Technology Blogs by SAP
MoritzSchramm
Associate

SAP has introduced SAP Start, our new default central entry point, designed to easily engage with all cloud business solutions across the SAP portfolio. It is included out-of-the-box, at no additional cost, with all integrated SAP cloud business solutions.

If you want to learn more about SAP Start in general, have a look at our recent "Things You Need to Know About SAP Start" blog post.

Today, we want to show you how easy it is to set up SAP Start seamlessly integrated with SAP S/4HANA Cloud, private edition. Please note that it is already possible to integrate SAP SuccessFactors today, with more SAP cloud business solutions to follow in the future; these are covered in separate blog entries (see links at the end of this blog post).

Prerequisites

To follow along with this how-to, please make sure you already fulfill the following prerequisites:

  • You have an existing global account on the SAP Business Technology Platform

  • Your global account has these entitlements assigned

    Service                                 Plan                       Required Quota
    Cloud Management Service                Local                      1
    SAP Build Work Zone, standard edition   foundation                 1
    SAP Build Work Zone, standard edition   foundation (Application)   1
    SAP Task Center                         standard                   1
    Cloud Identity Services                 connectivity               1
  • You have (admin) access to your S/4HANA Cloud Private Edition system with minimum required version 2023 FPS1

  • You have an Identity Authentication Service available in your global account

  • You have set up a SAP Cloud Connector as outlined by the SAP Cloud Connector documentation

Setting up SAP Start with S/4HANA Cloud Private Edition

  1. You first need to create a new subaccount in your BTP global account. Open the Account Explorer page of your global account in the BTP cockpit. You should see a dropdown menu called Create where you select Subaccount. Follow the wizard and enter all required fields.

    [Figure: Create Subaccount]

  2. In your created subaccount, go to the Entitlements section and entitle the subaccount for:

    • SAP Build Work Zone, standard edition (plan: foundation & foundation (Application))

      [Figure: Configure Workzone Entitlement]

    • SAP Task Center (plan: standard)

      [Figure: Configure Task Center Entitlement]

  3. Expand the Services section to open the Instances and Subscriptions section for the subaccount and create a subscription for SAP Build Work Zone, standard edition

    [Figure: SAP Build Work Zone, standard edition plan foundation subscription form]

  4. Go to the Overview section of the subaccount and Enable Cloud Foundry in the subaccount

  5. Go to the Overview section of the subaccount and click Create Space

    • Add your user as Space Developer, Space Manager, and Space Auditor

      [Figure: Create Space]

  6. In your created space, expand the Services section to open the Instances section for the space and create a service instance for SAP Task Center

  7. Create a service key for your created service instance of SAP Task Center

  8. In your subaccount, expand the Connectivity section to navigate to the Destinations section of your subaccount and create a new destination based on the service instance of Task Center

    [Figure: Create Task Center Destination]

  9. In your global account, select System Landscape from the left panel, and select the Formations tab

  10. Click Create Formation (in the top right corner)

  11. Enter a Formation Name and select Integration with SAP Start as the Formation Type and click Next Step

  12. Select the SAP Start system that reflects your SAP Build Work Zone subscription which you created in step 3 and click Next Step

  13. Double check on the review page that everything looks correct and click Create

Set Up S/4HANA Cloud Private Edition as a Content Provider for SAP Start

Important: SAP Build Work Zone automatically proxies a system connected to it via the SAP Cloud Connector. All paths that you configure in your Cloud Connector will be reachable via the public internet. Make sure that you configure only the necessary paths and that your S/4HANA Cloud Private Edition system is properly secured to prevent unauthorized access.

  1. Follow the SAP Cloud Connector documentation to establish trust between your created subaccount and your S/4 Private Cloud System

    • Please pay attention to the Setup Principal Propagation part of the documentation
    • Make sure to disable System Certificate for Logon (if no Principal is received from Cloud) to enable principal propagation and basic authentication via the SAP Cloud Connector
  2. Open the Cloud To On-Premise tab in your SAP Cloud Connector Administration UI

  3. Create a new mapping for the SAP Build Work Zone with SAP Start integration following the Workzone SAP Cloud Connector Setup documentation

    • Expose the following paths for protocol HTTPS
      • The path to fetch card manifests and i18n files (/sap/bc/lrep/)
      • The path to fetch the UI5 App Index (/sap/bc/ui2/app_index/)
      • The path to fetch CDM3 content (/sap/bc/ui2/cdm3/)
      • The path for fetching data from OData services (/sap/opu/odata/)
      • The path for fetching data from OData V4 services (/sap/opu/odata4/)

    [Figure: Expose Paths in SAP Cloud Connector]

    NOTE: This is a default configuration intended to cover most use cases. From a security perspective, it is recommended to investigate which services are really used in your use case and to restrict the paths further.

  4. Create a new mapping for the integration with the Identity Provisioning Service (IPS)

    • Back-end Type: ABAP System
    • Protocol: RFC or RFC SNC
    • Connection Type: With load balancing (system ID and message server)
    • Message Server: <Your S/4HANA message server host e.g. ldcsuct>
    • System ID: <Your S/4HANA system id e.g. UCT>
    • SAProuter: leave empty
    • Virtual Message Server: ldcsuct
    • Virtual System ID: UCT

    With these example properties you would get ldcsuct:sapmsUCT as internal host

  5. Allow access to the following resources with Naming Policy Exact Name as outlined by the IPS documentation for SAP Application Server ABAP

    • BAPI_USER_GETLIST
    • BAPI_USER_GET_DETAIL
    • PRGN_ACTIVITY_GROUPS_LOAD_RFC
    • PRGN_ROLE_GETLIST

    [Figure: Allowed RFC Resources]
  6. Open your S/4HANA Cloud Private Edition system and follow the Manage Launchpad Content for Exposure documentation to preview and expose your content. Make sure to select Version 2 as the Exposure Version. The result should look like this:

    [Figure: Setup Launchpad Content Exposure]

    • To check that your content exposure was successful you can use the SAP Gateway Client (transaction /IWFND/GW_CLIENT)

      [Figure: Test Content Exposure in SAP Gateway Client]

  7. Create a technical service user that fulfills the Prerequisites for Launchpad Content Exposure

    • Open transaction SU01 to create a technical service user

    • Select Service as User Type

      [Figure: S/4HANA Service User Form]

  8. Ensure the business users have Insights Cards assigned in the MyHome Settings of your S/4 HANA Private Cloud system

    [Figure: Insights Cards in MyHome Settings]
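
The note in step 3 recommends restricting the exposed paths further, and the Important box above says every configured path becomes reachable from the internet. The following Python check is an added example, not part of the original post or of any SAP tool: it compares a list of Cloud Connector HTTPS resources with the five paths from step 3. The input layout (`path`, `subpaths`) and the sample entries are assumptions constructed for illustration; fill the list from your own access control configuration.

```python
"""Audit Cloud Connector HTTPS resources against the paths listed in step 3."""

# The five paths the blog post lists for the SAP Start mapping.
DOCUMENTED_PATHS = (
    "/sap/bc/lrep/",
    "/sap/bc/ui2/app_index/",
    "/sap/bc/ui2/cdm3/",
    "/sap/opu/odata/",
    "/sap/opu/odata4/",
)


def segments(path):
    """Split a URL path into segments; duplicate and trailing slashes are ignored."""
    return tuple(part for part in path.split("/") if part)


def is_under(child, parent):
    """True if child equals parent or lies below it.

    The comparison is per segment: a plain startswith() would wrongly
    treat /sap/opu/odata4/ as lying under /sap/opu/odata.
    """
    c, p = segments(child), segments(parent)
    return c[:len(p)] == p


def classify(resource):
    """Return 'documented', 'narrower', 'broader' or 'unlisted' for one resource."""
    path, subpaths = resource["path"], resource["subpaths"]
    if any(segments(path) == segments(doc) for doc in DOCUMENTED_PATHS):
        return "documented"
    if any(is_under(path, doc) for doc in DOCUMENTED_PATHS):
        return "narrower"   # the kind of restriction the NOTE recommends
    if subpaths and any(is_under(doc, path) for doc in DOCUMENTED_PATHS):
        return "broader"    # publishes more than the documented default
    return "unlisted"       # not required by anything in this how-to


def audit(resources):
    """Classify every resource and list documented paths that nothing covers."""
    findings = [(r["path"], classify(r)) for r in resources]
    not_exposed = [
        doc for doc in DOCUMENTED_PATHS
        if not any(
            is_under(r["path"], doc)
            or (r["subpaths"] and is_under(doc, r["path"]))
            for r in resources
        )
    ]
    return {"findings": findings, "not_exposed": not_exposed}


# Constructed sample input (hypothetical layout, not a Cloud Connector export).
# subpaths=True stands for "path and all sub-paths", False for "path only".
SAMPLE_RESOURCES = [
    {"path": "/sap/bc/lrep/", "subpaths": True},
    {"path": "/sap/bc/ui2/", "subpaths": True},
    {"path": "/sap/opu/odata", "subpaths": True},
    {"path": "/sap/opu/odata4/ui2/insights_srv/", "subpaths": True},
    {"path": "/zcustom/", "subpaths": True},
    {"path": "/sap/", "subpaths": False},
]

if __name__ == "__main__":
    result = audit(SAMPLE_RESOURCES)
    for path, verdict in result["findings"]:
        flag = "REVIEW" if verdict in ("broader", "unlisted") else "ok"
        print(f"{flag:7} {verdict:11} {path}")
    for doc in result["not_exposed"]:
        print(f"MISSING {doc}")
```

Entries reported as broader or unlisted are the ones to review first; a documented path in `not_exposed` means the corresponding content (for example the card nominations under /sap/opu/odata4/) cannot be fetched.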

Configure BTP Destinations

  1. In your subaccount, expand the Connectivity section and navigate to the Destinations section.

  2. Follow the Configure Destinations section to create the Design-Time and Runtime destinations.

    [Figure: S/4HANA Cloud Private Edition Design-Time Destination]

    [Figure: S/4HANA Cloud Private Edition Runtime Destination]

  3. Create a destination for retrieving nominations via the SAP Cloud Connector


    • Set the following additional properties
      • HTML5.DynamicDestination: true
      • nameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      • sap-card-nominations-path: /sap/opu/odata4/ui2/insights_srv/srvd/ui2/insights_cards_read_srv/0001/CEP_Cards?$expand=DescriptorResources
    • Make sure to set the Location ID if you have configured a location ID in your SAP Cloud Connector
    • Note that for principal propagation to work, the BTP users for your IAS identity provider (Subaccount > Security > Users) must have the correct user name set, i.e. the identifier that is accepted by your S/4 private cloud system
      • When a user authenticates for the first time with the subaccount’s authentication url and the IAS identity provider, a new BTP user will be created automatically.
      • The value of the user name for automatically created users is determined by how you Configure the Subject Name Identifier Sent to the Application in your IAS.
  4. Navigate to the Channel Manager section in SAP Build Work Zone and add a new Content Provider with the following properties:
    [Figure: Content Provider Creation]

Create a PFCG Role to Maintain the Global User ID

  1. Open transaction PFCG in your S/4HANA Cloud Private Edition system to create a new role MAINTAIN_USER_GLOBAL_ID
  2. Enter the following authorization values
    • Object class AAAB (Cross-application Authorization Objects)
      • Authorization Object S_RFC (Authorization Check for RFC Access)
        • Authorizat. 00 (Authorization Check for RFC Access)
          • RFC_TYPE: Function Module (Type of RFC object to which access is to be allowed)
          • RFC_NAME: BAPI_USER_CHANGE, BAPI_USER_GETLIST, BAPI_USER_GET_DETAIL (Name (Allowlist) of RFC object to which access is allowed)
          • ACTVT: Execute (Activity)
        • Authorizat. 01 (Authorization Check for RFC Access)
          • RFC_TYPE: Function group (Type of RFC object to which access is to be allowed)
          • RFC_NAME: SU_USER (Name (Allowlist) of RFC object to which access is allowed)
          • ACTVT: Execute (Activity)
    • Object class BC_A (Maintained Basis: Administration)
      • Authorization Object S_USER_ATT (Standard User Attributes Assignment)
        • Authorizat. 00 (User Attributes Assignment)
      • Authorization Object S_USER_GRP (Maintained User Master Maintenance: User Groups)
        • Authorizat. 01 (User Master Maintenance: User Groups)
          • CLASS: <Groups of the users that should be maintained> (User Group)
          • ACTVT: Add or Create, Change, Display, Lock, Extended maintenance, Move, Set Productive (Activity)
      • Authorization Object S_USER_UID (Maintained User Master Maintenance: Assignment of External UID)
        • Authorizat. 00 (User Master Maintenance: Assignment of External UID)
          • ACTVT: Display, Enter, Include, Assign (Activity)
          • CLASS: <Groups of the users that should be maintained> (User Group)
          • EXTUID_TYP: Global User ID (Type of the External User ID (UID))
  3. Save and generate the role

NOTE: The role MAINTAIN_USER_GLOBAL_ID is required by IPS to synchronize the Global User ID. The Global User ID is required for the Task Center integration to display the tasks of the business users.

Configure Identity Provisioning Service (IPS)

  1. Open your S/4HANA Cloud Private Edition system

  2. Open transaction SU01 to add the role SAP_BC_JSF_COMMUNICATION_RO to the technical service user used for reading the CDM content

  3. Open your subaccount and navigate to your created Cloud Foundry space, expand the Services section to select Instances for the space and create a service instance for SAP Build Work Zone, standard edition

  4. Create a service key for the service instance of SAP Build Work Zone, standard edition

  5. Open your subaccount, expand the Security section to open the Trust Configuration section

  6. Click on the Establish Trust button and select your IAS tenant

    • Ensure your IAS Tenant is connected using Open ID Connect (OIDC)
  7. Navigate to the Instances and Subscriptions section

  8. Subscribe to Cloud Identity Services with plan connectivity

  9. Expand the Connectivity section to navigate to the Destinations section and create a new destination for the IPS integration as outlined by the IPS documentation for SAP Application Server ABAP

    An example for a connection with load balancing:

    • Location ID: <Location ID of your SAP Cloud Connector e.g. DLM_MAIL>
      • Only required if your SAP Cloud Connector is configured with a location ID
    • Type: RFC
    • ProxyType: OnPremise
    • User: <Username of your technical S/4HANA service user>
    • Password: <Password of your technical S/4HANA service user>
    • Additional Properties
      • jco.client.client: <The client of your S/4HANA system e.g. 950>
      • jco.client.mshost: <Virtual host of your SAP Cloud Connector configuration for IPS integration until the colon e.g. uctclnt950rfc>
      • jco.client.r3name: <System ID of your S/4HANA system e.g. UCT>


    [Figure: IPS Source System RFC Destination]
  10. Open your IAS administrator console at <IAS domain>/admin

  11. Navigate to the Identity Provisioning section and open the Source Systems section

  12. Click on + Add to add a new Source System

    • Select SAP Application Server ABAP as type

    • Give the source system a meaningful name

      [Figure: IPS Source System Form]

    • Open the Transformations tab, click on Edit and switch into the JSON mode to paste the following standard transformation

      {
          "user": {
              "mappings": [
                  {
                      "sourcePath": "$.USERNAME",
                      "targetVariable": "entityIdSourceSystem"
                  },
                  {
                      "sourcePath": "$.USERNAME",
                      "targetPath": "$.userName",
                      "correlationAttribute": true
                  },
                  {
                      "sourcePath": "$.ALIAS.USERALIAS",
                      "targetPath": "$.externalId",
                      "optional": true,
                      "correlationAttribute": true
                  },
                  {
                      "sourcePath": "$.SAPUSER_UUID.SAP_UID",
                      "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']",
                      "optional": true
                  },
                  {
                      "targetPath": "$.schemas[0]",
                      "constant": "urn:ietf:params:scim:schemas:core:2.0:User"
                  },
                  {
                      "sourcePath": "$.ADDRESS.E_MAIL",
                      "targetPath": "$.emails[0].value",
                      "optional": true,
                      "correlationAttribute": true
                  },
                  {
                      "targetPath": "$.emails[0].primary",
                      "condition": "$.ADDRESS.E_MAIL EMPTY false",
                      "constant": true
                  },
                  {
                      "targetPath": "$.emails[0].type",
                      "condition": "$.ADDRESS.E_MAIL EMPTY false",
                      "constant": "work"
                  },
                  {
                      "sourcePath": "$.ADDRESS.FIRSTNAME",
                      "targetPath": "$.name.givenName",
                      "optional": true
                  },
                  {
                      "sourcePath": "$.ADDRESS.LASTNAME",
                      "targetPath": "$.name.familyName"
                  },
                  {
                      "sourcePath": "$.ADDRESS.MIDDLENAME",
                      "targetPath": "$.name.middleName",
                      "optional": true
                  },
                  {
                      "sourcePath": "$.ADDRESS.NICKNAME",
                      "targetPath": "$.nickName",
                      "optional": true
                  },
                  {
                      "sourcePath": "$.ADDRESS.TITLE_P",
                      "targetPath": "$.name.honorificPrefix",
                      "optional": true
                  },
                  {
                      "sourcePath": "$.ADDRESS.COUNTRY",
                      "targetPath": "$.addresses[0].country",
                      "optional": true
                  },
                  {
                      "targetPath": "$.addresses[0].primary",
                      "condition": "$.ADDRESS.COUNTRY EMPTY false",
                      "constant": true
                  },
                  {
                      "targetPath": "$.addresses[0].type",
                      "condition": "$.ADDRESS.COUNTRY EMPTY false",
                      "constant": "work"
                  },
                  {
                      "sourcePath": "$.ADDRESS.TEL1_NUMBR",
                      "targetPath": "$.phoneNumbers[0].value",
                      "optional": true
                  },
                  {
                      "targetPath": "$.phoneNumbers[0].primary",
                      "condition": "$.ADDRESS.TEL1_NUMBR EMPTY false",
                      "constant": true
                  },
                  {
                      "targetPath": "$.phoneNumbers[0].type",
                      "condition": "$.ADDRESS.TEL1_NUMBR EMPTY false",
                      "constant": "work"
                  },
                  {
                      "sourcePaths": [
                          "$.DEFAULTS.LANGU"
                      ],
                      "targetPath": "$.locale",
                      "valueMappings": [
                          {
                              "key": [
                                  "W"
                              ],
                              "mappedValue": "bg"
                          }
                      ],
                      "optional": true,
                      "type": "valueMapping",
                      "defaultValue": "en"
                  },
                  {
                      "sourcePaths": [
                          "$.ADDRESS.LANGUP_ISO"
                      ],
                      "targetPath": "$.preferredLanguage",
                      "optional": true,
                      "type": "valueMapping",
                      "functions": [
                          {
                              "function": "toLowerCaseString"
                          }
                      ]
                  },
                  {
                      "sourcePaths": [
                          "$.LOGONDATA.TZONE"
                      ],
                      "targetPath": "$.timezone",
                      "valueMappings": [
                          {
                              "key": [
                                  "EET"
                              ],
                              "mappedValue": "Europe/Sofia"
                          }
                      ],
                      "optional": true,
                      "type": "valueMapping",
                      "defaultValue": "Europe/Berlin"
                  },
                  {
                      "targetPath": "$.active",
                      "constant": false
                  },
                  {
                      "targetPath": "$.active",
                      "condition": "($.ISLOCKED.LOCAL_LOCK != 'L') && ($.ISLOCKED.GLOB_LOCK != 'L') && ($.ISLOCKED.WRNG_LOGON != 'L')",
                      "constant": true
                  },
                  {
                      "sourcePath": "$.ACTIVITYGROUPS[*].AGR_NAME",
                      "targetPath": "$.groups[?(@.value)]",
                      "optional": true,
                      "preserveArrayWithSingleElement": true
                  }
              ]
          },
          "group": {
              "mappings": [
                  {
                      "sourcePath": "$.ROLE_NAME",
                      "targetVariable": "entityIdSourceSystem"
                  },
                  {
                      "sourcePath": "$.ROLE_NAME",
                      "targetPath": "$.displayName",
                      "functions": [
                          {
                              "function": "concatString",
                              "condition": "'%abap.role.prefix%' !== 'null'",
                              "prefix": "%abap.role.prefix%"
                          }
                      ]
                  },
                  {
                      "targetPath": "$.schemas[0]",
                      "constant": "urn:ietf:params:scim:schemas:core:2.0:Group"
                  },
                  {
                      "sourcePath": "$.USERLIST[*].USERNAME",
                      "targetPath": "$.members[?(@.value)]",
                      "optional": true,
                      "preserveArrayWithSingleElement": true
                  }
              ]
          }
      }
                          
      [Figure: IPS Source System Transformations Form]
  13. Navigate to the Identity Provisioning section and open the Target Systems section

  14. Click on + Add to add a new Target System

    • Select SAP Build Work Zone, standard edition as type

    • Give the target system a meaningful name

    • Select your created source system for S/4HANA Cloud Private Edition as the source system

      [Figure: IPS Target System Form]

    • Open the Transformations tab, click on Edit and switch into the JSON mode to paste the following standard transformation

      {
          "user": {
              "condition": "($.emails EMPTY false) && ($['urn:ietf:params:scim:schemas:extension:sap:2.0:User'].userUuid EMPTY false)",
              "skipOperations": [
                  "update"
              ],
              "mappings": [
                  {
                      "targetPath": "$.id",
                      "sourceVariable": "entityIdTargetSystem"
                  },
                  {
                      "targetPath": "$.schemas[0]",
                      "constant": "urn:ietf:params:scim:schemas:core:2.0:User"
                  },
                  {
                      "targetPath": "$['urn:ietf:params:scim:schemas:extension:2.0:mapping']['providerId']",
                      "constant": "%cflp.providerId%"
                  },
                  {
                      "sourcePath": "$.emails[0].value",
                      "targetPath": "$.emails[0].value",
                      "condition": "$.emails[?(@.primary == true)].value == []",
                      "optional": true
                  },
                  {
                      "sourcePath": "$.emails[?(@.primary == true)].value",
                      "targetPath": "$.emails[0].value",
                      "condition": "$.emails[?(@.primary == true)].value != []",
                      "optional": true,
                      "preserveArrayWithSingleElement": true,
                      "functions": [
                          {
                              "function": "elementAt",
                              "index": 0
                          }
                      ]
                  },
                  {
                      "targetPath": "$.emails[0].primary",
                      "condition": "$.emails[0].length() > 0",
                      "constant": true
                  },
                  {
                      "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']",
                      "targetPath": "$.externalId",
                      "optional": true
                  },
                  {
                      "sourcePath": "$.groups[*].value",
                      "targetPath": "$.groups[?(@.value)]",
                      "optional": true,
                      "preserveArrayWithSingleElement": true,
                      "functions": [
                          {
                              "function": "resolveEntityIds",
                              "entityType": "group"
                          }
                      ]
                  }
              ]
          },
          "group": {
              "mappings": [
                  {
                      "targetPath": "$.id",
                      "sourceVariable": "entityIdTargetSystem"
                  },
                  {
                      "targetPath": "$['urn:ietf:params:scim:schemas:extension:2.0:mapping']['providerId']",
                      "constant": "%cflp.providerId%"
                  },
                  {
                      "targetPath": "$.schemas[0]",
                      "constant": "urn:ietf:params:scim:schemas:core:2.0:Group"
                  },
                  {
                      "targetPath": "$.schemas[1]",
                      "constant": "urn:ietf:params:scim:schemas:core:2.0:mapping",
                      "optional": true
                  },
                  {
                      "sourcePath": "$.displayName",
                      "targetPath": "$.externalId"
                  },
                  {
                      "sourcePath": "$.externalId",
                      "targetPath": "$.externalId",
                      "optional": true,
                      "functions": [
                          {
                              "function": "replaceAllString",
                              "regex": "(?i)(^pcd:)",
                              "replacement": ""
                          },
                          {
                              "function": "replaceString",
                              "target": "/",
                              "replacement": ":"
                          },
                          {
                              "function": "replaceString",
                              "target": "(",
                              "replacement": "@"
                          },
                          {
                              "function": "replaceString",
                              "target": ")",
                              "replacement": "+"
                          }
                      ]
                  },
                  {
                      "sourcePath": "$.members[*].value",
                      "targetPath": "$.members[?(@.value)]",
                      "optional": true,
                      "preserveArrayWithSingleElement": true,
                      "functions": [
                          {
                              "function": "resolveEntityIds"
                          }
                      ]
                  }
              ]
          }
      }
                          
      [Figure: IPS Target System Transformations Form]
    • Open the Properties tab and add the following properties

      • Authentication: BasicAuthentication
      • cflp.group.unique.attribute: externalId,['urn:ietf:params:scim:schemas:extension:2.0:mapping']['providerId']
      • cflp.patch.group.members.above.threshold: 5000
      • cflp.providerId: <ID of the created content provider in your SAP Build Work Zone tenant e.g. S4_PC_UCT950>
      • cflp.user.unique.attribute: emails[0].value,['urn:ietf:params:scim:schemas:extension:2.0:mapping']['providerId'],externalId
      • ips.trace.failed.entity.content: false
      • OAuth2TokenServiceURL: <Value of the url property of your created SAP Build Work Zone service key + /oauth/token>
      • Password: <Value of the clientsecret property of your created SAP Build Work Zone service key>
      • ProxyType: Internet
      • Type: HTTP
      • URL: <Value of the portal-service property of your created SAP Build Work Zone service key>
      • User: <Value of the clientid property of your created SAP Build Work Zone service key>

      [Figure: IPS Target System Properties Form]
  15. Navigate to the Identity Provisioning section and open the Source Systems section

  16. Select your created source system for your S/4HANA Cloud Private Edition tenant

  17. Open the Jobs tab

  18. Click on Run Now for the Read Job to start the synchronization of your S/4HANA users and roles into your SAP Build Work Zone tenant

  19. Navigate to the Identity Provisioning section and open the Provisioning Logs section to see the logs and status of your synchronization jobs
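
Read together, the source transformation (step 12) and the target transformation (step 14) decide which S/4HANA users the Read Job writes to SAP Build Work Zone: the target condition requires an e-mail address and a Global User ID, and it neither maps nor tests `$.active`. The following Python check is an added example, not SAP's or the author's code; it re-implements only those conditions as they appear in the JSON on this page, over constructed user records whose field names follow the `sourcePath` entries. IPS itself remains authoritative for how the transformations are evaluated.

```python
"""Preflight for the Read Job: who would be provisioned, who would be skipped."""


def get(record, dotted, default=""):
    """Follow a dotted path such as 'ADDRESS.E_MAIL' through nested dicts."""
    node = record
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def to_intermediate(abap_user):
    """Apply the parts of the source transformation the target depends on."""
    locks = [
        get(abap_user, "ISLOCKED." + field)
        for field in ("LOCAL_LOCK", "GLOB_LOCK", "WRNG_LOGON")
    ]
    email = get(abap_user, "ADDRESS.E_MAIL")
    return {
        "userName": get(abap_user, "USERNAME"),
        "emails": [{"value": email, "primary": True, "type": "work"}] if email else [],
        "userUuid": get(abap_user, "SAPUSER_UUID.SAP_UID"),
        # Source mapping: active is false unless none of the three flags is 'L'.
        "active": all(flag != "L" for flag in locks),
        "groups": [g["AGR_NAME"] for g in abap_user.get("ACTIVITYGROUPS", [])],
    }


def preflight(abap_users):
    """Evaluate the target user condition for every record and explain skips."""
    report = []
    for raw in abap_users:
        user = to_intermediate(raw)
        reasons = []
        if not user["emails"]:
            reasons.append("no e-mail address")
        if not user["userUuid"]:
            reasons.append("no Global User ID (SAP_UID)")
        provisioned = not reasons
        report.append({
            "userName": user["userName"],
            "provisioned": provisioned,
            "skip_reasons": reasons,
            # The target transformation does not look at $.active, so a
            # locked user with e-mail and Global User ID is still written.
            "locked_but_provisioned": provisioned and not user["active"],
            "groups": user["groups"],
        })
    return report


def unlocked():
    return {"LOCAL_LOCK": "U", "GLOB_LOCK": "U", "WRNG_LOGON": "U"}


# Constructed sample records; names, addresses, UUIDs and roles are made up.
SAMPLE_USERS = [
    {"USERNAME": "ALICE", "ADDRESS": {"E_MAIL": "alice@example.com"},
     "SAPUSER_UUID": {"SAP_UID": "11111111-1111-1111-1111-111111111111"},
     "ISLOCKED": unlocked(), "ACTIVITYGROUPS": [{"AGR_NAME": "Z_SAMPLE_ROLE"}]},
    {"USERNAME": "BOB", "ADDRESS": {"E_MAIL": ""},
     "SAPUSER_UUID": {"SAP_UID": "22222222-2222-2222-2222-222222222222"},
     "ISLOCKED": unlocked(), "ACTIVITYGROUPS": []},
    {"USERNAME": "CAROL", "ADDRESS": {"E_MAIL": "carol@example.com"},
     "SAPUSER_UUID": {}, "ISLOCKED": unlocked(), "ACTIVITYGROUPS": []},
    {"USERNAME": "DAVE", "ADDRESS": {"E_MAIL": "dave@example.com"},
     "SAPUSER_UUID": {"SAP_UID": "44444444-4444-4444-4444-444444444444"},
     "ISLOCKED": {"LOCAL_LOCK": "L", "GLOB_LOCK": "U", "WRNG_LOGON": "U"},
     "ACTIVITYGROUPS": [{"AGR_NAME": "Z_SAMPLE_ROLE"}]},
]

if __name__ == "__main__":
    for row in preflight(SAMPLE_USERS):
        status = "provision" if row["provisioned"] else "skip"
        detail = ", ".join(row["skip_reasons"])
        if row["locked_but_provisioned"]:
            detail = "locked in S/4HANA but still provisioned with its roles"
        print(f"{row['userName']:6} {status:10} {detail}")
```

Users skipped for a missing Global User ID are the ones the MAINTAIN_USER_GLOBAL_ID role exists to fix; users flagged as locked but provisioned are worth a review before the first Read Job run.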

Final Result

You should now have a working setup of SAP Build Work Zone, standard edition with SAP Start and S/4HANA Cloud Private Edition.