<P>SAP Community - Martin Pankraz (feed generated 2025-01-20 by python-feedgen from https://raw.githubusercontent.com/ajmaradiaga/feeds/main/scmt/members/sap-champions/Martin-Pankraz.xml)</P>
<H1><A href="https://community.sap.com/t5/technology-blogs-by-sap/provision-users-from-microsoft-azure-ad-to-sap-cloud-identity-services/bc-p/13660041#M171473">Re: Provision users from Microsoft Azure AD to SAP Cloud Identity Services - Identity Authentication</A></H1>
<P><A href="https://community.sap.com/t5/user/viewprofilepage/user-id/143781">Martin-Pankraz</A>, 2024-04-05</P>
<P>Hey <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/823618">@tskwin</a>,</P><P>Not sure what your requirements are. If you need to sync groups, you require SAP IPS. The mechanism described in our docs before is about mapping based on attributes like groups but actually re-creating them on the SAP side.</P><P>In general, like with any integration project, less redundancy and a single source of truth are beneficial.</P><P>KR Martin</P>
<H1><A href="https://community.sap.com/t5/technology-blogs-by-sap/single-sign-on-to-sap-cloud-integration-cpi-runtime-from-an-external/bc-p/13666514#M171635">Re: Single Sign On to SAP Cloud Integration (CPI runtime) from an external Identity Provider</A></H1>
<P><A href="https://community.sap.com/t5/user/viewprofilepage/user-id/143781">Martin-Pankraz</A>, 2024-04-11</P>
<P>Thank you for sharing <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/216068">@vinayak_adkoli</a>! I am curious what scenarios require a people-based interactive authentication flow for CPI. Shouldn't this be solved on the app layer rather than in the iflow?
SAP Principal Propagation would then be achieved through token exchange on CPI level.</P>
<H1><A href="https://community.sap.com/t5/technology-blogs-by-members/it-has-never-been-easier-to-print-from-sap-with-microsoft-universal-print/ba-p/13672206">It has never been easier to print from SAP with Microsoft Universal Print</A></H1>
<P><A href="https://community.sap.com/t5/user/viewprofilepage/user-id/143781">Martin-Pankraz</A>, 2024-04-16</P>
<TABLE border="1" width="100%"><TBODY><TR><TD width="100%">👉 back to <A href="https://learn.microsoft.com/azure/sap/workloads/universal-print-sap-frontend" target="_blank" rel="noopener nofollow noreferrer"><STRONG>Microsoft Learn</STRONG></A> or jump to the <A href="https://github.com/Azure/universal-print-for-sap-starter-pack" target="_blank" rel="noopener nofollow noreferrer">GitHub repos</A> 🧑🏽‍💻</TD></TR></TBODY></TABLE><P>Dear community,</P><P>Printing from SAP is rarely discussed amid all the <a href="https://community.sap.com/t5/c-khhcw49343/SAP+S%25252F4HANA/pd-p/73554900100800000266" class="lia-product-mention" data-product="799-1">SAP S/4HANA</a> cloud migration chatter, AI bliss, and sustainability efforts to avoid printing at all (don't print this blog post 😈). For some of you it is similarly mission critical, nevertheless.</P><P>For instance, consider a manufacturer that needs to print and attach labels to their products before they leave the factory. In case of a disruption, delivery is halted!
It can be equally bad as an ERP outage.</P><P>Printer management and driver software maintenance for the different vendors are among the causes of headaches. Anyone emotionally attached to print servers 💖? I hope not…</P><P>Those days are gone now: you will see the future with cloud printing and <A href="https://learn.microsoft.com/azure/sap/workloads/universal-print-sap-frontend" target="_blank" rel="noopener nofollow noreferrer">Microsoft Universal Print</A> today! No more print servers!</P><P>Crowd 🎉: Yes, and no more laser cartridge changes or replenishing paper stacks!</P><P><EM>Don't be ridiculous! Of course, you will still change cartridges and replenish paper! Till the robots come, at least.</EM></P><P>However, the drivers, print servers, and complicated setups are gone 😊 And yes, it works with RISE, GROW, Azure, other hyperscalers, on-premises, and even down in your dark cellar where the poor "Raspberry Pies" are ticking away legacy integrations 📱 if they have an Internet uplink.</P><H1 id="toc-hId-863440810">Enabling your SAP Business Users (Frontend Printing)</H1><P><A href="https://help.sap.com/docs/SAP_NETWEAVER_750/290ce8983cbc4848a9d7b6f5e77491b9/4e96bc2a7e9e40fee10000000a421937.html" target="_blank" rel="noopener noreferrer">SAP front-end printing</A> sends output to a printer available to the user on their front-end device, in other words a printer accessible by the operating system.
The same client computer runs SAP GUI or a browser (Fiori, BTP apps, WebGUI, you name it). To use Universal Print, you need to have access to such printers:</P><UL><LI>Client OS with support for Universal Print</LI><LI>Universal Print printer added to your Windows client</LI><LI>Able to print on the Universal Print printer from the OS</LI></UL><P>See the <A href="https://learn.microsoft.com/en-us/universal-print/fundamentals/universal-print-getting-started#step-4-add-a-universal-print-printer-to-a-windows-device.md" target="_blank" rel="noopener nofollow noreferrer">Universal Print documentation</A> for details on these prerequisites.</P><P>Find more details on the overall setup for SAP on the dedicated <A href="https://learn.microsoft.com/azure/sap/workloads/universal-print-sap-frontend" target="_blank" rel="noopener nofollow noreferrer">Microsoft Learn</A> page.</P><H1 id="toc-hId-666927305">Enabling unattended SAP processes (Backend Printing)</H1><P>SAP offers the standard OData service "Print Queue Item - Read (A2X)" to enable 3rd-party integration with SAP print queues. You will see the term Output Management Systems (OMS) referenced in other SAP sources and docs entries.</P><P>In collaboration with SAP SE, the capabilities of the communication scenario <A href="https://help.sap.com/docs/SAP_S4HANA_CLOUD/0f69f8fb28ac4bf48d2b57b9637e81fa/1e39bb68bbda4c48af4a79d35f5837e0.html?version=latest" target="_blank" rel="noopener noreferrer">SAP_COM_0466</A> "Printing - Pull Integration" were made available to SAP NetWeaver SAP_BASIS releases 757 and upwards.
Have a look at the <A href="https://help.sap.com/doc/abapdocu_latest_index_htm/latest/en-US/abennews-75.htm" target="_blank" rel="noopener noreferrer">SAP docs</A> to see which ERP releases the components apply to 😊 At the time of publishing this blog, that would be S/4HANA 2022 and upwards.</P><P>See the SAP note "<A href="https://me.sap.com/notes/3420465" target="_blank" rel="noopener noreferrer">3420465 - Print queues in on-premise systems</A>" to learn how to enable this on your own SAP system.</P><P>Given the above preparations, you are ready to integrate the SAP print queues with the <A href="https://learn.microsoft.com/graph/api/resources/print?view=graph-rest-1.0" target="_blank" rel="noopener nofollow noreferrer">Microsoft Graph API</A> that powers Microsoft Universal Print. To get you started, we shipped an open-source project on <A href="https://github.com/Azure/universal-print-for-sap-starter-pack" target="_blank" rel="noopener nofollow noreferrer">GitHub</A>. For ease of use and CI/CD best practices, the app is Terraform enabled. But of course, you could also deploy manually if needed.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center"><img src="https://community.sap.com/t5/image/serverpage/image-id/132966iC33BB1C6608C5A22/image-size/large?v=v2&px=999" alt="fig.1 Architecture Overview" /><span class="lia-inline-image-caption">fig.1 Architecture Overview</span></span></P><UL><LI>Kick off your SAP backend print process however you prefer, with SAP standard means (print function on SAPGUI screens, spool requests etc.).
The simplest means for an integration test would be printing the ALV screen from transaction <STRONG>SP02</STRONG>. Find the print button and choose your new print queue as Output Device.</LI></UL><P><span class="lia-inline-image-display-wrapper lia-image-align-center"><img src="https://community.sap.com/t5/image/serverpage/image-id/97108i2FCE7B10597974AF/image-dimensions/525x496?v=v2" width="525" height="496" alt="fig.2 Screenshot of test print from SAP transaction SP02" /><span class="lia-inline-image-caption">fig.2 Screenshot of test print from SAP transaction SP02</span></span></P><P><EM>Note on the side: the new output device of type "Q: print via print queue" can be maintained from transaction SPAD. Find the setting under "Access Method -> Host Spool Access Method".</EM></P><P>On <a href="https://community.sap.com/t5/c-khhcw49343/SAP+S%25252F4HANA+Cloud+Public+Edition/pd-p/08e2a51b-1ce5-4367-8b33-4ae7e8b702e0" class="lia-product-mention" data-product="1199-1">SAP S/4HANA Cloud Public Edition</a> tenants that ship Fiori apps or don't offer SAPGUI access anymore, use the app "Maintain Print Queues" and trigger "Create Test Page".</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center"><img src="https://community.sap.com/t5/image/serverpage/image-id/97110i2F8A0D7A5E7C659A/image-dimensions/531x388?v=v2" width="531" height="388" alt="fig.3 Screenshot of Fiori app 'Print Queue' to trigger test page print" /><span class="lia-inline-image-caption">fig.3 Screenshot of Fiori app "Print Queue" to trigger test
page print</span></span></P><UL><LI>Our function app on Azure takes care of pulling the SAP print queue items, mapping the queues to your targeted Microsoft Universal Print cloud printer, securely managing the required credentials and identities, and handling robust upload of the print queue items to the cloud.</LI><LI>Once your output device reports back to Universal Print, the app notifies the SAP print queue on NetWeaver about the successful print, again via OData. This way the integration and status tracking work end-to-end.</LI></UL><P>As a result, you will be greeted with a physical hard copy of a test page like this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center"><img src="https://community.sap.com/t5/image/serverpage/image-id/97112iEA188D9B958E29E7/image-size/medium?v=v2&px=400" alt="fig.4 Screenshot of printed test page" /><span class="lia-inline-image-caption">fig.4 Screenshot of printed test page</span></span></P><P>Depending on your needs, the Azure services can be injected into isolated private virtual networks next to the SAP system, for instance. Use <A href="https://learn.microsoft.com/de-de/azure/azure-arc/overview" target="_blank" rel="noopener nofollow noreferrer">Azure Arc</A> to deploy on-premises or to other hyperscalers.</P><P>Not too bad, huh? 😎</P><P>Find the latest deployment instructions, SAP-specific FAQ, and community discussion on our <A href="https://github.com/Azure/universal-print-for-sap-starter-pack" target="_blank" rel="noopener nofollow noreferrer">GitHub repos</A>.
Your contributions are more than welcome!</P><P>For general FAQ on Universal Print see <A href="https://learn.microsoft.com/universal-print/fundamentals/universal-print-faqs" target="_blank" rel="noopener nofollow noreferrer">Microsoft Learn</A>. In case you are looking to integrate special label printers, have a look <A href="https://learn.microsoft.com/universal-print/fundamentals/universal-print-label-printing" target="_blank" rel="noopener nofollow noreferrer">here</A>.</P><H1 id="toc-hId-470413800">Thoughts on production readiness</H1><P>Most <A href="https://learn.microsoft.com/universal-print/fundamentals/universal-print-partner-integrations#universal-print-ready-printers" target="_blank" rel="noopener nofollow noreferrer">print device manufacturers</A> already support Microsoft Universal Print. If they don't yet, check Microsoft's <A href="https://learn.microsoft.com/universal-print/fundamentals/universal-print-connector-overview" target="_blank" rel="noopener nofollow noreferrer">Universal Print connector</A> to make them compatible.</P><P>Looking for front-end printing for SAP on macOS?
Here you <A href="https://learn.microsoft.com/universal-print/macos/universal-print-macos" target="_blank" rel="noopener nofollow noreferrer">go</A>.</P><P>Availability from SAP NetWeaver SAP_BASIS releases 757 and upwards ensures decent coverage for more recent SAP ECC and S/4HANA installations 😊</P><P>Universal Print relies on the <A href="https://learn.microsoft.com/graph/api/resources/print?view=graph-rest-1.0" target="_blank" rel="noopener nofollow noreferrer">Microsoft Graph API</A>, and the components involved in the integration use Azure PaaS services that power various mission-critical workloads like O365 and M365 worldwide.</P><P>See the latest info on SLAs <A href="https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services" target="_blank" rel="noopener nofollow noreferrer">here</A>.</P><P>You are all set for prime time with cloud printing from SAP 🚀</P><H1 id="toc-hId-273900295">Partner solutions</H1><P>SAP and Microsoft partners offer packaged solutions or even managed service offerings for SAP printing.
See the initial list below to get started.</P><UL><LI><A href="https://www.blue-zone.io/en/products/dom-zone/" target="_blank" rel="noopener nofollow noreferrer">DOM-Zone</A> from BLUE-ZONE</LI><LI><A href="https://lp.all-for-one.com/de/managed-services/rise-one-en/index.html" target="_blank" rel="noopener nofollow noreferrer">RISE ONE</A> from All for One Group</LI><LI><A href="https://kangoolutions.com/microsoft-azure-universal-print-with-the-sap-cloud-integration/" target="_blank" rel="noopener nofollow noreferrer">Universal Print integration with SAP using SAP Cloud Integration</A> from Kangoolutions</LI></UL><P>By no means is the list complete. Anyone else looking to be listed or referenced, please leave a comment or contact me directly.</P><H1 id="toc-hId-77386790">Final Words</H1><P>That's a wrap 🌯 You saw today how you can simplify your printing from SAP, reduce the device management overhead, and get rid of the need for print drivers.</P><P>Cloud printing for SAP with Microsoft Universal Print is applicable to your SAP business users (called frontend printing) from their own devices and browsers, just as they are used to.</P><P>For your SAP backend jobs and SAP's standard OData API, a community-driven open-source integration component is offered on <A href="https://github.com/Azure/universal-print-for-sap-starter-pack" target="_blank" rel="noopener nofollow noreferrer">GitHub</A>. Check the <A href="https://azuremarketplace.microsoft.com/marketplace/apps" target="_blank" rel="noopener nofollow noreferrer">Azure marketplace</A>, SAP store, and partner repositories for updates on partner offerings.
The list of partner solutions above could get you started.</P><P>Let us know what you think and feel encouraged to participate in the community effort 🙌.</P><P>Partners are welcome to reach out to build a marketplace or managed offering.</P><P>Last but not least: thank you to <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/775507">@timo_straub1</a> and the amazing team for the great collaboration 🙏</P><P>Cheers</P><P>Devansh and Martin</P>
<H1><A href="https://community.sap.com/t5/technology-blogs-by-members/govern-sap-apis-living-in-various-api-management-gateways-in-a-single-place/ba-p/13682483">Govern SAP APIs living in various API Management gateways in a single place with Azure API Center</A></H1>
<P><A href="https://community.sap.com/t5/user/viewprofilepage/user-id/143781">Martin-Pankraz</A>, 2024-04-26</P>
<TABLE border="1" width="100%"><TBODY><TR><TD width="100%"><P><EM>Find the GitHub repos associated with this post on Azure API Center <A href="https://github.com/Azure-Samples/azd-apic-sap/" target="_blank" rel="noopener nofollow noreferrer">here</A>.</EM></P><P><EM>Our engineering friends from SAP Integration Suite, in particular <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/194397">@Chaim_Bendelac</a>, published a nice "sister blog" on supporting Azure API Management with the API Management capability of SAP Integration Suite <A href="https://community.sap.com/t5/technology-blogs-by-sap/supporting-multiple-api-gateways-with-sap-api-management-using-azure-api/ba-p/13680433" target="_blank">here</A>.</EM></P></TD></TR></TBODY></TABLE><P>Dear community,</P><P>Many of you are heavily invested in APIs, both for your SAP ecosystem and for the rest of your IT real estate. Given the integration specialization in the SAP space, companies decide to use more than one integration tool to cater for SAP and non-SAP integrations. <A href="https://www.gartner.com/en/documents/3968032" target="_blank" rel="noopener nofollow noreferrer">Gartner</A> even says that 75% will use at least two different ones. For many of you that means SAP Integration Suite plus one for non-SAP.</P><P>Due to the fast-paced growth of APIs within organizations, inventory, governance, security, and management cannot keep up. The resulting fragmentation and inconsistency lead to adoption challenges, project delays, and security risks. Postman's <A href="https://www.postman.com/state-of-api/executing-on-apis/#frequency-of-api-security-incidents" target="_blank" rel="noopener nofollow noreferrer">State of APIs report 2023</A> shows that API security incidents happen frequently.</P><P>These challenges are summed up under the term "API Sprawl" by the industry.
Beware, the API sprawl monster is upon you!</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center"><img src="https://community.sap.com/t5/image/serverpage/image-id/101890i296B6772C9A5260E/image-size/medium?v=v2&px=400" alt="fig.1 Illustration of API Sprawl challenge" /><span class="lia-inline-image-caption">fig.1 Illustration of API Sprawl challenge</span></span></P><P><STRONG>Key to survival is automatic discovery</STRONG> of available APIs and a single place to enforce guidelines from, or at least to know that these unmanaged APIs exist in your estate. Forgotten APIs are low-hanging fruit for attackers. To drive home that argument: "Improper Inventory Management" made the <A href="https://owasp.org/API-Security/editions/2023/en/0xa9-improper-inventory-management/" target="_blank" rel="noopener nofollow noreferrer">OWASP top 10 list for API Security</A> in 2023.</P><P>Besides that, on the human side of things: which developer likes to develop duplicate functionality just because of the lack of a shared API inventory to discover existing stuff?</P><P>The API Sprawl monster is much hungry! "Nomnom nomnom more food, yes more food!"</P><P>Azure API Center embarked on the journey of taming the monster.</P><H1 id="toc-hId-864366498">What API solutions can be registered to Azure API Center?</H1><P>Azure API Center applies to any API and any API management solution out there. Always remember that API Center is not an API Gateway! It doesn't expose the endpoints or apply policies to them. That stays with the API Management provider.
API Center makes them discoverable and allows decorating APIs with additional info to improve governance.</P><P>Let that sink in.</P><P>My colleagues are building integrated experiences for the most interesting API and integration tool providers. However, API-based registration in API Center will always be possible.</P><P>Get it? APIs to register APIs to register APIs ... yeah, maybe too complicated for a joke.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center"><img src="https://community.sap.com/t5/image/serverpage/image-id/101888i27D6FD5DB73C6530/image-size/large?v=v2&px=999" alt="fig.2 Azure API Center solution coverage overview" /><span class="lia-inline-image-caption">fig.2 Azure API Center solution coverage overview</span></span></P><P>The focus of this blog post will be on inventorying APIs hosted by the API Management capability of SAP Integration Suite to mitigate SAP API sprawl. However, the approach described is applicable to all the other SAP APIs out there hosted on SAP Gateway, SAP Graph, SAP CAP, SAP RAP, Cloud Foundry, Kyma, etc. too.</P><P>Another prominent SAP service would be SAP Cloud Integration (formerly CPI, Cloud Platform Integration). Many of you expose APIs internally or to business partners through SAP integration flows without fronting them with an API Management solution (you know who you are 😉). Those can be registered too. Unfortunately, there is no built-in option to retrieve the definition of such an endpoint. You may generate an API definition for your HTTP trigger using payload samples, for instance.
I found <A href="https://gist.github.com/0xdevalias/5fecf0db3bd9cc7465e42616061e1ab0" target="_blank" rel="noopener nofollow noreferrer">this repo</A> useful to get an overview of how to generate OpenAPI definitions from JSON payloads.</P><P>Even if you don't, putting the available metadata on the Azure API Center inventory still improves discoverability and enterprise-wide governance by magnitudes.</P><P>But now on to SAP API Management.</P><H1 id="toc-hId-667852993">Automagically registering SAP API Management APIs on Azure API Center</H1><P>Our starting point is the SAP BTP service <STRONG>apimanagement-devportal</STRONG>. Check SAP's docs on the setup process <A href="https://help.sap.com/docs/integration-suite/sap-integration-suite/api-access-plan-for-api-business-hub-enterprise" target="_blank" rel="noopener noreferrer">here</A>. Make sure you don't mistakenly choose apimanagement-apiportal.</P><P>The API "<A href="https://api.sap.com/api/DevPortal_DiscoveryService_CF/resource/APIs" target="_blank" rel="noopener noreferrer">API Business Hub Enterprise - Discovery Service (CF)</A>" enables querying all available APIs hosted on SAP API Management on that subaccount. It holds info about their OpenAPI definitions.</P><P>Authenticate on the service with any of the <A href="https://help.sap.com/docs/sap-api-management/sap-api-management/api-access-plan-for-api-business-hub-enterprise?version=Cloud#create-a-service-key" target="_blank" rel="noopener noreferrer">supported authentication mechanisms</A>. I chose the OAuth2 client credentials grant (instance secret, without payload).</P><P>See below the response from "/apidiscovery/v1/apis" in my SAP BTP sandbox environment. Pay attention to the attributes of "apiDefinitions" and the values for "oas-json".</P><pre class="lia-code-sample language-json"><code>{
  "@odata.context": "$metadata#apis",
  "value": [
    {
      "name": "GWSAMPLE_BASIC",
      "title": "GWSAMPLE_BASIC",
      "version": "1",
      "lastUpdated": "2024-01-24",
      "releaseStatus": "PUBLIC",
      "protocol": "ODATAV2",
      "entryPoints": [
        {
          "name": "GWSAMPLE_BASIC",
          "type": "PROD",
          "url": "https://msftapim.test.apimanagement.eu10.hana.ondemand.com:443/GWSAMPLE_BASIC"
        }
      ],
      "apiDefinitions": [
        {
          "type": "oas-json",
          "url": "https://eu10devportal.cfapps.eu10.hana.ondemand.com/odata/1.0/data.svc/APIMgmt.APIResourceDocumentations('2797A5F5-E18A-4FCC-826A-C833845303F5')/content/$value"
        },
        {
          "type": "edmx",
          "url": "https://msftapim.test.apimanagement.eu10.hana.ondemand.com:443/GWSAMPLE_BASIC/$metadata"
        }
      ]
    }
  ]
}</code></pre><P>For your convenience, we have provided a <A href="https://github.com/Azure-Samples/azd-apic-sap/" target="_blank" rel="noopener nofollow noreferrer">sample repo</A> that runs Infrastructure-as-Code scripting to register the SAP APIs using their OpenAPI definitions as highlighted above. For each SAP API definition we execute registration requests on Azure API Center.</P><P>You may also use Postman, SAP Build Process Automation, etc. to execute the REST API calls if you prefer. Find our collection <A href="https://github.com/Azure-Samples/azd-apic-sap/blob/main/sap-apim-scan.http" target="_blank" rel="noopener nofollow noreferrer">here</A>.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center"><img src="https://community.sap.com/t5/image/serverpage/image-id/101894i6B0E80481BFFF330/image-size/large?v=v2&px=999" alt="fig.3 Flow of automated API registration in Azure API Center" /><span class="lia-inline-image-caption">fig.3 Flow of automated API registration in Azure API Center</span></span></P><H1 id="toc-hId-471339488">Discover all your APIs where you code: see VS Code and GitHub Copilot in action</H1><P>We developers like to stay within our flow. So, having the API inventory available at my fingertips in VS Code is a good step in that direction.
Also generating HTTP requests to poke around the service and API clients is nice 😎 <A href="https://github.com/microsoft/kiota" target="_blank" rel="noopener nofollow noreferrer">Kiota</A> supports a multitude of languages for SDK generation.</P><P>To get that going, install the <A href="https://learn.microsoft.com/azure/api-center/use-vscode-extension" target="_blank" rel="noopener nofollow noreferrer">Azure API Center VS Code extension</A>.</P><P>Video: <A href="https://www.youtube.com/watch?v=62X0NALedCc" target="_blank" rel="noopener nofollow noreferrer">Introducing the VS Code extension for Azure API Center</A></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center"><img src="https://community.sap.com/t5/image/serverpage/image-id/101895i0F90ED42F7A3F97B/image-size/large?v=v2&px=999" alt="fig.4 Screenshot of VSCode extension with example OpenAPI definition" /><span class="lia-inline-image-caption">fig.4 Screenshot of VSCode extension with example OpenAPI definition</span></span></P><P>Please note that the authorize button (and the respective authentication scheme) in the OpenAPI definition explorer is only available if present in the definition file.
It looks like this for Basic Auth:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center"><img src="https://community.sap.com/t5/image/serverpage/image-id/101896i185F2B5F860C6AF7/image-size/medium?v=v2&px=400" alt="fig.5 Screenshot of auth definition in example OpenAPI spec for SAP OData service" /><span class="lia-inline-image-caption">fig.5 Screenshot of auth definition in example OpenAPI spec for SAP OData service</span></span></P><P>When using the .http file and the <A href="https://marketplace.visualstudio.com/items?itemName=humao.rest-client" target="_blank" rel="noopener nofollow noreferrer">REST client extension</A> of your choice, you may simply provide the authentication header with a Bearer token etc.</P><P>Next to the Azure API Center extension view shown before, you can also use <A href="https://learn.microsoft.com/azure/api-center/use-vscode-extension-copilot" target="_blank" rel="noopener nofollow noreferrer">GitHub Copilot Chat</A> to query available APIs from API Center. See <A href="https://learn.microsoft.com/azure/api-center/use-vscode-extension-copilot#search-for-apis-using-github-copilot-chat" target="_blank" rel="noopener nofollow noreferrer">Microsoft Learn</A> for more samples.
You may search for APIs by keywords like so:</SPAN></P><pre class="lia-code-sample language-bash"><code>@apicenter /search business-partner</code></pre><P><SPAN>Cherry on the cake </SPAN><span class="lia-unicode-emoji" title=":shortcake:">🍰</span> is the <SPAN><A href="https://learn.microsoft.com/azure/api-center/enable-api-center-portal" target="_blank" rel="noopener nofollow noreferrer">API Center portal</A></SPAN> for the classic developer portal experience across your whole registered API inventory, wherever it lives.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="fig.6 Screenshot of Azure API Center portal API inventory view" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/101898iFEE25F515A582F66/image-size/large?v=v2&px=999" role="button" title="apic-portal.png" alt="fig.6 Screenshot of Azure API Center portal API inventory view" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">fig.6 Screenshot of Azure API Center portal API inventory view</span></span></P><P><SPAN>So far so good on registering APIs and working off the info their definitions provide. But how about governance? I know how desperately everyone wants to plaster cost centers, line-of-business info, and security labels on your interfaces. </SPAN><span class="lia-unicode-emoji" title=":smirking_face:">😏</span></P><H1 id="toc-hId-274825983">Enforced API metadata is your second line of defense against API sprawl</H1><P><SPAN>In addition to simply registering APIs, you may add custom properties to the API object on Azure API Center. So, even if the info is not present on the API itself, you can still govern it from Azure. 
See below a sample that I created from the <A href="https://learn.microsoft.com/azure/api-center/add-metadata-properties" target="_blank" rel="noopener nofollow noreferrer">Microsoft Learn tutorial</A>.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="fig.7 Screenshot of Azure API Center metadata maintenance view" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/101899i08A674038B335754/image-size/large?v=v2&px=999" role="button" title="apic-custom-props.png" alt="fig.7 Screenshot of Azure API Center metadata maintenance view" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">fig.7 Screenshot of Azure API Center metadata maintenance view</span></span></P><P><SPAN>Knowing which APIs are public facing is useful, isn’t it?</SPAN></P><P><SPAN>For everyone looking for more sophisticated security with less human error surface, have a look at <A href="https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-introduction" target="_blank" rel="noopener nofollow noreferrer">Defender for APIs</A>. I like the alert rule for “unauthenticated APIs” and the disabling of endpoints that were not used in the past 60 days most. Wait, what? Those exist out there in the wild west of SAP on the Internet? 
</SPAN><span class="lia-unicode-emoji" title=":astonished_face:">😲</span> See the open-source automatic remediation repos <SPAN><A href="https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Workflow%20automation/Defender%20for%20API" target="_blank" rel="noopener nofollow noreferrer">here</A></SPAN> to mitigate for Azure API Management.</P><P>The Defender for API integration with <SPAN><A href="https://learn.microsoft.com/azure/defender-for-cloud/onboarding-guide-42crunch" target="_blank" rel="noopener nofollow noreferrer">42Crunch</A></SPAN> brings API security testing and hardening to your CI/CD pipeline.</P><H1 id="toc-hId-78312478">API Linting gets you to the next level</H1><P><SPAN>OK, now let’s look at API style guide compliance. Is everyone playing by your rules? How do you make sure developers notice violations already during the design phase rather than at later stages of deployment, release, or even months after the fact when audited?</SPAN></P><P><SPAN>Good automatic <A href="https://thenewstack.io/improve-the-quality-of-your-apis-with-spectral-linting/" target="_blank" rel="noopener nofollow noreferrer">API linting</A> creates much less hassle for everyone in the long run, less cost to fix API definitions after the fact, an improved security posture, and a more rewarding experience for the people involved. See the video below on the setup of the linting function for OpenAPI using the <A href="https://github.com/stoplightio/spectral/blob/develop/docs/reference/openapi-rules.md" target="_blank" rel="noopener nofollow noreferrer">Spectral linting engine</A>.</SPAN></P><P><SPAN>Anyone aware of a great OData linter, or curious to explore one? 
Please share!</SPAN></P><P><div class="video-embed-center video-embed"><iframe class="embedly-embed" src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2Fm0XATQaVhxA%3Ffeature%3Doembed&display_name=YouTube&url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Dm0XATQaVhxA&image=https%3A%2F%2Fi.ytimg.com%2Fvi%2Fm0XATQaVhxA%2Fhqdefault.jpg&type=text%2Fhtml&schema=youtube" width="400" height="225" scrolling="no" title="Mastering API Governance with Azure API Center" frameborder="0" allow="autoplay; fullscreen; encrypted-media; picture-in-picture;" allowfullscreen="true"></iframe></div></P><P><SPAN>Get more details on API Linting for Azure API Center from <A href="https://learn.microsoft.com/azure/api-center/enable-api-analysis-linting?tabs=portal" target="_blank" rel="noopener nofollow noreferrer">this Microsoft Learn article</A>.</SPAN></P><H1 id="toc-hId--118201027">Thoughts on production readiness</H1><P><SPAN>Azure API Center is in public preview but due for General Availability with the next wave of announcements, so it is completely ready for prime time. The same is true for the VS Code extensions and APIs used to orchestrate the integration between SAP API Management and Azure.</SPAN></P><P><SPAN>Intentionally registering APIs from SAP to Azure API Center improves API inventory management by magnitudes. However, shadow inventory thrives in places you don’t actively look. To mitigate even more effectively, the team is building automated discovery from your GitHub org, Azure DevOps, and other popular sources.</SPAN></P><P><SPAN><A href="https://marketplace.visualstudio.com/items?itemName=SAPSE.sap-ux-fiori-tools-extension-pack" target="_blank" rel="noopener nofollow noreferrer">SAP Fiori tools</A> on VSCode provided by SAP SE enable usage of the approach described in this blog out of the box. 
The same is true for <A href="https://developers.sap.com/tutorials/btp-app-prepare-dev-environment-cap.html" target="_blank" rel="noopener noreferrer">SAP CAP development</A> in VSCode.</SPAN></P><H1 id="toc-hId--314714532">Final words</H1><P><SPAN>That’s a wrap </SPAN><span class="lia-unicode-emoji" title=":burrito:">🌯</span>. You saw today how you can effectively <STRONG>counter API sprawl</STRONG> and its negative side effects that put your APIs and organizations at risk. A primary means to achieve that is <STRONG>creating a central API inventory </STRONG>of the APIs hosted on all the different API Management solutions out there <STRONG>with Azure API Center</STRONG>.</P><P>This blog showed how to achieve that using the API Management capability of SAP Integration Suite as an example.</P><P>Furthermore, you learned about steps to improve API governance with custom properties and API linting. Finally, you understood the difference between Azure API Center and an API Gateway.</P><P>Find the GitHub repos associated with this post <SPAN><A href="https://github.com/Azure-Samples/azd-apic-sap/" target="_blank" rel="noopener nofollow noreferrer">here</A></SPAN>. It gets you started in no time.</P><P>Big #Kudos to <SPAN><A href="https://www.linkedin.com/in/pascalvdheiden/" target="_blank" rel="noopener nofollow noreferrer">Pascal van der Heiden</A></SPAN>, my brother in crime on this effort. And of course, last but not least to <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/8446">@UdoPaltzer</a> and <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/216068">@vinayak_adkoli</a> for the great collaboration! 
<span class="lia-unicode-emoji" title=":raising_hands:">🙌</span></P><P>Anyone curious to dip their toe into the waters where the API sprawl monster lives, just reach out to me and Chaim or leave a comment.</P><P>Cheers</P><P>Martin</P>2024-04-26T12:33:48.591000+02:00https://community.sap.com/t5/technology-blogs-by-members/govern-sap-apis-living-in-various-api-management-gateways-in-a-single-place/bc-p/13700868#M167481Re: Govern SAP APIs living in various API Management gateways in a single place with Azure API Cente2024-05-14T14:52:23.677000+02:00Martin-Pankrazhttps://community.sap.com/t5/user/viewprofilepage/user-id/143781<P><a href="https://community.sap.com/t5/user/viewprofilepage/user-id/47313">@saurabhkumbhare</a> API Center went GA on the 6th of May: <A href="https://azure.microsoft.com/en-us/updates/general-availability-azure-api-center/" target="_blank" rel="nofollow noopener noreferrer">https://azure.microsoft.com/en-us/updates/general-availability-azure-api-center/</A></P>2024-05-14T14:52:23.677000+02:00https://community.sap.com/t5/technology-blogs-by-members/steps-to-access-azure-blob-storage-via-rest-api-from-sap-cpi-using-azure/bc-p/13708869#M167621Re: Steps to access Azure Blob Storage via REST API from SAP CPI using Azure Storage Adapter and SAP2024-05-22T09:11:36.362000+02:00Martin-Pankrazhttps://community.sap.com/t5/user/viewprofilepage/user-id/143781<P>Hi <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/1385713">@Shemy</a>,</P><P>What is the reason you want to use http instead of the AzureStorage adapter?</P><P>The blog above also described the needed parts for http. 
Find the official API reference <A href="https://learn.microsoft.com/en-us/rest/api/storageservices/" target="_blank" rel="noopener nofollow noreferrer">here</A>.</P><P>KR Martin</P>2024-05-22T09:11:36.362000+02:00https://community.sap.com/t5/technology-q-a/re-authenticating-an-api-using-saml-assertion-in-sap-api/qaq-p/13715415/comment-id/4831114#M4831114Re: Authenticating an API using SAML assertion in SAP API...2024-05-29T08:08:44.612000+02:00Martin-Pankrazhttps://community.sap.com/t5/user/viewprofilepage/user-id/143781<P>Hi <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/185435">@giridhar_vegi</a>,</P><P>when generating the SAML assertion yourself in APIM you are essentially declaring it your identity provider. That is a severe security risk. Any error or exploitable gap would lead to user compromise. Identity Providers are purpose-built for this. I am assuming you are bypassing another challenge by looking to implement this yourself. Feel free to share more, so the community can advise on solving the underlying challenge.</P><P>If you must explore further, have a look at <A href="https://www.npmjs.com/package/saml2-js" target="_blank" rel="noopener nofollow noreferrer">this JavaScript library</A> and this <A href="https://www.googlecloudcommunity.com/gc/Apigee/How-do-I-use-the-SAML-policy-to-generate-a-SAML-assertion-with-a/m-p/65684" target="_blank" rel="noopener nofollow noreferrer">Apigee article</A> on how to generate your own in SAP APIM. Make sure to lock down access tightly. 
Either way, I highly discourage this.</P><P>KR Martin</P>2024-05-29T08:08:44.612000+02:00https://community.sap.com/t5/technology-q-a/re-sap-ai-core-azure-blob-storage-sas-token-response-403/qaq-p/13721668/comment-id/4831893#M4831893Re: SAP AI Core Azure Blob storage SAS token RESPONSE 403...2024-06-05T10:03:45.189000+02:00Martin-Pankrazhttps://community.sap.com/t5/user/viewprofilepage/user-id/143781<P>Hi <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/764220">@thomasweckerbasf</a>,</P><P>sounds like encoding challenges. Encountered this in the CPI http adapter before. Have a look at this note <A href="https://me.sap.com/notes/0003131448" target="_blank" rel="noopener noreferrer">https://me.sap.com/notes/0003131448</A> to resolve with triple encoding.</P><P>KR Martin</P>2024-06-05T10:03:45.189000+02:00https://community.sap.com/t5/technology-blogs-by-members/nice-patch-sap-revisiting-your-sap-btp-security-measures-after-ai-core/ba-p/13770662Nice patch SAP! Revisiting your SAP BTP security measures after AI Core vulnerability fix2024-07-25T10:46:43.272000+02:00Martin-Pankrazhttps://community.sap.com/t5/user/viewprofilepage/user-id/143781<P>Dear community,</P><P>SAP recently fixed a critical vulnerability in the SAP AI Core service that could have allowed attackers to access sensitive data in the multi-tenant environment. This issue, dubbed "SAPwned", was responsibly disclosed and publicly shared on July 18 after it was patched. You can read more about it <A href="https://thehackernews.com/2024/07/sap-ai-core-vulnerabilities-expose.html" target="_blank" rel="noopener nofollow noreferrer">here</A>.</P><P>Bottom line: SAP shows its commitment to security and timely patching of its cloud services. But remember, SAP BTP, like any cloud platform, is based on a shared responsibility model. 
That means you need to do your part to protect your data and applications too:</P><UL><LI>Pick secure authentication means (no, Basic AUTH is not one of them!),</LI><LI>Be conscious that every endpoint exposed by SAP BTP, like Microsoft 365, lives on the Internet by design,</LI><LI>Scope Cloud Foundry + Kyma app access and user roles to the minimum rights needed,</LI><LI>When using the popular “OAuth2 client credentials grant” with service keys, rotate your secrets (at best automatically and regularly)! Have your pick from an app-based solution <A href="https://github.com/Azure/AzureAD-AppSecretManager" target="_blank" rel="noopener nofollow noreferrer">like this</A>, a PowerShell <A href="https://github.com/Azure/KeyVault-Secrets-Rotation-AADApp-PowerShell" target="_blank" rel="noopener nofollow noreferrer">module</A> and a <A href="https://community.sap.com/t5/technology-blogs-by-members/automatic-sap-btp-trust-store-certificate-renewal-with-azure-key-vault-or/ba-p/13565138" target="_blank">blog on automatic cert renewal</A>.</LI><LI>Establish a continuous process to harden your SAP cloud workloads. It is not a one-stop shop.</LI></UL><P>Ever heard about “MFA fatigue”? Plain Multi-Factor Authentication is not good enough anymore today. Additionally, enforce Conditional Access to SAP BTP services through integrating the SAP ID Service or the SAP Identity Authentication Service with the corporate identity provider of your choice. 
See <A href="https://learn.microsoft.com/entra/fundamentals/scenario-azure-first-sap-identity-integration" target="_blank" rel="noopener nofollow noreferrer">here</A> how to do it with Microsoft Entra ID.</P><P><div class="video-embed-center video-embed"><iframe class="embedly-embed" src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2Frn3EMXX28EE%3Ffeature%3Doembed&display_name=YouTube&url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Drn3EMXX28EE&image=https%3A%2F%2Fi.ytimg.com%2Fvi%2Frn3EMXX28EE%2Fhqdefault.jpg&type=text%2Fhtml&schema=youtube" width="400" height="225" scrolling="no" title="#208 - The one with Sentinel for SAP BTP (Will King, Yossi Hasson, Martin Pankraz) | SAP on Azure" frameborder="0" allow="autoplay; fullscreen; encrypted-media; picture-in-picture;" allowfullscreen="true"></iframe></div></P><H1 id="toc-hId-892014405">Second line of defense: Automatic detections based on the SAP Audit Log Service</H1><P>Most of the <A href="https://help.sap.com/docs/btp/sap-business-technology-platform/security-events-logged-by-cf-services" target="_blank" rel="noopener noreferrer">BTP based services</A> in the Cloud Foundry environment provided by SAP automatically write to the SAP Audit Log Service. 
Each service lists the standardized events that are propagated.</P><P>SAP has a <A href="https://community.sap.com/t5/technology-blogs-by-sap/exploring-the-sap-audit-log-service/ba-p/13533521" target="_blank">nice video</A> on the general workings of the SAP Audit Log Service on BTP.</P><P><FONT size="4"><STRONG>This is a good start, but how useful are log entries that record a compromise if they are overlooked and hidden among countless normal entries?</STRONG></FONT></P><P data-unlink="true">I use the <A href="https://learn.microsoft.com/azure/sentinel/sap/sap-btp-solution-overview" target="_blank" rel="noopener nofollow noreferrer">Microsoft Sentinel for SAP BTP solution</A>, which went into General Availability state this week, as an example for running automatic detections via built-in analytic rules. It connects to your subaccounts and global account, ingesting all audit logs that are written to your registered Audit Log Management service instances. The polling interval is 10 minutes by default when deployed from the Azure Portal. Configure it down to 1 minute if needed using the <A href="https://learn.microsoft.com/azure/sentinel/data-connector-connection-rules-reference#request-configuration" target="_blank" rel="noopener nofollow noreferrer">ARM API</A>.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Architecture diagram of Sentinel solution for SAP BTP" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/143381iB47BA18DBB0843B0/image-size/large?v=v2&px=999" role="button" title="Picture1.png" alt="Architecture diagram of Sentinel solution for SAP BTP" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Architecture diagram of Sentinel solution for SAP BTP</span></span></P><P><SPAN>It comes with out-of-the-box content. Check out the alert “Failed access attempts across multiple Business Application Studio accounts” for instance. 
Password spray attack anyone?</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screenshot of Sentinel for SAP BTP solution content with out-of-the-box detections and workbooks" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/141134iB15E352F76DACEF1/image-size/large?v=v2&px=999" role="button" title="Picture1.png" alt="Screenshot of Sentinel for SAP BTP solution content with out-of-the-box detections and workbooks" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Screenshot of Sentinel for SAP BTP solution content with out-of-the-box detections and workbooks</span></span></P><P>Once I have <A href="https://learn.microsoft.com/azure/sentinel/sap/deploy-sap-btp-solution" target="_blank" rel="noopener nofollow noreferrer">onboarded my subaccount</A> (I named it SAP-AI-Core-playground), I can go wild on the ingested log entries, apply the threat intel functions, and build analytic rules. Let's browse the entries via the Kusto Query Language (KQL). 
The standard table SAPBTPAuditLog_CL holds all audit log info for your registered SAP BTP subaccounts:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screenshot of simple KQL for SAP BTP" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/141367i6D94B79A7A79F68B/image-size/large?v=v2&px=999" role="button" title="Picture1.png" alt="Screenshot of simple KQL for SAP BTP" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Screenshot of simple KQL for SAP BTP</span></span></P><P>The Message column contains the JSON payload BTP provides for each audit entry as well as the identifier of the BTP service involved.</P><P><FONT size="4"><STRONG>Looking at audit messages is nice, but you may<SPAN> go one step further by applying automatic actions like blocking the SAP BTP users.</SPAN></STRONG></FONT></P><P><SPAN>The screenshot below shows the part of the process triggered by the included playbook. The SAP security team gets notified with evidence of the compromise, offering an approval option to block the user from a Microsoft Teams channel flow. Find more info </SPAN><A href="https://community.sap.com/t5/enterprise-resource-planning-blogs-by-members/from-zero-to-hero-security-coverage-with-microsoft-sentinel-for-your/ba-p/13557852" target="_blank">here</A><SPAN>. The screenshot shows the adaptive card with a trigger from SAP Business Suite. 
The same is possible with triggers coming from BTP too.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screenshot of sap btp user block approval request to SAP security team on Microsoft Teams" style="width: 498px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/141135i425AD2C35CD48194/image-size/large?v=v2&px=999" role="button" title="Picture2.png" alt="Screenshot of sap btp user block approval request to SAP security team on Microsoft Teams" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Screenshot of sap btp user block approval request to SAP security team on Microsoft Teams</span></span></P><H1 id="toc-hId-695500900"> </H1><H1 id="toc-hId-498987395">The AI Core Service audit log entries alone are not useful</H1><P>Threat protection-wise, correlation with other signals in your company is required, because a single SAP AI Core event like “Successful retrieval of object store secret” does not tell you anything on its own. See below a Kusto query working off the AI Core audit log info ingested by the Sentinel for SAP BTP solution.</P><P><EM>Note: SAP publishes the available events for all the Cloud Foundry based services <A href="https://help.sap.com/docs/sap-ai-core/sap-ai-core-service-guide/auditing-and-logging-information" target="_blank" rel="noopener noreferrer">here</A>. </EM></P><P>It identifies entries on my BTP subaccount related to AI Core activity and cross-references the IP address involved in the login with its country of origin. In my sample below I use the built-in function <A href="https://learn.microsoft.com/azure/data-explorer/kusto/query/geo-info-from-ip-address-function" target="_blank" rel="noopener nofollow noreferrer">geo_info_from_ip_address()</A> to learn whether the BTP client remote address originated from Germany or not. The assumption here is that all my BTP developers are based there. 
Think about sanctioned country lists etc.</P><pre class="lia-code-sample language-javascript"><code>// flag unexpected logins from countries other than Germany
// countries my BTP developers are expected to log in from
let myBTPDevelopers = dynamic(['Germany']);
// audit log event types that represent a successful login
let login_messages = dynamic(['ClientAuthenticationSuccess','UserAuthenticationSuccess']);
SAPBTPAuditLog_CL
| where SubaccountName == "SAP-AI-Core-playground"
| where Message has_any (login_messages)
// the client IP is part of the JSON payload in the Message column
| extend ip_ = tostring(Message.ip)
// resolve the IP to its country of origin with the built-in geo lookup
| extend country = tostring(geo_info_from_ip_address(ip_)['country'])
// keep only logins from countries outside the expected list
| where country !in (myBTPDevelopers);</code></pre><P>For a smoke test I teleported myself into the land of leprechauns <span class="lia-unicode-emoji" title=":rainbow:">🌈</span>, steep cliffs, and mysterious Celtic culture <span class="lia-unicode-emoji" title=":four_leaf_clover:">🍀</span> using an Azure VM. Marvel at the rule that identifies that mischievous BTP user!</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screenshot of found btp login from Ireland" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/141499iD40F77EF87B0AF7F/image-size/large?v=v2&px=999" role="button" title="Picture2.png" alt="Screenshot of found btp login from Ireland" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Screenshot of found btp login from Ireland</span></span></P><P>The next sample uses the <A href="https://learn.microsoft.com/azure/sentinel/understand-threat-intelligence" target="_blank" rel="noopener nofollow noreferrer">Threat Intelligence</A> feature to verify whether the BTP remote access can be traced back to a feed of known problematic IP indicators (e.g. a bot network). I maintained it in the Threat Management section of Sentinel using the IP known to BTP for my recent logins to the SAP AI Core service, so that it triggers a result. In real life you would take the IPs from a threat intel feed of course. 
I don't have a bot net handy though <span class="lia-unicode-emoji" title=":winking_face:">😉</span>.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screenshot of Sentinel Threat Management experience" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/141136i039C7B6EA1D1B723/image-size/large?v=v2&px=999" role="button" title="Picture3.png" alt="Screenshot of Sentinel Threat Management experience" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Screenshot of Sentinel Threat Management experience</span></span></P><P>That makes the indicator available to my Kusto query below. See the screenshot of the result:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screenshot of Kusto query result filtered by problematic IPs" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/141137iB57CB9FC2D659821/image-size/large?v=v2&px=999" role="button" title="Picture4.png" alt="Screenshot of Kusto query result filtered by problematic IPs" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Screenshot of Kusto query result filtered by problematic IPs</span></span></P><pre class="lia-code-sample language-javascript"><code>// flag unexpected logins from IP indicators from Sentinel
// all network IP indicators maintained in the Sentinel Threat Intelligence table
let ips = ThreatIntelligenceIndicator
| distinct NetworkIP = tostring(NetworkIP);
// audit log event types that represent a successful login
let login_messages = dynamic(['ClientAuthenticationSuccess','UserAuthenticationSuccess']);
SAPBTPAuditLog_CL
| where SubaccountName == "SAP-AI-Core-playground"
| where Message contains "aicore" and Message has_any (login_messages)
// strip any whitespace (including CR, LF, tab) from the IP so the join key matches the indicator
| extend ip_ = replace_regex(tostring(Message.ip), @"\s", "")
| join kind=inner (
    ips
    // normalize the indicator the same way before joining
    | extend NetworkIP_ = replace_regex(tostring(NetworkIP), @"\s", "")
) on $left.ip_ == $right.NetworkIP_;</code></pre><P>A natural next evolution of the detection would be to extend it to the "<STRONG>impossible travel</STRONG>" scenario.</P><P>These queries are simple to set up and are good to go to serve as a <A href="https://learn.microsoft.com/azure/sentinel/threat-detection" target="_blank" rel="noopener nofollow noreferrer">new analytics rule</A> on the solution, don’t you think?</P><P>Let me know what other scenarios you would like to see <span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span></P><H1 id="toc-hId-302473890"> </H1><H1 id="toc-hId-105960385">Thoughts on production readiness</H1><P>SAP’s Audit Log Service is widely adopted across the SAP BTP services and foundational to the platform.</P><P>Onboarding your subaccounts and global accounts to Sentinel for SAP BTP eases "<STRONG>subaccount sprawl</STRONG>". Customers with hundreds of subaccounts easily lose sight of what is where and what gets frequented by whom. <STRONG>Such "blind or forgotten spots" lead to exposure</STRONG> that can be prevented.</P><P>Sentinel for SAP BTP recently went into “General Availability” state, making it good to use for anyone who doesn’t like previews <span class="lia-unicode-emoji" title=":smiling_face_with_sunglasses:">😎</span></P><P>To create meaningful detections based on the SAP BTP audit log, at minimum other sources, such as the Authorization and Trust Management service (XSUAA), must be considered. Enriching your threat signals with indicators from the rest of your IT landscape gets you from "SAP-security-acolyte" <span class="lia-unicode-emoji" title=":school:">🏫</span> to master of disaster 🥷🏼.</P><P>The built-in Sentinel for SAP playbooks use SAP BTP public APIs for automatic remediation. 
See the user API documentation for disabling users <A href="https://api.sap.com/api/PlatformAPI/path/getUserUsingGET" target="_blank" rel="noopener noreferrer">here</A>.</P><H1 id="toc-hId--90553120"> </H1><H1 id="toc-hId--287066625">Final words</H1><P>Constantly staying ahead of attackers is impossible. However, putting up a fight so they move on without doing more serious damage, or at least being automatically informed about the incident, puts you back in the driver’s seat.</P><P>The <A href="https://learn.microsoft.com/azure/sentinel/sap/sap-btp-solution-overview" target="_blank" rel="noopener nofollow noreferrer">Sentinel for SAP BTP solution</A> enables you to bring the SAP BTP audit log information into Microsoft's SIEM solution Sentinel for cross-correlation with your wider IT landscape. Furthermore, it powers <STRONG>automatic remediations like user block, password reset</STRONG>, and more.</P><P>Looking for R3, ERP, S/4HANA, and RISE next? <A href="https://learn.microsoft.com/azure/sentinel/sap/solution-overview" target="_blank" rel="noopener nofollow noreferrer">Here</A> you go.</P><P>For true confidence in drastic actions like blocking users, you require signals from as many sources as possible. <STRONG>Think beyond the SAP boundary and towards your complete IT landscape</STRONG>: devices, endpoints, suspicious logins etc. All of those touchpoints leave a trail of your attacker long before they reach SAP BTP, because of prior phishing attempts, lateral movement etc. 
Have a look at <A href="https://learn.microsoft.com/azure/sentinel/sap/deployment-attack-disrupt" target="_blank" rel="noopener nofollow noreferrer">Defender XDR</A> for further info.</P><P><STRONG>What detections are you running for your BTP landscape?</STRONG> Let the community know so we can learn from each other’s security practices.</P><P>Cheers</P><P>Martin</P>2024-07-25T10:46:43.272000+02:00https://community.sap.com/t5/spend-management-q-a/re-sap-ariba-integration-with-a-third-party-system/qaq-p/13793974/comment-id/179489#M179489Re: SAP ARIBA integration with a third-party system2024-08-14T08:27:40.015000+02:00Martin-Pankrazhttps://community.sap.com/t5/user/viewprofilepage/user-id/143781<P>Hey <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/1458785">@Tural-Hajiyev</a>,</P><P>SAP Integration Suite would be a good starting point for your research. Have a look here: <A href="https://api.sap.com/package/SAPBusinessNetworkIntegrationwithNonSAPERP/integrationflow" target="_blank" rel="noopener noreferrer">https://api.sap.com/package/SAPBusinessNetworkIntegrationwithNonSAPERP/integrationflow</A></P><P>And this older community thread: <A href="https://community.sap.com/t5/spend-management-q-a/sap-ariba-integration-with-microsoft-dynamics/qaq-p/12151543" target="_blank">https://community.sap.com/t5/spend-management-q-a/sap-ariba-integration-with-microsoft-dynamics/qaq-p/12151543</A></P><P>Let the community know what you decided in the end with which public source <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>KR Martin</P>2024-08-14T08:27:40.015000+02:00https://community.sap.com/t5/enterprise-resource-planning-blogs-by-members/integrating-low-code-solutions-with-microsoft-using-sap-integration-suite/ba-p/13789298Integrating low code solutions with Microsoft using SAP Integration Suite has never been 
easier!2024-08-14T08:50:31.455000+02:00Martin-Pankrazhttps://community.sap.com/t5/user/viewprofilepage/user-id/143781<P><EM>This blog is co-authored with Vinayak Adkoli (Lead Product Manager, SAP Integration Suite, SAP SE). Link to the Microsoft Learn Hub for Power Platform and SAP<SPAN> </SPAN><A href="https://learn.microsoft.com/power-platform/sap/" target="_blank" rel="noopener nofollow noreferrer">here</A> <span class="lia-unicode-emoji" title=":link:">🔗</span>.</EM></P><P>Dear community,</P><P>Extending SAP with low-code platforms significantly increases the speed of development, enabling rapid innovation essential for staying competitive today.</P><P style=" padding-left : 30px; "><EM>Analysts predict that low code will become the preferred software development method by 2025.</EM> (<A href="https://kpmg.com/us/en/articles/2023/low-code-adoption.html" target="_blank" rel="noopener nofollow noreferrer">KPMG</A>, 2023)</P><P style=" padding-left : 30px; "><EM>Forrester approximates the citizen development market to be valued at 30 billion dollars by 2028.</EM> (<A href="https://www.forrester.com/blogs/the-low-code-market-could-approach-50-billion-by-2028/" target="_blank" rel="noopener nofollow noreferrer">Forrester</A>, 2024)</P><P>However, it is crucial to maintain stringent security measures and <STRONG>respect existing SAP authorizations</STRONG>. By doing so, organizations can harness the benefits of low-code development while ensuring the protection and compliance of their SAP environment.</P><P>Oh boy, are you ready for all the solutions, apps, curious interns, and mad scientists looking to interact with SAP ERP and combine it with Microsoft 365? <span class="lia-unicode-emoji" title=":face_with_open_mouth:">😮</span></P><P>Fear no more! The API Management capability of SAP Integration Suite is more than ready. 
In our usual <STRONG>Microsoft + SAP co-engineering</STRONG> fashion, we are proud to jointly release a fully-fledged enterprise-grade API management policy to support the integration pattern.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Architecture overview of low code app using SAP APIM for Principal Propagation" style="width: 937px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149546i44A0048A9B70F4CD/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_1-1723200587279.png" alt="Architecture overview of low code app using SAP APIM for Principal Propagation" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Architecture overview of low code app using SAP APIM for Principal Propagation</span></span></P><P>It enables <STRONG>SAP Principal Propagation</STRONG> with SAP services such as SAP Gateway, S/4HANA Cloud, RISE, and many more using <STRONG>Microsoft Entra ID</STRONG> (formerly Azure AD) as Identity Provider. At the core of the solution is the proven OAuth2SAMLBearer flow.</P><P><div class="video-embed-center video-embed"><iframe class="embedly-embed" src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2FnQplgEHASAI%3Ffeature%3Doembed&display_name=YouTube&url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DnQplgEHASAI&image=https%3A%2F%2Fi.ytimg.com%2Fvi%2FnQplgEHASAI%2Fhqdefault.jpg&type=text%2Fhtml&schema=youtube" width="400" height="225" scrolling="no" title="#211 - The one with SSO with SAP API Management and Power Platform (Vinayak Adkoli & Martin Pankraz)" frameborder="0" allow="autoplay; fullscreen; encrypted-media; picture-in-picture;" allowfullscreen="true"></iframe></div></P><P>This way, users of your low code solutions and apps spanning the Microsoft and SAP ecosystem are mapped from their Microsoft Entra ID identities to their named SAP backend users. 
SAP authorizations are fully retained!</P><P>In addition to that, solving this challenge on Integration Suite level enables scaling the approach to arbitrarily many different consumer solutions. <STRONG>No more re-inventing the wheel for every developer!</STRONG></P><H4 id="toc-hId-1280450457">Find the APIM policy and further guidance here on the <A href="https://api.sap.com/policytemplate/Principal_Propagation_via_Entra_Id" target="_blank" rel="noopener noreferrer">SAP Business Accelerator hub</A>.</H4><P><EM>Note that <STRONG>SuccessFactors</STRONG> requires a slightly <A href="https://api.sap.com/policytemplate/SuccessFactors_Principal_Propagation_via_Entra_Id" target="_blank" rel="noopener noreferrer">different policy</A>.</EM></P><P>Of course, you may deviate from the blueprint outlined based on your scenario across SAP BTP, SAP Graph, Integration Suite, other SAP SaaS solutions etc.</P><P> </P><TABLE><TBODY><TR><TD width="227"><P><STRONG>Approach</STRONG></P></TD><TD width="204"><P><STRONG>Principal Propagation Scenarios</STRONG></P></TD></TR><TR><TD width="227"><P>OAuth2SAMLBearer flow</P></TD><TD width="204"><P>Service to service, on-behalf-of user</P></TD></TR><TR><TD width="227"><P>Authorization Code flow</P></TD><TD width="204"><P>Interactive user session (prone to MFA interference)</P></TD></TR><TR><TD width="227"><P>Client Credentials flow</P></TD><TD width="204"><P>Service to service</P></TD></TR><TR><TD width="227"><P>X.509</P></TD><TD width="204"><P>Any</P></TD></TR></TBODY></TABLE><P><STRONG>We recommend using OAuth2SAMLBearer</STRONG>, because:</P><UL><LI>The scenario in this blog is about app integration with identities that are already known to Microsoft Entra ID</LI><LI>OAuth2 offers more flexible and granular control over access to resources</LI><LI>NetWeaver does not support the Client Credentials flow, and X.509 certificates come with management overhead.</LI></UL><P>For simplicity and readability of the blog I will refer only to NetWeaver 
specific settings even though the approach works with any SAP product that supports OAuth2SAMLBearer.</P><P>Learn more about this space overall from the <A href="https://community.sap.com/t5/technology-blogs-by-members/principal-propagation-in-a-multi-cloud-solution-between-microsoft-azure-and/ba-p/13482071" target="_blank">blog series</A> by my magnificent colleague <A href="https://community.sap.com/t5/user/viewprofilepage/user-id/171519" target="_blank">Martin Raepple</A>.</P><P> </P><H1 id="toc-hId-696688795">A glimpse under the hood</H1><P>The API Management policy works under the assumption that trust between your <STRONG>OAuth 2.0 Server for AS ABAP</STRONG> and <STRONG>Microsoft Entra ID</STRONG> has been set up before.</P><P>Have a look at the <A href="https://github.com/MartinPankraz/SAP-MSTeams-Hero/blob/main/Towel-Bearer/103a-sap-principal-propagation-basics.md" target="_blank" rel="noopener nofollow noreferrer">developer series on our YouTube playlist</A> for a walk-through experience (be warned, this was a "without-script exercise" to show pitfalls and how to overcome them).</P><P><div class="video-embed-center video-embed"><iframe class="embedly-embed" src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2FJGvJJnMSEHM%3Flist%3DPLvqyDwoCkBXZ85LoFrNWv9Mj88TiDAc4g&display_name=YouTube&url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DJGvJJnMSEHM&image=https%3A%2F%2Fi.ytimg.com%2Fvi%2FJGvJJnMSEHM%2Fhqdefault.jpg&type=text%2Fhtml&schema=youtube" width="200" height="112" scrolling="no" title="Episode 3. Configure SAP Principal Propagation with AAD and SAP OAuth server" frameborder="0" allow="autoplay; fullscreen; encrypted-media; picture-in-picture;" allowfullscreen="true"></iframe></div></P><P>In addition to the existing authorizations maintained on SAP, each application consuming the SAP API proxy from API Management needs to be authorized on Entra ID.</P><P><span class="lia-inline-image-display-wrapper 
lia-image-align-center" image-alt="MartinPankraz_2-1723200587281.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149547i587571D597468F5E/image-size/medium?v=v2&px=400" role="button" title="MartinPankraz_2-1723200587281.png" alt="MartinPankraz_2-1723200587281.png" /></span></P><P><SPAN>See this official </SPAN><A href="https://learn.microsoft.com/entra/identity/saas-apps/sap-netweaver-tutorial" target="_blank" rel="noopener nofollow noreferrer">guide</A><SPAN> for details on the Entra ID SAML2 setup. See the difference for OAuth2SAMLBearer compared to general SAML2 below:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_3-1723200587304.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149548i8FCC4418F9B2ABB0/image-size/medium?v=v2&px=400" role="button" title="MartinPankraz_3-1723200587304.png" alt="MartinPankraz_3-1723200587304.png" /></span><SPAN>Pay close attention to the Entity ID. It is case sensitive! I chased an error once for half a day because of that.</SPAN></P><P>Be aware that the Entity ID must be unique in your Entra ID tenant. In case you want to use SAML2 for Fiori SSO and OAuth2 for SAP Principal Propagation for the same SID at the same time, you need to maintain both on the Entra ID enterprise app registration. Assign an order (index) that works with your login flow. 
See the sample below for reference.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_4-1723200587311.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149549i01605E902BEF05F3/image-size/medium?v=v2&px=400" role="button" title="MartinPankraz_4-1723200587311.png" alt="MartinPankraz_4-1723200587311.png" /></span></P><P>Have a look at my <A href="https://github.com/MartinPankraz/SAP-MSTeams-Hero/blob/main/Towel-Bearer/103a-sap-principal-propagation-basics.md" target="_blank" rel="noopener nofollow noreferrer">video series</A> for a more guided experience on the OAuth2 part. I also like <A href="https://www.itsfullofstars.de/2020/04/create-oauth-2-0-client-user/" target="_blank" rel="noopener nofollow noreferrer">this simple blog</A> series to complete the picture.</P><H2 id="toc-hId-629258009">Take care of your OAuth settings</H2><P>The steps for the OAuth configuration may vary a bit by SAP product. Here the focus is on NetWeaver.</P><P>Move on to your SAP backend and create a user for your OAuth client. For SAP NetWeaver based systems that will be a <STRONG>user of type system</STRONG> with authorizations for <STRONG>S_SCOPE</STRONG> that are relevant for the OData service you want to expose.</P><H4 id="toc-hId-690909942">Both the OAuth2 client user and your SAP end user need S_SCOPE authorization.</H4><P>Use transaction PFCG to assign the authorization objects to your role or create a new one. 
I like <A href="https://www.itsfullofstars.de/2020/04/oauth-3-gateway-add-authorization-s_scope-to-oauth-2-0-client-user/" target="_blank" rel="noopener nofollow noreferrer">this blog series</A> for reference.</P><P>Verify from transaction <STRONG>/n/IWFND/MAINT_SERVICE</STRONG> that your OData service is enabled for OAuth2.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_5-1723200587334.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149551iDFA8CA9029B6786D/image-size/medium?v=v2&px=400" role="button" title="MartinPankraz_5-1723200587334.png" alt="MartinPankraz_5-1723200587334.png" /></span></P><H2 id="toc-hId-236230999">Bird's eye<span class="lia-unicode-emoji" title=":bird:">🐦</span> view on the overall process</H2><P>The sequence diagram below explains an initial login performing SAP Principal Propagation using the OAuth2SAMLBearer flow. There are three requests involved:</P><P>1. Low Code app login (Entra ID) invoked by the app</P><P>2. Token exchange for a SAML2 assertion (Entra ID on-behalf-of flow) invoked by API Management</P><P>3. Token exchange of the SAML2 assertion issued by Entra ID for an SAP access token issued by the SAP OAuth2 server. The request is invoked by API Management. 
The result is a token carrying the authorizations set on the SAP backend (PFCG transaction) for that end user.</P><P>As stated at the beginning, the <STRONG>heavy lifting is done by the provided API Management policy</STRONG>.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_6-1723200587338.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149550i45AC47AC25CFB759/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_6-1723200587338.png" alt="MartinPankraz_6-1723200587338.png" /></span></P><P>Once a bearer access token from SAP is available, all requests can be directly served from the API Management token cache. Once it expires, typically after one hour, the refresh token is used to request a new access token. The same is true for the first login step from the low code app.</P><P> </P><H2 id="toc-hId-39717494">Import the policy into your tenant</H2><P><A href="https://api.sap.com/policytemplate/Principal_Propagation_via_Entra_Id" target="_blank" rel="noopener noreferrer">Download the policy</A><span class="lia-unicode-emoji" title=":inbox_tray:">📥</span> from the SAP Business Accelerator Hub and import the template into your SAP API Management tenant.</P><P>Learn more about configuring an API Provider with SAP Cloud Connector on <A href="https://learning.sap.com/learning-journeys/developing-with-sap-integration-suite/creating-an-api-provider_b95113e7-369f-4dd3-9773-ec4e0fde2e00" target="_blank" rel="noopener noreferrer">this SAP tutorial</A>.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_7-1723200587348.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149552iDD234964B840041E/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_7-1723200587348.png" alt="MartinPankraz_7-1723200587348.png" /></span></P><P>Apply it to all the PostFlow steps of the 
TargetEndpoints of your APIs as you see fit. See <A href="https://learning.sap.com/learning-journeys/developing-with-sap-integration-suite/using-policies_cd5fde51-b3d2-40d3-bd71-3f2870c2b51b" target="_blank" rel="noopener noreferrer">this SAP tutorial</A> and this <A href="https://github.com/SAP/apibusinesshub-api-recipes/blob/master/recipes/README.md" target="_blank" rel="noopener nofollow noreferrer">SAP GitHub repo</A> for more details. The <STRONG>policy must run in the PostFlow section</STRONG> in order for "target.basepath" to be populated.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_8-1723200587355.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149553i508C78BD54749F15/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_8-1723200587355.png" alt="MartinPankraz_8-1723200587355.png" /></span></P><P>Consider the governance and security trade-offs between mighty policies and SAP OAuth clients authorized for everything vs. a multitude of clients for each API and scope.</P><P> </P><H2 id="toc-hId--156796011">Configure the policy using a key value map</H2><P>All the configuration needed for the token exchange flow shown earlier is best provided with an encrypted key value map (I recommend starting with an unencrypted one when you do this for the first time, for simpler troubleshooting). Create a new encrypted one called "SAPPrincipalPropagationMap". 
The name is referenced on the provided policy.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_9-1723200587365.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149554i5F0AFA2E01EF34F7/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_9-1723200587365.png" alt="MartinPankraz_9-1723200587365.png" /></span></P><P> </P><P>Fill the values as per your environment:</P><P> </P><TABLE><TBODY><TR><TD width="200"><P><STRONG>Key</STRONG></P></TD><TD width="200"><P><STRONG>Value sample</STRONG></P></TD><TD width="200"><P><STRONG>Hints</STRONG></P></TD></TR><TR><TD width="200"><P><STRONG>entra-id-tenant-id</STRONG></P></TD><TD width="200"><P>12a345bc-1234-56ab-78ab-zzzzzzzzz</P></TD><TD width="200"><P>Find it on the Azure portal (e.g. <A href="https://portal.azure.com/?feature.customportal=false#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview" target="_blank" rel="noopener nofollow noreferrer">here</A>)</P></TD></TR><TR><TD width="200"><P><STRONG>issuer</STRONG></P></TD><TD width="200"><P><A href="https://sts.windows.net/12a345bc-1234-56ab-78ab-zzzzzzzzz/" target="_blank" rel="noopener nofollow noreferrer">https://sts.windows.net/12a345bc-1234-56ab-78ab-zzzzzzzzz/</A></P></TD><TD width="200"><P>The prefix is fixed. 
Only the tenant id is dynamic.</P><P> </P><P><A href="https://login.microsoftonline.com/12a345bc-1234-56ab-78ab-zzzzzzzzz" target="_blank" rel="noopener nofollow noreferrer">https://login.microsoftonline.com/12a345bc-1234-56ab-78ab-zzzzzzzzz</A> for v2 endpoints</P></TD></TR><TR><TD width="200"><P><STRONG>entra-id-audience</STRONG></P></TD><TD width="200"><P>api://999abce-7777-abcd-a6c9-zzzzzzzzzzz</P></TD><TD width="200"><P>The globally unique Application ID URI from the Entra ID app registration representing your SAP API Management instance</P></TD></TR><TR><TD width="200"><P><STRONG>AADRegisteredAppClientId</STRONG></P></TD><TD width="200"><P>999abce-7777-abcd-a6c9-zzzzzzzzzzz</P></TD><TD width="200"><P>The Application (client) id of the Entra ID app registration representing your SAP API Management instance.</P></TD></TR><TR><TD width="200"><P><STRONG>AADRegisteredAppClientSecret</STRONG></P></TD><TD width="200"><P> </P></TD><TD width="200"><P>The secret created for the application 999abce-7777-abcd-a6c9-zzzzzzzzzzz</P></TD></TR><TR><TD width="200"><P><STRONG>AADSAPResource</STRONG></P></TD><TD width="200"><P><A href="https://a4h100" target="_blank" rel="noopener nofollow noreferrer">https://a4h100</A></P></TD><TD width="200"><P>The provider's name from your NetWeaver SAML setup. 
Typically, a URL with the SID followed by the client number</P></TD></TR><TR><TD width="200"><P><STRONG>sap-oauth-client-username</STRONG></P></TD><TD width="200"><P>ODATAOAUTH</P></TD><TD width="200"><P>User name provided on SOAUTH2 transaction (/sap/bc/webdynpro/sap/oauth2_config?sap-client=100)</P><P> </P><P>Create a system user on SU01 with minimum rights (S_SCOPE) and reference that on SOAUTH2.</P><P>Don't forget to assign the authorized scope.</P></TD></TR><TR><TD width="200"><P><STRONG>sap-oauth-client-password</STRONG></P></TD><TD width="200"><P> </P></TD><TD width="200"><P>This is only used to request tokens, not to authenticate to SAP.</P></TD></TR><TR><TD width="200"><P><STRONG>sap-oauth-scope</STRONG></P></TD><TD width="200"><P>ZPRODUCTSVIEW_CDS_0001</P></TD><TD width="200"><P>The scope assigned on SOAUTH2. If there are multiple, make a space-separated list.</P></TD></TR><TR><TD width="200"><P><STRONG>SAPOAuthServerAdress</STRONG></P><P><STRONG>ForTokenEndpoint</STRONG></P></TD><TD width="200"><P>a4h-internal.cloudapp.net:44301</P></TD><TD width="200"><P>Host and port of the target SAP OAuth server. When Cloud Connector is used, put the virtual hostname and port.</P></TD></TR></TBODY></TABLE><P> </P><P>Adjust the name of the API provider as per your setup in the policy elements "RefreshSAPToken", "fetchSAPOAuthToken", and "GetCSRFToken".</P><P> </P><H2 id="toc-hId--353309516">SAP Cloud Connector settings are minimal</H2><P>In this scenario, all authentication is handled by the SAP API Management policy. Therefore, the configuration for the connected on-premises API provider (your SAP Cloud Connector) is reduced to the host and port only.</P><P><STRONG>Keep Authentication on NONE</STRONG>. But be assured that the OAuth2SAMLBearer flow has your back. 
Additional auth config on the Cloud Connector would <STRONG>either be redundant or interfere with the setup</STRONG>.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_10-1723200587374.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149555i41A84EB8ECF67601/image-size/medium?v=v2&px=400" role="button" title="MartinPankraz_10-1723200587374.png" alt="MartinPankraz_10-1723200587374.png" /></span></P><P> </P><P>Note: The Principal Propagation option on the Cloud Connector connection config uses short-lived X.509 certificates, whereas the scenario outlined in this blog is about API-only approaches.</P><P> </P><H2 id="toc-hId--549823021">Authorize the consuming application with API Management</H2><P>Authorize the Power Automate SAP OData connector to request tokens for your API Management instance using its client id: <STRONG>6bee4d13-fd19-43de-b82c-4b6401d174c3</STRONG>, assigning the <STRONG>user_impersonation</STRONG> scope.</P><P>Verify the id from the <A href="https://learn.microsoft.com/azure/sap/workloads/expose-sap-odata-to-power-platform?#sap-odata-connector-in-power-platform" target="_blank" rel="noopener nofollow noreferrer">Microsoft docs</A>.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_11-1723200587409.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149556i9EFCB4910D321877/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_11-1723200587409.png" alt="MartinPankraz_11-1723200587409.png" /></span></P><P> </P><P>Next, verify that the client id of your API Management instance is authorized on the app registration attached to your target SAP product (in my sample, SAP NetWeaver). And because I was lazy, I gave it the same name. 
Check that the required scope is ticked too ("Scopes = 1" on the bottom table of the screenshot below).</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_12-1723200587427.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149557iD8D069BD0ADF9475/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_12-1723200587427.png" alt="MartinPankraz_12-1723200587427.png" /></span></P><P> </P><P>Be aware that your internal policies might require you to actively assign users or groups to the enterprise app registration. Otherwise, you will get an error before you even get to SAP. Been there, done that. Just saying <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_13-1723200587440.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149558i4ED9938A420B934C/image-size/medium?v=v2&px=400" role="button" title="MartinPankraz_13-1723200587440.png" alt="MartinPankraz_13-1723200587440.png" /></span></P><P> </P><H2 id="toc-hId--746336526">The final mile of integration</H2><P>Ok, all homework is done. 
Now we get to go outside and enjoy the "low code" sun <span class="lia-unicode-emoji" title=":sun_with_face:">🌞</span> Create your SAP OData connection, choose the authentication type Microsoft Entra ID and paste the URI of the Entra ID app registration that represents your API Management.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_14-1723200587456.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149560iF20249E61471336E/image-size/medium?v=v2&px=400" role="button" title="MartinPankraz_14-1723200587456.png" alt="MartinPankraz_14-1723200587456.png" /></span></P><P> </P><P>Clicking on <STRONG>Sign in</STRONG> triggers the $metadata request to your OData endpoint to pull the available values.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_15-1723200587459.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149559i4D1D1ED38119112E/image-size/medium?v=v2&px=400" role="button" title="MartinPankraz_15-1723200587459.png" alt="MartinPankraz_15-1723200587459.png" /></span></P><P>The connection is now authorized with the user you supplied. 
However, each user the flow is shared with will authorize the connection again with their own identity on first use.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_16-1723200587462.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149562iB68079A85DE8EA29/image-size/medium?v=v2&px=400" role="button" title="MartinPankraz_16-1723200587462.png" alt="MartinPankraz_16-1723200587462.png" /></span></P><H1 id="toc-hId--302192667">Hints on troubleshooting</H1><UL><LI>SAP's OAuth server has a tracing tool provided as WebDynpro.<UL><LI>Open it from SAPGUI with transaction sec_diag_tool or navigate to the web app: /sap/bc/webdynpro/sap/<STRONG>sec_diag_tool</STRONG>?sap-client=YYY</LI><LI>Search for error messages and successful mapping of the Entra ID provided email to the SAP backend user.</LI><LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MartinPankraz_17-1723200587464.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/149561i9BC284308936B14D/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_17-1723200587464.png" alt="MartinPankraz_17-1723200587464.png" /></span><P> </P></LI></UL></LI></UL><UL><LI>All the settings are client dependent! Always double check that the intended client is being applied (or add the sap-client URL parameter to be sure). Been there, done that <span class="lia-unicode-emoji" title=":winking_face:">😉</span> See the transactions below to verify the setup:<UL><LI>SAML2 or the webdynpro: /sap/bc/webdynpro/sap/saml2?sap-client=YYY</LI><LI>SOAUTH2 or the webdynpro: /sap/bc/webdynpro/sap/oauth2_config?sap-client=YYY</LI></UL></LI></UL><P> </P><UL><LI>Before applying the APIM policy, consider running the sequence of authentication calls locally (with "line of sight" to NetWeaver, of course) using a REST client. 
See <A href="https://raw.githubusercontent.com/MartinPankraz/AzureSAPODataReader/master/Templates/AAD_APIM_SAP_Principal_Propagation.postman_collection.json" target="_blank" rel="noopener nofollow noreferrer">this Postman collection</A> for reference. Verify errors from transaction /n/IWFND/<STRONG>ERROR_LOG</STRONG>. Drop cookies in your REST client before re-testing!</LI></UL><P> </P><UL><LI>Verify the produced Entra ID token's attributes using a safe JWT validator (e.g. <A href="https://devtoys.app/" target="_blank" rel="noopener nofollow noreferrer">DevToys</A>). Don't share your sensitive tokens on some website for validation!<UL><LI>iss (Issuer): Should read something like <A href="https://sts.windows.net/12a3456-zzz..." target="_blank" rel="noopener nofollow noreferrer">https://sts.windows.net/12a3456-zzz...</A> or <A href="https://login.microsoftonline.com/12a3456-zzz" target="_blank" rel="noopener nofollow noreferrer">https://login.microsoftonline.com/12a3456-zzz</A>... for v2 endpoints.</LI><LI>aud (Audience): Something like "api://bbbbbb-cccc-dddd-dddd-eeeeeeee"</LI><LI>scp (Scope): "user_impersonation"</LI></UL></LI></UL><P> </P><UL><LI>For the SAML2 assertion, exercise the same approach but base64 decode and XML pretty print it. Notepad++ with MIME Tools -> Base64 decode and XML Tools -> pretty print does the job locally just fine. Again, don't paste sensitive info online! Verify the following claims from your assertion:<UL><LI>AudienceRestriction -> Audience: Should be a URL containing your SID and client id, e.g. 
<A href="https://A4H100" target="_blank" rel="noopener nofollow noreferrer">https://A4H100</A></LI><LI>Claims: Name, email or whatever you have configured to be used to identify the named SAP backend user.</LI></UL></LI></UL><P> </P><UL><LI>While doing integration tests with the API Management policy, consider decoding the <A href="https://help.sap.com/docs/sap-api-management/sap-api-management/create-key-value-map?version=Cloud&locale=en-US" target="_blank" rel="noopener noreferrer">key value map</A> or using a non-encrypted one until you are confident with your setup, so you can see immediately which config values were provided.</LI></UL><P> </P><UL><LI>Verify that your key value map changes are being pulled.</LI></UL><P> </P><UL><LI><SPAN>Cached a faulty token? Disable the caching policy steps "LookupSAPTokens" and "LookupSAPRefreshTokens" using the enabled attribute on the XML, or consider adding an API to clear the cache per user using the "InvalidateCache" policy step. </SPAN></LI></UL><P> </P><UL><LI><SPAN>405 Method Not Allowed (SAP note <A href="https://me.sap.com/notes/0003386802" target="_self" rel="noopener noreferrer">3386802</A>)<span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>: SAP API Management generates PUT method entries for OData v2 and PATCH entries for OData v4 services. Power Automate's "Update entity" step uses the PATCH approach. In case of conflict, either choose the "Create any type of OData request" step and configure PUT instead on Power Automate, or adjust the swagger definition using "Edit in API Designer" on SAP API Management to add PATCH to cater for this.</SPAN></LI></UL><P> </P><UL><LI><SPAN>POLICY_PARSING_ERROR: In case you encounter a generic "Unable to update API", make sure you have maintained a correctly named APIProvider attribute under the HTTPTargetConnection entity. It is referenced in multiple ServiceCallout steps! 
</SPAN></LI></UL><H1 id="toc-hId--695219677">Thoughts on production readiness</H1><P><STRONG>SAP Integration Suite</STRONG> <STRONG>is</STRONG> more than <STRONG>ready for prime time</STRONG> as the de-facto standard for SAP heavy integrations.</P><P>The <A href="https://help.sap.com/doc/saphelp_nw75/7.5.5/en-US/75/73ffc0ae444443a23b9e661d77d637/frameset.htm" target="_blank" rel="noopener noreferrer">OAuthSAML2Bearer flow</A> is an evergreen discussed in the community at length for years and fully supported by SAP for service to service Principal Propagation.</P><P>The involved Entra ID app registration client secret can be governed with Azure automation or SAP Build Apps Process Automation. See this <A href="https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/secrets_rotation/" target="_blank" rel="noopener nofollow noreferrer">Microsoft article</A> and this <A href="https://github.com/Azure/AzureAD-AppSecretManager" target="_blank" rel="noopener nofollow noreferrer">GitHub repo</A> for reference.</P><P>Applying the <STRONG>battle-proven API management policy</STRONG> from the API hub ensures a configuration driven approach and clear update paths.</P><P>The <STRONG>SAP and Microsoft low code ecosystem is a natural fit</STRONG> for productivity across business needs that involve M365 (Microsoft Graph, Teams, Outlook, SharePoint Online, etc.) and SAP.</P><P>In terms of governance, <STRONG>SAP offers extensive integration with the Microsoft ecosystem</STRONG>. 
See <A href="https://community.sap.com/t5/technology-blogs-by-sap/supporting-multiple-api-gateways-with-sap-api-management-using-azure-api/ba-p/13680433" target="_blank">this co-authored blog</A> about SAP API Management integrating Azure APIs and <A href="https://community.sap.com/t5/technology-blogs-by-members/govern-sap-apis-living-in-various-api-management-gateways-in-a-single-place/ba-p/13682483" target="_blank">this one about Azure API Center</A> to handle a multitude of gateways in a single place.</P><P> </P><H1 id="toc-hId--891733182">Final Words</H1><P>That's a wrap <span class="lia-unicode-emoji" title=":burrito:">🌯</span>. Today you saw how to configure SAP Principal Propagation with Microsoft Entra ID for low code solutions. The approach maps Microsoft identities to SAP named users to retain their SAP authorizations. In addition to that, you learnt that a provided SAP API Management policy performs the heavy lifting of the authentication flow.</P><P>App developers and low coders no longer need to deal with the complexity of principal propagation and get the added benefit of token caching, token refresh, and CSRF handling out-of-the-box. 
Find the policy on the <A href="https://api.sap.com/policytemplate/Principal_Propagation_via_Entra_Id" target="_blank" rel="noopener noreferrer">SAP Business Accelerator hub</A>.</P><P>Get started from <A href="https://learn.microsoft.com/azure/sap/workloads/expose-sap-odata-to-power-platform?#sap-odata-connector-in-power-platform" target="_blank" rel="noopener nofollow noreferrer">here</A>.</P><P> </P><P>Cheers</P><P><a href="https://community.sap.com/t5/user/viewprofilepage/user-id/216068">@vinayak_adkoli</a> and Martin</P>2024-08-14T08:50:31.455000+02:00https://community.sap.com/t5/technology-q-a/re-bring-the-data-from-azure-databricks-adb-to-sap-aba/qaq-p/13804411/comment-id/4842756#M4842756Re: Bring the data from Azure DataBricks (ADB) to SAP ABA...2024-08-23T08:08:03.769000+02:00Martin-Pankrazhttps://community.sap.com/t5/user/viewprofilepage/user-id/143781<P>Have you considered the <A href="https://github.com/microsoft/ABAP-SDK-for-Azure" target="_blank" rel="noopener nofollow noreferrer">ABAP SDK for Azure</A>? It has accelerator code for your scenario.</P><P>I believe you will find the REST API descriptions <A href="https://learn.microsoft.com/en-us/rest/api/databricks/" target="_blank" rel="noopener nofollow noreferrer">here</A>.</P><P>Cheers Martin</P>2024-08-23T08:08:03.769000+02:00https://community.sap.com/t5/technology-q-a/re-bring-the-data-from-azure-databricks-adb-to-sap-aba/qaq-p/13807964/comment-id/4843238#M4843238Re: Bring the data from Azure DataBricks (ADB) to SAP ABA...2024-08-27T07:56:18.078000+02:00Martin-Pankrazhttps://community.sap.com/t5/user/viewprofilepage/user-id/143781<P>Yes, the accelerator code on the ABAP SDK is aimed at connecting to Azure services for pull based approaches. That was the first request on your list. Connection direction does not mean you cannot get the data. The SDK is pull-oriented but of course its code can be used for push-based too. 
You may connect to the ADB REST API for instance and handle Managed Identities, Entra ID authentication flows etc. out-of-the-box from ABAP.</P><P>Push based approaches require a completely different stack with transformations and coding your receiver on ABAP. And we haven't started discussing retry logic and mass data movement yet <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span> at that point a thread of comments is no longer suitable to arrive at a sustainable solution.</P>2024-08-27T07:56:18.078000+02:00https://community.sap.com/t5/technology-blogs-by-members/sap-private-linky-swear-with-azure-running-cloud-connector-and-sap-private/bc-p/13942082#M170390Re: SAP Private linky swear with Azure – running Cloud Connector and SAP Private Link side-by-side2024-11-19T11:59:03.301000+01:00Martin-Pankrazhttps://community.sap.com/t5/user/viewprofilepage/user-id/143781<P>Hey <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/1696610">@MofizurRahaman</a>,</P><P>there is not much more that can be said beyond what the blog already states.</P><P>1. SAP PLS is no replacement for the SCC. You are comparing a networking service with a software product that includes audit logging, selective RFC exposure etc. They are complementary rather than competitive. Hence, the roadmap item to enable the SCC to communicate with BTP over PLS.</P><P>2. SAP PLS supports principal propagation of course, because it is a networking solution. This space has likely evolved since my last post on it but the approach still holds true. See blog <A href="https://community.sap.com/t5/technology-blogs-by-members/sap-private-linky-swear-with-azure-propagate-your-sap-principles-via-sap/ba-p/13514641" target="_blank">part 5</A>.</P><P>3. This depends on your own needs. 
No official guidance has been published yet.</P><P>Let the community know what you decided in the end <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P>2024-11-19T11:59:03.301000+01:00https://community.sap.com/t5/technology-blogs-by-members/perform-sap-principal-propagation-with-microsoft-entra-id-for-sap/ba-p/13860532Perform SAP Principal Propagation with Microsoft Entra ID for SAP SuccessFactors!2024-11-20T10:09:24.231000+01:00Martin-Pankrazhttps://community.sap.com/t5/user/viewprofilepage/user-id/143781<P><SPAN><EM>This blog is co-authored with Vinayak Adkoli (Lead Product Manager, SAP Integration Suite, SAP SE). Link to Microsoft Learn Hub for Power Platform and SAP <A href="https://learn.microsoft.com/power-platform/sap/" target="_blank" rel="noopener nofollow noreferrer">here</A><span class="lia-unicode-emoji" title=":link:">🔗</span>.</EM></SPAN></P><P><SPAN>Dear community,</SPAN></P><P><SPAN>The <A href="https://community.sap.com/t5/enterprise-resource-planning-blogs-by-members/integrating-low-code-solutions-with-microsoft-using-sap-integration-suite/ba-p/13789298" target="_blank">last blog post</A> showed how to integrate Microsoft and SAP low code solutions with SAP services using the <STRONG>API Management</STRONG> capability of <STRONG>SAP Integration Suite</STRONG> and <STRONG>Microsoft Entra ID</STRONG> as the overall identity provider. Today's post is about the specifics for <STRONG>SAP SuccessFactors</STRONG>.</SPAN></P><P><SPAN>Spoiler alert <span class="lia-unicode-emoji" title=":shushing_face:">🤫</span>: the approach stays the same! Only a slightly modified API Management policy needs to be imported. 
The SuccessFactors token request authenticates with an API key rather than an OAuth2 client id, and it carries your SuccessFactors company id alongside the SAML assertion.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_0-1725956414383.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/164365iF3E72E696385CEC5/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_0-1725956414383.png" alt="MartinPankraz_0-1725956414383.png" /></span></P><P> </P><P><SPAN>Technically you could use the same policy for NetWeaver based systems and SuccessFactors, because the "unexpected" authentication attributes are ignored as of the releases that were tested. It is a good practice though to separate the concerns. Therefore we published a separate policy instead of a one-size-fits-all one with a bloated number of attributes.</SPAN></P><P><SPAN>At the core of the solution is again the proven OAuth2SAMLBearer flow. See the <A href="https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae2748ab9f23228dd6a31b06.html" target="_blank" rel="noopener noreferrer">official SuccessFactors docs</A> on the required SAML attributes for reference.</SPAN></P><P><SPAN>In addition to that, solving this challenge on Integration Suite level enables scaling the approach to arbitrarily many different consumer </SPAN>solutions<SPAN>. 
No more re-inventing the wheel for every developer!</SPAN></P><H3 id="toc-hId-1177884419">Find the <A href="https://api.sap.com/policytemplate/SuccessFactors_Principal_Propagation_via_Entra_Id" target="_blank" rel="noopener noreferrer">SuccessFactors-specific policy</A> on the SAP Business Accelerator Hub.</H3><P><SPAN>Of course, you may deviate from the blueprint outlined based on your scenario across SAP BTP, SAP Graph, Integration Suite, other SAP SaaS solutions etc.</SPAN></P><P> </P><H1 id="toc-hId-723205476"><SPAN>A glimpse under the hood</SPAN></H1><P><SPAN>Start your journey on SAP API Management by creating a new API provider for your SuccessFactors tenant. Be aware</SPAN><span class="lia-unicode-emoji" title=":index_pointing_up:">☝️</span><SPAN> of the different domains for the portal UI and the associated OData API endpoint! See <A href="https://userapps.support.sap.com/sap/support/knowledge/en/2215682" target="_blank" rel="noopener noreferrer">SAP note 2215682</A> for reference.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_1-1725956414399.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/164367iF2A52315213DC2F4/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_1-1725956414399.png" alt="MartinPankraz_1-1725956414399.png" /></span></P><P> </P><P><SPAN>Next, register your SuccessFactors OData API. In my sample I am taking the entity set "User", which resides on the base path for a tenant in DC5 like so:</SPAN></P><P><SPAN><A href="https://api5.successfactors.eu/odata/v2/User/$metadata" target="_blank" rel="noopener nofollow noreferrer">https://api5.successfactors.eu/odata/v2/User/$metadata</A></SPAN></P><P><SPAN>Make sure to verify the base path of the URL (/odata/v2 vs. /odata/v2/User) of your target endpoint on API Management. 
See the screenshot below for reference.</SPAN></P><P><SPAN>Otherwise, you will encounter routing issues for requests like /odata/v2/User('1000').</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_2-1725956414406.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/164366i9CC6FB9ACFB02EBF/image-size/medium?v=v2&px=400" role="button" title="MartinPankraz_2-1725956414406.png" alt="MartinPankraz_2-1725956414406.png" /></span></P><P> </P><P><SPAN>The API Management policy works under the assumption that trust between your SAP SuccessFactors OAuth2 server and Microsoft Entra ID has been set up beforehand. See <A href="https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/d9a9545305004187986c866de2b66987.html" target="_blank" rel="noopener noreferrer">this guide</A> for reference.</SPAN></P><P><SPAN>In addition to the existing authorizations maintained on SuccessFactors, each application consuming the SAP API proxy from API Management needs to be authorized on Entra ID.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_3-1725956414410.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/164368i0584EB755CB8CC61/image-size/medium?v=v2&px=400" role="button" title="MartinPankraz_3-1725956414410.png" alt="MartinPankraz_3-1725956414410.png" /></span></P><P> </P><P><SPAN>See this official <A href="https://learn.microsoft.com/entra/identity/saas-apps/successfactors-tutorial" target="_blank" rel="noopener nofollow noreferrer">guide</A> for details on the Entra ID setup. Be aware that the linked guide refers to the SAML2 setup (not OAuth2!). 
See the difference for OAuth2SAMLBearer below:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_4-1725956414426.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/164369i2904509327C43906/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_4-1725956414426.png" alt="MartinPankraz_4-1725956414426.png" /></span></P><P> </P><P><SPAN>The Entity ID can be any URI. It is a good practice though to use something that resembles your SuccessFactors tenant.</SPAN></P><P><SPAN>Be aware that the Entity ID must be unique in your Entra ID tenant. In case you want to use SAML2 for SSO and OAuth2 for SAP Principal Propagation for this tenant at the same time, you need to maintain both on the Entra ID enterprise app registration. Assign an order (index) that works with your login flow.</SPAN></P><P><SPAN> </SPAN></P><H2 id="toc-hId-655774690"><SPAN>Take care of your OAuth settings</SPAN></H2><P><SPAN>The steps for the OAuth configuration may vary by SAP product. Here the focus is on SAP SuccessFactors.</SPAN></P><P><SPAN>Move on to your SuccessFactors tenant and open the app "Manage OAuth2 Client Applications" to create a new OAuth client for your Microsoft Entra ID enterprise app. 
Populate the values as per your environment.</SPAN></P><P><SPAN>Be aware that you need to <STRONG>copy the certificate body only</STRONG> without the header -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_5-1725956414443.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/164370i02E60D7734B39D9B/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_5-1725956414443.png" alt="MartinPankraz_5-1725956414443.png" /></span></P><P> </P><H2 id="toc-hId-459261185"><SPAN>Import the policy into your tenant</SPAN></H2><P><SPAN>Download <A href="https://api.sap.com/policytemplate/SuccessFactors_Principal_Propagation_via_Entra_Id" target="_blank" rel="noopener noreferrer">the policy from the SAP Business Accelerator Hub</A> and import the template into your SAP API Management tenant.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_6-1725956414454.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/164372i4C53B25E651BB51E/image-size/medium?v=v2&px=400" role="button" title="MartinPankraz_6-1725956414454.png" alt="MartinPankraz_6-1725956414454.png" /></span></P><P> </P><P><SPAN>Apply to all the PostFlow steps of the TargetEndpoints of your APIs as you see fit. 
See <A href="https://learning.sap.com/learning-journeys/developing-with-sap-integration-suite/using-policies_cd5fde51-b3d2-40d3-bd71-3f2870c2b51b" target="_blank" rel="noopener noreferrer">this SAP tutorial</A> and this <A href="https://github.com/SAP/apibusinesshub-api-recipes/blob/master/recipes/README.md" target="_blank" rel="noopener nofollow noreferrer">SAP GitHub repo</A> for more details.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_7-1725956414461.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/164371i8727F8882B0EDB0F/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_7-1725956414461.png" alt="MartinPankraz_7-1725956414461.png" /></span></P><P> </P><P><SPAN>Consider the governance and security trade-offs between mighty policies and SAP OAuth clients authorized for everything vs. a multitude of clients, one for each API and scope.</SPAN></P><P> </P><H2 id="toc-hId-262747680"><SPAN>Configure the policy using a key value map</SPAN></H2><P><SPAN>All the configuration needed for the token exchange flow shown earlier is best provided with an encrypted key value map (I recommend starting with an unencrypted one the first time you do this, for simpler troubleshooting). Create a new encrypted one called "SAPPrincipalPropagationMap". 
The name is referenced on the provided policy.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_8-1725956414472.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/164373iF5298E4C404308EF/image-size/medium?v=v2&px=400" role="button" title="MartinPankraz_8-1725956414472.png" alt="MartinPankraz_8-1725956414472.png" /></span></P><P> </P><P><SPAN>Fill the values as per your environment:</SPAN></P><TABLE><TBODY><TR><TD width="200"><P><STRONG><SPAN>Key</SPAN></STRONG></P></TD><TD width="200"><P><STRONG><SPAN>Value sample</SPAN></STRONG></P></TD><TD width="200"><P><STRONG><SPAN>Hints</SPAN></STRONG></P></TD></TR><TR><TD width="200"><P><STRONG><SPAN>entra-id-tenant-id</SPAN></STRONG></P></TD><TD width="200"><P><SPAN>12a345bc-1234-56ab-78ab-zzzzzzzzz</SPAN></P></TD><TD width="200"><P><SPAN>Find it on the Azure portal (e.g. <A href="https://portal.azure.com/?feature.customportal=false#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview" target="_blank" rel="noopener nofollow noreferrer">here</A>)</SPAN></P></TD></TR><TR><TD width="200"><P><STRONG><SPAN>issuer</SPAN></STRONG></P></TD><TD width="200"><P><SPAN><A href="https://sts.windows.net/12a345bc-1234-56ab-78ab-zzzzzzzzz/" target="_blank" rel="noopener nofollow noreferrer">https://sts.windows.net/12a345bc-1234-56ab-78ab-zzzzzzzzz/</A></SPAN></P></TD><TD width="200"><P><SPAN>The prefix is fixed. 
Only the tenant id is dynamic.</SPAN></P><P><SPAN> </SPAN></P><P><SPAN><A href="https://login.microsoftonline.com/12a345bc-1234-56ab-78ab-zzzzzzzzz/v2.0" target="_blank" rel="noopener nofollow noreferrer">https://login.microsoftonline.com/12a345bc-1234-56ab-78ab-zzzzzzzzz/v2.0</A> for v2 endpoints (the v2 issuer claim ends in /v2.0)</SPAN></P></TD></TR><TR><TD width="200"><P><STRONG><SPAN>entra-id-audience</SPAN></STRONG></P></TD><TD width="200"><P><SPAN>api://999abce-7777-abcd-a6c9-zzzzzzzzzzz</SPAN></P></TD><TD width="200"><P><SPAN>The globally unique Application ID URI from the Entra ID app registration representing your SAP API Management instance</SPAN></P></TD></TR><TR><TD width="200"><P><STRONG><SPAN>AADRegisteredAppClientId</SPAN></STRONG></P></TD><TD width="200"><P><SPAN>999abce-7777-abcd-a6c9-zzzzzzzzzzz</SPAN></P></TD><TD width="200"><P><SPAN>The Application (client) id of the Entra ID app registration representing your SAP API Management instance.</SPAN></P></TD></TR><TR><TD width="200"><P><STRONG><SPAN>AADRegisteredAppClientSecret</SPAN></STRONG></P></TD><TD width="200"><P><SPAN> </SPAN></P></TD><TD width="200"><P><SPAN>The secret created for the application 999abce-7777-abcd-a6c9-zzzzzzzzzzz</SPAN></P></TD></TR><TR><TD width="200"><P><STRONG><SPAN>AADSAPResource</SPAN></STRONG></P></TD><TD width="200"><P><SPAN><A href="https://my.successfactors.eu" target="_blank" rel="noopener nofollow noreferrer">https://my.successfactors.eu</A></SPAN></P></TD><TD width="200"><P><SPAN>The provider's name (Entity ID) from your SuccessFactors SAML setup. </SPAN></P></TD></TR><TR><TD width="200"><P><STRONG><SPAN>sap-oauth-sf-api-key</SPAN></STRONG></P></TD><TD width="200"><P><SPAN>ABCDE1234FGH6789</SPAN></P></TD><TD width="200"><P><SPAN>API Key generated by SuccessFactors for your OAuth2 application. 
Instructions <A href="https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/6b3c741483de47b290d075d798163bc1.html" target="_blank" rel="noopener noreferrer">here</A>.</SPAN></P></TD></TR><TR><TD width="200"><P><STRONG><SPAN>sap-oauth-company-id</SPAN></STRONG></P></TD><TD width="200"><P><SPAN>SF123456</SPAN></P></TD><TD width="200"><P><SPAN>Your SuccessFactors Company id. Find it <A href="https://userapps.support.sap.com/sap/support/knowledge/en/2655655" target="_blank" rel="noopener noreferrer">here</A>.</SPAN></P></TD></TR><TR><TD width="200"><P><STRONG><SPAN>SAPOAuthServerAdress</SPAN></STRONG></P><P><STRONG><SPAN>ForTokenEndpoint</SPAN></STRONG></P></TD><TD width="200"><P><SPAN>salesdemo.successfactors.eu</SPAN></P></TD><TD width="200"><P><SPAN>OAuth <A href="https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/223bc880027b4da7983e2f60c49d3992.html" target="_blank" rel="noopener noreferrer">endpoint</A> of your SuccessFactors instance (host name only; keep the key name exactly as spelled, since the policy looks it up by that name).</SPAN></P></TD></TR></TBODY></TABLE><P><SPAN> </SPAN><SPAN>Adjust the name of the API provider as per your setup in the policy elements "fetchSAPOAuthToken" and "GetCSRFToken".</SPAN></P><H2 id="toc-hId-66234175"><SPAN>The final mile of integration</SPAN></H2><P><SPAN>Ok, all homework is done. Now we get to go outside and enjoy the "low code" sun with SAP SuccessFactors </SPAN><span class="lia-unicode-emoji" title=":sun_with_face:">🌞</span><SPAN>. Create your SAP OData connection in Power Automate, choose the authentication type Microsoft Entra ID and paste the URI of the Entra ID app registration that represents your API Management.</SPAN></P><P> </P><H1 id="toc-hId--259362049"><SPAN>Hints on troubleshooting</SPAN></H1><UL><LI><SPAN>Before applying the APIM policy consider running the sequence of authentication calls locally (with "line of sight" to your SuccessFactors tenant and Entra ID, of course) using a REST client. 
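</SPAN></LI></UL><P>The same dry run as an added Python example (not code from this post or from the SAP policy template): it builds the two token requests the policy issues, the Entra ID on-behalf-of exchange of the caller's JWT for a SAML assertion and the SuccessFactors saml2-bearer token request, and applies the claim checks from the troubleshooting hints to constructed sample artefacts. Tenant id, audience, API key, company id, the sample JWT and the sample SAML assertion are placeholders. The shape of the Entra ID on-behalf-of request follows the documented v1 endpoint as I know it, so verify it against the current Microsoft docs; signature verification is deliberately left to the policy's JWT verification against the Entra ID JWKS, this script checks claims only.</P>

```python
"""Offline dry run of the Entra ID to SuccessFactors token dance.

Added example, not code from the blog or from the SAP policy template. Tenant id,
audience, API key, company id and the sample JWT/SAML assertion are placeholders.
Signature verification is intentionally not done here; the policy's JWT
verification against the Entra ID JWKS covers that at runtime.
"""
import base64
import json
import time
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def b64url_decode(data):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def jwt_claims(token):
    """Payload of a compact JWT (claims only, signature not checked)."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def check_entra_token(token, tenant_id, audience, now=None):
    """Claim checks on the caller's Entra ID token; an empty list means OK."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    issuers = {
        f"https://sts.windows.net/{tenant_id}/",                # v1 endpoint
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",  # v2 endpoint
    }
    problems = []
    if claims.get("iss") not in issuers:
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != audience:
        problems.append(f"audience {claims.get('aud')!r} != {audience!r}")
    if "user_impersonation" not in claims.get("scp", "").split():
        problems.append("scope user_impersonation missing")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def obo_saml_request(client_id, client_secret, user_token, sap_resource):
    """Form body for the Entra ID v1 token endpoint: on-behalf-of exchange of the
    user's JWT for a SAML 2.0 assertion addressed to the SuccessFactors resource
    (the AADSAPResource value). Assumed shape; verify against current Entra docs."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_token,
        "resource": sap_resource,
        "requested_token_use": "on_behalf_of",
        "requested_token_type": "urn:ietf:params:oauth:token-type:saml2",
    }


def check_saml_assertion(assertion_b64, expected_audience):
    """Decode the base64 SAML assertion and pull out what SuccessFactors evaluates."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    audience = root.findtext(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=SAML_NS)
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=SAML_NS)
    return {"audience": audience, "name_id": name_id,
            "audience_ok": audience == expected_audience}


def sf_token_request(api_key, company_id, assertion_b64):
    """Form body for POST https://<SAPOAuthServerAdressForTokenEndpoint>/oauth/token."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "client_id": api_key,       # the SuccessFactors API key takes the client_id slot
        "company_id": company_id,
        "assertion": assertion_b64,
    }


# Constructed sample artefacts, not real tokens.
TENANT = "12a345bc-1234-56ab-78ab-zzzzzzzzz"
AUDIENCE = "api://999abce-7777-abcd-a6c9-zzzzzzzzzzz"
SF_RESOURCE = "https://my.successfactors.eu"


def fake_jwt(claims):
    """Unsigned JWT-shaped string for offline claim checks only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])


SAMPLE_JWT = fake_jwt({"iss": f"https://sts.windows.net/{TENANT}/", "aud": AUDIENCE,
                       "scp": "user_impersonation", "exp": 4102444800})
SAMPLE_SAML = base64.b64encode(
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b"<saml:Subject><saml:NameID>jdoe@contoso.example</saml:NameID></saml:Subject>"
    b"<saml:Conditions><saml:AudienceRestriction>"
    b"<saml:Audience>https://my.successfactors.eu</saml:Audience>"
    b"</saml:AudienceRestriction></saml:Conditions></saml:Assertion>").decode()

if __name__ == "__main__":
    print("JWT problems:", check_entra_token(SAMPLE_JWT, TENANT, AUDIENCE))
    print("SAML:", check_saml_assertion(SAMPLE_SAML, SF_RESOURCE))
    print("OBO body:", obo_saml_request("client-id", "<secret>", SAMPLE_JWT, SF_RESOURCE))
    print("SF body:", sf_token_request("ABCDE1234FGH6789", "SF123456", SAMPLE_SAML))
```

<P>Run it as a script to see the results on the sample artefacts, then paste in the real JWT and SAML assertion captured from your REST client. A non-empty problem list from check_entra_token or a false audience_ok points straight at the matching key value map entry (issuer, entra-id-audience or AADSAPResource) without sending anything to an online decoder.</P><UL><LI><SPAN>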
See <A href="https://raw.githubusercontent.com/MartinPankraz/AzureSAPODataReader/master/Templates/SuccessFactors%20Entra%20ID%20principal%20propagation.postman_collection.json" target="_blank" rel="noopener nofollow noreferrer">this Postman collection</A> for reference.</SPAN></LI></UL><P><SPAN> </SPAN></P><UL><LI><SPAN>Verify the attributes of the produced Entra ID token using a local, offline JWT decoder (e.g. <A href="https://devtoys.app/" target="_blank" rel="noopener nofollow noreferrer">DevToys</A>). Don't share your sensitive tokens on some website for validation!</SPAN><UL><LI><SPAN>iss (Issuer): Should read something like <A href="https://sts.windows.net/12a3456-zzz..." target="_blank" rel="noopener nofollow noreferrer">https://sts.windows.net/12a3456-zzz...</A> or <A href="https://login.microsoftonline.com/12a3456-zzz" target="_blank" rel="noopener nofollow noreferrer">https://login.microsoftonline.com/12a3456-zzz</A>.../v2.0 for v2 endpoints.</SPAN></LI><LI><SPAN>aud (Audience): Something like "api://bbbbbb-cccc-dddd-dddd-eeeeeeee"</SPAN></LI><LI><SPAN>scp (Scope): "user_impersonation"</SPAN></LI></UL></LI></UL><P><SPAN> </SPAN></P><UL><LI><SPAN>For the SAML2 assertion exercise the same approach, but base64 decode and XML pretty print it. Notepad++ with MIME Tools -> Base64 decode and XML Tools -> pretty print does the job locally just fine. Again, don't paste sensitive info online! Verify the following claims from your assertion:</SPAN><UL><LI><SPAN>AudienceRestriction -> Audience: Should match the AADSAPResource value from your key value map, e.g. 
<A href="https://my.successfactors.eu" target="_blank" rel="noopener nofollow noreferrer">https://my.successfactors.eu</A> </SPAN></LI><LI><SPAN>Subject (NameID) and attribute claims: Name, email or whatever you have configured to identify the named SAP backend user.</SPAN></LI></UL></LI></UL><P><SPAN> </SPAN></P><UL><LI><SPAN>While doing integration tests with the API Management policy consider decoding the <A href="https://help.sap.com/docs/sap-api-management/sap-api-management/create-key-value-map?version=Cloud&locale=en-US" target="_blank" rel="noopener noreferrer">key value map</A> or using an unencrypted one until you are confident with your setup, so you see immediately what config values were provided.</SPAN></LI></UL><P><SPAN> </SPAN></P><UL><LI><SPAN>Verify that your key value map changes are being pulled.</SPAN></LI></UL><P> </P><UL><LI><SPAN>Cached a faulty token? Disable the caching policy step "LookupSAPTokens" using the enabled attribute in the XML, or consider adding an API to clear the cache per user using the "InvalidateCache" policy step. </SPAN></LI></UL><P> </P><UL><LI><SPAN>405 Method Not Allowed (SAP note<SPAN> </SPAN><A href="https://me.sap.com/notes/0003386802" target="_self" rel="noopener noreferrer">3386802</A>): SAP API Management generates PUT method entries for OData v2 and PATCH entries for OData v4 services. Power Automate's "Update entity" step uses the PATCH approach. 
In case of conflict, either choose the "Create any type of OData request" step and configure PUT instead on Power Automate, or adjust the Swagger definition using "Edit in API Designer" on SAP API Management to add PATCH to cater for this.</SPAN></LI></UL><P> </P><H1 id="toc-hId--455875554"><SPAN>Thoughts on production readiness</SPAN></H1><P><SPAN><STRONG>SAP Integration Suite is</STRONG> more than <STRONG>ready for prime time</STRONG> as the de-facto standard for SAP-heavy integrations.</SPAN></P><P><SPAN>The <A href="https://help.sap.com/doc/saphelp_nw75/7.5.5/en-US/75/73ffc0ae444443a23b9e661d77d637/frameset.htm" target="_blank" rel="noopener noreferrer">OAuthSAML2Bearer flow</A> is an evergreen, discussed in the community at length for years and fully supported by SAP for service-to-service Principal Propagation.</SPAN></P><P><SPAN>The involved Entra ID app registration client secret can be governed with Azure automation or SAP Build Process Automation. See this <A href="https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/secrets_rotation/" target="_blank" rel="noopener nofollow noreferrer">Microsoft article</A> and this <A href="https://github.com/Azure/AzureAD-AppSecretManager" target="_blank" rel="noopener nofollow noreferrer">GitHub repo</A> for reference. Rotate the secret on a schedule and keep it only in the encrypted key value map, never in the policy XML itself.</SPAN></P><P><SPAN>Applying the <A href="https://api.sap.com/policytemplate/SuccessFactors_Principal_Propagation_via_Entra_Id" target="_blank" rel="noopener noreferrer">battle-proven API management policy</A> from the API hub ensures a configuration-driven approach and clear update paths.</SPAN></P><P><SPAN>Power Automate also supports Principal Propagation with SuccessFactors directly. 
However, that would be a point-to-point integration without the <STRONG>governance and security benefits of having an API Management</STRONG> solution in between.</SPAN></P><P><SPAN>The <STRONG>SAP and Microsoft low code ecosystem is a natural fit</STRONG> for productivity across business needs that involve M365 (Microsoft Graph, Teams, Outlook, SharePoint Online, etc.) and SAP.</SPAN></P><P><SPAN>In terms of governance, <STRONG>SAP offers extensive integration with the Microsoft ecosystem</STRONG>. See <A href="https://community.sap.com/t5/technology-blogs-by-sap/supporting-multiple-api-gateways-with-sap-api-management-using-azure-api/ba-p/13680433" target="_blank">this co-authored blog</A> about SAP API Management integrating Azure APIs and <A href="https://community.sap.com/t5/technology-blogs-by-members/govern-sap-apis-living-in-various-api-management-gateways-in-a-single-place/ba-p/13682483" target="_blank">this one about Azure API Center</A> to handle a multitude of gateways in a single place.</SPAN></P><P> </P><H1 id="toc-hId--652389059"><SPAN>Final Words</SPAN></H1><P><SPAN>That's a wrap </SPAN><span class="lia-unicode-emoji" title=":burrito:">🌯</span><SPAN>. Today you saw how to extend the learnings from the first blog to enable SAP SuccessFactors for Power Automate with Principal Propagation through Microsoft Entra ID. The approach maps Microsoft identities to SAP named users to retain their SAP authorizations. 
In addition to that you learnt that a provided SAP API Management policy performs the heavy lifting of the authentication flow.</SPAN></P><P><SPAN>App developers and low coders no longer need to deal with the complexity of the principal propagation and get added benefit of token caching, and CSRF handling out-of-the-box.</SPAN></P><P>Get started from here.</P><P><SPAN>#Kudos to <A href="https://community.sap.com/t5/user/viewprofilepage/user-id/171519" target="_blank">Martin Raepple</A> for the contribution of the tricky part of the token dance.</SPAN></P><P><SPAN>Cheers</SPAN></P><P><a href="https://community.sap.com/t5/user/viewprofilepage/user-id/216068">@vinayak_adkoli</a> and Martin</P>2024-11-20T10:09:24.231000+01:00https://community.sap.com/t5/technology-q-a/re-sap-api-management-oauth-2-0-authentication-with-su/qaq-p/13943126/comment-id/4893185#M4893185Re: SAP API Management - OAuth 2.0 authentication with Su...2024-11-20T10:15:18.334000+01:00Martin-Pankrazhttps://community.sap.com/t5/user/viewprofilepage/user-id/143781Here is the blog that references the new policy on Entra ID + SuccessFactors: <A href="https://community.sap.com/t5/technology-blogs-by-members/perform-sap-principal-propagation-with-microsoft-entra-id-for-sap/ba-p/13860532" target="_blank">https://community.sap.com/t5/technology-blogs-by-members/perform-sap-principal-propagation-with-microsoft-entra-id-for-sap/ba-p/13860532</A>2024-11-20T10:15:18.334000+01:00https://community.sap.com/t5/technology-q-a/re-sap-api-management-oauth-2-0-authentication-with-su/qaq-p/13944142/comment-id/4893368#M4893368Re: SAP API Management - OAuth 2.0 authentication with Su...2024-11-21T10:41:34.338000+01:00Martin-Pankrazhttps://community.sap.com/t5/user/viewprofilepage/user-id/143781Hey Faisal, the difference is who is in charge of generating/signing the SAML assertion and who handles secrets for the trust relationship. 
Only IdPs are trustworthy in that sense.2024-11-21T10:41:34.338000+01:00https://community.sap.com/t5/technology-blogs-by-members/it-has-never-been-easier-to-print-from-sap-with-microsoft-universal-print/bc-p/13962135#M170759Re: It has never been easier to print from SAP with Microsoft Universal Print2024-12-12T14:55:30.019000+01:00Martin-Pankrazhttps://community.sap.com/t5/user/viewprofilepage/user-id/143781<P>Hey <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/1818896">@Martin-Frick</a>, hope you are enjoying down under.</P><P>Microsoft Universal Print as per <A href="https://learn.microsoft.com/en-us/azure/sap/workloads/universal-print-sap-frontend#sap-web-applications" target="_blank" rel="noopener nofollow noreferrer">our docs article</A> uses the browser and OS functionalities for cloud printing from Fiori apps. What made you think otherwise? Do we need to update materials maybe?</P><P>KR Martin</P>2024-12-12T14:55:30.019000+01:00https://community.sap.com/t5/enterprise-resource-planning-blogs-by-members/microsoft-sentinel-for-sap-goes-agentless/ba-p/13960238Microsoft Sentinel for SAP goes agentless2024-12-17T08:53:02.437000+01:00Martin-Pankrazhttps://community.sap.com/t5/user/viewprofilepage/user-id/143781<H5 id="toc-hId-1464676131"><SPAN>What a title during Agentic AI times </SPAN><span class="lia-unicode-emoji" title=":face_with_tears_of_joy:">😂</span></H5><P><SPAN>Dear community,</SPAN></P><P><SPAN>Bringing SAP workloads under the protection of your SIEM of choice is a primary concern for many customers out there.</SPAN></P><P style=" padding-left : 30px; "><SPAN><STRONG>The window for defenders is small</STRONG></SPAN></P><P style=" padding-left : 30px; "><SPAN>"Critical <STRONG>SAP vulnerabilities </STRONG>being <STRONG>weaponized in less than 72 hours</STRONG> of a patch release and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and <STRONG>compromised in less than three hours</STRONG>." (<A 
href="https://onapsis.com/resources/reports/active-cyberattacks-mission-critical-sap-applications/" target="_blank" rel="noopener nofollow noreferrer">SAP SE + Onapsis</A>, Apr 6 2021)</SPAN></P><P><SPAN>A turn-key solution, as far as possible, leads to better adoption of SAP security. Agents running in Docker containers, Kubernetes, or other self-hosted solutions are not for everyone.</SPAN></P><P><SPAN><A href="https://learn.microsoft.com/en-us/azure/sentinel/sap/solution-overview" target="_blank" rel="noopener nofollow noreferrer">Microsoft Sentinel for SAP</A>'s latest capability re-uses the SAP Cloud Connector to profit from already existing setups, established integration processes, and well-understood SAP components. Bazinga</SPAN><span class="lia-unicode-emoji" title=":collision:">💥</span></P><P> </P><H1 id="toc-hId-751831750"><SPAN>Meet agentless<span class="lia-unicode-emoji" title=":cross_mark:">❌</span><span class="lia-unicode-emoji" title=":robot_face:">🤖</span> </SPAN></H1><P><SPAN>The new integration path leverages <A href="https://help.sap.com/docs/integration-suite" target="_blank" rel="noopener noreferrer">SAP Integration Suite</A> to connect Microsoft Sentinel with your SAP systems. 
The Cloud Integration capability of SAP Integration Suite speaks all relevant protocols, has connectivity into all the places where your SAP systems might live, is strategic for most SAP customers, and is fully <A href="https://learn.microsoft.com/en-us/azure/sap/workloads/rise-integration" target="_blank" rel="noopener nofollow noreferrer">SAP RISE</A> compatible by design.</SPAN></P><P><SPAN>Best of all: the already <A href="https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-security-content" target="_blank" rel="noopener nofollow noreferrer">existing SAP security content</A> (detections, workbooks, and playbooks) in Microsoft Sentinel continues to function the same way as it does for the Docker-based collector agent variant.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MartinPankraz_1-1733905028186.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/200605i7B2792433BBEB345/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_1-1733905028186.png" alt="MartinPankraz_1-1733905028186.png" /></span></P><P><SPAN>During the private preview we saw <STRONG>drastically reduced deployment times</STRONG> for SAP customers who are less familiar with Docker, Kubernetes and Linux administration. Cherry on the cake: the network challenges don't have to be tackled again. The people running your SAP Cloud Connector went through that process a long time ago. <span class="lia-unicode-emoji" title=":sign_of_the_horns:">🤘</span><STRONG>SAP Basis rocks</STRONG></SPAN><span class="lia-unicode-emoji" title=":sign_of_the_horns:">🤘</span></P><P> </P><H1 id="toc-hId-555318245"><SPAN>Ok, hook me up!</SPAN></H1><P>Customers on SAP NetWeaver 750+ may simply create additional configuration on their SAP Cloud Connector. A small set of RFC function modules needs to be reachable from SAP Integration Suite; expose only those, not the whole RFC surface. 
Check the Sentinel documentation for the latest list.</P><P>Depending on your SAP version, you might need to install <SPAN><A href="https://me.sap.com/notes/3054326" target="_blank" rel="noopener noreferrer">SAP note 3054326</A></SPAN> to enable the remote call of the audit log API.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MartinPankraz_2-1733905028204.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/200606iA95DD4DD70C0E1C5/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_2-1733905028204.png" alt="MartinPankraz_2-1733905028204.png" /></span></P><P>Move on to the Destination maintenance view of your subaccount on SAP Business Technology Platform. Add an RFC destination matching the details of your SAP Cloud Connector configuration. Consult <SPAN><A href="https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/configure-access-control-rfc" target="_blank" rel="noopener noreferrer">SAP's official documentation</A></SPAN> for more details.</P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MartinPankraz_3-1733905028220.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/200607i91A8952FDAECF268/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_3-1733905028220.png" alt="MartinPankraz_3-1733905028220.png" /></span></P><P>Finish the exercise by providing a user on SAP with the required authorizations to call the mentioned remote function modules. Use a dedicated technical (system) user that carries only this role, so the collector's credentials cannot be turned into a dialog login. Find a transport that brings a pre-configured role <SPAN><A href="https://learn.microsoft.com/azure/sentinel/sap/preparing-sap#configure-the-microsoft-sentinel-role" target="_blank" rel="noopener nofollow noreferrer">here</A></SPAN> for your convenience.</P><P>Everyone else, below SAP NetWeaver 750: reach out to us to discuss details for older AS ABAP releases. 
Given the evolution of the audit log API, a different integration package is required.</P><H1 id="toc-hId-358804740"><SPAN>Thoughts on production readiness</SPAN></H1><P><SPAN>SAP Integration Suite and SAP Cloud Connector have been among the most used SAP cloud components for over a decade and are, as they say, completely ready for prime time.</SPAN></P><P><SPAN>The new agentless offering of the Microsoft Sentinel for SAP solution is currently <A href="https://aka.ms/SentinelSAPAgentlessSignUp" target="_blank" rel="noopener nofollow noreferrer">in preview</A> but reuses fully mature capabilities and leverages the <A href="https://learn.microsoft.com/azure/sentinel/sap/sap-solution-security-content" target="_blank" rel="noopener nofollow noreferrer">existing security content</A>. It will be expanded based on your feedback and requirements.</SPAN></P><P><SPAN>The integration is your stepping stone to bring SAP threat signals into the <A href="https://learn.microsoft.com/unified-secops-platform/overview-unified-security" target="_self" rel="nofollow noopener noreferrer">Unified Security Operations Platform</A> (a combination of Defender XDR and Sentinel), which looks beyond SAP at your whole IT estate.</SPAN></P><P><SPAN>The Microsoft Sentinel solution for SAP applications is certified for SAP S/4HANA Cloud, Private Edition (RISE with SAP), and SAP S/4HANA on-premises. So, you are all good to go </SPAN><span class="lia-unicode-emoji" title=":smiling_face_with_sunglasses:">😎</span></P><H1 id="toc-hId-162291235"><SPAN>Final Words</SPAN></H1><P><SPAN>That's a wrap </SPAN><span class="lia-unicode-emoji" title=":burrito:">🌯</span><SPAN>. 
You learned today:</SPAN></P><UL><LI><SPAN>All there is to know about <STRONG>going agentless</STRONG> with the Microsoft Sentinel for SAP solution,</SPAN></LI><LI><SPAN>How important it is to <STRONG>bring SAP under the protection of your central SIEM</STRONG>, and that</SPAN></LI><LI><SPAN>Leveraging existing SAP integration components gets you up and running securely, SAP RISE future-proof, and in no time.</SPAN></LI></UL><P>Get started from <A href="https://aka.ms/SentinelSAPAgentlessSignUp" target="_blank" rel="noopener nofollow noreferrer">here</A> and find the updated Microsoft docs <A href="https://learn.microsoft.com/azure/sentinel/sap/deployment-overview?tabs=agentless" target="_blank" rel="noopener nofollow noreferrer">here</A>.</P><P><SPAN>#Kudos to the amazing Sentinel team!</SPAN></P><P><SPAN>Cheers</SPAN></P><P><SPAN>Martin</SPAN></P>2024-12-17T08:53:02.437000+01:00https://community.sap.com/t5/enterprise-resource-planning-blogs-by-members/getting-started-with-sap-snc-for-rfc-integrations/ba-p/13983462Getting Started with SAP SNC for RFC integrations2025-01-12T17:20:02.514000+01:00Martin-Pankrazhttps://community.sap.com/t5/user/viewprofilepage/user-id/143781<P><SPAN>Dear community,</SPAN></P><P><SPAN>Many of you still rely heavily on the legacy SAP interface RFC. In my world that often means customers connecting their third-party services to SAP backends (AS ABAP). Plain SAP Remote Function Call (RFC) traffic is neither encrypted nor authenticated at the transport level, so securing it requires protection below the application layer.</SPAN></P><P><SPAN>Often Kerberos is discussed on this topic, because it allows the mapping of Windows-known identities to SAP backend users. However, <STRONG>this post is about apps and technical connections using X.509 certs</STRONG>, not people. 
They complain less, and boringly but reliably behave the same way once configured properly</SPAN><span class="lia-unicode-emoji" title=":winking_face:">😉</span><SPAN> Meet <STRONG>SAP Secure Network Communications</STRONG> (SNC).</SPAN></P><P><EM><SPAN>By the way: in case you want user-based flows and SAP Principal Propagation, have a look at <A href="https://community.sap.com/t5/technology-blogs-by-members/principal-propagation-in-a-multi-cloud-solution-between-microsoft-azure-and/ba-p/13561150" target="_blank">this series</A> by my beloved colleague <A href="https://community.sap.com/t5/user/viewprofilepage/user-id/171519" target="_blank">Martin Raepple</A>.</SPAN></EM></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="SAP SNC integration architecture overview" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/210985i9E08478E04A64031/image-size/large?v=v2&px=999" role="button" title="Picture1.png" alt="SAP SNC integration architecture overview" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">SAP SNC integration architecture overview</span></span></P><H2 id="toc-hId-1079366398"><SPAN>Welcome to the world of <A href="https://help.sap.com/docs/SAP_NETWEAVER_AS_ABAP_751_IP/e73bba71770e4c0ca5fb2a3c17e8e229/e656f466e99a11d1a5b00000e835363f.html" target="_blank" rel="noopener noreferrer">SAP Secure Network Communication</A>s (SNC) for trustworthy technical connections!</SPAN></H2><P><SPAN>In light of zero-trust efforts, customers want to secure their technical connections to SAP RFCs too. In that space certificate-based authentication mechanisms are king. 
SNC is a prominent choice.</SPAN></P><P><SPAN>There are libraries for languages like <A href="https://support.sap.com/en/product/connectors/jco.html" target="_blank" rel="noopener noreferrer">Java</A>, <A href="https://support.sap.com/en/product/connectors/msnet.html" target="_blank" rel="noopener noreferrer">DotNet</A>, <A href="https://support.sap.com/en/product/connectors/nwrfcsdk.html" target="_blank" rel="noopener noreferrer">C/C++</A>, <A href="https://github.com/SAP-archive/PyRFC" target="_blank" rel="noopener nofollow noreferrer">Python</A>, and <A href="https://github.com/SAP-archive/node-rfc" target="_blank" rel="noopener nofollow noreferrer">NodeJS</A> that support SNC for RFC. Python and NodeJS were recently archived and will no longer be maintained. In case you get stuck, consider <A href="https://blogs.sap.com/2023/05/17/generate-soap-services-for-your-legacy-rfcs-to-simplify-integration-out-of-the-box/" target="_blank" rel="noopener noreferrer">generating SOAP services for your SAP RFCs</A> to uplevel the communication stack to layer 7 for use with TLS instead.</SPAN></P><P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MartinPankraz_1-1736697403542.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/210981iC0A2D3111564937D/image-size/medium?v=v2&px=400" role="button" title="MartinPankraz_1-1736697403542.png" alt="MartinPankraz_1-1736697403542.png" /></span></P><P style=" text-align: center; "><SPAN>Source: <A href="https://help.sap.com/docs/SAP_NETWEAVER_AS_ABAP_751_IP/e73bba71770e4c0ca5fb2a3c17e8e229/3f3dacb1c27344e29f3c7b5864825eb5.html" target="_blank" rel="noopener noreferrer">SAP Help</A></SPAN></P><P><SPAN>Below I will show a simple setup with self-signed certificates. This way you can get started with a working setup and elevate towards more sophisticated as you go. 
Troubleshooting </SPAN><SPAN>SNC errors can be cumbersome, so starting small, with fewer variables and less room for error, is a good idea.</SPAN></P><H2 id="toc-hId-882852893"><SPAN>First things first: reach your private RFC interface</SPAN></H2><P><SPAN>SAP products like the SAP Cloud Connector allow apps (and people) on the SAP Business Technology Platform to connect to private AS ABAP systems (behind a firewall, in RISE, on-premises, or in a protected hyperscaler environment) and bring the required RFC execution environment with them.</SPAN></P><P><SPAN>Third-party apps must overcome the same challenges. Typically, that means you are provided with a piece of software that acts as a reverse-invoke proxy (like the SAP Cloud Connector) and that needs "line of sight" through connected private networks to the SAP system. See step 0 in the overview drawing for reference.</SPAN></P><P><SPAN>The proxy establishes the connection to your third-party app from the inside out, so no inbound firewall rules or the like need to be touched.</SPAN></P><P><SPAN>For instance, Microsoft apps like <A href="https://www.microsoft.com/download/details.aspx?id=39717" target="_blank" rel="noopener nofollow noreferrer">Azure Data Factory, Azure Synapse</A>, <A href="https://www.microsoft.com/download/details.aspx?id=105539" target="_blank" rel="noopener nofollow noreferrer">Microsoft Purview</A>, Microsoft Fabric, and <A href="https://learn.microsoft.com/power-bi/connect-data/service-gateway-onprem" target="_blank" rel="noopener nofollow noreferrer">Microsoft Power BI</A> have dedicated means to connect. These components are called Self-hosted Integration Runtime (SHIR) or On-Premises Data Gateway. 
Find the downloads on the individual product pages.</SPAN></P><P><SPAN>Be aware that services like Azure Functions or <A href="https://learn.microsoft.com/azure/logic-apps/connectors/sap?tabs=consumption#enable-secure-network-communications-snc" target="_blank" rel="noopener nofollow noreferrer">Azure Logic Apps</A> have a second approach beyond the Microsoft On-premises Data Gateway. They can bring the means to execute RFC calls, provide the SNC configuration, and create line of sight to the <A href="https://learn.microsoft.com/azure/logic-apps/connectors/sap?tabs=consumption#network-connectivity-prerequisites" target="_blank" rel="noopener nofollow noreferrer">private network through their injection</A> capability, all in a single deployment. This way you don't need the reverse-invoke proxy.</SPAN></P><P><SPAN>Each of the described solutions has its own guide on the SAP RFC setup and on how to expose the configuration for SAP SNC.</SPAN></P><P><EM><SPAN>I can highly recommend my colleague </SPAN></EM><SPAN><A href="https://taylorbrazelton.com/2024/02/26/2024-02-23-setting-up-snc-between-power-apps-automate-and-sap/" target="_blank" rel="noopener nofollow noreferrer"><EM>Taylor Brazelton's blog</EM></A><EM> for SNC from Power Platform and the On-premises Data Gateway.</EM></SPAN></P><P><SPAN>Find below an SAP SNC configuration sequence with self-signed certificates generated by OpenSSL. With this setup AS ABAP accepts requests protected by SNC via the SHIR.</SPAN></P><P><SPAN>I assume you have already installed the SHIR on a suitable Windows machine and taken care of the <A href="https://learn.microsoft.com/purview/register-scan-sapecc-source#prerequisites" target="_blank" rel="noopener nofollow noreferrer">required installations</A> like SAP Java Connector (JCo), SAP Connector for Microsoft .NET (NCo), and .NET Framework. My samples and script commands are Windows specific. 
However, Linux works the same way with slightly different commands.</SPAN></P><H2 id="toc-hId-686339388"><SPAN>Download SAP SNC Crypto Lib to your SNC client machine</SPAN></H2><UL><LI><SPAN>Search for the latest "SAPCRYPTOLIB" on SAP's <A href="https://me.sap.com/softwarecenterviewer/67838200100200022586/MAINT" target="_blank" rel="noopener noreferrer">software center</A> (S-user with download rights required)</SPAN></LI><LI><SPAN>Extract the SAR file using <A href="https://me.sap.com/softwarecenterviewer/01200615320100002542/MAINT" target="_blank" rel="noopener noreferrer">SAPCAR</A>. The command looks something like this:</SPAN></LI></UL><pre class="lia-code-sample language-bash"><code>.\SAPCAR_1200-70007719.EXE -xvf .\SAPCRYPTOLIBP_8553-20011729.SAR -R .\..\libs\sapcryptolib</code></pre><UL><LI><SPAN>Find the executable sapgenpse in the extracted folder</SPAN></LI></UL><H2 id="toc-hId-489825883"><SPAN>Prepare your SNC client machine</SPAN></H2><UL><LI><SPAN>Create a folder to hold your SAP PSE artifacts:</SPAN></LI></UL><pre class="lia-code-sample language-bash"><code>mkdir C:\sapsecudir
cd C:\sapsecudir</code></pre><UL><LI><SPAN>Permanently add an environment variable pointing at this folder (SAPCRYPTOLIB looks for PSE and credential files in SECUDIR):</SPAN></LI></UL><pre class="lia-code-sample language-bash"><code>[Environment]::SetEnvironmentVariable("SECUDIR", "C:\sapsecudir", "Machine") # Sets the variable permanently at machine scope; only processes started afterwards see it.
$env:SECUDIR = "C:\sapsecudir" # Also updates the current PowerShell session; there is no built-in way to reload machine-scope variables.</code></pre><P><SPAN>Any process that is already running and will later use the PSE (the SHIR service, for instance) only picks up the machine-scope variable after a restart.</SPAN></P><H2 id="toc-hId-293312378"><SPAN>Generate a certificate for your SNC client app</SPAN></H2><UL><LI><SPAN>Create folders to hold your certificates: mkdir rootCA, sncCert</SPAN></LI><LI><SPAN>Generate the root CA certificate; adjust the subject as needed:</SPAN></LI></UL><pre class="lia-code-sample language-bash"><code>openssl genpkey -algorithm RSA -out rootCA/ca.key.pem -pkeyopt rsa_keygen_bits:2048
openssl req -x509 -new -key rootCA/ca.key.pem -days 7305 -sha256 -extensions v3_ca -out rootCA/ca.cert.pem -subj "/O=Contoso/CN=Root CA"</code></pre><UL><LI><SPAN>Generate the SNC client key and certificate request; adjust the subject as needed:</SPAN></LI></UL><pre class="lia-code-sample language-bash"><code>openssl genrsa -out sncCert/snc.key.pem 2048
openssl req -key sncCert/snc.key.pem -new -sha256 -out sncCert/snc.csr.pem -subj "/O=Contoso/CN=SNC"</code></pre><UL><LI><SPAN>Sign the SNC certificate with the root CA:</SPAN></LI></UL><pre class="lia-code-sample language-bash"><code>openssl x509 -req -in sncCert/snc.csr.pem -days 3650 -CA rootCA/ca.cert.pem -CAkey rootCA/ca.key.pem -CAcreateserial -out sncCert/snc.cert.pem</code></pre><H2 id="toc-hId-96798873"><SPAN>Establish trust between SNC client and SAP</SPAN></H2><UL><LI><SPAN>Bundle the SNC key, certificate and CA certificate into a PKCS #12 archive (.p12):</SPAN></LI></UL><pre class="lia-code-sample language-bash"><code>openssl pkcs12 -export -out snc.p12 -inkey sncCert\snc.key.pem -in sncCert\snc.cert.pem -certfile rootCA\ca.cert.pem</code></pre><UL><LI><SPAN>Create the SAP Personal Security Environment (PSE) from the container. Unless you pass them on the command line, you are prompted for the .p12 password and for a PIN protecting the new PSE; that PIN is what seclogin needs later.</SPAN></LI></UL><pre class="lia-code-sample language-bash"><code>.\sapgenpse.exe import_p12 -p SAPSNCSKERB.pse C:\Users\shir-admin\Documents\snc.p12</code></pre><H3 id="toc-hId-29368087"><SPAN>Verify whether SAP is already configured for SNC</SPAN></H3><P><SPAN>One way of doing that is using transaction RZ10 and browsing the profile parameters prefixed with snc/. See <A href="https://help.sap.com/docs/SAP_SINGLE_SIGN-ON/df185fd53bb645b1bd99284ee4e4a750/06298bf7ec7e4ae19fba6ab0c518dda1.html" target="_blank" rel="noopener noreferrer">this SAP document</A> on the required "SNC Parameters for X.509 Configuration" and their implications.</SPAN></P><P><SPAN>If there is no configuration yet, run transaction SNCWIZARD and maintain the settings for X.509 credentials. Take note of the SNC private key subject. 
Its full distinguished name, written with the p: prefix (for example p:CN=..., O=...), is the SNC partner name your client must present later, and it has to match exactly.</SPAN></P><P><SPAN>Add your SNC client (I named mine PRV for Microsoft Purview) to the SAP Access Control List (ACL) using transaction SNC0 and allow RFC and CPIC connections.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_2-1736697403544.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/210979iBF1D0B87863E6169/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_2-1736697403544.png" alt="MartinPankraz_2-1736697403544.png" /></span></P><H3 id="toc-hId--363658923"><SPAN>Import SNC client cert into SAP</SPAN></H3><UL><LI><SPAN>Use transaction STRUST</SPAN></LI><LI><SPAN>Navigate to the instance below SNC SAPCryptolib (if it is crossed out with a red X, create one via right-click)</SPAN></LI><LI><SPAN>Scroll down below the certificate list pane, choose import certificate and supply your snc.cert.pem file.</SPAN></LI><LI><SPAN>Click the "Add to Certificate List" button</SPAN></LI><LI><SPAN>Click "Save".</SPAN></LI></UL><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_3-1736697403552.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/210982i4D5DAC894F2F5F39/image-size/large?v=v2&px=999" role="button" title="MartinPankraz_3-1736697403552.png" alt="MartinPankraz_3-1736697403552.png" /></span></P><H3 id="toc-hId--560172428"><SPAN>Download SAP cert and import into SNC client PSE</SPAN></H3><UL><LI><SPAN>From the same STRUST screen, double click the Subject line of "Own Certificate" and</SPAN></LI><LI><SPAN>Scroll down again to find the "Export Certificate" button at the bottom.</SPAN></LI><LI><SPAN>Move to your SNC client machine (where your SHIR runs), put the certificate in a secure place (in my sample it landed in a folder called sap) and run the command below to import it into your PSE.</SPAN></LI></UL><pre class="lia-code-sample language-bash"><code>sapgenpse.exe maintain_pk -p SAPSNCSKERB.pse -v -a C:\sap\contoso-public-key.crt</code></pre><P><SPAN>Trust is now mutual: SAP trusts the SHIR's certificate (via STRUST), and the SHIR trusts SAP's certificate (via the PSE).</SPAN></P><H2 id="toc-hId--538514295"><SPAN>Allow your SHIR process to use your SAP PSE</SPAN></H2><UL><LI><SPAN>Verify which user or service account your SNC client uses to read the certificate from the PSE for the communication with SAP. The Purview SHIR uses the service user "NT SERVICE\DIAHostService".</SPAN></LI><LI><SPAN>Add a credential (a cred_v2 file in SECUDIR) that allows exactly this account to open the PSE without being prompted for the PIN. You may omit -x to be prompted for the PIN instead of leaving it in your shell history:</SPAN></LI></UL><pre class="lia-code-sample language-bash"><code>.\sapgenpse.exe seclogin -p C:\sapsecudir\SAPSNCSKERB.pse -x your-pse-pin -O "NT SERVICE\DIAHostService"</code></pre><P><SPAN>Verify the credentials like so:</SPAN></P><pre class="lia-code-sample language-bash"><code>.\sapgenpse.exe seclogin -l -O "NT SERVICE\DIAHostService"</code></pre><P><SPAN>You can delete them like this:</SPAN></P><pre class="lia-code-sample language-bash"><code>.\sapgenpse.exe seclogin -d -O "NT SERVICE\DIAHostService"</code></pre><P><SPAN>Use the <STRONG>-h parameter to get help</STRONG> with the sapgenpse command line tool or check the command reference <A href="https://help.sap.com/docs/SAP_NETWEAVER_750/e73bba71770e4c0ca5fb2a3c17e8e229/0d9ce63bab134b39a52e340255d7650c.html" target="_blank" rel="noopener noreferrer">here</A>.</SPAN></P><H1 id="toc-hId--441624793"><SPAN>Test communication using SAP SNC</SPAN></H1><P><SPAN>Navigate to your client application and supply the SNC configuration you have prepared. 
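</SPAN></P><P><SPAN>The following script is an added example and not code from the original post. It is the Linux/OpenSSL mirror of the certificate steps above (the post's own commands are Windows/PowerShell) and adds the two checks a practitioner wants before touching SAP: the client certificate is issued with proper end-entity extensions and the chain is validated with openssl verify, and the SNC name (p: followed by the certificate's DN) that belongs into the SNC0 ACL entry is derived from the certificate rather than typed by hand. The organisation and CN values, the scratch directory and the PKCS#12 password are assumptions for the example; the sapgenpse import_p12 step on the resulting snc.p12 is unchanged.</SPAN></P>

```sh
#!/bin/sh
# Added example (not from the original post): Linux/OpenSSL variant of the
# certificate steps above. Builds a throwaway root CA, issues the SNC client
# certificate, bundles it into the PKCS#12 that "sapgenpse import_p12" expects,
# verifies the chain and prints the client's SNC name. Subjects, directory and
# PKCS#12 password are assumptions for the example; substitute your own.
set -eu

# Convert the RFC 2253 subject that openssl prints ("subject=CN=SNC,O=Contoso")
# into SAP's SNC name form "p:CN=SNC, O=Contoso". The value must match what
# "sapgenpse get_my_name" shows for the PSE character for character; a typo
# here is the classic reason for a failing SNC handshake. RDN values that
# themselves contain a comma need manual escaping and are not handled here.
snc_name_from_subject() {
  printf '%s' "$1" | sed -e 's/^subject= *//' -e 's/,/, /g' -e 's/^/p:/'
}

# Build CA, client certificate and PKCS#12 below $1; print the client's SNC name.
build_snc_client_chain() {
  dir="$1"
  ca_subj="${2:-/O=Contoso/CN=Root CA}"
  client_subj="${3:-/O=Contoso/CN=SNC}"
  p12_pass="${4:-changeit}"
  mkdir -p "$dir/rootCA" "$dir/sncCert"

  # Self-contained OpenSSL config so the result does not depend on the
  # distribution's openssl.cnf: one CA profile, one end-entity profile.
  cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
[v3_client]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
EOF

  # Root CA (keep this key offline in real life; 10 years is plenty for a lab).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/rootCA/ca.key.pem" 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -config "$dir/openssl.cnf" \
    -extensions v3_ca -key "$dir/rootCA/ca.key.pem" -subj "$ca_subj" \
    -out "$dir/rootCA/ca.cert.pem"

  # Client key and CSR, then a certificate limited to client authentication.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/sncCert/snc.key.pem" 2>/dev/null
  openssl req -new -sha256 -config "$dir/openssl.cnf" \
    -key "$dir/sncCert/snc.key.pem" -subj "$client_subj" \
    -out "$dir/sncCert/snc.csr.pem"
  openssl x509 -req -sha256 -days 825 -in "$dir/sncCert/snc.csr.pem" \
    -CA "$dir/rootCA/ca.cert.pem" -CAkey "$dir/rootCA/ca.key.pem" \
    -CAcreateserial -extfile "$dir/openssl.cnf" -extensions v3_client \
    -out "$dir/sncCert/snc.cert.pem" 2>/dev/null

  # Fail here rather than inside sapgenpse or the SNC handshake.
  openssl verify -CAfile "$dir/rootCA/ca.cert.pem" \
    "$dir/sncCert/snc.cert.pem" >/dev/null

  # Bundle for: sapgenpse import_p12 -p SAPSNCSKERB.pse snc.p12
  openssl pkcs12 -export -out "$dir/snc.p12" \
    -inkey "$dir/sncCert/snc.key.pem" -in "$dir/sncCert/snc.cert.pem" \
    -certfile "$dir/rootCA/ca.cert.pem" -passout "pass:$p12_pass"

  snc_name_from_subject "$(openssl x509 -noout -subject -nameopt RFC2253 \
    -in "$dir/sncCert/snc.cert.pem")"
}

# Stand-alone use: ./snc-certs.sh /tmp/snc   (prints p:CN=SNC, O=Contoso)
if [ "${1:-}" != "" ]; then
  build_snc_client_chain "$1"
  echo
fi
```

<P><SPAN>The printed name is the client's SNC name: it goes into the SNC0 ACL entry (and into VUSREXTID if you map the certificate to an ABAP user). The AS ABAP's own SNC name, taken from SNCWIZARD, is what the client configuration needs as the partner name. Both are compared literally, which is why the script derives the DN from the certificate instead of relying on the subject you typed into the -subj option.</SPAN></P><P><SPAN>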
Some apps require an SAP user and password in addition. Without a mapping of the SNC name to an ABAP user (which this guide has not set up), the client certificate authenticates and encrypts the transport but does not log the client on, so there is no user mapping or SSO.</SPAN></P><P><EM><SPAN>This gives you the option to further trim down access: use transaction SU01 (SNC tab) or the maintenance view VUSREXTID via transaction SM30 to map the SNC external ID, i.e. the DN of your client certificate, to your SAP user name, so that the logon no longer depends on a password.</SPAN></EM></P><P><SPAN>See below a sample taken from the connection configuration fly-out pane in the Azure portal. It applies, however, to any SNC client configuration. See further samples <A href="https://help.sap.com/doc/saphelp_nw75/7.5.5/en-US/ce/1dfd3d4aefd95ee10000000a114084/content.htm" target="_blank" rel="noopener noreferrer">here</A> and <A href="https://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc01703.0222/doc/html/fre1292886445861.html" target="_blank" rel="noopener nofollow noreferrer">here</A>.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MartinPankraz_4-1736697403557.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/210983iBFAF35BE9B7B3379/image-size/medium?v=v2&px=400" role="button" title="MartinPankraz_4-1736697403557.png" alt="MartinPankraz_4-1736697403557.png" /></span></P><P><SPAN>Trigger "Test connection" and marvel at the SNC-secured communication test from Microsoft Purview to AS ABAP</SPAN><span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span></P><P><SPAN>Or go a step further and call your first RFC. RFC_PING or STFC_CONNECTION are suitable candidates in case your target function module is not yet operational or not identified yet.</SPAN></P><H1 id="toc-hId--638138298"><SPAN>Hints on Troubleshooting</SPAN></H1><UL><LI><SPAN>First, try to connect from your client to AS ABAP without SNC to ensure that networking is already configured properly. 
Be aware of the <A href="https://help.sap.com/docs/Security/575a9f0e56f34c6e8138439eefc32b16/616a3c0b1cc748238de9c0341b15c63c.html" target="_blank" rel="noopener noreferrer">SAP RFC ports</A> (the ZZ placeholder represents your SAP instance number, often 00 or 01) and check firewalls accordingly if needed.</SPAN><UL><LI><SPAN>32ZZ and 33ZZ for direct RFC connections</SPAN></LI><LI><SPAN>48ZZ for SNC-secured RFC connections</SPAN></LI></UL></LI><LI><SPAN>Verify the SNC status from transaction SM51 -> click the "SNC Status" button to ensure it is fully configured</SPAN></LI><LI><SPAN>Consult the <A href="https://community.sap.com/t5/application-development-blog-posts/report-zsm04000-snc-zrsusr000-620-show-snc-status-of-current-user-sessions/ba-p/13027982" target="_blank">blog series</A> from @<A href="https://community.sap.com/t5/user/viewprofilepage/user-id/360" target="_blank">Frank_Buchholz</A> on more sophisticated approaches to verify individual SNC connections. For instance, report "<A href="https://github.com/SAP-samples/security-services-tools" target="_blank" rel="noopener nofollow noreferrer">ZSM04000_SNC</A>" shows more details.</SPAN></LI><LI><SPAN>Those of you using <A href="https://help.sap.com/docs/SAP_NETWEAVER_750/1ca554ffe75a4d44a7bb882b5454236f/ab35e1c69f744d69a4fcf4ca93284e0c.html" target="_blank" rel="noopener noreferrer">SAP UCON</A> may consult the SNC connectivity status there.</SPAN></LI><LI><SPAN>Intentionally "breaking" your SNC config, for instance by mistyping the SNC partner name, is another check of a functional setup: if the connection still succeeds, SNC is not actually being enforced on that path.</SPAN></LI></UL><H1 id="toc-hId--834651803"><SPAN>Final Words</SPAN></H1><P><SPAN>That's a wrap </SPAN><span class="lia-unicode-emoji" title=":burrito:">🌯</span><SPAN>. You learned today how to secure your technical RFC connections from third-party apps to AS ABAP systems using SNC. 
The guide keeps it simple so you can establish a stable baseline from which to iterate confidently on more complex setups </SPAN><span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span><SPAN> Generate SOAP services for your RFCs and use TLS in case SNC is not an option.</SPAN></P><P><SPAN>By the way: when introducing an API Management solution between your third-party app and the SOAP service on AS ABAP, you may use OAuth2 or OpenID Connect on the client. You still need to translate on the API Management layer to an auth mechanism that <A href="https://help.sap.com/docs/SAP_NETWEAVER_750/f7dd32926c1c4fcf889a4303d833a22b/cf507f42805444f3ad1caf430ca4a221.html" target="_blank" rel="noopener noreferrer">AS ABAP supports</A>. Either way, a step forward in securing your SAP connections.</SPAN></P><P><SPAN>Happy integrating with SAP!</SPAN></P><P><SPAN>#Kudos again to <A href="https://www.linkedin.com/in/savas-akgol-713b3915/" target="_self" rel="nofollow noopener noreferrer">Savas Akgol</A>, <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/171519">@MartinRaepple</a>, and <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/360">@Frank_Buchholz</a> for helping with some of the hard parts <span class="lia-unicode-emoji" title=":folded_hands:">🙏</span></SPAN></P><P><SPAN>Cheers</SPAN></P><P><SPAN>Martin</SPAN></P>2025-01-12T17:20:02.514000+01:00