Cloud Platform Integration Suite – Quarterly update from labs – Q1/2019 – Recap
Thank you for attending the Cloud Platform Integration Suite Quarterly update from labs for Q1/2019.
Here’s a recap for those who could not attend the webinar:
We started off with a high-level overview of SAP Cloud Platform Open Connectors, a service that accelerates connectivity to non-SAP applications via 160+ (and growing) feature-rich, pre-built connectors.
Following this, we demonstrated an end-to-end developer engagement in SAP Cloud Platform API Management, from discovering APIs, trying them out and subscribing through to getting cost and usage analytics, with a special focus on managing third-party APIs and the developer portal.
In the Cloud Platform Integration slot, we shared insights on Principal Propagation, OAuth, Enterprise Messaging and PEPPOL support in SAP Cloud Platform Integration.
Finally, we wrapped up the session with an overview of the new features in SAP Cloud Platform Integration Content Advisor, such as an introduction to user-defined code lists: their creation, their use in MIGs, creating qualifier variations and, finally, getting code-list-level recommendations in MAGs.
Kindly refer to the recording and slides attached above for more details.
Questions & Answers:
How can we unlock the integration flow, which is locked by any user? A locked integration flow cannot be unlocked by any other users?
This is right. A flow can only be unlocked by the user who locked it. It is not possible for anyone else to unlock it.
Is it possible to use our own IDP for authentication in SAP Cloud Platform Integration?
It is possible to use your own IDP configured at a subaccount level. Additionally, each subaccount can have a different IDP that it trusts. More details here.
Do you provide AS4 sender? I can see only AS4 receiver.
Yes, AS4 sender has been generally available since the beginning of this year.
With OAuth, is there a common trust lookup to confirm the trust in the pipeline?
The trust is established in the beginning during the configuration – with the signed assertion, client ID and secret, the trust is assumed.
This OAuth authorization server is in Neo.
It is in Neo. There is one also available on Cloud Foundry to validate the OAuth requirements for the Cloud Platform Applications and Services there.
Does RFC support Principal Propagation?
RFC also supports Principal propagation. This gets configured via the destination.
Can you please put that example into a spreadsheet, so we can calculate this the right way?
Please drop me a note at Meghna.Shishodiya@sap.com so I can share the excel:
Snapshot of the excel:
While using CPI for an integration can we use principal propagation for authentication?
Principal propagation is a means to log in once and allow the logged-in user context to be used across the message execution pipeline without the need to authenticate at each entity in the pipeline. The authentication is defined during configuration via trusting IDPs, user mapping or user-certificate mapping, etc. Principal propagation during runtime is a means to impose the trust defined during configuration.
Can you please confirm if we now have the JDBC capability in CPI to connect to on-premise database?
JDBC connectivity to on-premise databases is planned for release soon. Please check the Cloud Platform Integration release notes for the latest.
Is there any documentation on the decision criteria for selecting CPI or PO for cloud-to-on-prem connectivity? E.g. pros and cons of both options?
Yes, see slides 16+17 of the CPI L2 deck.
Any guide describing feature parity of both products for cloud-OnPrem integration?
The maintenance of PRO is extended until 2024. Feature parity is much earlier. You can find more information on PRO here.
Also, do you know if there is a way to contact the Authorization service to check if an Access token is still valid, before making the actual request? Or Where can we see the list of tokens issued for a client?
Refer to the screenshot below:
Is there an Introspection Endpoint for OAuth Service to validate the OAuth token validity?
No, we do not have any such endpoint.
Is it a good practice to define scopes and verify the validity of the token on the receiving end?
In general, it is good practice to define scopes and validate the scopes for OAuth for fine-grained authorization checks. A good set of security blueprints explaining various authentication mechanisms can be found here.
Which adapters support OAUTH SAML Bearer authentication?
Supporting receiver adapters – HTTP, OData V2, SFSF OData V2.
Is this validation of token implicit?
Yes, the token is validated implicitly along with all the steps before the request is served.
Can we use these queues, when any message wants to retry?
You will need to model a JMS queue into your flow, so that if your message fails it will be added to the JMS queue and be read at regular intervals until it is processed successfully. Refer to more details here.
Is it possible to access the API Proxies dynamically in Policies?
Yes, callout policies are available in API Management that can help in accessing API Proxies dynamically.
I want to restrict the API proxy access for one of the consumers. API Dev portal access restriction is something different isn’t it?
That is also possible. You can whitelist your customers to whom you want to provide access to the endpoint. This will be done as an administrator when you are defining the policies of the API proxy on API portal.
I am the Admin in APIM and could not see any possible way to restrict the access. Can we please connect after the call if possible?
Please check out this blog.
Is it possible to access the API Provider dynamically in Policies?
If you are referring to service callout, yes, it is possible. API provider as a concept refers to the connection to services which are available from a backend system, e.g. NetWeaver Gateway is an API provider.
How about for the Actual Backend service call itself for setting of target URL dynamically?
Yes, for sure. You can do that as well. Refer to this blog.
Alternatively, if your use case is to dynamically define the target endpoint, you can make use of one of the extension policies to define the logic based on which you would redirect the call to the appropriate system.
We have a scenario where we have one product (ABC) and we have developed one generic API proxy bound to that product. Now, this API proxy is the endpoint for many customers and we have APIKey as the authorization. Let’s say in future we need to block one of the customers from accessing the API proxy. Other than maintaining KeyPairs with customer specific details and using basic auth policy in API Proxy, do we have any other workaround to restrict the access?
You can also define who can discover(view) as well as subscribe(consume) the APIs. Access control at the Developer portal level is enabled.
What are the options to publish proxy on API Management directly from Cloud Integration tenant instead of creating provider explicitly?
This is something we are considering and is part of our roadmap.
Is the app-key created per application or per user subscription on that app?
It is per developer per application – every application/subscription created for a given product would be provided with a unique application key and secret.
Are there any plans to support multiple target endpoints for an API proxy, as is available in Apigee?
Via the API or proxy zip approach, multiple target endpoints are supported. Support for multiple target endpoints in the UI is planned for this year.
Does it mean that, for now, we need to change the API proxy files manually using some text editors?
Yes, for the time being, until we add support for it in the UI as well by Q2 2019.
Why is Verify API key not defaulted/ mandated in all APIs in API management?
Verify API key is not mandated by default because it depends on the customer scenario. Sometimes a customer might opt for OAuth, sometimes for an API key.
Is it a secure methodology to expose APIs without an API key at the minimum?
An API key would allow you to identify the application developer. For full API security best practices, the following blog can be referred to. There could be scenarios where you would be exposing an API without any authentication, like public APIs; in such a scenario, do add in policies like Quota, Spike Arrest, etc.
How do we transfer content from Dev to QA to Prod tenants once we have the setup done in Dev?
In order to transfer content from dev to test to prod in API Management, the import/export option can be used. We also have the import/export PF APIs available in API Business Hub, which can be used for integration with a CI/CD pipeline: https://api.sap.com/api/APIPortal_Transport/resource.
So, is there a CTS+ / TMS mechanism for moving content in API Management?
CTS+ integration is planned for Q3 2019. More detailed roadmap on API Management here.
Why do we need SAP Open connectors? We can consume SalesForce APIs via any integration tool like SAP CPI and transform/consume the SalesForce Content.
Open Connectors was released to offer pre-built connectivity to those services that can be re-used. Furthermore, any connector available within Open Connectors is maintained/versioned by SAP.
Can we expect more connectors from SAP in future other than 170 connectors as of now?
Yes – we typically release ~10 connectors per quarter. Furthermore, Open Connectors does offer the ability to build your own connectors to that same specification via the tooling called Open Connector Builder.
Does that mean SAP Cloud Platform Integration’s Adapter Development Kit will be deprecated soon?
No, the Adapter Development Kit will stay as is. It can be used by those who want to build their own adapters or implement connectivity to third-party applications without buying a license of Open Connectors.
Is there a way to use SAP Open connector (let’s say SugarCRM) in SAP CPI?
You can get the endpoint URL from OpenConnectors and, using the HTTP receiver adapter, you can connect to SAP Open Connector. The Open Connectors adapter in CPI is coming soon, though, and will streamline this experience.
Can Open Connector lead to an integration flow I can manage?
Yes, you can consume the connectors from an integration flow.
And from SAP PRO?
From SAP PRO you would be able to connect to connectors via the REST/HTTP adapters.
SAP Cloud Platform is available on many hyperscalers. Is Open Connector also available on AWS, Azure, GCP as is CPI?
We are starting on this journey for Multi-Cloud and, as a first step, we would be enabling Open Connectors on Cloud Foundry; this is planned for Q1 2019. Today, Open Connector is only available on AWS.
Is the Webhooks feature also possible with Connector + SAP CPI Integration flows?
Yes, in the eventing configuration on Open Connectors you can provide a CPI integration flow endpoint as the webhook configuration.
Any Roadmap to integrate Open connectors with Workflows and Enterprise Messaging for tight integration and reusability?
Yes, we plan to integrate Open Connectors into all the services within the integration suite services including Workflow and Enterprise Messaging. We started this with integrating Open Connectors with API Management, next would be CPI and more to follow during the year.
Blog on using Open Connectors with enterprise messaging + functions as a service.
Any dedicated components usable via API Hub?
The connectors are RESTful APIs with interactive API documents. We are planning to publish these connectors and corresponding API definitions into SAP API Business Hub as well.
Can we expect OpenConnectors adapter to support passing headers, body and attachments?
Passing of headers, body would be supported. Since connectors are RESTful APIs, attachments would be taken in via multi-part form body request.
Who looks after the Open Connectors definitions? How quickly are they updated if an end service API (e.g. Paypal API) is changed?
Cloud Elements is managing these connectors. They have dedicated people who ensure that the updates are effectively being done.
How is it different or integrated with SAP Data Hub?
The Open Connectors is creating a normalization of all APIs across 3rd party systems. This means you don’t need to specifically understand the format, the access permissions, … required to extend or integrate a 3rd party app.
Is there a possibility to persist payloads temporarily inside of the Open Connector instance? Or it’s completely transient?
It is not possible to store payloads as a part of Open Connectors.
Open Connectors derives commonality across various 3rd party apps/services and builds a baseline using which we can do further development. I hope it does not persist any data?
You are correct. No payload persistence happens. No data is stored by Open Connectors. In bulk use cases the data is stored as it’s being downloaded/chunked/uploaded, but transiently and not to disk.
Is it possible to create a self-sufficient application, which would perform polling of different API’s based on timer or event-driven?
The offering is available for folks building an application (adapter targeted for H2 2019 for Web IDE and Mobile SDK). From the language’s perspective, any data payloads will be presented in their native language. At this time, for the metadata, localization is not supported, however has been requested and is potentially a roadmap initiative.
I know that we can check out the Open Connectors service in the Cloud Platform trial account. Are there some sandpit systems like the salesforce system which might be available to do some connecting to?
They’re not available through Open Connectors, but the recommendation is to go create sandboxes for a few services for exploring/testing – as many of the cloud vendors offer free trials. A few examples are Dropbox, Box, HubSpot CRM, ServiceNow, Zendesk, Freshdesk, etc.
Will the Open Connectors service be available in CF? If yes, when?
Yes, we plan to go GA by 2nd week of March.
Does CloudElements run on CF? Probably not, right?
No, we have integrated Open Connectors with the SAP Cloud Platform tenants in CF.
When you purchase or enable OpenConnector service, are all pre-built open source APIs available in the catalog included in the cost of purchase of Open connector service?
Yes, you shall be charged based on the number of API calls.
Is OpenConnector bundled by default in API Management?
The Open Connector Provider type is available in API Management. Under the subscription model, it is an add-on with API Management, so you would have to buy Open Connectors separately. If you are under CPEA, then it can be used with API Management, as both services are part of CPEA (Cloud Credits).
What is the authentication method to connect API provider in API management with Open Connector?
You would have to provide your Open Connector org secret & User secret.
Do you have any blogs for connecting Open connectors with CPI directly?
All blogs on Open Connectors are available here.
CPI and Open Connectors blogs are available here.
In that blog, we have explained how you can replicate a billing document from SAP S/4HANA Cloud to a third-party document storage like Dropbox/OneDrive/GoogleDrive.
Are the code lists downloadable?
No. User defined codelist. You could assign it to a node and download the MIG as a PDF. The codelist can be found in the PDF.
How do I access Integration Content Advisor?
Integration Content Advisor can be licensed as a part of the SAP Cloud Platform Integration or through the Cloud Platform Enterprise Agreement.