Technology Blogs by SAP
quovadis
Product and Topic Expert







OAuth2SAMLBearerAssertion










This brief showcases the SAP SuccessFactors extensibility service when used directly from the SAP BTP, Kyma runtime environment.




Please check the code sample below:


SAP SuccessFactors extensibility service comprises SuccessFactors ODATA api-access automation and SSO configuration service plans, as documented here:

Putting it all together


Here goes the agenda for this brief.











main course coffee corner





api-access automation service plan
















Register an SAP SuccessFactors System in a Global Account in SAP BTP.




The system registration is done on a SAP BTP Global Account level.


The generated system registration token needs to be added in the SFSF Extension Center to complete the registration process. From now on, the SFSF system will be known to all sub-accounts under its symbolic system name.


You can register the same SFSF system with several SAP BTP Global Accounts at a time. Likewise you may register several SFSF systems with one single SAP BTP Global Account.


Configure the Entitlements for the SAP SuccessFactors Extensibility Service




These extensibility service plans will be added automatically to every sub-account of the global account. But you will need to entitle them before being able to use them.

Then you can look up the service in the service market place as follows:




Create a Service Instance to Consume the SAP SuccessFactors HXM Suite OData API




With sap-successfactors-extensibility service entitled on a BTP sub-account level you can start creating service instances with the api-access plan with Kyma runtime.

Each service instance will result in creating:

  • a separate OAuth2 client application on SFSF side and

  • a separate destination definition on a BTP sub-account level.


Please note the externalName is the destination name!

apiVersion: services.cloud.sap.com/v1
kind: ServiceInstance
metadata:
  name: quovadis-sap-jwt
  labels:
    app.kubernetes.io/name: sap-successfactors-extensibility
  annotations: {}
  namespace: <namespace>
spec:
  serviceOfferingName: sap-successfactors-extensibility
  servicePlanName: api-access
  externalName: Quovadis-SAP-JWT  ### destination name
  parameters:
    systemName: SFPART058654  ### SAP BTP Global Account system name


Two api-access instances (shown above) have two corresponding OAuth2 client applications as depicted below:

Good to know:




  • When you dispose of a service instance, both the SFSF-side OAuth2 client and the BTP-side destination definition will be removed.

  • Furthermore, you can leverage the btp service operator multi-tenancy and use other namespaces of your Kyma cluster to implement SFSF automation against a different BTP sub-account, either within the same Global Account or belonging to a different Global Account.



sso-configuration service plan










Configure Single Sign-On Between a Subaccount in SAP BTP and SAP SuccessFactors






Quoting SAP Help:
SAP BTP supports the following authentication scenarios for SAP SuccessFactors:


  • OData access with OAuth 2.0 SAML bearer assertion




  • OData access with OAuth 2.0 SAML bearer assertion with technical user





Steps




  1. Configure SAP SuccessFactors as a Trusted Identity Provider in SAP BTP.

  2. Configure the Subaccount as a Trusted Service Provider in SAP SuccessFactors.


Good to know:

  • If you use OAuth2SAMLBearerAssertion with the technical user, you can skip the sso-configuration part.

  • The SSO configuration is between an SFSF system and a BTP sub-account.



Destinations testing using a managed approuter on a BTP subaccount level


Given that the destinations have been created at the BTP sub-account level, and assuming there is a managed approuter instance on the same sub-account, we can leverage the approuter dynamic_dest construct as follows:

https://<tenant>.launchpad.cfapps.<region>.hana.ondemand.com/dynamic_dest/Quovadis-SAP-JWT/odata/v2/...














Conclusion


The SAP BTP automation makes it easy to set up integrations between SAP LOB applications and the SAP BTP platform.

SAP BTP, Kyma runtime together with the btp service operator allows for out-of-the-box automation multi-tenancy. For instance, you can deploy the same set of SFSF destinations to different subscribers (different BTP sub-accounts) to cater for geographical proximity, etc.

The Cloud Application Programming model provides a productivity framework to help create beautiful business applications with the BTP runtimes you want.

Now it's time to shine and create this kyma app you always wanted to make.

Please share your feedback and continue reading through to the coffee corner below...




 

Coffee corner


Build a SAP SuccessFactors app on Kyma runtime with SAP CAP framework.










Indeed, CAPire is a popular cloud programming framework with SAP BTP runtime environments.

There are plenty of public code samples of CAP applications for both the CF and Kyma runtimes. There are also many blogs and tutorials, and excellent CAP documentation.

So what about using a wizard, a code generator to help scaffold a minimal viable CAP application and even deploy it straight away to your kyma cluster?

Let's use the following CAP code generator (VScode or terminal):

Please get familiar with the wizard's documentation. There are also hands-on video tutorials here.

To help you get started, please find the prompt values for a minimal viable CAP application with Kyma runtime using SAP SuccessFactors Recruiting and SAP SuccessFactors Employee Central external APIs:

sfk8s with terminal


$ yo saphanaacademy-cap

prompt value
? What project name would you like? sfk8s
? Would you like to create a new directory for this project? Yes
? What is the display name of your app? sfk8s
? What is the description of your app? sfk8s
? Which runtime will you be deploying the project to? SAP BTP, Kyma runtime
? What SAP BTP, Kyma runtime namespace will you be deploying to? <namespace>
? What is your Docker ID? <docker_id>
? What is your Docker repository name? Leave blank to create a separate repository for each microservice. <docker_repo_name>
? What is your Docker repository visibility? Private (Only visible to you)
? What is the name of your Docker Registry Secret? It will be created in the namespace if you specify your Docker Email Address and Docker Personal Access Token or Password. docker-registry-config
? What is your Docker Server URL? https://index.docker.io/v1/
? What is your Docker Email Address? Leave blank if your Docker Registry Secret already exists in the namespace. <docker hub user email address>
? What is your Docker Personal Access Token or Password? Leave blank if your Docker Registry Secret already exists in the namespace. <docker hub user password/token>
? What is the path of your Kubeconfig file? Leave blank to use the KUBECONFIG environment variable instead. /Users/<username>/.kube/kubeconfig--team-kyma.yaml
? How would you like to build container images? Paketo (Cloud Native Buildpacks)
? Will you be using an existing SAP HANA Cloud HDI Container? If so please enter the HDI Container service instance name here or leave blank for none.
? Will you be using an existing SAP HANA Cloud schema? If so please enter the schema name here or leave blank for none. Note: schema names in mixed case are case sensitive!
? Would you like to create an entity with SAP HANA Cloud persistence? No
? Would you like to use an external API? Yes
? Which external API(s) would you like to use? SAP SuccessFactors Recruiting, SAP SuccessFactors Employee Central
? What is the name of your SAP SuccessFactors Extensibility service instance (api-access plan)? Leave blank for the SAP API Business Hub sandbox. Quovadis-SAP
? What is your API Key for the SAP API Business Hub sandbox? ********************************
? Would you like authentication? Yes
? Would you like authorization? Yes
? Would you like to configure an App2App authorization scenario? No
? Would you like to enable OData v2 support? No
? Would you like a UI? Yes
? Would you like to use the HTML5 Application Repository? No
? Will you be using a wildcard custom domain (eg: apps.domain.com)? If so please enter the custom domain name here. Leave blank to use the platform default. <shoot>.kyma.ondemand.com
? What is the gateway for the custom domain in your SAP BTP, Kyma runtime? kyma-gateway.kyma-system.svc.cluster.local
? Would you like to configure external session management (using Redis)? No
? Would you like to include an additional backend service using SAP Cloud Application Programming Model? No
? Would you like to include an additional backend service using regular Node.js? No
? Would you like to enable messaging with SAP Event Mesh? No
? Would you like to enable Continuous Integration and Delivery (CI/CD)? No
? Would you like to enable GraphQL? No
? Would you like to enable a Swagger UI? No
? Would you like to build and deploy the project immediately? No

The prompt values are purely for guidance. Feel free to alter your answers and then inspect and amend the generated code.
📦srv
┣ 📂external
┃ ┣ 📜ECEmploymentInformation.csn
┃ ┣ 📜ECEmploymentInformation.edmx
┃ ┣ 📜RCMCandidate.csn
┃ ┗ 📜RCMCandidate.edmx
┣ 📜Dockerfile
┣ 📜catalog-service.cds
┗ 📜catalog-service.js


📦app
┣ 📂resources
┃ ┣ 📂html5
┃ ┃ ┗ 📂webapp
┃ ┃ ┃ ┣ 📜index.html
┃ ┃ ┃ ┗ 📜map.html
┃ ┗ 📜index.html
┣ 📜Dockerfile
┣ 📜package.json
┗ 📜xs-app.json



You can test your project locally from the command line as follows:
cd sfk8s
cds watch

You can build and deploy your project as follows or use a CI/CD pipeline:
cd sfk8s
make docker-push
make helm-deploy

Before compiling the CAP project, let's make sure we use Node.js 18 and the latest versions of some of the SAP libraries, for instance:

package.json
{
  "name": "sfk8s",
  "version": "0.0.1",
  "repository": "<Add your repository here>",
  "license": "UNLICENSED",
  "description": "sfk8s",
  "engines": {
    "node": "^18"
  },
  "dependencies": {
    "@sap/cds": "^6.8",
    "@sap/audit-logging": "^5",

    "@sap-cloud-sdk/http-client": "latest",
    "@sap/xsenv": "latest",
    "@sap/xssec": "latest",

............

      ,
      "RCMCandidate": {
        "kind": "odata-v2",
        "model": "srv/external/RCMCandidate",
        "credentials": {
          "[production]": {
            "destination": "Quovadis-SAP",
            "path": "odata/v2"
          },
          "[development]": {
            "url": "https://sandbox.api.sap.com/successfactors/odata/v2"
          }
        }
      }
      ,
      "ECEmploymentInformation": {
        "kind": "odata-v2",
        "model": "srv/external/ECEmploymentInformation",
        "credentials": {
          "[production]": {
            "destination": "Quovadis-SAP",
            "path": "odata/v2"
          },
          "[development]": {
            "url": "https://sandbox.api.sap.com/successfactors/odata/v2"
          }
        }
      }
    }
  }
}
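
Because the externalName of each api-access service instance is the destination name, the "destination" values under "[production]" above must match an externalName exactly. The following check is an added example, not code from the generator or from this blog's project: resolveProfile and auditRequires are hypothetical helpers, the profile merge is a simplified model of how CAP applies "[profile]" keys, and the sample input is constructed.

```javascript
// Added example: cross-check CAP destination references against ServiceInstance externalName values.
// Assumption (simplified model of CAP profiles): a key written as "[profile]"
// is merged over its parent object when that profile is active.
function resolveProfile(node, profile) {
  if (node === null || typeof node !== "object" || Array.isArray(node)) return node;
  const out = {};
  const overlays = [];
  for (const [key, value] of Object.entries(node)) {
    const m = /^\[(.+)\]$/.exec(key);
    if (!m) out[key] = resolveProfile(value, profile);
    else if (m[1] === profile) overlays.push(resolveProfile(value, profile));
  }
  return Object.assign(out, ...overlays);
}

// Returns one finding per remote service whose effective credentials are
// not backed by a known BTP destination for the given profile.
function auditRequires(requires, knownDestinations, profile) {
  const findings = [];
  for (const [name, svc] of Object.entries(requires)) {
    if (!svc || !svc.credentials) continue;
    const cred = resolveProfile(svc.credentials, profile);
    if (cred.destination === undefined) {
      findings.push(`${name}: no destination for profile "${profile}" (url=${cred.url})`);
    } else if (!knownDestinations.includes(cred.destination)) {
      findings.push(`${name}: destination "${cred.destination}" matches no externalName`);
    }
  }
  return findings;
}

// Constructed sample input, modelled on the fragments shown on this page.
const externalNames = ["Quovadis-SAP", "Quovadis-SAP-JWT"];
const sandbox = { url: "https://sandbox.api.sap.com/successfactors/odata/v2" };
const requires = {
  RCMCandidate: { kind: "odata-v2", credentials: {
    "[production]": { destination: "Quovadis-SAP", path: "odata/v2" },
    "[development]": sandbox } },
  ECEmploymentInformation: { kind: "odata-v2", credentials: {
    "[production]": { destination: "quovadis-sap", path: "odata/v2" }, // constructed typo
    "[development]": sandbox } },
};

console.log(auditRequires(requires, externalNames, "production"));
```

Run against the development profile, the same check reports both services, since they call the sandbox URL directly instead of going through a destination.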

Time to build the project...

It may take several minutes to build, and may even take longer if this is the first time you are using the buildpacks...
$ cd sfk8s/
$ make docker-push
cds build --production
[cds] - the following build tasks will be executed
[cds] - {
"build": {
"target": "gen",
"tasks": [
{"for":"nodejs", "src":"srv", "options":{"model":["srv","app","srv/external/RCMCandidate","srv/external/ECEmploymentInformation"]}}
]
}
}

[cds] - building project [/Users/<username>/.kube/sfk8s], clean [true]
[cds] - cds [6.8.1], compiler [3.9.2], home [/Users/<user name>/.kube/sfk8s/node_modules/@sap/cds]

[cds] - done > wrote output to:
gen/srv/package-lock.json
gen/srv/package.json
gen/srv/srv/Dockerfile
gen/srv/srv/catalog-service.js
gen/srv/srv/csn.json
gen/srv/srv/external/ECEmploymentInformation.edmx
gen/srv/srv/external/RCMCandidate.edmx

[cds] - build completed in 1496 ms

pack build <docker_id>/<docker_repo>:sfk8s-srv -p gen/srv -B paketobuildpacks/builder:base
....................

📦gen
┗ 📂srv
┃ ┣ 📂srv
┃ ┃ ┣ 📂external
┃ ┃ ┃ ┣ 📜ECEmploymentInformation.edmx
┃ ┃ ┃ ┗ 📜RCMCandidate.edmx
┃ ┃ ┣ 📜Dockerfile
┃ ┃ ┣ 📜catalog-service.js
┃ ┃ ┗ 📜csn.json
┃ ┣ 📜package-lock.json
┃ ┗ 📜package.json

Eventually all the project artefacts have been built and pushed to the docker repository....

Let's deploy it to the Kyma runtime environment:
📦helm
┣ 📂sfk8s-app
┃ ┣ 📂templates
┃ ┃ ┣ 📜NOTES.txt
┃ ┃ ┣ 📜_helpers.tpl
┃ ┃ ┣ 📜apirule.yaml
┃ ┃ ┣ 📜configmap.yaml
┃ ┃ ┣ 📜deployment.yaml
┃ ┃ ┗ 📜service.yaml
┃ ┣ 📜.helmignore
┃ ┣ 📜Chart.yaml
┃ ┗ 📜values.yaml
┗ 📂sfk8s-srv
┃ ┣ 📂templates
┃ ┃ ┣ 📜NOTES.txt
┃ ┃ ┣ 📜_helpers.tpl
┃ ┃ ┣ 📜apirule.yaml
┃ ┃ ┣ 📜binding-dest.yaml
┃ ┃ ┣ 📜binding-uaa.yaml
┃ ┃ ┣ 📜configmap.yaml
┃ ┃ ┣ 📜deployment.yaml
┃ ┃ ┣ 📜service-dest.yaml
┃ ┃ ┣ 📜service-uaa.yaml
┃ ┃ ┗ 📜service.yaml
┃ ┣ 📜.helmignore
┃ ┣ 📜Chart.yaml
┃ ┗ 📜values.yaml

$ make helm-deploy
helm upgrade -n team-kyma -i sfk8s-srv helm/sfk8s-srv --install --kubeconfig /Users/<username>/.kube/kubeconfig--team-kyma.yaml
Release "sfk8s-srv" does not exist. Installing it now.
NAME: sfk8s-srv
LAST DEPLOYED: *************
NAMESPACE: team-kyma
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Thank you for installing sfk8s-srv. Your release is named sfk8s-srv and was deployed to the namespace team-kyma.
helm upgrade -n team-kyma -i sfk8s-app helm/sfk8s-app --install --kubeconfig /Users/<username>/.kube/kubeconfig--team-kyma.yaml
Release "sfk8s-app" does not exist. Installing it now.
NAME: sfk8s-app
LAST DEPLOYED: *************
NAMESPACE: team-kyma
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Thank you for installing sfk8s-app. Your release is named sfk8s-app and was deployed to the namespace team-kyma.

As a result, the following Kyma cluster resources get created automatically:



And last but not least, the API rules that expose the frontend app and the backend service to the public internet:


Access to app and srv is protected with the BTP SAP ID service. Please make sure to assign the sfk8s application role collection(s) to all business users who should be granted access to the application. This is done from the BTP sub-account cockpit or with the btp cli.

Failure to do so will result in a Forbidden error message.


Now it's time to run the frontend app:


 

Last but not least, the deployment clean-up:
$ make helm-undeploy





Troubleshooting SFSF ODATA API access




To register an SFSF system with a BTP Global Account, you must grant the admin user the following permissions:

  • Admin access to MDF OData API

  • Create Integration with SAP BTP






















Permission Role List



Permission Role Detail




You need to pick a permission role (the one which your admin user has been assigned to) and make sure it has the required permissions.



I have chosen a System Admin role as the sfadmin user has this role assigned.


Create Integration with SAP BTP



Admin access to MDF OData API



The OData API Candidate Export role permission must be assigned to the business user that is about to call SAP SuccessFactors Recruiting ODATA API via a BTP destination:



more than words...







Video tutorials













__________

SAP Kyma Community and SAP BTP, Kyma runtime Q&A Tags

Follow me in SAP Community: piotr.tesny