SAP Community - Cloud Integration

SAP BTP Trial Account Creation and Enabling Integration Suite service(SAP CPI)

2024-05-16T09:35:26.608000+02:00

Create an SAP Account from SAP.com
It Creates the SAP Universal ID
Fill in the Required Fields and Click on Submit.

2. After Clicking on the Submit button, SAP will send an email to finalize your SAP account.

3. Open Your Mail and Click to activate your account

4. Now We have to create the SAP BTP Trial Account, go to account.hana.ondemand.com and click on sign in, give your email and password, and click on sign in.

5. After logging into the BTP Cockpit, Click on Trial Home.

6. Choose the region you want and click on Create Account

7. After clicking on Create Account, it creates a Global account and subaccount for you, then click on Continue.

8. Click on Go To Your Trial Account.

9. Click on Subaccount.

10. Click on Instances and Subscriptions

11. Here we can see the services we subscribed to.

To access the Integration Suite, first, we must Subscribe to it.

12. To Subscribe to the Integration Suite, click on Service Marketplace and search for Integration Suite.

13. Click on Integration Suite and click on Create.

14. Click on create.

15. To check Whether the Integration Suite is created or not click on View Subscription.

16. Now we can see the Integration suite in subscriptions.

Click on Integration Suite, it will open the Integration Suite.

17. It will Show you the Authorization error because to access the Integration Suite we have to assign an Integration_Provisioner Role for the User.

18. To assign an Integration_Provisioner Role, Go back to the BTP Cockpit click on Users, and select the User.

19. After Selecting the User click on Assign Role Collection.

20. Search for the Integration_Provisioner Role and click on Assign Role Collection.

21. After Assigning Role, Click on Instances and Subscriptions and then Click on Integration Suite.

22. Click on Add Capabilities.

Note: - Sometimes it will not show the add capabilities option, it will take time to resolve this Refresh the page or try sign-out and Sign in again.

23. After clicking on Add Capabilities, it will show you the list of Capabilities,

Select the capabilities that you need and click on next.

24. In capabilities if you select Manage APIs then this step will appear, select the two checkboxes and click on next.

25. Click on Activate.

26. To activate Capabilities of Integration Suite it will take some time.

27. After the activation click on ok.

28. To create and monitor the Iflow we need to assign some roles related to Process Integration.
Go back to BTP Cockpit->User->Assign the below Roles

29. Now open the Integration Suite from BTP cockpit->Instances and subscriptions.

Now You can create, edit, and monitor the Iflows.

Syniti RDG provides a simplified design to create Multi Value Validation and Derivation Rules

2024-05-17T12:35:22.385000+02:00

Syniti RDG is an SAP-endorsed application on the Business Technology Platform (SAP BTP) to facilitate MDG
implementation with intuitive UI and process automation. RDG automates many of the technical configuration
steps that are required to implement SAP MDG and it offers a user-friendly interface to be more relatable
to business users.

A multi-value check rule is for validating multiple attribute values against a logical condition.
A multi value derivation rule is to derive multiple attributes values based on a logical condition.

The below example is used to create Multi value validation to be triggered for a specific Change Request Type
to validate attribute values of Entity ‘BP_CENTRL’ of data model ‘BP’.

Step 1: Create Multi Validation Rule in Syniti RDG

In the main menu, select "Manage Business Rules".

In the business Rules Page, define a New Rule: Start by creating a new rule, select the type of rule as "Multivalue Check Rule" to create.

In the following steps, the user can choose a Change request type from the list and select the entity for which
the rule must be created. The user then needs to select the type of Business Rule that he/she wants to create,
Mutli Value Check Rule to create Validation Rule in BRFPlus and Derivation Rule to create Derivation Rule in
BRFPlus.

Select Data model as ‘BP’, ‘ZBP1P1V1’ CR Type (select relevant CR type as required) , Entity as ‘BP_CENTRL’,
Rule type: Multi Value Validation and then click on an option like "Rule1” to start defining a new validation rule.

Business Scenario: Only Green business partners are allowed to create. Choose the attributes
BP_CENTRL~NAME_ORG1 that needs to be validated. If BP_CENTRL~NAME_ORG1 = ‘RED’, send a warning message ‘Enter name1 as Green’

Click’+’ to create "Rule2” validation rule. If BP_CENTRL~NAME_ORG1 = ‘YELLOW’, send a warning message ‘Enter name1 as Green’

Click’+’ to create "Rule3” validation rule. Define a new condition

If BP_CENTRL~NAME_ORG1 = ‘GREEN’ and BP_CENTRL~NAME_ORG2 != ‘CORP’ , When the conditions are not met, send error message ‘Enter name2 as CORP’

Multi value validation BADI implementation has bee created in the back end automatically to check the multi value validation.

Step 2: Trigger the rule in nwbc application.

The rules created in the previous step are triggered when creating a Change Request of the type for which the rules are created in RDG (ZBP1P1V1).

Validation Rule1 :

Now name1 is entered as GREEN, Error message appears for name 2

Validation Rule3:

After successful verification of Validation Rule1 & Rule 3 , ‘No Errors found’

Below is the Decision table that got automatically generated in BRFPlus through Syniti RDG.

Validation Rules created in FMDM Catalog automatically in decision table format

Multi Derivation Rule: Most of the steps are similar to Multi Validation rules, except here we have to mention
the multiple deriving attributes which is derived based on satisfying certain condition

In the business Rules Page, define a New Rule: Start by creating a new rule, select the type of rule as "Multi Value Derivation Rule" to create.

Step 1 : Select Data model as ‘BP’, ‘ZBP1P1V1’ CR Type (select relevant CR type as required) , Entity as ‘BP_CENTRL’,
Rule type: Multi Derivation and then click on an option like "Rule1” to start defining a new derivation rule.

Business Scenario: For all Green business partners, derive multiple attributes like Salutation, Title, BU search term1,
BU search term2 through multi value validation rules, for the ease of understanding, simple business derivations rules are taken and
explained here, there is no restriction to create multiple rules with multiple condition.

If BP_CENTRL~NAME_ORG1 = ‘GREEN’, following attributes will be derived automatically upon successful validation rules

BP_CENTRL~BU_SORT1, BP_CENTRL~BU_SORT2, BP_CENTRL~TITLE_LET, BP_CENTRL~TITLE_BP

After saving the Mutli value derivation business rule thru RDG, Multi value derivation BADI implementation has been
created / updated in the back end automatically to derive multiple attributes

Step 2: Trigger the rule in NWBC application.

Multi Value Derivation Rules created in FMDM Catalog automatically in decision table format

With the help of Syniti RDG, you can now create multi value validation / derivation rules without the effort of creating
Custom BADI implementation in the backend and it simplifies the way of creating decision tables automatically in BRFPlus.

Syniti RDG is a certified SAP BTP solution and is available on SAP App Store.

To know more details about the product, check the blog Partner Add-on Solutions.

Your opinions and feedback are highly appreciated and feel free to post them in the comment section.

Please follow and read more interesting blogs on SAP Master Data Governance | SAP | SAP Blogs

You can also find and post questions about the product here: SAP Master Data Governance Community

RDG eases the process of data replication through SOA services with custom enhancements.

2024-05-21T09:38:22.790000+02:00

Syniti RDG is an SAP-endorsed application on the Business Technology Platform (SAP BTP) to facilitate MDG implementation with intuitive UI and process automation.

RDG eases the process of data replication by setting data replication configuration steps like data replication model, create and maintain business systems and can map standard and customized attributes with different mapping transformations. This simplifies the process onto one easy to navigate screen. RDG replication via IDoc or via services (WSDL and SOA) are available and are dependent on the outbound implementation selected. Custom enhancements with replication of data can also be created in SOA proxy structure depending on business requirements.

In the main menu, select "Interface Configuration".

Create New Replication Model:

Step 1: In the home screen, select ‘Interface Configuration.’

Step 2: Create new Interface by selecting + .

Step 3: Enter required data:

Replication Model – ZSOABP (select or create new)
Description – SOA for BP
Outbound Implementation – 986_1
Communication Channel – Defaults from Outbound Implementation setup. For SOA services, the value is 1.
Data Model - BP
Business System – T42CLNT100

Additional data is optional:

Sequence – Defaults to 00
Filter Time

If the Business System is not set up it can be added.

New Business System:

Step 1: Select Manage Business System to add a New Business System

Step 2: Enter Business System – follow standard naming convention.

Step 3: Additional data is optional.

Once the replication model is saved with all necessary configurations, select the business system for mapping to load the SOA Proxy ABAP structure like below.

For data replication involving SOA, enhancements with elements and attributes may be added in the Mapping Details table. An enhancement may have attribute(s) directly under it or may have element(s) that contain attribute(s).

Add Element and Attribute:

Depending on the requirement, enhancement can be created for elements or attributes.

Step 1: Highlight the segment. Click on Edit Proxy and click on Add.

Step 2: Choose Add Element. Or choose Add Attribute to add the attribute directly under the enhancement.

Step 3: Enter enhancement details.

Step 4: Enter custom attributes that extends Business partner.

Step 5: Click Save and select the correct TR and package.

Step 6: Receive a confirmation message that the changes have been submitted and that the details will load when completed.

Step 7: After the refresh, the new enhancement is now added to the proxy structure.

Edit Mapping

After the enhancement is created and loaded, additional mappings of different types can be made depending on the requirements.

Step 1: Find a segment/field or enhancement/attribute by scrolling or by using the filter at the top of the table. Or filter by selecting the type of transformation. To change the mapping, click Edit Mapping. Then adjust the mapping by selecting fixed, bypass or mapped value transformation.

Step 2: Choose Fixed Value transformation and Mapped value for the attributes extended.

Step 3: For Mapped Value transformation, select table from the drop down list. It is mandatory to select and map the key values of table. The key value can be a static or dynamic change request data value.

To map dynamic change request key value, select the field from the proxy structure itself.

Step 4: Select the table field to map the value of table field to the field of enhanced proxy structure.

Step 5: Complete the mapping according to the transformation:

If Fixed value is selected, enter the fixed value.
Bypass will not require additional information (only available for IDOC)
Mapped value will require a referencing table to be selected along with the key value. Then map it with the table field.

Step 6: Save mapping, select transport and package to complete.

To check the enhancement details being replicated, approve a change request from BP. An outbound message is created in SRT_MONI, once the data is sent out successfully to the target business system with mappings.

Note: SOA Manager Configurations are mandatory to set up, before replicating the data.

With the help of Syniti RDG, you can now replicate data through SOA services with standard and custom enhancements made to the model.

Syniti RDG  is a certified SAP BTP solution and is available on SAP App Store.

To know more details about the product, check the blog Partner Add-on Solutions.

Your opinions and feedback are highly appreciated and feel free to post them in the comment section.

Please follow and read more interesting blogs on SAP Master Data Governance | SAP | SAP Blogs

You can also find and post questions about the product here: SAP Master Data Governance Community

What’s New for SAP Integration Suite – Spring 2024

2024-05-23T08:50:16.661000+02:00

Continuing the blogpost series, we want to share with you the SAP Integration Suite innovation highlights of spring:

New look of SAP Integration Suite with the Horizon theme
Get help using built-in support
Access policies on package level
Design guideline checks in integration flow editor
Importing of message mapping with message type
Introducing the new pipeline concept in Cloud Integration
Activate Edge Integration Cell on Google Cloud Platform
Rollback to last successful Edge Integration Cell deployment
Creation of APIs using edmx for deployment on Edge Integration Cell
UDFs with Imported Archives in message mapping
Further execution types in message mappings
Archiving of payload data created in trading partner management scenarios
Duplicate nodes on target side in a message guideline
Global code value mapping from multiple sources to one target node
Copy API artifacts in API Management
Configuration of additional virtual hosts in API Management
Composing APIs and customizing business data graphs leveraging Graph
Distributed tracing through the event mesh
Direct consumption of SAP S/4 HANA Cloud events in SAP Integration Suite, advanced event mesh
New release of the Cloud Connector
Additional partner content published on SAP Business Accelerator Hub

New look of SAP Integration Suite with the Horizon theme

Probably you have seen it already, over the last days our user interface got a facelift and follows the Horizon theme with a modern, lightweight, and refreshed user experience. The icons, buttons, and texts change slightly but all functionality is still the same. Additionally, within our SAP Integration Suite home page we added a carousel that provides you with some spotlights. Enjoy the new look.

Get help using built-in support

We have made a big step forward in the direction of embedded product support. This new feature assists you with a combined search across knowledge base articles and help documentation to achieve a better understanding and guides you towards a solution. Additionally, it lets you file incidents through the support platform, all in one single window. Check out the documentation.

Cloud Integration

Access policies on package level

Isolation of sensitive data for different lines of business is crucial. We have extended our access policies in that way that you can control the access in the design time not only on artifacts but also on package level. This simplifies the tenant admin’s experience while restricting access to all integration artifacts of a package at once. Access policies on artifacts released before are not disrupted. In future we will offer an overwrite option to allow package access policies to overwrite artifact access policies. Only with granted access developers can deploy, undeploy, start integration flows, or access local variables. Refer to the blogpost and to the documentation for all details.

Design guideline checks in integration flow editor

Our design guidelines aim to model enterprise-wide integration flows in a robust fashion to safeguard the business processes. They cover different areas such as applying the highest security standards, handling errors, scripting, and performance. Now the first ones are embedded within the integration flow designer as rules and help to programmatically validate integration flows against them.

As an integration lead, you may not only learn about all available design guidelines but also enable the applicable ones on your tenants. And as an integration developer, you can validate the integration flows against the enabled guidelines and if needed improve the quality of your integration flow. Additionally, a report can be downloaded for report purposes. Be aware that currently not all design guidelines are covered by the tool. The complete list can be found in our help documentation. More rules will be added in the next increments. Check out the documentation.

Importing of message mapping with message type

You can now import message mappings from ES Repository that contains message type objects. Earlier, during the import, the message type objects were converted as WSDL files. See the documentation.

Introducing the new pipeline concept in Cloud Integration

The pipeline concept is mainly addressed to existing SAP Process Orchestration customers which plan to migrate their scenarios to Cloud Integration, but it can also be generally applied to any asynchronous integration scenario. It contains a sequence of generic and scenario-specific integration flows, leverage the Partner Directory to define the message processing behaviour, use XSLT mappings to carry out the receiver determination, and handles all asynchronous scenarios with a reduced number of JMS queues. For more details read the blogpost.

Edge Integration Cell

Activate Edge Integration Cell on Google Cloud Platform

You can now activate the Edge Integration Cell runtime on Google Cloud Platform. Check out the documentation and read also #3379690 to get the full list of supported regions and the future availability schedule.

Rollback the deployment

As the Edge Integration Cell is updated at cloud speed you have to update your Kubernetes version monthly by using the Edge Lifecycle Management user interface. Now it is also possible to roll back to the last successful version if an upgrade or configuration modification operation fails. The option to downgrading back to a previous tried-and-trusted version is also on the roadmap. Read the documentation.

Creation of APIs using edmx for deployment on Edge Integration Cell

You can now create an OData API artifact using a .edmx file. This functionality enables users to easily generate and manage OData APIs by leveraging existing .edmx files. Details how to create the APIs can be found in the documentation.

Migration Assessment and migration tool

Supporting our SAP Process Orchestration customers in their journey to SAP Integration Suite is one of our key investment areas. During last development takts we have released the innovations:

UDFs with Imported Archives in message mapping

By introducing a new type of artifacts, Imported Archives, you are now able to import your user-defined functions (UDFs) which have a reference to imported archive objects (with XSLT or Java mappings) in Enterprise Services Repository directly into Cloud Integration. You can reuse the imported archive objects across multiple Function Libraries artifacts, which in turn are reused across multiple message mappings. Read the documentation.

Further execution types in message mappings

As we want to increase reusability of message mapping artifacts from SAP Process Orchestration, we extended the import procedure of function library objects from the ES Repository by the execution types ALL_VALUES_OF_QUEUE and ALL_VALUES_OF_CONTEXT. Check out the documentation.

B2B Integration

Archiving of payload data created in trading partner management scenarios

We are thrilled to announce that you can now archive the interchange payload of your transaction activities to meet your data-retention requirements for auditing purposes. This archiving feature is executed once a day. Both the payload and headers are stored as zip files on your own CMIS-compliant content management system. Refer to the documentation Creating an agreement template and Creating a trading partner agreement.

Duplicate nodes on target side in a MAG

In B2B integration scenarios, you may occasionally encounter situations where certain information, such as different types of partners or currencies, is distributed across the source structure. However, there may only be one node in the target structure. To address this, the mapping guidelines editor now offers the ability to duplicate or replicate group or leaf nodes. This allows each source alternative to be mapped to one of these duplicates. See the documentation.

Global code value mapping from multiple sources to one target node

Additionally, we have news to tell regarding the global code value mappings. For the definition of more complex code value mapping scenarios, you may create a global code value mapping with multiple source code values to one on the target side. So, the value function now supports N:1 in addition to the existing 1:1 cardinality. Refer to the documentation.

API Management

Copy API artifacts

You can now create a duplicate of an API artifact by copying it within the same package or in a different integration package within the same Integration Suite subscription. Read the documentation.

Configuration of additional virtual hosts

The recent update allows for the configuration of additional virtual hosts and client certificate-based authentication entirely as a self-service instead of the previously established procedure that involved creating ops tickets. This applies to the default as well as custom domains. Additionally, the keystore and trust store values can be maintained as a reference, thereby ensuring that the virtual host definitions are automatically updated whenever certificates and keys are rotated. For further details refer to the following documentation pages (this, this).

Composing APIs and customizing business data graphs

Get a better understanding how Graph can be used to compose different APIs into a single connected data graph you may walk through this tutorial.

Event Mesh

Distributed tracing through the event mesh

For diagnose problems SAP Integration Suite, advanced event mesh offers you an end-to-end tracing capability for tracking an event all the way from the producing to the receiving application and it's way across one or multiple event brokers. Common OpenTelemetry backends can be leveraged for troubleshooting the error message. Read the documentation.

Direct consumption of SAP S/4 HANA Cloud events

Since March already it is also possible not only to receive SAP S/4HANA but also SAP S/4HANA Cloud events directly in SAP Integration Suite, advanced event mesh without any intermediate hops. This is very helpful for any large SAP S/4HANA projects, where performance is crucial. Check out the documentation.

New release of the Cloud Connector

A new release 2.17.0 of the SAP Cloud Connector has been recently published and can be downloaded. With this release we’ve not only ensured the highest security levels but also worked on improving the overall user experience and functionality. See the blogpost or all the details.

SAP Business Accelerator Hub

Additional partner content has been published on SAP Business Accelerator Hub, our public catalog hosted by SAP to discover, explore, and test SAP and partner APIs required to build extensions or process integrations. Examples are the integration of SAP S/4HANA with Shopify published by Flexso NV; or Effective People A/S an integration to replicate employee data from SAP SuccessFactors Central to SAP Concur; and NTT DATA Business Solutions AG an exchange of application and vendor data between SAP LeanIX and SAP Integration Suite. Please check out the separate blogpost for more details.

How to stay tuned to recent and upcoming innovations?

The blog post ends with a list of links to websites that hopefully keep you up-to-dated:

SAP Road Map Explorer for SAP Integration Suite, SAP Integration Suite, advanced event mesh, and SAP API Business Hub
What’s New in SAP Integration Suite
Sign up to get invitations to the upcoming monthly webinars hosted by the Product Management experts. Next one is scheduled for May 28th
2024 Learning Sessions for SAP User Groups for all recordings, presentations, and Q&As in case you have missed a webinar
Release Navigator for SAP Integration Suite easing you the way to find product release related notes, blogposts, and webpages

SAP Cloud Integration: Advanced Event Mesh Adapter: OAuth Authentication

2024-05-23T10:22:36.147000+02:00

SAP Cloud Integration (aka CPI) offers an “Advanced Event Mesh Adapter” which is well integrated with the “Advanced Event Mesh” broker.
This article shows how to set up a scenario where we send a message from iFlow via “Advanced Event Mesh Adapter” to SAP Integration Suite, Advanced Event Mesh (AEM) with OAuth Authentication.

Technologies covered in this blog post:
🔹SAP Business Technology Platform, Cloud Foundry environment
🔹SAP Cloud Integration
🔹SAP Integration Suite, Advanced Event Mesh
🔹XSUAA, OAuth 2.0

Content

0. Introduction
1. BTP: Create OAuth Client with XSUAA
2. AEM: Configure OAuth Settings
3. CPI: Create iFlow
4. Run Scenario

Prerequisites

🔹To follow this tutorial, access to SAP Advanced Event Mesh is required.
🔹Access To CPI Tenant is required.
🔹Access to Subaccount in BTP with permissions to create service instances
🔹I recommend bookmarking the Security Glossary

0. Introduction

We want to send a message from an iFlow to Advanced Event Mesh Broker.
We want to use the “Advanced Event Mesh” adapter.
Authentication should be configured with OAuth.

What is OAuth?
Let’s try to give a brief summary:
We don’t send user/password to the endpoint.
Instead, we send a token (a string containing some info).
We fetch that token from a so-called “Authorization Server”.
Beforehand, we have registered a “client” at that server.
Upon registration, the client gets an ID and a password, called “secret”.

To fetch a token, one of several “OAuth flows” is used.
Typical flow:
(1) the web application (“client”) requests a token from “Auth Server” (with ID / secret).
(2) The server asks the end user for consent (user enters name/password).
(3) Web app receives token and sends it (4) to the endpoint (“Resource Server”).
(5) The endpoint validates the token (with help from “Auth Server”) and responds to client.
This flow is called “Authorization Code” and requires interaction from end user.

Summarizing, we have 4 participants:
Resource Server, hosting the resources, that are requested by the web app (e.g. photos).
Client, the (web) application.
Authorization Server, the server which issues the access tokens and knows how to validate end users.
End User, human user who uses the web applications and owns the resources (e.g. own photos).

What is a JWT token?
It stands for JSON Web token, it is a string that contains data in JSON format.
The string is encoded with Base46.
The data contains the client ID and permissions and more.

How does it apply to CPI?
If user interaction and user information is not required, we can use “Client Credentials flow”.
It is simpler, because user consent can be skipped.
This is what we use for our scenario.

We can see that XSUAA acts as “Authorization Server” which issues a JWT token.
The AEM represents the “Resource Server” which hosts the protected resources, in this case we connect to it for sending messages.
CPI takes the role of the client which requests a JWT token and sends client ID + secret.

To be more concrete:
Beforehand, we create an instance of XSUAA service, which involves the registration of a client at XSUAA.
The instance is the client and the credentials are obtained via service key (because we cannot bind).
The credentials are then stored in CPI as a Security Artifact (in this case: “OAuth 2 Client Credentials”).
This security artifact is configured in the AEM adapter.
CPI is then able to automatically fetch a JWT token which is sent by the AEM adapter when connecting to AEM.
At AEM side, we have to configure the information of XSUAA and the client credentials.
This enables AEM to validate the incoming JWT token (with the help of XSUAA).

In the following hands-on tutorial, we’re going to take care of each of the 3 participants:

🔹Register an OAuth client at the Authorization Server (XSUAA).
🔹Configure the Resource Server to support OAuth (AEM).
🔹Configure the client application to use the OAuth client with “client credentials” flow (CPI).

1. BTP: Create OAuth Client

In this tutorial, we’re using XSUAA, but the approach should be similar when using other Authorization Servers like IAS.
We create a service instance (which represents the OAuth client) and use the credentials for configuring CPI and AEM.

1.1. Create Service instance

Go to your subaccount -> Service Marketplace -> Authorization and Trust Management -> Create
Then select the service plan as “application” and enter a name of your choice.
In my example: "xsuaaForAem".

1.2. Create Service Key

After service creation we click “view instance”.
There, we press on “Create Service Key”.

We can enter any name of our choice, e.g. "myKey".
Press Create.

1.3. View Credentials

After creating the service key, we can view the credentials, i.e. the content of the service key.
We can either use the “View Credentials” button on the service details, or the context button of the new service key.

The content of the service key is a JSON object which contains 3 relevant properties:

🔸clientid
🔸clientsecret
🔸url

We should take a note of them.
Why?
This is the OAuth client, with its name and password, and the URL from where it can fetch an access token.
We need this information to configure both AEM and CPI.

2. AEM: Configure OAuth Authentication

Now we head over to AEM for defining the configurations required for OAuth authentication.

Why?
Our iFlow will establish a connection and will have to authenticate.
Instead of authenticating with username and password, we want to use OAuth.
As a consequence, AEM will receive a JWT token.
Which means that AEM will have to somehow validate the token content.
Below configurations enables AEM to do this validation.

At AEM, 3 steps are required:

🔹Enable OAuth (only once)
🔹Create OAuth Profile (for each OAuth client)
🔹Set default profile (in case of multiple profiles)

2.0. Enable OAuth Authentication

We login to our SAP Integration Suite, advanced event mesh.
We click on Cluster Manager, choose our broker and click on the Manage tab.
In the section Event Broker Service Settings we click on Authentication.
We enable OAuth Provider Authentication and Save.

This step needs to be executed only once.

2.1. Create OAuth Profile

In the Cluster Manager, we choose our broker and Open Broker Manager.
There, we click on Messaging -> Access Control on the left navigation pane.
Below Client Authentication tab, we go to the sub-tab OAuth Profiles.
To create a new profile, we click ➕OAuth Profile button and enter a name like "xsuaaForAem".
After pressing Create we can configure this new profile.

Note:
One profile corresponds to one OAuth client.
In our case, the OAuth client is the service instance of XSUAA, but it could be an “Application” in IAS or Microsoft Azure AAD, etc

Settings

🔸Enabled
yes

🔸OAuth Client ID
Here we enter the clientid which we copied in chapter 1.3.
In my example, I enter sb-na-a8e2450d-3c00...

🔸Change OAuth Client Secret
We should not forget to click here, although it doesn’t seem to be a field. 👀
Here we enter the clientsecret which we copied in chapter 1.3.
In my example, I enter 0WUSE1jLm...
Note:
The client secret is required for AEM to call the introspection endpoint of XSUAA.

🔸OAuth Role
This is a confusing setting.
Anyways, in case of OAuth flow, we choose Resource Server.
It makes sense, because in the OAuth diagram we assigned the role of Resource Server to AEM.

🔸Issuer Identifier
Another confusing field.
We can enter any string of our choice, as long as we use it when sending a request to AEM.
This value is an ID which helps AEM to find the proper OAuth profile for an incoming JWT token.
With other words:
At the end of the day, we send a JWT token to AEM.
AEM contains multiple OAuth profiles.
So how does AEM know, which profile to use for validating the incoming token?
The answer is easy to guess:
It uses this field 👍.
First of all, the validator reads the issuer which is carried by the JWT (the property name inside JWT token is iss).
And it searches for a profile with the same Issuer Identifier.
Alternatively, we can enter any unique string in this field.
In that case, we have to send this same string in the request, as a special property.
(Documentation can be found here)

In our tutorial, we use the url of XSUAA, which is our issuer and is contained in the JWT.
We copy the url property from chapter 1.3
In my example:
https://subdomain.authentication.eu12.hana.ondemand.com

🔸Discovery Endpoint
It is not required in our scenario.
Optionally you can enter a URL like this:
https://subdomain.authentication.eu12.hana.ondemand.com/.well-known/openid-configuration

🔸JWKS Endpoint
It is not required in our scenario
Also, it is not required if the Discovery Endpoint is provided, because the JWKS Endpoint can be found in the metadata that are returned by the discovery endpoint.
Anyways, in my example, the URL would be
https://subdomain.authentication.eu12.hana.ondemand.com/token_keys

Alternatively, the JWKS endpoint can be found when looking into a JWT token.
The JWT token contains a header which contains a claim called jku.
This is an abbreviation for JWKS Url and the value is the same as above.

What is JWKS?
It stands for JSON Web Key Set.
It is a JSON object which contains a list of keys.
These keys are public keys, exposed by the Authorization Server.
A public key is used to verify a signature.
It is required, because a JWT token is signed (with private key) by the Authorization Server and the signature is contained in the third segment of the JWT.
Thus, the receiver of the JWT token can validate the token by extracting the signature and verifying it with the public key that is found via the first segment of the JWT
In our example, we don’t need to enter the value, because the value can be read from the JWT token

🔸Introspection Endpoint
This is an endpoint which is offered by the Authorization Server (XSUAA).
We compose the URL by appending /introspect to the url property from chapter 1.3.
In my example:
https://subdomain.authentication.eu12.hana.ondemand.com/introspect
Docu can be found in the Cloud Foundry UAA reference.
The introspect endpoint is called to validate the JWT token.
The token is sent to the endpoint and the response contains a property (active) which indicates if the token is valid.

🔸Authorization Groups Claim Name
We leave this empty.

🔸Parse Access Token
We set to disabled.

🔸Validate Access Token Audience
We enable the setting and enter the value of client ID into the field.
The aud claim in a JWT token contains a list of receivers that are intended by this token.
The client itself is always in the aud.
As such, we can enter the clientid which we received in chapter 1.3

🔸Validate Access Token Issuer
We can enable this validation and enter the exact issuer which is contained in the iss claim of the JWT token.
In our example, it is the token endpoint of XSUAA server, the value which we will need in chapter 3.1
We enter the value of the url property of chapter 1.3
However, that’s only the base URL, so we have to append the endpoint segments: /oauth/token

In my example:
https://subdomain.authentication.eu12.hana.ondemand.com/oauth/token

🔸Validate Access Token Scope
We disable this validation, because we don’t require a specific scope.

🔸Validate Access Token Type
We can enable this validation and leave the default values as:
at+jwt (accept access tokens and JWT tokens)

Finally, we can press “Apply” in the right upper corner.

2.2. Configure Default Profile

After creating an OAuth profile, it is ready to be used.
We've seen in the AEM dashboard that the new profile is added to a list of multiple OAuth profiles.
Now there's another setting in the "Client Authentication" Tab which allows to define which of the existing profiles should be used as default.

Within "Broker Manager" we go to
Access Control -> Client Authentication -> Settings
and press "Edit"
We make sure that OAuth Authentication is enabled.
Now we select our OAuth Profile which we created above as Default Profile Name.

And as usual:
Finally, we press “Apply”.

2.3. Create Queue

If not yet available, we create a queue to which we’ll send events from iFlow.
To do so, we go to
Broker Manager -> Messaging -> Queues
and create a queue with name “testqueue”.

Recap

At AEM, we’ve configured OAuth via these 3 steps:

Broker Service
🔹enable OAuth Authentication
Broker Manager
🔹create OAuth Profile
🔹define default OAuth Profile

3. CPI: Create iFlow

At this point, the AEM broker is ready to receive JWT tokens issued for the OAuth client created in chapter 1.
Now we head over to Cloud Integration dashboard where 2 tasks are waiting for us:
🔹create a Security Artifact for handling the JWT token
🔹create an iFlow with AEM adapter for sending messages

3.1. Create Security Artifact

We create a security artifact for securely storing the credentials which we received in chapter 1.3.
CPI provides a special artifact type for OAuth 2 which is able to automatically fetch a JWT token with “Client Credentials” flow.
We go to
Monitor -> Security Material
and click on
Create -> OAuth 2 Client Credentials

In the dialog, we enter the following values:

🔸Name
Any name of our choice.
Note that this name will be used in the iFlow.
In my example, I’m entering "xsuaaForAem".

🔸Token Service URL
This is the endpoint provided by the Authorization Server, used for requesting a JWT token.
We enter the value of the url property of chapter 1.3.
However, that’s only the base URL, so we have to append the endpoint segments: /oauth/token
The full URL in my example:
https://subdomain.authentication.eu12.hana.ondemand.com/oauth/token

🔸Client ID
Here we enter the value of the clientid property which we copied in chapter 1.3.
In my example, I enter "sb-na-a8e2450d-3c00"

🔸Client Secret
Here we enter the clientsecret property which we copied in chapter 1.3.
In my example, I enter "0WUSE1jLmsX/BcB0LlD"

🔸Client Authentication
We choose “Send as Body Parameter”.

🔸Content-Type
We choose “application/x-www-form-urlencoded"

Finally, we press "Deploy".

With this, we’ve enabled CPI to fetch a JWT token for us.
Note that the credentials have to be the same as we’ve configured in the AEM profile.

3.2. Create iFlow

Now we can go ahead and create the iFlow.
In this tutorial the iFlow is as minimalistic as possible, as we only want to show the usage of the AEM adapter.

We create a simple iFlow which does really nothing but sending messages to the Event Broker.
We define a hard-coded dummy message text.
We just want to make sure that the OAuth authentication works fine.
Let's quickly go through the steps:

🔸Start Event
The iFlow is triggered once after deploy, by a "Timer" start event.

🔸Content Modifier
In the "Message Body" tab we enter any dummy message text of our choice.

🔸AEM Adapter: Connection tab
Host
The value for host is copied from AEM and pasted as is, no need to cut or append anything.
We go to
AEM dashboard -> Cluster Manager -> Choose service -> “Connect” tab
We expand “Solace Messaging” and copy Secured SMF Host Public Internet URL.

We paste the clipboard content into the “Host” field in AEM adapter.
Message VPN
Same procedure: copy the “Message VPN” value from the “Connect” tab of AEM.
See screenshot above.
Paste the clipboard content into the “Message VPN” field of the AEM-adapter in iFlow.
Username
We can leave the “default” user.
Authentication Type
Select “OAuth2”.
OAuth2 Credential Type
Choose "OAuth2 Client Credentials".
OAuth2 Client Credentials Credential Name
Here we enter the name of the security artifact created in chapter 3.1.
In my example: "xsuaaForAem".

🔸AEM Adapter: Processing tab
Here we configure our queue.
Endpoint Type
We select "Queue".
Destination Name
Here we enter the name of the desired target queue.
In my example: “testqueue”.

That’s it for iFlow creation.
BTW, saving is always a good idea.

4. Run Scenario

Now we can deploy the iFlow and check the result:
🔷In CPI :
The log at “Monitor Message Processing” should show success message:

🔷In AEM:
We go to “Broker Manager” and check the number of “Messages Queued” which should have increased.

🔷Consume:
Another option would be to use the “Try-Me” tool in AEM to consume the messages sent from iFlow.

We go to Cluster Manager -> Select Service -> Connect
We expand Solace Web Messaging and copy the “Connection Details”.
Then we go to
Broker Manager -> Try Me
and enter the connection details and the queue name.
Immediately, we receive the messages and can check the dummy content which we specified in the “Content Modifier” step of the iFlow.

With that we can be happy. 😊
We've confirmed that OAuth authentication can be realized with CPI and AEM via AEM adapter.

Troubleshooting

If the authentication is not configured correctly, the iFlow would fail during deployment.
The error could be seen in Monitor -> Manage Integration Content

Error message like below, security related error messages are usually not helpful:
com.solacesystems.jcsmp.JCSMPErrorResponseException: 401: Unauthorized

Status 401 indicates that the access is not allowed, token validation failed.
Super
This means that the OAuth configuration is not correct.
Sorry that I don’t have a better explanation.

To fix it, we need to go through the tutorial again and check:
- ClientID and secret: are they the same in CPI-Security-Artifact and in AEM-OAuth-Profile?
- Is the correct Security Artifact configured in the CPI-AEM-adapter?
- Go through the OAuth profile and check each setting and URLs, deactivate the validations.
- You may want to fetch a JWT token manually (e.g. using Postman or curl) and introspect it (www.jwt.io) to view the content of the iss claim.

Sorry that I cannot give better advice.

Summary

In this blog post we've learned how to use OAuth authentication for sending messages from iFlow via AEM adapter.
We've learned that 3 configuration steps are required at AEM:

AEM Broker Service: enable OAuth Authentication
AEM Broker Manager: create OAuth Profile
AEM Broker Manager: define default OAuth Profile

And we've learned how to configure the AEM adapter for an iFlow receiver channel:
CPI Monitoring: Create security artifact for "Client Credentials"
CPI iFlow AEM adapter: use the security artifact for OAuth2 authentication.
CPI iFlow AEM adapter: Connection details are copied from "Connection" tab in AEM.

In this blog post we've used XSUAA as Authorization Server.
We've focused on the OAuth flow "Client Credentials".

Links

OAuth spec https://datatracker.ietf.org/doc/html/rfc6749

AEM docu https://help.pubsub.em.services.cloud.sap/Cloud/cloud-lp.htm

🌟

SAP CodeJam Roadshow 2024 - Latin America edition 🇧🇷 🇨🇱 🇦🇷 🇨🇴 (August 8th - 21st 2024)

2024-05-24T08:00:00.056000+02:00

¡Hola SAP Developers!

I got some exciting news to share with you. Similar to the European Roadshow that our colleagues @thomas_jung and @RichHeilman have done in the past, this time, @josh_bentley and I will hit the road for the first-ever SAP CodeJam Roadshow in Latin America. We will have 4 stops on the roadshow 🇧🇷 🇨🇱 🇦🇷 🇨🇴 from August 8th - 21st 2024, doing a total of eight CodeJams, 2 per location :-).Event-driven integration using SAP Integration Suite, advanced event mesh.

Event-driven integration with SAP Integration Suite, advanced event mesh

This SAP CodeJam instance will be about event-driven architectures focusing on SAP Integration Suite, advanced event mesh. During the CodeJam, we will cover different technologies/tools: SAP Integration Suite, advanced event mesh, SAP Cloud Integration, SAP Business Application Studio, CloudEvents, and Node.js.

SAP Build: Create apps and processes without code

This SAP CodeJam event will give you a hands-on experience with SAP Build for building apps and business processes without code (Low Code/No Code).

You will get to know the environment by creating:

A business app for an online store (SAP Build Apps).
A business process for approving purchases (SAP Build Process Automation).
We will also demo desktop automations and a business site in which you can embed the app (SAP Build Work Zone).

SAP CodeJam events part of the roadshow (Register Now!)

Below is a listing of the SAP CodeJam events on the roadshow schedule:

Dates	CodeJam topic	Location	Registration
8 August	Event-driven integrations with SAP Integration Suite, advanced event mesh	São Paulo, Brazil 🇧🇷	Link
9 August	SAP Build: Create Apps and Processes Without Code	São Paulo, Brazil 🇧🇷	Link
12 August	Event-driven integrations with SAP Integration Suite, advanced event mesh	Santiago, Chile 🇨🇱	Link
13 August	SAP Build: Create Apps and Processes Without Code	Santiago, Chile 🇨🇱	Link
15 August	Event-driven integrations with SAP Integration Suite, advanced event mesh	Buenos Aires, Argentina 🇦🇷	Link
16 August	SAP Build: Create Apps and Processes Without Code	Buenos Aires, Argentina 🇦🇷	Link
20 August	Event-driven integrations with SAP Integration Suite, advanced event mesh	Bogotá, Colombia 🇨🇴	Link
21 August	SAP Build: Create Apps and Processes Without Code	Bogotá, Colombia 🇨🇴	Link

Make sure to register to secure your place. It is likely that the places available will go fast.

What if the CodeJam topics do not cover the SAP technology that you focus on? We may organise additional local events just to get together and have a chat.... similar to an SAP Stammstich.

See you all somewhere in Latin America on the roadshow!

Automatically update SSL Certificates before they expire in SAP CPI

2024-05-30T10:58:32.883000+02:00

I will explain how to automatically install SSL certificates on CPI using SAP's APIs.You can follow the steps below to set a timer and have it loaded automatically, without having to manually check whether it has expired or not.

Automatically update system certificates before they expire with SAP CPI and Groovy (openssl command)

Instead of manually updating the certificate, we can automatically install the certificate before it expires with this API created by SAP.

You can use CPI APIs to update a certificate in Keystore.

In this scenario, we will perform a PUT operation to the /CertificateResources path of the CPI API below.

Method	Resource Path
PUT	/CertificateResources('{Hexalias}')/$value

We must convert the name (alias) of the certificate we want to update in CPI KeyStore to hexadecimal.

In this scenario, we will update the certificate for facebook

hexadecimal value for facebook: 66616365626F6F6B

Note: For hexadecimal format, you can use text to hexadecimal converter online.

The URL to be sent in the put operation:

https://<host address>/api/v1/CertificateResources(‘66616365626F6F6B)/$value?fingerprintVerified=true&returnKeystoreEntries=false&update=true

When you test the service with the hexadecimal value in Postman, you can manually import and update the certificate.

The current content of the certificate is written to the Request Body:

For Example:

[---Begin Certificate----]

AHcAdv+IPwq2.....

.....

.....

1tIQYIeaHKDHPA==

[---End Certificate----]

Header, Params and Body fields are defined as in the service document.

Header:

Request Body:

We will now do the same operation we did manually in Postman in CPI using SAP's API.

The steps to be taken in CPI for this process are as follows.

First, we get FetchToken to log into CPI.

We write the following information for Get Token.

A user authorized in CPI is defined and the CPI link is written in the Address field.

In the next step, we will check the SSL/TLS certificate of the server named " graph.facebook.com " with groovy and obtain the current certificate.

Code detail is as follows:

import java.security.cert.X509Certificate
import java.util.Base64
import javax.net.ssl.SSLPeerUnverifiedException
import javax.net.ssl.SSLSession
import javax.net.ssl.SSLSocket
import javax.net.ssl.SSLSocketFactory
import com.sap.gateway.ip.core.customdev.util.Message

def processData(Message message) {
    try {
        def factory = SSLSocketFactory.getDefault() as SSLSocketFactory
        def socket = factory.createSocket("graph.facebook.com", 443) as SSLSocket

        // Connect to the peer
        def session = socket.getSession()
        X509Certificate cert = session.peerCertificates[0] as X509Certificate

        def sDNName = cert.issuerDN.name // Server's DN Name
        def sDEREncoded = Base64.getEncoder().encodeToString(cert.encoded)

        // Set Properties
        message.setProperty("sDNName", sDNName)
        message.setProperty("sDEREncoded", sDEREncoded)

        return message
    } catch (SSLPeerUnverifiedException e) {
        throw new Exception("graph.facebook.com did not present a valid cert.")
    }
}

Then we add a new content modifier.

Header details:

We store the certificate we received in our body.

Put service details as follows:

The part that should not be skipped here is; Http Session Reuse option should be On Exchange.

This option enables Http session reuse. More than one message can be exchanged with one http session. Since there will be no re-authentication in the second message, subsequent calls will be made faster.

You can find detailed information about this subject on this blog.

https://community.sap.com/t5/technology-blogs-by-sap/cloud-integration-how-to-configure-session-handling-in-integration-flow/ba-p/13325908

After saving and deploying the integration, we can view it from the logs.

In the following section, we write the sDEREncode of the certificate to the body and thus the certificate in the keystore is updated.

Certification dates before operation

When we run the integration, it is updated as follows:

You can understand that the imported certificate has changed when the date below is updated.

Duplication of Target Nodes in Integration Advisor (Leaf Nodes)

2024-06-12T11:03:18.395000+02:00

Introduction

Recently, we have introduced a new feature in Integration Advisor for the duplication of target nodes. This feature allows the duplication of leaf as well as group nodes of a target Message Implementation Guideline (MIG) in the Message Guideline (MAG) editor. This feature helps in special mapping situations where you have two sources which must be mapped to (multiple instances of) the same target node.

In this blog post, I will show a scenario which illustrates some of the benefits of this new feature when applying it to the duplication of leaf nodes. In a previous article, a scenario with group nodes was presented.

Scenario

We use a similar scenario like in the previous article: Assume you have a source MIG based on UN/EDIFACT message ORDERS (version D.21B S3, e.g.) which shall be mapped to an SAP IDoc ORDERS.ORDERS05. But now we consider the mapping between the date time segments (the document date) in the header. You agreed with your partner, which sends the UN/EDIFACT ORDERS message, that they can use one of two date time formats: CCYYMMDD or CCYYMMDDHHMMSS. However, on your own side, which receives the SAP IDoc ORDERS.ORDERS05, you want to have both the date (DATUM) and the time field (UZEIT) filled, the latter set to 120000 (noon) by default, if the sender doesn't specify a time. Furthermore, you again want to use Integration Advisor's Date Time Conversion for the mapping:

Solution

Mapping in a classical way, you would map source node 2380 to both target nodes DATUM and UZEIT. Because of the two different source formats, you would need to implement two mapping functions (e.g. using if-statements) and wouldn’t be able to make use of the in-built date time conversion.

Integration Advisor offers you here a more elegant solution: In the Edifact source MIG, you can qualify node 2380 (Date or time) based on the value of node 2379 (Date or time format code). As a result, your source MIG structure now shows two different nodes 2380 [2379 = 102] and 2380 [2379 = 204]. For each of the nodes, the date time format is fixed and known. Please note that in the payload only one of the 2380 nodes will be filled.

Now you can use duplication of leaf target nodes in your mapping: Duplicate the DATUM field as well as the UZEIT field (see Duplicate Target Nodes) of the target MIG and map the source field 2380 [2378 = 102] to the first instances and the source field 2380 [2379 = 204] to the second instances:

Now switch all four mappings to "Date Time Mapping":

And select the right date time formats, e.g.:

In this example you can also see how you can specify fixed values for target date time fields, for which there is no source field available. Now you can simulate the mapping with the attached example payloads:

Summary

In this blog article we showed how we can use the duplicate target nodes feature for solving a mapping challenge which involves leaf nodes in contrast to the previous article, which considered group nodes. We also would be happy to know more about your use cases for this new feature.
Please, share your ideas and feedback in a comment. Furthermore, you can follow the SAP Integration Suite topic page to get to know more about Integration Suite in general, or read other posts about Integration Advisor. You can also follow my profile if you want to read similar content in the future.

Concur EMEA Fusion 2024 Event Recap

2024-06-12T14:44:10.723000+02:00

On May 16 2024, SAP Concur hosted Fusion Exchange EMEA in London and I was honored to have the opportunity to attend this year. It was nothing short of an extraordinary experience! We have around 600 onsite attendance and the event was packed with insightful presentations, innovative demonstrations, and invaluable networking opportunities that left me feeling inspired and excited about the future of our industry.

Keynote Highlights: The Power of AI in Spend Management

One of the standout moments of the event was Fred Fredericks' keynote demo, which truly showcased the transformative potential of AI in the realm of spend management. Fred demonstrated how artificial intelligence can be harnessed to analyze massive volumes of receipts, significantly enhancing the efficiency and accuracy of our Spend Control Tower. This advanced capability not only streamlines the process but also provides deeper insights into business data, ultimately driving better decision-making and cost savings for our customers.

AI's role in travel policy compliance was another highlight. By leveraging AI, we can ensure that travel policies are adhered to more rigorously, reducing instances of non-compliance and associated costs. Gen AI is already embedded in Concur request to provide intelligent cost estimates for trip planning.

Furthermore, AI's ability to understand personal travel preferences offers a seamless and personalized experience for our users, making business travel more enjoyable and efficient.

Session Highlights: The New Travel Experience

As travel continues to evolve, we are dedicated to creating new and improved experiences for our users. We have enhanced the user experience (UX) to make our mobile app more intuitive and now offer sustainability travel options for our customers. Our travel search capabilities are now more streamlined, allowing companies the freedom to choose from a diverse range of suppliers, sources, and content to meet global travel requirements. Additionally, with Microsoft integration, users can easily share their Concur Travel itineraries with colleagues or join the same trip, enhancing collaboration and convenience.

Engaging with Customers: A Source of Inspiration

Beyond the impressive technology and solutions showcased, what truly made Concur EMEA Fusion 2024 special was the opportunity to engage with our customers. I had the pleasure of participating in numerous insightful conversations, each offering a unique perspective and highlighting various challenges and opportunities within our field. We discussed topics such as invoice field matching, SAP ICS for Concur Invoice, and SuccessFactors Integration to Concur. Our customers expressed a keen interest in upgrading their integration strategies, making these discussions particularly valuable and forward-looking. These interactions are incredibly valuable, as they inspire us to continue innovating and improving our offerings to better meet the needs of our users.

We are also grateful for the feedback indicating that 97% of our attendees rated the educational sessions as good. Also a huge kudos to my amazing booth staffing colleagues who made this event such a success.

Looking Ahead: Continued Innovation and Growth

As I reflect on my experience at Concur EMEA Fusion 2024, I am filled with optimism and excitement for the future. The advancements in AI, our new partnership with Mastercard, and the integration with our rail partners reaffirm our direction and motivate us to continue pushing the boundaries. In conclusion, Concur EMEA Fusion 2024 was more than just an event; it was a testament to the power of innovation, collaboration, and customer-centricity. Thank you to everyone who made this experience unforgettable, and here's to continued growth and innovation in the years to come!

The sessions presentations could be downloaded here

Performance form custom element update from User entity via OData API upsert in CPI

2024-06-12T21:49:38.682000+02:00

Introduction:

Performance evaluation and performance management entail multiple steps for an employee within SuccessFactors. Beginning with Assessment, Signature, and Completion, the form template progresses through various evaluation stages for employees. The performance form template is configured to extract employee data such as LastName, FirstName, Department, Division, HireDate, Business Title, etc. While some information suffices for performance evaluation, for larger companies, considering additional details is crucial, which may not be directly fetched from the form template or available within its general settings.

In such cases, custom sections within the form templates are utilized to incorporate the necessary data. This is achieved through custom elements sections nested under custom sections in the Performance Review Template.

In this blog, we will delve into the steps to create custom elements in the Performance Review Template and allocate the requisite field permissions to facilitate its integration via the OData API, utilizing CPI as middleware.

Objective:

The purpose of this blog is to illustrate the necessary steps for creating and updating custom field sections in performance forms and templates, which cannot be done via basic upsert or user sync jobs in the Integration Center. To address this, automation and updates through CPI can be an ideal approach for updating custom sections. The custom field section in performance forms consists of user-created objects, allowing for the input of any desired values during the completion of an employee's performance form.

In our scenario, we assume there is data requiring updates from the User Entity to the custom Element form section. While manual updating is feasible in small-scale scenarios, it becomes exceedingly challenging for a significant number of employees. Therefore, automation is essential to facilitate data transition from User MDF to CustomFormSection.

To accomplish this, CPI serves as a middleware to import the data and facilitate updates to the CustomFormSection. The image below illustrates the one-to-one mapping, demonstrating how CPI replicates values between these two entities.

Fig 1: Demonstration of fields that need to be moved from User MDF to CustomFormSection in FormContent

Implementation:

The below architecture diagram shows the complete expectation and execution of the CPI job. The left-hand section is the query section which are the calls that CPI made to get the current data from FormContent (All performance form data of an employee) and the existing data in User MDF custom fields.

The right-hand section shows the upsert operation performed by the CPI job. If any custom field data exists for the employee, then it gets replicated into the custom fields section by using the entity FormCustomSection to upsert all custom elements at once. (The screenshot for the same upsert is shown later down the blog).

The CPI job can be scheduled so that all the delta changes or new forms' custom sections can get updated with the relevant data.

Fig 2: Architecture for FormCustomSection update from User MDF via CPI

For the custom elements permission setting navigate to Admin Center/Manage Templates/<Choose your template name> in SuccessFactors, under the custom field and section the custom elements are created as follows,

Fig 3: Custom Elements created for the custom section.

For the section field permission select Type: Write and All for other API roles, this is shown below for example.

Fig 4: Field Permission setting for Custom Fields created under the custom section.

The section permission field can also be defined so that the API user can update it only when this gets launched in the inbox, and it is at step LAUNCH.

Fig 5: Custom Section Permission settings

The newly created custom section will look somewhat like as shown below, and the values will be populated from User Entity (for ex. customString1 … 5) via CPI.

Fig 6: Custom Section in Performance Form

To get and update the values related to each Form we will query the Entity FormContent from the SuccessFactors ODATA V2 API adaptor, see the screenshot below for reference. The FilterFormContent includes the formTemplate Id and lastModifiedDateTime string as this is dynamically set in each execution.

Fig 7: Odata API call to FormContent

After getting data from FormContent the same payload can be used to get User value, by navigating to FormContent/formHeader/FormHeader/formSubject/User/custom01 … custom05 the custom values can be extracted, and the payload can be prepared to update the customFormElement for each custom Elements created in the above steps.

To upsert the custom element the Upsert (POST) is used where the entity can be selected as FormCustomSection, this entity can be directly used to update all your custom elements all at once,

Fig 8: OData API for Upsert FormCustomSection

The payload FormCustomSection is prepared from FormContent and the payload is attached below to refer,

<FormCustomSection>
    <FormCustomSection>
        <sectionIndex>1</sectionIndex>
        <formContentId>6916</formContentId>
        <formDataId>4352</formDataId>
        <customElement>
            <FormCustomElement>
                <elementKey>ele_1</elementKey>
                <sectionIndex>1</sectionIndex>
                <itemId>-1</itemId>
                <formContentId>6916</formContentId>
                <formDataId>4352</formDataId>
                <valueKey>wf_sect_1_e_ele_10</valueKey>
                <value>custom string 1</value>
            </FormCustomElement>
            <FormCustomElement>
                <elementKey>ele_2</elementKey>
                <sectionIndex>1</sectionIndex>
                <itemId>-1</itemId>
                <formContentId>6916</formContentId>
                <formDataId>4352</formDataId>
                <valueKey>wf_sect_1_e_ele_21</valueKey>
                <value>custom string 2</value>
            </FormCustomElement>
            <FormCustomElement>
                <elementKey>ele_5</elementKey>
                <sectionIndex>1</sectionIndex>
                <itemId>-1</itemId>
                <formContentId>6916</formContentId>
                <formDataId>4352</formDataId>
                <valueKey>wf_sect_1_e_ele_52</valueKey>
                <value>custom string 3</value>
            </FormCustomElement>
            <FormCustomElement>
                <elementKey>ele_3</elementKey>
                <sectionIndex>1</sectionIndex>
                <itemId>-1</itemId>
                <formContentId>6916</formContentId>
                <formDataId>4352</formDataId>
                <valueKey>wf_sect_1_e_ele_33</valueKey>
                <value>custom string 4</value>
            </FormCustomElement>
            <FormCustomElement>
                <elementKey>ele_4</elementKey>
                <sectionIndex>1</sectionIndex>
                <itemId>-1</itemId>
                <formContentId>6916</formContentId>
                <formDataId>4352</formDataId>
                <valueKey>wf_sect_1_e_ele_44</valueKey>
                <value>custom string 5</value>
            </FormCustomElement>
        </customElement>
    </FormCustomSection>
</FormCustomSection>

As per the definition of FormCustomElement the elementKey, valueKey forms the unique to update a particular customElement, and combining formDataId and formContentId forms the unique value to update the customElement only for a particular employee. The above payload upsert will respond to successful upsert for elementKey, valueKey formDataId, and formContentId as a key pair.

The mapping for the above payload can be shown below to understand the field's association for each custom element with the payload after the upsert.

Fig 9: Output mapping of each custom element

Conclusion:

Thus, the custom Form section can be created and automated easily, which can be updated in a delta run from CPI. Custom section upsert enables the Route map to complete the initial launch step by itself thus eliminating the manual update of data within the form. This can be extended to re-route the form by itself by using RouteMap API. Custom Form sections add more value to Performance forms as they enable more insights for an employee to be passed down for performance evaluation. Thus, using FormCustomSection or customElement API upsert is useful to perform and set up the automation task.

Introducing Dark CPI web extension For SAP Applications

2024-06-13T12:12:37.651000+02:00

Hello Readers,

This is my first blog. I want to share an open-source extension tool.

Extension provides control to change theme to dark mode for SAP CPI, SAP Build zone.

The Dark SAP CPI Web Extension is a versatile open-source tool that enhances the user interface of SAP CPI and SAP Build Work Zone. It offers a seamless transition to a dark theme, promoting a comfortable visual experience for users. In this guide, we'll show you how to use Dark CPI to get the most out of its features.

Key Features of Dark CPI

Ease of Use: Users can effortlessly switch to a dark theme, reducing eye strain.
Theme Variety: The extension boasts a range of themes such as 'Morning Horizon', 'Evening Horizon', and 'Quartz Light', allowing users to personalize their interface according to their preference and the time of day.
Accessibility: The dark theme can be activated via a simple click on the extension icon, making it easily accessible for all users.
Community Support: Currently, there are 80+ weekly users. Thank you for the support and feedback given by you all.

Installation Guide

Step 1: Download and Install from the Extension Store

Go to the Extension Store: Chrome Store or EDGE Store (version 1.3 will be released very soon)
Search for Dark CPI.
Click on "Add to Browser".

Step 2: Enable the Extension

After installation, click on the Dark CPI icon in your browser toolbar.

Alternative Installation from GitHub

Visit the Dark CPI GitHub Repository
Download the latest release.
Unzip the downloaded file.
Open your browser and navigate to the extensions page (e.g., `chrome://extensions/`).
Enable Developer Mode.
Click on "Load unpacked" and select the unzipped folder.

How to Use Dark CPI

Popup on click appears as below under these conditions:

If you click on Extension Icon which is besides URL if extension is pinned, or you can pin it by clicking on extension manager of browser.
If active tab is not supported,
It supported then you can see the name of application and current theme.
Launchpad supports theme are displayed in below buttons.

The options available are:

Default Theme: Provided by SAP.
Dark UI: Corresponding dark UI to the default theme.
Old UI: Rollback option (only visual, no functionality change).

Applying Themes

1. SAP CPI (from v1.0):

Open the SAP CPI application.
Choose your desired theme from the extension popup.
This will enhance the SAP UI with the selected dark theme.

Before Theme:

After Applying Theme:

Design page of evening Horizon theme

Rollback Theme (Old):

By default, the right-side navigation (home, monitor design, etc.) is open. Dark CPI will close it by default to avoid clutter.

Navigation Open:

Navigation Closed:

2. SAP Build Work Zone (from v1.3):

Launch the SAP Build Work Zone application.
Select your preferred theme from the extension popup.

It has user settings to switch theme. Keep same theme in extension popup.

As you can see below, SAP does not support dark theme properly. This will enhance its UI.

Before Applying Theme:

After Applying Theme:

3. Theme Designer (from v1.3):

- Open the Theme Designer.

- Choose your desired theme from the extension popup.

Before Applying Theme:

After Applying Theme:

Privacy and Transparency

The extension does not collect any personal data or tenant information, ensuring user privacy. Being open-source, users are encouraged to review the source code and monitor network activity for complete transparency.

Troubleshooting Tips

Theme Not Applying: Ensure the extension is enabled and you have selected the theme from the extension popup.

Visual Bugs: Report any issues on the GitHub repository for prompt assistance.

Conclusion

Dark CPI is your go-to extension for enhancing and customizing the look and feel of your SAP applications. With its comprehensive features, it caters to all your needs from theme customization to fixing SAP UI issues automatically. Install Dark CPI today and transform your user experience.

For more detailed information, visit the Dark CPI GitHub Repository.

SAP Cloud Integration Manage Artifacts Of Design Time

2024-06-19T03:51:11.200000+02:00

Introduction :

In cloud integration, the processes of creating, deleting, or modifying a flow are done manually by entering the package. I will show how to perform these processes through the CPI link. The aim of this blog is to highlight the flexible structure of CPI.

Required:

SAP BTP and Integration Suite

Cloud Integration Steps:

To demonstrate how all the processes work, I have covered them all in a single flow. This includes flow deletion, updating, creation, and the information we can retrieve related to the flow.

For a more straightforward architecture, I utilized process calls. Based on the type of request, process calls will be executed via the router.

The API we will use: https://{Account Short Name}-tmn.{SSL Host}.{region}.hana.ondemand.com/api/v1/IntegrationDesigntimeArtifacts

1- The overall view of the flow:

Local Process 1 : POST

Local Process 2 : PUT

Local Process 3: GET

Local Process 4: DELETE

The reason we separate with the router is that some processes require mapping, while others do not.

2-CM_Headers&Properties:

Our service works with a CSRF token, so we need to obtain the token first. In the initial content modifier, we store the request headers of the service.

Headers:

Properties:

We are storing parameters like Name, Id, PackageId, and Version in properties because we will use them in our services.

3-HTTP Fetch Token:

A defined user must access CPI as an authorized user. After defining security materials, credentials are provided in the flow.

4-CM_SetHeaders:

The service's response headers:

Content-type:application/atom+xml;type=entry;charset=utf-8

fetch-cookie :${header.set-cookie}

cookie : ${header.fetch-cookie.replace("[","").replace("]","").replace("; path=/; secure; HttpOnly","").replace("path=/, ","")}

I defined "fetch cookie" to avoid getting a forbidden error due to cookies in the service.

5-Router:

6- First Method : POST

Since our goal is to create a flow using the POST method, here is the body we will send:

{
"Name": "string",
"Id": "string",
"PackageId": "Id of Package"
}

Message Mapping:

We stored the sent fields in properties in the content modifier. In the mapping, we will retrieve them from the properties.

OData V2- Connection and Processing:

Content Modifier :

Let's try it now in Postman.

Authorization:

CPI Technical User

Body:

<Root>

<Id>TestFlow</Id>

<Name>TestFlow</Name>

<PackageId>Testing</PackageId>

</Root>

GET METHOD:

We will obtain information about these artifacts by providing the Id and Version details from within the package.

/api/v1/IntegrationDesigntimeArtifacts(Id='${property.Id}',Version='${property.Version}')

Content Modifier:

Postman :

<Root>

<Id>TestFlow</Id>

</Root>

PUT METHOD:

Postman:

Body:

<Root>

<Name>ChangingNameTestFlow</Name>

<Id>TestFlow</Id>

</Root>

DELETE METHOD:

/api/v1/IntegrationDesigntimeArtifacts(Id='${property.Id}',Version='${property.Version}')

Content Modifier:

Postman:

Body:

<Root>

<Id>TestFlow</Id>

</Root>

Additional : A Groovy script exists within the subprocess to catch exceptions.I have embedded it into all local processes.Sometimes, error details don't propagate to the exception subprocess in the main flow, so you can embed them into local processes.

References:

https://help.sap.com/docs/cloud-integration/sap-cloud-integration/integration-content?locale=en-US

https://help.sap.com/docs/cloud-integration/sap-cloud-integration/handle-exceptions?locale=en-US&q=exception%20handling

How to create API to upload file to Azure Blob by Integration Suite

2024-06-20T15:51:10.318000+02:00

In this blog, I'll introduce how to consume Azure Blob API via SAP Integration Suite.

This picture is what I explain in this blog.

Prerequisite

You have Azure account
You have created Blob storage account
You have BTP Trial Account
Subscribe Integration Suite

Regarding 3 & 4, you can refer this tutorial, Connectivity to Non-SAP Applications using SAP Integration Suite .

API Details

Before send HTTP request, in general we have to confirm the information of HTTP method(Get/Post/Put, etc) and query parameters.

But on this page, we cannot find them.

So this time, I refer to API Docs of Open connecter, which I'm not sure that it matches with Azure Adapter.

Integration Suite > Capability > Extend Non-SAP Connectivity > Connector > Azure Blob

See API Docs > files Create a file.

We can now confirm we need following parameters.

Parameter Name
Authorization	header
containerName	query
path	query
file	body

Create Security material

There're several ways to authorize Azure resources.

For more information, please refer to the following link.

Authorize requests to Azure Storage

In this article, I explain the way to use "Shared Key".

But please note that Shared key authorization is not recommended.

Put Block List

Go to Monitor > Integrations and APIs > Manage Security > Security material.

Create secure parameter as instructed in this SAP note (3331283).

Activate Azure Adapter for SAP Integration Suite

Regarding the connection between Azure Blob Storage and SAP Integration Suite, we can use predefined package.

In this article, I use the following adapter.

SAP Accelerator Hub > Azure Storage Adapter

In this article, I'll use "Azure Blob Storage, Upload Block Blob into the Container"

Integration Suite Home Screen > Discover Integrations > Search "Azure Adapter for SAP Integration Suite"

Press "Copy"

You can confirm the adapter was activated in Design > Integration and APIs

Create Integration Flow

Choose Design > Integrations and APIs > Create to create an integration package.

Choose the Artifacts tab. Here you will create your first integration flow. Choose Add > Integration Flow.

Choose Edit to start editing the integration flow.

Runtime Configuration

First, you have to set up query parameters that you send from API client.

Integration Flow > Runtime Configuration.

Allow query parameters that the API requires.

HTTPS

Connect "Sender" and "Start" by HTTPS as follows.

Addess	You can set API path as you like.
CSRF Protected	off

Azure Storage

Connect end and Receiver by "Azure Storage Adapter" as follows.

On Connection Tab, Select shared key that you created previous step.

On Processing Tab, set parameter's as follows.

Parameter	Value
Operation	Upload Block Blob
Storage Account Name	Your Azure Blob storage account.
Container Name	${header.containername}
Blob Path	${header.path}

Deploy

The entire process is as follows.

If everything is OK, press "deploy"

Confirm that the endpoint URL is generated by following path, Monitor > Integration and API's > Manage Integration Content.

Test by Postman

Open your Postman application.

Paste the copied endpoint in the request URL field and choose POST as the method.

Go to your SAP BTP subaccount. Copy the clientid and clientsecret from your service key.

For Authorization, choose Basic Auth. Paste the clientid and clientsecret as the username and password.

For Params, you can enter query parameters, "containerName" and "path" as follows.

For Body, upload a file from your local.

Click "Send" and confirm status code 200 is returned.

You can confirm the file is transferred to Azure Storage Container.

Reference

CPI: use Query parameters in external API call

Open Connectors - Query Parameters....using HTTP connectors

Steps to access Azure Blob Storage via REST API from SAP CPI using Azure Storage Adapter and SAP PO/PI using http adapter

Connectivity to Non-SAP Applications using SAP Integration Suite

Cloud Integration with SAP Integration Suite - The Comprehensive Guide: New Book Edition Released

2024-06-28T10:24:19.401000+02:00

Many have eagerly awaited a new edition of the popular SAP Cloud Integration book by Rheinwerk Publishing. As the world keeps turning and the development teams at SAP never rest, the SAP Integration Suite has established itself as a comprehensive integration solution and has evolved significantly, with Cloud Integration as its centerpiece and key capability.

And indeed, there is now a new edition of the book, titled "Cloud Integration with SAP Integration Suite - The Comprehensive Guide”.

Spanning 900 pages, this book provides a comprehensive description of all the capabilities of SAP Integration Suite, as expected from previous editions. It includes a wealth of tutorials and example scenarios that readers can model and execute independently and from scratch.

Whether you are an integration expert or aspire to become one, this book, written by Swati Singh, John Mutumba Bilay, and Shashank Singh (all from Rojo Consultancy B.V.), with a foreword by Andreas Quenstedt, chief product owner of SAP Integration Suite, is exactly what you need.

Designed to be a valuable resource for both beginners and experts in the field, the book gradually introduces concepts and tools starting from Chapter 2. It provides a step-by-step guide to designing and executing the first, simplest integration flow. Additional features and complexity are then added in the following chapters.

In addition, the book offers a variety of challenging use cases and tutorials that will engage and pique the curiosity of experts.

Compared to the third edition, the new edition includes the following new or significantly expanded topics:

The topic of event-driven integration has been added, demonstrating how to set up SAP Integration Suite's Advanced Event Mesh as an event hub
Connecting to an AS2 server with the AS2 adapter.
Working with script collections.
Advanced mapping techniques.
Extension of the monitoring feature, including external logging and integration with Splunk.
The chapter on connecting to external third-party systems using Open Connectors has been extended. It includes example scenarios showing integration with Salesforce and Amazon Web Services.
Migration scenarios, such as from Neo to Cloud Foundry and from SAP PO to Cloud Integration.
Joint usage of Cloud Integration together with the API Management capability.
Lastly, one major milestone of SAP Integration Suite is covered in a separate chapter: Edge Integration Cell.

We wish you an enjoyable reading experience and success in your integration projects!"

New Partner Content on SAP Business Accelerator Hub (Q2 ’24)

2024-07-03T13:03:58.290000+02:00

As a continuation of the previous blog, we would like to provide further updates and keep up the momentum of sharing relevant information with our community.

In this blog series, learn about the new content packages published on SAP Business Accelerator Hub from our partners during Q2 '2024, along with their high-level details.

For complete details on each partner's content, refer to the partners listing which is available on the home page of SAP Business Accelerator Hub.

_____________________________________________________________________________________

Kaar Technologies

Integration package published:

KTern.AI Digital Maps Integration with SAP ECC and SAP S/4HANA

This package contains reference information about KTern.AI Digital Maps integration with SAP ECC, SAP S/4HANA, SAP Business Suite to assess and plan SAP led Digital Transformations. KTern.AI is an SAP recognized Spotlight App on SAP Store and Industry Cloud solution to help enterprises globally with data-driven automation and Generative AI led business transformation

SAP-validated partner use case (VPUC) published:

KTern.AI for RISE with SAP DXaaS

Pioneer AI-First Transformations with Clean Core Strategy using KTern.AI driven ‘Digital Transformation as a Service’ (DXaaS) delivery automation for RISE with SAP.

----------------------------------------------------------------------------------------------------------------------------------------------

PiLog India Pvt Ltd

API package published:

PiLog Preferred Records

The integration of PiLog Preferred Records (PPR) with SAP S/4HANA Cloud brings Standardized Material and Service Master Records into your organization. PiLog Preferred Record Structured material description contains the Genuine Manufacturer, Genuine Part Number/Model Number and Standardized characteristic values.

----------------------------------------------------------------------------------------------------------------------------------------------

Coveo Solutions Inc

API package published:

Coveo Commerce

Coveo for Commerce drives incremental revenue for B2B and B2C organizations through AI-powered product discovery. With extensible APIs for your SAP Commerce Cloud storefront you can create relevant search, optimized product listing pages and personalized product recommendations.

Coveo Search Token

Coveo offers personalized search and recommendations across product and content, customer specific price lists, relevance generative answering, and more. The Coveo Search Token Omni Commerce Connect (OCC) Web Service powers your storefront with a secure and efficient way to access the Coveo Commerce and Search APIs. This endpoint integrates with SAP Commerce Cloud by allowing it to retrieve the Coveo search token for authentication and make it available to storefronts.

----------------------------------------------------------------------------------------------------------------------------------------------

Qintesi S.p.A

API package published:

Namirial eSignAnyWhere

Discover smoother operations and enhanced security with our signature integration for SAP! Our solution makes signing documents easy and stylish. Simplify your work and increase productivity while ensuring your signatures are secure and legally valid. Immerse yourself in a world of efficiency and accuracy with our SAP signature integration.

----------------------------------------------------------------------------------------------------------------------------------------------

Crave InfoTech

SAP-validated partner use case (VPUC) published:

Account Payable Automation – Gate to Pay

Customer's Account Payable (AP) processes faced challenges in terms of data inflow points, manual handling of thousands of invoices daily, delays in the Material Invoice Receipt Order (MIRO) parking, and the need for a streamlined approach to invoice data publishing for settlements.

-----------------------------------------------------------------------------------------------------------------------------------------------

TARENTO

SAP-validated partner use case (VPUC) published:

iVolve - A Tarento Framework to Empower Transformation

Strategy, selection, migration & consolidation of Enterprise Integration Platform as a Service (EiPaaS).

iVolve’s Integration Platform Recommendation Tool - Gain rapid insight into potential marketplace integration platforms that solves your as-is/to-be integration vision, styles & use cases.
iVolve’s Vector Sprint - A fixed priced, time bound discovery sprint evaluating a target platform against integration vision, use cases, styles, patterns, domains & modernization demands. Detailed outcome driven workshops drive insight & artifacts for implementation.
iVolve Migration Automation Framework - Automated & Accelerated integration re-platforming to the cloud. Leverage accelerators & assets on the framework to engage your transformation with guidance & delivery from our integration competence center.

-----------------------------------------------------------------------------------------------------------------------------------------------

Wipro Limited

SAP-validated partner use case (VPUC) published:

Smart Energy Procurement Advisor

Natural Language Query (NLQ) enabled assist platform for Energy Procurement executive, bound by standard procurement policy guidelines. Utilizes Retrieval Augmented Generation (RAG) model abstracted via Langchain framework, powered by AOAI (GPT Turbo 3.5 / text-ada-002 models via Gen AI hub). Employs multi-dimensional spatial distance ranking to present historical top results. Simulate custom scenarios, override base policies, and trigger workflows for stakeholder approvals. Full track and trace features. Dashboard to manage events and maintain closure details and future adoption to Joule.

-----------------------------------------------------------------------------------------------------------------------------------------------

KPMG S.p.A

SAP-validated partner use cases (VPUC) published:

Innovative Real-Time Forecasting Process

This project harnesses the real-time computing capabilities of SAP HANA Cloud to seamlessly integrate and standardize data from diverse sources, including both cloud and non-cloud systems, as well as SAP and non-SAP environments. Leveraging SAP Analytics Cloud, an integrated model has been created to facilitate financial and managerial planning. Through automated processes called data actions, essential calculations are performed efficiently. The final step involves presenting the processed data on tailor-made dashboards, providing a comprehensive and insightful view for informed decision-making.

Intelligent Forecasting with SAP AI Core

This project seeks to implement artificial intelligence logic into the planning process, aiming to generate practical solutions. Upon receiving real-time and historical data inputs, the applied AI techniques will compute forecasting and budgetary information. The culminating data will then be seamlessly incorporated into SAP Analytics Cloud for visualization and potential adjustments.

Manage Corporate Income Taxes

The use case encompasses the evaluation of Corporate Income Taxes, including IRES and IRAP for Italian markets, and others based on individual country requirements, along with Deferred Tax Assets and Deferred Tax Liabilities in alignment with local and IFRS Gaap. The system utilizes SAP Analytics Cloud capabilities to automatically gather data from source systems, including GL, HR, and assets, with the option to upload necessary data through an Excel file. Employing a pre-designed form, the tax department can manually adjust data at various stages of the process, ensuring complete and accurate traceability during data collection and after variation impact calculation. Automatic rules facilitate the association of GL Accounts with Tax Variations and the assessment of their impact on corporate income tax. Additionally, dashboards are provided for the analysis of Tax Data and reconciliation of Tax Rates.

Manage Strategic Planning

Helps the end customer to fully manage both the strategic planning and process consolidation, ensuring maximum transparency and continuous monitoring of the entire process progress.

KSelf - SuccessFactors Self Service Dashboard By KPMG

The main objective of the custom solution is to make employees completely autonomous in modifying their data through a secure tool that applies all the necessary checks before saving the data in the Employee Central module.

Manage Regional Ceilings for Training Dashboard

Helps in effective management of item/class for all areas, Automated centralized management of seats to be assigned to each area, Integration with Learning Management System and SAP SuccessFactors for integrated reporting.

-----------------------------------------------------------------------------------------------------------------------------------------------

Twenty5 LLC

Integration package published:

Twenty5 Integration with SAP S/4HANA Cloud

This integration package contains standard integration flows to synchronize the commercial project between Twenty5 and SAP S/4HANA Cloud by leveraging the ODATA services provided by SAP S/4HANA Cloud.

-----------------------------------------------------------------------------------------------------------------------------------------------

RealCore Group GmbH

Integration package published:

SAP LeanIX Integration with SAP Cloud Integration

This integration package enables data synchronization between SAP Cloud Integration Content and SAP LeanIX factsheets by reading specific SAP Cloud Integration objects and transferring them to SAP LeanIX application.

SAP LeanIX Integration with SAP Process Orchestration

This integration package enables data synchronization between SAP Process Orchestration Content and SAP LeanIX factsheets by reading specific SAP Process Orchestration objects and transferring them to SAP LeanIX application.

-----------------------------------------------------------------------------------------------------------------------------------------------

If you are interested in Partnering with SAP Business Accelerator Hub, please refer to this section and discover center mission for more details.

Stay tuned for further updates and information by the end of the next quarter!

Create DataType and Message Type artifact in Cloud Integration capability of SAP Integration Suite

2024-07-10T10:43:24.414000+02:00

Introduction

SAP Cloud Integration version 6.54.xx comes with new feature, where in one can create Datatype and Messagetype as reusable design time artifacts in Cloud Integration capability of SAP Integration Suite

This feature is available only in SAP Integration Suite standard and above service plans.

SAP Cloud Integration version 6.54.xx software update is planned on mid of July 2024 (date and time subjected to change).

Create DataType :

1. Open the Integration Suite Tenant and navigate to Design -->Integrations and API's

2. Create an Integration Package or open an existing one.

3. Navigate to the Artifacts tab and click on Edit in the top right corner

4. Click on Add drop down and select Data Type from the list

5. Add Data Type dialog is displayed with Create (radio button) selected by default.

6. Enter the values for the fields Name, ID,Target Namespace, Description ,select the category - Simple Type(selected by default) or Complex Type for the Datatype you want to create and click on Add or Add and Open in Editor

7. On Click of Add, the Data Type artifact with the provided name gets created and is listed in the Artifacts list page

8. On Click of Add and Open in Editor, the Data Type artifact gets created with the provided name and the artifact gets opened in the Editor in display mode.

9. The Editor contains three tabs : Overview,Structure and XSD.The Structure is shown by default when the artifact is opened. It displays the structure of the datatype in a tree table with the following columns :

Name : Contains the Name of the node(element or attribute).For Root node the name is same as the name of the Datatype and it cannot be edited.
Category : This column shows whether the root element has subnodes or not . For root node it is either Simple type or Complex Type and for submodes it can be either Element or Attribute. You cannot change values in this column.
Type: This column displays the type with which the node is defined.Here you select a built-in data type or reference to an existing data type for an element or attribute. You must specify a type for attributes.
Occurrence: Determines how often elements occur.For attributes, you can determine whether the attribute is optional or required.
Restrictions : This column displays the facets (if any) defined incase the node is defined by a built-in primitive type or a user defined Simple type Datatype

9. Switch to edit mode and to define/build the Structure of the Datatype. On selecting the first row(rootnode),the Add drop down in the table header gets enabled and also the details of the row are displayed in the right side section of the editor.

10. Simple Type Data Type :

No child nodes can be added
Root node is defined by string built-in primitive datatype.
Click on the root node and the Properties sheet which contains the details of the node selected is displayed on the right side of the editor. In Edit mode ,user can edit the Type ,define the restrictions applicable for the Type selected.

11.Complex Type Data Type :

To add child nodes:

Click on the root node and the Add drop down in the table header gets enabled.

Add -->Element to add child element node

Add -->Attribute to add attribute node

Add -->Rows to add multiple Elements/Attributes

Click on the newly added node and define the details in the Properties sheet

12. Once the Structure is defined,Click on Save to save the artifact as Draft, Save as Version to save the artifact as versioned artifact.

13. XSD tab displays the read only view of the xsd schema of the Datatype artifact

Create MessageType:

1. Open the Integration Suite Tenant and navigate to Design -->Integrations and API's

2. Create an Integration Package or open an existing one.

3. Navigate to the Artifacts tab and click on Edit in the top right corner

4. Click on Add drop down and select Message Type from the list

5. Add Message Type dialog is opened

6.Enter the values for the fields Name, ID, XMLNamespace, Datatype to be Used, Description, and click on Add or Add and Open in Editor

7. On Click of Add, Message Type artifact gets created and is listed in the Artifacts list page

8.On Click of Add and Open in Editor, MessageType artifact gets created and the artifact gets opened in the DataType Editor with Structure tab loaded by default in non-edit mode . The rootnode Name would be same as the Message Type name ,Category as Element and Type as Data Type Used (if selected in the Add Message Type dialog)

9. Overview tab in Edit mode is as shown below :

10 XSD tab :

11. Datatype Used to create a Message type can be changed in Overview tab or in Structure tab. Switch to edit mode and select the root node in the Structure tab.The properties sheet gets displayed on the right side of the page with Datatype Used field as editable.

12. No other nodes(child nodes) are editable in the Message Type artifact.

Latest Pipeline Concept enhancements: Custom error handling and others

2024-07-11T10:14:27.850000+02:00

We have lately shipped a new version of the Pipeline Concept package on the SAP Business Accelerator Hub based on customer and partner feedback, this is now version 1.0.5. The package can be accessed from here. If you have already copied the package to your workspace in your SAP Integration Suite tenant, you can simply run the update of the package to be able to use the latest features.

As part of the package, we have now added a change list which allows you to see all increments that we have shipped so far. In the latest version, we have delivered the following:

Extension for custom error handling
In generic IDoc inbound processing flow, display list of IDoc numbers in case of IDoc bulk messages
For IDoc inbound, sender interface is calculated as a combination of MESTYP, IDOCTYP and CIMTYP
Supporting test mode via testMode header in the allowed headers configuration
In standard error handling, copied messages from the dead letter queue are switched to DEBUG log level

The custom error handling extension is a sort of customer exit which allows you to implement your own error handling in a separate integration flow which is then called via ProcessDirect instead of the standard error handling if the standard error handling doesn't meet your requirements. This way you can customize the pipeline processing without changing the generic integration flows that we ship as part of the pipeline concept. For more details, see Monitoring and Error Handling in the Pipeline Concept.

For improved monitoring of IDoc bulk messages, all IDoc numbers are stored in a custom header property. This allows you to search the message processing logs in the message monitoring based on a particular IDoc number. Furthermore we have revised the sender interface for IDoc messages. Before it contained the message type only, now it's a combination of the message type, the IDoc type and a potential IDoc extension which brings you more flexibility in setting up your IDoc scenarios. See Special Cases.

If you like to run your integration scenarios using a regression test tool, you may benefit from the test mode flag. This is simply a header which is passed through the whole sequence of pipelines. Depending of your test case setup you may then pass the test message to a virtualized or mocked receiver instead of to the actual receiver. By the way, our partners providing regression test tools already support the pipeline concept in their tools. See Testing the Pipeline.

We are currently working on the next increment. For the test flag for instance we plan to extend the generic flows so that test messages which go into an error won't be restarted. Furthermore, we plan to extend the partner directory approach that is used to dynamically configure the runtime behavior. In some cases, the partner ID which is limited to 60 chars might not be sufficient, so we need to react on this. Furthermore, we like to provide you the option to use alternative partners which provides you more flexibility in setting up your integration scenarios, e.g., with this, sender wildcard scenarios can be easily setup.

So, stay tuned. And if you have further ideas, requirements, feedback feel free to reach out to me or simply leave a comment.

NetSuite Adapter for SAP Integration Suite

2024-07-12T15:37:03.059000+02:00

SAP announced the NetSuite adapter for Integration Suite this month. For those customers using NetSuite ERP, the NetSuite adapter for SAP Integration Suite is the ideal solution to enable fast and robust integrations of NetSuite in your business processes.

You can now seamlessly integrate data from diverse sources into the NetSuite ERP platform and elevate your organization’s efficiency by reducing efforts to create a listed set of integration workflows with the NetSuite adapter.

What is NetSuite?

NetSuite is an ERP system; with multi-suite features, it's an extensive business management platform designed to handle critical functions like sales, marketing, finance, accounting, inventory management, procurement, and more.

NetSuite’s centralized data accessibility ensures seamless operations across different functions and locations. It provides invaluable operational insights, reporting, and analytics, enhancing financial visibility and decision-making.

What is the NetSuite Adapter?

With the NetSuite adapter, you have the capability to establish a connection with the NetSuite application and execute a variety of operations with different features.

Key Features

Support for multiple API versions: NetSuite supports multiple API versions with an editable API version field enabling users to input the latest supported version.
Secure authentication based on Tokens: The NetSuite adapter supports the Token-Based Authentication (TBA) mechanism which increases overall system security. Every call between NetSuite and SAP Cloud Integration is secured by Tokens.
Support for multiple NetSuite operations: The NetSuite adapter supports various operations like Add, Get, Delete, Async Add List, etc.
Dynamic configuration with headers and properties: Assigning dynamic values to different properties allows enhanced flexibility to your integration flows. You can also refer to dynamic parameters using SAP Cloud Integration exchange headers and properties.
Processing more than one record at a time: Some operations can be performed on one or more new instances of a record in NetSuite. As an example, the addlist operation can be used to add one or more new instances of a record to NetSuite.
Processing more than one record of data asynchronously: Some operations can be performed on one or more new instances of a record in NetSuite in an asynchronous manner. In general, for asynchronous operations, bulk records are sent to NetSuite without the need to wait for a response.
XSD Generator: To help speed up the integration, an XSD generator in the form of an Eclipse Plug-in is provided alongside the adapter. With this Eclipse Plug-in/Workbench, it is possible to generate an XSD which includes the structure of an Account Record. The generated XSD can then be imported into Cloud Integration and used for mapping purposes.
Full integration support for Custom Records and Fields: In addition to supporting all the standard NetSuite Records (or entities), the Adapter integrates with all the Custom Objects in NetSuite.

How does the adapter work?

NetSuite Adapter allows you to perform various functions related to finance, accounting, inventory management, etc. Let’s look at a simple operation get an employee in NetSuite using the NetSuite Adapter for SAP Integration Suite.

Get an Employee in NetSuite

Before we begin, it is assumed that employee type records are available in NetSuite for querying. Our example illustrates how the NetSuite Adapter allows querying to get an employee. The process begins with a client initiating an HTTPS request to an endpoint for retrieving employee information from NetSuite.

Connect to NetSuite

Field	Description
Address	Specify the address of NetSuite to be used for the connection. This address typically includes your NetSuite Account ID. NetSuite URLs often follow the pattern: https://<accountid>.suitetalk.api.netsuite.com. Example: https://12345-sb1.suitetalk.api.netsuite.com
Account ID	Specify the Account ID to be used for the connection. To find the account ID in NetSuite, you can usually locate it in the account's URL when logged in. Additionally, it might be available in the NetSuite account settings or administration section. Example: 1112711_SB1
Authentication	Select your Authentication Mechanism. Currently, only the Token-Based Authentication (TBA) is supported.
Consumer Credentials Alias	This field should refer to a security material (of type User Credentials). This User Credential should include both Consumer Key (as username) and Consumer Secret (as password).
Token Credentials Alias	This field should refer to a security material (of type User Credentials). This User Credential should include both Token ID (as username) and Token Secret (as password).
Timeout (in ms)	Specify the maximum waiting time (in milliseconds) while establishing a connection with NetSuite. The default Timeout is 60000 ms.

Prepare Request Body and Mapping

You can use a content modifier to ensure that the request payload includes all the necessary parameters NetSuite requires for querying employee data.

The message body should include the internal ID/external ID of the employee.
Note: For more information about internal ID/external ID, see NetSuite documentation.

Alternatively, you can enable Create Request From Properties and specify the ID type and
ID Value in the fields.

Next, we use a mapping to ensure that the request contains all necessary parameters and is correctly structured for querying employee data. To help speed up the integration, an XSD generator in the form of an Eclipse Plug-in is available alongside the adapter.

Our NetSuite Eclipse Plug-in allows you to generate desired XSD and import it in an Integration Flow and use it in mappings. You can add it before the Request-Reply Step. This way, you can create the correct XML request message to create or modify a resource in NetSuite.

Furthermore, the Eclipse Plug-in XSD Generator helps you generate up-to-date XSDs for your NetSuite resources for all the different operations. Once the message mapping is complete, the transformed request is sent to NetSuite.

Execute Get using the NetSuite Adapter

To retrieve details related to an employee, you need to specify the API version and operation as get. This selection allows you to access the specific record type employee, enabling you to fetch comprehensive information associated with that employee.

The response from NetSuite further undergoes message mapping again to ensure it is transformed into a format that the client system understands and can process. You can also use XSDs generated by the NetSuite Eclipse Plug-in to create a mapping to handle the response message returned by NetSuite.

The client system receives and interprets this response, extracting and utilizing the retrieved employee information as needed.

Quick Links

For detailed information about NetSuite adapter configuration, see NetSuite Adapter Guide.

Note: The NetSuite adapter is available as part of your SAP Integration Suite license.

Avoiding Multiple Destination Creation for Integration Between SAP ERP and SAP Integration Suite

2024-07-12T15:37:23.892000+02:00

When integrating SAP ERP (ECC, S/4 HANA) with SAP Integration Suite, it’s common to create separate destinations for each iFlow. This can lead to an excessive number of destinations, which can be cumbersome to manage. Here are two methods to streamline this process and avoid creating multiple destinations:

Method 1: Certificate-Based Authentication and create_by_url Class

One effective way to reduce the number of destinations is to establish certificate-based authentication between SAP ERP and SAP Integration Suite. This method allows you to securely authenticate and communicate without needing a separate destination for each iFlow.

Setup Certificate-Based Authentication: Ensure that both SAP ERP and SAP Integration Suite trust each other’s certificates.
Use the create_by_url Class: This ABAP class can dynamically create HTTP connections using URLs, thus avoiding the need for predefined destinations.

Sample code :

DATA: lo_http_client TYPE REF TO if_http_client.
cl_http_client=>create_by_url( EXPORTING  url                = 'Pass URL Here'
                                          ssl_id             = 'Pass SSL Id'
                               IMPORTING  client             = lo_http_client
                               EXCEPTIONS argument_not_found = 1
                                          plugin_not_active  = 2
                                          internal_error     = 3
                                          OTHERS             = 4 ).
* Check for exceptions
IF sy-subrc <> 0.

ENDIF.
* Disable logon popup
lo_http_client->propertytype_logon_popup = lo_http_client->co_disabled.

* Set the HTTP method to POST
lo_http_client->request->set_method( 'POST' ).

* Send the HTTP request
lo_http_client->send(
    EXCEPTIONS
        http_communication_failure = 1
        http_invalid_state         = 2
        http_processing_failed     = 3
        http_invalid_timeout       = 4
        OTHERS                     = 5 ).

* Check for exceptions
IF sy-subrc = 0.
    * Receive the HTTP response
    lo_http_client->receive(
        EXCEPTIONS
            http_communication_failure = 1
            http_invalid_state         = 2
            http_processing_failed     = 3
            OTHERS                     = 5 ).
ENDIF.

Method 2: Create RFC Destination with Blank Path Prefix and Use create_by_destination Class

Another approach is to create a general RFC destination in transaction SM59 with only the host specified and leaving the path prefix blank. You can then dynamically set the specific path for each request using the header field ~request_uri.

RFC Destination :
RFC Destination

Sample code :

DATA: lo_http_client TYPE REF TO if_http_client.

* Create HTTP client using the destination name
cl_http_client=>create_by_destination(
    EXPORTING
        destination              = 'DestinationName'
    IMPORTING
        client                   = lo_http_client
    EXCEPTIONS
        argument_not_found       = 1
        destination_not_found    = 2
        destination_no_authority = 3
        plugin_not_active        = 4
        internal_error           = 5
        OTHERS                   = 6 ).

* Check for exceptions
IF sy-subrc <> 0.

ENDIF.

* Disable logon popup
lo_http_client->propertytype_logon_popup = lo_http_client->co_disabled.

* Set the HTTP method to POST
lo_http_client->request->set_method( 'POST' ).

* Set the specific path for the request
lo_http_client->request->set_header_field(
    name  = '~request_uri'
    value = 'PassYourPath' ).

* Send the HTTP request
lo_http_client->send(
    EXCEPTIONS
        http_communication_failure = 1
        http_invalid_state         = 2
        http_processing_failed     = 3
        http_invalid_timeout       = 4
        OTHERS                     = 5 ).

* Check for exceptions
IF sy-subrc = 0.
    * Receive the HTTP response
    lo_http_client->receive(
        EXCEPTIONS
            http_communication_failure = 1
            http_invalid_state         = 2
            http_processing_failed     = 3
            OTHERS                     = 5 ).
ENDIF.

By implementing these methods, you can significantly reduce the number of destinations required for integration between SAP ERP and SAP Integration Suite, making the process more efficient and easier to manage.

Integration of SAP Task Center, Azure and ServiceNow - SSO, User Provisioning and Token exchange

2024-07-19T16:10:57.124000+02:00

During the configuration of Task Connect, an integration between ServiceNow and SAP Task center, we devoted significant effort to addressing security concerns, particularly focusing on user authentication and user provisioning. Given the widespread use of Azure as an identity and token provider, we developed a method to synchronize users and groups across ServiceNow, SAP Task Center, and Azure.

In this document, you will find the scenario overview, related architectural diagrams presenting the different components and how they interact with each other and what are the steps to follow to configure the connection between ServiceNow, SAP Task Center and Azure.

1. Scenario overview

The starting point in this scenario is the user's authentication and access token issued by the SAP Cloud Identity tenant's authentication service (IAS), indicated as AT (IAS) APP in returned by step 2 in figure 1 below and following the notation <token type> (<issuer>) <audience>. The complete token exchange is orchestrated by the OAuth 2.0 and OpenID Connect (OIDC) authorization and authentication frameworks and their respective token types, which are access tokens (AT), refresh tokens (RT), and identity tokens (ID). Thus, AT (IAS) IAS is an access token, issued by the IAS tenant's OAuth 2.0 authorization server, with an audience set to the IAS tenant's client ID. All tokens except for refresh tokens are formatted as JWTs. Compared to the token exchange in the previous parts of this blog series (see part I, Interoperability and standards, for more details), SAML 2.0 - or more precisely the SAML assertion as an OAuth 2.0 authorization grant defined in section 2.1 of RFC 7522 - is no longer used in this scenario. Instead of transforming between different token formats (JWT to SAML and back to JWT), this scenario only uses JWTs for the token exchange. It is important to note that for this token exchange no direct trust relationship between the application on BTP and Azure AD is required. The application only has a trust relationship to the IAS tenant, and the IAS tenant maintains the trust relationship to the Azure AD tenant (and vice versa).

All authentication requests for the business application on BTP (SAP TASK CENTER) are forwarded by the IAS tenant to the Azure AD tenant which is configured as a corporate identity provider (IdP) in IAS. IAS acts as a proxy and delegates authentication to Azure AD in the role of the relying party to the corporate identity provider. The IAS tenant therefore requires an application registration in Azure AD.

Note: For the TaskConnect integration configuration to work, the SAP Task Center should be configured according to the following documentation: https://help.sap.com/docs/task-center/sap-task-center/initial-setup

2. Users authentication and token exchange

The user accesses the BTP business application's SAP Task Center. The app delegates authentication to the IAS tenant using OIDC. It starts the authentication process by redirecting the user' browser to the IAS tenant's OAuth server authorization endpoint at https://<IAS tenant name>.accounts.ondemand.com/oauth2/authorize and sending an OAuth authorization request.
Because the user is not yet authenticated at the IAS tenant, the user's browser is redirected to the IAS tenant's single sign-on (SSO) endpoint at https://<IAS tenant name>.accounts.ondemand.com/saml2/idp/sso.
The business application is configured in IAS to pass all authentication requests to Azure AD as its corporate IdP. Therefore, IAS sends an OAuth authorization request to the Azure AD tenant's OAuth authorization endpoint.
The user gets prompted by Azure AD to enter the credentials. Upon successful authentication, Azure AD sends the authorization code to IAS by redirecting the user's web browser to the URI specified in the previous request.
IAS receives the authorization code and sends an access token request to Azure AD's token. Azure AD issues an access token and refresh token (RT(AAD)IAS which is cached for later use in step for the authenticated user with an audience set to the IAS tenant's OIDC name.
The BTP business application requests a client assertion from the IAS tenant to use it in the subsequent requests for the token exchange via the IAS tenant's OIDC proxy. The client application sends a token request to the IAS tenant's token endpoint. The POST request is authenticated with the client ID and secret of the business application in IAS. The client assertion from IAS takes the form of a signed JWT that proofs the application's identity to AAD when requesting tokens via the IAS corporate IdP OIDC proxy.
The business application exchanges the IAS-issued ID token into an Azure AD-issued access token via the IAS tenant's OIDC proxy token exchange endpoint. The POST request uses the assertion parameter to pass the base64-encoded IAS ID token of the user.
IAS token service sends a refresh token request using RT(AAD)IAS cached in step 5 to obtain a new access token AT(AAD)APP for the business application,
The business application uses the Azure AD On-behalf-Of (ObO) flow for requesting the access token
Finally, the business application calls the ServiceNow to take actions to the signed-in user's tasks.
ServiceNow validate the token using OIDC provider to verify ID tokens configuration with the same application registered in Azure which issues an access token and refresh token in step 5.

3. User provisioning - Azure SAP

Use SAP Cloud Identity Services - Identity Provisioning to provision users from Microsoft Azure Active Directory to SAP Cloud Identity Services - Identity Authentication.

4. User provisioning & SSO - Azure-ServiceNow

Use ServiceNow enterprise application in Azure to provision users from Microsoft Azure Active Directory to ServiceNow instance
Use the same ServiceNow enterprise application created in step 13 in Azure to authenticate users from Microsoft Azure Active Directory to ServiceNow instance

5. Technical service flow

You need to create integration user for SAP Technical connection and choose how SAP Task Center will authenticate when technical connection is used (delta jobs in SAP are using this technical connection)

For example, you can use Basic Auth or OAuth:

For basic auth provide username and password to the team who is configuring the connection to ServiceNow.
The BTP business application requests a client assertion from the IAS tenant to use it in the subsequent requests for the token exchange via the IAS tenant's OIDC proxy.
For OAuth follow these steps in ServiceNow (account with admin role is required)
1. Open System OAuth -> Application Registry. Click New and choose "Create an OAuth API endpoint for external clients". Configure the record and share username, user password, client id and client secret with the team configuring the connection to ServiceNow

6. Register the applications in Azure AD for IAS tenant and SN OIDC provider to verify ID tokens.

The token exchange and OIDC proxy setup between the SN, IAS, and the Azure AD tenant, requires a trust relationship which is established by registering one application in the Azure AD tenant

“SAPIASTenant” represents the SAP Cloud Identity Service tenant.

Step 1
Login to Azure Portal (e.g. with your Microsoft 365 E5 developer subscription’s admin account) and select Azure Active Directory from the portal menu.

Select App registrations from the left-side menu.

Step 2
Click + New registration

Step 3
Enter "<SAP IAS Tenant>" for the Name of the new application registration.

Replace <SAP IAS Tenant> with your friendly name

Select "Web" from the dropdown list in the Redirect UR I section.

Enter your IAS tenant's redirect UR Iin the Redirect URI section's text field:https://<IAStenant name>.accounts.ondemand.com/oauth2/callback.Replace <IAS tenant name> with your tenant's name.

Click Register.

Step 4
Copy the newly generated Application (client) ID to a temporary text file. You will need it in the next step for deploying the sample application.

Step 5
Select Manifest from the navigation menu to edit the application registration's manifest file.
Change the value for the field "accessTokenAcceptedVersion" from null to 2.
Click Save.

7. Configure trust to the IAS tenant in Azure AD

Trust to the IAS tenant is configured in Azure AD with a new federated identity credential. In addition, a client secret is required for the initial token exchange in step 5 of figure 1. Both credentials will be configured for the application registrations in the following step.

Step 6
Select the SAPIASTenant app from the list. (created in step 3)
Select Certificates & secrets from the menu and switch to the Client secrets tab.
Click + New client secret.

Step 7
Enter "<SAPOIDCProxy>" for the Description.
Click Add.

Step 8
Click Copy to clipboard in the Value column and paste it to a temporary text file. You will need it later in the setup process.

Step 9
Create another one secret for ServiceNow
Enter "<ServiceNow>" for the Description.
Click Add.

8. Configure permissions and scopes in Azure AD

To request the Outlook calendar event on behalf of the user, the business application (SAPBTPGraphApp) requires the Graph API permission Calendars.Read. SAPBTPGraphApp also exposes the custom scope "token.exchange".This scope is referred to as a (downstream) API permission for the SAPIASTenant application registration and required for steps 7 and 8 in figure 1. For the initial token request to Azure AD (see step 5 in figure 1 and figure 2), the SAPIASTenant application exposes the custom scope "ias.access".

Step 10
Go to Expose an API in the navigation menu.
Click + Add a scope.

Step 11
Accept the default value for the Application ID URI.
Click Save and continue.

Step 12
Enter "ias.access" for the new Scope name. Provide an Admin consent display name and description.
Click Add scope.

Scope name:
ias.access

Admin consent display name:
IAS Tenant Access

Admin consent description:
Access to SAP Cloud Identity service Application

Step 13
Copy the full-qualified URI of the new scope (api://<client id>/ias.access) from the clipboard to temporary text file. It will be used in a later setup step.

Step 14
Add Optional claim to the token.
Navigate to Token configuration
+ Add optional claim
Token Type - ID
Select "email" and add

Step 15
If message about API permissions required appear
select the checkbox - Turn On Microsoft Graph email permission (required for claim to appear in token)
Click "add"

Step 16
Grant Admin Consent

Step 17
Navigate to authentication
Scroll down to Implicit grant and hybrid flows
Select the tokens you would like to be issued by the authorization endpoint:
Select the checkbox ID tokens
Click Save

9. Configure Azure as an OAUTH OIDC provider on ServiceNow

Step 18
Open the ServiceNow instance
Navigate to All > System OAuth > Application Registry.
Click New, click Configure an OIDC provider to verify ID tokens.

Step 19
Fill the form.

Field	Description
Name	A unique name that identifies the OAuth OIDC entity.
Client ID	The client ID of the application registered in Azure in step 4. The instance uses the client ID when requesting an access token.
Client Secret	The client secret of the application registered in Azure in step 31.
OAuth OIDC Provider Configuration	The OIDC provider (ADFS, Auth0, Azure AD, Google, Okta) can be used to validate the JWT token. Click the record of your OIDC provider configuration to validate the User Claim and User Field are set appropriately. If you check Enable JTI claim verification, the ServiceNow JWT token validation also validates the JTI sent by the provider. See next step for more details
Clock Skew	The number, in seconds, for the constraint to be considered valid. The default is 300.
Comments	Additional information to associate with the application.
Application	The name of the application containing this entity.
Accessible from	Select an option to make it accessible from all application scopes, or this application scope only. (all scope by default)
Enforce Token Restrictions	Select to only allow tokens to be used with APIs set to allow the authentication profile. You can set grant access using an API access policy. For more information, seeCreate REST API access policy. Default: Unselected.
Active	Select the check box to make the OAuth application active.
Redirect URL	The URL of the OAuth application for receiving the authorization code. (automatically added when save the application
End Session Endpoint URL	The URL endpoint which enables after a session ends.(not required
Enable force authentication	Option to enable force authentication for users. (not required)

Step 20
OAuth OIDC Provider Configuration
Click on the search icon and then New

OIDC Provider - A unique name that identifies the OIDC provider

OIDC Metadata URL - the OIDC provider OpenID Connect metadata document (details in next step)

User claim: email
User Field: the field in SN which contain mail value

Enable JTI claim verification: Disable

Step 21
Navigate to azure application which created in step 3 - Overview - Endpoints - OpenID Connect metadata document

Step 22
Navigate to Oauth Entity Scope and add
offline_access,
Open id

Click Update.

Step 23
Navigate to the Oauth Entity Profiles which is automatically created when Save Oauth OIDC entity.

Verify that the Grant type is is Resource Owner Password Credentials and then add the OAuth Entity Scopes created in the above step.

Step 24
Add Auth Scope:
useraccount

Step 25
Navigate to the created in step 34 Oauth OIDC Entity and copy the redirect url

Step 26
Navigate to Azure App registered in step 3
Authentication
Add the url from the previous step. (do not remove or replace the url added in step 3 when create the application)
Save

10. Setup user provisioning - Azure >> SAP

Step 27
Launch a browser window and access your Azure portal using the URL: https://portal.azure.com/.

You will need to authenticate to your Azure AD using your admin credentials.

Step 28
Click Microsoft Entra ID.

Step 29
Click App Registration >> New registration.

Step 30
Specify a name for your app and click Register

Step 31
Click API permission >> Add a permission.

Step 32
Select Microsoft Graph.

Step 33
Click Application permissions.

Step 34
From the list of API permissions, expand User and select User.Read.All.

Step 35
From the API list also select Group >> Read.All and Directory >> Read.All. Click Add permissions at the bottom of the screen once done.

Step 36
The permissions are not granted by default. To grant the permissions, click Grant admin consent for Default Directory.

Step 37
Click Yes on the popup message and confirm that all permissions are granted.

Step 38
Click Overview from the left panel. Make a note of the Application (client) ID. You will need this later when creating the source system in IPS. Click Add a certificate or secret.

Step 39
Click New client secret.

Step 40
Specify a description and expiry time for the client secret.

Step 41
You should have client secret added successfully. Make a note of the value field as you will need it later when creating the source system in IPS.

Step 42
Navigate to the main overview page of Azure AD and make a note of your Primary domain. You will need this value when creating the source system in IPS.

Step 43
Follow the blog https://community.sap.com/t5/technology-blogs-by-sap/provision-users-from-microsoft-azure-ad-to-sap-cloud-identity-services/ba-p/13546054 and specific hint on filtering users by a group in Identiy Provisionning Source system Properties, add aad.group.filter=displayName eq '<group_name>':

11. Establish trust between task sub account and IAS

Step 44
Go to BTP Cockpit->Security->Trust Configuration

Step 45
Select "Establish trust" and choose the IAS

Step 46
Select "Establish trust" and choose the IAS

Note: This creates an OIDC application in IAS for the subaccount

NB: Task Center/Service Now integration works only with OIDC trust between Task Center subaccount and IAS

Step 47
This would create an application in iAS

For more information, you can check: https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-between-uaa-and-identity-authentication

12. Setup the corporate identity provider and OIDC proxy in SAP Cloud Identity tenant

Step 48
Login as an administrator to your SAP Cloud Identity service administration console at
https://<IAStenant name>.accounts.ondemand.com/admin

Step 49
Go to Identity Providers > Corporate Identity Providers and click Create.
Enter a Display name(e.g. "Azure Active Directory") and click Save.

Step 50
Click on Identity Provider Type from the Trust settings of the new corporate identity provider.

Step 51
Select OpenID Connect Compliant from the list.
Click Save.

Step 52
Click on OpenID Connect Configuration from the Trust settings of the new corporate identity provider. 

Step 53
Enter your Azure AD tenant's OIDC Discovery URL (https://login.microsoftonline.com/<AAD tenant ID>/v2.0) Click Load.

The Issuer field gets populated from the loaded Azure AD tenant's OIDC metadata.

Step 54
Enter the SAPIASTenant's client ID in the Client ID field. In the Client Secret field, enter the value of theOIDCProxysecret copied in step 8.

Click Validate.

Step 55
Verify a successful validation of the OIDC configuration.

Click OK.

Step 56
Click + Add

Step 57
Copy and paste the full-qualified URI of the SAPIASTenant application's custom scope (api://<client id>/ias.access) copied in step 13 for the new scope.

Click Save.

Step 58
Click+ Add again and add the scope:
"email"
"openid"
"offline_access"

Click Save.

Step 59
Click Save.

Step 60
Go to Applications & Resources > Applications
Select the application from "Establish trust between Task subaccount and IAS" step – step 47

Click Attributes

Step 61
Navigate to Attributes and add

Name: "xsuaa-persist-corporate-idp-token"
Source: Expression
Value: true

Save

Step 62
Select "Conditional Authentication"
In the "Default Identity Provider", choose the Azure provider configured in steps 48-59, Click Save

13. Configure destinations for SAP in the BTP sub-account

SAP Task Center uses destinations to connect to Service Now task provider

 Client Specific configuration:

aadTokenEndpoint: Azure AD token endpoint athttps://login.microsoftonline.com/<AAD tenant ID>/oauth2/v2.0/token
iasTokenEndpoint: SAP Cloud Identity service tenant's token endpoint athttps://<IAStenant name>.accounts.ondemand.com/oauth2/token
iasTokenExchange: SAP Cloud Identity service's token exchange service endpoint athttps://<IAStenant name>.accounts.ondemand.com/oauth2/exchange/corporateidp

Step 63
Go back to the SAP BTP Cockpit and navigate to your CF subaccount.
Select Connectivity > Destinations from the navigation menu.
Click New Destination.

Step 64
Enter the following values for the first destination:
Refer to 6. TECHNICAL SERVICE FLOW

Click Save.

Step 65
Repeat steps 63 and 64 with following values for the second destination:

Refer to 10. CONFIGURE AZURE AS AN OAUTH OIDC PROVIDER ON THE SERVICENOW , step 21.

AuthnContextClassRef = urn:oasis:names:tc:SAML:2.0:ac:classes:X509
clientKey = token service password=client secret
Token service user = client id

Task Center documentation for Third Party destination setup: https://help.sap.com/docs/task-center/sap-task-center/connect-third-party-task-provider-and-sap-task-center

Click Save.

14. Test the scenario

Step 66
Use SAP Task Center Administration app to check the status of the configured connector destination, following: https://help.sap.com/docs/task-center/sap-task-center/working-with-task-center-administration-app

Step 67
Use SAP Task Center Web app, to validate that tasks from the new destination are seen by business users (for more information, see: https://help.sap.com/docs/task-center/sap-task-center/sap-task-center-web-app)