Harjeet Judge

Setup SAP Task Center with SAP S/4HANA Cloud

SAP Task Center service enables integration with SAP applications to provide a single entry point for end users to access all their assigned approval tasks. The tasks can be accessed by end users through the SAP Task Center Web application.

As shown in the picture below, SAP Task Center is an infrastructure kernel service on SAP Business Technology Platform (SAP BTP), Cloud Foundry environment. It enables business users to manage their workflow tasks in one place by integrating tasks from multiple SAP applications (cloud and on-premise). In this blog I will focus on the steps necessary to integrate Task Center with SAP S/4HANA Cloud.

To configure Task Center with SAP S/4HANA Cloud, you will need to perform the following steps:

  1. Configure Trust between BTP Subaccount and SAP Identity Authentication service (IAS)
  2. Setup BTP Subaccount for Task Center
  3. Configure S/4HANA Cloud
  4. Create/Update a destination in SAP BTP for your S/4HANA Cloud system
  5. Generate an approval task in S/4HANA Cloud

Configure Trust between BTP Subaccount and SAP Identity Authentication service (IAS)

To use Task Center with S/4HANA Cloud, you need to establish trust between your BTP subaccount and the SAP Cloud Identity Authentication Service tenant used with your S/4HANA Cloud system. The easiest way to set up the trust is to use the Automatic Trust option. To set up an automatic trust:

  • Log into BTP subaccount and under Security >> Trust Configuration, click Establish Trust.
  • Select your IAS tenant from the dropdown list, and click Establish Trust.

Do you see multiple IAS tenants listed in the dropdown?  Which one should you use? 

You should use the IAS tenant that your S/4HANA Cloud system is using. Customers may have multiple IAS tenants provisioned for various reasons, but ideally all your SAP applications should be set up with a common IAS tenant for production use.

  • If all goes well, you will see OpenID Connect trust established between BTP subaccount and IAS tenant.
  • Access your IAS tenant and review the trust setup. Notice the trust is set up using E-Mail as the Subject Name Identifier.
  • Click on Assertion Attributes and confirm that the User UUID field is included in the assertion attributes. This field is present by default when using the automatic trust option to set up trust between BTP and IAS. Notice that the “groups” attribute is also included; we can use it to dynamically assign roles to the user in our BTP subaccount.

Why is the UUID field important?

For Task Center to work correctly, the User UUID field is used to uniquely identify users in the source system (S/4HANA Cloud in my case). This field must exist in the user profile of the S/4HANA Cloud instance and match the User UUID field in IAS. The User UUID field in IAS maps to the Global User ID field in S/4HANA Cloud.

Is the Global User ID blank in your S/4 system?

If so, read my other blog on how to provision users from SAP Cloud Identity Authentication Service (IAS) to SAP S/4HANA Cloud.

  • Optionally, create groups in IAS and add users to the group who will access Task Center.  I’ve created groups called TaskCenterAdmin, TaskCenterTenantOperator and LaunchPadAdmin.

 

Setup BTP Subaccount for Task Center

The process of configuring the BTP subaccount for SAP Task Center is already well documented. There are 2 options available to set up your subaccount for use with Task Center:

  1. Manual setup
  2. Automatic setup using a booster

The booster greatly simplifies the setup and I strongly recommend using it to set up your subaccount. The automatic setup process is covered in the help guide and also in this blog written by my colleague Murali Shanmugham.

Manual setup of the BTP subaccount is also covered in detail in the help guide.

The booster performs all the steps shown in the screenshot below:

 

I am not going to cover the setup here in detail because it is covered in the blog link I shared earlier, but I would like to point out a couple of things that you should be aware of. As you can see from the screenshot above, one of the tasks that the booster performs is to map user groups to role collections. To see this mapping, navigate to your BTP subaccount and go to Security >> Trust Configuration >> Custom IAS tenant >> Role Collection Mappings. The mappings should look like the screenshot below:

The problem with these automatic mappings is that the attribute field is populated with “Groups” instead of “groups”. The role assignment won’t work with these mappings unless you either:

  1. update the IAS configuration so that the groups assertion attribute is set up with an uppercase “G”. The automatic trust setup between IAS and BTP will normally expose the groups attribute with a lowercase “g”.
  2. or delete these role collection mappings and create them again using the lowercase “g” for the “groups” field. In the screenshot below, I re-created the mappings and also added another one to assign the user the Launchpad_admin role.
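
An added example (not from the original post and not SAP code): an offline check of the two token properties this setup depends on, the User UUID claim and the exact-case attribute name used by the role collection mappings. The claim name `user_uuid`, the mapping structure, the role collection names and the token are assumptions constructed for illustration; the token is decoded without signature verification, for inspection only.

```python
import base64, json, uuid

def decode_claims(jwt):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_user_uuid(claims):
    """Return problems with the user_uuid claim (assumed claim name for User UUID)."""
    value = claims.get("user_uuid")
    if value is None:
        return ["user_uuid claim missing from token"]
    try:
        uuid.UUID(str(value))
    except ValueError:
        return [f"user_uuid is not a well-formed UUID: {value!r}"]
    return []

def evaluate_mappings(claims, mappings):
    """Apply mappings with exact, case-sensitive attribute names, as the post describes."""
    granted, findings = [], []
    by_lower = {name.lower(): name for name in claims}
    for m in mappings:
        attr, rc = m["attribute"], m["role_collection"]
        if attr in claims:
            values = claims[attr] if isinstance(claims[attr], list) else [claims[attr]]
            if m["value"] in values:
                granted.append(rc)
        elif attr.lower() in by_lower:
            findings.append(f"{rc}: attribute '{attr}' differs only in case "
                            f"from token claim '{by_lower[attr.lower()]}'")
        else:
            findings.append(f"{rc}: token carries no '{attr}' claim")
    return granted, findings

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned sample token; all values are made up for this example.
SAMPLE_CLAIMS = {"sub": "approver@example.com",
                 "user_uuid": "11111111-2222-4333-8444-555555555555",
                 "groups": ["TaskCenterAdmin", "LaunchPadAdmin"]}
SAMPLE_TOKEN = f"{_b64({'alg': 'none'})}.{_b64(SAMPLE_CLAIMS)}."

# Hypothetical role collection names; group names are the ones created in the post.
BOOSTER_MAPPINGS = [
    {"attribute": "Groups", "value": "TaskCenterAdmin", "role_collection": "RC_TaskCenterAdmin"},
    {"attribute": "Groups", "value": "TaskCenterTenantOperator", "role_collection": "RC_TenantOperator"}]
FIXED_MAPPINGS = [dict(m, attribute="groups") for m in BOOSTER_MAPPINGS] + [
    {"attribute": "groups", "value": "LaunchPadAdmin", "role_collection": "RC_LaunchpadAdmin"}]

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print(check_user_uuid(claims))
    for name, maps in (("booster", BOOSTER_MAPPINGS), ("fixed", FIXED_MAPPINGS)):
        print(name, evaluate_mappings(claims, maps))
```

With the booster-style mappings the sample user receives no role collections and each mapping is reported as a case-only mismatch; with the re-created mappings the user receives the two role collections whose groups they belong to.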

Follow the help guide or the blog link above to set up Launchpad so that you see the Task Center applications.

Configure S/4HANA Cloud

  • In your BTP subaccount, click Destinations >> Download Trust.  A file will be downloaded to your downloads folder.  This file is required when creating the communication system in S/4HANA Cloud.
  • Log into your S/4HANA Cloud system and access Maintain Communication Users.
  • Click New and create a new communication user.  Specify a User Name, Description, and Password.  Click Create.
  • Access Communication Systems.
  • Click New and specify a System ID and System Name and click Create.
  • Specify a value for Host Name to match your S/4HANA Cloud hostname, e.g. myXXXXX.s4hana.ondemand.com
  • Enable OAuth 2.0 Identity Provider by setting the toggle to ON.
  • Click Upload Signing Certificate and upload the file you downloaded from the BTP subaccount earlier.
  • Copy the value after CN= and paste it in the OAuth 2.0 SAML Issuer box.  Switch the User ID Mapping Mode to User UUID.

I switched the mapping mode to User UUID because that’s the field included in the SAML assertion coming from IAS.

  • Click + under Users for Inbound Communication.
  • Select the Communication user created earlier and click OK.
  • Save your Communication System.
  • Access Communication Arrangements.
  • Click New and choose the value help icon to open up the list of available communication scenarios.
  • Search for SAP_COM_0501 which is the communication scenario relevant for Task Center integration.  Select it.
  • Specify a name for the arrangement and click Create.
  • Use the value help icon and select the Communication System created earlier.  The User Name for inbound communication should automatically populate.  Confirm the Authentication Method is set to OAuth 2.0 and save your Communication Arrangement.

Click OAuth 2.0 Details and make a note of the Client ID, Token Service URL and SAML2 Audience.  These fields are required to configure the destination setting in the BTP subaccount.

Since we are already in the S/4 system, it’s a good idea to make sure the user who will approve/reject tasks in SAP Task Center has the business catalog SAP_CORE_BC_BPM_01NB assigned to them via one of the Business roles.  If this catalog item is not assigned, the approve/reject workflow in SAP Task Center will throw an error message.

Create/Update a destination in SAP BTP for your S/4HANA Cloud system

  • Access your BTP subaccount. Under Destinations, select the S4HANACloud destination that is created when you run the booster to set up Task Center.
  • Edit the pre-created destination and update the properties below:
    • URL: <Your S/4HANA Cloud API URL>, e.g. https://myXXXXX-api.s4hana.ondemand.com
    • Audience: <Paste the SAML2 Audience value captured from OAuth 2.0 details in S/4>
    • Token Service URL: <Paste the Token Service URL value captured from OAuth 2.0 details in S/4>
    • Client Key: <Paste the Client ID value captured from OAuth 2.0 details in S/4>
    • Token Service User: <Communication user created in S/4 Cloud earlier>
    • Token Service Password: <Password for the Communication User>
    • Additional Properties:
      • URL.queries.sap-client: 100
      • tc.enabled: true (Click New Property and type the property name and value. Make sure the ‘t’ is lowercase in “tc.enabled”.)
  • Confirm that your setup looks similar to the one in the screenshot and Save your configuration.
  • Under Instance and Subscriptions, click Launchpad Service to access the application.
  • Authenticate using the SAP Cloud Identity Authentication Service tenant set up with your BTP subaccount. Don’t use the Default Identity Provider.
  • After login, you should see Launchpad home page.  Click Go to site icon.  It’s a good idea to bookmark the site URL so that it can be accessed directly without the need to go through BTP Cockpit.
  • Click the Task Center Administration tile.
  • Confirm the S4HANACloud destination status is OK.

Generate an approval task in S/4HANA Cloud

To validate the setup is working correctly we need to generate a task in S/4HANA Cloud.  I used the Manage Purchase Orders App in S/4HANA Cloud to create a purchase order.

The purchase order should now be visible to the approver in SAP Task Center.  To validate, click on the Task Center tile and Approve or Reject the purchase order.

The real value of SAP Task Center comes from the fact that it provides a central place to manage tasks created from a variety of SAP systems. In this blog, I showed how Task Center can be integrated with S/4HANA Cloud, but you will also need to integrate with other LOB applications to really appreciate the power of Task Center.

      12 Comments
      Manjunath GUDISI

      Thanks Harjeet Judge for this technical article. Much appreciated.

      Anfal Al Zadjali

      Thanks for the article it is very informative.

      I just have a question: will the implementation process of adopting the Task Center in the S/4HANA on-premise version differ from S/4HANA Cloud? Are there any additional steps that should be considered?

      Harjeet Judge
      Blog Post Author

      Hi Anfal,

      Task Center configuration in BTP will be similar, but there are important differences between the setup in S/4 on-prem and S/4Cloud.  For eg, you will need the Cloud Connector setup in order to create a destination in BTP that talks to S/4 on-prem.  You will also need the Cloud connector to provision users from in S/4 on prem so that user profile in the ABAP system has the UUID field.  We are working on an end to end Discovery Center Mission for this setup, but it will take some time before this is released.  In the meantime, take a look at the help links below:

      https://help.sap.com/docs/TASK_CENTER/08cbda59b4954e93abb2ec85f1db399d/143af9bb452f4aa5a9980035d9edee5b.html

      https://help.sap.com/docs/SAP_S4HANA_ON-PREMISE/0f18dddf28764f5b807ecd80549044cc/1da230b82a984cda85d0041e13060a87.html

      Gregor Wolf

      Hi Harjeet,

      does the Discovery Center Mission already make progress?

      Unfortunately I'm already struggling in the first step: Maintain URL Settings. How do I come to this URL? Is it the one which is generated for my runtime destination when I expose the S/4HANA Backend via the Launchpad Service?

      Best regards
      Gregor

      Marco Holzwarth

      Hi Gregor Wolf

      as far as I recall from our set up this URL (host, port etc) is from the OnPrem Fiori Launchpad. This IMG activity is for the local FLP in order to open the task with the “My Inbox”-app on local S4 FLP.

      Check also the documentation of the Customizing:

      (in Display mode you can also test with a Work Item)

      For Task Center Integration the steps for enabling the API is quite relevant.

      And yes, DC mission for OnPrem is "work in Progress" 😉

      Best regards, Marco

      Marco Holzwarth

      and to be more specific: this URL points to Frontend Server/My Inbox of the corresponding backend system is running (which might be different than the actual system; for deployment options see also: SAP Fiori Launchpad – Deployment Options and Recommendations | SAP Blogs). The exposed URL points you then to a Task instance in "My Inbox" (triggered by the “Open Task” button in Task Center Web app; meaning you jump from TC app to the Inbox app of the specific LoB solution (here S/4HANA OnPrem). The IMG activity has nothing to do with Launchpad service on BTP, it is a configuration for the local S/4HANA "My Inbox" app. Best Regards, Marco

      Gregor Wolf

      Hi Marco,

      thank you for the quick response. In our case the S/4HANA System uses the embedded Launchpad. If I configure this in the customizing is my assumption correct that the link "Open Task" will point to the embedded launchpad? That would require that the user has a VPN Connection active or is working inside the corporate network. Hope that this is not the case as it would restrict the usage of Task Center in the Launchpad service. Also usage in Mobile Start would not easily be possible.

      Best Regards
      Gregor

      Gregor Wolf

      Dear Harjeet Judge,

      I'm in the process to connect our SAP S/4HANA with SAP Task Center. But when following the Documentation:

      Prepare SAP Cloud Connector and SAP S/4HANA for the SAP Task Center Connection

      I face the issue that the step 1. f. describes:

      "Configure ${user_uuid} as a subject pattern, following the instructions in Configure a Subject Pattern for Principal Propagation."

      But in the step 2. h. there is no mentioning where to maintain the UUID, but only the E-Mail Address:

      "Make sure that the users have emails configured in the SAP S/4HANA system (transaction SU01)."

      It seems to me that the instructions on where to maintain the UUID are missing. Also it would be great to have information where to get the UUID from in the first place.

      I've also filed the incident 577661 / 2022 on this topic. Maybe you can have a look at it.

      Best Regards
      Gregor Wolf

      Gregor Wolf

      Hi Harjeet Judge,

      in the meantime I made some progress. In the blog post Identity Lifecycle: SAP Reference Architecture for Identity Access Management – Part 2 by Gunnar Kosche I found SAP Note 3047993 - IDM: Support for user UUID in S/4HANA on-premise and Identity Authentication. In there the Note 3003462 - Interface enhancement for global user ID was linked that described that the BAPI_USER_CHANGE was enhanced and got the new field SAPUSER_UUID. So for my first test I've created a simple ABAP that allowed me to update the UUID of my user. And now the requests to the OData V4 Service:

      /sap/opu/odata4/sap/api_task_spi_replication/default/sap/api_task_spi_replication/0001/tasks?modifiedAfter=2022-08-09T07%3A29%3A16.361Z&$top=1000&languages=en-US%2Cde-DE&lastId=urn%3Asap.odm.bpm.task%3As4hana%3As4b%3A060%3A000000160109

      contain:

      "recipientUsers" : [
            "c8779abf-32cc-479c-891d-a8fb7581eca2"
      ],

      The only step that is missing now is that our IAS adds the UUID as an assertion attribute.

      Best Regards
      Gregor

      Gunnar Kosche

      Hi Gregor,

      please have also a look at this blog post from Sonia Petrescu about the Identity Directory which is required by SAP Task Center (and more apps) and offers ways to add (even with forwarded authentications to a Corp.IdP) the User UUID to the token.

      Please also check out the Global User ID concept which is opening up the ways to define and distribute the value of the user_uuid field.

      Cheers,
      Gunnar

      Harjeet Judge
      Blog Post Author

      Thanks for the update on your work in this area.  I will check with the internal colleagues working on S/4 HANA on-prem setup to see if they can share additional tips on the setup.  Feel free to reach out directly.

      Somaskandan K

      Hello All,

      We have a requirement to integrate SAP Task center with on-premise S/4HANA system. Request you to clarify the below questions

      1. The customer does not have SAP Identity Management system(IDM), Customer use Azure ADFS and IAS as IDM.
      In this scenario does the customer need SAP IDM solution at on-premise to create user in S/4HANA with UUID or the same can be achieved without SAP IDM using SAP IAS or Azure ADFS. ?

      2. I understand that UUID has to be maintained in IAS, Task Center and S/4HANA on-premise for seamless integration.
      Can this UUID be propagated from IAS to on-premise S/4HANA using IPS?
      Does IPS have the ability to propagate UUID to S/4HANA without SAP IDM, because the note 3047993 stated that IPS lack ability in propagating uuid to on-premise.

      3. Can IAG be used to synch propagate the UUID field from IAS to On-premise S/4HANA

       

      Thanks.