
Note: This blog post is the third part of a tutorial series. If you arrived here without reading the first and second part, please do so before you continue, and then come back here again. Part I describes principal propagation between an application frontend running on Microsoft Azure, calling a Web Service deployed to SAP Business Technology Platform (BTP). Part II extends the scenario by propagating the Azure-authenticated user via BTP and SAP Cloud Connector to an SAP Gateway system for displaying the user's data. Part III (this blog post) adds the application layer on top of the infrastructure and shows how to use and configure common platform services in Azure and BTP for principal propagation in the context of a chat bot in Microsoft Teams. A live demo of this scenario is also available on Episode #31 of the great SAP on Azure Video podcast series (starting at min 23:30) from hobruche , goran-condric, and roboban. Part IV uses a “low-code” approach for implementing the chatbot of this part with Microsoft Power Platform, demonstrated in episode #40 of the SAP on Azure Video Podcast series. Part V looks at different aspects for production readiness, such as API management, monitoring and alerting (live demo available on episode #83 in the SAP on Azure video podcast series). Part VI turns the scenario into the opposite direction by propagating the SAP-authenticated user of a BTP business application to call the Microsoft Graph API and retrieve the user’s Microsoft Outlook events. Finally, part VII looks at principal propagation from Microsoft Power Platform to SAP in the context of making Remote Function Calls (RFCs) and using Business Application Programming Interfaces (BAPIs) with the Kerberos protocol. See episode 142 of the SAP on Azure video podcast series for a live demo of this scenario. |
Create message
takes the HTTP header productId
containing the product identifier entered by the user in the conversation with the bot from the incoming request and creates a message header from it. This message header is referenced in the next process step (label Call OData Service
) to pass it as a parameter in the OData call to the backend.@AbapCatalog.sqlViewName: 'ZPRVIEW'
@AbapCatalog.compiler.compareFilter: true
@AbapCatalog.preserveKey: true
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Product view'
@OData.publish: true
define view ZPRODUCTSVIEW as select from SEPM_I_Product {
key ProductUUID,
Product,
ProductType,
ProductCategory,
Price,
Currency,
Height,
Width,
Depth,
DimensionUnit,
ProductPictureURL,
SupplierUUID,
Weight,
WeightUnit
}
SEPM_I_Product
and enforces an authorization check by setting the AccessControl.authorizationCheck
annotation to true
. The corresponding DCL defines a PFCG condition (aspect pfcg_auth
) that associates the CDS element ProductCategory
with the authorizations of the current user for the authorization object S_EPM_PD
. You will configure the authorization object to restrict the user's access to specific product categories in the catalogue, such as Headsets, Tablers or PCs.@EndUserText.label: 'Access control for product category'
@MappingRole: true
define role ZDCLPRODUCTCATEGORY {
grant select on ZPRODUCTSVIEW
where (ProductCategory) = aspect pfcg_auth(S_EPM_PD,
PDCATEGORY, ACTVT = '03');
}
part3
of the blog series GitHub repository with a Git client of you choice:git clone https://github.com/raepple/azure-scp-principal-propagation.git
cd azure-scp-principal-propagation
git checkout part3
Step | Description | Screenshot |
01 | Start Eclipse and click on Open Perspective | ![]() |
02 | Change to the ABAP Perspective | ![]() |
03 | Select Create an ABAP Project | ![]() |
04 | Select a system from the list. As outlined in part II, I am choosing my local instance of the free developer edition for AS ABAP 7.52, SP04, running on Hyper-V. Click Next. | ![]() |
05 | Keep the default connection parameters and click Next. | ![]() |
06 | Enter the login credentials of a user with developer permissions in the system (e.g. user DEVELOPER in the free developer edition). Click Next. | ![]() |
07 | Choose a name for the new project (e.g. ProductSearchService). Click Finish. | ![]() |
08 | In the context menu of your package choose New. Select Other ABAP Repository Object. | ![]() |
09 | Select Data Definition. Click Next. | ![]() |
10 | Enter the name ZPRODUCTSVIEW, and a description (e.g. Product Items). Click Next. | ![]() |
11 | Accept the default transport request (local). Click Next. | ![]() |
12 | Select the Define View template. Click Finish. | ![]() |
13 | Open the file zproductsview.asddls from the Git repository subfolder /SAPGateway . Copy & paste the content into the new Data Definition.Save the file with Ctrl+S. Then click Ctrl+F3 to activate it. | ![]() |
14 | In the context menu of the new ZPRODUCTSVIEW Data Definition, choose New Access Control. | ![]() |
15 | Enter the name ZDCLPRODUCTCATEGORY and choose a description (e.g. DCL for product category). Click Next. | ![]() |
16 | Again, accept the default transport request (local) and click Next. Select the Define Role with PFCG Aspect template. Click Finish. | ![]() |
17 | Open the file zdclproductcategory.asdcls from the Git repository subfolder /SAPGateway . Copy & paste the content into the new Access Control.Save the file with Ctrl+S. Then click Ctrl+F3 to activate it. | ![]() |
18 | Login to the SAP Gateway system with SAP GUI. Start transaction /IWFND/MAINT_SERVICE for activating the new CDS-based OData service. Click Add Service. | ![]() |
19 | Enter Local for the System alias. Enter Z* as the Technical Service Name. Click Get Services. | ![]() |
20 | Activate the checkbox for the service PPRODUCTSVIEW_CDS from the result list. Click Add selected Services. | ![]() |
21 | Enter $TMP for the Package Assignment and activate Enable OAuth for Service. Click OK. | ![]() |
Step | Description | Screenshot |
22 | Start the role maintenance with transaction /nPFCG. Create a new role by entering the name (e.g. PRODUCT_SEARCH). Click Single Role. | ![]() |
23 | Press Ctrl+S to save the new role, then switch to the Authorizations tab. | ![]() |
24 | Click the pencil symbol to change the new role's authorization data | ![]() |
25 | Click Do not select templates. | ![]() |
26 | Select More -> Manual entry of authorization objects | ![]() |
27 | Enter the following authorization objects:
Click OK. | ![]() |
28 | Change the value of the field SRV_NAME from the authorization object S_SERVICE to restrict the user's access to the CDS-based OData Product Search service only. Click on the pencil symbol for the field. | ![]() |
29 | Select TADIR Service from the Type box. In the first row of the table, select object type IWSV and click on the value help to search for the service object name. | ![]() |
30 | Browse through the list and select ZPRODUCTSVIEW_CDS. Click OK. | ![]() |
31 | In the second row of the table, select object type IWSG and click on the value help to search for the service object name. | ![]() |
32 | Browse through the list and select the entry ZPRODUCTSVIEW_CDS_0001. Click OK. | ![]() |
33 | Click Save. | ![]() |
34 | Open the tree view for the fields of the S_EPM_PD authorization object. Change the value of the field PDCATEGORY to limit access to only a selected product category for the user. Click the pencil symbol for the field. | ![]() |
35 | Select a product category (e.g. Flat Screen Monitors) from the list and click OK. | ![]() |
36 | Click Save. | ![]() |
37 | Click on the pencil symbol for the field ACTVT. | ![]() |
38 | Select (03) Display from the list and click Save. | ![]() |
39 | Click Save and confirm the dialog to assign the suggested profile name with OK. | ![]() |
40 | Click Generate to generate the profile. | ![]() |
41 | You can now close the Authorization editor by clicking Exit. | ![]() |
42 | Switch to the User tab. Enter the User ID of your test user (e.g. JDOE from the previous part of the blog series) to assign the new role. Make sure that this user has an e-mail address set in its profile that matches the e-mail address of your Azure AD-logged-in user in Teams. Click Save. | ![]() |
43 | Update the assignments of the role profile to the newly added user by clicking on the button User comparison. Then confirm the dialog with Complete comparison. | ![]() |
44 | The status of the User comparison should now turn to green. Save the role and user assignment. | ![]() |
45 | Click Exit. | ![]() |
Step | Description | Screenshot |
46 | Open the BTP Cockpit in a new browser tab and login with your (trial) account admin. Navigate to your trial account and select Services –> Instances and Subscriptions from the left side navigation menu. Click Create to create the subscription for the integration suite. | ![]() |
47 | Enter "Integration" in the search filed and select Integration Suite with plan trial. Click Create. | ![]() |
48 | Select the new subscription after successful creation and click on Go to Application. | ![]() |
49 | The Integration Suite application opens in a new tab. Click Add Capabilities. | ![]() |
50 | For this scenario you only need to select the first capability for process integration. Click Next. | ![]() |
51 | Click Next on the second step of the wizard. Click Activate to enable the selected capability. | ![]() |
52 | Wait until the status changes to Active. Then close the browser tab. | ![]() |
53 | Back in the previous browser tab, click Create again. | ![]() |
54 | Enter "Process" in the search field and select Process Integration from the results. | ![]() |
55 | Enter or select the following values:
Click Next. | ![]() |
56 | Paste the following JSON snippet into the text field:
Click Create. | ![]() |
57 | Select the newly created instance from the list. Click Create in the Service Keys section. | ![]() |
58 | Enter a name (e.g. "productsearch") for the new service key. Click Create. | ![]() |
59 | Select View from the context menu of the newly created service key. | ![]() |
60 | Download the service key for later use. The credentials included in this file are required by the bot to request the access token from SCP. | ![]() |
61 | Assign yourself the necessary roles to access and use the BTP Integration capabilities. Select Security -> Trust Configuration from the left side navigation menu. Select the Default Identity Provider from the list. | ![]() |
62 | Enter your account admin/user's email address and click Show Assignments. Click Assign Role Collections and select the role collection PI_Administrator from the list. Click Assign Role Collection. Repeat this step for the role collections PI_Business_Expert and PI_Integration_Developer. | ![]() |
63 | Select Instances and Subscriptions from the left side navigation. | ![]() |
64 | Click on the Go to Application icon of the Integration Suite subscription. | ![]() |
65 | The application opens in a new tab. Click on the Process Integration tile. | ![]() |
66 | Click the pencil icon on the left side naviation. | ![]() |
67 | Click Import and select the file ProductSearchIntegrationFlow.zip from the folder SCP of the cloned Git repository. | ![]() |
68 | Click on the imported content package for the Product Search Integration Flow. | ![]() |
69 | Select the tab Artifacts and click on the Product Search integration flow. | ![]() |
70 | Click Deploy to create a new process instance. | ![]() |
71 | Switch to the Operations view by clicking on the eye icon. Wait until the tile for processes in state Started shows the count 1. | ![]() |
Step | Description | Screenshot |
72 | In the BTP Cloud Cockpit browser tab, navigate to Security - Role Collections in the left side navigation. Select Application User from the ist. | ![]() |
73 | Click Edit. | ![]() |
74 | Click the value help for the new role name. | ![]() |
75 | Select MessagingSend from the list of Role Name. Activate the checkbox for the new entry in the table and click Add. | ![]() |
76 | Click Save to update the existing Role Collection. | ![]() |
Step | Description | Screenshot |
77 | Login to the Azure Portal and move over the Resource groups icon. Click on the + Create button to create a new resource group for the bot resources. | ![]() |
78 | Enter ProductSearchBotRG as the name for the new resource group and a region closest to you. Click Review + create. Upon successful validation, click Create. | ![]() |
79 | After a few seconds, click on the Notification icon and Go to resource group | ![]() |
80 | Click + Add to create a new resource in the group. | ![]() |
81 | Start searching for the new resource by entering "Bot" in the search field. Select Bot Channels Registration from the list. | ![]() |
82 | Click Create | ![]() |
83 | Enter the following data for the new Bot registration:
Click on Microsoft App ID and Password at the end of the form to avoid the automatic creation of an Azure AD app registration for the new bot. You will reuse the existing app registration from part I (step 16ff). | ![]() |
84 | Click + Create New | ![]() |
85 | Enter the following values:
If you don't have these values any more, repeat steps 16 to 20 from part I. Just as a reminder, you may have them also stored in your Postman collection configuration. Click OK. | ![]() |
86 | Click Create. | ![]() |
87 | After a few seconds, click on Go to resource in the notifications. | ![]() |
88 | Select Configuration from the left navigation menu and click on the Manage link to open your bot's Azure AD application registration. | ![]() |
89 | Select Authentication from the left side menu and click on Add URI. | ![]() |
90 | Enter the value https://token.botframework.com/.auth/web/redirect in the field. This is the authorization callback URL used by the bot to receive the token from Azure AD. Click Save. | ![]() |
91 | Select Expose an API from the left-side navigation. Click on the pencil symbol to edit the Application ID URI. Change the URI to api://botid-<AAD client id> Save the changes. | ![]() |
92 | Click + Add a client application | ![]() |
93 | Add the client id 1fec8e78-bce4-4aaf-ab1b-5451cc387264 to the list. This is the id of the Teams mobile/desktop application. By adding it here you will avoid that users in Teams are asked to give their consent when using the Product Search Bot application. Click Add application. | ![]() |
94 | Repeat the previous step and add the client id 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 for the Teams web application. | ![]() |
95 | Close the Expose an API settings to go back to the bot configuration. | ![]() |
96 | Click the Add setting button. | ![]() |
97 | Enter or select the following values:
Click Save. | ![]() |
98 | Test the new connection by selecting it again from the list | ![]() |
99 | Click on Test Connection | ![]() |
100 | As a result you should see a successful login confirmation. If you are interested in the token content, copy the token value in the clipboard and analyse its content at https://aka.ms/jwt. Close the tab. | ![]() |
101 | Select Channels from the left side navigation and click on the Teams tile to add a new channel for Microsoft Teams to your bot. | ![]() |
102 | Click Save to add the new channel and confirm the Terms of Use. | ![]() |
Step | Description | Screenshot |
103 | Start Visual Studio Code. Select File -> Open Folder... from the menu and open the subfolder /ProductSearchBot containing the bot source code from the directory where you cloned the Git repository. | ![]() |
104 | Run a build task to compile the bot sources by pressing Ctrl+Shift+B. Select Build from the list. | ![]() |
105 | Open the file appsettings.json from the root of the /ProductSearchBot directory.Replace the <placeholders> in the file appsettings.json with the following values:
Press Ctrl+S to save the changes to the file. | ![]() |
106 | Open the file manifest.json from the subfolder /TeamsAppManifest and replace all <placeholders> for <AAD bot app client id> with the value from step 23 of part I of the blog series.Note: This is the same value used for the MicrosoftAppId setting in the previous step. Press Ctrl+S to save the changes to the file. | ![]() |
107 | Go back to your web browser tab in the Azure Portal and select your ProductSearchBotRG resource group from the lop-level navigation | ![]() |
108 | Create a new App Service resource to deploy the bot in Azure. Click + Add. | ![]() |
109 | Enter "Web App" in the search field and select Web App from the search results | ![]() |
110 | Click Create. | ![]() |
111 | Enter or select the following values for the new Web App resource:
Click Review + create. Click Create. Wait until the deployement has finished. | ![]() |
112 | Open the notifications and click Go to resource | ![]() |
113 | In the App Service Overview, click Copy to clipboard for the URL. | ![]() |
114 | Select CORS from the left side navigation. Enter the following URLs to the list of allowed URLs: Click Save. | ![]() |
115 | Select Overview from the left side navigation. Navigate back to the ProductSearchBotRG Resource Group for the Bot. | ![]() |
116 | Select your Bot Channel Registration from the resource group. | ![]() |
117 | Select Configuration from the left side navigation. Paste the URL from the clipboard in the field Messaging endpoint. Append the path /api/messages to it. Click Apply. | ![]() |
118 | Open a command prompt or new Terminal in Visual Studio Code, and change to the subdirectory /ProductSearchBot of your cloned Git repository.Login to Azure with the Azure CLI command az login .A browser window opens to process the login. | ![]() |
119 | Upon successfull login, use a ZIP tool of your choice to compress the subdirectory /ProductSearchBot in a ZIP-file (ProductSearchBot.zip ). | ![]() |
120 | Deploy the ZIP file to your App Service instance with the command az webapp deployment source config-zip --resource-group "ProductSearchBotRG" --name "<YourCompany>ProductSearchBot" --src "./ProductSearchBot.zip" Make sure that you replace <YourCompany> in the name parameter of the command with the name chosen in step 57.Wait until the deployment is completed. | ![]() |
Step | Description | Screenshot |
121 | In the command prompt, change to the subfolder /TeamsAppManifest of the ProductSearchBot.Use your ZIP tool to compress the three files in a ZIP-file ( manifest.zip ). | ![]() |
122 | Login to Teams Admin Center with your M365 administrator account. Select Teams apps - Manage apps from the left side navigation. | ![]() |
123 | Click + Upload. In the dialog windows, click Select a file. Select the manifest.zip file you created in step 121. | ![]() |
124 | Upon successful upload you should see the confirmation that the Product Search Bot has been added to the apps catalogue. | ![]() |
125 | Open your Teams desktop app. If it is not installed yet you can download it from here. Login with the credentials of your test user in Azure AD. Note: This user must have an email address in Azure AD matching the user's email address in the SAP backend system. | ![]() |
126 | Click the Apps icon. | ![]() |
127 | Select the tile for the Product Search Bot app. | ![]() |
128 | Click Add. | ![]() |
129 | The bot starts with a welcome message. Follow the instructions and type anything in the chat (e.g. "Hi there!") The bot confirms that your are (single) signed-on based on your existing login to Teams. Confirm the question to show your Azure AD token with Yes. | ![]() |
130 | The Base64-encoded access token is shown in the chat. Answer the question on which product to look for with the input HT-1000 | ![]() |
131 | The bot replies that no products were found. HT-1000 is a product in the Notebooks product category. However, the user assigned to the PRODUCT_SEARCH role in the backend only has access to the Flat Screen Monitor products. You will extend the authorizations of the user now in the backend to also lookup Notebooks from the catalogue. | ![]() |
132 | In the SAP Gateway system,start transaction PFCG and navigate to the authorization settings of role PRODUCT_SEARCH. See steps 22ff for more detail. | ![]() |
133 | Select Notebooks in the second row of this table. Click OK. | ![]() |
134 | Update the authorizations by (re-)generating the profiles. | ![]() |
135 | Continue with the chat flow. This time click No when being asked to orint out the access token. | ![]() |
136 | Again, enter the product name "HT-1000" in the textfield. | ![]() |
137 | Thits time the bot shows the result from the query. This proves that the user has been single-signed on through Teams at the Bot and successfully propagated via CPI to the backend. There the DCL kicked in when calling the CDS-based OData Service and ensured that the user can only view products from categories she is allowed to access. | ![]() |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
10 | |
7 | |
7 | |
7 | |
5 | |
5 | |
5 | |
4 | |
4 | |
4 |