Setup SAP Task Center with SAP S/4HANA Cloud
SAP Task Center service enables integration with SAP applications to provide a single entry point for end users to access all their assigned approval tasks. The tasks can be accessed by end users through the SAP Task Center Web application.
As shown in the picture below, SAP Task Center is an infrastructure kernel service on SAP Business Technology Platform (SAP BTP), Cloud Foundry environment. It enables business users to manage their workflow tasks in one place by integrating tasks from multiple SAP applications (cloud and on premise). In this blog I will focus on the steps necessary to integrate Task Center with SAP S/4HANA Cloud.
To configure Task Center with SAP S/4HANA Cloud, you will need to perform the following steps:
- Configure Trust between BTP Subaccount and SAP Identity Authentication service (IAS)
- Setup BTP Subaccount for Task Center
- Configure S/4HANA Cloud
- Create/Update a destination in SAP BTP for your S/4HANA Cloud system
- Generate an approval task in S/4HANA Cloud
Configure Trust between BTP Subaccount and SAP Identity Authentication service (IAS)
To use Task Center with S/4HANA Cloud, you need to establish trust between your BTP subaccount and the SAP Cloud Identity Authentication service tenant used with your S/4HANA Cloud system. The easiest way to set up the trust is to use the Automatic Trust option. To set up an automatic trust:
- Log into BTP subaccount and under Security >> Trust Configuration, click Establish Trust.
- Select your IAS tenant from the dropdown list, and click Establish Trust.
Do you see multiple IAS tenants listed in the dropdown? Which one should you use?
You should use the IAS tenant that your S/4HANA Cloud system is using. Customers may have multiple IAS tenants provisioned for various reasons, but ideally all your SAP applications should be set up with a common IAS tenant for production use.
- If all goes well, you will see OpenID Connect trust established between BTP subaccount and IAS tenant.
- Access your IAS tenant and review the trust setup. Notice that the default trust is set up using E-Mail as the Subject Name Identifier. You will need to switch the identifier from E-Mail to Global User ID.
- Click on Assertion Attributes and notice that the “groups” attribute is also included and we can use this to dynamically assign roles to the user in our BTP subaccount.
Why is the Global User ID field important?
For Task Center to work correctly, the Global User ID field is used to uniquely identify the users in the source system (S/4HANA Cloud in my case). This field must exist in the user profile of the S/4HANA Cloud instance and match the Global User ID field in IAS. The Global User ID field (formerly User UUID) in IAS maps to the Global User ID field in S/4HANA Cloud.
Is the Global User ID blank in your S/4 system?
If so, read my other blog on how to provision users from SAP Cloud Identity Authentication Service (IAS) to SAP S/4HANA Cloud.
- Optionally, create groups in IAS and add users to the group who will access Task Center. I’ve created groups called TaskCenterAdmin, TaskCenterTenantOperator and LaunchPadAdmin.
Setup BTP Subaccount for Task Center
The process of configuring the BTP subaccount for SAP Task Center is already well documented. There are 2 options available to set up your subaccount for use with Task Center:
- Manual setup
- Automatic setup using a booster
The booster greatly simplifies the setup and I strongly recommend using it to set up your subaccount. The automatic setup process is covered in the help guide and also in this blog written by my colleague Murali Shanmugham.
Manual setup of the BTP subaccount is also covered in detail in the help guide.
The booster performs all the steps shown in the screenshot below:
I am not going to cover the setup here in detail because it is covered in the blog link I shared earlier, but I would like to point out a couple of things that you should be aware of. As you can see from the screenshot above, one of the tasks that the booster performs is to map user groups to role collections. To see this mapping, navigate to your BTP subaccount and go to Security >> Trust Configuration >> Custom IAS tenant >> Role Collection Mappings. The mappings should look like the screenshot below:
The problem with these automatic mappings is that the attribute field is populated with “Groups” instead of “groups”. The role assignment won’t work with these mappings unless you either:
- update the IAS configuration to ensure that the assertion groups attribute is set up with an uppercase “G”. The automatic trust setup between IAS and BTP will normally expose the groups attribute with a lowercase “g”.
- or delete these role collection mappings and create them again using the lowercase “g” for “groups” field. In the screenshot below, I re-created the mappings and also added another one to assign the user Launchpad_admin role.
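The effect of the “Groups” versus “groups” mismatch can be reproduced with a small model of attribute-based role collection mapping. This is an added example, not SAP's code or code from the original post; the role collection names are hypothetical placeholders and the token claims and mappings are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    attribute: str        # "Attribute" column of the role collection mapping
    value: str            # IAS group name expected in that attribute
    role_collection: str  # role collection granted on a match

def effective_role_collections(claims, mappings):
    """Role collections granted when attribute names are compared case-sensitively."""
    granted = []
    for m in mappings:
        values = claims.get(m.attribute, [])
        if isinstance(values, str):
            values = [values]
        if m.value in values:
            granted.append(m.role_collection)
    return granted

def case_mismatches(claims, mappings):
    """Mappings whose attribute equals a claim name only when case is ignored."""
    by_lower = {name.lower(): name for name in claims}
    findings = []
    for m in mappings:
        actual = by_lower.get(m.attribute.lower())
        if m.attribute not in claims and actual is not None:
            findings.append((m.role_collection, m.attribute, actual))
    return findings

# Constructed sample: IAS sends the assertion attribute as lowercase "groups".
CLAIMS = {"groups": ["TaskCenterAdmin", "LaunchPadAdmin"]}

# Hypothetical role collection names, keyed by the IAS groups from this post.
GROUP_TO_RC = {
    "TaskCenterAdmin": "RC_PLACEHOLDER_ADMIN",
    "TaskCenterTenantOperator": "RC_PLACEHOLDER_OPERATOR",
    "LaunchPadAdmin": "RC_PLACEHOLDER_LAUNCHPAD",
}

def build_mappings(attribute):
    return [Mapping(attribute, g, rc) for g, rc in GROUP_TO_RC.items()]

BOOSTER_MAPPINGS = build_mappings("Groups")  # as generated, uppercase "G"
FIXED_MAPPINGS = build_mappings("groups")    # re-created with lowercase "g"

if __name__ == "__main__":
    print("booster:", effective_role_collections(CLAIMS, BOOSTER_MAPPINGS))
    print("fixed:  ", effective_role_collections(CLAIMS, FIXED_MAPPINGS))
    for rc, configured, actual in case_mismatches(CLAIMS, BOOSTER_MAPPINGS):
        print(f"{rc}: mapping uses {configured!r}, token carries {actual!r}")
```

With the booster-style mappings the user ends up with no role collections at all, which is the silent failure described above; the mismatch check names each mapping that needs to be re-created.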
Follow the help guide or the blog link above to set up Launchpad so that you see the Task Center applications.
Configure S/4HANA Cloud
- In your BTP subaccount, click Destinations >> Download Trust. A file will be downloaded to your downloads folder. This file is required when creating the communication system in S/4HANA Cloud.
- Under Instances and Subscriptions, find the SAP Task Center service instance that was created either manually or by using the booster. Click the service key link for the service.
- Switch from JSON view to Form view and make a note of the following parameters:
  - uaa –> clientid
  - uaa –> client secret
  - uaa –> url
- Log into your S/4HANA Cloud system and access Maintain Communication Users.
- Click New and create a new communication user. Specify a User Name, Description, and Password. Click Create.
- Access Communication Systems.
- Click New and specify a System ID and System Name and click Create.
- Set the Host Name to match the inbox_rest_url copied earlier. Remove https:// from the front and /task-center-service from the end.
- Under OAuth 2.0 Settings specify the following:
  - Auth. Endpoint: uaa –> url value copied earlier and append /oauth/authorize at the end.
  - Token Endpoint: uaa –> url value copied earlier and append /oauth/token at the end.
- Enable OAuth 2.0 Identity Provider by setting the toggle to ON.
- Click Upload Signing Certificate and upload the file you downloaded from the BTP subaccount earlier.
- Copy the value after CN= and paste it in the OAuth 2.0 SAML Issuer box. Switch the User ID Mapping Mode to Global User ID.
- Click + under Users for Inbound Communication.
- Select the Communication user created earlier and click OK.
- Click + under User for Outbound Communication, set the following and click Create:
  - Authentication Method: OAuth 2.0
  - OAuth 2.0 Client ID: uaa –> clientid copied earlier
  - Client Secret: uaa –> clientsecret copied earlier
- Save your Communication System.
- Access Communication Arrangements.
- Click New and choose the value help icon to open up the list of available communication scenarios.
- Search for SAP_COM_0501 which is the communication scenario relevant for Task Center integration. Select it.
- Specify a name for the arrangement and click Create.
- Use the value help icon and select the Communication System created earlier. The User Name for inbound communication should automatically populate. Confirm the Authentication Method is set to OAuth 2.0 and save your Communication Arrangement.
Click OAuth 2.0 Details and make a note of the Client ID, Token Service URL and SAML2 Audience. These fields are required to configure the destination setting in the BTP subaccount.
Since we are already in the S/4 system, it’s a good idea to make sure the user who will approve/reject tasks in SAP Task Center has the business catalog SAP_CORE_BC_BPM_01NB assigned to them via one of the Business roles. If this catalog item is not assigned, the approve/reject workflow in SAP Task Center will throw an error message.
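The Host Name, Auth. Endpoint and Token Endpoint values in the Communication System steps above are derived by hand from the service key, which is where copy-and-paste mistakes tend to creep in. The helper below is an added example, not part of the original post or any SAP tooling; the function name and the sample URLs are constructed for illustration, and it derives the three values while rejecting inputs that would produce a broken configuration.

```python
from urllib.parse import urlsplit

SERVICE_PATH = "/task-center-service"  # suffix the post says to remove

def _https_parts(url, label):
    """Parse a URL and insist on plain https://host[:port]/path form."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"{label} must be an https:// URL")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError(f"{label} must not carry credentials, query or fragment")
    return parts

def derive_comm_system_settings(inbox_rest_url, uaa_url):
    """Return the Communication System fields derived from service key values."""
    inbox = _https_parts(inbox_rest_url, "inbox_rest_url")
    if inbox.path.rstrip("/") != SERVICE_PATH:
        raise ValueError(f"inbox_rest_url must end with {SERVICE_PATH}")
    _https_parts(uaa_url, "uaa url")
    base = uaa_url.strip().rstrip("/")  # avoid a double slash when appending
    return {
        "Host Name": inbox.netloc,  # no scheme, no service path
        "Auth. Endpoint": base + "/oauth/authorize",
        "Token Endpoint": base + "/oauth/token",
    }

if __name__ == "__main__":
    # Constructed sample values; real ones come from your own service key.
    settings = derive_comm_system_settings(
        "https://tc.example.invalid/task-center-service",
        "https://tenant.auth.example.invalid",
    )
    for field, value in settings.items():
        print(f"{field}: {value}")
```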
Create/Update a destination in SAP BTP for your S/4HANA Cloud system
- Access your BTP Subaccount. Under Destinations, select the S4HANACloud destination that is created when you run the booster to set up Task Center.
- Edit the pre-created destination and update the properties below:
  - URL: <Your S/4HANA Cloud API URL> e.g. https://myXXXXX-api.s4hana.ondemand.com
  - Audience: <Paste the SAML2 Audience value captured from OAuth 2.0 details in S/4>
  - Token Service URL: <Paste the Token Service URL value captured from OAuth 2.0 details in S/4>
  - Client Key: <Paste the Client ID value captured from OAuth 2.0 details in S/4>
  - Token Service User: <Communication user created in S/4 Cloud earlier>
  - Token Service Password: <Password for the Communication User>
  - Additional Properties:
    - URL.queries.sap-client: 100
    - tc.enabled: true //Click New Property and type property name and value. Make sure ‘t’ is lowercase in “tc.enabled”.
- Confirm that your setup looks similar to the one in the screenshot and Save your configuration.
- Under Instances and Subscriptions, click Launchpad Service to access the application.
- Authenticate using the SAP Cloud Identity Authentication Service set up with your BTP subaccount. Don’t use the Default Identity Provider.
- After login, you should see the Launchpad home page. Click the Go to site icon. It’s a good idea to bookmark the site URL so that it can be accessed directly without the need to go through BTP Cockpit.
- Click the Task Center Administration tile.
- Confirm the S4HANACloud destination status is OK.
Generate an approval task in S/4HANA Cloud
The purchase order should now be visible to the approver in SAP Task Center. To validate, click on the Task Center tile and Approve or Reject the purchase order.
The real value of SAP Task Center comes from the fact that it provides a central place to manage tasks created from a variety of SAP systems. In this blog, I showcased how Task Center can be integrated with S/4HANA Cloud, but you will also need to integrate with other LOB applications to really appreciate the power of Task Center.