Skip to Content

It seems very close, you use extended notifications with http links to user decisions, those links activate web services which do not require SAP GUI and you can see your e-mails from your mobile devices. So close, but not there.

In more and more organization there is a demand to approve workitems from mobile devices; this usually starts with the CEO and a few other high ranking personal of the company. CFO’s want to impress the CEO and they too usually see that this is a very close possibility. However smaller organizations want simple solutions for this.

Well, there are some options:

  1. Use a VPN (virtual private network), there are VPNs for mobile devices as well as computers, and since the links are web services they will work. This solution doesn’t need development or any other installation except the VPN on the user’s devices. There are problems however; the web services are not adapted for mobile phones so the display will be small. And the users will have to give a password two times – once for the VPN and once for the web service. This is a big problem as this is a solution for the higher ranking personal of the company, and they are usually, well, a bit spoiled…
  2. Another solution is using a reverse proxy (a server running in front of a Web server),  , it does not even require installation on the user’s devices, as described for example in:  Configuring Reverse Proxy Servers – Administration – SAP Library. This has the same problems as the last solution and is more viewed as a security risk by the internet security team I have talked to. Although there are solutions to this to, for example, allowing the proxy to interact only with specific MAC addresses.  However this doesn’t require any installation at all except changing the links in the extended notification to point to the reverse proxy server.  
  3. A third solution in to use incoming mails to process the users decision, this also requires no installation on the users device, and only a few developments to process the incoming mails. It also requires no logon from the users and enables them to enter comments in their reply which makes this a good option to implement.

The most common way I have seen to bypass part of the SSO problem is using the SAP portal, since it has a SSO with the ECC and with the active directory, which the BSP of the extended notification doesn’t.

To be more specific, I think there is a way to enable SSO for SAP web services but in all the organizations I asked for a way to solve this problem the portal solution was selected. If anyone has implemented an SSO for the workflow web services I would love to hear about it.

Another advantage for using SAP portal is that you can add the option to add remarks since you are create a new iview anyway (I haven’t found a way to create a link to a specific workitem in the UWL, again if anyone has, do share).  

Whatever solution you think might be good for your organization, all of them should be checked with the organization internet security team, I received very different responses from different security specialists, one of them didn’t want to allow any access to the SAP ECC servers and another pushed for the reverse proxy solution with is the least secure to the best of my understanding.

Also, I do think that SAP Fiori and SMP (SAP Mobile Platform) are going the right way (see for example Which #Workflow Inbox When? Pros and cons for SAP Business Workflow and SAP NetWeaver #BPM ) are a great solution to this problem and will be implemented more and more as time goes by. For now installing a SAP NetWeaver gateway server and a SMP server, I my opinion, seem to be a bit too much for smaller organizations if their only demand is workflow approval.

To report this post you need to login first.

4 Comments

You must be Logged on to comment or reply to a post.

  1. Connie Volk

    We ARE doing SSO with NO Portal right now for FIORI/HTML5 apps and using extended notifications (I’m having to enhance a little here too), maybe if I can get unburied with work I’ll BLOG about our experience…we are experiencing difficulties with SSO for Safari – truncation of cert (Having to upgrade ADFS from 2.2 to ADFS 3.0 for SSO w/SAML2.0) I do know of another company who deployed FIORI with PORTAL (Likely due to this very reason). — feeling the pain of a pioneer though…

    HOWTO link specific workitem in UWL!   (I did this a long while ago with ESS Portal, uwl, extended notifications etc.)

    Transaction SWFVISU – Easy to configure and direct the LINK to the format you want for individual task display from your portal.  (VP1: APPLICATION VV1: Your WDA or WD wi approval app name, VP2: NAMESPACE VV2 ‘SAP’) — then your application parm for the WDA needs to have “WI_ID” to accept the workitem… SWN_SELSEN will do the link trick to specific uwl wi.

    Lastly, SAP Gateway is foundational to companies running ERP/ECC who want a better UI/UX for their users on any device.  Simple really to setup — GW HUB configuration (GW HUB AS server – best!!!) and load on one component to your backend ERP (EHP7 it comes preloaded). Then MANY things become possible — smaller companies can take advantage of the GW with 3rd party solutions, FIORI (out of the box FREE!), and UI5 dev… You can do without SMP but larger companies gravitate toward some EMM – the emm space is hot though and you’d need to take on that “pioneer” spirit…

    (0) 
    1. Ronen Weisz Post author

      What you have accomplished seems very interesting, I do hope you blog about them and I agree that now FIORI is free it will give smaller organizations an incentive to install a GW server. 

      As for the SSO with no portal in the way, I didn’t understand completely, have you been able to create an SSO to the swn_wiexecute web services? if so I would definitely love to hear about it, especially with note 1964571 enabling the addition of comments directly from the web service.

      (0) 

Leave a Reply