In today’s world, end users spend valuable time going through multiple access points to reach the apps and content they need. Business processes also often span multiple entry points and do not provide the single point of entry that users require.
With companies adopting the Two-Tier strategy, SAP is also providing various deployment options for realizing this two-tier ERP strategy. Two-Tier provides enterprises with an opportunity to standardize the end-to-end business processes across multiple tiers. By using SAP S/4HANA Cloud for their Tier 2, customers get the benefit of Software as a Service (SaaS), which can be implemented using a standard template, thereby reducing the cost and ancillary IT expenses by having a pre-configured solution. But this also introduces an additional entry point from an end-user perspective.
A central entry point for business applications simplifies access and increases user productivity. Designing and configuring a central point of access to SAP and third-party solutions (both cloud and on-premise), in particular accessing multiple SAP S/4HANA systems from one common launchpad on SAP Business Technology Platform, alleviates many of the pain points mentioned above for end users.
You will find below a depiction of the target architecture.
In this blog we will look at the process of establishing content federation between SAP S/4HANA Cloud and an SAP BTP Launchpad site.
You can split the setup tasks into two major steps:
◉ Exposing Content to SAP Launchpad Service
◉ Consuming Content in SAP Launchpad Service
Exposing Content to SAP BTP Launchpad Service
1. Create Communication System with Inbound and Outbound Users
◉ Open the Communication Systems app in the SAP S/4HANA Cloud Fiori Launchpad. Create a new communication system and provide the following details:
◉ Define an ID and a name for the new system.
◉ In the Host Name field, enter the callback URL, such as portal-service.cfapps.<datacenter>.<domain>. The URL is needed to enable the content change notification.
◉ Add a technical user for inbound communication.
I have used User ID & Password as the authentication method. It is recommended to use a client-based authentication method. In this case, create a new communication user and provide the password.
◉ Add a technical user for outbound communication. Under Users for Outbound Communication, choose Add. In the New Outbound Communication User dialog, choose New User. You will be redirected to the Communication User app. In the New Outbound Communication User dialog, choose None as the authentication method. Choose Create.
2. Create Communication Arrangement
◉ Open the Communication Arrangements app from the SAP Fiori launchpad. Already existing communication arrangements are listed on the initial screen. In the New Outbound Communication User dialog, choose None as the authentication method. Select Create. The Communication Arrangement screen opens.
◉ Under Common Data in the Communication System field, select the communication system that you have created earlier using the value help.
◉ Under Additional Properties in the Logical Target Identifier field, enter an ID of your choice to uniquely identify the target of the callback URL. This ID is used in the content change notification process. Example: LAUNCHPAD_SERVICE_01.
◉ Enter the job execution details for scheduling the exposure job. We recommend setting the job frequency to hourly. After the communication arrangement is saved, it might take a while until the job is scheduled by the job framework. When the Job Status field is displayed as active, the job will run as defined. Save the arrangement.
3. Select roles for Exposure
◉ Open the Maintain Business Roles app from the SAP Fiori launchpad.
◉ Select the roles relevant for exposure.
◉ Choose Expose to SAP Launchpad Service.
◉ Confirm your selection by clicking Expose in the dropdown list.
◉ The Expose to SAP Launchpad Service column now indicates that the role you selected will be exposed.
4. Configure Communication for the content consumption
◉ In SAP BTP cockpit, download the trust certificate from the subaccount runtime destinations, by navigating to Connectivity -> Destinations and selecting Download Trust.
◉ Log in to SAP S/4HANA Cloud Launchpad as an administrator.
◉ Launch the app Communication Systems.
◉ Create a new communication system, as follows:
◉ Specify the System ID and System Name.
◉ Select Inbound Only.
◉ Set SAML Bearer Assertion Provider to ON.
◉ Keep the User ID Mapping Mode set to User Name.
◉ Upload the certificate file that you downloaded from your subaccount as the Signing Certificate.
◉ Specify a unique Provider Name as SAML Bearer Issuer, in the following format:
◉ cfapps.<region>.hana.ondemand.com/<unique_name>
◉ Save the communication system.
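The settings in step 4 are the values an incoming SAML bearer assertion has to line up with: its Issuer must equal the SAML Bearer Issuer, and its NameID must be a user name (User ID Mapping Mode). The following check is an added example, not code from the original post or from SAP; it compares a decoded assertion with those settings and does not verify the signature. The function names, the sample assertion, the user `JDOE` and the characters allowed in `<region>` and `<unique_name>` are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Format given on the page: cfapps.<region>.hana.ondemand.com/<unique_name>
# (the character classes allowed for the two placeholders are an assumption)
ISSUER_RE = re.compile(r"cfapps\.[a-z0-9-]+\.hana\.ondemand\.com/[A-Za-z0-9._-]+")

# Constructed sample assertion (unsigned, all values invented for illustration).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" IssueInstant="2030-01-01T10:00:00Z" Version="2.0">
  <saml:Issuer>cfapps.eu10.hana.ondemand.com/example-subaccount</saml:Issuer>
  <saml:Subject><saml:NameID>JDOE</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2030-01-01T09:55:00Z"
                   NotOnOrAfter="2030-01-01T10:10:00Z"/>
</saml:Assertion>"""

def _ts(value):
    """Parse an xs:dateTime in UTC ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, configured_issuer, known_users, now):
    """Return a list of mismatches between an assertion and the settings."""
    problems = []
    if not ISSUER_RE.fullmatch(configured_issuer):
        problems.append("configured issuer does not follow the documented format")
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", "", NS).strip()
    if issuer != configured_issuer:  # exact, case-sensitive comparison
        problems.append(f"issuer mismatch: {issuer!r}")
    name_id = root.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if name_id not in known_users:
        problems.append(f"NameID {name_id!r} is not a known user name")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element, validity window unknown")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            problems.append("assertion not yet valid")
        if not noa or now >= _ts(noa):
            problems.append("assertion expired or has no NotOnOrAfter")
    return problems

if __name__ == "__main__":
    now = datetime(2030, 1, 1, 10, 5, tzinfo=timezone.utc)
    print(check_assertion(SAMPLE, "cfapps.eu10.hana.ondemand.com/example-subaccount", {"JDOE"}, now))
```

Run it only on assertions you captured from your own landscape while troubleshooting; an empty list means the claims agree with the configured values, not that the assertion is trustworthy.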
Consuming Content in SAP Launchpad Service
1. Establish Trust
◉ Configure the Identity Authentication Tenant as a Proxy
◉ In the SAP BTP cockpit, navigate to your subaccount, select from the side panel Security -> Trust -> Configuration, and then download the SAML metadata from the SAP Launchpad service subaccount.
◉ In the Identity Authentication tenant, navigate to Applications & Resources -> Applications, and click +Add to create an application for the SAP Launchpad service subaccount.
◉ Select the application you just created, and click SAML 2.0 Configuration.
◉ Under Define from Metadata, browse for the metadata file that you downloaded from the cockpit.
◉ Save and use the back arrow to go back to the main screen.
◉ Click Subject Name Identifier, select Advanced Configuration, and in the Dynamic subject name identifier value field, enter the following value:
◉ ${corporateIdP.mail}
2. Configure Trust between subaccount and Proxy
Download the SAML 2.0 metadata file from the Identity Authentication tenant as proxy.
◉ In the SAP BTP cockpit, navigate to your subaccount and select Security -> Trust Configuration -> New Trust Configuration.
◉ In the Metadata field, upload the SAML 2.0 metadata file that you downloaded, and select the Available for User Logon option.
3. Configure Destinations
Create a design-time destination, runtime & runtime (default) destinations as below.
◉ Choose Download Trust to download the trust certificate from the subaccount destinations.
4. Manage Content Providers
◉ Within the Launchpad Service, the administrator uses the Channel Manager to define, edit, and get updates from remote content providers running in the cloud.
◉ Create a new remote content editor as below. Refer to the following link for the list of additional parameters to be maintained.
5. Add Specific Roles to Your Subaccount Manually
◉ In the Content Explorer, select the content provider you defined. The roles that it contains are displayed in a table.
◉ Select the roles you want and click Add to My Content.
6. Complete Role Configuration
◉ To be able to view the content in the site at runtime, you need to assign the roles to the site.
◉ To assign the roles to the site, open the Site Settings, switch to Edit mode, and in the Assignment panel on the right, select the roles you want to assign to this site.
7. Assign the generated platform role to your user
Launch the SAP BTP Launchpad Site to verify that the SAP S/4HANA Cloud Launchpad content is visible and accessible.
The SAP S/4HANA Cloud launchpad app is opened in-place within the SAP BTP Launchpad site without any additional authentication.