Part 4: Discover, Consume and Manage third-party connectors from SAP Cloud Platform API Management

SAP Cloud Platform Open Connectors simplifies and accelerates connectivity to third-party cloud applications. It provides robust, feature rich, prebuilt connectors to an extensible library of over 160 of the most popular third-party cloud applications.

In Easily consume data from third-party in a Fiori application using SAP Cloud Platform Open Connectors blog, a simple Fiori application consuming the third-party RESTFul APIs was covered. In this blog, steps to secure and manage the third-party connectors would be showcased.

Building an enterprise application is not just about programming the core functionality, it is also about how DevOps will manage, operate the application, handle continuous development and maintenance and much more. Decoupling the actual API endpoint using SAP Cloud Platform API Management enables API Management as the access point to the actual API implementation, hiding internal information and providing specific behaviors that otherwise would need to be coded in the API itself, such as Authentication, Traffic Management or Data Transformation.

Prerequisites

• SAP Cloud Platform trial tenant
• SAP Cloud Platform API Management trial tenant.

Manage APIs using SAP Cloud Platform API Management

• Logon to your SAP Cloud Platform trial and Navigate to the Neo Environment.

• Navigate to the Services tab, search for API Management service tile and click to open API Management service.

• Click on the link Access API Portal to open API Portal.

• Navigate to the Develop tab from the hamburger icon.
• From API tab, click on the Create button to create an API Proxy to the third-party CRM application.

• In Create API wizard enter your API Proxy name, URL, API Proxy Base Path as provided below and then click on Create Button

• From the API Proxy details page, open up Policy designer by clicking on the more button and selecting Policies from the drop down menu.

• SAP Cloud Platform API Management provides more than 40 policies which enables customers to govern, set the behavior of their APIs based on their enterprise needs. These XML based policies enables administrators to define the API functionalities using just simple configurations. In this scenario, the Assign Message policy would be used to set the Authorization token as required by the SAP Cloud Platform Open Connectors. This ensures that authorization token need not be specified by the application developers in a JavaScript file on client side.
• Select PreFlow from the ProxyEndPoint and then click on the + button next to the AssignMessage Policy available under the Mediation Policies segment. This would open up the Create Policy wizard.
• In the Create Policy wizard set the name of the Policy say setAuthorization and then click on the Add button.

• In policy snippet window provide the policy snippet provided below. In the snippet provide your third-party CRM connectors authorization from SAP Cloud Platform Open Connectors. Refer the blog Simplify connectivity to third-party application to know more about this token.

<!-- This policy can be used to create or modify the standard HTTP request and response messages -->
<AssignMessage async="false" continueOnError="false" enabled="true" xmlns='http://www.sap.com/apimgmt'>

<!-- Sets a new value to the existing parameter -->
<Set>
<Headers>
<Header name="Authorization">provide_your_authenticated_connector_token_from_SAP_Cloud_Platform_Open_Connectors</Header>
</Headers>
</Set>
<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
<AssignTo createNew="false" type="request">request</AssignTo>
</AssignMessage>

Note:- SAP Cloud Platform API Management, also supports storing of encrypted key value maps which can be used to further securely use this authorization. More information about encrypted key value map is available in help documentation.

• Click on the Update button to save the Policy changes.

• Click on the Save and Deploy button to persists and activate the API Proxy.

• With this we have now created an API Proxy which can be consumed from the Fiori application. In order to apply the changes for the Principal propagation or single sign of user refer this blog series.

Note:- Only the first part of Single Sign On from Fiori application to SAP Cloud Platform API Management blog needs to be applied. The rest of the blogs and policies for SAML assertion generation is not required for this flow. This is because the connection to the third-party applications would be via the authorization token.

• From the API Proxy overview page, copy the API Proxy URL till /{your_user_id}trial. This host URL would be specified in the Fiori destination created in the Easily consume data from third-party in a Fiori application using SAP Cloud Platform Open Connectors blog.

Destination to SAP Cloud Platform API Management

To connect the Fiori application to SAP Cloud Platform API Management managed Open Connectors CRM APIs, the destination openconnectors needs to be updated to the API Proxy host URL. In this section steps to update the destination to the API Proxy host URL is covered.

• Navigate to SAP Cloud Platform trial tenant
• Click on Neo Trial

• Click on Destinations tab under Connectivity. Select the destination named openconnectors and click on the Edit ( pencil icon) button.
• Change the URL to the API Proxy URL which for trial should be in the format https://{your_useridtrial}-trial.apim1.hanatrial.ondemand.com/{your_userid}trial

With this have updated the openconnectors destination to connect to the API Proxy created on SAP Cloud Platform API Management.

Changes on Fiori applications

In this section, the changes required on Fiori application to remove the authorization token has been covered.

• Open SAP Cloud Platform Web IDE Full stack service.
• Expand the generated thirdpartydemo application from the previous blog.
• Click on model.js from the expanded project in WorkSpace explorer and change the createDataModel function to remove the authorization token header as shown in the screen shot below.
• Save and run the fiori application to connect securely via SAP Cloud Platform API Management.

• This will launch the Fiori application in a new browser tab and after successful user login, data from your third-party application would be shown.

SAP Cloud Platform, API Management also offers many out of the box API Security best practices which includes security policies for Authentication and Authorization, Traffic Management and many more.

Further Reads

• API Security Best Practices blog series.
• Monitor and Analytics blog.
• Enchanced developer experience blog.