Skip to Content
Technical Articles
Author's profile photo Domnic Savio Benedict

Sending OPC UA data from SAP PCo to SAP Leonardo IoT


The OPC UA provides a standardization of data and interfaces of devices and machines in a uniform manner. A lot have been talked about this specification and widely adopted way before the Industrial Internet of Things kick started. SAP has been a long time adopter of this specification. Products such as SAP Plant Connectivity (SAP PCo) or the IoT Services Edge Gateway SDK do support this standard as servers and clients.

In this blog, I would like to share my experience of using SAP PCo together with the SAP Leonardo IoT especially how to consume the IoT AE Timeseries APIs to persist data coming from a PLC which hosts an OPC UA Server.

In this concrete example we have a PLC which models data tags in the server based on the OMAC standards (Organization for Machine Automation and Control). This model is defined based on the companion specification for OPC UA data model. In SAP PCo, we connect to this OPC UA and we build our source systems. We subscribe to some of the data tags in its Instances. This part is fairly easy and simple, also explained in detailed in various blogs at SAP.

I would like to explain the second part of the exercise a bit more in detail, where I leverage the oAuth Settings for generating tokens and send data to the SAP Leonardo IoT time series APIs.


  1. SAP Plant Connectivity (at least Version 15.2.3.xxxx) installed.
  2. SAP IoT AE Subscription – Version 1.60 and above
  3. We first connect to the Cloud Foundry authentication service, in this example to the UAA. Make sure you have a valid client credentials for the authentication service.
  4. A valid Thing ID, its thing type, names property set (nPST) and properties that belongs to the right tenant where you have the client credentials.
  5. A self-generated certificate (Optional).
  6. Certificate to connect to the OPC UA Server

Token Generation

Create a new Destination System of type – Universal Web Service Destination, called – IoTAE_TS_Ingestion

  1. Under Security Settings, select oAuth authentication Method.
  2. Press the Edit icon the right after Authorization Server URI.
  3. In the following screen, enter the Client ID and the Client Secret.
  4. Also add the URL with two additional URI parameters to your authentication service.
  5. These URI Parameters and values are grant_type=client_credentials & response_type=token
  6. You would have to select your certificate in the SAML Details. Your final OAuth authentication method would look like:-

Fig 1. Configuration of the Authentication Service

IoT AE – /Things API call

  1. Select the Operation Configuration. The Endpoint of this service is It is a PUT method call.
  2. The Request Message Configuration should contain the IoT AE /Things API payload. for example, it must have the value JSON Object with _time as one key followed by multiple properties that are sent by the OPC UA Server. It could look like,

Fig 2. PUT Request with IoT AE – /Things payload

Here you can observe that the property set types and thing id are passed on to the call via the variables under “call” parameter. Ofcourse one can rename these. Under Advanced Configuration – enter the Template URI as  /Things(‘{call.thingId}’)/{call.thingType}/{call.nPST},

Fig 3. Template URI settings for sending data


Fig 4. Testing the call with variables and data

Agent Instance

We create a new Agent instance for the OPC UA Source system called LocalOPCUA. When we create the Agent Instance, we browse thru the OPC UA Tag structure provided by the OMAC definitions and select all the tags which are relevant for the data storage in the SAP Leonardo IoT. Upon subscription, these tags are later available for the Tag based Notification instance.


We can also drag and drop the Universal Web Service Destination System definition IoTAE_TS_Ingestion under this agent instance as a Tag based Notification. After we complete this step, we can now see all the Tags we have subscribed from the OPC UA server. We can also add new tags for the rest of the variables in the above two calls. Here is how my notification definition looks like,

Fig 5. Assigning OPC UA Tags from the OMAC definition to Input variables in the destination.

After giving values, either statically or dynamically from OPC UA Sources, it is possible to shape the data using regular or mathematical expressions here. It is also possible to derive new values or calculate new ones like the current time stamp (currTs).


The Destinations tab in Notifications would also contain the Output destination mapping. Here we can assign which variable have to be filled with an output expression.  This is basically the mapping between what you would see in Fig. 2 & 5. This assignment could look like,

Fig 6. Mapping the variable in the Destination with values

After this step, one can save and start the Agent Instance. You can also check the logging tab of the instance to see the call sequence.

Data in the SAP Leonardo IoT

In the SAP Leonardo IoT, we have a Thing Model defined which has the properties representing the subscribed OPC UA Tags in PCo. One can open the Thing Model to see the data from the OPC UA server.

Fig 7. Values for Beat and Temperature from the OPC UA Server at SAP Leonardo Thing Modeler

Next Steps

If the OPC UA server is sending data very frequently, say every 500 milliseconds, it is advisable to buffer the JWT token, check for the validity of the token and then generate if needed. SAP PCo supports this by adding additional logic at the result of each request in a Multiple Call flow.

It is also possible to route the data to a local or a cloud based Message Queue system for temporary buffering or storage.



Special thanks to colleagues from the development and consulting teams from SAP PCo and SAP Leonardo IoT who advised, corrected and guided during the entire work.


Domnic Savio Benedict



UPDATED:- Multiple call destination and oAuth calls were improvised to more simple means using standard features from SAP PCo.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Christian Mohr
      Christian Mohr


      Entering the client secret as plain text locally within the PCo seems a wonderful idea to me. Congratulations. Do you know about DMC(Digital Manufacturing Cloud)?

      Author's profile photo Domnic Savio Benedict
      Domnic Savio Benedict
      Blog Post Author

      Thanks for the remarks. I have it updated accordingly.