https://raw.githubusercontent.com/ajmaradiaga/feeds/main/scmt/topics/SAP-BTP-Security-blog-posts.xml SAP Community - SAP BTP Security 2024-07-26T23:00:22.251078+00:00 python-feedgen SAP BTP Security blog posts in SAP Community https://community.sap.com/t5/technology-blogs-by-members/custom-domains-for-btp-cloudfoundry-applications/ba-p/13647389 Custom domains for BTP CloudFoundry applications 2024-03-26T08:43:26.536000+01:00 WouterLemaire https://community.sap.com/t5/user/viewprofilepage/user-id/9863 <H1 id="toc-hId-860820414">Introduction</H1><P>I wanted to activate a custom domain on BTP for my own website <SPAN><A href="https://wouter.lemaire.tech" target="_blank" rel="noopener nofollow noreferrer">https://wouter.lemaire.tech</A></SPAN>. To achieve this I followed this great step-by-step blog post of&nbsp;<a href="https://community.sap.com/t5/user/viewprofilepage/user-id/1307">@andrew_lunde</a>&nbsp;: <SPAN><A href="https://community.sap.com/t5/technology-blogs-by-sap/step-by-step-guide-to-custom-domains-with-multitenant-multi-target/ba-p/13390754" target="_blank">https://community.sap.com/t5/technology-blogs-by-sap/step-by-step-guide-to-custom-domains-with-multitenant-multi-target/ba-p/13390754</A></SPAN></P><P>Nevertheless, I did some steps differently, which still made it challenging to configure:</P><UL><LI>I bought the domain at Google Domains</LI><LI>Used certbot instead of my own certificate (in companies you’ll probably have a company certificate)</LI><LI>Added MTA configuration so the domain is mapped automatically after each deployment of the app</LI></UL><P>Those differences changed some steps in the flow, which I documented and want to share in this blog post.</P><H1 id="toc-hId-664306909">Prerequisites</H1><P>Check the official SAP help documentation first; it helps to understand the flow: <SPAN><A href="https://help.sap.com/docs/custom-domain/custom-domain-service/create-custom-domains?locale=en-US" target="_blank" rel="noopener 
noreferrer">https://help.sap.com/docs/custom-domain/custom-domain-service/create-custom-domains?locale=en-US</A></SPAN></P><P>You need to buy a custom domain yourself; that is not part of this service. The service only lets you use a domain you pay for separately with your BTP applications and services. I’m using Google Domains, which has been migrated to Squarespace.</P><P>Install certbot: <A href="https://certbot.eff.org/instructions?ws=other&amp;os=windows" target="_blank" rel="noopener nofollow noreferrer">https://certbot.eff.org/instructions?ws=other&amp;os=windows</A></P><P><SPAN>Download the latest version of the Certbot installer for Windows at&nbsp;</SPAN><A href="https://github.com/certbot/certbot/releases/latest/download/certbot-beta-installer-win_amd64_signed.exe" target="_blank" rel="noopener nofollow noreferrer">https://github.com/certbot/certbot/releases/latest/download/certbot-beta-installer-win_amd64_signed.exe</A>.</P><P>Make sure your BTP subaccount has the Custom Domain service entitlement:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_0-1711151575890.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85345i3B8E7F3BFEE29ADB/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_0-1711151575890.png" alt="WouterLemaire_0-1711151575890.png" /></span></P><P>Create an instance of this service in your CloudFoundry Space:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_1-1711151597097.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85346iBC88292177046BAF/image-size/medium?v=v2&amp;px=400" role="button" title="WouterLemaire_1-1711151597097.png" alt="WouterLemaire_1-1711151597097.png" /></span></P><P><SPAN>Install the CloudFoundry CLI with the Custom Domain Self-Service plugin. 
The plugin can be downloaded from here: <A href="https://tools.hana.ondemand.com/#cloud" target="_blank" rel="noopener nofollow noreferrer">https://tools.hana.ondemand.com/#cloud</A></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_2-1711151618301.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85347i9882F81BEEA8E46B/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_2-1711151618301.png" alt="WouterLemaire_2-1711151618301.png" /></span></P><P><SPAN>Once downloaded, install it by going into the folder of the plugin and running the following command in your CLI: “cf install-plugin custom-domain-cli”</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_3-1711151644365.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85350iCFAD2257FD39C63A/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_3-1711151644365.png" alt="WouterLemaire_3-1711151644365.png" /></span></P><P><SPAN>Validate that it was successful by running “cf plugins”. 
This will show you a list of all installed plugins, including the custom domain plugin: </SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_4-1711151713084.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85351iF8B68B559837D045/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_4-1711151713084.png" alt="WouterLemaire_4-1711151713084.png" /></span></P><H1 id="toc-hId-467793404"><SPAN>Create your custom domain</SPAN></H1><P><SPAN>1) Log in to CloudFoundry using the CLI:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_5-1711151748528.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85352iCFA67D8EA9531FED/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_5-1711151748528.png" alt="WouterLemaire_5-1711151748528.png" /></span></P><P><SPAN>2) Create your custom domain using the command “cf create-domain wlcf wouter.lemaire.tech” (wlcf is the Cloud Foundry org; this registers the domain as a private domain of that org)</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_6-1711151769099.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85353i19B9926BAD315BE2/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_6-1711151769099.png" alt="WouterLemaire_6-1711151769099.png" /></span></P><P>You can validate that this was successful with the command “cf domains”; your domain should be listed:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_7-1711151778954.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85354iC202E414E5DEA07E/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_7-1711151778954.png" alt="WouterLemaire_7-1711151778954.png" /></span></P><P>3) Create a private key for your custom domain in 
Cloud Foundry using the command:</P><P>cf custom-domain-create-key custom-domain-wouter-lemtech-key "CN=*.wouter.lemaire.tech, EMAIL=wouter@lemaire.tech, O=lemtech, C=BE" "wouter.lemaire.tech"</P><UL><LI>custom-domain-create-key: command of the cf CLI custom domain plugin that creates the key</LI><LI>custom-domain-wouter-lemtech-key: the name of the key that will be created; we need it in later steps</LI><LI>“CN=*.wouter.lemaire.tech, EMAIL=wouter@lemaire.tech, O=lemtech, C=BE”: the subject that goes into the CSR</LI><LI>"wouter.lemaire.tech": the domain name I want to connect (more names can be listed here; they become the alternative names of the CSR)</LI></UL><P>The private key is generated and kept inside the Custom Domain service and is never downloaded to your machine. The only thing you get out is the CSR, which is why the signing in the next steps works on the CSR alone.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_8-1711151800033.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85355i0F173B5EF44FE1B1/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_8-1711151800033.png" alt="WouterLemaire_8-1711151800033.png" /></span></P><P>4) Get the Certificate Signing Request (CSR) for the created private key using the following command:</P><P>cf custom-domain-get-csr custom-domain-wouter-lemtech-key csr.pem</P><UL><LI>custom-domain-get-csr: cf CLI custom domain command that retrieves the CSR</LI><LI>custom-domain-wouter-lemtech-key: name of the private key created in the previous step</LI><LI>csr.pem: file the CSR is written to</LI></UL><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_9-1711151835284.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85356iC656181070A84742/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_9-1711151835284.png" alt="WouterLemaire_9-1711151835284.png" /></span></P><P><SPAN>5) Sign the CSR using certbot.</SPAN> Open cmd as administrator in the folder where the csr.pem file is stored and run the following command:</P><P>certbot certonly 
--manual --csr ./csr.pem --preferred-challenges dns</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_10-1711151853127.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85358i4CD94A523FAD6757/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_10-1711151853127.png" alt="WouterLemaire_10-1711151853127.png" /></span></P><P>This will give you a token which you need to put in a TXT record in Google Domains. certbot prints the record name, _acme-challenge.wouter.lemaire.tech in my case; this is the DNS-01 challenge, and for a wildcard name like the CN of this CSR it is the only challenge type Let’s Encrypt accepts:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_11-1711151861507.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85359i613C0DDDD93060B5/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_11-1711151861507.png" alt="WouterLemaire_11-1711151861507.png" /></span></P><P>Once you have created the record, press enter. Validation might take a while, but eventually certbot writes the certificate files:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_12-1711151871269.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85360i5B461FA1B082BAF7/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_12-1711151871269.png" alt="WouterLemaire_12-1711151871269.png" /></span></P><P>6) Upload the signed certificate to CloudFoundry</P><P>As I received three certificate files from certbot and it was not clear which one to take, I first tried merging all of them into one:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_13-1711151886853.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85362i6D6CD8835C515904/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_13-1711151886853.png" alt="WouterLemaire_13-1711151886853.png" /></span></P><P><SPAN>When uploading the 
combined certificate using the following command, it failed with an error:</SPAN></P><P><SPAN>cf custom-domain-upload-certificate-chain </SPAN>custom-domain-wouter-lemtech-key allchain.pem</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_14-1711151894910.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85363i25AE3C6D1AA0D103/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_14-1711151894910.png" alt="WouterLemaire_14-1711151894910.png" /></span></P><P>So I tried all certificates separately and eventually the last one worked <span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span></P><P>That is no coincidence: in --csr mode certbot writes the leaf certificate, the intermediate chain and the full chain (leaf followed by the intermediates) as three separate files. The full chain, 0001_chain.pem here, is what the upload command expects; concatenating all three repeats the leaf and the intermediates, which is not a valid chain. Keep in mind that a Let’s Encrypt certificate is valid for 90 days and that certbot renew does not cover certificates obtained with --csr, so steps 4 to 7 have to be repeated before it expires.</P><P>cf custom-domain-upload-certificate-chain custom-domain-wouter-lemtech-key 0001_chain.pem</P><UL><LI>custom-domain-upload-certificate-chain: command that uploads the certificate chain to CloudFoundry</LI><LI>custom-domain-wouter-lemtech-key: key that I created earlier</LI><LI>0001_chain.pem: certificate chain that needs to be uploaded</LI></UL><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_15-1711151908658.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85364i9E8137D019100E2D/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_15-1711151908658.png" alt="WouterLemaire_15-1711151908658.png" /></span></P><P>It will ask for confirmation and upload, BUT not yet activate:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_16-1711151918206.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85365i2A2484B102B1475E/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_16-1711151918206.png" alt="WouterLemaire_16-1711151918206.png" /></span></P><P>We can check that the certificate was uploaded successfully with the following command and the key name:</P><P>cf 
custom-domain-show-certificates custom-domain-wouter-lemtech-key</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_17-1711151929340.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85366i94A2C7EEE289AE62/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_17-1711151929340.png" alt="WouterLemaire_17-1711151929340.png" /></span></P><P>7) Activate the custom domain using the following command:</P><P>cf custom-domain-activate custom-domain-wouter-lemtech-key wouter.lemaire.tech</P><UL><LI>custom-domain-activate: command for activating</LI><LI>custom-domain-wouter-lemtech-key: private key name</LI><LI>wouter.lemaire.tech: domain to be activated</LI></UL><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_18-1711151943919.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85367i9F67D90B29B304A7/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_18-1711151943919.png" alt="WouterLemaire_18-1711151943919.png" /></span></P><P>You can list the active custom domains in CloudFoundry with the command: cf custom-domain-list</P><P>In my case there are two: the main custom domain “wouter.lemaire.tech”, which I’ll continue with, and the wildcard domain “*.wouter.lemaire.tech”, which allows me to use subdomains. I’ll use that one later.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_19-1711151955919.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85368iCD35232FD4692440/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_19-1711151955919.png" alt="WouterLemaire_19-1711151955919.png" /></span></P><P>8) Configure DNS for the custom domain</P><P>Before we can do this, we need the API endpoint of Cloud Foundry in your subaccount. 
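</P>
<P>Before moving on to DNS, here is a check worth running on the files from steps 5 to 7 before uploading anything. It is an added example and not code from the original post: a standard-library Python script that splits a PEM bundle, pulls issuer, subject and expiry out of each certificate with a minimal DER walker, and reports whether the file is a leaf-first chain without repeated blocks and how many days remain before renewal is due. The certificates in it are constructed, unsigned dummies so that it runs offline; the labels 0001_chain.pem and allchain.pem follow the post, and the issuer names are assumptions.</P>

```python
"""Added example (not from the original post): sanity-check the PEM files certbot
writes in --csr mode before running custom-domain-upload-certificate-chain.
Standard library only; the certificates below are constructed, unsigned dummies."""
import base64
import hashlib
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem(text):
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(block.split())) for block in PEM_RE.findall(text)]


def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """All top-level TLVs inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def cert_fields(der):
    """(issuer DER, subject DER, notAfter as an aware datetime) of one X.509 certificate."""
    _, cert, _ = _tlv(der)   # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    _, tbs, _ = _tlv(cert)   # tbsCertificate ::= SEQUENCE { [0] version, serial, sigAlg, issuer, validity, subject, ... }
    fields = _children(tbs)
    if fields[0][0] == 0xA0:  # optional EXPLICIT [0] version
        fields = fields[1:]
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    tag, not_after = _children(validity)[1]  # validity = { notBefore, notAfter }
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return issuer, subject, datetime.strptime(not_after.decode(), fmt).replace(tzinfo=timezone.utc)


def check_bundle(text, now):
    """Return (problems, days until the first certificate expires). No problems means upload it."""
    certs = split_pem(text)
    if not certs:
        return ["no CERTIFICATE block found"], None
    problems = []
    fingerprints = [hashlib.sha256(c).hexdigest() for c in certs]
    if len(set(fingerprints)) != len(fingerprints):
        problems.append("duplicate certificates: this is a concatenation of several certbot files, upload the full chain only")
    parsed = [cert_fields(c) for c in certs]
    for i in range(len(parsed) - 1):
        if parsed[i][0] != parsed[i + 1][1]:  # the issuer of certificate i must be the subject of i+1
            problems.append(f"certificate {i} is not issued by certificate {i + 1}: not a leaf-first chain")
    if len(certs) == 1:
        problems.append("single certificate without intermediates: looks like the leaf file, not the full chain")
    return problems, (parsed[0][2] - now).days


# --- constructed sample data: dummy, unsigned certificates; the CA names are assumptions ---
def _der(tag, content):
    """Encode one DER TLV; only used to build the dummy certificates below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def sample_cert(subject_cn, issuer_cn, not_after="261231235959Z"):
    """A structurally valid X.509 skeleton with the given CNs (constructed sample, not a real certificate)."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF { OID 2.5.4.3 (commonName), UTF8String }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, not_after.encode()))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer_cn) + validity + name(subject_cn) + _der(0x30, b""))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


CERT_PEM = sample_cert("wouter.lemaire.tech", "Example Intermediate CA")  # like the leaf-only file
CHAIN_PEM = sample_cert("Example Intermediate CA", "Example Root CA")     # like the intermediates file
FULLCHAIN_PEM = CERT_PEM + CHAIN_PEM                                      # like 0001_chain.pem
ALLCHAIN_PEM = CERT_PEM + CHAIN_PEM + FULLCHAIN_PEM                       # like the merged allchain.pem
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)                           # fixed clock for a deterministic run

if __name__ == "__main__":
    for label, pem in (("0001_chain.pem", FULLCHAIN_PEM), ("allchain.pem", ALLCHAIN_PEM), ("leaf only", CERT_PEM)):
        problems, days = check_bundle(pem, NOW)
        print(f"{label}: {'OK' if not problems else problems}, {days} days left")
```

<P>Run it against the real files by reading them with open(); a small or negative days value means it is time to repeat steps 4 to 7.</P>
<P>Back to the DNS configuration of step 8, which needs the Cloud Foundry API endpoint of your subaccount. 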
This can be done by using the command “cf api”:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_20-1711151969685.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85369i74DA138FA529D1ED/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_20-1711151969685.png" alt="WouterLemaire_20-1711151969685.png" /></span></P><P>In Google Domains, I created the following record:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_21-1711151976230.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85370i39F0D4FA7AAC4B40/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_21-1711151976230.png" alt="WouterLemaire_21-1711151976230.png" /></span></P><P>To test if it works I used the command “nslookup Wouter.lemaire.tech”:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_22-1711151982841.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85371iF89FB8CBC82338FE/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_22-1711151982841.png" alt="WouterLemaire_22-1711151982841.png" /></span></P><P>9) Map application to custom domain</P><P>Before we do, we can check the list of apps to find the connected route for each application</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_23-1711151994699.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85372i46CCB45E3717EE88/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_23-1711151994699.png" alt="WouterLemaire_23-1711151994699.png" /></span></P><P>With the following command, we will map an app with the custom domain we created (this needs to be done for the approuter app as this is the access point for an 
application in BTP):</P><P><SPAN>cf map-route &lt;Application Name&gt; &lt;Custom Domain&gt; --hostname &lt;Application Hostname&gt;</SPAN></P><P><SPAN>In my example it looks like this, without the hostname as I want it to be connected with the main domain:</SPAN></P><P><SPAN>cf map-route lemtech-approuter wouter.lemaire.tech</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_24-1711152002676.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85373i63ED0022F37350EF/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_24-1711152002676.png" alt="WouterLemaire_24-1711152002676.png" /></span></P><P>If you now check the list of apps, you’ll see that the route for the approuter is connected to the custom domain:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_25-1711152009142.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85374iE32CC6FE0FEDDB21/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_25-1711152009142.png" alt="WouterLemaire_25-1711152009142.png" /></span></P><P><SPAN>You can also check the list of routes:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_26-1711152015149.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85375iC552A194A455037F/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_26-1711152015149.png" alt="WouterLemaire_26-1711152015149.png" /></span></P><P><SPAN>10) Configure the MTA of your app</SPAN></P><P><SPAN>After every deploy the mapping between the route and your app will be gone and you need to do this over again. 
This can be done in the BTP Cockpit:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_27-1711152025585.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85376i4E03E92F27E85382/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_27-1711152025585.png" alt="WouterLemaire_27-1711152025585.png" /></span></P><P><SPAN>You can avoid this by configuring the domain in the mta.yaml file of your application as follows:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_28-1711152033375.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85377i3F998BDF5E7329E3/image-size/medium?v=v2&amp;px=400" role="button" title="WouterLemaire_28-1711152033375.png" alt="WouterLemaire_28-1711152033375.png" /></span></P><P><SPAN>With this configuration the domain stays connected to your application after each deploy.</SPAN></P><P><SPAN>That’s how it’s done </SPAN><span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span></P><H1 id="toc-hId-271279899"><SPAN>Result</SPAN></H1><P><SPAN>Try navigating to <A href="https://wouter.lemaire.tech" target="_blank" rel="noopener nofollow noreferrer">https://wouter.lemaire.tech</A>; this opens my website, which is running on SAP BTP Cloud Foundry!</SPAN><SPAN>&nbsp;</SPAN></P><H1 id="toc-hId-74766394"><SPAN>Additional</SPAN></H1><P><SPAN>I also want to create subdomains so I can use the custom domain for other applications. 
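</SPAN></P>
<P>Because the post shows the mta.yaml of step 10 only as a screenshot, here is an added example of that configuration in text; it is my reconstruction, not the author’s file. It declares the apex domain route for the approuter from step 10 and, for the subdomain case of this section, a second module whose route is a host on the wildcard domain. The module name lemtech-approuter and the domain come from the post; the module name btp-services-ui, the module types and the path entries are assumptions.</P>

```yaml
# Added example, not the mta.yaml from the original post. lemtech-approuter and the
# domain names come from the post; btp-services-ui, the types and the paths are assumptions.
ID: lemtech
_schema-version: "3.3"
version: 1.0.0

modules:
  - name: lemtech-approuter
    type: approuter.nodejs
    path: approuter
    parameters:
      keep-existing-routes: true                   # do not remove routes that were mapped by hand
      routes:
        - route: wouter.lemaire.tech               # apex route, re-created on every deploy (step 10)

  - name: btp-services-ui                          # assumed name for the "BTP Service Overview" app
    type: html5
    path: btp-services
    parameters:
      routes:
        - route: btp-services.wouter.lemaire.tech  # host on the wildcard domain *.wouter.lemaire.tech
```

<P>With the routes declared this way the deployer maps them itself, so they survive every deploy. TLS is unchanged: the certificate activated for *.wouter.lemaire.tech in the Custom Domain service covers the subdomain host.</P>
<P><SPAN>The subdomain host also needs a DNS record. 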
For this, I added a record in Google Domains as follows:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_29-1711152044282.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85378i8B327DCF8E9A5FB6/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_29-1711152044282.png" alt="WouterLemaire_29-1711152044282.png" /></span></P><P><SPAN>I activated the custom domain “*.wouter.lemaire.tech”</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_30-1711152054510.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85379iB9B6BEF65429872E/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_30-1711152054510.png" alt="WouterLemaire_30-1711152054510.png" /></span></P><P><SPAN>I mapped the application BTP Service Overview to the custom domain wouter.lemaire.tech with btp-services as hostname; the wildcard certificate activated above covers that host:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WouterLemaire_31-1711152061124.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/85380iCBBD700CF83FA6F4/image-size/large?v=v2&amp;px=999" role="button" title="WouterLemaire_31-1711152061124.png" alt="WouterLemaire_31-1711152061124.png" /></span></P><P><SPAN>Result: <A href="https://btp-services.wouter.lemaire.tech/" target="_blank" rel="noopener nofollow noreferrer">https://btp-services.wouter.lemaire.tech/</A> </SPAN></P> 2024-03-26T08:43:26.536000+01:00 https://community.sap.com/t5/technology-blogs-by-members/integrating-ibm-security-verify-with-sap-cloud-identity-services-in-sap-btp/ba-p/13651722 Integrating IBM Security Verify with SAP Cloud Identity Services in SAP BTP 2024-04-02T10:29:43.856000+02:00 TusharTrivedi https://community.sap.com/t5/user/viewprofilepage/user-id/150726 <P>This blog delves into the technical 
aspects of integrating IBM Security Verify with SAP Cloud Identity Services (CIS) in SAP Business Technology Platform (BTP), with CIS acting as a proxy in front of the corporate identity provider.</P><P>SAP CIS offers a suite of solutions for managing user identities, access controls, and application integrations across the IT landscape. IBM Security Verify, in turn, provides identity governance, workforce and Customer Identity Access Management (CIAM), and privileged account controls through automated, cloud-based, and on-premises capabilities. By integrating these platforms, organisations can leverage their combined strengths to establish a secure business environment. This integration enhances operational control, regulatory compliance, and user experience in the digital era.</P><P>IBM Security Verify supports various authentication methods, including passwordless login, fingerprints, and one-time passcodes, ensuring flexibility and robustness against unauthorised access. SAP Cloud Identity Services, for its part, is the Identity and Access Management solution available in SAP BTP.</P><P>The integration process involves configuration updates in SAP CIS and IBM Security Verify to enable authentication via a standard protocol supported by both components, here SAML 2.0. Organisations must ensure they have the necessary admin privileges or access rights for editing configurations before initiating the integration procedure. 
Collaboration between the organisation and SAP is required for the integration, with most of the effort undertaken by the organisation.</P><P><STRONG><U>Reference Architecture</U></STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_0-1711558240041.png" style="width: 603px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87620iCDBBC15EAA0C32FA/image-dimensions/603x264?v=v2" width="603" height="264" role="button" title="TusharTrivedi_0-1711558240041.png" alt="TusharTrivedi_0-1711558240041.png" /></span></P><P>The diagram shows SAP Cloud Identity Services integrated with IBM Security Verify, through which SAP BTP applications, SAP SaaS solutions and on-premises applications can be accessed. Users sign in via IBM Security Verify, which allows passwordless, biometric or multi-factor authentication (MFA) with a mobile device for fast application access and a pleasant user experience.</P><P><STRONG><U>Prerequisites</U></STRONG></P><UL><LI>SAP Cloud Identity Services (for a trial instance check this <A href="https://help.sap.com/docs/cloud-identity?locale=en-US" target="_blank" rel="noopener noreferrer">link</A>)</LI><LI>IBM Security Verify (for a trial instance check this <A href="https://www.ibm.com/docs/en/security-verify?topic=overview-accessing-security-verify" target="_blank" rel="noopener nofollow noreferrer">link</A>)</LI><LI>A smartphone with the IBM Security Verify app</LI></UL><P><STRONG><U>Configurations and Settings in IBM Security Verify</U></STRONG></P><P>Log in to <A href="https://ibmlabs.verify.ibm.com/ui/admin" target="_blank" rel="noopener nofollow noreferrer">IBM Security Verify</A> as an administrator&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_1-1711558240051.png" style="width: 580px;"><img 
src="https://community.sap.com/t5/image/serverpage/image-id/87619iDD2FB2053352AAF9/image-dimensions/580x303?v=v2" width="580" height="303" role="button" title="TusharTrivedi_1-1711558240051.png" alt="TusharTrivedi_1-1711558240051.png" /></span></P><P>After login, the home screen shown below is displayed.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_2-1711558240063.png" style="width: 580px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87621i225AF80516E58B56/image-dimensions/580x303?v=v2" width="580" height="303" role="button" title="TusharTrivedi_2-1711558240063.png" alt="TusharTrivedi_2-1711558240063.png" /></span></P><P>Now, in the left panel, click on "Applications" under "Applications". On the right side of the screen there is an “Add application” button; click it.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_3-1711558240075.png" style="width: 581px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87624iB89E19C5B29F0C09/image-dimensions/581x318?v=v2" width="581" height="318" role="button" title="TusharTrivedi_3-1711558240075.png" alt="TusharTrivedi_3-1711558240075.png" /></span></P><P>Fill in the necessary details under the “General” section as shown below and save.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_4-1711558240081.png" style="width: 583px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87622iE900EAD3FCED43E8/image-dimensions/583x351?v=v2" width="583" height="351" role="button" title="TusharTrivedi_4-1711558240081.png" alt="TusharTrivedi_4-1711558240081.png" /></span></P><P>Before we go further, log in to your SAP BTP account; you land in the SAP BTP Cockpit. 
As shown below, navigate to the “Instances and Subscriptions” tab under “Services”.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_5-1711558240088.png" style="width: 581px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87623i84B54FDB35A41913/image-dimensions/581x305?v=v2" width="581" height="305" role="button" title="TusharTrivedi_5-1711558240088.png" alt="TusharTrivedi_5-1711558240088.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_6-1711558240097.png" style="width: 580px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87625i2B53267225252EA7/image-dimensions/580x303?v=v2" width="580" height="303" role="button" title="TusharTrivedi_6-1711558240097.png" alt="TusharTrivedi_6-1711558240097.png" /></span></P><P>Upload the metadata file you just saved on your device to the application in the IBM Security Verify dashboard.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_7-1711558240104.png" style="width: 581px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87626iFC489D70B361D987/image-dimensions/581x327?v=v2" width="581" height="327" role="button" title="TusharTrivedi_7-1711558240104.png" alt="TusharTrivedi_7-1711558240104.png" /></span></P><P><STRONG><U>Configurations and Settings in SAP Cloud Identity Services</U></STRONG></P><P>Now, get back to SAP BTP and navigate to “Instances and Subscriptions.”</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_8-1711558240123.png" style="width: 582px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87627iD26384015971092A/image-dimensions/582x304?v=v2" width="582" height="304" role="button" title="TusharTrivedi_8-1711558240123.png" alt="TusharTrivedi_8-1711558240123.png" /></span></P><P>Now, enable “Cloud Identity Services” if it’s 
not enabled yet; once done, it is accessible as below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_9-1711558240142.png" style="width: 583px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87630i22174F3EA9625389/image-dimensions/583x306?v=v2" width="583" height="306" role="button" title="TusharTrivedi_9-1711558240142.png" alt="TusharTrivedi_9-1711558240142.png" /></span></P><P>Once you click on “Cloud Identity Services”, you are redirected to the SAP login screen shown below</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_10-1711558240151.png" style="width: 585px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87628iEBE7E7B581BEAD5D/image-dimensions/585x306?v=v2" width="585" height="306" role="button" title="TusharTrivedi_10-1711558240151.png" alt="TusharTrivedi_10-1711558240151.png" /></span></P><P>After successful login you see the home screen of Cloud Identity Services. 
Go to “Identity Providers” as highlighted below</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_11-1711558240165.png" style="width: 580px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87629iE9F459AA6A3456D1/image-dimensions/580x303?v=v2" width="580" height="303" role="button" title="TusharTrivedi_11-1711558240165.png" alt="TusharTrivedi_11-1711558240165.png" /></span></P><P>Click on Corporate Identity Providers and create a new identity provider</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_12-1711558240180.png" style="width: 580px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87631i14BC0DD99326AD6F/image-dimensions/580x303?v=v2" width="580" height="303" role="button" title="TusharTrivedi_12-1711558240180.png" alt="TusharTrivedi_12-1711558240180.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_13-1711558240199.png" style="width: 582px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87632iA827A103C5B7CE0F/image-dimensions/582x304?v=v2" width="582" height="304" role="button" title="TusharTrivedi_13-1711558240199.png" alt="TusharTrivedi_13-1711558240199.png" /></span></P><P>Once the new identity provider has been added, click on the identity provider type and select SAML 2.0 compliant as shown below</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_14-1711558240217.png" style="width: 580px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87633iBF1B725FC5F931FA/image-dimensions/580x303?v=v2" width="580" height="303" role="button" title="TusharTrivedi_14-1711558240217.png" alt="TusharTrivedi_14-1711558240217.png" /></span></P><P>Go to the SAML configuration section and fill in the information as shown below.</P><P><span 
class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_15-1711558240253.png" style="width: 465px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87635i9249EB9FC9127D47/image-dimensions/465x243?v=v2" width="465" height="243" role="button" title="TusharTrivedi_15-1711558240253.png" alt="TusharTrivedi_15-1711558240253.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_16-1711558240282.png" style="width: 582px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87636iF17F5BCC71338399/image-dimensions/582x303?v=v2" width="582" height="303" role="button" title="TusharTrivedi_16-1711558240282.png" alt="TusharTrivedi_16-1711558240282.png" /></span></P><P>You can browse for the “Metadata” file on your device once you have downloaded it from the IBM Security Verify dashboard. Go to the “Sign on” section of the application; on the right side of the screen, download the file from the given URL and upload it in SAP Cloud Identity Services as highlighted below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_17-1711558240291.png" style="width: 580px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87634i31E8A06AE0210E24/image-dimensions/580x319?v=v2" width="580" height="319" role="button" title="TusharTrivedi_17-1711558240291.png" alt="TusharTrivedi_17-1711558240291.png" /></span></P><P>Click on the Trusting application section and add the SAP BTP trial subaccount.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_18-1711558240308.png" style="width: 581px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87637iCC89A43551D2E79A/image-dimensions/581x302?v=v2" width="581" height="302" role="button" title="TusharTrivedi_18-1711558240308.png" alt="TusharTrivedi_18-1711558240308.png" /></span></P><P>Now, navigate back to the SAP BTP 
cockpit and establish the trust configuration, which is under the “Security” section, for the Cloud Identity Services application as shown in the screenshots below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_19-1711558240327.png" style="width: 580px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87639i167BF05ECCDAFF00/image-dimensions/580x303?v=v2" width="580" height="303" role="button" title="TusharTrivedi_19-1711558240327.png" alt="TusharTrivedi_19-1711558240327.png" /></span></P><P>Select “Establish Trust”.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_20-1711558240343.png" style="width: 582px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87638i162E95E24B25C60D/image-dimensions/582x304?v=v2" width="582" height="304" role="button" title="TusharTrivedi_20-1711558240343.png" alt="TusharTrivedi_20-1711558240343.png" /></span></P><P>You will see the steps below once you click on Establish Trust. As a first step, choose the tenant and click on Next.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_21-1711558240362.png" style="width: 583px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87640i0A33044697A8BC5B/image-dimensions/583x306?v=v2" width="583" height="306" role="button" title="TusharTrivedi_21-1711558240362.png" alt="TusharTrivedi_21-1711558240362.png" /></span></P><P>After selecting a tenant, in the next step choose the domain for your SAP Cloud Identity Services application.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_22-1711558240383.png" style="width: 580px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87641iEFD4BF3271BCFE37/image-dimensions/580x303?v=v2" width="580" height="303" role="button" title="TusharTrivedi_22-1711558240383.png" 
alt="TusharTrivedi_22-1711558240383.png" /></span></P><P>Click on the Next button and configure the parameters as shown in the screenshot below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_23-1711558240404.png" style="width: 580px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87642iFB90AFAA4E99207C/image-dimensions/580x303?v=v2" width="580" height="303" role="button" title="TusharTrivedi_23-1711558240404.png" alt="TusharTrivedi_23-1711558240404.png" /></span></P><P>Click on the Next button and make a final review of the trust setup you have configured. Then click on the Finish button and save the details.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_24-1711558240426.png" style="width: 586px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87645i81921A9A59AC826E/image-dimensions/586x306?v=v2" width="586" height="306" role="button" title="TusharTrivedi_24-1711558240426.png" alt="TusharTrivedi_24-1711558240426.png" /></span></P><P>Once done, you can see the new active trust configuration as shown below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_25-1711558240444.png" style="width: 581px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87644i1759C90ACFBCBE7C/image-dimensions/581x305?v=v2" width="581" height="305" role="button" title="TusharTrivedi_25-1711558240444.png" alt="TusharTrivedi_25-1711558240444.png" /></span></P><P>To provide access to the user, click on the Users section, which is inside the “Security” section of the left menu.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_26-1711558240458.png" style="width: 580px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87643i7725168E02472D61/image-dimensions/580x303?v=v2" width="580" height="303" 
role="button" title="TusharTrivedi_26-1711558240458.png" alt="TusharTrivedi_26-1711558240458.png" /></span></P><P>Click on the user and assign a role collection to the user as shown below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_27-1711558240478.png" style="width: 581px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87646iCC474B356848F0EC/image-dimensions/581x305?v=v2" width="581" height="305" role="button" title="TusharTrivedi_27-1711558240478.png" alt="TusharTrivedi_27-1711558240478.png" /></span></P><P>You can select different roles and assign them to the user. Here we have added three roles to the user. After selecting all the roles, click on the “Assign role collection” button and save the details.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_28-1711558240506.png" style="width: 580px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87648iDFCEFBDD87A73D6E/image-dimensions/580x303?v=v2" width="580" height="303" role="button" title="TusharTrivedi_28-1711558240506.png" alt="TusharTrivedi_28-1711558240506.png" /></span></P><P>We have completed the configurations in IBM Security Verify and SAP Cloud Identity Services. Let’s test it now by opening the SAP Business Application Studio application as shown below.</P><P><STRONG><U>How does it work? 
Let’s check.</U></STRONG></P><P>Log into the SAP BTP cockpit and navigate to “Instances and Subscriptions” under “Services” as highlighted below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_29-1711558240524.png" style="width: 582px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87647i747B918F47100581/image-dimensions/582x304?v=v2" width="582" height="304" role="button" title="TusharTrivedi_29-1711558240524.png" alt="TusharTrivedi_29-1711558240524.png" /></span></P><P>It will redirect you to SAP’s sign-in options screen. Here, select SAP Cloud Identity Services as the identity provider.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_30-1711558240534.png" style="width: 583px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87649iBB43174F0F6B5561/image-dimensions/583x306?v=v2" width="583" height="306" role="button" title="TusharTrivedi_30-1711558240534.png" alt="TusharTrivedi_30-1711558240534.png" /></span></P><P>Once you select it, you are redirected to the Verify sign-in options screen for authentication. 
Here you can select a different sign-in option for Verify, or log in with an IBMid or a Cloud Directory account.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_31-1711558240543.png" style="width: 580px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87650i48ED1F1BEB730AAE/image-dimensions/580x303?v=v2" width="580" height="303" role="button" title="TusharTrivedi_31-1711558240543.png" alt="TusharTrivedi_31-1711558240543.png" /></span></P><P>Enter your IBMid to log in and click the Continue button.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_32-1711558240557.png" style="width: 583px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87651iE87EDDC24774E25E/image-dimensions/583x305?v=v2" width="583" height="305" role="button" title="TusharTrivedi_32-1711558240557.png" alt="TusharTrivedi_32-1711558240557.png" /></span></P><P><SPAN>It will redirect you to the w3 authentication screen, where you can enter your w3 ID &amp; password.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_33-1711558240565.png" style="width: 580px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87653i9F758C1762A1DA16/image-dimensions/580x304?v=v2" width="580" height="304" role="button" title="TusharTrivedi_33-1711558240565.png" alt="TusharTrivedi_33-1711558240565.png" /></span></P><P>Once you click on Sign in, you will see the SAP Business Application Studio screen shown below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_34-1711558240572.png" style="width: 582px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87652i3AE86427757EF2BF/image-dimensions/582x306?v=v2" width="582" height="306" role="button" title="TusharTrivedi_34-1711558240572.png" alt="TusharTrivedi_34-1711558240572.png" /></span></P><P>Click on 
the “OK” button and you will be redirected to the SAP Business Application Studio home screen.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="TusharTrivedi_35-1711558240600.png" style="width: 581px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/87654i00A7A88933D64B54/image-dimensions/581x304?v=v2" width="581" height="304" role="button" title="TusharTrivedi_35-1711558240600.png" alt="TusharTrivedi_35-1711558240600.png" /></span></P><P><STRONG><U>Conclusion</U></STRONG></P><P>To summarise, combining IBM Security Verify with SAP Cloud Identity Services via SAML 2.0 provides a strong solution for organisations wishing to:<BR /><BR /><U>Enhance security</U>: By implementing multi-factor authentication and centralised user management, businesses may greatly minimise the risk of unauthorised access to vital data and applications.</P><P><U>Improve the user experience</U>: SAML 2.0 integration offers single sign-on, which allows users to access various applications with a single login, eliminating login fatigue and increasing overall user experience.</P><P><U>Simplify identity management</U>: Consolidating identity management across several platforms allows organisations to streamline administration operations and reduce the complexity of managing user access.</P><P>Overall, this integration enables organisations to achieve a balance between strong security and a user-friendly interface, building trust and confidence in this digital era.</P> 2024-04-02T10:29:43.856000+02:00 https://community.sap.com/t5/technology-blogs-by-sap/single-sign-on-to-sap-cloud-integration-cpi-runtime-from-an-external/ba-p/13655108 Single Sign On to SAP Cloud Integration (CPI runtime) from an external Identity Provider 2024-04-11T06:53:39.270000+02:00 vinayak_adkoli https://community.sap.com/t5/user/viewprofilepage/user-id/216068 <H2 id="toc-hId-990764901"><STRONG>Introduction:</STRONG></H2><P>Yes, you read it right (and you read it right 
here!). There is an <U>out-of-the-box</U> approach to achieving a single sign-on (SSO) experience for user flows between a corporate identity provider (that authenticates and authorizes the user) and a tenant of the Cloud Integration runtime (loosely called the CPI worker), fully within the BTP ecosystem.</P><P>OK, let’s zoom out a bit and break this down.</P><P>If you are reading this blog post, you probably know already that SAP BTP services can leverage the <U>OpenID Connect</U> federation-based mechanics of SAP Cloud Identity Services (read: SAP IAS) to connect users from corporate Identity Providers like Entra ID (formerly known as Azure AD), Okta, etc. to XSUAA, BTP’s OAuth Authorization Server.<BR />This is certainly not uncharted territory, and I wrote a detailed <A href="https://community.sap.com/t5/technology-blogs-by-sap/single-sign-on-to-sap-integration-suite-sap-api-business-hub-enterprise-via/ba-p/13573716" target="_self">blog post</A> a few months ago demonstrating this setup.</P><P>However, that setup applied mostly to browser-based SaaS applications (<EM>read</EM>: design-time applications with a web frontend), and that brings us to the objective of this blog: customers want to put together a similar setup for their client applications that interface with SAP Cloud Integration’s IFlows (in other words, the CPI runtime).<BR />Certainly, this is not impossible to achieve, and solution blueprints like these have existed in the past:</P><UL><LI>My colleague Francisco’s <A href="https://community.sap.com/t5/technology-blogs-by-sap/principal-propagation-in-sap-integration-suite-from-external-system-to-an/ba-p/13543111" target="_blank">blog</A> puts API Management in between a client and Cloud Integration and has API Management perform an OAuthSAMLBearer handshake.</LI><LI>Microsoft champion Martin Raepple <A href="https://community.sap.com/t5/technology-blogs-by-members/principal-propagation-in-a-multi-cloud-solution-between-microsoft-azure-and/ba-p/13479950" 
target="_blank">teaches</A> how to set up SAML Trust between Entra ID Identity Provider and BTP to set up a user impersonation flow.</LI></UL><P>However, these approaches were often seen as cumbersome to set up / troubleshoot and certainly not for the faint-hearted!</P><H2 id="toc-hId-794251396"><STRONG>Solution Summary:</STRONG></H2><P>An easier solution can be described in two phrases: '<FONT face="terminal,monaco" color="#993366">OpenID Connect</FONT>' and '<FONT face="terminal,monaco" color="#993366">Authorization Code</FONT> grant type'. If you are super-smart then you've figured it out already. You can stop reading this blog and hack this yourself.<BR />I wish you a nice day ahead! If you are like me and need a bit more explanation, keep reading <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Here is the solution blueprint that explains that handshake:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture1.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/93034i23EDF7DB077BF799/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.png" alt="Picture1.png" /></span></P><P style=" text-align: center; "><FONT size="2"><EM><STRONG>SCENARIO</STRONG>: Flows that require end-user authentication from external Identity Providers can natively do so with OIDC and Authorization Code grant type</EM></FONT></P><P><STRONG>Step 0:</STRONG> Generate Service Instance / Service Key SAP Cloud Integration Runtime. Refer to <A href="https://help.sap.com/docs/cloud-integration/sap-cloud-integration/specifying-service-instance-and-service-key-parameters-in-json-format" target="_self" rel="noopener noreferrer">this</A> link. 
Instead of <FONT face="terminal,monaco" color="#993366">Client Credentials</FONT>, make sure to select <FONT face="terminal,monaco" size="3" color="#993366">Authorization Code</FONT>.</P><P><STRONG>Step 1:</STRONG> Onboard the needed corporate identity providers in SAP IAS and set up the 'Application' that connects back to your SAP BTP subaccount as a <U>Trusted Identity Provider</U> via OpenID Connect. Refer to my <A href="https://community.sap.com/t5/technology-blogs-by-sap/single-sign-on-to-sap-integration-suite-sap-api-business-hub-enterprise-via/ba-p/13573716" target="_blank">previous</A> blog post for a detailed procedure.</P><P><STRONG>Step 2:</STRONG> The client (end user) initiates a connection to the required IFlow (or API artifact). This kicks off the 3-legged OAuth user login flow.</P><P data-unlink="true"><STRONG>Step 3:</STRONG> As the user is not signed in, she is redirected to XSUAA's login endpoint, and upon login the IAS tenant's OAuth server authorization endpoint at <EM>https://&lt;IAS tenant name&gt;.accounts.ondemand.com/oauth2/authorize</EM> is invoked using the authorization code grant type. The details of the federation that happens as part of the handshake are omitted here for simplicity. Suffice it to say that the authorization code from the identity provider is delivered to IAS's callback endpoint, then to XSUAA's authorize endpoint, and is finally exchanged for the actual access token. This access token bears the user's scopes and role permissions needed to access the Cloud Integration IFlow resource.</P><P><STRONG>Step 4:</STRONG> Once successfully authorized, on the receiver side of the IFlow, we will establish connections to 3 different types of backends for illustration purposes: <U>a)</U> an S/4HANA on-premise system over Cloud Connector and Principal Propagation, <U>b)</U> SuccessFactors, and <U>c)</U> S/4HANA Cloud with <U>OAuth2 SAMLBearer</U> Assertion security material.</P><H2 id="toc-hId-597737891">Putting it all together:</H2><P>Let's get our hands dirty by putting together the sequence now. The prerequisites to follow along are listed below:</P><UL><LI>Administrator privileges in the BTP subaccount where the Integration Suite subscription exists.</LI><LI>An IAS tenant (with Administrator privileges) that can be coupled (<EM>read</EM>: trusted) with the said BTP subaccount.</LI><LI>Privileges to create Applications (<EM>read</EM>: IDP configurations) in Entra ID (Azure AD) and/or Okta.</LI><LI>Postman client.</LI><LI>Backend systems to which the frontend user principal can be propagated: any of an S/4HANA on-premise system, S/4HANA Cloud, or a SuccessFactors tenant.</LI></UL><H3 id="toc-hId-530307105"><SPAN>Step 0: Create a Service Instance for the Authorization Code grant type</SPAN></H3><P><SPAN>Create an instance of the '<U>Process Integration Runtime</U>' service (integration-flow service plan), specifically with the <FONT face="terminal,monaco" color="#993366">authorization code</FONT> grant type. You can copy the JSON snippet pasted below. Do not worry about the location of the <FONT face="terminal,monaco" color="#993366">redirect_uri</FONT>. (When we get down to testing the flow, the browser will invoke the redirect_uri, but this has no consequence, as the 'code' will be available for us to copy as a query parameter from the URL itself. When we test this from the Postman client, Postman does not invoke the URL. If you are curious, you can read about it <A href="https://stackoverflow.com/questions/62760501/how-does-postman-handle-localhost-oauth-2-redirects" target="_self" rel="nofollow noopener noreferrer">here</A>.) 
Also note that we have specified <FONT face="terminal,monaco" color="#993366">refresh_token</FONT> among the requested grant types. This will let us demonstrate a client refreshing the access token after it expires.</SPAN></P><pre class="lia-code-sample language-json"><code>{
  "grant-types": [
    "refresh_token",
    "authorization_code"
  ],
  "redirect-uris": [
    "http://localhost"
  ],
  "roles": [
    "ESBMessaging.send"
  ]
}</code></pre><P>With the service instance created, generate a service key (an example block is pasted below). Grab the <FONT face="terminal,monaco" color="#993366">clientid</FONT>, <FONT face="terminal,monaco" color="#993366">clientsecret</FONT>, <FONT face="terminal,monaco" color="#993366">authorizationurl</FONT> and <FONT face="terminal,monaco" color="#993366">tokenurl</FONT> attributes. We will need these later.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-05 at 8.58.50 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92480iC725C39BBB316413/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-05 at 8.58.50 PM.png" alt="Screenshot 2024-04-05 at 8.58.50 PM.png" /></span></P><H3 id="toc-hId-333793600">Step 1: Configure SAP IAS as an OpenID Connect based Trusted Identity Provider in your SAP BTP subaccount</H3><P>This step is the <EM>heart-and-soul</EM> of our approach. We will couple an SAP IAS tenant with the BTP subaccount that holds the subscription of our SAP Cloud Integration (SAP Integration Suite) tenant using the OpenID Connect protocol, and then onboard the desired external Identity Providers (I will demonstrate Entra ID and Okta) as corporate identity providers in the IAS administration console.<BR />Since I've documented the steps in my previous blog, I will not repeat the exact steps here. 
Please refer to the following sections in the <A href="https://community.sap.com/t5/technology-blogs-by-sap/single-sign-on-to-sap-integration-suite-sap-api-business-hub-enterprise-via/ba-p/13573716" target="_self">linked</A> blog.</P><TABLE border="1" width="100%"><TBODY><TR><TD width="45.2319587628866%" height="30px"><STRONG>Objective</STRONG></TD><TD width="54.7680412371134%" height="30px"><STRONG>Steps to follow from the linked blog</STRONG></TD></TR><TR><TD width="45.2319587628866%" height="57px"><SPAN>Couple your BTP subaccount and your SAP IAS tenant.</SPAN></TD><TD width="54.7680412371134%" height="57px">Steps 1-6</TD></TR><TR><TD width="45.2319587628866%" height="85px"><SPAN>Configure applications (relying party) in Azure AD and Okta IDP based on OpenID Connect, with SAP IAS as the callback URI.</SPAN></TD><TD width="54.7680412371134%" height="85px">Steps 7-25</TD></TR><TR><TD width="45.2319587628866%" height="57px"><SPAN>Configure an application in Okta with SAML Trust to SAP IAS.</SPAN></TD><TD width="54.7680412371134%" height="57px">Steps 26-33</TD></TR><TR><TD width="45.2319587628866%" height="57px"><SPAN>Onboard the above Corporate Identity Provider configurations into SAP IAS.</SPAN></TD><TD width="54.7680412371134%" height="57px">Steps 34-46</TD></TR><TR><TD width="45.2319587628866%" height="57px"><SPAN>Configure IAS as the proxy Identity Provider and SAP BTP as the Service Provider.</SPAN></TD><TD width="54.7680412371134%" height="57px">Steps 47-52</TD></TR></TBODY></TABLE><P>Nevertheless, here is a summary of the main steps involved in the setup.</P><P>1. 
The subaccount where the Integration Suite subscription exists has a 'Trusted connection' with the OpenID Connect protocol (not SAML) to the IAS tenant.</P><H3 id="toc-hId-137280095"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-06 at 9.54.43 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92370i2923FA725D32E9FB/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-06 at 9.54.43 PM.png" alt="Screenshot 2024-04-06 at 9.54.43 PM.png" /></span></H3><P>2. The IAS tenant has a '<U>Corporate Identity provider</U>' connection to Azure AD (Entra ID) via a set of Application credentials and OpenID Connect protocol.</P><H3 id="toc-hId--59233410"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-06 at 9.38.55 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92371i46791EF93D74A62B/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-06 at 9.38.55 PM.png" alt="Screenshot 2024-04-06 at 9.38.55 PM.png" /></span></H3><H3 id="toc-hId--255746915">&nbsp;</H3><P>3. Notice the '<U>Application</U>' settings on the <U>Azure</U> side. 
The redirect URI has been set to the IAS tenant's '<FONT face="terminal,monaco" color="#993366">../oauth2/callback</FONT>' segment.</P><H3 id="toc-hId--452260420"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-06 at 9.36.29 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92373i509F15FCA90FD4E7/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-06 at 9.36.29 PM.png" alt="Screenshot 2024-04-06 at 9.36.29 PM.png" /></span></H3><P>4. The IAS tenant has a '<U>Corporate Identity provider</U>' connection to <U>Okta IDP</U> via a set of Application credentials and the OpenID Connect protocol.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-06 at 9.39.59 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92432i776D80A7FA5F374B/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-06 at 9.39.59 PM.png" alt="Screenshot 2024-04-06 at 9.39.59 PM.png" /></span></P><P>5. Notice the '<U>Application</U>' settings on the Okta side. The redirect URI has been set to the IAS tenant's '<FONT face="terminal,monaco" color="#993366">../oauth2/callback</FONT>' segment.</P><H3 id="toc-hId--648773925"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-06 at 9.37.38 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92374i81E6E2901B08DC4C/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-06 at 9.37.38 PM.png" alt="Screenshot 2024-04-06 at 9.37.38 PM.png" /></span></H3><P>6. We will not leverage this flow in our demonstration, but note that it is very much possible to use <U>SAML bindings</U> between the Corporate Identity Provider and IAS. 
The federation then works exactly as it does with OIDC.</P><H3 id="toc-hId--920518799"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-06 at 10.45.14 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92375iD2A2E55CFA07BCE7/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-06 at 10.45.14 PM.png" alt="Screenshot 2024-04-06 at 10.45.14 PM.png" /></span></H3><P>7. Next, we want to demonstrate a dynamic user role/authorization determination based on group assertions and <U>Role Collections</U>. For that, note that on the Azure side we have a group called '<U>IntegrationDevelopers</U>' that contains the users who must be authorized to call the IFlow / API on the Cloud Integration side.</P><H3 id="toc-hId--1117032304"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-06 at 9.46.09 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92376i8C5DCA173138645F/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-06 at 9.46.09 PM.png" alt="Screenshot 2024-04-06 at 9.46.09 PM.png" /></span></H3><P>8. Notice how the '<U>groups</U>' claim on the IAS side resolves to the value of the group from Azure.</P><H3 id="toc-hId--1313545809"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-06 at 9.44.09 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92378iBDD9051E0C87D093/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-06 at 9.44.09 PM.png" alt="Screenshot 2024-04-06 at 9.44.09 PM.png" /></span></H3><P>9. 
Similarly, see that the target user has been assigned to the '<U>IntegrationSuiteDevelopers'</U>&nbsp;Group in Okta.</P><H3 id="toc-hId--1510059314"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-06 at 9.41.35 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92379iCF54AEA938541828/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-06 at 9.41.35 PM.png" alt="Screenshot 2024-04-06 at 9.41.35 PM.png" /></span></H3><P>10. Okta presents the user's '<U>Groups</U>' claim to IAS that XSUAA will resolve in a later step.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-06 at 9.44.47 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92453iC8468488FC669780/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-06 at 9.44.47 PM.png" alt="Screenshot 2024-04-06 at 9.44.47 PM.png" /></span></P><P>11. As a last configuration step, notice that there is a RoleCollection on the BTP side (with the '<U>MessagingSend</U>' role assigned) mapped to the respective groups from the source identity providers.</P><H3 id="toc-hId--1706572819"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-06 at 10.16.35 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92380iC7EA847196B55E73/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-06 at 10.16.35 PM.png" alt="Screenshot 2024-04-06 at 10.16.35 PM.png" /></span></H3><P>&nbsp;</P><H3 id="toc-hId--1903086324">Step 2 &amp; 3: Initiate the client flow.</H3><P>The easiest way to demonstrate a client flow is to do so in <U>Postman</U> which natively supports simulating an OAuth 2.0 3-legged Authorization Code grant flow. 
We can break down the segments of the 3-legged flow in a <U>browser</U> as well. I will demonstrate both of these user agents.</P><P>Summary of the steps about to be performed in this section:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%"><STRONG>Objective</STRONG></TD><TD width="50%"><STRONG>Steps</STRONG></TD></TR><TR><TD width="50%">Use Postman to set up the Authorization Code flow with the Okta Identity Provider</TD><TD width="50%">1-8</TD></TR><TR><TD width="50%">Use Postman to set up the Authorization Code flow with the Entra ID Identity Provider</TD><TD width="50%">9</TD></TR><TR><TD width="50%">Usage of Refresh Tokens</TD><TD width="50%">13-14</TD></TR><TR><TD width="50%">Use a browser to set up the Authorization Code flow with the Identity Providers</TD><TD width="50%">15-18</TD></TR></TBODY></TABLE><P>1. Within the '<FONT face="terminal,monaco" color="#993366">Authorization</FONT>' tab in Postman, set the '<FONT face="terminal,monaco" color="#993366">Type</FONT>' to '<FONT face="terminal,monaco" color="#993366">OAuth 2.0</FONT>' and the '<FONT face="terminal,monaco" color="#993366">Grant type</FONT>' to '<FONT face="terminal,monaco" color="#993366">Authorization Code</FONT>'.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-07 at 11.15.05 AM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92461i98EB5D2D021225FD/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-07 at 11.15.05 AM.png" alt="Screenshot 2024-04-07 at 11.15.05 AM.png" /></span></P><P>2. 
Enter the <FONT face="terminal,monaco"><FONT color="#993366">Callback URL</FONT>, <FONT color="#993366">Auth URL</FONT>, <FONT color="#993366">Access Token URL</FONT>, <FONT color="#993366">Client ID</FONT> and <FONT color="#993366">Client Secret</FONT></FONT>&nbsp;using the values saved in the Step 0 block above.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-07 at 11.15.39 AM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92468i5508D569B3F6918F/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-07 at 11.15.39 AM.png" alt="Screenshot 2024-04-07 at 11.15.39 AM.png" /></span></P><P>3. Click on '<U>Get New Access Token</U>'. Make sure to open the '<U>Console</U>' tab at the bottom to keep track of the requests and responses on the wire.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-07 at 11.16.06 AM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92470iD8B6C992154608E8/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-07 at 11.16.06 AM.png" alt="Screenshot 2024-04-07 at 11.16.06 AM.png" /></span></P><P>4. Postman will launch the logon pop-up from BTP's Authorization Server. Notice that you are presented with a list of Identity Providers to log into, as configured in BTP's Trust Management section. Select the one that corresponds to your IAS tenant.<BR />Pay attention to the GET requests in the Console tab. 
You will see that the request to the 'authorize' resource is redirected to the login page.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-07 at 11.16.34 AM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92471i6DDB9ED43F11866D/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-07 at 11.16.34 AM.png" alt="Screenshot 2024-04-07 at 11.16.34 AM.png" /></span></P><P>5. The system prompts you for the user identifier; this serves as the input to the 'Conditional Authentication' rules set in the IAS tenant, which resolve the corporate identity provider to redirect to for the user logon challenge.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-07 at 11.16.57 AM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92472i5D854A4F4A5EE4E0/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-07 at 11.16.57 AM.png" alt="Screenshot 2024-04-07 at 11.16.57 AM.png" /></span></P><P>6. The system determines that the challenge should come from the Okta IDP for my <EM>*.sap.com</EM> user name. 
Please refer to the '<U>Conditional Authentication</U>' screenshot for a summary of the determination process.<BR />In the 'Console' section, make a note of how the callbacks are handled.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Conditional Authentication section in SAP IAS" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94888i08E3F205BCA248EF/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-10 at 9.32.30 PM.png" alt="Conditional Authentication section in SAP IAS" /><span class="lia-inline-image-caption">Conditional Authentication section in SAP IAS</span></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-07 at 11.17.19 AM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92473i7BA023461B56F428/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-07 at 11.17.19 AM.png" alt="Screenshot 2024-04-07 at 11.17.19 AM.png" /></span></P><P>7. Okta authenticates the user and presents the '<FONT face="terminal,monaco" color="#993366">authorization code</FONT>' back to IAS.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-07 at 11.17.23 AM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92474iEAFD77C181E2CDBC/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-07 at 11.17.23 AM.png" alt="Screenshot 2024-04-07 at 11.17.23 AM.png" /></span></P><P>8. 
Finally, the client exchanges the authorization code for the <FONT face="terminal,monaco" color="#993366">access token</FONT> at the configured token endpoint.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-07 at 11.17.30 AM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92475i3FCE2A6A26E6ECB8/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-07 at 11.17.30 AM.png" alt="Screenshot 2024-04-07 at 11.17.30 AM.png" /></span></P><P>9. Let us now perform steps 3-8 again, but this time log in with our <EM>*.outlook.com</EM> user, which is authenticated and authorized by Entra ID (Azure AD).</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-08 at 5.57.54 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/93040i2DB4528BC41E8F77/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-08 at 5.57.54 PM.png" alt="Screenshot 2024-04-08 at 5.57.54 PM.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-08 at 5.55.56 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/93041iFDA69D400BF70E20/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-08 at 5.55.56 PM.png" alt="Screenshot 2024-04-08 at 5.55.56 PM.png" /></span></P><P>10. Upon inspection, you will note that the access token issued by XSUAA has the '<FONT face="terminal,monaco" color="#993366">ESBMessaging.send</FONT>' scope, as determined by the '<FONT face="terminal,monaco" color="#993366">Groups</FONT>' claim presented by the source IDP. You will remember that we created a mapping for this resolution in a previous step. 
Also, note that the token response includes a <FONT face="terminal,monaco" color="#993366">refresh_token</FONT>.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-07 at 11.17.51 AM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92476i13000808DE7417E9/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-07 at 11.17.51 AM.png" alt="Screenshot 2024-04-07 at 11.17.51 AM.png" /></span></P><P>11. Further, if you inspect the respective JWTs issued by Okta and Entra ID, you will see that the tokens contain the claims that represent the <U>Groups</U>, <U>RoleCollections</U>, and <U>User</U> Identifier info.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-08 at 6.02.17 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/93038iDF074F57326C609D/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-08 at 6.02.17 PM.png" alt="Screenshot 2024-04-08 at 6.02.17 PM.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-08 at 6.01.10 PM.png" style="width: 982px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/93039i00D82A733F67F3CD/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-08 at 6.01.10 PM.png" alt="Screenshot 2024-04-08 at 6.01.10 PM.png" /></span></P><P>12. Simply go ahead and click '<U>Use Token</U>' to load the token into your request.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-07 at 11.18.01 AM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92477i0BF06E608D43D2AA/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-07 at 11.18.01 AM.png" alt="Screenshot 2024-04-07 at 11.18.01 AM.png" /></span></P><P>13. 
Using the refresh_token: the access token expires after a set duration (based on the 'expiry' setting). As you can see in the screenshot below, Postman detects that the available token has expired and offers an option to '<U>Refresh</U>' the token. Click on this button.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-07 at 12.58.21 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92484i6CD290951A002C25/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-07 at 12.58.21 PM.png" alt="Screenshot 2024-04-07 at 12.58.21 PM.png" /></span></P><P>14. Note in the Console tab that the client POSTs to the token endpoint with the available refresh_token and the grant_type set to refresh_token to get a fresh access token.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-07 at 12.59.15 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92485i844B14E9BCCE1FBB/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-07 at 12.59.15 PM.png" alt="Screenshot 2024-04-07 at 12.59.15 PM.png" /></span></P><P>15. In the next screenshots, let us perform the same set of steps in a browser.&nbsp;We will need to construct the URL to the <FONT face="terminal,monaco" color="#993366">/oauth/authorize</FONT> endpoint. The easiest way to do so is to copy the URL from the Postman Console we referred to before. 
The URL has the format:</P><PRE>https://&lt;tenant-id&gt;.authentication.&lt;dc&gt;.hana.ondemand.com/oauth/authorize?<BR />response_type=code&amp;client_id=&lt;url-encoded-client-id&gt;&amp;redirect_uri=&lt;url-encoded-redirect-uri&gt;</PRE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-08 at 8.58.56 AM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92933i2E3BE633C8DBD648/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-08 at 8.58.56 AM.png" alt="Screenshot 2024-04-08 at 8.58.56 AM.png" /></span></P><P>16. Invoke the URL in a browser.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-08 at 9.24.05 AM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92934iCE3000E772A66A02/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-08 at 9.24.05 AM.png" alt="Screenshot 2024-04-08 at 9.24.05 AM.png" /></span></P><P>17. After the 'login' and 'authenticate' procedures, you will see that the browser is redirected to the redirect_uri location. You can copy the '<FONT face="terminal,monaco" color="#993366">code</FONT>' parameter from the URL; the code is single-use and short-lived, so proceed to the next step promptly.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-08 at 8.59.57 AM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92935i642C2B58390DCE85/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-08 at 8.59.57 AM.png" alt="Screenshot 2024-04-08 at 8.59.57 AM.png" /></span></P><P>18. 
Go back to Postman and POST to the Access Token endpoint with the <FONT face="terminal,monaco" color="#993366">grant_type</FONT> set to <FONT face="terminal,monaco" color="#993366">authorization_code</FONT>, the copied <FONT face="terminal,monaco" color="#993366">code</FONT>, and the <FONT face="terminal,monaco" color="#993366">redirect_uri</FONT>. The server responds with an <FONT face="terminal,monaco" color="#993366">access_token</FONT> carrying the same set of attributes as demonstrated in Step 11.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-08 at 9.03.29 AM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92936iBAA309680685FF77/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-08 at 9.03.29 AM.png" alt="Screenshot 2024-04-08 at 9.03.29 AM.png" /></span></P><H3 id="toc-hId--2099599829">&nbsp;</H3><H3 id="toc-hId-1998853962">Step 4: Integration Flow receiver-side propagation</H3><P>Now that we have an <FONT face="terminal,monaco" color="#993366">access_token</FONT> that can be presented to the Cloud Integration runtime (to a 'Sender Adapter'), let us put together a simple IFlow that demonstrates that the user's identity from the external identity provider can be propagated to 3 backend systems - <U>a)</U> S/4HANA On-premise, <U>b)</U> SuccessFactors and <U>c)</U> S/4HANA Cloud - via the <U>Principal Propagation</U> (a) and <U>OAuth2SAMLBearer</U> (b and c) mechanisms respectively.</P><P>Here is a summary of the steps we intend to achieve:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%"><STRONG>Objective</STRONG></TD><TD width="50%"><STRONG>Steps</STRONG></TD></TR><TR><TD width="50%">Create a sample IFlow that demonstrates the user propagation sequence to 3 different types of backend systems.</TD><TD width="50%">1-2</TD></TR><TR><TD width="50%">Invoke the S/4HANA Cloud backend</TD><TD width="50%">3-7</TD></TR><TR><TD>Invoke the SAP SuccessFactors backend</TD><TD>8-13</TD></TR><TR><TD>Invoke the SAP S/4HANA On-premise backend</TD><TD>14-17</TD></TR></TBODY></TABLE><P>1. Let's start by putting together a simple IFlow to illustrate the user propagation flow. Since we plan to invoke 3 backends, the quickest way to demonstrate this is to create a <U>Router</U> with 3 branches, each with a 'Request-Reply' step for one backend type: S/4HANA Cloud, SuccessFactors, and S/4HANA On-premise respectively.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-09 at 5.04.01 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94321iB1506DA98BBAAA08/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-09 at 5.04.01 PM.png" alt="Screenshot 2024-04-09 at 5.04.01 PM.png" /></span></P><P>2. The logic we will follow is that the client passes a value in a custom header named 'target' that determines which of the routes is invoked.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-09 at 5.11.04 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94329iDAD95FEA401ADF4F/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-09 at 5.11.04 PM.png" alt="Screenshot 2024-04-09 at 5.11.04 PM.png" /></span></P><P>3. 
In the property sheet of the HTTP Receiver for the S/4HANA Cloud backend, notice that we've used a credential named '<FONT face="terminal,monaco" color="#993366">s4hanaCloudCredentials</FONT>' with the OAuth2 SAML Bearer Assertion type.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-09 at 5.04.51 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94322i510E3E684E9F63B9/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-09 at 5.04.51 PM.png" alt="Screenshot 2024-04-09 at 5.04.51 PM.png" /></span></P><P>4. I will not get into the details of how the attributes of this Security Material have been formulated. Refer to parts of&nbsp;<A href="https://community.sap.com/t5/technology-blogs-by-sap/how-to-get-principal-propagation-from-cloud-foundry-to-s-4hana-cloud-with/ba-p/13534051" target="_self">this</A> blog post for details. The points worth mentioning here are that <U>a)</U> we are using the target system type <U>SAP BTP (CF)</U> and<U> b)</U> the '<FONT face="terminal,monaco" color="#993366">userIdSource</FONT>'&nbsp;attribute is set to '<FONT face="terminal,monaco" color="#993366">email</FONT>' &amp; nameIdFormat is set to '<FONT face="terminal,monaco" color="#993366">urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</FONT>', implying that the user identifier from our original JWT token negotiated with the corporate identity provider serves as the user principal to be propagated.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-09 at 5.08.29 PM.png" style="width: 833px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94324iB398FD91A28BDD12/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-09 at 5.08.29 PM.png" alt="Screenshot 2024-04-09 at 5.08.29 PM.png" /></span></P><P>5. 
Let us make a call to the IFlow URL with the access token obtained in step 8 of the section above. Note that we've set the 'target' header to 's4hanacloud' so that the call is executed in the first route. We get an HTTP 200 OK and the service document as the response, and there you have it! We were able to successfully propagate the user from an external identity provider and execute a call in an S/4HANA backend in the user's context.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-09 at 5.11.42 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94328i421B86AB9618EB8D/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-09 at 5.11.42 PM.png" alt="Screenshot 2024-04-09 at 5.11.42 PM.png" /></span></P><P>6. How do I prove that the user was indeed propagated? The next two screenshots do so. Note that on the S/4HANA side, I have a 'Business User' that bears my email ID (the one propagated from Okta). Also, note that the HTTP call is executed in this user's context and NOT with the Communication User (technical user) attached to the Communication Arrangement.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-09 at 4.24.48 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94326i27A22AD5685783C2/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-09 at 4.24.48 PM.png" alt="Screenshot 2024-04-09 at 4.24.48 PM.png" /></span></P><P>7. To prove the point further, I execute step no. 
5 again, this time presenting my *@outlook.com user (which comes from Entra ID); you can see that the call fails and the error description states that the backend was not able to resolve the presented *.outlook.com user.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-09 at 5.13.21 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94327i890B800F01F00C1B/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-09 at 5.13.21 PM.png" alt="Screenshot 2024-04-09 at 5.13.21 PM.png" /></span></P><P>8. Let us now look at the 2nd route, the one that invokes a SuccessFactors URL. We use the same 'OAuth2 SAML Bearer Assertion' type with a credential named 'SFSFUserPrincipal'. On the Processing tab, you will see that I'm invoking a GET query on the JobProfile resource.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-09 at 5.06.05 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94332iB3049CBDC9B0A638/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-09 at 5.06.05 PM.png" alt="Screenshot 2024-04-09 at 5.06.05 PM.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-10 at 8.36.23 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94884i647EB0D62F0D3B36/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-10 at 8.36.23 PM.png" alt="Screenshot 2024-04-10 at 8.36.23 PM.png" /></span></P><P>9. In the details of the Security Material, note that we've set the attributes per the SuccessFactors <A href="https://help.sap.com/docs/SAP_SUCCESSFACTORS_EMPLOYEE_CENTRAL/736e8ee2ac8943c7b6278039a7924e97/3a77fab602834ca686824555f7560d70.html?version=2205" target="_blank" rel="noopener noreferrer">documentation</A>. 
The User ID is set for principal propagation. As before, we've used the same <FONT face="terminal,monaco" color="#993366">nameIdFormat</FONT> as set in step 4 above; don't forget to include the <FONT face="terminal,monaco" color="#993366">apiKey</FONT> attribute as well.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-09 at 5.09.01 PM.png" style="width: 966px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94333iE5CE169F04974F33/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-09 at 5.09.01 PM.png" alt="Screenshot 2024-04-09 at 5.09.01 PM.png" /></span></P><P>10. Let us now invoke the IFlow, this time with the header 'target' set to 'sfsf'. I get back a response from SuccessFactors with the JobProfile details.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-09 at 5.16.44 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94334i265F9EF4FBB1193A/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-09 at 5.16.44 PM.png" alt="Screenshot 2024-04-09 at 5.16.44 PM.png" /></span></P><P>11. Again, <EM>how do we prove that the call was indeed made in the signed-in user's context</EM>? There are many ways to establish this. 
A simple way I followed was to put a 'proxy' layer such as API Management in front of the SuccessFactors backend and print out the '<U>Bearer token</U>' from the '<U>Authorization</U>' header (do this only in a test tenant and remove the trace afterwards, since a logged bearer token is a reusable credential).&nbsp; Upon Base64-decoding the token, you will see that it bears an '<U>sfPrinciple</U>' attribute with the employee ID identifier.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-09 at 2.54.16 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94335i5FCCE4AFBD05E781/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-09 at 2.54.16 PM.png" alt="Screenshot 2024-04-09 at 2.54.16 PM.png" /></span></P><P>12. Look up the employee profile of the user in question in your SuccessFactors tenant and verify the matching employee ID and the corresponding email address.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-09 at 2.53.41 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94336i749BE4BD06089628/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-09 at 2.53.41 PM.png" alt="Screenshot 2024-04-09 at 2.53.41 PM.png" /></span></P><P>13. Negative testing: if I perform the call again, this time signing in with the email address from Entra ID, you should see a 401 Unauthorized exception stating that the propagated user wasn't resolved.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-09 at 5.15.20 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94337iC1819ED14B8CBFF6/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-09 at 5.15.20 PM.png" alt="Screenshot 2024-04-09 at 5.15.20 PM.png" /></span></P><P>14. Finally, we are down to the last segment of our testing. 
A connection to S/4HANA On-premise. I've configured an SAP Cloud Connector and an X.509 certificate signing procedure (which is beyond the scope of this demonstration) and have selected 'Principal Propagation' as the authentication type.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-09 at 5.06.26 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94413i1D03B76E1099D38B/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-09 at 5.06.26 PM.png" alt="Screenshot 2024-04-09 at 5.06.26 PM.png" /></span></P><P>15. Invoking the client this time with the 'target' header set to 's4hanaonpremise', I get back a response from the server with the service document for the invoked GWSAMPLE_BASIC OData service.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-10 at 9.42.33 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94889i5506CCA84879D9A5/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-10 at 9.42.33 PM.png" alt="Screenshot 2024-04-10 at 9.42.33 PM.png" /></span></P><P>16. As a quick verification step, go to the 'Monitor' section in the Cloud Connector; within the 'Most Recent Requests' tab, you can see a record of the 'User' that was propagated.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-09 at 4.54.26 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94414i8899BAAC3848E6E0/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-09 at 4.54.26 PM.png" alt="Screenshot 2024-04-09 at 4.54.26 PM.png" /></span></P><P>17. 
Open the LJSTrace log file and you can find a log entry that corresponds to the user subject that was propagated via the short-lived X.509 certificate.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-04-09 at 5.02.03 PM.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94415iC16607E26C47C404/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-04-09 at 5.02.03 PM.png" alt="Screenshot 2024-04-09 at 5.02.03 PM.png" /></span></P><P><EM>Phew!</EM></P><H2 id="toc-hId-2095743464">Summary:</H2><P>It is beyond doubt that '<FONT face="terminal,monaco" color="#993366">client credentials</FONT>' and '<FONT face="terminal,monaco" color="#993366">x.509 certificate</FONT>' are the two most prominent and widely used ways to authenticate to an Integration Flow / API artifact in SAP Integration Suite, but should you need to authenticate and authorize with the client user's identity from a corporate Identity Provider, OpenID Connect support in SAP Cloud Identity Services together with the <FONT face="terminal,monaco" color="#993366">Authorization Code</FONT> grant type in SAP Integration Suite provide an excellent, out-of-the-box approach to get the job done.</P><P>Cheers, and more power to the&nbsp; <a href="https://community.sap.com/t5/c-khhcw49343/SAP+Integration+Suite/pd-p/73554900100800003241" class="lia-product-mention" data-product="23-1">SAP Integration Suite</a>&nbsp;&nbsp;Community!</P> 2024-04-11T06:53:39.270000+02:00 https://community.sap.com/t5/technology-blogs-by-sap/sap-secure-login-service-for-sap-gui-now-supports-custom-certificate/ba-p/13666599 SAP Secure Login Service for SAP GUI Now Supports Custom Certificate Authorities on AWS 2024-04-11T10:24:50.174000+02:00 Martina_Kirschenmann https://community.sap.com/t5/user/viewprofilepage/user-id/5013 <P><STRONG>The SAP Secure Login Service for SAP GUI solution provides your SAP GUI users 
with simple and secure access to their ABAP-based business applications. In March 2024, we released the long-awaited Custom Certificate Authority (CA) feature. You can now integrate your own Public Key Infrastructure (PKI) by connecting to a private CA hosted on Amazon Web Services (AWS).</STRONG></P><P>With the SAP Secure Login Service for SAP GUI, you can provide end users of SAP GUI with X.509 certificates that enable single sign-on (SSO) to ABAP-based business applications. After successful authentication, the SAP Secure Login Service provisions a short-lived X.509 certificate to the Secure Login Client on the end-user desktop. This certificate is then used for SSO to the ABAP systems. In the initial scope of the solution, the SAP-managed Cloud CA was used to sign these end-user certificates.</P><P><FONT size="4"><STRONG>What’s new?</STRONG></FONT></P><P>With the newly released feature, you now have the option to integrate your own PKI by connecting your cloud-based private CA running on Amazon Web Services (AWS) to the SAP Secure Login Service. After successful authentication of the end user, your private CA issues an X.509 certificate, and the SAP Secure Login Service then returns this X.509 certificate to the Secure Login Client on the end-user desktop.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="SAP Secure Login Service for SAP GUI - Custom CA AWS.jpg" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/94949iB409141F953D0970/image-size/large?v=v2&amp;px=999" role="button" title="SAP Secure Login Service for SAP GUI - Custom CA AWS.jpg" alt="SAP Secure Login Service for SAP GUI - Custom CA AWS.jpg" /></span></P><P><FONT size="4"><STRONG>How does it work?</STRONG></FONT></P><P>By connecting your cloud-based private CA running on AWS, the X.509 certificates are signed by your own customer-managed CA. 
The SAP Secure Login Service simply reuses your CA setup and provisions the certificates to the Secure Login Client of the end users.</P><P>The configuration required for the token exchange, the credentials for accessing AWS, and the AWS Private CA to be used are all configured in the administration console of SAP Secure Login Service (via the new tab “Custom CA”). This configuration is needed for a secure token exchange and ensures that only your SAP Secure Login Service subscription can be used to access your custom CA, and at the same time that the certificates can only be used for SAP GUI SSO.</P><P>Of course, the certificates signed by your custom CA will look different from the ones signed by the SAP Cloud Root CA. You decide on the root, on how many levels the CA hierarchy has, and on the names.</P><P>For configuration information, please refer to the documentation available on the SAP Help Portal here:</P><P><SPAN><A href="https://help.sap.com/docs/SAP%20SECURE%20LOGIN%20SERVICE/c35917ca71e941c5a97a11d2c55dcacd/32875689a8654e0bb3c8697fb6947940.html" target="_blank" rel="noopener noreferrer">https://help.sap.com/docs/SAP%20SECURE%20LOGIN%20SERVICE/c35917ca71e941c5a97a11d2c55dcacd/32875689a8654e0bb3c8697fb6947940.html</A></SPAN></P><P><FONT size="4"><STRONG>What are the benefits?</STRONG></FONT></P><P>For compliance reasons you might not be allowed to use the SAP-managed Cloud CA to sign the end-user certificates but have to use a CA that is fully under your control. With the new feature you can now integrate your custom CA running on AWS, thereby having full control over how the CA is set up. 
For example, you control the root of the CA, whether it is kept in the AWS CA or offline, and what the signed certificates look like.</P><P><FONT size="4"><STRONG>More information</STRONG></FONT></P><P>For more information about our SAP Secure Login Service for SAP GUI solution and to stay up to date on the latest developments, visit our topic page in SAP Community:</P><P><SPAN><A href="https://pages.community.sap.com/topics/single-sign-on" target="_blank" rel="noopener noreferrer"><STRONG>https://pages.community.sap.com/topics/single-sign-on</STRONG></A></SPAN></P><P>&nbsp;</P> 2024-04-11T10:24:50.174000+02:00 https://community.sap.com/t5/enterprise-resource-planning-blogs-by-sap/influence-the-development-of-sap-enterprise-threat-detection-cloud-edition/ba-p/13687244 INFLUENCE THE DEVELOPMENT OF SAP ENTERPRISE THREAT DETECTION, CLOUD EDITION 2024-05-03T06:40:10.948000+02:00 KirtiSingh01 https://community.sap.com/t5/user/viewprofilepage/user-id/1447958 <P>Introducing the influence page for SAP Enterprise Threat Detection, cloud edition.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KirtiSingh01_2-1714475829296.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/103858i767BFD6748C29B56/image-size/large?v=v2&amp;px=999" role="button" title="KirtiSingh01_2-1714475829296.png" alt="KirtiSingh01_2-1714475829296.png" /></span></P><P>The SAP Enterprise Threat Detection product team is inviting customers and partners to share their feedback and ideas to enhance our solution.</P><P>On the <A href="https://influence.sap.com/sap/ino/#/campaign/3606" target="_blank" rel="noopener noreferrer">SAP Enterprise Threat Detection, cloud edition Influence page</A> you can see all submitted requests, submit your own improvement requests, and vote and comment on other ideas.</P><P>The rationale and advantages of a customer influence page include:</P><UL><LI>Augmenting customers' engagement and influence on product 
features.</LI><LI>Improving products and services using meaningful customer insights.</LI><LI>Cultivating an engaged community.</LI><LI>Serving as a central platform for customer suggestions and fueling innovation.</LI></UL><P>The product team regularly evaluates the ideas and considers them for roadmap planning. Votes help to prioritize ideas along with other important selection criteria such as:</P><UL><LI><STRONG>DESIRABILITY</STRONG>: How many customers voted for this? How many customers will benefit from it?</LI><LI><STRONG>VIABILITY</STRONG>: Is this Improvement Request globally relevant? Is it in alignment with SAP’s strategy for the product?</LI><LI><STRONG>FEASIBILITY</STRONG>: Is the development effort realistic? Is this request achievable within the product’s architecture?</LI></UL><P>While this page is mainly for the public cloud edition, for the private cloud and on-premise versions feel free to propose integration-related ideas.</P><P><STRONG>Follow the steps below to get access</STRONG>&nbsp;and start sharing your enhancement ideas:</P><UL><LI><STRONG>Go to</STRONG>&nbsp;the <A href="https://influence.sap.com/sap/ino/#/campaign/3606" target="_blank" rel="noopener noreferrer">SAP Enterprise Threat Detection, cloud edition Influence page</A>.<UL class="lia-list-style-type-circle"><LI>If you are a new user, create a user account using your S-User ID and accept the Terms of Use. Once the user is created, you activate SSO and can access the page without any interruption.</LI></UL></LI><LI><STRONG>Follow&nbsp;</STRONG>the session to get notified of new Improvement Requests and blogs.</LI><LI><STRONG>Vote</STRONG>&nbsp;and&nbsp;<STRONG>comment</STRONG>&nbsp;on Improvement Requests posted by other customers and partners.</LI><LI><STRONG>Submit</STRONG>&nbsp;new Improvement Requests.</LI></UL><P>You can also check out the videos and links below if you wish to learn more about SAP Continuous Influence and how to submit and manage improvement requests:</P><UL><LI><A href="https://www.sap.com/assetdetail/2019/06/145793d7-517d-0010-87a3-c30de2ffd8ff.html" target="_blank" rel="noopener noreferrer">How to get started and navigate on the Customer Influence Site</A></LI><LI><A href="https://www.sap.com/assetdetail/2018/11/08f0cc5e-277d-0010-87a3-c30de2ffd8ff.html" target="_blank" rel="noopener noreferrer">How to submit an improvement request</A></LI><LI><A href="https://www.sap.com/about/customer-involvement/influence-adopt.influence-opportunities.html#join-customer-influence" target="_blank" rel="noopener noreferrer">SAP Customer Influence and Adoption main info page</A></LI></UL><P>Please reach us at <A href="mailto:SAP-ETD@sap.com" target="_blank" rel="noopener nofollow noreferrer">SAP-ETD@sap.com</A> in case of any issue.</P><P>We look forward to seeing your ideas and to further improving our software as we move forward.</P> 2024-05-03T06:40:10.948000+02:00 https://community.sap.com/t5/technology-blogs-by-members/streamlining-user-provisioning-from-ibm-verify-to-sap-cloud-identity/ba-p/13695010 Streamlining User Provisioning from IBM Verify to SAP Cloud Identity Services 2024-05-08T12:57:02.652000+02:00 TusharTrivedi https://community.sap.com/t5/user/viewprofilepage/user-id/150726 <P>SAP Cloud Identity Services (CIS), part of SAP BTP, can be used to integrate Identity and Access Management (IAM). 
In our last blog we discussed the integration of SAP Cloud Identity Services (CIS) with IBM Security Verify, and now we are taking the next step in this integration. User provisioning is the process of setting up new user accounts in a system or application. In this blog we explore a common use case: transitioning user provisioning from IBM Verify to SAP Cloud Identity Services, and how this transition can streamline operations and enhance security.</P><P><STRONG>The Challenge of User Provisioning</STRONG></P><P>User provisioning is the process of granting and controlling access to resources within an organisation’s IT infrastructure. Historically, on-boarding or off-boarding users has been a laborious and time-consuming procedure that frequently required numerous steps across multiple systems. As businesses embrace cloud solutions, the complexity of user provisioning has grown, necessitating automated and integrated approaches.</P><P><STRONG>Transitioning from IBM Verify to SAP Cloud Identity Services</STRONG></P><P>IBM Verify is a comprehensive identity and access management system that includes multi-factor authentication (MFA) and adaptive access control, while SAP Cloud Identity Services offers identity lifecycle management, single sign-on (SSO), and access governance features. Integrating the two systems helps organisations automate and streamline user provisioning, while also improving security and user experience.</P><P><STRONG><U>How does it work?</U></STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 1.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107254iC87D93636632C1FF/image-dimensions/600x390?v=v2" width="600" height="390" role="button" title="Picture 1.jpg" alt="Picture 1.jpg" /></span></P><P>The diagram shows IBM Security Verify acting as the central user management system. It creates user accounts and manages their attributes, and also provisions (creates) them in SAP Cloud Identity Services, syncing the relevant user attributes. Selected attributes from Verify are mapped to specific target attributes in SAP Cloud Identity Services, ensuring consistent user information across both systems. SCIM, a standardised protocol, carries the communication between Verify and SAP Cloud Identity Services. On the left side of the diagram, IBM Security Verify acts as a SCIM server, receiving requests for user management and then modifying the target directory as needed. This streamlines user creation and ensures consistent user information across both systems.</P><P><STRONG><U>Prerequisites</U></STRONG></P><UL><LI>SAP Cloud Identity Services (for a trial instance check this <A href="https://help.sap.com/docs/cloud-identity?locale=en-US" target="_blank" rel="noopener noreferrer">link</A>)</LI><LI>IBM Security Verify (for a trial instance check this <A href="https://www.ibm.com/docs/en/security-verify?topic=overview-accessing-security-verify" target="_blank" rel="noopener nofollow noreferrer">link</A>)</LI><LI>A smartphone with the IBM Security Verify app</LI></UL><P><STRONG><U>Configurations and Settings in IBM Security Verify and SAP Cloud Identity Services</U></STRONG></P><P>Log into <A href="https://ibmlabs.verify.ibm.com/ui/admin" target="_blank" rel="noopener nofollow noreferrer">IBM Security Verify</A> as an administrator.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 2.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107255iF33506AB018341EE/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 2.jpg" alt="Picture 2.jpg" /></span></P><P>When a user logs in, the home screen shown below is displayed.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" 
image-alt="Picture 3.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107256iA46ECE028C7D63C1/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 3.jpg" alt="Picture 3.jpg" /></span></P><P>On the left panel, click on "Applications" under "Applications". On the right side of the screen there is an “Add application” button; click on it.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 4.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107258i998C9B160EB85555/image-dimensions/600x329?v=v2" width="600" height="329" role="button" title="Picture 4.jpg" alt="Picture 4.jpg" /></span></P><P>Fill in the necessary details under the “General” section as shown below and save them.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 5.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107259iF49D6F1784AAD6A7/image-dimensions/600x363?v=v2" width="600" height="363" role="button" title="Picture 5.jpg" alt="Picture 5.jpg" /></span></P><P>Before we go further, let’s log into the SAP BTP account; you will be taken to the SAP BTP Cockpit. As shown below, navigate to the “Instances and Subscriptions” tab under “Services”.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 6.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107261i1A4FCC6A1C0D1C12/image-dimensions/601x326?v=v2" width="601" height="326" role="button" title="Picture 6.jpg" alt="Picture 6.jpg" /></span></P><P>You have to enable the Cloud Identity Services application.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 7.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107262i0B72D5F41CB61C9B/image-dimensions/601x316?v=v2" width="601" height="316" role="button" title="Picture 7.jpg" alt="Picture 7.jpg" /></span></P><P>Once enabled, it will look as below. Now click on the Cloud Identity Services application and you will be redirected to the SAP authentication login screen as shown below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 8.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107263iCC19230226369943/image-dimensions/601x316?v=v2" width="601" height="316" role="button" title="Picture 8.jpg" alt="Picture 8.jpg" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 9.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107266i357621A8168E5EF0/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 9.jpg" alt="Picture 9.jpg" /></span></P><P>After a successful login, you can see the home screen of Cloud Identity Services. Go to “Identity Providers” as highlighted below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 10.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107268i5D2F63349F825C38/image-dimensions/601x337?v=v2" width="601" height="337" role="button" title="Picture 10.jpg" alt="Picture 10.jpg" /></span></P><P>Click on Corporate Identity Providers and create a new identity provider.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 11.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107269i7DEC6BF3C2F442CB/image-dimensions/601x313?v=v2" width="601" height="313" role="button" title="Picture 11.jpg" alt="Picture 11.jpg" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 12.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107270iDFD2CD3C9DA26807/image-dimensions/601x337?v=v2" width="601" height="337" role="button" title="Picture 12.jpg" alt="Picture 12.jpg" /></span></P><P>Once the new identity provider is successfully added, click on the identity provider type and select SAML 2.0 compliant, as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 13.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107271i5C962799BF791BA2/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 13.jpg" alt="Picture 13.jpg" /></span></P><P>Go to the SAML configuration section and fill in the information as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 14.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107275iD992FDB591A7B11C/image-dimensions/600x315?v=v2" width="600" height="315" 
role="button" title="Picture 14.jpg" alt="Picture 14.jpg" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 15.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107279i5840BC903244CD42/image-dimensions/601x314?v=v2" width="601" height="314" role="button" title="Picture 15.jpg" alt="Picture 15.jpg" /></span></P><P>You can browse for the “Metadata” file on your device once you have downloaded it from the IBM Security Verify dashboard. Go to the “Sign on” section of the application; on the right side of the screen, download the file from the given URL and upload it in SAP Cloud Identity Services as highlighted below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 16.jpg" style="width: 598px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107280i74553FB8FBABC481/image-dimensions/598x329?v=v2" width="598" height="329" role="button" title="Picture 16.jpg" alt="Picture 16.jpg" /></span></P><P>Click on the Trusting Applications section and add the SAP BTP trial subaccount.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 17.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107281i7C0241A7448A67D6/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 17.jpg" alt="Picture 17.jpg" /></span></P><P>Establish the trust configuration, which is under the “Security” section, for the Cloud Identity application as shown in the screenshots below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 18.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107282i6B60DB321260CD72/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 18.jpg" alt="Picture 18.jpg" /></span></P><P>You will see the steps below once you click on Establish Trust. In the first step, choose a tenant and click Next.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 19.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107284iC5DF2A58932143A3/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 19.jpg" alt="Picture 19.jpg" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 20.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107285i669823593CB1EF97/image-dimensions/601x317?v=v2" width="601" height="317" role="button" title="Picture 20.jpg" alt="Picture 20.jpg" /></span></P><P>After selecting a tenant, choose a domain for your SAP Cloud Identity Services application.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 21.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107286iDC0DF0A0829D035F/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 21.jpg" alt="Picture 21.jpg" /></span></P><P>Click Next and configure the parameters as shown in the screenshot below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 22.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107288iD40F34CDECC0FD9A/image-dimensions/601x317?v=v2" width="601" height="317" role="button" title="Picture 22.jpg" alt="Picture 22.jpg" /></span></P><P>Click Next and review the setup you have made while establishing the trust. Finally, click Finish and save the details.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 23.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107289iD6BAA6A35F4A9AA5/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 23.jpg" alt="Picture 23.jpg" /></span></P><P>Once done, you can see the new active trust configuration as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 24.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107392i27CD4C569D25B32C/image-dimensions/601x317?v=v2" width="601" height="317" role="button" title="Picture 24.jpg" alt="Picture 24.jpg" /></span></P><P>Now go back to IBM Security Verify and click on the “Sign-on” section, then select the “Use metadata” checkbox. This allows us to upload the metadata file we downloaded from SAP BTP, as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 25.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107394i216EC7591BDAD303/image-dimensions/601x317?v=v2" width="601" height="317" role="button" title="Picture 25.jpg" alt="Picture 25.jpg" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 26.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107395i35F9A561397134EF/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 26.jpg" alt="Picture 26.jpg" /></span></P><P>Upload the metadata file you recently saved on your device to the IBM Verify dashboard.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 27.jpg" style="width: 600px;"><img 
src="https://community.sap.com/t5/image/serverpage/image-id/107397i52227C152B94583A/image-dimensions/600x339?v=v2" width="600" height="339" role="button" title="Picture 27.jpg" alt="Picture 27.jpg" /></span></P><P>Now go to the “Account lifecycle” tab and add the SCIM URL, username and password as shown in the image below. You can get all the details from the SAP Cloud Identity Services application page.</P><P>To get the SCIM URL, go to SAP CIS, take the URL from the browser and add “SCIM” at the end of the URL.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 28.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107398i0F1E9139A1B89A00/image-dimensions/600x333?v=v2" width="600" height="333" role="button" title="Picture 28.jpg" alt="Picture 28.jpg" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 29.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107399iC0B3302E3F629661/image-dimensions/600x333?v=v2" width="600" height="333" role="button" title="Picture 29.jpg" alt="Picture 29.jpg" /></span></P><P>After adding the above details, scroll down to the “Attribute mapping” section. Check the box for each attribute you want to map from IBM Verify to SAP CIS and keep updated. Here we have checked email. Save once the changes are complete.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 30.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107400i05DBB07F4608DEC7/image-dimensions/600x351?v=v2" width="600" height="351" role="button" title="Picture 30.jpg" alt="Picture 30.jpg" /></span></P><P>We have completed the configurations in IBM Security Verify and SAP Cloud Identity Services. Let’s add a user with attributes in Verify and check whether it is mapped into the Cloud Identity Users dashboard.</P><P>Go to the Users tab under the “Directory” section on the left side of the Verify dashboard and click on the “Add User” button as shown in the screenshot below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 31.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107401iD25469100AB22F06/image-dimensions/601x359?v=v2" width="601" height="359" role="button" title="Picture 31.jpg" alt="Picture 31.jpg" /></span></P><P>Fill out the necessary information for the user as shown in the image below and click on “Save”.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 32.jpg" style="width: 300px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107402i6BC43DACFD285AE2/image-dimensions/300x427?v=v2" width="300" height="427" role="button" title="Picture 32.jpg" alt="Picture 32.jpg" /></span></P><P>Scroll down and you can add more details about the user. Here we have added an email ID, mobile number and company details.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 33.jpg" style="width: 300px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107404i61838B107F605CA6/image-dimensions/300x495?v=v2" width="300" height="495" role="button" title="Picture 33.jpg" alt="Picture 33.jpg" /></span>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 34.jpg" style="width: 293px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107405i6D6E7519C623DBAE/image-dimensions/293x495?v=v2" width="293" height="495" role="button" title="Picture 34.jpg" alt="Picture 34.jpg" /></span></P><P>Once done, click on the Save button and the user details will be saved.</P><P>Open the Cloud Identity Services application and go to the user section to check whether the newly created user from Verify is mapped.</P><P>Click on the “Instances and Subscriptions” section under “Services” on the left menu, and once the application list is shown, click on the Cloud Identity Services application as shown below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 35.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107406i9D4A6985D7838094/image-dimensions/601x353?v=v2" width="601" height="353" role="button" title="Picture 35.jpg" alt="Picture 35.jpg" /></span></P><P>When the application is loaded, click on the “User Management” tile and the full user list will be displayed.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 36.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107407i4908B40D66F3039E/image-dimensions/600x354?v=v2" width="600" height="354" role="button" title="Picture 36.jpg" alt="Picture 36.jpg" /></span></P><P>As you can see in the screenshot below, a new user has been created, added from Verify and mapped into SAP Cloud Identity Services. The user details are also mapped into Cloud Identity Services.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 37.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107408i49144A562C9FB9B1/image-dimensions/600x351?v=v2" width="600" height="351" role="button" title="Picture 37.jpg" alt="Picture 37.jpg" /></span></P><P><STRONG><U>Conclusion</U></STRONG></P><P>Effective user provisioning is critical to maintaining security, compliance, and operational efficiency. Centralising identity management, improving security, and streamlining administration activities enables organisations to successfully manage user identities and access controls across their entire IT infrastructure. Embracing integrated identity management solutions is more than just convenient; it is a strategic need for businesses looking to flourish in an increasingly connected and security-conscious environment.</P><P><STRONG><U>More information:</U></STRONG></P><P>Refer to our other blog on <A href="https://community.sap.com/t5/technology-blogs-by-members/integrating-ibm-security-verify-with-sap-cloud-identity-services-in-sap-btp/ba-p/13651722" target="_blank">SAP Cloud Identity Services integration with IBM Security Verify</A>.</P><P>If you have any question about SAP BTP, please refer to <A href="https://community.sap.com/" target="_blank">SAP Community</A>, and for any question about IBM Security Verify refer to the <A href="https://community.ibm.com/community/user/security/communities/community-home?CommunityKey=e7c36119-46d7-42f2-97a9-b44f0cc89c6d" target="_blank" rel="noopener nofollow noreferrer">IBM Security Verify Community</A>.</P> 2024-05-08T12:57:02.652000+02:00 
https://community.sap.com/t5/enterprise-resource-planning-blogs-by-sap/sap-s-4hana-extracting-user-email-addresses-from-standard-tables/ba-p/13697756 SAP S/4HANA - Extracting User Email Addresses from Standard Tables 2024-05-10T15:09:30.362000+02:00 karthikj2 https://community.sap.com/t5/user/viewprofilepage/user-id/148163 <P><FONT size="5"><STRONG>What are we discussing here?</STRONG></FONT></P><P>When working with SAP systems, you frequently need to look up or verify user email addresses. Whether it is to send automated notifications, facilitate communication between users, or generate reports, having accurate and up-to-date email addresses is crucial. However, extracting email addresses from an SAP system is not as easy as it might seem. In this blog post we explore the simplest method to find the email addresses of users in SAP standard tables.</P><P>Note: there is no direct transaction code or program to extract the email addresses of users.</P><P><FONT size="5"><STRONG>How are we going to achieve it?</STRONG></FONT></P><P>The primary table that stores user information in SAP is <STRONG>USR21</STRONG>. This table contains user master data, including the personnel number (<STRONG>PERSNUMBER</STRONG>) associated with each user. To retrieve email addresses, we link this table with the address data table <STRONG>ADR6</STRONG>.</P><P><STRONG>What is USR21?</STRONG></P><P>USR21 is a standard table in the SAP ERP system that assigns user names to address keys.</P><P><STRONG>What is ADR6?</STRONG></P><P>ADR6 is a standard table in the SAP ERP system that stores email addresses (Business Address Services) for any address record.</P><P><FONT size="5"><STRONG>Procedure to Extract Email Addresses from SAP Tables</STRONG></FONT></P><P>Execute the table view transaction code <STRONG>SE16</STRONG> -&gt; Enter Table Name: <STRONG>USR21</STRONG> -&gt; Execute</P><P>Provide the list of User ID(s) through Multiple Selection for <STRONG>BNAME</STRONG> -&gt; Execute</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="karthikj2_5-1715344388432.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/108676iCEC89D0CE48CCB7B/image-size/medium?v=v2&amp;px=400" role="button" title="karthikj2_5-1715344388432.png" alt="karthikj2_5-1715344388432.png" /></span></P><P>Copy the list of personnel numbers (<STRONG>PERSNUMBER</STRONG>) for the users.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="karthikj2_6-1715344388441.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/108674iCC1979566995EEFE/image-size/medium?v=v2&amp;px=400" role="button" title="karthikj2_6-1715344388441.png" alt="karthikj2_6-1715344388441.png" /></span></P><P>Execute the table view transaction code <STRONG>SE16</STRONG> -&gt; Enter Table Name: <STRONG>ADR6</STRONG> -&gt; Execute</P><P>Provide the list of personnel number(s) through Multiple Selection for <STRONG>PERSNUMBER</STRONG> -&gt; Execute</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="karthikj2_7-1715344388447.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/108675i7E1876E52EBE5A3D/image-size/medium?v=v2&amp;px=400" role="button" title="karthikj2_7-1715344388447.png" alt="karthikj2_7-1715344388447.png" /></span></P><P>The <STRONG>SMTP_ADDR</STRONG> column of the ADR6 table provides the list of email addresses for the users.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="karthikj2_8-1715344388454.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/108680i9911656A2E120BA1/image-size/medium?v=v2&amp;px=400" role="button" title="karthikj2_8-1715344388454.png" alt="karthikj2_8-1715344388454.png" /></span></P><P>SAP also lets you export the list to a spreadsheet from this screen.</P><P><STRONG>Tip:</STRONG> make sure to select ALV Grid Display in User-Specific Settings on the initial screen of ADR6.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="karthikj2_9-1715344388461.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/108681iA9B307175988C370/image-size/medium?v=v2&amp;px=400" role="button" title="karthikj2_9-1715344388461.png" alt="karthikj2_9-1715344388461.png" /></span></P><P><FONT size="5"><STRONG>What are other options?</STRONG></FONT></P><P>Another approach for SAP S/4HANA is to leverage the built-in Core Data Services (<STRONG>CDS</STRONG>) views.</P><P>Table <STRONG>PUSER002</STRONG> can also be used: BNAME = user name; ensure the <STRONG>SMTP_ADDR</STRONG> column is visible.</P><P><FONT size="5"><STRONG>Word of Caution</STRONG></FONT></P><P><STRONG>Avoid Unintended Disclosure</STRONG></P><P>When querying SAP tables, be cautious not to inadvertently disclose email addresses to unauthorized users or external sources. Limit access to relevant personnel and follow proper authorization procedures.</P><P>Remember, accurate and secure email addresses contribute to smooth business processes and effective communication within your organization. Handle them responsibly, and always prioritize data protection.</P><P>If you have any further questions or need assistance, do not hesitate to comment on this blog. Happy SAP querying!</P><P>Feel free to share this article with your colleagues and peers who work with SAP systems.</P> 2024-05-10T15:09:30.362000+02:00 https://community.sap.com/t5/technology-blogs-by-sap/identity-access-management-iam-reference-architectures-2024/ba-p/13697891 Identity Access Management (IAM) Reference Architectures 2024 2024-05-10T17:20:21.397000+02:00 1Gunnar https://community.sap.com/t5/user/viewprofilepage/user-id/11449 <H1 id="toc-hId-865442847"><STRONG>Identity Access Management Reference Architectures in 2024</STRONG></H1><P>We are happy to share with you that we have just released an update to our reference architectures (2024 version).</P><P>The latest version is published in&nbsp;<A href="https://discovery-center.cloud.sap/refArchCatalog/?category=security" target="_self" rel="nofollow noopener noreferrer">SAP Discovery Center</A> along with further links to our documentation and to related missions. 
We want to make it easy for you to try out what we describe.</P><P>If you are new to this topic, consider reading my <A href="https://community.sap.com/t5/technology-blogs-by-sap/identity-lifecycle-sap-reference-architecture-for-identity-access/ba-p/13504029" target="_self">older blog post about Cloud leading Identity Lifecycle from 2021</A>. The first chapter is still a valid place to start, although it is 3 years old <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P data-unlink="true">We also have an updated version of the <A href="https://support.sap.com/en/offerings-programs/support-services/security-optimization-services-portfolio.html?anchorId=section_1784311506" target="_self" rel="noopener noreferrer">SAP Secure Operations Map</A>, which allows you to verify your security requirements and map them to regional requirements such as NIST or BSI.<BR />In its application layer, the Secure Operations Map contains the three main IAM pillars that are now described in the SAP Discovery Center:</P><H3 id="toc-hId-927094780"><A href="https://discovery-center.cloud.sap/refArchDetail/ref-arch-cloud-leading-authentication" target="_self" rel="nofollow noopener noreferrer">Authentication flows</A></H3><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="[SAP Official]_SAP_Cloud_Leading_Authentication_L2.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/110029iB2CEA4D6F70D5B65/image-size/medium?v=v2&amp;px=400" role="button" title="[SAP Official]_SAP_Cloud_Leading_Authentication_L2.png" alt="[SAP Official]_SAP_Cloud_Leading_Authentication_L2.png" /></span></P><H3 id="toc-hId-730581275"><A href="https://discovery-center.cloud.sap/refArchDetail/ref-arch-cloud-leading-identity-lifecycle-authorizations" target="_self" rel="nofollow noopener noreferrer">Authorization flows as part of the identity lifecycle</A></H3><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="[SAP-official]_SAP_Cloud_Identity_Services_Authorization_L1.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/110031iA2E47F0A81B02F75/image-size/medium?v=v2&amp;px=400" role="button" title="[SAP-official]_SAP_Cloud_Identity_Services_Authorization_L1.png" alt="[SAP-official]_SAP_Cloud_Identity_Services_Authorization_L1.png" /></span></P><H3 id="toc-hId-404985051"><A href="https://discovery-center.cloud.sap/refArchDetail/ref-arch-cloud-leading-identity-lifecycle" target="_self" rel="nofollow noopener noreferrer">Identity Lifecycle flows</A></H3><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="[SAP Official]_SAP_Cloud_Identity_Services_Identity_Lifecycle_L1.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/110027iF904C1A7D2C1D674/image-size/medium?v=v2&amp;px=400" role="button" title="[SAP Official]_SAP_Cloud_Identity_Services_Identity_Lifecycle_L1.png" alt="[SAP Official]_SAP_Cloud_Identity_Services_Identity_Lifecycle_L1.png" /></span></P><P>Please read them; we can use this community to discuss them.</P><P>If you want to know more about the SAP Cloud Identity Services, I recommend <A href="https://community.sap.com/t5/technology-blogs-by-sap/sap-cloud-identity-services-why-and-how-to-integrate-them-for-a-consistent/ba-p/13560015" target="_self">this blog post</A>.</P><P>PS: Yes, we are already working on an integrated architecture which considers SAP Access Control - but we need a bit more time.</P> 2024-05-10T17:20:21.397000+02:00 https://community.sap.com/t5/technology-blogs-by-members/installing-saprouter-on-linux-a-step-by-step-guide/ba-p/13698342 Installing SAPRouter on Linux: A Step-by-Step Guide 2024-05-11T15:55:48.753000+02:00 Muthumayandi_Yadava https://community.sap.com/t5/user/viewprofilepage/user-id/10779 <P><STRONG>What is SAPRouter?</STRONG></P><P>SAPRouter is a 
software component used to secure communication between SAP systems and the internet. Installing SAPRouter on Linux is a crucial step in ensuring secure communication for your SAP landscape. This step-by-step guide walks you through the installation process.</P><P><STRONG>Prerequisites</STRONG>:</P><UL><LI>Linux server (e.g., CentOS, Ubuntu)</LI><LI>Root access to the server</LI><LI>SAPRouter software package downloaded from the SAP Support Portal</LI></UL><P><STRONG>Step 1: Download SAPRouter:</STRONG></P><P>Download the SAPRouter software package from the SAP Support Portal. Ensure that you download the correct version for your operating system.</P><P><STRONG>Step 2: Extract the SAPRouter Package:</STRONG></P><P>Transfer the downloaded SAPRouter package to your Linux server. Use the following command to extract the package:</P><P><CODE>tar -xvf saprouter_&lt;version&gt;_linux_x86_64.tar.gz</CODE></P><P><STRONG>Step 3: Create a Directory for SAPRouter:</STRONG></P><P>Create a directory to store the SAPRouter files:</P><P><CODE>mkdir /usr/sap/saprouter</CODE></P><P><STRONG>Step 4: Copy SAPRouter Files:</STRONG></P><P>Copy the extracted SAPRouter files to the newly created directory:</P><P><CODE>cp -R &lt;path_to_extracted_files&gt;/saprouter /usr/sap/saprouter</CODE></P><P><STRONG>Step 5: Create a Configuration File:</STRONG></P><P>Create a configuration file named <CODE>saprouter.ini</CODE> in the <CODE>/usr/sap/saprouter</CODE> directory. Here is a basic example of the configuration file:</P><PRE># SAProuter Configuration File
version = 39
httpport = 81
tracefile = /usr/sap/saprouter/saprouter.trc
authid = *
permit = *</PRE><P>Note that <CODE>authid = *</CODE> and <CODE>permit = *</CODE> are wildcards that allow any client to use the router for any destination; restrict them to the hosts and ports your landscape actually needs before the router is reachable from the internet.</P><P><STRONG>Step 6: Set Permissions:</STRONG></P><P>Ensure that the SAPRouter binary and configuration file have the correct permissions:</P><P><CODE>chmod 755 /usr/sap/saprouter/saprouter</CODE><BR /><CODE>chmod 644 /usr/sap/saprouter/saprouter.ini</CODE></P><P><STRONG>Step 7: Start SAPRouter:</STRONG></P><P>Start SAPRouter using the following command:</P><P><CODE>/usr/sap/saprouter/saprouter -r -R /usr/sap/saprouter/saprouter.ini</CODE></P><P><STRONG>Step 8: Verify SAPRouter Status:</STRONG></P><P>Verify that SAPRouter is running and listening on the specified port (e.g., 81). The trailing space in the pattern keeps ports such as 8100 from matching:</P><P><CODE>netstat -tuln | grep ':81 '</CODE></P><P><STRONG>Step 9: Configure Firewall:</STRONG></P><P>Configure your firewall to allow incoming and outgoing traffic on the SAPRouter port (e.g., 81) to ensure proper communication.</P><P><STRONG>Step 10: Configure SAP Systems:</STRONG></P><P>Update the <CODE>secinfo</CODE> file of your SAP systems to include the SAPRouter details for communication through the SAPRouter.</P><P><STRONG>Summary</STRONG>:</P><P>By following these steps, you can successfully install SAPRouter on your Linux server. This will help secure communication between your SAP systems and the internet, ensuring the integrity and confidentiality of your SAP landscape.</P><P>#SAP #SAPRouter #Linux #Installation <a href="https://community.sap.com/t5/c-khhcw49343/SAP+Young+Thinkers/pd-p/7491a8e4-2c34-4d6b-bf69-b91db9291a90" class="lia-product-mention" data-product="1159-1">SAP Young Thinkers</a> #<a href="https://community.sap.com/t5/c-khhcw49343/Red+Hat+Enterprise+Linux/pd-p/566117836046276697184412662459974" class="lia-product-mention" data-product="304-1">Red Hat Enterprise Linux</a> <a href="https://community.sap.com/t5/c-khhcw49343/SUSE+Linux+Enterprise+Server/pd-p/68020287236497694019600446793069" class="lia-product-mention" data-product="305-1">SUSE Linux Enterprise Server</a> <a href="https://community.sap.com/t5/c-khhcw49343/SAP+Women+in+Tech/pd-p/5e61e027-661e-4c66-91ef-4e6fa20c40f6" class="lia-product-mention" data-product="1164-1">SAP Women in Tech</a> <a href="https://community.sap.com/t5/c-khhcw49343/SAP+Integration+Suite/pd-p/73554900100800003241" class="lia-product-mention" data-product="23-1">SAP Integration Suite</a> <a href="https://community.sap.com/t5/c-khhcw49343/SAP+Business+Application+Studio/pd-p/67837800100800007077" class="lia-product-mention" data-product="13-1">SAP Business Application Studio</a> <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/10779">@Muthumayandi_Yadava</a> <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/39302">@Subramanian</a> <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/1387241">@Sap</a> <a href="https://community.sap.com/t5/user/viewprofilepage/user-id/121481">@YejinYun</a></P> 2024-05-11T15:55:48.753000+02:00 
https://community.sap.com/t5/technology-blogs-by-members/ringfencing-amp-decoupling-s-4hana-with-enterprise-blockchain-and-sap-btp/ba-p/13639467 RingFencing & DeCoupling S/4HANA with Enterprise Blockchain and SAP BTP - Ultimate Cyber Security 🚀 2024-05-14T13:56:58.227000+02:00 AndySilvey https://community.sap.com/t5/user/viewprofilepage/user-id/1397601 <P>tl;dr</P><P>As part of S/4HANA Transformation Programs, Security, Accessibility and Resilience are being re-imagined.</P><P>The starting position for a lot of S/4HANA Transformation Programs includes these Cyber Security principles:</P><UL><LI>Only Employees will have direct access to the Digital Core as End Users</LI><LI>There will be no direct access to the Digital Core by 3rd Party Applications</LI></UL><P>The first principle, 'Only Employees will have direct access to the Digital Core as Users', i.e. decoupling the SAP system from External Users, has been an architectural design pattern for more than a decade. For example, due to the extremely sensitive and confidential nature of Product LifeCycle Management Data, 13 years ago SAP were advocating <A href="https://help.sap.com/docs/SAP_ERP/38b3b859b68e464c90164894f04503e9/467980226c3b4a17ab1181a29a0a2de5.html?q=SAP%20PLM%20DMZ" target="_self" rel="noopener noreferrer">building an empty SAP PLM system in the DMZ</A> which would use RFCs to communicate with the actual SAP PLM system in the Secure Network Zone:</P><P><A href="https://help.sap.com/docs/SAP_ERP/38b3b859b68e464c90164894f04503e9/467980226c3b4a17ab1181a29a0a2de5.html?q=SAP%20PLM%20DMZ" target="_self" rel="noopener noreferrer"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AndySilvey_0-1715237780340.png" style="width: 810px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107844iB7A8E744542D4B5C/image-dimensions/810x593?v=v2" width="810" height="593" role="button" title="AndySilvey_0-1715237780340.png" alt="AndySilvey_0-1715237780340.png" /></span></A></P><P>The beauty of this design is that it decouples End User Access from the core SAP PLM system, thereby enhancing the security protection of the SAP PLM system.</P><P>Today's equivalent is to put the SAP Build Work Zone Launchpad in front of the S/4HANA Digital Core.</P><P>That is fine; it means the Digital Core is digitally decoupled for End Users. But what about Machine to Machine, Application to Application, and 3rd Party Applications which want to get Data from the S/4HANA?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Do you really want 3rd Party Companies calling APIs on your Digital Core - atkrypto.io" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/109763i172CAB6D70FBDD6E/image-size/large?v=v2&amp;px=999" role="button" title="Do you really want 3rd Party Companies calling APIs on your Digital Core - atkrypto.io .jpg" alt="Do you really want 3rd Party Companies calling APIs on your Digital Core - atkrypto.io" /><span class="lia-inline-image-caption">Do you really want 3rd Party Companies calling APIs on your Digital Core - atkrypto.io</span></span></P><P>When a 3rd Party Company calls an API on your S/4HANA Digital Core, you are replicating your Data to that 3rd Party Company.</P><P>How can the S/4HANA Digital Core be decoupled when 3rd Party Applications need to get Data from it? How can the S/4HANA Digital Core be architected in such a way that there are no Machine to Machine calls directly to the S/4HANA for the purpose of getting Data?</P><P>As elaborated in more detail in a <A href="https://community.sap.com/t5/technology-blogs-by-members/b2b-business-processes-ultimate-cyber-data-security-with-blockchain-and-sap/ba-p/13680992" target="_self">previous blog</A>, APIs enable your Data to be replicated to 3rd Party Applications which can also be in 3rd 
Party Partner Companies, and this brings a set of problems centered around:</P><P style=" padding-left : 30px; "><STRONG>Trust between Partners: </STRONG>The more Partners in a Business Transaction or Business Process, the less trust there is between Partners. This is a very simple graph: as the number of Partners in a Business Transaction or Business Process goes up, the trust between the Partners goes down. What is trust in a Business Transaction or Business Process? Doing what you said you would: data, instruction, confirmation. I will deliver the parcel to the address you gave me, but what if somebody in my Team changes the delivery address for their own benefit?</P><P style=" padding-left : 30px; "><STRONG>Protect the Originality &amp; Integrity of the Data</STRONG> - When your S/4HANA sends the Data to your Business Partner's System we need to make sure that the Data cannot be modified or destroyed, and therefore protect the originality and integrity of the Data.</P><P style=" padding-left : 30px; "><STRONG>Replicating &amp; Integrating the Data from your S/4HANA to your Business Partner's System and at the same time Protect the Originality &amp; Integrity of the Data</STRONG> - we need to get the Data from the S/4HANA to the Business Partner's System and we need to be sure, to have surety, that the Data which arrives at the Business Partner's System is the same Data as was sent from your S/4HANA. If this Data can be changed in any way, we won't be able to <EM><STRONG>trust</STRONG></EM> the Business Processes and Insights which are depending on that Data. 
And so, in the activity of moving the Data we need to make sure that that piece of Data cannot be modified or destroyed, and therefore protect the originality and integrity of the Data.</P><P>And it doesn't end there: it's often the case that a 3rd Party Organisation will be getting Data directly from your S/4HANA (as the Source) or posting Data to your S/4HANA (as the Target). In both cases it could be an API which, through your Integration Technologies, is ultimately exposed to the Internet, and where the system calling the API needs to have a User on your S/4HANA.</P><P>As ever, the pattern is the same, the theme is the same,</P><P style=" padding-left : 30px; "><STRONG>it's all about the Data</STRONG></P><P style=" padding-left : 30px; "><STRONG>what are the security, sensitivity, confidentiality, availability, criticality requirements of the Data</STRONG></P><P>Ring Fencing S/4HANA raises the Cyber Security by reducing the attack surface.</P><P>The most secure way is with Enterprise Blockchain as a Data Ring Fence around the S/4HANA Digital Core, thereby digitally decoupling access to and integration of the S/4HANA Data from other Applications.</P><P>The Enterprise Blockchain is:</P><UL><LI>Ring Fencing of the S/4HANA</LI><LI>S/4HANA does not expose APIs directly to any 3rd Party Companies</LI><LI>A Secure Store of Data</LI><LI>A Secure Communication Channel for Data</LI><LI>A Common Shared Single Source of Truth in your Organisation and across Organisations</LI><LI>The next generation Data Integration is about having a Common Shared Single Source of Truth</LI></UL><P>The S/4HANA Ring Fencing with Enterprise Blockchain as a shared single source of truth could involve the Enterprise Blockchain running on your SAP BTP Kyma Runtime and at the same time running on Kubernetes Servers in your Business Partner's Data Center:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="S4HANA RingFenced by Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/108033iDE3DDBBCDEF532AC/image-size/large?v=v2&amp;px=999" role="button" title="S4HANA RingFenced by Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io .jpg" alt="S4HANA RingFenced by Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io" /><span class="lia-inline-image-caption">S4HANA RingFenced by Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io</span></span></P><P>Alternatively, the S/4HANA Ring Fencing with Enterprise Blockchain could be where the Enterprise Blockchain is running on your SAP BTP Kyma Runtime and your 3rd Party Business Partner Company reads the Data from your Enterprise Blockchain on your SAP BTP Kyma Runtime as a shared common single source of truth for the Data:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="S4HANA RingFenced by your own Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/108035iACB5FCB38784CA5A/image-size/large?v=v2&amp;px=999" role="button" title="S4HANA RingFenced by your own Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io .jpg" alt="S4HANA RingFenced by your own Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io" /><span class="lia-inline-image-caption">S4HANA RingFenced by your own Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io</span></span></P><P>Read on for the full story... <span class="lia-unicode-emoji" title=":rocket:">🚀</span></P><P><STRONG>Introduction</STRONG></P><P>The reason I am so interested in this is that I have been securing availability and accessibility of SAP systems for the last 25 years, and back in 2013 I wrote this blog about "<A href="https://community.sap.com/t5/technology-blogs-by-members/alternatives-for-securing-internet-facing-sap-applications/ba-p/13022930" target="_self">Alternatives for Securing Internet Facing Applications</A>".</P><P>There is so much to talk about on this subject, so let's get into it. 
Back in 2013 at a Customer, we were looking at Ring Fencing critical systems.</P><P>Back then the focus was on DeCoupling the SAP system where End User access was required from people coming in from the Internet; in fact the reasons for the RingFencing were centered around:</P><UL><LI>Access - Authentication &amp; Authorisation</LI><LI>Storage of Data</LI><LI>Communication Channels</LI><LI>DeCoupling especially for Internet Collaboration</LI></UL><P>The DeCoupling for Internet Collaboration was based around SAP's <A href="https://help.sap.com/docs/SAP_ERP/930f133a36a843318dc3347afe00a9d6/19fb1caa59874deb8813bf399de8436f.html?version=6.18.latest" target="_self" rel="noopener noreferrer">SAP PLM Reference Architecture</A>,</P><P><A href="https://help.sap.com/docs/SAP_ERP/930f133a36a843318dc3347afe00a9d6/19fb1caa59874deb8813bf399de8436f.html?version=6.18.latest" target="_self" rel="noopener noreferrer"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AndySilvey_0-1715242480140.png" style="width: 794px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107868i0C00E16A2EB6E3C7/image-dimensions/794x122?v=v2" width="794" height="122" role="button" title="AndySilvey_0-1715242480140.png" alt="AndySilvey_0-1715242480140.png" /></span></A></P><P>and the <A href="https://help.sap.com/docs/SAP_ERP/38b3b859b68e464c90164894f04503e9/467980226c3b4a17ab1181a29a0a2de5.html?q=SAP%20PLM%20DMZ" target="_self" rel="noopener noreferrer">SAP PLM Technical System Landscape recommendation</A>:</P><P><A href="https://help.sap.com/docs/SAP_ERP/38b3b859b68e464c90164894f04503e9/467980226c3b4a17ab1181a29a0a2de5.html?q=SAP%20PLM%20DMZ" target="_self" rel="noopener noreferrer"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AndySilvey_1-1715242557723.png" style="width: 807px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107870i72E499A54D343B32/image-dimensions/807x585?v=v2" width="807" height="585" role="button" title="AndySilvey_1-1715242557723.png" alt="AndySilvey_1-1715242557723.png" /></span></A></P><P>Fast forward to today, and SAP Customers have the luxury that the worry of securing End User Internet Access to their SAP systems is outsourced to SAP through the implementation of the <A href="https://help.sap.com/docs/build-work-zone-standard-edition/sap-build-work-zone-standard-edition/what-is-sap-build-work-zone-standard-edition" target="_self" rel="noopener noreferrer">SAP BTP Build Work Zone Launchpad</A>. It should not go unnoticed that when you implement the SAP BTP Build Work Zone Launchpad Service, you also don't have to care for Web Application Firewalls and the Security of Internet Access.</P><P>But what about APIs, what about System to System, Machine to Machine? What about Integrations? What about when Non-SAP Applications in your Company or other Companies need data from the S/4HANA?</P><P>S/4HANA has a rich and always growing collection of APIs, but should Applications from your Partner Companies call API end points on the S/4HANA Digital Core?</P><P>Should 3rd Party Applications, and 3rd Party Partners' Applications, be directly accessing the Digital Core S/4HANA APIs?</P><P>Regardless of whether the S/4HANA is [Any]OnPremise, S/4HANA RISE Private Cloud Edition or S/4HANA Public Cloud Edition, should 3rd Party Applications be allowed to directly call APIs on your S/4HANA?</P><P>Let's take the S/4HANA Business Partner API: should Applications from your Partner Companies be allowed/able to call this API on your Digital Core S/4HANA to retrieve changes to Business Partner Data?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Legacy API Integrations calling S4HANA API and Replicating Data to 3rd Party Company Applications - atkrypto.io" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107911i4605FDA55AA3DD21/image-size/large?v=v2&amp;px=999" role="button" title="Legacy API Integrations calling S4HANA API and Replicating Data to 3rd Party Company Applications - atkrypto.io.jpg" alt="Legacy API Integrations calling S4HANA API and Replicating Data to 3rd Party Company Applications - atkrypto.io" /><span class="lia-inline-image-caption">Legacy API Integrations calling S4HANA API and Replicating Data to 3rd Party Company Applications - atkrypto.io</span></span></P><P>If you have doubts or think the answer is no, then read on: there is a solution, it is very nice, very easy, and very secure.</P><P>One of the biggest Cyber Security threats to your Data, and therefore to your Operations and therefore to your Business, is allowing 3rd Party Applications from 3rd Party Companies to call Data from APIs on your S/4HANA Digital Core and then replicate your Data to Servers in their Company.</P><P>As ever, the pattern is the same, the theme is the same,</P><P style=" padding-left : 30px; "><STRONG>it's all about the Data</STRONG></P><P style=" padding-left : 30px; "><STRONG>what are the security, sensitivity, confidentiality, availability, criticality requirements of the Data</STRONG></P><P>Like the other blogs in this series, this blog is going to break the subject down into three sections:</P><P style=" padding-left : 30px; "><STRONG>Section 1.0: The What is it of RingFencing and DeCoupling S/4HANA, and Enterprise Blockchain</STRONG></P><P style=" padding-left : 30px; "><STRONG>Section 2.0: The Why is it, of RingFencing and DeCoupling S/4HANA, and Enterprise Blockchain</STRONG></P><P style=" padding-left : 30px; "><STRONG>Section 3.0: The How is it, of RingFencing and DeCoupling S/4HANA, and Enterprise Blockchain</STRONG></P><P>In case you missed them, the previous blogs in this series are 
here:</P><UL><LI><A href="https://community.sap.com/t5/technology-blogs-by-members/why-i-love-sap-and-blockchain-databases-and-why-you-should-too/ba-p/13625869" target="_blank">Why I love SAP and Blockchain Databases and why you should too 🚀</A></LI><LI><A href="https://community.sap.com/t5/technology-blogs-by-members/sap-enterprise-architecture-positioning-blockchain-database-as-an/ba-p/13629842" target="_blank">SAP Enterprise Architecture: Positioning Blockchain Database as an Enterprise Technology Standard 🚀</A></LI><LI><A href="https://community.sap.com/t5/technology-blogs-by-members/sap-enterprise-architecture-let-the-use-case-find-the-blockchain/ba-p/13632458" target="_blank">SAP Enterprise Architecture: Let the Use Case find the Blockchain 🚀</A></LI><LI><A href="https://community.sap.com/t5/technology-blogs-by-members/oil-amp-gas-ultimate-data-security-blockchain-data-backbone-from-ot-to-sap/ba-p/13640699" target="_blank">Oil &amp; Gas - Ultimate Data Security - Blockchain Data Backbone from OT to SAP IT 🚀</A></LI><LI><A href="https://community.sap.com/t5/technology-blogs-by-members/the-what-is-the-why-to-the-how-to-of-esg-amp-sap-amp-enterprise-blockchain/ba-p/13642365" target="_blank">The What Is... The Why To... The How To... of: ESG &amp; SAP &amp; Enterprise Blockchain 🚀</A></LI><LI><A href="https://community.sap.com/t5/technology-blogs-by-members/bcp-business-continuity-planning-for-sap-s-4hana-made-easy-with-enterprise/ba-p/13647824" target="_blank">BCP: Business Continuity Planning for SAP S/4HANA - made easy with Enterprise Blockchain 🚀</A></LI><LI><A href="https://community.sap.com/t5/technology-blogs-by-members/trustable-ai-thanks-to-sap-ai-core-amp-sap-hana-cloud-amp-sap-s-4hana-amp/ba-p/13662822" target="_blank">Trustable AI thanks to - SAP AI Core &amp; SAP HANA Cloud &amp; SAP S/4HANA &amp; Enterprise Blockchain 🚀</A></LI><LI><A href="https://community.sap.com/t5/technology-blogs-by-members/iot-ultimate-data-cyber-security-with-enterprise-blockchain-and-sap-btp/ba-p/13676981" target="_blank">IoT - Ultimate Data Cyber Security - with Enterprise Blockchain and SAP BTP 🚀</A></LI><LI><A href="https://community.sap.com/t5/technology-blogs-by-members/b2b-business-processes-ultimate-cyber-data-security-with-blockchain-and-sap/ba-p/13680992" target="_blank">B2B Business Processes - Ultimate Cyber Data Security - with Blockchain and SAP BTP 🚀</A></LI></UL><P><STRONG>Section 1.0: The What is it of RingFencing and DeCoupling S/4HANA, and Enterprise Blockchain</STRONG></P><P>What is RingFencing? 
There is a very nice description <A href="https://fastercapital.com/content/Data-Security--Ringfencing-Your-Data--Strengthening-Cybersecurity-Measures.html" target="_self" rel="nofollow noopener noreferrer">here</A>:</P><P><A href="https://fastercapital.com/content/Data-Security--Ringfencing-Your-Data--Strengthening-Cybersecurity-Measures.html" target="_self" rel="nofollow noopener noreferrer"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AndySilvey_0-1715261427109.png" style="width: 752px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/108043i2533B5D86CC60AAB/image-dimensions/752x280?v=v2" width="752" height="280" role="button" title="AndySilvey_0-1715261427109.png" alt="AndySilvey_0-1715261427109.png" /></span></A></P><P>RingFencing is about isolating Data away from the most important SAP system, the S/4HANA Digital Core.</P><P>DeCoupling: the word DeCoupling has a number of meanings in Enterprise IT. What we are talking about here, in the case of the S/4HANA Digital Core and Data access by 3rd Party Company Applications, is that we are DeCoupling the Data access away from directly on the S/4HANA; by DeCoupling we are making the S/4HANA Data indirectly accessible.</P><P>It can be argued that if we are RingFencing, or Isolating, or DeCoupling the S/4HANA Data away from the S/4HANA then we are creating another copy of the Data, another Replica of the Data. That is true, we are, and it is the same as when Data is replicated to 3rd Party Systems via API: whichever way you look at it, the ultimate goal is a Replica of the S/4HANA Data which is available and accessible to the 3rd Party Company Application for the purposes of that Application or Business Transaction.</P><P>We can replicate the Data using an S/4HANA API to the 3rd Party Company Application and lose all control of the Data, and also have to deal with how to secure Authentication and Authorisation and Network Access to the 
API, or we can replicate to our own RingFenced, isolated, trusted location.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SAP S4HANA RingFenced DeCoupled Data Cyber Security Principles - atkrypto.io" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/108051i720015EC6E37F61F/image-size/large?v=v2&amp;px=999" role="button" title="SAP S4HANA RingFenced DeCoupled Data Cyber Security Principles - atkrypto.io .jpg" alt="SAP S4HANA RingFenced DeCoupled Data Cyber Security Principles - atkrypto.io" /><span class="lia-inline-image-caption">SAP S4HANA RingFenced DeCoupled Data Cyber Security Principles - atkrypto.io</span></span></P><P><STRONG>What about the Enterprise Blockchain, what is Enterprise Blockchain?</STRONG></P><P>Enterprise Blockchain is:</P><UL><LI><STRONG>a Secure Store</STRONG></LI><LI><STRONG>a Secure Communication Channel</STRONG></LI><LI><STRONG>A Common Shared Single Source of Truth in your Organisation and across Organisations</STRONG></LI><LI><STRONG>The next generation Data Integration is about having a Common Shared Single Source of Truth</STRONG></LI></UL><P>McKinsey &amp; Company, in their <A href="https://www.mckinsey.com/featured-insights/mckinsey-explainers/what-is-blockchain" target="_self" rel="nofollow noopener noreferrer">December 2023 Featured Insights Publication</A>, gave a beautiful description of what is unique and special about Blockchain: "<EM>Blockchain is a secure database shared across a network of participants, where up-to-date information is available to all participants at the same time</EM>". If we just pause for a moment and let that sink in, and think about what that means to Business Processes, to Collaboration, to System Resilience, we start to see what is so special about Blockchain Databases and Distributed Ledger Technology.</P><P>In these previous blogs, I made a deep dive into what Enterprise Blockchain is and why we should be positioning it in our Enterprise Architecture:</P><UL><LI><A href="https://community.sap.com/t5/technology-blogs-by-members/why-i-love-sap-and-blockchain-databases-and-why-you-should-too/ba-p/13625869" target="_blank">Why I love SAP and Blockchain Databases and why you should too 🚀</A></LI><LI><A href="https://community.sap.com/t5/technology-blogs-by-members/sap-enterprise-architecture-positioning-blockchain-database-as-an/ba-p/13629842" target="_blank">SAP Enterprise Architecture: Positioning Blockchain Database as an Enterprise Technology Standard 🚀</A></LI><LI><A href="https://community.sap.com/t5/technology-blogs-by-members/sap-enterprise-architecture-let-the-use-case-find-the-blockchain/ba-p/13632458" target="_blank">SAP Enterprise Architecture: Let the Use Case find the Blockchain 🚀</A></LI></UL><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="S4HANA RingFenced by Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/108061i0B9C9B7C1EDECD31/image-size/large?v=v2&amp;px=999" role="button" title="S4HANA RingFenced by Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io .jpg" alt="S4HANA RingFenced by Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io" /><span class="lia-inline-image-caption">S4HANA RingFenced by Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io</span></span></P><P>In a nutshell, Enterprise Blockchain is:</P><UL><LI><EM><STRONG>The Digital Transformation of Information Security into Cyber Security</STRONG></EM></LI><LI><EM><STRONG>The Next Generation Data Integrity, Originality, Confidentiality Protection</STRONG></EM></LI><LI><STRONG>Re-imagining Information Security</STRONG></LI><LI><STRONG>Natively, out of the box, due to its special characteristics, the strongest, hardest, most resilient Enterprise Database product</STRONG></LI></UL><P>To wrap up this section:</P><UL><LI>RingFencing is about isolating and protecting Data</LI><LI>Enterprise Blockchain is about Cyber Security of Data</LI></UL><P><STRONG>Section 2.0: The Why is it, of RingFencing and DeCoupling S/4HANA, and Enterprise Blockchain</STRONG></P><P>Why would we want to RingFence and DeCouple S/4HANA, the Digital Core, from 3rd Party systems which legitimately need S/4HANA Data?</P><P>The answer is simple: Cyber Security, Cyber Threats.</P><P>Not so long ago, the focus was on High Availability and Disaster Recovery; the biggest threat was the system going down and not coming back.</P><P>Today, things have changed, and the biggest threat is a malicious actor rendering our business Data unusable.</P><P>Today we know we can buy new servers, we know we can get a Data Center up and running, but how do we repair Data which has been maliciously rendered unusable? Think about the <A href="https://www.ncsc.gov.uk/ransomware/home" target="_self" rel="nofollow noopener noreferrer">Ransomware</A> attack.</P><P><A href="https://www.ncsc.gov.uk/ransomware/home" target="_self" rel="nofollow noopener noreferrer"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AndySilvey_0-1715622721595.png" style="width: 772px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/109766iDE0DD72EEF3B0A4E/image-dimensions/772x336?v=v2" width="772" height="336" role="button" title="AndySilvey_0-1715622721595.png" alt="AndySilvey_0-1715622721595.png" /></span></A></P><P>So what is <A href="https://fastercapital.com/content/Data-Security--Ringfencing-Your-Data--Strengthening-Cybersecurity-Measures.html" target="_self" rel="nofollow noopener noreferrer">ring fencing</A> and why do we need to do it?</P><P><A href="https://fastercapital.com/content/Data-Security--Ringfencing-Your-Data--Strengthening-Cybersecurity-Measures.html" target="_self" rel="nofollow noopener noreferrer"><span class="lia-inline-image-display-wrapper lia-image-align-inline" 
image-alt="AndySilvey_1-1715622817849.png" style="width: 761px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/109767i880EBD11FE47EB7A/image-dimensions/761x232?v=v2" width="761" height="232" role="button" title="AndySilvey_1-1715622817849.png" alt="AndySilvey_1-1715622817849.png" /></span></A></P><P>&nbsp;</P><P>Ring Fencing is about reducing exposure to Cyber Threats.</P><P>What are the biggest easiest ways that we can reduce exposure to Cyber Threat ?</P><P style=" padding-left : 30px; "><STRONG>Stop 3rd Party Companies from calling API's on the S/4HANA Digital Core.</STRONG></P><P style=" padding-left : 30px; "><STRONG>Stop publishing API's for 3rd Party Application access on the S/4HANA Digital Core.</STRONG></P><P>Stop doing this:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Do you really want 3rd Party Companies calling APIs on your Digital Core - atkrypto.io" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/109769iC3BBAFEE9323A8B9/image-size/large?v=v2&amp;px=999" role="button" title="Do you really want 3rd Party Companies calling APIs on your Digital Core - atkrypto.io .jpg" alt="Do you really want 3rd Party Companies calling APIs on your Digital Core - atkrypto.io" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Do you really want 3rd Party Companies calling APIs on your Digital Core - atkrypto.io</span></span></P><P>&nbsp;</P><P>And what's the solution ?&nbsp;&nbsp;</P><P>The solution is the Enterprise Blockchain as the Common Data Back Bone across Companies.</P><P>Instead of replicating and sending the Data to your Business Partner, you write the S/4HANA Data to the Enterprise Blockchain.</P><P>This is like pick your own strawberries, instead of sending your Partners the strawberries, you tell your Partner the strawberries are ready and which field they are in and you let your Partners pick the strawberries themselves 
from the Enterprise Blockchain.</P><P>S/4HANA Data Events write the Data to the Enterprise Blockchain and S/4HANA Notification Events notify the Partner that something has happened; then, instead of calling an API on your SAP S/4HANA, the Partner calls the API of the Enterprise Blockchain and reads the Data from there.</P><P>The Enterprise Blockchain Database software is running on your SAP BTP Kyma Runtime and in your Partner's Servers, therefore creating natively, out of the box, the most secure and resilient common shared single source of truth. You have a Distributed Ledger running from your SAP BTP to the Partner's Servers.</P><P>Therefore, the S/4HANA Data Event writes to the Enterprise Blockchain as the Common Shared Single Source of Truth across the Organisations, and the S/4HANA Notification Event notifies the Partner that something has happened and that they should call the Enterprise Blockchain API to get the Data of what has happened.</P><P>And as will be explained later in the blog, it's not only about the Enterprise Blockchain being a common shared source of truth across organisations, it's about digitally decoupling the S/4HANA from 3rd Party System Integrations and gradually ring fencing the S/4HANA away from being directly accessed by 3rd Party Systems as it is today with API's.</P><P>Imagine, as described in the previous blog, when we<SPAN>&nbsp;</SPAN><EM><A href="https://community.sap.com/t5/technology-blogs-by-members/sap-enterprise-architecture-let-the-use-case-find-the-blockchain/ba-p/13632458" target="_self">let the Use Case find the Enterprise Blockchain</A></EM>, we have a Business Requirement, a Business Demand, to make Data for B2B Business Processes the safest it can be, the most trustable that it can be.</P><P>When we look in our Enterprise Technology Standards, and we look for the Technology Standard in our Enterprise Portfolio which is<SPAN>&nbsp;</SPAN><EM><A 
href="https://community.sap.com/t5/technology-blogs-by-members/sap-enterprise-architecture-positioning-blockchain-database-as-an/ba-p/13629842" target="_self">positioned to bring the strongest protection to Data, we find the Enterprise Blockchain</A></EM>.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Comparison Enterprise Blockchain Database and Traditional Legacy Database - atkrypto.io" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/109784i1ECEA63BF0102C5B/image-size/large?v=v2&amp;px=999" role="button" title="Comparison Enterprise Blockchain Database and Traditional Legacy Database - atkrypto.io .png" alt="Comparison Enterprise Blockchain Database and Traditional Legacy Database - atkrypto.io" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Comparison Enterprise Blockchain Database and Traditional Legacy Database - atkrypto.io</span></span></P><P>&nbsp;</P><P>In the previous blogs, we have discussed in detail the special characteristics of Enterprise Blockchain and just why it natively, out of the box, protects the integrity of data to a level that legacy database products cannot. In a nutshell....</P><P><SPAN>B2B Business Processes are about Data</SPAN></P><P><SPAN>B2B Business Processes are about the Data that goes from your S/4HANA outside the boundaries of your Company and your Network to Partner Companies' Applications, Networks and Databases.</SPAN></P><P><SPAN>This means B2B Business Processes are about Data, and the Data depends on a Database or a Datastore</SPAN></P><P><SPAN>What kind of Database does B2B Business Process Data need ? What capabilities does the Database for the B2B Business Process Data need to have ?</SPAN></P><P><SPAN>1. It must not be possible to modify the Data in the Database - the Database needs to be immutable</SPAN></P><P><SPAN>2. 
The integrity and originality of the Data in the Database must be protected to the highest level that is technically possible</SPAN></P><P><SPAN>3. The Data must be available with the highest availability, the Database must be resilient to attack</SPAN></P><P><SPAN>4. The Database must be running simultaneously in your DataCenter and your Business Partner's DataCenter</SPAN></P><P>5. S/4HANA must not expose any API's to Business Partner Companies</P><P><SPAN>When we look in our&nbsp;<A href="https://community.sap.com/t5/technology-blogs-by-members/sap-enterprise-architecture-positioning-blockchain-database-as-an/ba-p/13629842" target="_self">Enterprise Technology Standards we find 1 Technology Standard</A>&nbsp;in the Enterprise which has those capabilities, and that is..... Enterprise Blockchain</SPAN></P><P><SPAN>Enterprise Blockchain ticks those boxes...</SPAN></P><P>&nbsp;<SPAN>Immutable - tick that box</SPAN></P><P>&nbsp;<SPAN>Integrity must be protected to the highest level - tick that box, thanks to the Enterprise Blockchain Hash Mechanism and the Enterprise Blockchain Consensus Mechanism</SPAN></P><P>&nbsp;<SPAN>Highest level of resilience and availability - tick that box, thanks to the Distributed and Decentralised nature of the Enterprise Blockchain&nbsp;</SPAN></P><P>&nbsp;<SPAN>DeCouples S/4HANA from the process - tick that box, no need for S/4HANA API's to be exposed to 3rd Party Business Partners' Applications</SPAN></P><P><SPAN>This is why Enterprise Blockchain is the enabler of trustable outcomes from Enterprise B2B Business Processes.</SPAN></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="atkrypto.io what is a blockchain" style="width: 930px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/109785i88B9E15917C59179/image-size/large?v=v2&amp;px=999" role="button" title="atkrypto.io what is a blockchain.jpg" alt="atkrypto.io what is a blockchain" /><span class="lia-inline-image-caption" 
onclick="event.preventDefault();">atkrypto.io what is a blockchain</span></span></P><P>&nbsp;</P><P>But there's more than that, B2B Business Processes can produce a lot of data, and the volumes of data can be big.</P><P>And this is why, in this blog we take the Enterprise Blockchain Technology story one level further and we introduce the:</P><P style=" padding-left : 30px; ">Enterprise Blockchain Wallet</P><P style=" padding-left : 30px; ">Off-Chain Data Storage</P><P>In the Enterprise Blockchain Platforms, the Enterprise Blockchain Wallet is used for Off-Chain storage of big data and in the following paragraphs we will explain why.</P><P>What is the Enterprise Blockchain Wallet, and what is Off-Chain Data Storage and why would we use them and why do we need them ?</P><P>As we have explained<SPAN>&nbsp;</SPAN><A href="https://community.sap.com/t5/technology-blogs-by-members/why-i-love-sap-and-blockchain-databases-and-why-you-should-too/ba-p/13625869" target="_self">in a previous blog</A>, the Enterprise Blockchain Database, the Distributed Ledger, can be looked at simply as a Database Table (which is replicated and synchronised across multiple Servers) and in principle it stores the Data like this:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Blockchain is a very simple form of database atkrypto.io" style="width: 896px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/109786i522F51693A60D613/image-size/large?v=v2&amp;px=999" role="button" title="Blockchain is a very simple form of database atkrypto.io .jpg" alt="Blockchain is a very simple form of database atkrypto.io" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Blockchain is a very simple form of database atkrypto.io</span></span></P><P>&nbsp;</P><P>This is fine, and suited to what we call<SPAN>&nbsp;</SPAN><A 
href="https://aws.amazon.com/compare/the-difference-between-structured-data-and-unstructured-data/#:~:text=Structured%20data%20is%20data%20that,files%20and%20large%20text%20documents." target="_self" rel="nofollow noopener noreferrer">Structured Data</A>, and as AWS nicely describe,<SPAN>&nbsp;</SPAN><A href="https://aws.amazon.com/what-is/structured-data/" target="_self" rel="nofollow noopener noreferrer">Structured Data</A><SPAN>&nbsp;</SPAN>is information like words and numbers. This kind of data is perfectly suited to being stored in an Enterprise Blockchain Database and also in a legacy Database. Examples of the data would be Names, Addresses, Phone Numbers, Product Information etc.</P><P>But Payroll can produce a lot of Data, in volumes which would&nbsp;be too big to be stored on the Enterprise Blockchain Database itself.</P><P>And that's ok, Enterprise Blockchain Platforms are ready for that, and have been designed to store both Structured Data and Data which is in files so big that they cannot be stored in the Enterprise Blockchain Database itself, for example the photographs from a Waste Truck's onboard camera proving that waste was responsibly tipped in the correct location, taken at the same time as recording the GPS coordinates proving the location of the Waste Truck.</P><P>So, if we can't store large photograph files in large quantities in the Enterprise Blockchain Database, then how, in an Enterprise Blockchain Platform, do we store large files of Data ?</P><P>Voila.... bring in the Enterprise Blockchain Platform Wallet. 
The best Enterprise Blockchain Platform products include what is called the Enterprise Blockchain Platform Wallet, or to make it shorter, the Enterprise Blockchain Wallet.</P><P>The Enterprise Blockchain Wallet enables us to store large Data, like large Files, safely and securely off the chain, or '<A href="https://www.bitdegree.org/crypto/learn/crypto-terms/what-is-off-chain" target="_self" rel="nofollow noopener noreferrer">Off-Chain</A>'.&nbsp;</P><P>But if we store the large Data files Off-Chain in the Enterprise Blockchain Wallet, then how do we also have them somehow on the Enterprise Blockchain Database ?</P><P>The way this works is elegant. In any decent Enterprise Blockchain Platform, the Enterprise Blockchain Wallet location is completely configurable, and could be anywhere from<SPAN>&nbsp;</SPAN><A href="https://www.sap.com/norway/products/technology-platform/hana/features/cloud-data-lake.html" target="_self" rel="noopener noreferrer">SAP HANA Cloud (Data Lake)</A> to hyperscaler object stores, such as Amazon S3, OSS (Alicloud Object Storage<BR />Service), SAP HANA Cloud, Data Lake, and Azure Blob Storage.</P><P>The configurable Enterprise Blockchain Wallet of the Enterprise Blockchain Platform looks like this:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Enterprise Blockchain Platform - Enterprise Blockchain Wallets - Configurable Enterprise Wallets - atkrypto.io" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/109787i908D88B47AA86B97/image-size/large?v=v2&amp;px=999" role="button" title="Enterprise Blockchain Platform - Enterprise Blockchain Wallets - Configurable Enterprise Wallets - atkrypto.io .jpg" alt="Enterprise Blockchain Platform - Enterprise Blockchain Wallets - Configurable Enterprise Wallets - atkrypto.io" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Enterprise Blockchain Platform - Enterprise 
Blockchain Wallets - Configurable Enterprise Wallets - atkrypto.io</span></span></P><P>&nbsp;</P><P>Ok, so we've got the large volumes of Data stored in the (configurable) Enterprise Blockchain Wallet, but what about securing the Data ? Obviously the Enterprise Blockchain Wallet storage location has built-in security, for example SAP HANA Cloud or AWS S3 Buckets, but we need more than the out-of-the-box security of these products. The reason we are using the Enterprise Blockchain Database is the security strengths it natively has, so what about the Enterprise Blockchain Wallet: doesn't the Enterprise Blockchain Platform have an equally hard way of protecting the data in the Enterprise Blockchain Wallet ?</P><P>Well yes it does, this is the magic of Enterprise Blockchain Database 'Off-Chain' storage in the Enterprise Blockchain Wallet. This is unique to Blockchain Technologies.</P><P>What happens is this: when we store data in the Enterprise Blockchain Wallet, the Enterprise Blockchain Platform software runs a hash algorithm over the data that we have stored, and<SPAN>&nbsp;</SPAN><A href="https://codesigningstore.com/what-is-hashing-algorithm-how-it-works#:~:text=In%20cryptography%2C%20hashing%20is%20a,output%20of%20the%20same%20length." 
target="_self" rel="nofollow noopener noreferrer">the large file gets hashed</A>:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AndySilvey_8-1715623249902.png" style="width: 784px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/109780i6359638B6E44B57D/image-dimensions/784x232?v=v2" width="784" height="232" role="button" title="AndySilvey_8-1715623249902.png" alt="AndySilvey_8-1715623249902.png" /></span></P><P>&nbsp;</P><P>The data or the file in the Enterprise Blockchain Wallet gets hashed, and then that hash is stored in the Enterprise Blockchain Database.</P><P>This means we now have a unique hash of that data or file. If anybody or anything makes even the tiniest change to that data or file, the next time we run the hash over it the result will be different from the original hash which is safely stored in the Enterprise Blockchain Database. This is how we will know that the data has been changed, that we cannot trust it, and therefore that we cannot use it for our Enterprise Business Processes.</P><P>On the other hand, if just before we load the data from the Enterprise Blockchain Wallet into the SAP Enterprise Applications, eg SAP Asset Performance Management and SAP S/4HANA, we run a hash over the data and the result is the same as the hash we have in the Enterprise Blockchain Database, then we know we can trust the Data, we can use it in our SAP Applications, and we have trustable Data.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Enterprise Blockchain Wallet Data Hashes Stored in the Enterprise Blockchain Database - atkrypto.io" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/109788i3271545F050395A2/image-size/large?v=v2&amp;px=999" role="button" title="Enterprise Blockchain Wallet Data Hashes Stored in the Enterprise Blockchain Database 
- atkrypto.io .jpg" alt="Enterprise Blockchain Wallet Data Hashes Stored in the Enterprise Blockchain Database - atkrypto.io" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Enterprise Blockchain Wallet Data Hashes Stored in the Enterprise Blockchain Database - atkrypto.io</span></span></P><P>&nbsp;</P><P><STRONG>And this is why, for all of these reasons,&nbsp;</STRONG></P><P style=" padding-left : 30px; "><STRONG>Ring Fencing the S/4HANA Digital Core depends on Data being stored in the Enterprise Blockchain</STRONG></P><P>&nbsp;</P><P>But that's not the end of why Ring Fencing needs Enterprise Blockchain.&nbsp;</P><P>As we showed at the beginning of the blog in this picture:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="S4HANA RingFenced by Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/109789iE2C8DF277B4A36A2/image-size/large?v=v2&amp;px=999" role="button" title="S4HANA RingFenced by Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io .jpg" alt="S4HANA RingFenced by Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">S4HANA RingFenced by Enterprise Blockchain S4HANA does not expose any APIs directly to 3rd Party Companies Ultimate Cyber Security - atkrypto.io</span></span></P><P>&nbsp;</P><P>As the picture shows, we have an Enterprise Blockchain Database Tenant installed on a Server Host in your DataCenter, in your Network, on your SAP BTP Kyma Service, AND we have an Enterprise Blockchain Database Tenant installed on your B2B Business Partner's Network; if they are an SAP Customer then like you they 
can put it on the SAP BTP Kyma Service, if not they can run it on Kubernetes.</P><P>The consequence of this is that we have a distributed Enterprise Blockchain Database table which stretches from your DataCenter and Network, where your S/4HANA is writing Data to it, all the way across the Network to your Business Partner's DataCenter.</P><P>This means we have Ring Fenced S/4HANA with Enterprise Blockchain Data Protection from the source, your S/4HANA, to the target, your B2B Business Partner's IT infrastructure, enabling trusted, resilient, reliable Business Processes to be completed.</P><P>At the same time, we are not exposing S/4HANA or the API's on the S/4HANA to any 3rd Party Applications.</P><P>We have Ring Fenced and digitally decoupled the S/4HANA Data and Access from the Business Process.</P><P>And this is why we say Enterprise Blockchain is a Secure Communication Channel: instead of integrating Applications by sending and replicating Data across Networks, we are sharing the Data across the Enterprise Blockchain, and the Enterprise Blockchain is the Secure Communication Channel.</P><P>To conclude this section, the<SPAN>&nbsp;</SPAN><EM>Why to, B2B Ring Fencing S/4HANA and Enterprise Blockchain</EM>: B2B Business Process Data needs to be safely replicated and trustable.</P><P>Enterprise Blockchain, due to its native security strength when used as a store of Data, enables B2B Business Processes to be both Secure and Trustable.</P><P><SPAN>And as we will see in the next section, it's not only about the Enterprise Blockchain being a common shared source of truth across Organisations, it's about Ring Fencing and digitally decoupling the S/4HANA, removing the attack surface from 3rd Party System Integrations, and gradually ring fencing the S/4HANA away from being directly accessed by 3rd Party Systems as it is today with API's.</SPAN></P><P>&nbsp;</P><P><SPAN><STRONG>Section 3.0: The How is it,&nbsp; of RingFencing and 
DeCoupling S/4HANA, and Enterprise Blockchain</STRONG></SPAN></P><P>The goal of this blog was to show how, instead of using the legacy fire-and-forget approach of replicating data to 3rd Party Business Partners, the Enterprise Blockchain can be deployed as a common shared single source of truth, with an Enterprise Blockchain Tenant running close to your S/4HANA and another Enterprise Blockchain Tenant running close to your Business Partner's Application. Thus Ring Fencing and Digitally DeCoupling the S/4HANA Digital Core and bringing the highest level of Cyber Security and attack surface reduction.</P><P>In this section of the blog we will show the possible Technical Solution Architectures which will enable you to implement this next generation approach to sharing Data with the highest level of Cyber Security already today.</P><P>As described above, one of the many beauties of this approach is that your S/4HANA writes to the Enterprise Blockchain and your Business Partner's Application reads from the same Enterprise Blockchain. This achieves a number of things, including:</P><P>. Total Control - you have total control over the Data you are sharing with the Business Partner, as long as your Business Partner's Application reads the Data from the common shared source, the Enterprise Blockchain</P><P>. Ultimate Cyber Security - you know the maximum has been done to minimise the S/4HANA attack surface and the chance of Cyber Security risks, and the maximum has been done to protect the originality, integrity, and confidentiality of the Data</P><P>. 
S/4HANA Ring Fenced and Digitally DeCoupled from the Business Process - on top of this, the S/4HANA has been digitally disconnected from the Business Process, because no 3rd Party Applications directly call API's on the S/4HANA any longer</P><P>In the Technical Solution Architecture there would be two main ways of getting the data from the S/4HANA and writing it to the Enterprise Blockchain, these would be:</P><P>. API's</P><P>. Events</P><P>In these Technical Solution Architecture examples we will prioritise using S/4HANA Events to write the Data to the Enterprise Blockchain; we will be sending the Event Notification and the Event Payload. We could of course draw the same Technical Solution Architecture with API's, but we prefer the Events for their simplicity and the reduced call-backs to the S/4HANA, which makes the S/4HANA more Ring Fenced and Digitally DeCoupled and therefore protected to a higher security level and exposed to less Cyber Security risk.</P><P>S/4HANA Data Events write the Data to the Enterprise Blockchain and S/4HANA Notification Events notify the Partner that something has happened; then, instead of calling an API on your SAP S/4HANA, the Partner calls the API of the Enterprise Blockchain and reads the Data from there.</P><P>The Enterprise Blockchain Database software is running on your SAP BTP Kyma Runtime and in your Partner's Servers, therefore creating natively, out of the box, the most secure and resilient common shared single source of truth. You have a Distributed Ledger running from your SAP BTP to the Partner's Servers.</P><P>Ok, let's go with the Technical Solution Architectures. In these examples we will focus on OutSourced Payroll as the integration and B2B Business Process Example.</P><P>What do we have and what do we need:</P><P>Your Company will need:</P><P style=" padding-left : 30px; ">. S/4HANA</P><P style=" padding-left : 30px; ">. 
SAP EM and preferably SAP AEM since it has richer Security and Event Payload size capabilities and can Publish Events from Non-SAP Enterprise Applications and connect to your Enterprise Event Mesh</P><P style=" padding-left : 30px; ">. SAP BTP</P><P style=" padding-left : 30px; ">. SAP BTP Kyma Runtime Service - this is where the Enterprise Blockchain Container will run</P><P style=" padding-left : 30px; ">. Enterprise Blockchain Platform Software which can run on Kubernetes&nbsp;</P><P style=" padding-left : 30px; ">. If there will be larger Data objects then you will need Large Storage for Large Data and the Enterprise Blockchain Wallet in the form of&nbsp;&nbsp;<A href="https://www.sap.com/norway/products/technology-platform/hana/features/cloud-data-lake.html" target="_self" rel="noopener noreferrer">SAP HANA Cloud (Data Lake)</A></P><P>Your Business Partner will need:</P><P style=" padding-left : 30px; ">. Obviously their Payroll Application</P><P style=" padding-left : 30px; ">. Either SAP BTP with Kyma Runtime, or Servers which can run Kubernetes Containers</P><P style=" padding-left : 30px; ">. n.b. 
there is an Optional Technical Solution Architecture where you simply allow your Business Partner to read data from your Enterprise Blockchain, with the Enterprise Blockchain Platform running exclusively on your BTP; we will show that Option as well</P><P>Technical Reference Solution Architecture for SAP S/4HANA and SAP SuccessFactors and an OutSourced 3rd Party Payroll Provider, using Enterprise Blockchain as a Common Shared Single Source of Truth for Data and the Ultimate Cyber Data Security for B2B Business Processes...</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OutSourced Payroll Process B2B Business Processes with S4HANA and Ultimate Data Cyber Security thanks to Enterprise Blockchain atkrypto.io" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/109796iAAEB8B150B86C587/image-size/large?v=v2&amp;px=999" role="button" title="OutSourced Payroll Process B2B Business Processes with S4HANA and Ultimate Data Cyber Security thanks to Enterprise Blockchain atkrypto.io.png" alt="OutSourced Payroll Process B2B Business Processes with S4HANA and Ultimate Data Cyber Security thanks to Enterprise Blockchain atkrypto.io" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">OutSourced Payroll Process B2B Business Processes with S4HANA and Ultimate Data Cyber Security thanks to Enterprise Blockchain atkrypto.io</span></span></P><P>&nbsp;</P><P>In the next example, we have the same basic Technical Solution Architecture as the previous example, except that this Reference Use Case is ready for the Enterprise Blockchain to handle large volumes of data and brings the Enterprise Wallet into the picture. 
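The two mechanisms this design rests on, the event flow (an S/4HANA data event writes to the ledger, a notification event tells the partner, the partner reads from the ledger rather than from S/4HANA) and the Enterprise Blockchain Wallet hash check described in the previous section (large payload off-chain, only its hash on-chain, re-hash before loading), put together as an added example. This is not code from the original post or from any Enterprise Blockchain product: OffChainWallet, HashLedger, publish_data_event and consume_notification are hypothetical names, the ledger is a minimal hash-chained list standing in for the replicated on-chain table, and the truck photo and GPS payloads are constructed sample data.

```python
# Added example, not from the original post or any Enterprise Blockchain product.
# Off-chain wallet + hash-chained ledger + event-driven producer/consumer pair.
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

def sha256_hex(data: bytes) -> str:
    """The hash algorithm run over the off-chain payload (SHA-256 here)."""
    return hashlib.sha256(data).hexdigest()

class OffChainWallet:
    """Hypothetical stand-in for the configurable off-chain store (object store, data lake)."""
    def __init__(self) -> None:
        self._objects: Dict[str, bytes] = {}
    def put(self, object_id: str, data: bytes) -> None:
        self._objects[object_id] = data
    def get(self, object_id: str) -> bytes:
        return self._objects[object_id]

@dataclass
class LedgerEntry:
    index: int
    object_id: str
    content_hash: str                 # SHA-256 of the off-chain payload
    prev_hash: str                    # hash of the previous entry: the chain link
    entry_hash: str = field(init=False)
    def __post_init__(self) -> None:
        self.entry_hash = self.compute_hash()
    def compute_hash(self) -> str:
        body = {"index": self.index, "object_id": self.object_id,
                "content_hash": self.content_hash, "prev_hash": self.prev_hash}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

class HashLedger:
    """Hypothetical stand-in for the on-chain table: append-only, hash-chained records."""
    GENESIS = "0" * 64
    def __init__(self) -> None:
        self.entries: List[LedgerEntry] = []
    def append(self, object_id: str, content_hash: str) -> LedgerEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = LedgerEntry(len(self.entries), object_id, content_hash, prev)
        self.entries.append(entry)
        return entry
    def lookup(self, object_id: str) -> Optional[str]:
        for entry in reversed(self.entries):      # latest record for the object wins
            if entry.object_id == object_id:
                return entry.content_hash
        return None
    def verify_chain(self) -> bool:
        """Recompute every link; any edited record breaks the chain."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if (entry.index != i or entry.prev_hash != prev
                    or entry.compute_hash() != entry.entry_hash):
                return False
            prev = entry.entry_hash
        return True

def publish_data_event(wallet: OffChainWallet, ledger: HashLedger,
                       object_id: str, data: bytes) -> dict:
    """Producer side (the S/4HANA data event): payload goes off-chain, only its
    hash goes on-chain, and the notification event for the partner is returned."""
    wallet.put(object_id, data)
    entry = ledger.append(object_id, sha256_hex(data))
    return {"type": "PayloadAnchored", "object_id": object_id,
            "content_hash": entry.content_hash, "ledger_index": entry.index}

def consume_notification(wallet: OffChainWallet, ledger: HashLedger,
                         event: dict) -> Optional[bytes]:
    """Partner side: read from the shared ledger and wallet, never from the
    producer's API; return None unless the payload verifies."""
    expected = ledger.lookup(event["object_id"])
    if expected is None or not ledger.verify_chain():
        return None                               # unknown object or damaged ledger
    data = wallet.get(event["object_id"])
    if not hmac.compare_digest(sha256_hex(data), expected):
        return None                               # off-chain copy was altered
    return data

def demo() -> dict:
    """Constructed scenario: a truck photo and a GPS fix are anchored, then tampered with."""
    wallet, ledger = OffChainWallet(), HashLedger()
    photo = b"\xff\xd8\xff\xe0" + b"constructed-jpeg-bytes" * 64      # constructed sample
    gps = json.dumps({"lat": 51.5, "lon": -0.12, "ts": "2024-05-13T10:00:00Z"}).encode()
    ev_photo = publish_data_event(wallet, ledger, "truck-42/photo-0001.jpg", photo)
    ev_gps = publish_data_event(wallet, ledger, "truck-42/gps-0001.json", gps)
    results = {
        "clean_photo_accepted": consume_notification(wallet, ledger, ev_photo) == photo,
        "clean_gps_accepted": consume_notification(wallet, ledger, ev_gps) == gps,
    }
    wallet.put("truck-42/photo-0001.jpg", photo + b"\x00")             # tamper off-chain copy
    results["tampered_photo_rejected"] = consume_notification(wallet, ledger, ev_photo) is None
    ledger.entries[0].content_hash = sha256_hex(photo + b"\x00")        # tamper ledger record
    results["chain_still_valid"] = ledger.verify_chain()                # False: link broken
    results["tampered_ledger_rejected"] = consume_notification(wallet, ledger, ev_photo) is None
    return results
```

Two points the toy makes visible. First, the consumer only gets the integrity guarantee if it trusts the ledger record, so it checks the chain as well as the payload hash; in a real deployment that trust comes from the ledger being replicated across both tenants and agreed by the consensus mechanism, which this single in-memory list does not model. Second, hash anchoring proves the payload has not changed, it does not hide it: access control and encryption on the off-chain store are still what protect the confidentiality of the payroll or camera data.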
In the Enterprise Blockchain Platform the Enterprise Wallet storage is configurable and therefore could be SAP HANA Cloud (DataLake) or AWS S3 Buckets or other HyperScaler Data stores.</P><P>All of the other Cyber Security characteristics remain the same, S/4 is ring fenced and digitally decoupled from the Business Partner, Enterprise Blockchain is used as a common shared single source of truth for Master and Transactional Data, and the Enterprise Blockchain Tenants are running in both your DataCenter (AnyPremise) and the Business Partner's DataCenter (AnyPremise):</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OutSourced Payroll Process B2B Business Processes with S4HANA and Ultimate Data Cyber Security thanks to Enterprise Blockchain &amp; Enterprise Wallet atkrypto.io" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/109798i2EF01053D4CE9FE3/image-size/large?v=v2&amp;px=999" role="button" title="OutSourced Payroll Process B2B Business Processes with S4HANA and Ultimate Data Cyber Security thanks to Enterprise Blockchain &amp; Enterprise Wallet atkrypto.io.png" alt="OutSourced Payroll Process B2B Business Processes with S4HANA and Ultimate Data Cyber Security thanks to Enterprise Blockchain &amp; Enterprise Wallet atkrypto.io" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">OutSourced Payroll Process B2B Business Processes with S4HANA and Ultimate Data Cyber Security thanks to Enterprise Blockchain &amp; Enterprise Wallet atkrypto.io</span></span></P><P>&nbsp;</P><P>The next example Reference Technical Solution Architecture is a little bit different, let's assume, for their own reasons, your Business Partner is not going to run an Enterprise Blockchain Tenant in their (AnyPremise) DataCenter.</P><P>This is still fine, you will set up the Enterprise Blockchain Platform in your DataCenter(s) (AnyPremise) and your B2B Business Partner, in this case 
the outsourced 3rd Party Payroll Vendor, simply uses APIs to read from and write to your Enterprise Blockchain.</P><P>All of the other benefits of the design remain the same, and all of the other next generation Data sharing Cyber Security characteristics are still there: S/4 is ring fenced and digitally decoupled from the Business Partner, and Enterprise Blockchain is used as a common shared single source of truth for Master and Transactional Data.</P><P>Here it is:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OutSourced Payroll Process B2B Business Processes with S4HANA and Ultimate Data Cyber Security thanks to your Enterprise Blockchain atkrypto.io" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/109799iF8BF786F376184ED/image-size/large?v=v2&amp;px=999" role="button" title="OutSourced Payroll Process B2B Business Processes with S4HANA and Ultimate Data Cyber Security thanks to your Enterprise Blockchain atkrypto.io.png" alt="OutSourced Payroll Process B2B Business Processes with S4HANA and Ultimate Data Cyber Security thanks to your Enterprise Blockchain atkrypto.io" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">OutSourced Payroll Process B2B Business Processes with S4HANA and Ultimate Data Cyber Security thanks to your Enterprise Blockchain atkrypto.io</span></span></P><P>&nbsp;</P><P>Finally, we have the same Reference Technical Architecture as above, but to be able to cater for large volumes of Data we include the Enterprise Wallet in the design.</P><P>&nbsp;</P><P>Ok, let's wrap this up with the conclusions:</P><P>Ring Fencing the S/4HANA Digital Core substantially raises the Cyber Security and reduces the attack surface exposed to 3rd Party Attackers. The Ultimate Cyber Security for Ring Fencing S/4HANA is the Enterprise Blockchain, where the Enterprise Blockchain acts as a common shared single source of truth for Data across Organisations.</P><P>Enterprise Blockchain is:</P><UL><LI>Ring Fencing and Digitally DeCoupling the S/4HANA Digital Core</LI><LI>A Secure Store of Data</LI><LI>A Secure Communication Channel for Data</LI><LI>A Common Shared Single Source of Truth in your Organisation and across Organisations</LI><LI>The next generation of Data Integration, which is about having a Common Shared Single Source of Truth</LI></UL><P>Next generation Integrations don't allow direct access to APIs published by S/4HANA and don't replicate Data; that's legacy. Instead, they use Enterprise Blockchain as a common shared single source of truth.</P><P><STRONG>The configurable Enterprise Blockchain Wallet enables you to store Big Data 'Off-Chain', while the hashes of the Data are stored safely and securely on the Enterprise Blockchain Database.</STRONG></P><P>&nbsp;</P><P>The good news is, as we discussed in the previous blog, this is no longer hype; we can do all of this today, and now, within the <A href="https://www.sap.com/norway/partners/partner-program/build.html" target="_self" rel="noopener noreferrer">SAP Partner Edge Open EcoSystem</A> there are enabling Blockchain technology Products designed and built by SAP Experts specifically for the needs of SAP Customers, to make doing Blockchain and SAP easy. So you can do SAP and Blockchain today; it's real and there's nothing stopping you.</P><P>So what are we waiting for? Oh yeah, the deep dive into more use cases, ok, that will be the next blog.</P><P><SPAN>What do you think, are the words Blockchain, Web3, Distributed Ledger Technology starting to appear in your Company's visions and technology visions? What use cases are you looking at? 
Let's chat about it in the comments.</SPAN></P><P>For now, over and out.</P><P>Andy Silvey.</P><P>Independent SAP Technical Architect and CEO of atkrypto.io</P><P>Author Bio:</P><P>Andy Silvey is a 25-year SAP Technology veteran [<EM>15 years SAP Basis and 10 years SAP Tech Arch, including Tech, Integration, Security and Data from 3.1H to S/4HANA PCE on RISE and the BTP and everything in between, and <A href="https://community.sap.com/t5/welcome-corner-blog-posts/andy-silvey-scn-moderator-spotlight/ba-p/13054438" target="_self">former SCN Moderator and Mentor alumni</A></EM>].</P><P data-unlink="true">Andy is also co-Founder of atkrypto inc, a startup whose ambition is to make Blockchain easy for Enterprise.</P><P>atkrypto.io's flagship product is the atkrypto Enterprise Blockchain Platform for SAP, and atkrypto.io is an SAP Partner Edge Open EcoSystem Partner.</P><P>The atkrypto Enterprise Blockchain Platform for SAP has been designed by independent SAP Experts for the needs of SAP Customers, to be deployed on the SAP BTP Kyma Runtime Service and to leverage native integration with SAP Products.</P><P>The atkrypto Enterprise Blockchain Platform for SAP has a number of unique qualities, including being the only Blockchain software in the world which has both a DataCenter version and a light mobile version that runs on Edge/IoT/Mobile devices, enabling data to be written at the Edge to the same Blockchain that is running on a Server in the DataCenter, protecting the integrity and originality of data from the Edge to Insights. 
Taking Blockchain to the Data at the Edge instead of taking the Data to the Blockchain.</P><P><SPAN>All of this makes atkrypto.io the DePIN (Decentralised Physical Infrastructure Network) solution for Enterprise.</SPAN></P><P data-unlink="true"><SPAN>atkrypto is one of the Next20 startups being featured at TM Forum's DTW Ignite in Copenhagen in June.</SPAN></P><P>If you will be at DTW24, come and talk to us about Cyber Security of SAP Data with Enterprise Blockchain.</P><P>&nbsp;</P> 2024-05-14T13:56:58.227000+02:00 https://community.sap.com/t5/technology-blogs-by-sap/sap-advanced-financial-closing-afc-security/ba-p/13712434 SAP Advanced Financial Closing (AFC) Security 2024-05-26T07:41:23.672000+02:00 Krishan_Singh_Chauhan https://community.sap.com/t5/user/viewprofilepage/user-id/14777 <H1 id="toc-hId-886530848"><STRONG>Introduction</STRONG></H1><P>SAP Advanced Financial Closing (SAP AFC) is a solution offered by SAP to streamline and optimize financial closing processes for organizations. It provides a comprehensive suite of tools and functionalities to automate and accelerate tasks involved in the financial close process, such as reconciliations, journal entries, and financial reporting.</P><P>SAP AFC helps improve the efficiency and accuracy of financial closing activities by integrating data from various sources, standardizing processes, and providing real-time visibility into financial close status. This allows finance teams to reduce manual effort, minimize errors, and meet regulatory requirements more effectively. 
Overall, SAP AFC aims to enhance the financial close process, enabling organizations to close their books faster and with greater confidence.</P><H3 id="toc-hId-948182781"><STRONG>What are we discussing here?</STRONG></H3><P>Setting up security in SAP Advanced Financial Closing (SAP AFC), i.e.:</P><UL><LI>Role and user creation.</LI><LI>Granting access to users.</LI></UL><H3 id="toc-hId-751669276"><STRONG>Prerequisites:</STRONG></H3><UL><LI>BTP onboarding.</LI><LI>The user has access to the BTP cockpit.</LI></UL><H3 id="toc-hId-555155771"><STRONG>Security Activities:</STRONG></H3><P>The following steps are carried out when setting up security in SAP Advanced Financial Closing:</P><H4 id="toc-hId-487724985"><STRONG>Step 1: Create custom role collection</STRONG></H4><P>Log in to the BTP cockpit and, based on the business requirement, create custom role collections in SAP BTP for SAP AFC.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Krishan_Singh_Chauhan_4-1716695911017.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/115444iBAD63D9F90065588/image-size/medium?v=v2&amp;px=400" role="button" title="Krishan_Singh_Chauhan_4-1716695911017.png" alt="Krishan_Singh_Chauhan_4-1716695911017.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Krishan_Singh_Chauhan_2-1716695736690.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/115442i2DFE0E381BFCFCCA/image-size/medium?v=v2&amp;px=400" role="button" title="Krishan_Singh_Chauhan_2-1716695736690.png" alt="Krishan_Singh_Chauhan_2-1716695736690.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Krishan_Singh_Chauhan_3-1716695784322.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/115443iC4FA3DE470EC94B4/image-size/medium?v=v2&amp;px=400" role="button" 
title="Krishan_Singh_Chauhan_3-1716695784322.png" alt="Krishan_Singh_Chauhan_3-1716695784322.png" /></span></P><H4 id="toc-hId-291211480"><STRONG>Step 2: Create user and assign custom role collection</STRONG></H4><P>Create the users in SAP BTP for SAP AFC.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Krishan_Singh_Chauhan_5-1716696237882.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/115445iAC6B0EDCAB098C2A/image-size/medium?v=v2&amp;px=400" role="button" title="Krishan_Singh_Chauhan_5-1716696237882.png" alt="Krishan_Singh_Chauhan_5-1716696237882.png" /></span></P><P>Assign the custom role collection to give the users access to the tiles in SAP AFC.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Krishan_Singh_Chauhan_6-1716696332269.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/115446iD1D683003FFE7FEE/image-size/medium?v=v2&amp;px=400" role="button" title="Krishan_Singh_Chauhan_6-1716696332269.png" alt="Krishan_Singh_Chauhan_6-1716696332269.png" /></span></P><H4 id="toc-hId-94697975"><STRONG>Step 3: Create user in SAP AFC</STRONG></H4><P>Create users in SAP AFC to segregate access based on Task List Creation and Task Processing.</P><P>Navigate to the Manage Users tile, download the template, maintain the data, and upload the file to create the users in AFC.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Krishan_Singh_Chauhan_0-1716697423745.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/115447i4078E99B59C69840/image-size/medium?v=v2&amp;px=400" role="button" title="Krishan_Singh_Chauhan_0-1716697423745.png" alt="Krishan_Singh_Chauhan_0-1716697423745.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Krishan_Singh_Chauhan_1-1716697446878.png" style="width: 400px;"><img 
src="https://community.sap.com/t5/image/serverpage/image-id/115448i8C18DAB4C7640D46/image-size/medium?v=v2&amp;px=400" role="button" title="Krishan_Singh_Chauhan_1-1716697446878.png" alt="Krishan_Singh_Chauhan_1-1716697446878.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Krishan_Singh_Chauhan_2-1716697468294.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/115449iB3BC0BB0A8CDC691/image-size/medium?v=v2&amp;px=400" role="button" title="Krishan_Singh_Chauhan_2-1716697468294.png" alt="Krishan_Singh_Chauhan_2-1716697468294.png" /></span></P><P>Note: The file must be in .csv format.</P><H4 id="toc-hId--101815530"><STRONG>Step 4: Create user group in SAP AFC</STRONG></H4><P>Navigate to the Configuration tile -&gt; User Groups -&gt; Create.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Krishan_Singh_Chauhan_3-1716697730368.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/115450i14CE7771A7FFAED2/image-size/medium?v=v2&amp;px=400" role="button" title="Krishan_Singh_Chauhan_3-1716697730368.png" alt="Krishan_Singh_Chauhan_3-1716697730368.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Krishan_Singh_Chauhan_4-1716697799886.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/115451i894184493A958523/image-size/medium?v=v2&amp;px=400" role="button" title="Krishan_Singh_Chauhan_4-1716697799886.png" alt="Krishan_Singh_Chauhan_4-1716697799886.png" /></span></P><P>Note: User groups can also be created via upload.</P><H4 id="toc-hId--298329035"><STRONG>Step 5: Assign users to user groups in SAP AFC</STRONG></H4><P>Navigate to the Configuration tile -&gt; User Groups -&gt; User-to-Group Assignment. 
Download the template, maintain the data, and upload the template to map the users to the user group.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Krishan_Singh_Chauhan_1-1716702541944.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/115460i7CA4D4971715BC3C/image-size/medium?v=v2&amp;px=400" role="button" title="Krishan_Singh_Chauhan_1-1716702541944.png" alt="Krishan_Singh_Chauhan_1-1716702541944.png" /></span></P><H4 id="toc-hId--494842540"><STRONG>Step 6: Define scoped user role</STRONG></H4><P>Navigate to the Configuration tile -&gt; User Roles. Create scoped roles according to the task to be performed (Task List Creation or Task Processing).</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Krishan_Singh_Chauhan_0-1716698779322.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/115453iF505FD53CC170092/image-size/medium?v=v2&amp;px=400" role="button" title="Krishan_Singh_Chauhan_0-1716698779322.png" alt="Krishan_Singh_Chauhan_0-1716698779322.png" /></span></P><P>Select the restriction based on the requirement, i.e. Restricted or Unrestricted Access.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Krishan_Singh_Chauhan_1-1716699099635.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/115454iD9939C3F3C3B4E3E/image-size/medium?v=v2&amp;px=400" role="button" title="Krishan_Singh_Chauhan_1-1716699099635.png" alt="Krishan_Singh_Chauhan_1-1716699099635.png" /></span></P><P>Note: Restricted access does not allow the user to create tasks; it gives display access only. Also, make sure that the authorizations (Create, Read, etc.) are assigned based on the requirement.</P><H4 id="toc-hId--1189073140"><STRONG>Step 7: Manage User Role Assignments</STRONG></H4><P>Navigate to the Manage User Role Assignments tile, select the scoped role you created, and click Add to assign it.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Krishan_Singh_Chauhan_0-1716699688897.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/115457i81FBED73A0D5C8B3/image-size/medium?v=v2&amp;px=400" role="button" title="Krishan_Singh_Chauhan_0-1716699688897.png" alt="Krishan_Singh_Chauhan_0-1716699688897.png" /></span></P><P>After performing the steps above, the user has access to execute activities in SAP AFC.</P><P>&nbsp;</P><H1 id="toc-hId--505377624"><STRONG>Conclusion</STRONG></H1><P><SPAN>I hope this article gave an insight into the activities carried out when setting up security in SAP Advanced Financial Closing (SAP AFC).</SPAN></P><H4 id="toc-hId--1582100150"><STRONG>List of Important Notes:</STRONG></H4><P><A href="https://me.sap.com/notes/2873915/E" target="_blank" rel="noopener noreferrer">2873915 - FAQ SAP Advanced Financial Closing</A></P><P><STRONG>Feedback, questions and comments are most welcome!</STRONG><BR /><BR /><EM>Please follow my profile for future posts on SAP Security and GRC. 
Also, follow me on&nbsp;</EM><EM><STRONG><U><A href="https://www.linkedin.com/in/krishan-singh-chauhan-6bb474119/" target="_blank" rel="noopener nofollow noreferrer">LinkedIn</A></U></STRONG></EM></P><P><STRONG><EM>Happy Learnings!</EM></STRONG><BR />Krishan Singh Chauhan</P> 2024-05-26T07:41:23.672000+02:00 https://community.sap.com/t5/technology-blogs-by-sap/sap-enablement-service-for-nis2-cybersecurity/ba-p/13637332 SAP enablement service for NIS2 Cybersecurity 2024-05-27T16:55:00.381000+02:00 Oliver_Derksen https://community.sap.com/t5/user/viewprofilepage/user-id/191918 <P><FONT size="5"><STRONG>NIS2 is the most expansive Cybersecurity directive in Europe to date, and regardless of whether you RISE or GROW with SAP, Cybersecurity remains critical and satisfying regulations remains a challenge.</STRONG></FONT></P><UL class="lia-list-style-type-square"><LI><FONT size="5"><STRONG>Learn how to navigate current security measures in your SAP landscape and to identify potential gaps.</STRONG></FONT></LI><LI><FONT size="5"><STRONG>Obtain guidance on aligning Cybersecurity measures with this new regulation and on how to implement standards-based Cybersecurity management.</STRONG></FONT></LI></UL><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2024-05-24_17-24-50.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/115305i6818710266D0A79F/image-size/large?v=v2&amp;px=999" role="button" title="2024-05-24_17-24-50.png" alt="2024-05-24_17-24-50.png" /></span></P><P>&nbsp;</P><P><STRONG>Key Takeaways</STRONG></P><UL><LI>The EU's NIS2 Directive is a revised version of the existing Network and Information Security (NIS) Directive. It was officially signed and published in December 2022. 
The "Gesetz zur Umsetzung von EU NIS2 und Stärkung der Cybersicherheit" (NIS2UmsuCG) transposes the directive into German regulation, taking effect in October 2024.</LI><LI>The NIS2 Directive expands the scope and sharpens the requirements for Cybersecurity through structured requirements for security processes, technical and organizational measures, and reporting obligations.</LI><LI>The NIS2 Directive introduces stricter penalties for violations.</LI><LI>The implementation of an Information Security Management System (ISMS) facilitates compliance with the NIS2 Directive.</LI><LI>SAP supports its customers in preparing for NIS2 compliance of their SAP systems and cybersecurity processes with dedicated consulting services.</LI></UL><P>&nbsp;</P><H2 id="toc-hId-988979450">EU NIS2 – Network and Information Security in the European Union</H2><P>NIS2 is designed to address the shortcomings of its predecessor, NIS, particularly the discrepancies among member states regarding the implementation and requirements of cybersecurity measures. This updated directive has a broader reach and enhances NIS.</P><P>The directive aims to protect important sectors and services from Cybersecurity threats. Institutions that meet the thresholds defined in the directive, such as electricity and water plants or banks, must comply with legal requirements to make their systems and networks more secure. The European Union (EU) Member States must transpose the NIS2 directive into national law. In Germany, the directive is transposed into German regulation via the "Gesetz zur Umsetzung von EU NIS2 und Stärkung der Cybersicherheit" (NIS2UmsuCG), effective October 18th, 2024.</P><P>In short, NIS2 introduces the following key modifications:</P><UL><LI>The applicability scope has been extended to incorporate sectors such as telecommunications, social media platforms, public administration, and the food sector. 
NIS2 also includes subcontractors with access to critical infrastructure, recognizing the significant implications of infrastructure threats that could potentially compromise the security of an entire organization.</LI><LI>Introduction of a size cap, whereby medium to large entities (with over 50 employees and an annual turnover exceeding €10 million) in the relevant sectors will be subject to NIS2.</LI><LI>An increase in sanctions to a maximum of 10 million EUR or 2% of the total annual global turnover, mirroring the level of GDPR fines.</LI></UL><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2024-05-24_17-08-47.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/115299i59594B1EDED5C633/image-size/large?v=v2&amp;px=999" role="button" title="2024-05-24_17-08-47.png" alt="2024-05-24_17-08-47.png" /></span></P><P>&nbsp;</P><P>The NIS2 directive impacts approximately 160,000 organizations in the EU due to the expansion in the number of sectors defined by the directive. NIS2 differentiates between "essential" and "important" sectors:</P><P>For the first time, NIS2 introduces the concept of "important facilities", broadening the scope of the critical infrastructure. As a result, companies in sectors such as digital marketplaces or the food industry now also fall under the NIS2 directive. In Germany, the legislature estimates that about 30,000 companies will be affected by NIS2, with "important institutions" making up over 20,000 of these companies.</P><P>&nbsp;</P><H2 id="toc-hId-792465945">Challenges for Businesses</H2><P>NIS2 heightens the requirements for companies. There are four main areas in which organizations must comply to ensure security at the organizational level:</P><UL class="lia-list-style-type-disc"><LI>Risk Management: Organizations need to take measures to minimize cyber risks. 
These include enhanced network security, incident management, strong access control, and encryption.</LI><LI>Corporate Accountability: Management must oversee, approve, and be prepared to address cyber risks when needed. Breaches may result in penalties for management, potentially including a temporary ban from management roles.</LI><LI>Reporting Obligations: Essential and important entities must have processes to report security incidents with a significant impact on their services. NIS2 sets notification deadlines: for instance, initial threat notifications must be made within 24 hours of identifying an incident, with further updates required within 72 hours.</LI><LI>Business Continuity: Organizations must have a plan that shows how they ensure business continuity in case of major cyber incidents. It is important to include considerations about system recovery, emergency procedures, and having a crisis response team.</LI></UL><P>&nbsp;</P><H2 id="toc-hId-595952440">NIS2 minimum measures to address Cybersecurity threats</H2><P>Beyond the four primary areas of requirement, NIS2 mandates that essential and important entities establish baseline security measures to counter potential types of cyberthreats. These include:</P><UL><LI>Risk management procedures and security policies for information systems.</LI><LI>Policies and procedures for evaluating the effectiveness of security measures, as well as policies and procedures for the use of cryptography.</LI><LI>A strategy for managing and mitigating security incidents and for managing business operations during and after a security incident.</LI><LI>Supply chain security and company-supplier relations, requiring tailored security measures for each supplier, followed by an overall security assessment.</LI><LI>Cybersecurity training and basic computer hygiene practices.</LI><LI>Security measures around the acquisition, development, and operation of systems. 
This also requires procedures for handling and reporting vulnerabilities.</LI><LI>Security procedures for employee access to confidential or critical information must be established, including data access policies. Affected organizations must also maintain an inventory of all relevant assets, ensuring their appropriate use and management.</LI><LI>The use of multi-factor authentication, continuous authentication solutions, voice, video, and text encryption, along with secure internal emergency communication, when appropriate.</LI></UL><P>&nbsp;</P><H2 id="toc-hId-399438935">SAP enablement service for NIS2 Cybersecurity</H2><P>SAP offers an SAP Store service that interactively explores the potential impact of NIS2 requirements on SAP landscapes, using S/4HANA as an illustrative case study. During this interactive session we present our viewpoints on Cybersecurity Compliance:</P><P>&nbsp;</P><H3 id="toc-hId-332008149">Cybersecurity Architecture point of view</H3><P>The objective is to secure business processes in your SAP landscape end-to-end, leveraging all relevant capabilities of SAP’s Cybersecurity and Compliance solutions and services.</P><P>&nbsp;</P><H3 id="toc-hId-135494644">Cybersecurity Compliance &amp; Assurance point of view</H3><P>The need to adhere to Cybersecurity regulations, and hence to rely on standards-based security and control management as well as auditing and monitoring of your SAP landscape.</P><P>&nbsp;</P><H3 id="toc-hId--61018861">Cybersecurity Assessment point of view</H3><P>The desire for detailed insight into the as-is Cybersecurity situation, driven by uncertainty about the current measures in the SAP landscape and the fear of "open flanks".</P><P>&nbsp;</P><H2 id="toc-hId--386615085">A service available in SAP Store</H2><P>Find out what EU NIS2 Article 21.2 (i) has to do with the ABAP profile parameter rfc/selftrust and <SPAN>learn more about the related 
SAP Customer Success service offering in SAP Store:&nbsp;<A href="https://store.sap.com/dcp/en/" target="_self" rel="noopener noreferrer">https://store.sap.com/dcp/en/</A></SPAN></P><P>&nbsp;</P><P><U>About the Author</U><BR /><STRONG>Oliver Derksen</STRONG>, CISA, M.A. Risk and Compliance Management<BR />Principal Consultant Information Security Management and Integrated Assurance<BR />Success Delivery Center DTS Cybersecurity &amp; Compliance |&nbsp;<A href="mailto:cscm4s-service@sap.com" target="_self" rel="nofollow noopener noreferrer">cscm4s-service@sap.com</A></P><P>&nbsp;</P> 2024-05-27T16:55:00.381000+02:00 https://community.sap.com/t5/technology-blogs-by-sap/new-cio-guide-identity-lifecycle-in-sap-landscapes/ba-p/13720776 New CIO Guide: Identity Lifecycle in SAP Landscapes 2024-06-04T13:27:48.243000+02:00 Martina_Kirschenmann https://community.sap.com/t5/user/viewprofilepage/user-id/5013 <P>We just published our new, comprehensive CIO Guide: Identity Lifecycle in SAP Landscapes!</P><P><STRONG>This new CIO guide explores the SAP approach to identity and access management (IAM) in the context of the identity lifecycle. It explains how IAM software from SAP supports building successful system integrations in cloud and hybrid environments and includes diagrams and a reference architecture to illustrate the concepts. With SAP Cloud Identity Services and well-established IAM-related industry standards, SAP improves system integration and helps provide a seamless user experience while also improving security and compliance.</STRONG></P><P>The first version of this CIO guide was released in 2018 and quickly became one of the most popular documents in the SAP security community. 
Despite an update of the guide in 2021, a lot has changed again since then, so we decided to issue another update that builds on the proven format while adding new technical developments and strategic recommendations.</P><P>The most important change is that we have brought the capabilities of authentication, authorization, and provisioning together into one seamless solution, SAP Cloud Identity Services. At the same time, the Identity Directory service has assumed a much more prominent role as the backbone of IAM tools and processes.</P><P>The new guide explains the identity lifecycle and the SAP Cloud Identity Services strategy and explores the SAP offerings for each area. We also introduce a section on the reference architectures for IAM to provide you with an overview and comprehensive technical diagrams for the major IAM areas of authentication, identity lifecycle, and authorization.</P><P><A href="https://www.sap.com/documents/2018/05/38ce7d25-067d-0010-87a3-c30de2ffd8ff.html" target="_blank" rel="noopener noreferrer"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="CIO Guide Identity Lifecycle in SAP Landscapes.png" style="width: 283px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/119193i67FFC4EEB104BA59/image-size/medium?v=v2&amp;px=400" role="button" title="CIO Guide Identity Lifecycle in SAP Landscapes.png" alt="CIO Guide Identity Lifecycle in SAP Landscapes.png" /></span></A></P><P style=" text-align: center; "><FONT size="5"><STRONG><A href="https://www.sap.com/documents/2018/05/38ce7d25-067d-0010-87a3-c30de2ffd8ff.html" target="_blank" rel="noopener noreferrer">Read the new CIO guide!</A></STRONG></FONT></P><P>&nbsp;</P><P><SPAN>For more information about <STRONG>SAP Cloud Identity Services</STRONG> and to stay up to date on the latest developments, visit our topic page in SAP Community:</SPAN></P><P><A href="https://pages.community.sap.com/topics/cloud-identity-services" target="_blank" rel="noopener 
noreferrer"><STRONG>https://pages.community.sap.com/topics/cloud-identity-services</STRONG></A></P><P>&nbsp;</P> 2024-06-04T13:27:48.243000+02:00 https://community.sap.com/t5/technology-blogs-by-members/boosting-sap-netweaver-security-a-guide-to-integrating-sap-netweaver-abap/ba-p/13728234 Boosting SAP Netweaver Security: A Guide to Integrating SAP Netweaver (ABAP Stack) with IBM Verify 2024-06-13T08:10:17.838000+02:00 TusharTrivedi https://community.sap.com/t5/user/viewprofilepage/user-id/150726 <P><STRONG>Introduction</STRONG></P><P>Effective user provisioning is essential for both organisational security and productivity in digital operations, but controlling user access across many systems can be complicated and difficult. This blog article discusses how IBM Verify SaaS integrates with SAP NetWeaver and explains how the two work together to improve overall operational efficiency, strengthen security, and streamline user provisioning processes.</P><P>SAP NetWeaver (on-premise) is a widely used platform that acts as the foundation for various SAP applications, including SAP ECC and S/4HANA. Users typically log in to these applications through the SAP NetWeaver interface.</P><P>IBM Security Verify SaaS adds an extra layer of security to the login process for SAP ECC and S/4HANA systems. By integrating with SAP NetWeaver, it allows users to log in securely using a web browser, but also requires an additional verification step (Multi-Factor Authentication or MFA) provided by IBM Security Verify. This MFA could be a code from a mobile app, a fingerprint scan, or another secure method.</P><P><STRONG>SAP Netweaver on ABAP Stack vs SAP Netweaver on Java Stack</STRONG></P><P>SAP NetWeaver provides development stacks for both Java and ABAP. Java offers open-source flexibility and meets the demands of contemporary development, while ABAP excels in core business logic and integrates with SAP with ease. 
Select Java for modern apps, scalability, and a larger talent pool, or ABAP for deep integration and existing SAP expertise. Both allow interoperability and can coexist on a single server, although that setup is less common.</P><P>While IBM Security Verify offers an adapter for integrating with SAP NetWeaver applications on the Java stack, this blog focuses specifically on the integration of SAP NetWeaver applications built on the ABAP stack with IBM Security Verify SaaS.</P><P><STRONG><U>Architecture</U></STRONG></P><P>IBM Security Verify SaaS can be integrated with a hybrid SAP landscape, including on-premise SAP Netweaver, cloud-based SAP BTP, and other SAP SaaS offerings (such as SAP SuccessFactors, SAP ARIBA, SAP Fieldglass). This centralized approach offers strong security with Multi-Factor Authentication and simplifies the user experience through Single Sign-On. Users authenticate through IBM Security Verify, which then communicates with the relevant SAP application (Netweaver, BTP, or SAP SaaS offering) to grant access. 
This architecture enhances security and streamlines user experience for accessing SAP resources.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 1.png" style="width: 671px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122463i268D170DCB03E403/image-dimensions/671x269?v=v2" width="671" height="269" role="button" title="Picture 1.png" alt="Picture 1.png" /></span></P><P><STRONG><U>Prerequisites</U></STRONG></P><UL><LI>SAP NetWeaver&nbsp;</LI><LI>IBM Security Verify (for a trial instance, check this <A href="https://www.ibm.com/docs/en/security-verify?topic=overview-accessing-security-verify" target="_blank" rel="noopener nofollow noreferrer">link</A>)</LI><LI>A smartphone with the IBM Security Verify App</LI></UL><P><STRONG><U>Configurations and Settings in IBM Security Verify and SAP NetWeaver</U></STRONG></P><P><STRONG>IBM Security Verify Configuration : </STRONG></P><P>Log in to <A href="https://ibmlabs.verify.ibm.com/ui/admin" target="_blank" rel="noopener nofollow noreferrer">IBM Security Verify</A> as an administrator&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 2.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122464i56CED75434412416/image-size/large?v=v2&amp;px=999" role="button" title="Picture 2.png" alt="Picture 2.png" /></span></P><P>After logging in, you will be taken to the home screen, as displayed below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 3.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122466i7668A637EDAAD691/image-size/large?v=v2&amp;px=999" role="button" title="Picture 3.png" alt="Picture 3.png" /></span></P><P>Now, follow these steps:</P><OL><LI>On the left panel, click "<STRONG>Applications</STRONG>" under "<STRONG>Applications</STRONG>."</LI><LI>On the right side of the screen, 
click the "<STRONG>Add application</STRONG>" button.</LI><LI>In the default applications list, search for "<STRONG>SAP NetWeaver</STRONG>" instead of creating a custom application.</LI></OL><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 4.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122468i6F6DB01D039B7387/image-size/large?v=v2&amp;px=999" role="button" title="Picture 4.png" alt="Picture 4.png" /></span></P><P>As indicated below, complete the "<STRONG>General</STRONG>" section with the relevant information, then save it.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 5.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122469i6F0B1DE6E55A6DD9/image-size/large?v=v2&amp;px=999" role="button" title="Picture 5.png" alt="Picture 5.png" /></span></P><P>Select the "<STRONG>Sign on</STRONG>" tab and complete the fields as indicated by the screenshots below. The required data is available through your individual SAP NetWeaver account. 
Furthermore, adhere to the conditions listed in “<STRONG>Prerequisites</STRONG>” in order to receive the necessary information from SAP NetWeaver.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 6.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122470iF6089758F4E25AEE/image-size/large?v=v2&amp;px=999" role="button" title="Picture 6.png" alt="Picture 6.png" /></span></P><P>Next we need to upload a "Metadata" file into SAP Netweaver; it can be downloaded from the IBM Verify dashboard as described in the steps below.</P><OL><LI>Go to the "Sign on" section of the application and scroll through the right side of the screen, where you can find the prerequisites.</LI><LI>Scroll down, as shown in the screenshots below, to the download metadata step and click on the link.</LI><LI>The metadata file is saved to your device; you can then upload it to SAP NetWeaver as highlighted below:</LI></OL><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 7.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122471i26EEB5AD9C828C32/image-size/large?v=v2&amp;px=999" role="button" title="Picture 7.png" alt="Picture 7.png" /></span></P><P>Refer to the SAP Netweaver user details to create a matching user in IBM Security Verify. Follow the instructions outlined below.<BR />1. Log in to SAP Netweaver via SAP GUI.<BR />2. Navigate to transaction code "<STRONG>SU01D</STRONG>".<BR />3. Choose the user for whom you want to create details in IBM Security Verify.<BR />4. 
Gather user information, including first and last names, email addresses, etc.</P><P>For reference, see the screenshot below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 8.png" style="width: 934px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122472i29DCDF5B8C907C67/image-size/large?v=v2&amp;px=999" role="button" title="Picture 8.png" alt="Picture 8.png" /></span></P><P>With the configuration in IBM Security Verify complete, let's add a user with the appropriate attributes in IBM Security Verify and check whether it maps to the SAP NetWeaver dashboard.</P><OL><LI>Go to the "<STRONG>Users</STRONG>" tab under the "<STRONG>Directory</STRONG>" section on the left side of the IBM Security Verify dashboard.</LI></OL><P>Click on the "<STRONG>Add</STRONG> <STRONG>User</STRONG>" button as shown in the screenshot below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 9.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122473iB69220D16B61940D/image-size/large?v=v2&amp;px=999" role="button" title="Picture 9.png" alt="Picture 9.png" /></span></P><P>Complete all required fields in the user information section depicted in the image below, then click on the "<STRONG>Save</STRONG>" button within the user tab interface.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 10.png" style="width: 390px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122474iE29190B1B18DF143/image-dimensions/390x725?v=v2" width="390" height="725" role="button" title="Picture 10.png" alt="Picture 10.png" /></span></P><P>Scroll down to access additional fields for adding further details about the user. 
In the provided screenshot, you can observe that we have included the email address for the user.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 11.png" style="width: 390px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122475i766D5B23271126E3/image-dimensions/390x645?v=v2" width="390" height="645" role="button" title="Picture 11.png" alt="Picture 11.png" /></span></P><P>After completing the necessary user details, click on the "<STRONG>Save</STRONG>" button to store the user information. Set up the SAP Netweaver configuration and then access the SAP NetWeaver application to verify that the newly created user is correctly mapped within the system.</P><P><STRONG><U>SAP Netweaver Configuration</U></STRONG></P><P><STRONG>Establish a local SAML 2.0 provider</STRONG>: Log in to SAP Netweaver using SAP GUI. Here, access the transaction "<STRONG>SAML2</STRONG>" by entering it in the command field at the top of the screen, as indicated below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 12.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122476iFA35311A751B7BA4/image-size/large?v=v2&amp;px=999" role="button" title="Picture 12.png" alt="Picture 12.png" /></span></P><P>A web browser configuration screen will be displayed, requiring you to choose "<STRONG>Create SAML2.0 Local Provider</STRONG>" and press the "<STRONG>Next</STRONG>" button.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 13.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122477iB2615E8307F9DCB9/image-size/large?v=v2&amp;px=999" role="button" title="Picture 13.png" alt="Picture 13.png" /></span></P><P>Enter "IBM_Security_Verify" as the provider name in the Initial settings.</P><P><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="Picture 14.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122480i54D6F0951DEEE467/image-size/large?v=v2&amp;px=999" role="button" title="Picture 14.png" alt="Picture 14.png" /></span></P><P>Click "<STRONG>Next</STRONG>", since there is no need to modify the options in the "<STRONG>General Settings</STRONG>" box.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 15.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122481iD8A30B0F10292315/image-size/large?v=v2&amp;px=999" role="button" title="Picture 15.png" alt="Picture 15.png" /></span></P><P>Select the "<STRONG>Finish</STRONG>" option; we'll leave the "Service Provider Settings" at their defaults, as seen below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 16.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122482i07BEAABBFCBA5A6E/image-size/large?v=v2&amp;px=999" role="button" title="Picture 16.png" alt="Picture 16.png" /></span></P><P>You will now be taken to the screen below, where you can see the details that you customised in accordance with the previous instructions.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 17.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122483iE19F904BFA534C4A/image-size/large?v=v2&amp;px=999" role="button" title="Picture 17.png" alt="Picture 17.png" /></span></P><P><STRONG>Upload Metadata File</STRONG>: As indicated below, click the "<STRONG>Trusted Providers</STRONG>" section. 
Then, click the "<STRONG>Add</STRONG>" button to bring up a drop-down menu, choose "<STRONG>Upload Metadata File</STRONG>" from it, and upload the file that you downloaded from IBM Security Verify to your local device earlier.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 18.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122485i43DBF1D4337821EA/image-size/large?v=v2&amp;px=999" role="button" title="Picture 18.png" alt="Picture 18.png" /></span></P><P>A new line item should now appear in the trusted providers list. Configure the "<STRONG>Endpoints</STRONG>" area as seen in the screenshot below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 19.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122484iE386AA9BC903863F/image-size/large?v=v2&amp;px=999" role="button" title="Picture 19.png" alt="Picture 19.png" /></span></P><P>Select the "<STRONG>Identity Federation</STRONG>" section, click "<STRONG>Add</STRONG>", and enter the user's email address under "<STRONG>Supported NameID Formats</STRONG>". Additionally, as seen in the screenshot below, set "<STRONG>Email</STRONG>" as the User ID mapping mode and “<STRONG>email</STRONG>” for the "<STRONG>Assertion Attribute Name</STRONG>" field.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 20.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122486iD1122D2C1D56C429/image-size/large?v=v2&amp;px=999" role="button" title="Picture 20.png" alt="Picture 20.png" /></span></P><P>The following step takes us to a different section called "<STRONG>Signature and Encryption</STRONG>", where we check the value of "<STRONG>Digest Algorithm</STRONG>" and, if it isn't already, set it to "<STRONG>SHA-256</STRONG>". 
We will also check the values of the remaining fields, as indicated in the screenshot below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 21.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122487i0EF0B3BF4E033F11/image-size/large?v=v2&amp;px=999" role="button" title="Picture 21.png" alt="Picture 21.png" /></span></P><P>We'll now select the "<STRONG>Authentication Requirements</STRONG>" option and review the default settings as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 22.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122488i5E9C0D729D534F03/image-size/large?v=v2&amp;px=999" role="button" title="Picture 22.png" alt="Picture 22.png" /></span></P><P><STRONG>Include a policy for web applications</STRONG>: To access "<STRONG>Policies</STRONG>," follow the instructions in the screenshot below. After choosing "<STRONG>Web Applications Policies</STRONG>" press "<STRONG>Add</STRONG>".</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 23.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122490iB6D72A32B50C7FD6/image-size/large?v=v2&amp;px=999" role="button" title="Picture 23.png" alt="Picture 23.png" /></span></P><P>Name the policy "<STRONG>SSO</STRONG>" and describe it as such. 
Then confirm the information as displayed in the screenshots below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 24.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122491i706A2831D66570B9/image-size/large?v=v2&amp;px=999" role="button" title="Picture 24.png" alt="Picture 24.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 25.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122492i971C6E9950E95299/image-size/large?v=v2&amp;px=999" role="button" title="Picture 25.png" alt="Picture 25.png" /></span></P><P><STRONG><U>Let’s test :</U></STRONG></P><P>Use the web browser to log in to SAP Netweaver as shown below. Please be aware that in order to access SAP Netweaver in a web browser, you must use a login link.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 26.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122493i7BD72DFA1E049480/image-size/large?v=v2&amp;px=999" role="button" title="Picture 26.png" alt="Picture 26.png" /></span></P><P>Here, I’ll use my IBMid to log in to the system.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 27.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122494i862FEF2D41394B26/image-size/large?v=v2&amp;px=999" role="button" title="Picture 27.png" alt="Picture 27.png" /></span></P><P>Enter your IBMid and click on “<STRONG>Continue</STRONG>”.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 28.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122495iFB9ADFE034DE210C/image-size/large?v=v2&amp;px=999" role="button" title="Picture 28.png" alt="Picture 28.png" 
/></span></P><P>Select “<STRONG>w3id Credentials</STRONG>” as below :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 29.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122497iE2954C5642D80EEA/image-size/large?v=v2&amp;px=999" role="button" title="Picture 29.png" alt="Picture 29.png" /></span></P><P>Enter your username and password and click on “<STRONG>Sign in</STRONG>”.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 30.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122498iB6A001351A37BFC9/image-size/large?v=v2&amp;px=999" role="button" title="Picture 30.png" alt="Picture 30.png" /></span></P><P>You should now be able to access SAP Netweaver in your web browser, as shown below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 31.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/122499i18B3EAD58C73B2D8/image-size/large?v=v2&amp;px=999" role="button" title="Picture 31.png" alt="Picture 31.png" /></span></P><P><STRONG><U>Conclusion</U></STRONG></P><P>The integration of IBM Verify with SAP NetWeaver presents a powerful synergy that not only simplifies user provisioning but also fortifies organisational security and enhances operational efficiency. By combining the robust authentication features of IBM Verify with the versatile platform of SAP NetWeaver, businesses can streamline user access management, reduce manual effort, and bolster security measures. This integration not only ensures compliance and consistency but also elevates the overall user experience. 
As organizations navigate the complexities of the digital landscape, leveraging this integration can provide a competitive edge while effectively managing user identities and access controls.</P><P><STRONG><U>More information:</U></STRONG></P><P><A href="https://www.ibm.com/verify?utm_content=SRCWW&amp;p1=Search&amp;p4=43700070793889564&amp;p5=e&amp;gclid=Cj0KCQjwsp6pBhCfARIsAD3GZua8URNQFluq_9-aRG4WTa5kSlX5FYPrg35Bgtro-R8boDCRu973diUaArTjEALw_wcB&amp;gclsrc=aw.ds" target="_blank" rel="noopener nofollow noreferrer">IBM Security Verify</A></P><P><A href="https://community.sap.com/t5/technology-blogs-by-members/step-by-step-guide-to-integrate-ibm-security-verify-as-custom-identity/ba-p/13580998" target="_blank">Blog for setting up Multi factor authentication using IBM Verify</A></P><P><A href="https://community.sap.com/t5/financial-management-blogs-by-members/using-ibm-security-verify-as-password-less-authentication-for-sap-btp/ba-p/13578513" target="_blank">Blog for setting up Password less MFA using IBM Verify</A></P><P><A href="https://help.sap.com/docs/btp/sap-business-technology-platform/trust-and-federation-with-identity-providers" target="_blank" rel="noopener noreferrer">SAP BTP Trust and federation with identity providers</A></P><P><A href="https://community.sap.com/t5/technology-blogs-by-members/streamlining-user-provisioning-from-ibm-verify-to-sap-cloud-identity/ba-p/13695010" target="_blank">Streamlining User Provisioning from IBM Verify to SAP Cloud Identity Services</A></P><P><A href="https://community.sap.com/t5/technology-blogs-by-members/integrating-ibm-security-verify-with-sap-cloud-identity-services-in-sap-btp/ba-p/13651722" target="_blank">Integrating IBM Security Verify with SAP Cloud Identity Services in SAP BTP</A></P><P>If you have any questions or queries about&nbsp;SAP Netweaver, please refer to the <A href="https://community.sap.com/" target="_blank">SAP Community</A>, and for any questions or queries about IBM Security Verify, refer to the <A 
href="https://community.ibm.com/community/user/security/communities/community-home?CommunityKey=e7c36119-46d7-42f2-97a9-b44f0cc89c6d" target="_blank" rel="noopener nofollow noreferrer">IBM Security Verify Community</A></P> 2024-06-13T08:10:17.838000+02:00 https://community.sap.com/t5/technology-blogs-by-members/sap-btp-global-account-directories-and-subaccounts/ba-p/13734715 SAP BTP Global Account, Directories and Subaccounts 2024-06-18T16:04:45.762000+02:00 Daniel_Enderli https://community.sap.com/t5/user/viewprofilepage/user-id/2995 <H3 id="toc-hId-1146605732"><SPAN>SAP BTP Cockpit</SPAN></H3><P><SPAN>Start the SAP BTP cockpit</SPAN></P><P><A href="https://cockpit.btp.cloud.sap" target="_blank" rel="noopener nofollow noreferrer">https://cockpit.btp.cloud.sap</A></P><H3 id="toc-hId-950092227"><SPAN>Big Picture and Overview</SPAN></H3><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Daniel_Enderli_0-1718719394446.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/124993iF107B72A000ACAEE/image-size/medium?v=v2&amp;px=400" role="button" title="Daniel_Enderli_0-1718719394446.png" alt="Daniel_Enderli_0-1718719394446.png" /></span></P><H3 id="toc-hId-753578722"><SPAN>How you can structure your SAP BTP account</SPAN></H3><P><SPAN>Go to Account Explorer</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Daniel_Enderli_0-1718717795492.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/124982i16622B632D4297B4/image-size/medium?v=v2&amp;px=400" role="button" title="Daniel_Enderli_0-1718717795492.png" alt="Daniel_Enderli_0-1718717795492.png" /></span></P><P>Here you can create "Directories" and "Subaccounts"</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Daniel_Enderli_1-1718717847229.png" style="width: 400px;"><img 
src="https://community.sap.com/t5/image/serverpage/image-id/124983i193147F16BC2A81A/image-size/medium?v=v2&amp;px=400" role="button" title="Daniel_Enderli_1-1718717847229.png" alt="Daniel_Enderli_1-1718717847229.png" /></span></P><P><SPAN>Possible structures are: </SPAN></P><UL><LI><SPAN>by country/region </SPAN></LI><LI><SPAN>by department </SPAN></LI><LI><SPAN>by project </SPAN></LI><LI><SPAN>etc.</SPAN></LI></UL><P>Example</P><P>As a simple example, I use a headquarters in Switzerland and a branch in Italy.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Daniel_Enderli_0-1718718344519.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/124984i905260A0EC048CA1/image-size/medium?v=v2&amp;px=400" role="button" title="Daniel_Enderli_0-1718718344519.png" alt="Daniel_Enderli_0-1718718344519.png" /></span></P><P><SPAN>Now you can configure additional functions for the relevant areas.</SPAN></P> 2024-06-18T16:04:45.762000+02:00 https://community.sap.com/t5/technology-blogs-by-members/sap-btp-role-templates-roles-and-role-collections/ba-p/13737057 SAP BTP Role Templates, Roles and Role Collections 2024-06-20T08:40:15.861000+02:00 Daniel_Enderli https://community.sap.com/t5/user/viewprofilepage/user-id/2995 <H3 id="toc-hId-1146688504">SAP BTP Big Picture for Role Templates, Roles and Role Collections</H3><UL><LI><STRONG>Role Templates:</STRONG> Roles for a specific Application, defined by a Developer.</LI><LI><STRONG>Role</STRONG>: Classic single Role with rights.</LI><LI><STRONG>Role Collection</STRONG>: A collection of single roles.</LI></UL><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Daniel_Enderli_0-1718864550212.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/125970iCCA8DB5D7B8C118A/image-size/medium?v=v2&amp;px=400" role="button" title="Daniel_Enderli_0-1718864550212.png" 
alt="Daniel_Enderli_0-1718864550212.png" /></span></P><H3 id="toc-hId-950174999">SAP BTP Cockpit - User Management</H3><P>In the SAP BTP Cockpit you find this section under "Security"</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="btp3.jpg" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/125984i14767BC77A7A95E7/image-size/large?v=v2&amp;px=999" role="button" title="btp3.jpg" alt="btp3.jpg" /></span></P><H3 id="toc-hId-753661494">Create a new Role Collection</H3><P>Create a new Role Collection, for example for Key Users of an Application</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Daniel_Enderli_2-1718864966458.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/125972i44F8833059D244B9/image-size/medium?v=v2&amp;px=400" role="button" title="Daniel_Enderli_2-1718864966458.png" alt="Daniel_Enderli_2-1718864966458.png" /></span></P><P>Select the relevant Roles and add them to the Role Collection</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Daniel_Enderli_3-1718865141068.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/125973i6A35D865D5217960/image-size/medium?v=v2&amp;px=400" role="button" title="Daniel_Enderli_3-1718865141068.png" alt="Daniel_Enderli_3-1718865141068.png" /></span></P><P>Now it should look like this</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Daniel_Enderli_4-1718865187305.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/125974i155E00AD10AA5716/image-size/medium?v=v2&amp;px=400" role="button" title="Daniel_Enderli_4-1718865187305.png" alt="Daniel_Enderli_4-1718865187305.png" /></span></P><P>Click "save"</P><H3 id="toc-hId-557147989">Assign Role Collection to a User</H3><P>Now you can assign the newly 
created Role Collection to a User</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Daniel_Enderli_5-1718865349854.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/125975i88E0205A9A0A0B21/image-size/medium?v=v2&amp;px=400" role="button" title="Daniel_Enderli_5-1718865349854.png" alt="Daniel_Enderli_5-1718865349854.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Daniel_Enderli_0-1718865466140.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/125976i3A82EEB1AF712A8D/image-size/medium?v=v2&amp;px=400" role="button" title="Daniel_Enderli_0-1718865466140.png" alt="Daniel_Enderli_0-1718865466140.png" /></span></P><P>Finally it looks like this</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Daniel_Enderli_1-1718865522073.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/125977iCECF6C298508FEAD/image-size/medium?v=v2&amp;px=400" role="button" title="Daniel_Enderli_1-1718865522073.png" alt="Daniel_Enderli_1-1718865522073.png" /></span></P> 2024-06-20T08:40:15.861000+02:00 https://community.sap.com/t5/technology-blogs-by-members/safeguarding-enterprise-personal-and-financial-data-in-sap-hana-with-ibm/ba-p/13747421 Safeguarding Enterprise Personal and Financial Data in SAP HANA with IBM Security Guardium 2024-07-01T11:41:50.926000+02:00 TusharTrivedi https://community.sap.com/t5/user/viewprofilepage/user-id/150726 <P><STRONG><U>Introduction</U></STRONG></P><P>In the modern digital world, protecting sensitive business data is more important than ever. SAP HANA Cloud databases, known for their high performance and advanced analytics, are essential to many organisations' operations. However, the huge amounts of personal and financial data they handle make them potential targets for cyber-attacks. 
Implementing advanced security measures is critical for protecting these datasets from possible breaches.</P><P>This blog explains how IBM Security Guardium offers an additional level of safety to SAP HANA Cloud databases. By leveraging Guardium's capabilities, you can ensure that enterprise personal and financial data is secure and meets regulatory standards. Learn how this powerful combination can improve your data security strategy and safeguard your company's most precious assets.</P><P><STRONG><U>Importance of Data classification and identification for Data security</U></STRONG></P><P>Identifying and classifying data is crucial for maintaining data security and ensuring compliance with regulatory standards. It helps in understanding the sensitivity and value of data, enabling organisations to implement appropriate security measures. Proper classification aids in protecting sensitive information from unauthorised access and potential breaches, while also facilitating efficient data management and retrieval.</P><P><STRONG><U>About this blog </U></STRONG></P><P>This blog shows how IBM Guardium can be used to discover sensitive data within an SAP HANA DB. By scanning the database, Guardium identifies and classifies sensitive information, such as personal data, financial records, and intellectual property. Once discovered, this data is added to specific groups of fields or objects for continuous observation. This grouping facilitates targeted monitoring and protection, ensuring that sensitive data is safeguarded against unauthorized access and potential breaches. 
Guardium's scanning and classification capabilities help maintain data security and compliance with regulatory standards for data protection in SAP HANA environments.</P><P><STRONG><U>Prerequisites</U></STRONG></P><UL><LI>SAP BTP Account with access to SAP HANA Cloud Database</LI><LI>IBM Security Guardium</LI></UL><P><STRONG><U>Architecture</U></STRONG></P><P><STRONG><U><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 1.png" style="width: 689px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130662i1C96C12985D06E76/image-dimensions/689x349?v=v2" width="689" height="349" role="button" title="Picture 1.png" alt="Picture 1.png" /></span></U></STRONG></P><P>SAP HANA Cloud, a cloud-based version of the SAP HANA database, offers a multi-model platform for storing and processing diverse data. It integrates with SAP S/4HANA, the latest ERP suite, and SAP Business Technology Platform for application development. SAP HANA itself has a comprehensive set of security measures to ensure data safety. Additionally, security is further enhanced through IBM Security Guardium. IBM Security Guardium scans the SAP HANA Cloud DB to identify and classify sensitive data such as personal details and financial details. This data classification enables administrators to monitor specific table fields and helps them formulate further measures, such as data masking or data hiding, to secure the database. 
Hence, this architecture positions SAP HANA Cloud as a secured and strong foundation for building versatile cloud-based enterprise applications.</P><P><STRONG><U>Steps for integration</U></STRONG></P><P>Log in to Guardium, and you will be directed to the home page as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 2.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130664iAB8A19939626826C/image-size/large?v=v2&amp;px=999" role="button" title="Picture 2.png" alt="Picture 2.png" /></span></P><P>Go to the Discover button on the left-hand panel, open the "Classification" dropdown, and select "Datasource Definitions" as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 3.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130667iD49CB48E29B87678/image-size/large?v=v2&amp;px=999" role="button" title="Picture 3.png" alt="Picture 3.png" /></span></P><P>Click the "New" button, as highlighted below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 4.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130668i54D07CD8604D1017/image-size/large?v=v2&amp;px=999" role="button" title="Picture 4.png" alt="Picture 4.png" /></span></P><P>Enter details such as application type, name, database type and other details in the pop-up screen as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 5.png" style="width: 442px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130669i0602A952203E4773/image-size/large?v=v2&amp;px=999" role="button" title="Picture 5.png" alt="Picture 5.png" /></span></P><P>Please keep in mind that the username and password for the SAP HANA Cloud database must be entered here.</P><P><STRONG>Disclaimer</STRONG>: SAP 
does not recommend their customers to use the DBADMIN user for daily tasks. Please note that the DBADMIN user is used only for demonstration purposes. Refer to <A href="https://help.sap.com/docs/hana-cloud-database/sap-hana-cloud-sap-hana-database-security-guide/deactivate-dbadmin-user?locale=en-US" target="_blank" rel="noopener noreferrer">SAP User Management</A>.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 6.png" style="width: 444px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130670iEC3E404D83630A1C/image-dimensions/444x115?v=v2" width="444" height="115" role="button" title="Picture 6.png" alt="Picture 6.png" /></span></P><P>To obtain the host name/IP address and port number, log into your SAP BTP account and click to the space for which you want to integrate Guardium with SAP HANA Cloud DB.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 7.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130671i9D3C2C59C2B62B14/image-size/large?v=v2&amp;px=999" role="button" title="Picture 7.png" alt="Picture 7.png" /></span></P><P><STRONG>Disclaimer</STRONG>: For enhanced security, SAP recommend their customers to adhere to user connect restriction policies. More details on these policies can be found here: <A href="https://help.sap.com/docs/hana-cloud-database/sap-hana-cloud-sap-hana-database-security-guide/connect-restrictions?locale=en-US" target="_blank" rel="noopener noreferrer">SAP HANA Cloud Database Security Guide - Connect Restrictions</A>. 
This is an important feature that customers should utilise.</P><P>Select "SAP HANA Cloud" as indicated below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 8.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130672iE682F6EE74DE120F/image-size/large?v=v2&amp;px=999" role="button" title="Picture 8.png" alt="Picture 8.png" /></span></P><P>Now, click "Actions" and choose "Copy SQL Endpoint".</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 9.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130673i214DCD76F58479AD/image-size/large?v=v2&amp;px=999" role="button" title="Picture 9.png" alt="Picture 9.png" /></span></P><P>Securing public endpoints is a significant concern for customers. It is relevant to note that SAP HANA Cloud will support these endpoints in the near future.</P><OL><LI>Product Vision roadmap entry for all Platform-as-a-Service (PaaS) support across hyperscalers: <A href="https://roadmaps.sap.com/board?PRODUCT=73554900100800002881&amp;range=CURRENT-LAST#;INNO=000D3ABE772D1EEC91BFC1E05F384551" target="_blank" rel="noopener noreferrer">SAP Roadmap</A></LI><LI>2023-Q4 support for AWS Private Link (PL) connections to HC HDB SQL Endpoints: <A href="https://roadmaps.sap.com/board?PRODUCT=73554900100800002881&amp;range=CURRENT-LAST#;INNO=C10D295AC83C1EDF86C20D403AA10584" target="_blank" rel="noopener noreferrer">SAP Roadmap</A></LI><LI>2023-Q4 support for AWS PL connections to both HDLRE SQL Endpoints and HDLFS REST Endpoints: <A href="https://roadmaps.sap.com/board?PRODUCT=73554900100800002881&amp;range=CURRENT-LAST#;INNO=C10D295AC83C1EDF86C20D403AA10584" target="_blank" rel="noopener noreferrer">SAP Roadmap</A></LI></OL><P>Paste the copied SQL endpoint and receive the hostname/IP data as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" 
image-alt="Picture 10.png" style="width: 630px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130674iD9FAB81BA3B2D710/image-dimensions/630x26?v=v2" width="630" height="26" role="button" title="Picture 10.png" alt="Picture 10.png" /></span></P><P>And get the port number details displayed follows from the same:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 11.png" style="width: 631px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130678i3AC54F4683FEF2A1/image-dimensions/631x26?v=v2" width="631" height="26" role="button" title="Picture 11.png" alt="Picture 11.png" /></span></P><P>To check the status of your connection, click the "Test Connection" button.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 12.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130682i0581D27DA2AA98DE/image-size/large?v=v2&amp;px=999" role="button" title="Picture 12.png" alt="Picture 12.png" /></span></P><P>The SAP HANA Cloud database setup is now complete. You can see the details as follows:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 13.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130684iD75680459DE5B3DD/image-size/large?v=v2&amp;px=999" role="button" title="Picture 13.png" alt="Picture 13.png" /></span></P><P>Click the Discover button on the left-hand panel, then open the drop-down menu by clicking "Classification" and selecting "Discover Sensitive Data". 
Refer to the image below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 14.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130683i3DE015F555D3B3A6/image-size/large?v=v2&amp;px=999" role="button" title="Picture 14.png" alt="Picture 14.png" /></span></P><P>On the following screen, select "PII [template]". Review the information shown below, click "Roles" to assign roles, and then click the "Next" button.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 15.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130688iED3260CCC409BF09/image-size/large?v=v2&amp;px=999" role="button" title="Picture 15.png" alt="Picture 15.png" /></span></P><P>Select the check box for each template pattern you wish to include (for example, birth date or city), click the "Copy" button as displayed below, and then click the "Next" button:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 16.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130689i9CD55164881781D0/image-size/large?v=v2&amp;px=999" role="button" title="Picture 16.png" alt="Picture 16.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 17.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130690i305124B397AC2A17/image-size/large?v=v2&amp;px=999" role="button" title="Picture 17.png" alt="Picture 17.png" /></span></P><P>Once "What to discover" is complete, go on to "Where to search", choose the integrated SAP HANA Cloud database and click "Next".</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 18.png" style="width: 912px;"><img 
src="https://community.sap.com/t5/image/serverpage/image-id/130691i167A0F76D3C81CED/image-size/large?v=v2&amp;px=999" role="button" title="Picture 18.png" alt="Picture 18.png" /></span></P><P>"Run discovery" is a convenience feature that allows you to run the classification and check its status. Click "Next".</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 19.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130692i60ED4C391EB54056/image-size/large?v=v2&amp;px=999" role="button" title="Picture 19.png" alt="Picture 19.png" /></span></P><P>We are now in the "Review report" stage, where we select a list of fields, select "Add to Group of Object/Field" from the "Add to Group" drop-down and click the "Next" button.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 20.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130693iEAC9C79EC6FDEB15/image-size/large?v=v2&amp;px=999" role="button" title="Picture 20.png" alt="Picture 20.png" /></span></P><P>Select the group “SAP Sensitive Data” and click the “OK” button.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 21.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130694iB4245B77518DE8C4/image-size/large?v=v2&amp;px=999" role="button" title="Picture 21.png" alt="Picture 21.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 21.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130695iB011F44C167A0058/image-size/large?v=v2&amp;px=999" role="button" title="Picture 21.png" alt="Picture 21.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 
22.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130696iD2FFF1217B180AA1/image-size/large?v=v2&amp;px=999" role="button" title="Picture 22.png" alt="Picture 22.png" /></span></P><P><STRONG><U>Let’s Test</U></STRONG></P><P>Click the "Setup" button on the left-hand panel and choose "Group Builder" from the "Tools and Views" drop-down list.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 23.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130697i13E4480B5D6A5C6E/image-size/large?v=v2&amp;px=999" role="button" title="Picture 23.png" alt="Picture 23.png" /></span></P><P>Select "Object/Field" from the "Action" drop-down, then select "SAP Sensitive Data" from the list. Click the "Edit" button.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 24.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130698iBB7B007EC8767CE0/image-size/large?v=v2&amp;px=999" role="button" title="Picture 24.png" alt="Picture 24.png" /></span></P><P>In the pop-up screen, select "Members".</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 25.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130703iB791CE4DE6419F3B/image-size/large?v=v2&amp;px=999" role="button" title="Picture 25.png" alt="Picture 25.png" /></span></P><P>You will be able to see the relevant personal and financial tables and fields from the SAP HANA Cloud database.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 26.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130704i147988AFC8510852/image-size/large?v=v2&amp;px=999" role="button" title="Picture 26.png" alt="Picture 26.png" /></span></P><P>Now that you have identified and categorised the sensitive 
data in your HANA database, IBM Security Guardium can further help to improve data security through specialised measures, such as:</P><UL><LI>Adding encryption or access controls to safeguard important data from unauthorised access and breaches</LI><LI>Masking or blocking data access requests that violate regulations or policies</LI><LI>Configuring alerts for unauthorised access attempts; for example, if someone from a non-finance department tries to access financial data, an alert can be triggered</LI></UL><P>In general, classifying data based on its sensitivity in the first place helps to increase visibility and in turn to comply with regulatory obligations (e.g. by generating detailed reports for audits), prevent data loss, and reduce risks associated with data misuse. These features ensure that data handling procedures are consistent with organisational rules and legal standards, hence improving overall data security.</P><P><STRONG><U>Conclusion</U></STRONG></P><P>Securing SAP HANA Cloud databases is critical for safeguarding company personal and financial information from evolving cyber threats. SAP HANA Cloud offers a robust set of security features. More information on these security measures can be found in the <A href="https://help.sap.com/docs/hana-cloud-database/sap-hana-cloud-sap-hana-database-security-guide/connect-restrictions?locale=en-US" target="_blank" rel="noopener noreferrer">SAP HANA Cloud Security Guide</A>.</P><P>IBM Security Guardium complements the existing security capabilities of SAP HANA Cloud by providing additional data protection, continuous monitoring, and compliance features. This enhancement can be particularly valuable for customers seeking extra layers of security or specific functionalities that they feel are necessary.</P><P>Investing in advanced security measures like IBM Security Guardium not only protects essential data but also demonstrates your company's strong commitment to data privacy and compliance. 
As cyber threats become more sophisticated, leveraging IBM Security Guardium in conjunction with SAP HANA Cloud's comprehensive security offerings is a proactive step toward strengthening your database's security posture and ensuring the integrity and safety of your company data.</P><P>IBM Security Guardium provides enterprise data protection for a variety of databases and data sources, and with the SAP HANA integration it brings the HANA database into a corporate-wide data security concept.</P><P><STRONG><U>More Information</U></STRONG></P><P>If you have any questions about&nbsp;SAP NetWeaver please refer to <A href="https://community.sap.com/" target="_blank">SAP Community</A>, and for any questions about IBM Security Guardium refer to the <A href="https://community.ibm.com/community/user/security/communities/community-home?CommunityKey=aa1a6549-4b51-421a-9c67-6dd41e65ef85" target="_blank" rel="noopener nofollow noreferrer">IBM Security Guardium Community</A></P> 2024-07-01T11:41:50.926000+02:00 https://community.sap.com/t5/technology-blogs-by-members/integration-of-sap-task-center-azure-and-servicenow-sso-user-provisioning/ba-p/13766332 Integration of SAP Task Center, Azure and ServiceNow - SSO, User Provisioning and Token exchange 2024-07-19T16:10:57.124000+02:00 ITCE https://community.sap.com/t5/user/viewprofilepage/user-id/1474919 <P>During the configuration of <A href="https://www.itce.com/integrate-your-sap-task-center-with-servicenow/" target="_self" rel="nofollow noopener noreferrer">Task Connect</A>, an integration between ServiceNow and SAP Task Center, <SPAN>we devoted significant effort to addressing security concerns</SPAN><SPAN>, particularly focusing on user authentication and user provisioning. 
Given the widespread use of Azure as an identity and token provider, we developed a method to synchronize users and groups across ServiceNow, SAP Task Center, and Azure.&nbsp;</SPAN></P><P>In this document, you will find the scenario overview, related architectural diagrams presenting the different components and how they interact with each other, and the steps to follow to configure the connection between ServiceNow, SAP Task Center and Azure.&nbsp;</P><P><FONT size="4"><STRONG>1. Scenario overview</STRONG></FONT></P><P>The starting point in this scenario is the user's authentication and the access token issued by the SAP Cloud Identity tenant's authentication service (IAS), indicated as AT (IAS) APP and returned in step 2 of figure 1 below, following the notation &lt;token type&gt; (&lt;issuer&gt;) &lt;audience&gt;. The complete token exchange is orchestrated by the <A href="https://www.rfc-editor.org/rfc/rfc6749" target="_blank" rel="noopener nofollow noreferrer">OAuth 2.0</A> and <A href="https://openid.net/developers/specs/" target="_blank" rel="noopener nofollow noreferrer">OpenID Connect</A> (OIDC) authorization and authentication frameworks and their respective token types, which are <A href="https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens" target="_blank" rel="noopener nofollow noreferrer">access tokens</A> (AT), <A href="https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens" target="_blank" rel="noopener nofollow noreferrer">refresh tokens</A> (RT), and <A href="https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens" target="_blank" rel="noopener nofollow noreferrer">identity tokens</A> (ID). Thus, AT (IAS) IAS is an access token, issued by the IAS tenant's OAuth 2.0 authorization server, with an audience set to the IAS tenant's client ID. All tokens except for refresh tokens are formatted as JWTs. 
Compared to the token exchange in the previous parts of this blog series (see <A href="https://blogs.sap.com/2020/07/17/principal-propagation-in-a-multi-cloud-solution-between-microsoft-azure-and-sap-cloud-platform-scp/" target="_blank" rel="noopener noreferrer">part I</A>, <EM>Interoperability and standards</EM>, for more details), <A href="https://wiki.oasis-open.org/security/FrontPage#SAML_V2.0_Standard" target="_blank" rel="noopener nofollow noreferrer">SAML 2.0</A> - or more precisely the SAML assertion as an OAuth 2.0 authorization grant defined in section 2.1 of <A href="https://www.rfc-editor.org/rfc/rfc7522#section-2.1" target="_blank" rel="noopener nofollow noreferrer">RFC 7522</A> - is no longer used in this scenario. Instead of transforming between different token formats (JWT to SAML and back to JWT), this scenario only uses JWTs for the token exchange. It is important to note that for this token exchange no direct trust relationship between the application on BTP and Azure AD is required. The application only has a trust relationship to the IAS tenant, and the IAS tenant maintains the trust relationship to the Azure AD tenant (and vice versa).&nbsp;&nbsp;&nbsp;</P><P>All authentication requests for the business application on BTP (SAP TASK CENTER) are forwarded by the IAS tenant to the Azure AD tenant which is configured as a <A href="https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/19f3eca47db643b6aad448b5dc1075ad.html?locale=en-US" target="_blank" rel="noopener noreferrer">corporate identity provider (IdP) in IAS</A>. IAS acts as a proxy and delegates authentication to Azure AD in the role of the relying party to the corporate identity provider. The IAS tenant therefore requires an application registration in Azure AD. 
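</P><P>To make the token checks in this scenario concrete, here is an added Python example (not code from this post or from SAP, Microsoft or ServiceNow) of what a relying party such as ServiceNow does with a JWT before acting on it: verify the signature under an allow-listed algorithm, then the issuer, the audience and the lifetime. It also runs the variants the notation above distinguishes, so that an AT (IAS) IAS token is refused by an application that expects AT (IAS) APP. The key, issuer and audience values are constructed placeholders, and HS256 with a shared secret is assumed in place of the RS256 signatures Azure AD and IAS actually use.</P>

```python
"""JWT issue/verify round trip (added example, constructed keys and names).

Shows the checks a relying party makes on the tokens named in the
<token type> (<issuer>) <audience> notation: signature, issuer, audience and
lifetime. Assumption: HS256 with a shared secret stands in for the RS256
signatures Azure AD and IAS use in practice; the issuer and audience strings
are placeholders, not real tenant values.
"""
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-secret"            # constructed; real issuers sign with a private key
IAS = "https://ias-tenant.example/oauth2"   # placeholder issuer: the IAS tenant
APP = "btp-business-app-client-id"          # placeholder audience: the BTP business application


class TokenError(Exception):
    """Raised with a short reason when a token must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a compact JWT. alg='none' exists only so the verifier can be shown rejecting it."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Validate signature, iss, aud, exp and nbf; return the claims or raise TokenError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The accepted algorithm is fixed by the verifier, never taken from the token.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise TokenError("expired")
    if now < int(claims.get("nbf", 0)):
        raise TokenError("not yet valid")
    return claims


def outcome(token: str, audience: str, now: int) -> str:
    """'ok' if the token is accepted for this audience, otherwise the rejection reason."""
    try:
        verify(token, KEY, IAS, audience, now)
        return "ok"
    except TokenError as err:
        return str(err)


def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the verifier with the token variants the scenario has to tell apart."""
    user = {"iss": IAS, "sub": "user@example.com", "nbf": now - 5, "exp": now + 600}
    at_ias_app = issue({**user, "aud": APP}, KEY)   # AT (IAS) APP: meant for the business app
    at_ias_ias = issue({**user, "aud": IAS}, KEY)   # AT (IAS) IAS: meant for the IAS tenant itself
    # A payload edited without re-signing: the original signature no longer matches.
    header_b64, _, sig_b64 = at_ias_app.split(".")
    forged = _b64url(json.dumps({**user, "aud": APP, "sub": "admin@example.com"}).encode())
    tampered = f"{header_b64}.{forged}.{sig_b64}"
    return {
        "AT(IAS)APP at APP": outcome(at_ias_app, APP, now),
        "AT(IAS)IAS at APP": outcome(at_ias_ias, APP, now),
        "tampered payload": outcome(tampered, APP, now),
        "expired": outcome(at_ias_app, APP, now + 601),
        "alg none": outcome(issue({**user, "aud": APP}, KEY, alg="none"), APP, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20} -> {result}")
```

<P>The audience check is the one that keeps the exchange contained: every hop in figure 1 mints a token for exactly one audience, and a token presented to the wrong party must fail even though its signature is valid. The algorithm check serves the same purpose from the other side; the verifier decides which algorithm it accepts, not the token.</P><P>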
&nbsp;</P><P><STRONG>Note</STRONG>: For the TaskConnect integration configuration to work, SAP Task Center should be configured according to the following documentation: <A href="https://help.sap.com/docs/task-center/sap-task-center/initial-setup" target="_blank" rel="noopener noreferrer">https://help.sap.com/docs/task-center/sap-task-center/initial-setup</A></P><P><FONT size="4"><STRONG>2. User authentication and token exchange</STRONG></FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_0-1721388770253.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139020i40DB8BEAFEB8A62C/image-size/large?v=v2&amp;px=999" role="button" title="ITCE_0-1721388770253.png" alt="ITCE_0-1721388770253.png" /></span></P><OL><LI>The user accesses the BTP business application (SAP Task Center). The app delegates authentication to the IAS tenant using OIDC. It starts the authentication process by redirecting the user's browser to the IAS tenant's OAuth server authorization endpoint at <EM><U>https://&lt;IAS</U> tenant name&gt;.accounts.ondemand.com/oauth2/authorize </EM>and sending an OAuth authorization request.&nbsp;</LI><LI>Because the user is not yet authenticated at the IAS tenant, the user's browser is redirected to the IAS tenant's single sign-on (SSO) endpoint at <EM><U>https://&lt;IAS</U> tenant name&gt;.accounts.ondemand.com/saml2/idp/sso</EM>.&nbsp;</LI><LI>The business application is configured in IAS to pass all authentication requests to Azure AD as its corporate IdP. Therefore, IAS sends an OAuth authorization request to the Azure AD tenant's OAuth authorization endpoint.&nbsp;</LI><LI>The user is prompted by Azure AD to enter their credentials. 
Upon successful authentication, Azure AD sends the authorization code to IAS by redirecting the user's web browser to the URI specified in the previous request.&nbsp;</LI><LI>IAS receives the authorization code and sends an access token request to Azure AD's token endpoint. Azure AD issues an access token and a refresh token (RT(AAD)IAS, which is cached for later use in step 8) for the authenticated user, with an audience set to the IAS tenant's OIDC name.&nbsp;</LI><LI>The BTP business application requests a <EM>client assertion</EM> from the IAS tenant to use in the subsequent requests for the token exchange via the IAS tenant's OIDC proxy. The client application sends a token request to the IAS tenant's token endpoint. The POST request is authenticated with the client ID and secret of the business application in IAS. The client assertion from IAS takes the form of a signed JWT that proves the application's identity to AAD when requesting tokens via the IAS corporate IdP OIDC proxy.&nbsp;</LI><LI>The business application exchanges the IAS-issued ID token for an Azure AD-issued access token via the IAS tenant's OIDC proxy token exchange endpoint. The POST request uses the assertion parameter to pass the base64-encoded IAS ID token of the user.&nbsp;</LI><LI>The IAS token service sends a refresh token request using RT(AAD)IAS, cached in step 5, to obtain a new access token AT(AAD)APP for the business application.&nbsp;</LI><LI>The business application uses the Azure AD On-Behalf-Of (OBO) flow to request the access token.&nbsp;&nbsp;</LI><LI>Finally, the business application calls ServiceNow to take actions on the signed-in user's tasks.&nbsp;</LI><LI>ServiceNow validates the token using its "OIDC provider to verify ID tokens" configuration, which references the same application registered in Azure that issued the access token and refresh token in step 5.&nbsp;</LI></OL><P><FONT size="4"><STRONG>3. 
User provisioning - Azure SAP</STRONG></FONT></P><P>Use SAP Cloud Identity Services - Identity Provisioning to provision users from Microsoft Azure Active Directory to SAP Cloud Identity Services - Identity Authentication.&nbsp;</P><P><STRONG><FONT size="4">4. User provisioning &amp; SSO - Azure-ServiceNow</FONT></STRONG></P><OL><LI>Use the ServiceNow enterprise application in Azure to provision users from Microsoft Azure Active Directory to the ServiceNow instance&nbsp;</LI><LI>Use the same ServiceNow enterprise application created in step 13 in Azure to authenticate users from Microsoft Azure Active Directory to the ServiceNow instance&nbsp;</LI></OL><P><FONT size="4"><STRONG>5. Technical service flow</STRONG></FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_1-1721389027561.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139026i46BDAAB0DAC790CD/image-size/large?v=v2&amp;px=999" role="button" title="ITCE_1-1721389027561.png" alt="ITCE_1-1721389027561.png" /></span></P><P>You need to create an integration user for the SAP technical connection&nbsp;and choose how SAP Task Center will authenticate when the technical connection is used (delta jobs in SAP use this technical connection).</P><P>For example, you can use Basic Auth or OAuth:&nbsp;</P><OL><LI>For Basic Auth, provide the username and password to the team who is configuring the connection to ServiceNow.&nbsp;</LI><LI>The BTP business application requests a <EM>client assertion</EM> from the IAS tenant to use in the subsequent requests for the token exchange via the IAS tenant's OIDC proxy.</LI><LI>For OAuth, follow these steps in ServiceNow (an account with the admin role is required)&nbsp;<OL class="lia-list-style-type-lower-alpha"><LI>Open System OAuth -&gt; Application Registry. Click New and choose "Create an OAuth API endpoint for external clients". 
Configure the record and share the username, user password, client ID and client secret with the team configuring the connection to ServiceNow&nbsp;</LI></OL></LI></OL><P><FONT size="4"><STRONG>6. Register the applications in Azure AD for the IAS tenant and the SN OIDC provider to verify ID tokens.&nbsp;</STRONG></FONT></P><P>The token exchange and OIDC proxy setup between SN, IAS and the Azure AD tenant requires a trust relationship, which is established by registering one application in the Azure AD tenant.</P><P>“SAPIASTenant” represents the SAP Cloud Identity Service tenant.<BR /><BR /><STRONG>Step 1</STRONG><BR />Log in to <A href="https://portal.azure.com/" target="_blank" rel="noopener nofollow noreferrer">Azure Portal</A> (e.g. with your Microsoft 365 E5 developer subscription’s admin account) and select <STRONG>Azure Active Directory </STRONG>from the portal menu.&nbsp;&nbsp;</P><P>Select <STRONG>App registrations </STRONG>from the left-side menu.&nbsp;&nbsp;</P><P><STRONG>Step 2</STRONG><BR />Click <STRONG>+ New registration&nbsp;</STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_4-1721391713497.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139143i95F1F1B49D0BDFA3/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_4-1721391713497.png" alt="ITCE_4-1721391713497.png" /></span></P><P><STRONG>Step 3&nbsp;<BR /></STRONG>Enter "&lt;SAP IAS Tenant&gt;" for the <STRONG>Name </STRONG>of the new application registration.&nbsp;&nbsp;</P><P>Replace &lt;SAP IAS Tenant&gt; with your friendly name.&nbsp;&nbsp;</P><P>Select "Web" from the dropdown list in the <STRONG>Redirect URI </STRONG>section.&nbsp;&nbsp;</P><P>Enter your IAS tenant's <STRONG>redirect URI </STRONG>in the Redirect URI section's text field: <EM><U>https://&lt;IAS</U></EM><EM> tenant name&gt;.accounts.ondemand.com/oauth2/callback</EM>. Replace &lt;IAS tenant name&gt; with your tenant's 
name.</P><P>Click <STRONG>Register</STRONG>.&nbsp;&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_5-1721391793724.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139144iF19D6555EB9974F6/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_5-1721391793724.png" alt="ITCE_5-1721391793724.png" /></span></P><P><STRONG>Step 4</STRONG><BR /><SPAN>Copy the newly generated <STRONG>Application (client) ID </STRONG>to a temporary text file. You will need it in the next step for deploying the sample application.&nbsp;&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_6-1721391924140.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139146i52D8C3E06BC2A392/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_6-1721391924140.png" alt="ITCE_6-1721391924140.png" /></span></P><P><STRONG>Step 5<BR /></STRONG>Select <STRONG>Manifest </STRONG>from the navigation menu to edit the application registration's manifest file.&nbsp;&nbsp;<BR />Change the value for the field "accessTokenAcceptedVersion" from null to <STRONG>2</STRONG>.&nbsp;&nbsp;&nbsp;&nbsp;<BR /><SPAN>Click <STRONG>Save</STRONG>.&nbsp;&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_7-1721391960742.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139147iFB4CEBAED9F60E2C/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_7-1721391960742.png" alt="ITCE_7-1721391960742.png" /></span></P><P><STRONG><FONT size="4"><BR />7. Configure trust to the IAS tenant in Azure AD</FONT></STRONG></P><P>Trust to the IAS tenant is configured in Azure AD with a new federated identity credential. In addition, a client secret is required for the initial token exchange in step 5 of figure 1. 
Both credentials will be configured for the application registrations in the following step.&nbsp;&nbsp;</P><P><STRONG>Step 6</STRONG><BR />Select the <EM>SAPIASTenant </EM>app from the list. (created in step 3)&nbsp;&nbsp;<BR />Select <STRONG>Certificates &amp; secrets </STRONG>from the menu and switch to the <STRONG>Client secrets </STRONG>tab.&nbsp;&nbsp;<BR /><SPAN>Click <STRONG>+ New client secret</STRONG>.&nbsp;&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_8-1721392162592.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139148i69480B049CF5D253/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_8-1721392162592.png" alt="ITCE_8-1721392162592.png" /></span></P><P><STRONG>Step 7<BR /></STRONG>Enter "&lt;SAPOIDCProxy&gt;" for the <STRONG>Description</STRONG>.&nbsp;&nbsp;<BR /><SPAN>Click</SPAN> <STRONG>Add</STRONG><SPAN>.&nbsp;&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_9-1721392189260.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139149iD7F1930022AE6587/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_9-1721392189260.png" alt="ITCE_9-1721392189260.png" /></span></P><P><STRONG>Step 8</STRONG><BR /><SPAN>Click <STRONG>Copy to clipboard </STRONG>in the <STRONG>Value </STRONG>column and paste it to a temporary text file. 
You will need it later in the setup process.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_10-1721392218908.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139150i771633F0E6266613/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_10-1721392218908.png" alt="ITCE_10-1721392218908.png" /></span></P><P><STRONG>Step 9<BR /></STRONG>Create another secret for ServiceNow.&nbsp;&nbsp;&nbsp;<BR />Enter "&lt;ServiceNow&gt;" for the <STRONG>Description</STRONG>.&nbsp;&nbsp;<BR />Click <STRONG>Add</STRONG>.&nbsp;&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_11-1721392246014.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139151iF29340E5CB799372/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_11-1721392246014.png" alt="ITCE_11-1721392246014.png" /></span></P><P><FONT size="4"><STRONG><BR />8. Configure permissions and scopes in Azure AD</STRONG></FONT></P><P>To request the Outlook calendar event on behalf of the user, the business application (SAPBTPGraphApp) requires the Graph API permission <EM>Calendars.Read</EM>. SAPBTPGraphApp also exposes the custom scope "<EM>token.exchange</EM>". This scope is referred to as a (downstream) API permission for the SAPIASTenant application registration and is required for steps 7 and 8 in figure 1. For the initial token request to Azure AD (see step 5 in figure 1 and figure 2), the SAPIASTenant application exposes the custom scope "<EM>ias.access</EM>".&nbsp;&nbsp;</P><P><STRONG>Step 10</STRONG><BR /><SPAN>Go to </SPAN><STRONG>Expose an API </STRONG><SPAN>in the navigation menu. 
&nbsp;<BR /></SPAN><SPAN>Click <STRONG>+ Add a scope</STRONG>.&nbsp;&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_12-1721392320639.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139152iC13AA6059661C3AD/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_12-1721392320639.png" alt="ITCE_12-1721392320639.png" /></span></P><P><STRONG>Step 11<BR /></STRONG>Accept the default value for the <STRONG>Application ID URI</STRONG>.&nbsp;&nbsp;<BR /><SPAN>Click <STRONG>Save and continue</STRONG>.&nbsp;&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_13-1721392351197.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139153i02AC97FECE81EE70/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_13-1721392351197.png" alt="ITCE_13-1721392351197.png" /></span></P><P><STRONG>Step 12<BR /></STRONG>Enter "ias.access" for the new <STRONG>Scope name</STRONG>. Provide an <STRONG>Admin consent display name </STRONG>and <STRONG>description</STRONG>.&nbsp;&nbsp;<BR />Click <STRONG>Add scope</STRONG>. 
&nbsp;<BR /><SPAN><BR /><U>Scope name:&nbsp;<BR /></U></SPAN>ias.access&nbsp;</P><P><U>Admin consent display name:&nbsp;</U><BR />IAS Tenant Access&nbsp;<BR /><SPAN><BR /><U>Admin consent description:&nbsp;</U><BR />Access to SAP Cloud Identity service Application</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_14-1721392410098.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139154iD03A0444F56921A5/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_14-1721392410098.png" alt="ITCE_14-1721392410098.png" /></span></P><P><STRONG>Step 13</STRONG><BR /><SPAN>Copy the fully qualified URI of the new scope (<I>api://&lt;client id&gt;/ias.access</I>) from the clipboard to a temporary text file. It will be used in a later setup step.&nbsp;&nbsp;<BR /></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_15-1721392473937.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139155i3270EA357C5861C0/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_15-1721392473937.png" alt="ITCE_15-1721392473937.png" /></span></P><P><STRONG>Step 14<BR /></STRONG>Add an <STRONG>Optional</STRONG> claim to the token.&nbsp;&nbsp;<BR />Navigate to <STRONG>Token</STRONG> <STRONG>configuration</STRONG>&nbsp;&nbsp;<BR />+ Add optional claim&nbsp;&nbsp;<BR />Token Type - ID&nbsp;&nbsp;<BR /><SPAN>Select "email" and click Add&nbsp;&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_16-1721392521039.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139156i6522FD311C891215/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_16-1721392521039.png" alt="ITCE_16-1721392521039.png" /></span></P><P><STRONG>Step 15</STRONG><BR />If a message appears stating that API permissions are required,&nbsp;&nbsp;<BR />select the checkbox - Turn On 
Microsoft Graph email permission (required for claim to appear in token)&nbsp;&nbsp;<BR /><SPAN>Click<STRONG> "add"</STRONG></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_17-1721392551461.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139157i7FECBDEB8BF05AEE/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_17-1721392551461.png" alt="ITCE_17-1721392551461.png" /></span></P><P><STRONG>Step 16</STRONG><BR /><SPAN>Grant<STRONG> Admin Consent</STRONG>&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_18-1721392573010.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139158iA2D9063ECC43A14F/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_18-1721392573010.png" alt="ITCE_18-1721392573010.png" /></span></P><P><STRONG>Step 17<BR /></STRONG>Navigate to authentication&nbsp;&nbsp;<BR />Scroll down to Implicit grant and hybrid flows&nbsp;&nbsp;<BR />Select the tokens you would like to be issued by the authorization endpoint:&nbsp;&nbsp;<BR />Select the checkbox<STRONG> ID tokens&nbsp;</STRONG>&nbsp;<BR /><SPAN>Click<STRONG> Save&nbsp;</STRONG></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_19-1721392604385.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139159i48375DDD83A980ED/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_19-1721392604385.png" alt="ITCE_19-1721392604385.png" /></span></P><P><FONT size="4"><STRONG><BR />9. 
Configure Azure as an OAUTH OIDC provider on ServiceNow</STRONG></FONT></P><P><STRONG>Step 18</STRONG><BR />Open the ServiceNow instance&nbsp;&nbsp;<BR />Navigate to All &gt; System OAuth &gt; Application Registry.&nbsp;&nbsp;<BR /><SPAN>Click New, click Configure an OIDC provider to verify ID tokens.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_20-1721392708919.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139160i510A6B332A47DAE8/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_20-1721392708919.png" alt="ITCE_20-1721392708919.png" /></span></P><P><STRONG>Step 19<BR /></STRONG>Fill the form.&nbsp;&nbsp;&nbsp;&nbsp;</P><TABLE width="590"><TBODY><TR><TD width="154"><P>Field&nbsp;&nbsp;</P></TD><TD width="436"><P>Description&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>Name&nbsp;&nbsp;</P></TD><TD width="436"><P>A unique name that identifies the OAuth OIDC entity.&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>Client ID&nbsp;&nbsp;</P></TD><TD width="436"><P>The client ID of the application registered in Azure in step 4. The instance uses the client ID when requesting an access token.&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>Client Secret&nbsp;&nbsp;</P></TD><TD width="436"><P>The client secret of the application registered in Azure in step 31.&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>OAuth OIDC Provider Configuration&nbsp;&nbsp;</P></TD><TD width="436"><P>The OIDC provider (ADFS, Auth0, Azure AD, Google, Okta) can be used to validate the JWT token. Click the record of your OIDC provider configuration to validate the User Claim and User Field are set appropriately. 
If you check Enable JTI claim verification, the ServiceNow JWT token validation also validates the JTI sent by the provider.&nbsp;&nbsp;</P><P>See the next step for more details.&nbsp;&nbsp;</P><P>&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>Clock Skew&nbsp;&nbsp;</P></TD><TD width="436"><P>The number, in seconds, for the constraint to be considered valid. The default is 300.&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>Comments&nbsp;&nbsp;</P></TD><TD width="436"><P>Additional information to associate with the application.&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>Application&nbsp;&nbsp;</P></TD><TD width="436"><P>The name of the application containing this entity.&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>Accessible from&nbsp;&nbsp;</P></TD><TD width="436"><P>Select an option to make it accessible from all application scopes, or this application scope only. (all scopes by default)&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>Enforce Token Restrictions&nbsp;&nbsp;</P></TD><TD width="436"><P>Select to only allow tokens to be used with APIs set to allow the authentication profile. You can grant access using an API access policy. For more information, see <A href="https://docs.servicenow.com/bundle/washingtondc-platform-security/page/integrate/authentication/task/create-api-access-policy.html" target="_blank" rel="noopener nofollow noreferrer">Create REST API access policy</A>.&nbsp;&nbsp;</P><P>Default: Unselected.&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>Active&nbsp;&nbsp;</P></TD><TD width="436"><P>Select the check box to make the OAuth application active.&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>Redirect URL&nbsp;&nbsp;</P></TD><TD width="436"><P>The URL of the OAuth application for receiving the authorization code. 
(automatically added when the application is saved)&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>End Session Endpoint URL&nbsp;&nbsp;</P></TD><TD width="436"><P>The URL endpoint that is called after a session ends. (not required)&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>Enable force authentication&nbsp;&nbsp;</P></TD><TD width="436"><P>Option to enable force authentication for users. (not required)&nbsp;&nbsp;</P></TD></TR></TBODY></TABLE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_22-1721392758973.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139162iDC77EF643B60AB1A/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_22-1721392758973.png" alt="ITCE_22-1721392758973.png" /></span></P><P><STRONG>Step 20<BR /></STRONG>OAuth OIDC Provider Configuration&nbsp;&nbsp;<BR /><SPAN>Click on the search icon and then New.</SPAN></P><P><U>OIDC Provider</U> - A unique name that identifies the OIDC provider&nbsp;&nbsp;</P><P><U>OIDC Metadata URL</U> - the OIDC provider's OpenID Connect metadata document&nbsp; (details in the next step)&nbsp;&nbsp;</P><P>User claim: email&nbsp;&nbsp;<BR />User Field: the field in ServiceNow that contains the mail value&nbsp;&nbsp;</P><P><SPAN>Enable JTI claim verification: Disable</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_24-1721392870114.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139164i79DF73CAB66764A6/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_24-1721392870114.png" alt="ITCE_24-1721392870114.png" /></span></P><P><STRONG>Step 21</STRONG><BR /><SPAN>Navigate to the Azure application created in step 3 - Overview - Endpoints - OpenID Connect metadata document&nbsp;&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_25-1721392902312.png" style="width: 400px;"><img 
src="https://community.sap.com/t5/image/serverpage/image-id/139165iCF1D5CD29ACA04B2/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_25-1721392902312.png" alt="ITCE_25-1721392902312.png" /></span></P><P><STRONG>Step 22<BR /></STRONG>Navigate to OAuth Entity Scope and add&nbsp;&nbsp;<BR />offline_access,&nbsp;&nbsp;&nbsp;<BR />Open id&nbsp;&nbsp;</P><P><SPAN>Click Update.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_26-1721392944387.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139166i849E44A753A0B5B7/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_26-1721392944387.png" alt="ITCE_26-1721392944387.png" /></span></P><P><STRONG>Step 23<BR /></STRONG>Navigate to the OAuth Entity Profile that was created automatically when the OAuth OIDC entity was saved.&nbsp;&nbsp;<BR /><BR />Verify that the Grant type is Resource Owner Password Credentials&nbsp;<SPAN>and then add the OAuth Entity Scopes created in the previous step.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_27-1721392984612.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139167iAC57E49CE9075C33/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_27-1721392984612.png" alt="ITCE_27-1721392984612.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_28-1721392990570.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139168i8C828D24A90815FC/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_28-1721392990570.png" alt="ITCE_28-1721392990570.png" /></span></P><P><STRONG>Step 24</STRONG><BR /><SPAN>Add Auth Scope:&nbsp;<BR />useraccount</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_29-1721393015741.png" style="width: 400px;"><img 
src="https://community.sap.com/t5/image/serverpage/image-id/139169i6D24846BA6911851/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_29-1721393015741.png" alt="ITCE_29-1721393015741.png" /></span></P><P><STRONG>Step 25<BR /></STRONG>Navigate to the OAuth OIDC Entity created in step 34 and copy the redirect URL.&nbsp;&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_31-1721393042174.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139171i5E7E9D23B1E5C62E/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_31-1721393042174.png" alt="ITCE_31-1721393042174.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_32-1721393043578.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139172i287AE8534394A9EB/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_32-1721393043578.png" alt="ITCE_32-1721393043578.png" /></span></P><P><STRONG>Step 26<BR /></STRONG>Navigate to the Azure App registered in step 3&nbsp;&nbsp;<BR />Authentication&nbsp;&nbsp;<BR />Add the URL from the previous step (do not remove or replace the URL added in step 3 when the application was created).&nbsp;&nbsp;<BR /><SPAN>Save</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_33-1721393081723.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139173i02E0E7383A814392/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_33-1721393081723.png" alt="ITCE_33-1721393081723.png" /></span><BR /><BR /></P><P><FONT size="4"><STRONG>10. 
Setup user provisioning - Azure &gt;&gt; SAP</STRONG></FONT></P><P><STRONG>Step 27</STRONG><BR /><SPAN>Launch a browser window and access your Azure portal using the URL: </SPAN><SPAN><A href="https://portal.azure.com/" target="_blank" rel="noopener nofollow noreferrer"><STRONG>https://portal.azure.com/</STRONG></A></SPAN><STRONG><SPAN>.&nbsp;</SPAN></STRONG></P><P><FONT color="#3366FF"><STRONG><SPAN>You will need to authenticate to your Azure AD using your admin credentials.</SPAN></STRONG><SPAN>&nbsp;</SPAN></FONT></P><P><STRONG>Step 28<BR /></STRONG>Click <STRONG>Microsoft Entra ID.</STRONG>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_34-1721393313874.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139174i4701DA7957C33F35/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_34-1721393313874.png" alt="ITCE_34-1721393313874.png" /></span></P><P><STRONG>Step 29</STRONG><BR />Click <STRONG>App Registration</STRONG> &gt;&gt;<STRONG> New registration</STRONG>.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_35-1721393339071.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139175i2ED7A7EB0C5AEFBE/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_35-1721393339071.png" alt="ITCE_35-1721393339071.png" /></span></P><P><STRONG>Step 30<BR /></STRONG>Specify a name for your app and click <STRONG>Register</STRONG>&nbsp;</P><P><STRONG>Step 31<BR /></STRONG>Click <STRONG>API permission &gt;&gt; Add a permission</STRONG>.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_36-1721393393375.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139176iD72EC529CCFD1A15/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_36-1721393393375.png" alt="ITCE_36-1721393393375.png" 
/></span></P><P><STRONG>Step 32</STRONG><BR /><SPAN>Select <STRONG>Microsoft Graph</STRONG>.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_37-1721393415459.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139177i97568B444FAC1AEF/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_37-1721393415459.png" alt="ITCE_37-1721393415459.png" /></span></P><P><STRONG>Step 33<BR /></STRONG>Click <STRONG>Application permissions</STRONG>.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_38-1721393439583.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139178i7F1957CD8E10E786/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_38-1721393439583.png" alt="ITCE_38-1721393439583.png" /></span></P><P><STRONG>Step 34<BR /></STRONG>From the list of API permissions, expand <STRONG>User</STRONG> and select <STRONG>User.Read.All.</STRONG>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_39-1721393458635.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139179i6E39C79EBBAE41A9/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_39-1721393458635.png" alt="ITCE_39-1721393458635.png" /></span></P><P><STRONG>Step 35<BR /></STRONG>From the API list also select <STRONG>Group &gt;&gt; Read.All</STRONG> and <STRONG>Directory &gt;&gt; Read.All</STRONG>.&nbsp; Click <STRONG>Add permissions</STRONG> at the bottom of the screen once done.&nbsp;</P><P><STRONG>Step 36<BR /></STRONG>The permissions are not granted by default.&nbsp; To grant the permissions, click <STRONG>Grant admin consent for Default Directory</STRONG>.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_40-1721393500214.png" style="width: 400px;"><img 
src="https://community.sap.com/t5/image/serverpage/image-id/139181i9C2A8D19DA28A349/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_40-1721393500214.png" alt="ITCE_40-1721393500214.png" /></span></P><P><STRONG>Step 37</STRONG><BR /><SPAN>Click Yes on the popup message and confirm that all permissions are granted.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_41-1721393517168.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139182i38D86F56F4F4B9C4/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_41-1721393517168.png" alt="ITCE_41-1721393517168.png" /></span></P><P><STRONG>Step 38</STRONG><BR /><SPAN>Click <STRONG>Overview </STRONG>from the left panel.&nbsp; Make a note of the <STRONG>Application (client) ID</STRONG>.&nbsp; You will need this later when creating the source system in IPS.&nbsp;&nbsp; Click <STRONG>Add a certificate or secret</STRONG>.&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_42-1721393534448.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139183i097E17CB56F3FCE9/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_42-1721393534448.png" alt="ITCE_42-1721393534448.png" /></span></P><P><STRONG>Step 39</STRONG><BR /><SPAN>Click <STRONG>New client secret</STRONG>.&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_43-1721393550840.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139184iB3D59E6F975F9978/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_43-1721393550840.png" alt="ITCE_43-1721393550840.png" /></span></P><P><STRONG>Step 40</STRONG><BR /><SPAN>Specify a description and expiry time for the client secret.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" 
image-alt="ITCE_44-1721393570018.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139185i3EE4774B880737D3/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_44-1721393570018.png" alt="ITCE_44-1721393570018.png" /></span></P><P><STRONG>Step 41</STRONG><BR /><SPAN>The client secret should now have been added successfully.&nbsp; Make a note of the value field, as you will need it later when creating the source system in IPS.&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_45-1721393595594.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139186iE22B34B9F29FA22D/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_45-1721393595594.png" alt="ITCE_45-1721393595594.png" /></span></P><P><STRONG>Step 42</STRONG><BR /><SPAN>Navigate to the main overview page of Azure AD and make a note of your<STRONG> Primary domain</STRONG>.&nbsp; You will need this value when creating the source system in IPS.&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_46-1721393612994.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139187i8653F93DEC94A456/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_46-1721393612994.png" alt="ITCE_46-1721393612994.png" /></span></P><P><STRONG>Step 43<BR /></STRONG>Follow the blog&nbsp; <A href="https://community.sap.com/t5/technology-blogs-by-sap/provision-users-from-microsoft-azure-ad-to-sap-cloud-identity-services/ba-p/13546054" target="_blank">https://community.sap.com/t5/technology-blogs-by-sap/provision-users-from-microsoft-azure-ad-to-sap-cloud-identity-services/ba-p/13546054</A>. As a specific hint for filtering users by a group, add the following to the Identity Provisioning source system properties: aad.group.filter=displayName eq '&lt;group_name&gt;'&nbsp;</P><P><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="ITCE_47-1721393638444.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139188iA3AB7BF33A35871F/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_47-1721393638444.png" alt="ITCE_47-1721393638444.png" /></span></P><P><FONT size="4"><STRONG><BR />11. Establish trust between task sub account and IAS</STRONG></FONT></P><P><STRONG>Step 44</STRONG><BR /><SPAN>Go to BTP Cockpit-&gt;Security-&gt;Trust Configuration&nbsp;</SPAN></P><P><STRONG>Step 45</STRONG><BR /><SPAN>Select "Establish trust" and choose the IAS</SPAN></P><P><STRONG>Step 46</STRONG><BR />Select "Establish trust" and choose the IAS&nbsp;</P><P>Note: This creates an OIDC application in IAS for the subaccount.&nbsp;</P><P><SPAN>NB: <STRONG>Task Center/ServiceNow integration works only with OIDC trust between the Task Center subaccount and IAS</STRONG></SPAN></P><P><STRONG>Step 47<BR /></STRONG>This creates an application in IAS.&nbsp;</P><P>For more information, you can check: <A href="https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-between-uaa-and-identity-authentication" target="_blank" rel="noopener noreferrer">https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-between-uaa-and-identity-authentication</A><BR /><BR /></P><P><FONT size="4"><STRONG>12. 
Setup the corporate identity provider and OIDC proxy in SAP Cloud Identity tenant</STRONG></FONT></P><P><STRONG>Step 48</STRONG><BR />Login as an administrator to your SAP Cloud Identity service administration console at&nbsp;<BR /><EM><U>https://&lt;IAStenant<SPAN> name&gt;.accounts.ondemand.com/admin&nbsp;</SPAN></U></EM></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_48-1721393838179.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139189i3779AF1F8EA76B8B/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_48-1721393838179.png" alt="ITCE_48-1721393838179.png" /></span></P><P><STRONG>Step 49<BR /></STRONG>Go to <STRONG>Identity Providers &gt; Corporate Identity Providers </STRONG>and click <STRONG>Create</STRONG>.&nbsp;&nbsp;<BR /><SPAN>Enter a <STRONG>Display name</STRONG>(e.g. "Azure Active Directory") and click <STRONG>Save</STRONG>.&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_0-1721395913437.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139201iC0CD8E38F7476244/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_0-1721395913437.png" alt="ITCE_0-1721395913437.png" /></span></P><P><STRONG>Step 50</STRONG><BR /><SPAN>Click on <STRONG>Identity Provider Type </STRONG>from the Trust settings of the new corporate identity provider.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_1-1721395934806.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139202i579741B52C780B6E/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_1-1721395934806.png" alt="ITCE_1-1721395934806.png" /></span></P><P><STRONG>Step 51<BR /></STRONG>Select <STRONG>OpenID Connect Compliant </STRONG>from the list.&nbsp;&nbsp;<BR /><SPAN>Click <STRONG>Save</STRONG>.</SPAN></P><P><span 
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_2-1721395961468.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139203i560EAD88536F6F15/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_2-1721395961468.png" alt="ITCE_2-1721395961468.png" /></span></P><P><STRONG>Step 52</STRONG><BR /><SPAN>Click on <STRONG>OpenID Connect Configuration </STRONG>from the Trust settings of the new corporate identity provider.</SPAN><SPAN> </SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_3-1721395983702.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139204i7020E307084663E1/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_3-1721395983702.png" alt="ITCE_3-1721395983702.png" /></span></P><P><STRONG>Step 53<BR /></STRONG>Enter your Azure AD tenant's OIDC <STRONG>Discovery URL </STRONG><U>(</U><A href="https://login.microsoftonline.com/%3cAAD" target="_blank" rel="noopener nofollow noreferrer">https://login.microsoftonline.com/&lt;AAD</A><U> tenant ID&gt;/v2.0)</U>&nbsp;Click <STRONG>Load</STRONG>.&nbsp;&nbsp;<BR /><BR /><SPAN>The Issuer field gets populated from the loaded Azure AD tenant's OIDC metadata.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_4-1721396016741.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139205i729511E4B37B92F0/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_4-1721396016741.png" alt="ITCE_4-1721396016741.png" /></span></P><P><STRONG>Step 54</STRONG><BR />Enter the SAPIASTenant's client ID in the <STRONG>Client ID </STRONG>field. 
In the <STRONG>Client Secret </STRONG>field, enter the value of the <EM>OIDCProxy</EM> secret copied in <STRONG>step 8</STRONG>.&nbsp;&nbsp;</P><P><SPAN>Click <STRONG>Validate</STRONG>.&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_5-1721396041390.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139206i1C5E71AA2AE4C9B9/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_5-1721396041390.png" alt="ITCE_5-1721396041390.png" /></span></P><P><STRONG>Step 55<BR /></STRONG>Verify a successful validation of the OIDC configuration.&nbsp;&nbsp;</P><P><SPAN>Click <STRONG>OK</STRONG>.&nbsp;<BR /><BR /></SPAN><STRONG>Step 56</STRONG><BR /><SPAN>Click <STRONG>+ Add&nbsp;</STRONG>&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_6-1721396081656.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139207i45640799A988C0DB/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_6-1721396081656.png" alt="ITCE_6-1721396081656.png" /></span></P><P><STRONG>Step 57<BR /></STRONG>Copy and paste the fully qualified URI of the SAPIASTenant application's custom scope (<EM>api://&lt;client id&gt;/ias.access</EM>) copied in <STRONG>step 13 </STRONG>for the new scope.&nbsp;&nbsp;</P><P><SPAN>Click <STRONG>Save</STRONG>.&nbsp;&nbsp;</SPAN></P><P><SPAN><STRONG>Step 58<BR /></STRONG></SPAN>Click <STRONG>+ Add</STRONG> again and add the scopes:&nbsp;<BR />"email"&nbsp;<BR />"openid"&nbsp;<BR />"offline_access"&nbsp;</P><P><SPAN>Click <STRONG>Save</STRONG>.&nbsp;<BR /></SPAN></P><P><SPAN><STRONG>Step 59</STRONG><BR />Click <STRONG>Save</STRONG>.&nbsp;&nbsp;<BR /></SPAN></P><P><SPAN><STRONG>Step 60<BR /></STRONG></SPAN>Go to <STRONG>Applications &amp; Resources &gt; Applications&nbsp;</STRONG>&nbsp;<BR />Select the application from <STRONG><U>"Establish trust between Task subaccount and IAS" 
step</U></STRONG>&nbsp;– step 47</P><P><SPAN>Click <STRONG>Attributes</STRONG><BR /></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_7-1721396184485.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139208iC3DF6E28598F7F9F/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_7-1721396184485.png" alt="ITCE_7-1721396184485.png" /></span></P><P><STRONG>Step 61<BR /></STRONG>Navigate to Attributes and add&nbsp;&nbsp;<BR /><BR /><U>Name</U>: "xsuaa-persist-corporate-idp-token"&nbsp;<BR /><U>Source</U>: Expression&nbsp;<BR /><U>Value</U>: true&nbsp;</P><P><SPAN>Save</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_8-1721396237130.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139209iC0DBCB9FE1D12035/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_8-1721396237130.png" alt="ITCE_8-1721396237130.png" /></span></P><P><STRONG>Step 62<BR /></STRONG>Select "Conditional Authentication"&nbsp;&nbsp;<BR /><SPAN>In the "Default Identity Provider", choose the Azure provider configured in steps 48-59, Click Save<BR /></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_9-1721396411574.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139210i8708634B85151D48/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_9-1721396411574.png" alt="ITCE_9-1721396411574.png" /></span></P><P><BR /><FONT size="4"><STRONG>13. 
Configure destinations&nbsp;<SPAN>for SAP in the BTP sub-account</SPAN></STRONG></FONT></P><P>SAP Task Center uses destinations to connect to the ServiceNow task provider.&nbsp;</P><P> <STRONG>Client Specific configuration:</STRONG>&nbsp;</P><UL><LI><STRONG>aadTokenEndpoint</STRONG>: Azure AD token endpoint at <A href="https://login.microsoftonline.com/%3CAAD" target="_blank" rel="noopener nofollow noreferrer"><EM>https://login.microsoftonline.com/&lt;AAD</EM></A> <EM>tenant ID&gt;/oauth2/v2.0/token&nbsp;</EM>&nbsp;</LI><LI><STRONG>iasTokenEndpoint</STRONG>: SAP Cloud Identity service tenant's token endpoint at <EM><U>https://&lt;IAS</U> tenant name&gt;.accounts.ondemand.com/oauth2/token&nbsp;</EM>&nbsp;</LI><LI><STRONG>iasTokenExchange</STRONG>: SAP Cloud Identity service's token exchange service endpoint at <EM><U>https://&lt;IAS</U> tenant name&gt;.accounts.ondemand.com/oauth2/exchange/corporateidp&nbsp;</EM>&nbsp;</LI></UL><P><STRONG>Step 63<BR /></STRONG>Go back to the <A href="https://cockpit.sap.hana.ondemand.com/" target="_blank" rel="noopener nofollow noreferrer">SAP BTP Cockpit </A>and navigate to your CF subaccount.&nbsp;&nbsp;<BR />Select <STRONG>Connectivity &gt; Destinations </STRONG>from the navigation menu.&nbsp;&nbsp;<BR /><SPAN>Click <STRONG>New Destination</STRONG>.</SPAN></P><P><SPAN><STRONG>Step 64<BR /></STRONG></SPAN>Enter the following values for the first destination:&nbsp;&nbsp;<BR /><STRONG>Refer to 6. 
TECHNICAL SERVICE FLOW</STRONG></P><P><SPAN>Click <STRONG>Save</STRONG>.<BR /></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_10-1721397811178.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139211i19581BA67D61F34E/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_10-1721397811178.png" alt="ITCE_10-1721397811178.png" /></span></P><P><STRONG>Step 65<BR /></STRONG>Repeat steps 63 and 64 with the following values for the second destination:&nbsp;&nbsp;<BR /><BR />Refer to 10.&nbsp;CONFIGURE AZURE AS AN OAUTH OIDC PROVIDER ON THE SERVICENOW, step 21.</P><P><U>AuthnContextClassRef</U> = urn:oasis:names:tc:SAML:2.0:ac:classes:X509&nbsp;<BR /><U>clientKey&nbsp;</U>= token service password = client secret&nbsp;<BR /><U>Token service user</U> = client id&nbsp;</P><P>Task Center documentation for third-party destination setup: <A href="https://help.sap.com/docs/task-center/sap-task-center/connect-third-party-task-provider-and-sap-task-center" target="_blank" rel="noopener noreferrer">https://help.sap.com/docs/task-center/sap-task-center/connect-third-party-task-provider-and-sap-task-center</A> &nbsp;</P><P>Click <STRONG>Save</STRONG>.&nbsp;&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_11-1721397858391.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139212iB88EAADFF8D1DFD8/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_11-1721397858391.png" alt="ITCE_11-1721397858391.png" /></span></P><P><FONT size="4"><STRONG>14. 
Test the scenario&nbsp;</STRONG></FONT></P><P><SPAN><STRONG>Step 66<BR /></STRONG>Use the SAP Task Center Administration app to check the status of the configured connector destination, following: <A href="https://help.sap.com/docs/task-center/sap-task-center/working-with-task-center-administration-app" target="_blank" rel="noopener noreferrer">https://help.sap.com/docs/task-center/sap-task-center/working-with-task-center-administration-app</A><STRONG><BR /></STRONG></SPAN></P><P><SPAN><STRONG>Step 67<BR /></STRONG>Use the SAP Task Center Web app to validate that tasks from the new destination are seen by business users (for more information, see: <A href="https://help.sap.com/docs/task-center/sap-task-center/sap-task-center-web-app" target="_blank" rel="noopener noreferrer">https://help.sap.com/docs/task-center/sap-task-center/sap-task-center-web-app</A>)<STRONG><BR /></STRONG></SPAN></P> 2024-07-19T16:10:57.124000+02:00 https://community.sap.com/t5/technology-blogs-by-members/nice-patch-sap-revisiting-your-sap-btp-security-measures-after-ai-core/ba-p/13770662 Nice patch SAP! Revisiting your SAP BTP security measures after AI Core vulnerability fix 2024-07-25T10:46:43.272000+02:00 Martin-Pankraz https://community.sap.com/t5/user/viewprofilepage/user-id/143781 <P>Dear community,</P><P>SAP recently fixed a critical vulnerability in the SAP AI Core service that could have allowed attackers to access sensitive data in the multi-tenant environment. This issue, dubbed "SAPwned", was responsibly disclosed and publicly shared on July 18, after it was patched. You can read more about it <A href="https://thehackernews.com/2024/07/sap-ai-core-vulnerabilities-expose.html" target="_blank" rel="noopener nofollow noreferrer">here</A>.</P><P>Bottom line: SAP shows its commitment to security and timely patching of its cloud services. But remember, SAP BTP - like any cloud platform - is based on a shared responsibility model. 
That means you need to do your part to protect your data and applications too:</P><UL><LI>Pick secure authentication means (and no, Basic Auth is not one of them!),</LI><LI>Be conscious that every endpoint exposed by SAP BTP, like those of Microsoft 365, lives on the Internet by design,</LI><LI>Scope Cloud Foundry and Kyma app access, and user roles, to the minimum rights needed,</LI><LI>When using the popular OAuth2 client credentials grant with service keys, rotate your secrets (ideally automatically and regularly)! Take your pick from an app-based solution <A href="https://github.com/Azure/AzureAD-AppSecretManager" target="_blank" rel="noopener nofollow noreferrer">like this</A>, a PowerShell <A href="https://github.com/Azure/KeyVault-Secrets-Rotation-AADApp-PowerShell" target="_blank" rel="noopener nofollow noreferrer">module</A> and a <A href="https://community.sap.com/t5/technology-blogs-by-members/automatic-sap-btp-trust-store-certificate-renewal-with-azure-key-vault-or/ba-p/13565138" target="_blank">blog on automatic certificate renewal</A>.</LI><LI>Establish a continuous process to harden your SAP cloud workloads. It is not a one-stop shop.</LI></UL><P>Ever heard of “MFA fatigue”? Plain multi-factor authentication is not good enough anymore. Additionally, enforce Conditional Access to SAP BTP services by integrating the SAP ID Service or the SAP Identity Authentication Service with the corporate identity provider of your choice. 
See <A href="https://learn.microsoft.com/entra/fundamentals/scenario-azure-first-sap-identity-integration" target="_blank" rel="noopener nofollow noreferrer">here</A> how to do it with Microsoft Entra ID.</P><P>&nbsp;</P><H1 id="toc-hId-892014405">Second line of defense: Automatic detections based on the SAP Audit Log Service</H1><P>Most of the <A href="https://help.sap.com/docs/btp/sap-business-technology-platform/security-events-logged-by-cf-services" target="_blank" rel="noopener noreferrer">BTP services</A> in the Cloud Foundry environment provided by SAP automatically write to the SAP Audit Log Service. Each service lists the standardized events that it propagates.</P><P>SAP&nbsp;has a <A href="https://community.sap.com/t5/technology-blogs-by-sap/exploring-the-sap-audit-log-service/ba-p/13533521" target="_blank">nice video</A> on the general workings of the SAP Audit Log Service on BTP.</P><P><FONT size="4"><STRONG>This is a good start, but how useful are log entries that record a compromise if they are overlooked, hidden among countless normal entries?</STRONG></FONT></P><P data-unlink="true">I use the <A href="https://learn.microsoft.com/azure/sentinel/sap/sap-btp-solution-overview" target="_blank" rel="noopener nofollow noreferrer">Microsoft Sentinel for SAP BTP solution</A>&nbsp;- which went into General Availability this week - as an example for running automatic detections via built-in analytics rules. It connects to your subaccounts and global account, ingesting all audit logs written to your registered Audit Log Management service instances. The polling interval is 10 minutes by default when deployed from the Azure Portal; configure it down to 1 minute if needed via the <A href="https://learn.microsoft.com/azure/sentinel/data-connector-connection-rules-reference#request-configuration" target="_blank" rel="noopener nofollow noreferrer">ARM API</A>.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Architecture diagram of Sentinel solution for SAP BTP" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/142567iC8BC0EABCD04CA60/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.png" alt="Architecture diagram of Sentinel solution for SAP BTP" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Architecture diagram of Sentinel solution for SAP BTP</span></span></P><P><SPAN>It comes with out-of-the-box content. Check out the alert “Failed access attempts across multiple Business Application Studio accounts”, for instance. Password spray attack, anyone?</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screenshot of Sentinel for SAP BTP solution content with out-of-the-box detections and workbooks" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/141134iB15E352F76DACEF1/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.png" alt="Screenshot of Sentinel for SAP BTP solution content with out-of-the-box detections and workbooks" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Screenshot of Sentinel for SAP BTP solution content with out-of-the-box detections and workbooks</span></span></P><P>Once I have <A href="https://learn.microsoft.com/azure/sentinel/sap/deploy-sap-btp-solution" target="_blank" rel="noopener nofollow noreferrer">onboarded my subaccount</A>&nbsp;(I named it SAP-AI-Core-playground), I can go wild on the ingested log entries, apply the threat intel functions, and build analytics rules. Let's browse the entries via the Kusto Query Language. 
The standard table SAPBTPAuditLog_CL holds all audit log entries for your registered SAP BTP subaccounts:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screenshot of simple KQL for SAP BTP" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/141367i6D94B79A7A79F68B/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.png" alt="Screenshot of simple KQL for SAP BTP" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Screenshot of simple KQL for SAP BTP</span></span></P><P>The Message column contains the JSON payload BTP provides for each entry as well as the identifier of the BTP service involved.</P><P><FONT size="4"><STRONG>Looking at audit messages is nice, but you may<SPAN>&nbsp;go one step further by applying automatic actions, such as blocking the SAP BTP user.</SPAN></STRONG></FONT></P><P><SPAN>The screenshot below shows the part of the process triggered by the included playbook: the SAP security team gets notified with evidence of the compromise and an approval option to block the user, from a Microsoft Teams channel flow. Find more info </SPAN><A href="https://community.sap.com/t5/enterprise-resource-planning-blogs-by-members/from-zero-to-hero-security-coverage-with-microsoft-sentinel-for-your/ba-p/13557852" target="_blank">here</A><SPAN>. The adaptive card shown was triggered from SAP Business Suite. 
The same is possible with triggers coming from BTP too.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screenshot of sap btp user block approval request to SAP security team on Microsoft Teams" style="width: 498px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/141135i425AD2C35CD48194/image-size/large?v=v2&amp;px=999" role="button" title="Picture2.png" alt="Screenshot of sap btp user block approval request to SAP security team on Microsoft Teams" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Screenshot of sap btp user block approval request to SAP security team on Microsoft Teams</span></span></P><H1 id="toc-hId-695500900">&nbsp;</H1><H1 id="toc-hId-498987395">The AI Core Service audit log entries alone are not useful</H1><P>For threat protection, correlation with other signals in your company is required, because a single SAP AI Core event like “Successful retrieval of object store secret” does not tell you anything on its own. Below is a Kusto query working off the AI Core audit log entries ingested by the Sentinel for SAP BTP solution.</P><P><EM>Note:&nbsp;SAP publishes the available audit events for each Cloud Foundry based service; the SAP AI Core list is&nbsp;<A href="https://help.sap.com/docs/sap-ai-core/sap-ai-core-service-guide/auditing-and-logging-information" target="_blank" rel="noopener noreferrer">here</A>.&nbsp;</EM></P><P>It identifies entries in my BTP subaccount related to AI Core activity and cross-references the IP address involved in the login with its country of origin. In the sample below I use the built-in function <A href="https://learn.microsoft.com/azure/data-explorer/kusto/query/geo-info-from-ip-address-function" target="_blank" rel="noopener nofollow noreferrer">geo_info_from_ip_address()</A> to learn whether the BTP client's remote address originated from Germany. The assumption here is that all my BTP developers are based there. 
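</P><P>The country check just described, replayed offline in plain Python over constructed audit-log rows. This is an added example, not code from the post or from the Sentinel for SAP BTP solution. It assumes the row shape the post describes (a SubaccountName column plus a Message payload whose ip field is the client address); the other field names inside Message, the IP-to-country table standing in for geo_info_from_ip_address(), and the indicator list are all constructed for this example. It goes beyond the single country check by also matching the login IP against a whitespace-normalised indicator list and by flagging "impossible travel" between two logins of the same user.</P>

```python
import math
from datetime import datetime

# Constructed sample rows (not real BTP output) in the shape the post describes
# for SAPBTPAuditLog_CL: SubaccountName plus a Message payload whose "ip" is the
# client address. "category", "user" and "service" are assumed field names.
AUDIT_LOG = [
    {"SubaccountName": "SAP-AI-Core-playground", "TimeGenerated": "2024-07-20T08:00:00+00:00",
     "Message": {"category": "UserAuthenticationSuccess", "user": "dev1", "ip": "203.0.113.10", "service": "aicore"}},
    {"SubaccountName": "SAP-AI-Core-playground", "TimeGenerated": "2024-07-20T08:30:00+00:00",
     "Message": {"category": "ClientAuthenticationSuccess", "user": "dev1", "ip": " 198.51.100.7\n", "service": "aicore"}},
    {"SubaccountName": "SAP-AI-Core-playground", "TimeGenerated": "2024-07-20T09:00:00+00:00",
     "Message": {"category": "UserAuthenticationSuccess", "user": "dev2", "ip": "203.0.113.11", "service": "aicore"}},
    {"SubaccountName": "SAP-AI-Core-playground", "TimeGenerated": "2024-07-20T12:00:00+00:00",
     "Message": {"category": "UserAuthenticationSuccess", "user": "dev2", "ip": "203.0.113.12", "service": "aicore"}},
    # not a login event: the rules must ignore it no matter where the IP is from
    {"SubaccountName": "SAP-AI-Core-playground", "TimeGenerated": "2024-07-20T12:05:00+00:00",
     "Message": {"category": "Successful retrieval of object store secret", "user": "dev2", "ip": "192.0.2.99", "service": "aicore"}},
    # different subaccount: out of scope for these rules
    {"SubaccountName": "other-subaccount", "TimeGenerated": "2024-07-20T12:10:00+00:00",
     "Message": {"category": "UserAuthenticationSuccess", "user": "dev3", "ip": "192.0.2.50", "service": "aicore"}},
]

# Constructed stand-in for geo_info_from_ip_address(): ip -> (country, lat, lon)
GEO = {
    "203.0.113.10": ("Germany", 52.52, 13.405),  # Berlin
    "203.0.113.11": ("Germany", 50.11, 8.68),    # Frankfurt
    "203.0.113.12": ("Germany", 48.14, 11.58),   # Munich
    "198.51.100.7": ("Ireland", 53.35, -6.26),   # Dublin
    "192.0.2.99": ("Ireland", 53.35, -6.26),
    "192.0.2.50": ("Ireland", 53.35, -6.26),
}

# Constructed indicator list with stray whitespace, as an exported TI feed may carry it
THREAT_INTEL = ["198.51.100.7 ", "\t192.0.2.200\r\n"]

SUBACCOUNT = "SAP-AI-Core-playground"
ALLOWED_COUNTRIES = {"Germany"}
LOGIN_EVENTS = {"ClientAuthenticationSuccess", "UserAuthenticationSuccess"}


def normalise_ip(value):
    """Drop every whitespace character, the job of the trim()/replace() chain in the KQL."""
    return "".join(str(value).split())


def logins(records, subaccount):
    """Successful logins of one subaccount, oldest first, with the IP cleaned."""
    rows = []
    for r in records:
        msg = r["Message"]
        if r["SubaccountName"] != subaccount or msg.get("category") not in LOGIN_EVENTS:
            continue
        rows.append({"time": datetime.fromisoformat(r["TimeGenerated"]),
                     "user": msg["user"], "ip": normalise_ip(msg["ip"])})
    return sorted(rows, key=lambda x: x["time"])


def unexpected_countries(records, subaccount, allowed, geo):
    """Rule 1: login IPs outside the country allow-list (unknown IPs count as unexpected)."""
    hits = []
    for row in logins(records, subaccount):
        country = geo.get(row["ip"], ("unknown",))[0]
        if country not in allowed:
            hits.append((row["user"], row["ip"], country))
    return hits


def indicator_hits(records, subaccount, indicators):
    """Rule 2: login IPs that equal an indicator once both sides are whitespace-normalised."""
    bad = {normalise_ip(i) for i in indicators}
    return [(row["user"], row["ip"]) for row in logins(records, subaccount) if row["ip"] in bad]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(records, subaccount, geo, max_kmh=1000.0):
    """Rule 3: consecutive logins of one user whose distance implies a speed above max_kmh."""
    hits, last = [], {}
    for row in logins(records, subaccount):
        prev = last.get(row["user"])
        if prev and prev["ip"] in geo and row["ip"] in geo:
            km = haversine_km(geo[prev["ip"]][1:], geo[row["ip"]][1:])
            hours = (row["time"] - prev["time"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                hits.append((row["user"], prev["ip"], row["ip"], speed))
        last[row["user"]] = row
    return hits


if __name__ == "__main__":
    print("unexpected country:", unexpected_countries(AUDIT_LOG, SUBACCOUNT, ALLOWED_COUNTRIES, GEO))
    print("indicator hit:     ", indicator_hits(AUDIT_LOG, SUBACCOUNT, THREAT_INTEL))
    print("impossible travel: ", impossible_travel(AUDIT_LOG, SUBACCOUNT, GEO))
```

<P>On the constructed rows each rule fires exactly once, and only on dev1's Dublin login: the non-login event from Ireland and the login in the other subaccount are filtered out first, which is the same ordering the KQL enforces with its where clauses before the geo lookup or the join. The allow-list and the max_kmh threshold are what you would expose as parameters of an analytics rule.</P><P>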
Think about sanctioned country lists etc.</P><P>&nbsp;</P><P>&nbsp;</P><pre class="lia-code-sample language-javascript"><code>// flag successful logins from countries other than Germany
let myBTPDevelopers = dynamic(['Germany']);
let login_messages = dynamic(['ClientAuthenticationSuccess','UserAuthenticationSuccess']);
SAPBTPAuditLog_CL
| where SubaccountName == "SAP-AI-Core-playground"
| where Message has_any (login_messages)
| extend ip_ = tostring(Message.ip)
| extend country = geo_info_from_ip_address(ip_)['country']
| where country !in (myBTPDevelopers);</code></pre><P>&nbsp;</P><P>&nbsp;</P><P>For a smoke test I teleported myself into the land of leprechauns<span class="lia-unicode-emoji" title=":rainbow:">🌈</span>, steep cliffs, and mysterious Celtic culture<span class="lia-unicode-emoji" title=":four_leaf_clover:">🍀</span> using an Azure VM. Marvel at the rule that identifies that mischievous BTP user!</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screenshot of found btp login from Ireland" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/141499iD40F77EF87B0AF7F/image-size/large?v=v2&amp;px=999" role="button" title="Picture2.png" alt="Screenshot of found btp login from Ireland" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Screenshot of found btp login from Ireland</span></span></P><P>The next sample uses the <A href="https://learn.microsoft.com/azure/sentinel/understand-threat-intelligence" target="_blank" rel="noopener nofollow noreferrer">Threat Intelligence</A> feature to verify whether the BTP remote access can be traced back to a feed of known problematic IP indicators (e.g. a botnet). I maintained it in Sentinel's Threat Management section using the IP known to BTP from my recent logins to the SAP AI Core service, so that the rule triggers a result. In real life you would take the IPs from a threat intel feed, of course. 
I don't have a botnet handy though<span class="lia-unicode-emoji" title=":winking_face:">😉</span>.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screenshot of Sentinel Threat Management experience" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/141136i039C7B6EA1D1B723/image-size/large?v=v2&amp;px=999" role="button" title="Picture3.png" alt="Screenshot of Sentinel Threat Management experience" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Screenshot of Sentinel Threat Management experience</span></span></P><P>That makes the indicator available to my Kusto query as below. See the screenshot of the result:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screenshot of Kusto query result filtered by problematic IPs" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/141137iB57CB9FC2D659821/image-size/large?v=v2&amp;px=999" role="button" title="Picture4.png" alt="Screenshot of Kusto query result filtered by problematic IPs" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Screenshot of Kusto query result filtered by problematic IPs</span></span></P><P>&nbsp;</P><P>&nbsp;</P><pre class="lia-code-sample language-javascript"><code>// flag successful logins whose IP matches a Sentinel threat intelligence indicator
let ips = ThreatIntelligenceIndicator
| distinct NetworkIP = tostring(NetworkIP);
let login_messages = dynamic(['ClientAuthenticationSuccess','UserAuthenticationSuccess']);
SAPBTPAuditLog_CL
| where SubaccountName == "SAP-AI-Core-playground"
| where Message contains "aicore" and Message has_any (login_messages)
// strip any whitespace on both sides so the join key compares exactly
| extend ip_ = trim(" ", replace(@"\s", "", replace(@"\r|\n|\t", "", tostring(Message.ip))))
| join kind=inner (
    ips
    | extend NetworkIP_ = trim(" ", replace(@"\s", "", replace(@"\r|\n|\t", "", tostring(NetworkIP))))
) on $left.ip_ == $right.NetworkIP_;</code></pre><P>&nbsp;</P><P>&nbsp;</P><P>A natural next evolution of the detection would be to extend it to the "impossible travel" scenario.</P><P>These queries are simple to set up and ready to serve as a <A href="https://learn.microsoft.com/azure/sentinel/threat-detection" target="_blank" rel="noopener nofollow noreferrer">new analytics rule</A> on the solution, don’t you think?</P><P>Let me know what other scenarios you would like to see <span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span></P><H1 id="toc-hId-302473890">&nbsp;</H1><H1 id="toc-hId-105960385">Thoughts on production readiness</H1><P>SAP’s Audit Log Service is widely adopted across the SAP BTP services and foundational to the platform.</P><P>Sentinel for SAP BTP recently went into “General Availability” state, making it good to use for anyone who doesn’t like previews <span class="lia-unicode-emoji" title=":smiling_face_with_sunglasses:">😎</span></P><P>To create meaningful detections based on the SAP BTP audit log, other sources, such as the Authorization and Trust Management service (XSUAA), must be considered at a minimum. Enriching your threat signals with indicators from the rest of your IT landscape gets you from "SAP security acolyte"🧑🏻‍<span class="lia-unicode-emoji" title=":school:">🏫</span> to master of disaster🥷🏼.</P><P>The built-in Sentinel for SAP playbooks use SAP BTP public APIs for automatic remediation. See the user API documentation for disabling users <A href="https://api.sap.com/api/PlatformAPI/path/getUserUsingGET" target="_blank" rel="noopener noreferrer">here</A>.</P><H1 id="toc-hId--90553120">&nbsp;</H1><H1 id="toc-hId--287066625">Final words</H1><P>Constantly staying ahead of attackers is impossible. 
However, putting up a fight so they move on without doing more serious damage, or at least being automatically informed about the incident, puts you back in the driver’s seat.</P><P>The <A href="https://learn.microsoft.com/azure/sentinel/sap/sap-btp-solution-overview" target="_blank" rel="noopener nofollow noreferrer">Sentinel for SAP BTP solution</A> brings SAP BTP audit log information into Microsoft Sentinel, Microsoft's SIEM, for cross-correlation with your wider IT landscape. Furthermore, it powers <STRONG>automatic remediations like user block, password reset</STRONG>, and more.</P><P>For true confidence in drastic actions like blocking users, you require signals from as many sources as possible. <STRONG>Think beyond the SAP boundary and towards your complete IT landscape</STRONG>: devices, endpoints, suspicious logins, etc. All of those touchpoints leave a trail of your attacker long before they reach SAP BTP, through prior phishing attempts, lateral movement, and so on. Have a look at <A href="https://learn.microsoft.com/azure/sentinel/sap/deployment-attack-disrupt" target="_blank" rel="noopener nofollow noreferrer">Defender XDR</A> for further info.</P><P><STRONG>What detections are you running for your BTP landscape?</STRONG> Let the community know so we can learn from each other’s security practices.</P><P>Cheers</P><P>Martin</P> 2024-07-25T10:46:43.272000+02:00 https://community.sap.com/t5/technology-blogs-by-sap/to-be-posting/ba-p/13771094 to be posting 2024-07-25T13:54:39.738000+02:00 asitkumarbehe https://community.sap.com/t5/user/viewprofilepage/user-id/111618 2024-07-25T13:54:39.738000+02:00