-client-certificate-login package abstracts the authentication process, letting you specify certificate details in multiple formats, navigate to SAP BTP, and handle session cookies and headers for subsequent API interactions. The actual abstraction is very simple, so you could also implement it yourself.

Here’s a look at its core configuration options:

  • origin: URL the certificate is valid for.

  • url: Target URL for authentication.

  • certPath/keyPath or pfxPath: Certificate file paths in PEM or PFX formats.

  • passphrase: Passphrase for encrypted certificates.

  • timeout: Page load timeout for authentication.

How to use the playwright-client-certificate-login package

A complete example can be found here in the GitHub repository:

https://github.com/marianfoo/sap-btp-cert-auth

To use the authentication package, carry out the following steps:

1. Get your SAP Passport

Follow the steps and download your pfx file:

https://support.sap.com/en/my-support/single-sign-on-passports.html

2. Installation

Install the package using npm in your project:

3. Environment Variables

Set the certificate passphrase as an environment variable for better security:

4. Configure the Certificate Session

If the login is successful, you can access the Playwright instance or the cookies and then, if necessary, execute requests with another framework (wdio, axios, fetch).

Setting Up GitHub Actions for SAP Passport Authentication

To extend the authentication process to a CI/CD pipeline on GitHub Actions, follow these steps:

1. Encode your PFX file in base64 format:

Save the base64-encoded certificate as a GitHub secret named SAPPFX_BASE64.

2. Add the passphrase as another GitHub secret, named SAPPFX_PASSPHRASE.

3. Configure the GitHub Actions workflow. Here’s a sample configuration to set up, authenticate, and test SAP BTP access.

This workflow checks out the current repository, installs Playwright for authentication in the headless Chromium browser, reads the base64 PFX file from the secret, and executes the script with the passphrase.

By leveraging Playwright’s client certificate capabilities and SAP Passport, we’ve simplified the process of authenticating to SAP BTP, even within automated CI/CD pipelines. The package provides an efficient and secure way to handle SAP Passport logins, taking advantage of Playwright’s robust feature set to streamline certificate-based authentication.

Hong Ngoc Vu

BTP, Fiori & SAPUI5 Developer | Innovatief - Creatief - Connectief | Aiden Netherlands B.V.


The integration of Playwright and SAP Passport is a game-changer for automating processes in CI/CD environments.
