Author: Pierre VANHOOVE

Setting up SAP Launchpad Service and SAP Mobile Start with Content Federation

In this blog I cover how content (roles, groups, apps, etc.) that is already defined in an SAP S/4HANA on-premise system can be made available in SAP Launchpad service using content federation, and then made available to mobile users in SAP Mobile Start.

Scenario

You have an SAP S/4HANA on premise solution with SAP Fiori Launchpad configured with standard or custom business roles, containing apps, groups and catalogs. 

You want to reuse the existing content on the SAP Launchpad service and on SAP Mobile Start using content federation. 

Required Systems and Components

  • Embedded deployment for SAP Fiori Frontend server
  • Application content for SAP S/4HANA On-Premise 1809 or above
  • For cloud notification functionality, you’ll need an S/4HANA release 1909 with component SAP_GWFND 7.54 SP06 or above. For lower releases in 755 (SP00 and SP01), implement SAP note 3005409
  • SAP BTP sub-account 
  • SAP Launchpad service subscription
  • SAP Cloud Connector with principal propagation already set up between SAP BTP sub-account and SAP S/4HANA on-premise system (not covered in this blog) 
  • iOS device with software version 14 or above 

Note: you can find more information on the supported platforms/products in the documentation.

Configuration Steps

  • Expose content from SAP S/4HANA 
  • Set up the Runtime and Design-Time destinations in SAP BTP 
  • Import the content in SAP Launchpad service 
  • Create a Site and assign the imported roles 
  • Add the roles to the user 
  • Review the SAP Mobile Start app settings in Mobile Services and onboard the site on SAP Mobile Start 

Expose Content from SAP S/4HANA

Pre-requisites

Some technical settings are required in SAP S/4HANA before exposing any content. These steps are also described in this tutorial.

FLP entries

Go to transaction /n/UI2/FLP_SYS_CONF where you need to add an additional FLP configuration parameter.

Click on “New Entries”.

And enter the following values:

FLP Property ID: EXPOSURE_SYSTEM_ALIASES_MODE
Category: Automatically filled
Type: Automatically filled
Property Value: CLEAR

Save the entry and select a transport request when prompted.

Activate Clickjacking Protection 

Go to transaction UCONCOCKPIT and select the “HTTP Whitelist Scenario” from the list.

Then select in the menu More – HTTP Whitelist – Setup.

Tick both options in the setup menu and save it.

You will now see that the entry “Clickjacking Framing Protection” is added in logging mode, meaning that connections are only logged, not checked. In production, it is recommended to set it to “Active Check” and to maintain the patterns for the SAP Launchpad service as described in the next step.

If you double click on the row “Clickjacking Framing Protection”, you’ll be able to see and edit the blocked and allowed connections.

Exposure Service

Go to transaction SICF and activate the service /sap/bc/ui2/cdm3. 

Then make sure to check “use all logon procedures” for the service in the Logon Data tab.

Check the exposing user

Go to user maintenance (transaction SU01) and check the parameters for the user who will expose the content. 

Go to the Parameters tab and make sure that the parameter /UI2/PAGE_CACHE_OFF does not show up there. If it does, remove it. 

Your SAP S/4HANA system is now ready for exposure.

Expose content from SAP S/4HANA

Go to transaction /n/UI2/CDM3_EXP_SCOPE 

Click on the multiple selection icon to select the roles you want to expose.

Then fill in the business roles you want to expose. In this example I have a set of custom and standard roles. 

Then copy the list to your selection with F8 or with the second icon from the left. 

Click on Save Selected Roles 

Click on Expose. 

As a result, the business content is exposed from your SAP S/4HANA system as a JSON file and is accessible with the service path /sap/bc/ui2/cdm3/entities. 

With the buttons “Preview” and “View Exposed Content” of the transaction, you can have a more comprehensive view of the exposed content. 

Create SAP BTP Destinations

We need to create two destinations in the SAP Business Technology Platform, a Design-Time and a Runtime destination.  

The Design-Time destination is used by SAP Launchpad service to fetch the exposed data from the SAP S/4HANA system. 

The Runtime destination is used during runtime, i.e., whenever a user is working on the Launchpad and accesses backend data. 

Log on to your SAP BTP sub-account, navigate to the Destinations and click on “New Destination”.

Design-Time 

Clicking “New Destination” opens a destination template. Fill in the following information for the Design-Time destination. For Name, use the SAP S/4HANA system ID with the suffix “dt” for Design-Time, e.g., he4dt. 

Important – the destination name must be lower case and must not contain the underscore character (_).

Configuration

Name e.g., he4dt
Type HTTP
Description e.g., HE4 Design Time
URL http://<virtual hostname>:<port>/sap/bc/ui2/cdm3/entities
Proxy Type OnPremise
Authentication BasicAuthentication 
Location ID <Location ID defined in the SAP Cloud Connector>
User User in the backend 
Password Password of the above user

Parameter

sap-client  <client> e.g., 400

Save the entered information. 

Other authentication methods are supported for this destination, but not principal propagation; you can find additional information in the documentation.

Runtime

Create an additional destination for the runtime and fill in the following information. For Name, use the SAP S/4HANA system ID with the suffix “rt” for Runtime, e.g., he4rt. 

Important – the destination name must be lower case and must not contain the underscore character (_).

Configuration

Name e.g., he4rt
Type HTTP
Description e.g., HE4 Runtime Destination
Proxy Type OnPremise
URL http://<virtual hostname>:<port> 
Authentication Principal Propagation
Location ID <Location ID defined in the SAP Cloud Connector>

Parameters

HTML5.DynamicDestination  true
MobileEnabled  true
sap-client  <client> e.g., 400
sap-platform  ABAP
sap-service  32<service number> e.g., 3200
sap-sysid  <systID> e.g., HE4
NOTIF_SERVICEPATH  /sap/opu/odata4/iwngw/notification/default/iwngw/notification_srv/0001 

Save the entered information. 

HTML5.DynamicDestination is for enabling dynamic tiles.

MobileEnabled is required for SAP Mobile Start.

NOTIF_SERVICEPATH is used in combination with sap-sysid and sap-client by the Notification Service to perform callbacks.

More information on the parameters is available in the documentation.
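
As an added example (not from the original post or from SAP), the following Python script lints a destination definition against the rules stated above for the Design-Time and Runtime destinations. The key=value input layout, the key names Name, URL, ProxyType and Authentication, and the sample host are assumptions; the additional property names and values are the ones listed in this blog.

```python
import re

# Rules are the ones stated in the blog. The key=value layout and the key names
# Name, URL, ProxyType and Authentication are assumptions made for this example.
CDM3_PATH = "/sap/bc/ui2/cdm3/entities"
RUNTIME_EXPECTED = {
    "HTML5.DynamicDestination": "true",  # enables dynamic tiles
    "MobileEnabled": "true",             # required for SAP Mobile Start
    "sap-platform": "ABAP",
}
RUNTIME_PRESENT = ("sap-client", "sap-sysid", "sap-service", "NOTIF_SERVICEPATH")

# Constructed sample input (host name and port are made up).
SAMPLE_DESIGN_TIME = """\
Name=he4dt
URL=http://s4virtual.example:44300/sap/bc/ui2/cdm3/entities
ProxyType=OnPremise
Authentication=BasicAuthentication
sap-client=400
"""

# Constructed sample with three deliberate mistakes (name, authentication, MobileEnabled).
SAMPLE_RUNTIME = """\
Name=HE4_rt
URL=http://s4virtual.example:44300
ProxyType=OnPremise
Authentication=BasicAuthentication
HTML5.DynamicDestination=true
sap-client=400
sap-platform=ABAP
sap-service=3200
sap-sysid=HE4
NOTIF_SERVICEPATH=/sap/opu/odata4/iwngw/notification/default/iwngw/notification_srv/0001
"""


def parse_destination(text):
    """Parse 'key=value' lines into a dict; lines without '=' or starting with # are skipped."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props


def lint_destination(props, kind):
    """Return a list of findings for a 'design-time' or 'runtime' destination."""
    if kind not in ("design-time", "runtime"):
        raise ValueError("kind must be 'design-time' or 'runtime'")
    findings = []
    name = props.get("Name", "")
    if not name or name != name.lower() or "_" in name:
        findings.append(f"Name {name!r} must be lower case and must not contain '_'")
    if props.get("ProxyType") != "OnPremise":
        findings.append("ProxyType should be OnPremise")
    # The cockpit label is "Principal Propagation"; compare without spaces.
    auth = props.get("Authentication", "").replace(" ", "")
    if kind == "design-time":
        if auth == "PrincipalPropagation":
            findings.append("PrincipalPropagation is not supported for the design-time destination")
        if not props.get("URL", "").rstrip("/").endswith(CDM3_PATH):
            findings.append(f"URL should end with {CDM3_PATH}")
        if not props.get("sap-client"):
            findings.append("sap-client is missing")
        return findings
    if auth != "PrincipalPropagation":
        findings.append(f"Authentication should be PrincipalPropagation, found {auth!r}")
    for key, expected in RUNTIME_EXPECTED.items():
        if props.get(key) != expected:
            findings.append(f"{key} should be {expected!r}")
    for key in RUNTIME_PRESENT:
        if not props.get(key):
            findings.append(f"{key} is missing")
    # sap-service is "32<service number>", e.g. 3200; a two-digit number is assumed.
    service = props.get("sap-service", "")
    if service and not re.fullmatch(r"32\d{2}", service):
        findings.append(f"sap-service {service!r} does not look like 32<service number>")
    return findings


if __name__ == "__main__":
    for finding in lint_destination(parse_destination(SAMPLE_RUNTIME), "runtime"):
        print("runtime:", finding)
```
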

Import Content in the SAP Launchpad Service

Log on to the SAP BTP sub-account and navigate to Instances and Subscriptions. 

If you haven’t already done it, create a subscription for the SAP Launchpad service from the Service Marketplace and assign yourself the role collection “Launchpad Admin”.

 

From the three little dots at the right, select “Go To Application”; this will open the Site Manager. 

Go to the Provider Manager to create a provider for SAP S/4HANA content. 

Note that the HTML5 Apps provider is created by default; you can find more information in the documentation.

Click on New and complete the required information.

Title Name of the content provider
Description A meaningful description 
ID Automatically generated based on Title 
Design-Time Destination Select the design-time destination from the dropdown – the one created earlier 
Runtime Destination Select the runtime destination from the dropdown – the one created earlier 
Content Addition Mode  Select Manual or Automatic 
Runtime Destination for OData  Use default runtime destination 
Do not create role collection  Leave it unchecked

After a few seconds, you should see a new content provider with the green status “created”.

If something goes wrong and the status is in error, check the pre-requisite settings in SAP S/4HANA. If this doesn’t help you may check the SAP note 2548392 for connectivity between BTP and SCC with basic authentication. 

 Now navigate to the content manager. In the tab “Content Explorer” you should see the new content provider. 

Click on it. 

Select the roles and add them to your content with the button “Add to My Content”.

Now you can see the selection in the tab “My Content”. 

Clicking on a role will show you the apps included and their parameters.  

NOTE: You won’t be able to change anything, remote content can only be edited in the source system. 

Note the supported devices shown for the displayed application: they come from the backend catalog configuration and apply to both the SAP Launchpad service and SAP Mobile Start.

Create a Site in SAP Launchpad Service

Navigate to the Site Directory and create a new site. 

Give your site a name and click “Create”. The name will not be displayed anywhere on your final site; it is just a reference.  

You can review all options.

Make sure to enable SAP Mobile Start under User Capabilities.

Note: The toggle button is enabled by default for new sites. For existing sites, the setting is disabled by default and you’ll need to manually toggle it to Yes.

 

Assign the Roles to the Site

We now need to assign the roles to the site. In the Site Directory, you can access your site settings by clicking on the gear icon.

In edit mode, you can now assign the roles imported from SAP S/4HANA. In the “Assignments” box on the right you can search for the roles to assign to the site. 

Click on the + button to assign the roles to the site and save. 


Assign the roles to the users

The last step before testing the site is to assign the roles to the users. 

In the SAP BTP sub-account navigate to the security section and select “users”. 

Click on a user row; this will open an overview with the user's details and assigned role collections. 

To the right of the Role collection search box, click on the three little dots and select “Assign Role Collection”. 

Select the role collections you want to assign to the user and click on “Assign Role Collection”. Note you can search with the content provider name. 

Note: in a productive scenario and using your own IAS, you’ll prefer to use the role collection mapping against IdP groups. Please refer to the documentation for more information.

Test the Site

Back to the Site Manager, you’ll find your site in the Site Directory.

With the arrow icon you can launch it, with the gear icon you access its settings, and the three little dots give you more options such as export, set an alias, or delete it.

Launch your site, it is now ready to use.

 

SAP Mobile Start Enablement and Onboarding

Create the role collection to access Mobile Services

As an admin with this role collection, you can access the Mobile Services included in SAP Launchpad service. 

This role collection doesn’t need to be assigned to the SAP Mobile Start end users. 

In the SAP BTP sub-account go into the role collections and click on the + button to create a new role collection. 

In the dialog pop-up name it “MobileTenantAdmin”, give it a description and click on Create. 

In the role collection list, select your new role collection to edit it. 

Open the value help and search for the role MobileAdmin and add it to the role collection. Save it. 

Review the Mobile Services Settings

As an admin with this role collection, you can access the Mobile Services with the URL https://<subdomain>.m.launchpad.cfapps.<region>.hana.ondemand.com/mobileservices/Admin/index.html 

Tip: open the Launchpad service and change the part of the URL that differs between the two examples below (“dt” becomes “m”, and the path after the host changes).

https://smsleanbeta.dt.launchpad.cfapps.eu10.hana.ondemand.com/sites#Site-Directory

https://smsleanbeta.m.launchpad.cfapps.eu10.hana.ondemand.com/mobileservices/Admin/index.html 

In the Mobile Services admin page, no additional configuration is required. But you can review its properties, see the user registrations and optionally edit the passcode policy and the feature flags for the app under Mobile Settings Exchange.  

Mobile Settings Exchange:

Important: by default the feature flag for the widgets (GlobalWidget) is not active. Set it to active if you want to allow users to add widgets on their device for SAP Mobile Start.

Onboard the Site on SAP Mobile Start

First open the site in a browser. 

In your user settings you can see the QR Code for onboarding in the SAP Mobile Start Application section. 

The first QR code is for the app installation from Apple store. If you already have SAP Mobile Start installed on your device select the QR code for registration. 

On your device start the application, you’ll be prompted to scan the registration QR code and follow the onboarding process. 

Here is the result on a smartphone (Home tab with grouped KPI, app suggestions and the applications tab) 

Summary

Setting up an SAP Launchpad Site can be quick with content federation. Check the SAP documentation for the current restrictions. 

We look forward to your comments.

Stay up to date with latest news and post your questions or feedback about SAP Mobile Start in the Q&A area. Start by visiting your SAP Mobile Experience community page and click “follow”. We’ll be publishing more informative blog posts.

Want to be notified? Check your profile settings to ensure you have your settings activated.

 

 


      30 Comments
      anton kopylov

      Thanks for that blog.
      Everyone who has faced the error "Not Found" when executing a Fiori application in SAP Launchpad Service, read that blog carefully.

      Important – the destination name must be lower case and must not contain the underscore character (_).

      Runtime destination should have only lower case chars and must not contain the underscore character (_).

      Vincent Blum

      Hello,

      thanks for the blog post.

       

      I have a problem with the launchpad service subscription.

      I don't have the service on my BTP.

      The service also doesn't appear on the entitlement page on the btp.

      I've also tried to use the booster "Configure Access to the Authorization Service", but that didn't have any effect.

       

      Do you know why I don't have the launchpad service on my btp subaccounts? Or do I need to create a new subaccount?

       

      Best regards,

      Vincent

      Pierre VANHOOVE
      Blog Post Author

      Hi Vincent,

      Thanks for your comment.

      It looks like a license issue, and I can't really help. I suggest that you contact your SAP account manager for more information.

      But if you want to try the Launchpad service for free, it is available on any trial account.

      Kind regards,
      Pierre

       

      anton kopylov

      Hi.
      I made the same configuration for one role. All was fine. After that I added some other roles to sync. As a result all roles were deleted from BTP.

      I see the roles in Site Manager, but they don't exist in BTP Cockpit.

      1. Site Manager

      2. BTP Cockpit

      Pierre VANHOOVE
      Blog Post Author

      Hi Anton,

      Did you make any change in the content provider? If you checked the last option "Synchronize existing authorizations" the roles won't be created in your BTP sub-account.

      If that doesn't solve your issue, I suggest that you post the question in the community with the tag SAP Launchpad service. Personally I never faced this issue.

      anton kopylov

      I did not set that checkbox. It is some issue in recent times. I had one role synced but after some time I needed extra roles. I added them in SAP S/4HANA to sync, pressed provider refresh and lost all roles in BTP.

      anton kopylov

      Resolved https://answers.sap.com/comments/13528946/view.html

      Or you could set Automatic mode

      Pierre VANHOOVE
      Blog Post Author

      Following Anton's issue. It is related to the content addition mode feature in the content provider.

      If you select "Manual addition of selected content items" you need to manually add the roles to your content in the content manager in order to create the role collections.
      If you select "Automatic addition of all content items" the role collections will be created in your sub-account automatically.

      Vinod Patil

      Do we need to assign security roles to users in S/4HANA (content provider system) and role collection to users in BTP too?

      Pierre VANHOOVE
      Blog Post Author

      Hi Vinod,
      Yes, in the backend (S/4HANA), the users need all the required authorisations (classic and for OData).

      In BTP they need to be assigned to role collections (directly or via role collections mapping against IdP groups).

      Pierre

      Vinod Patil

      Thanks Pierre

      Launchpad service uses latest SAPUI5 version. However S/4HANA applications have tighter dependencies on UI5 version.

      Does this mean launchpad service uses different UI5 version while S/4HANA applications use their own UI5 version as S/4 Fiori applications are launched inside frame?

      How does this impact performance?

      Gene Madikrama

      Hi Pierre,

      Great blog!

      I have followed the steps from your blog. Unfortunately I can't see any tiles in my Launchpad service.

      I see that the status of my content provider remains updated.

      Does the content provider need to have the status "activated" so that I can see tiles on my Fiori launchpad?

       

      Pierre VANHOOVE
      Blog Post Author

      Hi Gene,

      Thanks for your comment.

      The status "updated" is fine for your content provider, if you click on "Report" you should see how many roles, groups, apps etc. have been loaded in the Launchpad service.

      Then, if you didn't select the automatic mode for the content addition (see the previous comments), you'll need to go in the content explorer and add the new roles to your content.

      Finally add the role collections to your site and assign them to the users as well.

      Note that after adding the roles to the site and assigning them to the user, you won't see the new tiles immediately with a simple refresh. You need to sign out and sign in again to see the changes.

      I hope this will help.

      Pierre

      Anton Pierhagen

      Hi Pierre

      I have a launchpad which should have translation of the tiles in 2 languages. English and Dutch.

      In the FLP of the hana backend system there isn't any problem.

      But in the FLP of the BTP, when I choose Dutch there as my language of choice for the FLP, the tiles that are coming from the hana backend system are not translated.

      What are the steps to make it work in the FLP of the BTP like it is working in the FLP of the backend? Do you know it?

       

      Kind regards,

       

      Anton

      Pierre VANHOOVE
      Blog Post Author

      Hi Anton,
      Sorry for the late reply but in your site settings you can choose the available languages, up to 10.
      Did you try that?

      Shubham Shubham

      Hello Pierre,

      When I am trying to add an entry in "/n/UI2/FLP_SYS_CONF" I am getting an error saying "EXPOSURE_SYSTEM_ALIASES_MODE does not exist in "/UI2/FLPSETPD".

      Is there any configuration needed for this?

      Thanks,

      Shubham

      Pierre VANHOOVE
      Blog Post Author

      Hi Shubham,

      I would check the software components level, probably your system does not meet all the requirements for content federation.

      If you can't use the content federation you still can add local content in the Launchpad service pointing to your S/4HANA solution.

      So keep on and experience SAP Mobile Start.

      Pierre

       

      Nikhil B

      Hi Shubham,

       

      Can you please let me know what configuration is required to add "EXPOSURE_SYSTEM_ALIASES_MODE" in "/n/UI2/FLP_SYS_CONF"

       

      Thanks

      Nikhil

      Raoul Shiro

      Hi Pierre,

       

      I went through all the steps, till the very end.

       

      The SAP Mobile start page and Apps Page both return the same error : Something went wrong

      The logs reveal no errors. I should mention, I have Android version 12; I maybe wrongly assumed that it should be working now... Any idea?

       

       

       

       

      Larry DuBois

      So if we have a Hub architecture instead of Embed we can't use Mobile Start?

       

      Please explain why that is the case?

      Pierre VANHOOVE
      Blog Post Author

      Well,

      With a Hub architecture you can use SAP Mobile Start but you won't be able to activate push notifications. The main reason is that the NW Gateway as standalone is delivered up to version 7.52, for a NW 7.54 and beyond, you need an S/4HANA installation (so embedded). And push notifications are supported from NW 7.54.

      Hope that helps.

      Pierre

       

      Ali Asher

      Thanks for this blog.

      Please share for s4 hana cloud system.

      Thanks.

      Diego Marin

      You said this:

      Other authentication methods are supported for this destination but not principal propagation, you can find additional information in the documentation.

       

      In that documentation only the Basic Authentication method is supported for the design-time destination.

      That is a gap in the product design because all BTP documentation always said this:

       

      The standard Basic Authentication is supported by all sender and receiver channels, whenever it’s appropriate for the chosen transport protocol. Basic authentication has several drawbacks:

      • Even if transport level security is used, clear text passwords can be retrieved on intermediate network hops (for example, load balancers) that terminate the TLS connection.

      • Short and poorly designed passwords can easily be unveiled by brute-force attacks.

      • The user can be locked because of too many failed login attempts, which opens the door for denial-of-service attacks.

      For these reasons, always consider using more secure authentication methods, if available. That is the key message: try to avoid BASIC and also OAUTH.

       

      So currently I see a security gap in the product design for the Design-Time destination; the runtime destination is OK.

      srinivas katta

      Hello @Pierre VANHOOVE ,

       

      Thanks for your blog. I set up SAP Mobile Start by following your blog and the two blogs below.

       

      https://blogs.sap.com/2021/09/05/installation-and-configuration-of-sap-cloud-connector/

      https://blogs.sap.com/2021/09/06/setting-up-principal-propagation/

       

      I am facing the below issue after doing all the configuration.

      Accessing my Site and scrolling through it, raises an authentication popup:

      Please help me with this. This is an urgent requirement from my company.

      srinivas katta

      Hello Pierre,

       

      Thanks for your blog. It helped me a lot.

      I did the SAP Mobile Start setup by following your blog and the two blogs below. But I am facing an authentication pop-up error while accessing the application.

      https://blogs.sap.com/2021/09/05/installation-and-configuration-of-sap-cloud-connector/

      https://blogs.sap.com/2021/09/06/setting-up-principal-propagation/

       

      Please help me to resolve this error.

      Accessing My Site and scrolling through it, raises an authentication popup:

      Thank you

      Pierre VANHOOVE
      Blog Post Author

      Hi,

      It's clearly an issue with the principal propagation. I can't really help with it.
      Double check the two other blogs from my colleague you've mentioned, you probably missed something.

      You can also install the extension SAML Tracer on Chrome to see what goes wrong; the subject name identifier can be mail or email depending on versions.

      But, sorry I can't help much more, post your question on Claus's Blog posts.

      Chandrashekhar Kolla

      Dear Pierre

      First of all, thanks for the great blog; we followed all the mentioned steps for our S4HANA and this works as expected.

      Now we have a similar requirement whereby some of the apps are still using SAP NWG (Netweaver Gateway running on NW 752) and not migrated to S4HANA; here also we followed the similar steps as per your blog. We could see the application on the launchpad but while launching it's taking the UI version as 1.71.40 by default, which is now outdated, and the working version is 1.71.49.

      https://ui5.sap.com/1.71.40/resources/sap/ushell_abap/bootstrap/appruntime-min-0.js

      SAP NWG Product Version

      SAP UI Version

      Kindly suggest how to fix the issue.

       

      Best Regards

      Chandrashekhar

      Rahul Lohia

      Hi Pierre,

      Excellent blog and everything works as you have described. Mobile Start is set up and shows all the apps as expected. I do however have an issue: when I am trying to launch an app on Mobile Start it ends with an error like below.

       

      I have activated all the SICF services and followed this link as well to do everything required.

      https://me.sap.com/notes/2420897

      Any help would be appreciated.

       

      Thanks,

      Rahul

      Pierre VANHOOVE
      Blog Post Author

      Hi,

      First time I see this issue. The note is for the old Java portal, can you check this doc instead? https://help.sap.com/docs/SAP_NETWEAVER_AS_ABAP_752/864321b9b3dd487d94c70f6a007b0397/966b6233e5404ebe80513ae082131132.html?version=7.52.8&locale=en-US and try to set it up with UCONCOCKPIT?

      Pierre

      Rahul Lohia

      Hi Pierre,

       

      Thanks for your reply, I found the issue was with the setup of principal propagation and re-configuring it fixed the problem.

       

      Cheers,

      Rahul