SAP/Microsoft Manufacturing Reference Architecture
Extend the capabilities of the existing SAP MII product to better support collaborative Manufacturing reporting. The goal is to modernize this composition environment by converting it to a web-based application that can interact with the SAP Mfg. EMI layer (MII) to host live reports and provide live manufacturing data to these reports and supporting visualization for both PC and Mobile devices.
- There should be an enterprise reporting component that leverages the MS SharePoint environment for global reporting
- The solution includes Excel web API as this leverages a large existing business user skill set at many manufacturing facilities
- Web based client applications allow for reports to be visible from a server rather than only on the PC where it is stored
- Provides a single view of the data for all users and security around how the data is presented to the end-users
- Provide a Single sign-on capability in spite of the multiple technologies and capabilities involved
Additional overview content is available here:
The purpose of the document is to provide a reference architecture for setting up the infrastructure that would support collaborative Manufacturing reporting. The document provides guidance on provisioning various components in Windows Azure, Microsoft O365 and SAP MII to provide live manufacturing data to these reports and supporting visualization for both PC and Mobile devices.
This document is intended for Enterprise Architects and developers who can use this information and the provided scenarios to extend the capabilities of the SAP MII product to better support collaborative Manufacturing reporting and provide live manufacturing data to these reports and supporting visualization for both PC and Mobile devices. The document is created with the assumption that Enterprise personnel are proficient in Windows Azure, Microsoft O365, SAP MII and SAP Netweaver products.
- Visualization on both PC and mobile devices of the live manufacturing data feed from the SAP MII will be provided by multiple Consuming Applications and Services such as Office Applications on Microsoft O365, Web Services/Applications hosted in the web, custom clients on PC/mobile devices and Excel on PC.
- Data is made available to the consuming applications using Open Standards (OData/SAML) based approach to alleviate any potential enterprise data access concerns
- SAP Azure add-on application running on Windows Azure environment decouples the consuming clients from the SAP MII and provides an Open Standards (OData/SAML) based interface for the clients to consume. It provides additional access control and security on top of the MII service endpoints
- SAP MII instance(s) running in the enterprise on-premise environment provide the data feeds from sources such as SRM, CRM, ERP, Plant Database, Plant Data Historian and Sensor data.
- Security of the system is achieved by authenticating and authorizing the users accessing the reports, using their Domain credentials stored in Windows Active Directory via Active Directory Federation Services (ADFS).
The SAP MII Instance is hosted either on the Enterprise On-Premise or in their Data Center. The SAP MII provides an OData feed of the live manufacturing data directly from various source systems without the need to replicate the data. For this the SAP MII instance connects to the various sources such as local Plant Databases, Plant Data Historian and Sensor data, Enterprise ERP, CRM, SRM, and Business Warehouses.
The sample OData response is in the link below:
The Windows Azure Infrastructure as a Service (IaaS) hosts the SAP Azure add-on cloud service that decouples the consuming clients from the SAP MII and provides an Open Standards (OData/SAML) based interface for the clients to consume. It provides additional access control and security on top of the MII service endpoints.
- Configuration information such as the OData URL endpoint and application configuration is stored in Windows Azure SQL Database
- Optionally, the OData response from MII can also be cached and persisted in Azure Table Storage or Azure SQL Database
Data consumers such as Web Application, Web Services, Excel Thick Client and Office Web App can be used to consume MII data. For the reference architecture, Excel Web App hosted in SharePoint Online (Office 365) has been chosen as one of the consumers of the MII data.
Using the new Office App Model, an Office App which hosts the MII façade has been used to populate the Excel spreadsheet. The MII Facade Office App can populate the spreadsheet both in the browser as well as in the Excel Thick Client.
Note: Office App Model works only with Office 2013.
Figure: MII Façade Office App in Excel 2013 Desktop Client.
Figure: MII Façade Office App in Internet Explorer 10.
As part of the reference architecture, PowerView is used to visualize MII data. The Excel Thick Client is populated with the MII data using the MII Façade Office App. The PowerView add-in for Excel is then used to visualize and interact with the MII data.
The PowerView report below shows the Overall Equipment Effectiveness (OEE) across various plants in USA.
The PowerView report below shows the OEE, Availability, Quality and Production Rate across all the plants in USA.
The same PowerView reports also render in the web browser without any additional modifications required.
User Authentication & Authorization
User credentials are stored in the on premises Active Directory. Active Directory Federation Services (ADFS) components are hosted on premises to enable WS-federation trust between MII Facade and Active Directory. A Federation trust is established between MII Façade and ADFS.
The SAP MII is hosted securely in the enterprise data centre and only the OData feed is exposed over the internet via a secure Reverse Proxy. The SAP MII running on the SAP Netweaver (Java) stack provides Certificate based authentication for Enterprise users accessing the OData interface.
The SAP MII trusts the Active Directory Certificate Services Root CA running in the VM on Windows Azure IaaS. MII is configured with Client certificate authentication, and authorization on SAP MII is based on the user's email address or UPN.
The MII Facade application is a Claims aware .NET web application built using Microsoft Windows Identity Foundation toolkit and accepts Claims of the Enterprise users. Once the user is successfully authenticated on ADFS, the MII Facade application generates a temporary certificate that is valid for a few minutes for the user using Microsoft Active Directory Certificate Services. It uses the certificate to request the data from the SAP MII that is running in Enterprise On-Premise.
The SAP MII uses the User Certificate to authenticate the request from MII façade. Upon successful authentication and authorization, it retrieves the manufacturing data and returns it as an OData response to the MII Façade which in turn returns the response to the consuming application.
The temporary user certificate generated for the user by the MII Façade application is immediately deleted upon completion of the request.
The sequence diagram below shows the User Identity flow across Office 365, MII Façade and MII instance.
Identity Flow Diagram
Claims Based Authentication for the Enterprise users accessing the MII reports is done with Active Directory Federation Services as the Identity Provider. Users use their Enterprise credentials to authenticate themselves over the internet against the Enterprise Active Directory via an ADFS proxy.
The reference architecture provides a Single Sign-On experience for the user accessing the reports, with all the layers being Claims Aware and the users' Claims being used to authenticate and authorize the user.
The reference architecture uses Client certificate authentication between the Azure MII Facade and SAP MII running on SAP Netweaver Java stack. The client Certificate Authentication is achieved using Microsoft Active Directory Certificate Services.
- All communication is over HTTPS.
- No data, user credentials or user certificates are cached or stored on Azure by the MII Façade application.
- The user certificate generated for a user is valid only for that request from the user. The certificate is deleted immediately after the request is serviced.
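The identity flow described above (ADFS authenticates the user, the façade mints a client certificate that lives only minutes, SAP MII validates it against the trusted AD CS root and authorizes on the email/UPN) as an added Go example; it is not code from the reference architecture and models the root CA, the issuance step and the MII-side check with Go's standard x509 library rather than the real AD CS or NetWeaver APIs. All names, the root CA and the 'allowed' user list are constructed.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// check panics on set-up errors; only AuthorizeClientCert, the access decision, returns errors.
func check(err error) {
	if err != nil {
		panic(err)
	}
}
// issue makes a P-256 key for tpl and signs tpl with signer (self-signed when parent is nil); constructed stand-in for AD CS enrollment.
func issue(tpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, signer = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}
// RootCert/RootKey model the enterprise AD CS root that SAP MII is configured to trust (constructed).
var RootCert, RootKey = issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"}, IsCA: true,
	BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}, nil, nil)
// UserCert is the façade step: after ADFS has authenticated the user, mint a client certificate (and its key for the TLS request) with the UPN as SAN, valid only for ttl.
func UserCert(upn string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: upn}, // demo serial
		EmailAddresses: []string{upn}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, RootCert, RootKey)
}
// AuthorizeClientCert is the MII side: chain the presented certificate to the trusted root, require the client-auth EKU and validity at time at, then map the email/UPN SAN to the allowed users.
func AuthorizeClientCert(cert, root *x509.Certificate, allowed map[string]bool, at time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(root)
	if _, err := cert.Verify(opts); err != nil {
		return "", err // untrusted issuer, outside the validity window, or wrong key usage
	}
	if len(cert.EmailAddresses) != 1 || !allowed[cert.EmailAddresses[0]] {
		return "", errors.New("certificate holder is not an authorized MII user")
	}
	return cert.EmailAddresses[0], nil
}
```

Because the certificate carries its own expiry, a copy replayed after the façade has deleted it is rejected by the time check alone, which is the property the "valid only for that request" rule relies on.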
Enterprise Data Center or On premise infrastructure will host the SAP MII, and the data sources SRM, CRM, ERP, Plant Database and Plant Data Historian and Sensor Data. It will also host the Windows Active Directory and Active Directory Federation Services.
Windows Azure Environment will host the MII facade application, which provides the intermediary layer that exposes MII data sources to consumers as OData feeds.
Consuming Applications and Services:
- The User PC or Mobile devices can host the custom clients that consume the data and generate the reports
- The User PC can host the Excel thick client that consumes the data and generates the reports
- The Excel Services, Power View, Performance Point clients and the Office Applications will be hosted on Microsoft Office 365
- Custom Web Applications and Web Services, Microsoft SharePoint can be hosted on premise or in the Enterprise data centre
Clients – Users can access the Visualization of the reports from their PC or Mobile devices from the Organization intranet. Users on the move can access it from the Internet.
Assumptions & Limitations
- The consuming applications are claims aware and will be accessing the MII Facade using SAML tokens.
- Web SSO is applicable to users who are using the Web Browser as the user interface
- Thick clients such as Windows 8 applications and any other forms based applications will need to use the Active authentication protocol to get data from MII Façade.
- MII Facade cannot be deployed as a Multi-tenant application
- This solution is not tested for SAP MII on premise instance
- This solution is not tested for very large OData sets. This might require additional architecting such as queues and storage on Azure.
- Performance benchmark Tests have not been conducted for this solution to ascertain the data set size, latency etc.
- Setting up Single Sign-On (SSO) between O365 and Active Directory Federation Service (ADFS) is not part of the reference architecture
The future version of the MII Façade can incorporate the following capabilities where required:
- Caching on the Office Client side – Address Security/Data Confidentiality
- Addressing very large data sets
- Single point of failure(s)