Personal Insights

Piotr Tesny

May 22, 2023 11 minute read

SAP SuccessFactors extensibility easy with SAP BTP, Kyma runtime

OAuth2SAMLBearerAssertion

This brief is to showcase the SAP SuccessFactors extensibility service when used directly from SAP BTP, Kyma runtime environment.

Please check the code sample below:

build a SAP SuccessFactors app on Kyma runtime with SAP CAP framework.

SAP SuccessFactors extensibility service comprises SuccessFactors ODATA api-access automation and SSO configuration service plans, as documented here:

Extending SAP SuccessFactors in the Cloud Foundry and Kyma Environment | Process Flow | SAP Help

Putting it all together

Here goes the agenda for this brief.

main course	coffee corner
api-access automation service plan sso-configuration service plan destinations testing using a managed approuter on a BTP subaccount level	build a SAP SuccessFactors app on Kyma runtime with SAP CAP framework. with SAP SuccessFactors Recruiting and SAP SuccessFactors Employee Central ODATA APIs using Paketo – Cloud Native Buildpacks (no Dockerfiles) to build the docker images using helm charts to deploy and un-deploy to a kyma cluster Troubleshooting SFSF ODATA API access more than words…

api-access automation service plan

The system registration is done on a SAP BTP Global Account level.

The generated system registration token needs to be added in the SFSF Extension Center to complete the registration process. From now on, the SFSF system will be known to all sub-accounts under its symbolic system name.

You can register the same SFSF system with several SAP BTP Global Accounts at a time. Likewise you may register several SFSF systems with one single SAP BTP Global Account.

Configure the Entitlements for the SAP SuccessFactors Extensibility Service

These extensibility service plans will be added automatically to every sub-account of the global account. But you will need to entitle them before being able to use them.

Then you can look up the service in the service market place as follows:

Create a Service Instance to Consume the SAP SuccessFactors HXM Suite OData API

With sap-successfactors-extensibility service entitled on a BTP sub-account level you can start creating service instances with the api-access plan with Kyma runtime.

Each service instance will result in creating:

a separate OAuth2 client application on SFSF side and
a separate destination definition on a BTP sub-account level.

Please note the externalName is the destination name!

apiVersion: services.cloud.sap.com/v1
kind: ServiceInstance
metadata:
  name: quovadis-sap-jwt
  labels:
    app.kubernetes.io/name: sap-successfactors-extensibility
  annotations: {}
  namespace: <namespace>
spec:
  serviceOfferingName: sap-successfactors-extensibility
  servicePlanName: api-access
  externalName: Quovadis-SAP-JWT ### destination name
  parameters: 
    systemName: SFPART058654 ### SAP BTP Global Account system name

Two api-access instances (shown above) have two corresponding OAuth2 client applications as depicted below:

Good to know:

When you dispose of a service instance both the SFSF side OAuth2 client and BTP side destination definition will be removed.
Furthermore, you can leverage btp service operator multi-tenancy and use other namespaces of your kyma cluster to implement SFSF automation against a different BTP subaccount within the same Global Account or belonging to a different Global Account.

sso-configuration service plan

Configure Single Sign-On Between a Subaccount in SAP BTP and SAP SuccessFactors

Quoting after SAP help:

SAP BTP supports the following authentication scenarios for SAP SuccessFactors:

OData access with OAuth 2.0 SAML bearer assertion

OData access with OAuth 2.0 SAML bearer assertion with technical user

Steps

Good to know:

If OAuth2SAMLBearerAssertion with the technical user then you can skip the sso-configuration part.
The SSO configuration is between a SFSF system and a BTP sub-account

Destinations testing using a managed approuter on a BTP subaccount level

Given the fact the destinations have been created on a BTP sub-account level and assuming there is a managed approuter instance on the BTP sub-account as well we could leverage the approuter dynamic_dest construct as follows:

https://<tenant>.launchpad.cfapps.<region>.hana.ondemand.com/dynamic_dest/Quovadis-SAP-JWT/odata/v2/PerPersonal,EmpJob/$metadata

https://<tenant>.launchpad.cfapps.<region>.hana.ondemand.com/dynamic_dest/Quovadis-SAP-JWT/odata/v2/User?$top=1&$format=json

Conclusion

The SAP BTP automation makes it easy to set up integrations between SAP LOB applications and the SAP BTP platform.

The SAP BTP, Kyma runtime together with the btp service operator allow for the out-of-the-box automation multi-tenancy. For instance you can deploy same set of SFSF destination to different subscribers (different BTP sub-accounts) to cater for geographical proximity etc…

The Cloud Application Programming model provides a productivity framework to help create beautiful business application with the BTP runtimes you want.

Now it’s time to shine and create this kyma app you always wanted to make.

Please share your feedback and continue reading through to the coffee corner below…

Coffee corner

Build a SAP SuccessFactors app on Kyma runtime with SAP CAP framework.

Indeed, CAPire is a popular cloud programming framework with SAP BTP runtime environments.

There is plenty of public code samples with CAP applications with both CF and Kyma runtimes. There is also a great deal of blogs, tutorials, and an excellent CAP documentation.

So what about using a wizard, a code generator to help scaffold a minimal viable CAP application and even deploy it straight away to your kyma cluster?

Let’s use the following CAP code generator (VScode or terminal):

Please get familiar with the wizard’s documentation. There are also hands-on video tutorials here.

To help you get started, please find the prompt values for a minimal viable CAP application with Kyma runtime using SAP SuccessFactors Recruiting and SAP SuccessFactors Employee Central external APIs:

sfk8s with terminal

$ yo saphanaacademy-cap

prompt	value
? What project name would you like?	sfk8s
? Would you like to create a new directory for this project?	Yes
? What is the display name of your app?	sfk8s
? What is the description of your app?	sfk8s
? Which runtime will you be deploying the project to?	SAP BTP, Kyma runtime
? What SAP BTP, Kyma runtime namespace will you be deploying to?	<namespace>
? What is your Docker ID?	<docker_id>
? What is your Docker repository name? Leave blank to create a separate repository for each microservice.	<docker_repo_name>
? What is your Docker repository visibility?	Private (Only visible to you)
? What is the name of your Docker Registry Secret? It will be created in the namespace if you specify your Docker Email Address and Docker Personal Access Token or Password.	docker-registry-config
? What is your Docker Server URL?	https://index.docker.io/v1/
? What is your Docker Email Address? Leave blank if your Docker Registry Secret already exists in the namespace.	<docker hub user email address>
? What is your Docker Personal Access Token or Password? Leave blank if your Docker Registry Secret already exists in the namespace.	<docker hub user password/token>
? What is the path of your Kubeconfig file? Leave blank to use the KUBECONFIG environment variable instead.	/Users/<username>/.kube/kubeconfig–team-kyma.yaml
? How would you like to build container images?	Paketo (Cloud Native Buildpacks)
? Will you be using an existing SAP HANA Cloud HDI Container? If so please enter the HDI Container service instance name here or leave blank for none.
? Will you be using an existing SAP HANA Cloud schema? If so please enter the schema name here or leave blank for none. Note: schema names in mixed case are case sensitive!
? Would you like to create an entity with SAP HANA Cloud persistence?	No
? Would you like to use an external API?	Yes
? Which external API(s) would you like to use?	SAP SuccessFactors Recruiting, SAP SuccessFactors Employee Central
? What is the name of your SAP SuccessFactors Extensibility service instance (api-access plan)? Leave blank for the SAP API Business Hub sandbox.	Quovadis-SAP
? What is your API Key for the SAP API Business Hub sandbox?	********************************
? Would you like authentication?	Yes
? Would you like authorization?	Yes
? Would you like to configure an App2App authorization scenario?	No
? Would you like to enable OData v2 support?	No
? Would you like a UI?	Yes
? Would you like to use the HTML5 Application Repository?	No
? Will you be using a wildcard custom domain (eg: apps.domain.com)? If so please enter the custom domain name here. Leave blank to use the platform default.	<shoot>.kyma.ondemand.com
? What is the gateway for the custom domain in your SAP BTP, Kyma runtime?	kyma-gateway.kyma-system.svc.cluster.local
? Would you like to configure external session management (using Redis)?	No
? Would you like to include an additional backend service using SAP Cloud Application Programming Model?	No
? Would you like to include an additional backend service using regular Node.js?	No
? Would you like to enable messaging with SAP Event Mesh?	No
? Would you like to enable Continuous Integration and Delivery (CI/CD)?	No
? Would you like to enable GraphQL?	No
? Would you like to enable a Swagger UI?	No
? Would you like to build and deploy the project immediately?	No

The prompt values are purely for guidance. Feel free to alter your answers and then inspect and amend the generated code.

📦srv
 ┣ 📂external
 ┃ ┣ 📜ECEmploymentInformation.csn
 ┃ ┣ 📜ECEmploymentInformation.edmx
 ┃ ┣ 📜RCMCandidate.csn
 ┃ ┗ 📜RCMCandidate.edmx
 ┣ 📜Dockerfile
 ┣ 📜catalog-service.cds
 ┗ 📜catalog-service.js

📦app
 ┣ 📂resources
 ┃ ┣ 📂html5
 ┃ ┃ ┗ 📂webapp
 ┃ ┃ ┃ ┣ 📜index.html
 ┃ ┃ ┃ ┗ 📜map.html
 ┃ ┗ 📜index.html
 ┣ 📜Dockerfile
 ┣ 📜package.json
 ┗ 📜xs-app.json

You can test your project locally from the command line as follows:
 cd sfk8s
 cds watch

You can build and deploy your project as follows or use a CI/CD pipeline:
 cd sfk8s
 make docker-push
 make helm-deploy

Before compiling the CAP project, let’s make sure we use nodejs 18 and latest versions of some of the SAP libraries, for instance:

package.json

{
  "name": "sfk8s",
  "version": "0.0.1",
  "repository": "<Add your repository here>",
  "license": "UNLICENSED",
  "description": "sfk8s",
  "engines": {
    "node": "^18"
  },
  "dependencies": {
    "@sap/cds": "^6.8",
    "@sap/audit-logging": "^5",

    "@sap-cloud-sdk/http-client": "latest",
    "@sap/xsenv": "latest",
    "@sap/xssec": "latest",

............

      ,
      "RCMCandidate": {
        "kind": "odata-v2",
        "model": "srv/external/RCMCandidate",
        "credentials": {
          "[production]": {
            "destination": "Quovadis-SAP",
            "path": "odata/v2"
          },
          "[development]": {
            "url": "https://sandbox.api.sap.com/successfactors/odata/v2"
          }
        }
      }
      ,
      "ECEmploymentInformation": {
        "kind": "odata-v2",
        "model": "srv/external/ECEmploymentInformation",
          "credentials": {
            "[production]": {
              "destination": "Quovadis-SAP",
              "path": "odata/v2"
            },
            "[development]": {
              "url": "https://sandbox.api.sap.com/successfactors/odata/v2"
            }
          }
        }
    }
  }
}

Time to build the project…

It may take several minutes to build, and may even take longer if this is the first time you are using the buildpacks…

$ cd sfk8s/
$ make docker-push
cds build --production
[cds] - the following build tasks will be executed
[cds] -    {
     "build": {
       "target": "gen",
       "tasks": [
         {"for":"nodejs", "src":"srv", "options":{"model":["srv","app","srv/external/RCMCandidate","srv/external/ECEmploymentInformation"]}}
       ]
     }
   }

[cds] - building project [/Users/<username>/.kube/sfk8s], clean [true]
[cds] - cds [6.8.1], compiler [3.9.2], home [/Users/<user name>/.kube/sfk8s/node_modules/@sap/cds]

[cds] - done > wrote output to:
   gen/srv/package-lock.json
   gen/srv/package.json
   gen/srv/srv/Dockerfile
   gen/srv/srv/catalog-service.js
   gen/srv/srv/csn.json
   gen/srv/srv/external/ECEmploymentInformation.edmx
   gen/srv/srv/external/RCMCandidate.edmx

[cds] - build completed in 1496 ms

pack build <docker_id>/<docker_repo>:sfk8s-srv -p gen/srv -B paketobuildpacks/builder:base
....................

📦gen
 ┗ 📂srv
 ┃ ┣ 📂srv
 ┃ ┃ ┣ 📂external
 ┃ ┃ ┃ ┣ 📜ECEmploymentInformation.edmx
 ┃ ┃ ┃ ┗ 📜RCMCandidate.edmx
 ┃ ┃ ┣ 📜Dockerfile
 ┃ ┃ ┣ 📜catalog-service.js
 ┃ ┃ ┗ 📜csn.json
 ┃ ┣ 📜package-lock.json
 ┃ ┗ 📜package.json

Eventually all the project artefacts have been built and pushed to the docker repository….

Let’s deploy it to kyma runtime environment:

📦helm
 ┣ 📂sfk8s-app
 ┃ ┣ 📂templates
 ┃ ┃ ┣ 📜NOTES.txt
 ┃ ┃ ┣ 📜_helpers.tpl
 ┃ ┃ ┣ 📜apirule.yaml
 ┃ ┃ ┣ 📜configmap.yaml
 ┃ ┃ ┣ 📜deployment.yaml
 ┃ ┃ ┗ 📜service.yaml
 ┃ ┣ 📜.helmignore
 ┃ ┣ 📜Chart.yaml
 ┃ ┗ 📜values.yaml
 ┗ 📂sfk8s-srv
 ┃ ┣ 📂templates
 ┃ ┃ ┣ 📜NOTES.txt
 ┃ ┃ ┣ 📜_helpers.tpl
 ┃ ┃ ┣ 📜apirule.yaml
 ┃ ┃ ┣ 📜binding-dest.yaml
 ┃ ┃ ┣ 📜binding-uaa.yaml
 ┃ ┃ ┣ 📜configmap.yaml
 ┃ ┃ ┣ 📜deployment.yaml
 ┃ ┃ ┣ 📜service-dest.yaml
 ┃ ┃ ┣ 📜service-uaa.yaml
 ┃ ┃ ┗ 📜service.yaml
 ┃ ┣ 📜.helmignore
 ┃ ┣ 📜Chart.yaml
 ┃ ┗ 📜values.yaml

$ make helm-deploy
helm upgrade -n team-kyma -i sfk8s-srv helm/sfk8s-srv --install --kubeconfig /Users/<username>/.kube/kubeconfig--team-kyma.yaml
Release "sfk8s-srv" does not exist. Installing it now.
NAME: sfk8s-srv
LAST DEPLOYED: *************
NAMESPACE: team-kyma
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Thank you for installing sfk8s-srv. Your release is named sfk8s-srv and was deployed to the namespace team-kyma.
helm upgrade -n team-kyma -i sfk8s-app helm/sfk8s-app --install --kubeconfig /Users/<username/>.kube/kubeconfig--team-kyma.yaml
Release "sfk8s-app" does not exist. Installing it now.
NAME: sfk8s-app
LAST DEPLOYED: *************
NAMESPACE: team-kyma
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Thank you for installing sfk8s-app. Your release is named sfk8s-app and was deployed to the namespace team-kyma.

As a result the following kyma cluster resources get created automatically:

and last but not least the API rules that allow to expose the frontend app and backend service to the public internet:

The access to app and srv is protected with the BTP SAP ID service. Please make sure to assign the sfk8s application role collection(s) to all business users who should be granted access to the application. This is done from a BTP sub-account cockpit or with btp cli.

Failure to do it will result in a Forbidden error message.

Now it’s time to run the frontend app:

Last but not least, the deployment clean-up:

$ make helm-undeploy

Troubleshooting SFSF ODATA API access

In order to be able to register a SFSF system with a BTP Global Account you must grant the admin user the following permissions:

Admin access to MDF OData API
Create Integration with SAP BTP

Permission Role List	Permission Role Detail
You need to pick a permission role (the one which your admin user has been assigned to) and make sure it has the required permissions	I have chosen a System Admin role as the sfadmin user has this role assigned
Create Integration with SAP BTP	Admin access to MDF OData API

The OData API Candidate Export role permission must be assigned to the business user that is about to call SAP SuccessFactors Recruiting ODATA API via a BTP destination: