SAP Best Practices integrations have already been preloaded into your SAP S/4HANA Cloud system as Communication Arrangements. The set-up instructions found in SAP Signavio Process Navigator, or instructions provided in the SAP Help Portal will provide the details about the prerequisites (e.g. access to other productive systems required for integration, authorizations, etc.), the Communication Arrangement ID, and how to set up and name the Communication User and Communication System(s) involved in the arrangement.
Note
You can check which role is required for your business user to access an application on the Fiori launchpad by looking up the relevant app in the SAP Fiori Apps Reference Library.
Create a Communication User
The Communication User is created to define how the Communication System will be authenticated when sending messages to, or receiving messages from, another system. This is a technical user, meaning not an actual person within the organization. Within the app, Maintain Communication Users, you create a name (all capitals, no spaces) and description for the user, and either enter your own password, have the system propose a complex password, or upload a security certificate. It's not necessary to have both a password and security certificate; these are different types of authentication. The set-up instructions typically recommend a name to use, and if a certificate is required, how to generate the certificate from another system.
The Communication User covers two types of authentication:
- Basic Authentication - Manually defined technical user name and password.
- Authentication with Certificate - Secure Socket Layer (SSL) certificate generated from the sending or receiving system.
- For example, you can generate an X509 certificate from SAP SuccessFactors Employee Central and upload the certificate to the Communication User in SAP S/4HANA Cloud for one type of HR integration scenario.
Create a Communication System - Inbound Communication
The Communication System is created to define technical information about the system sending or receiving data, and how the messages will be authenticated.
For inbound communication scenarios, data is being received into SAP S/4HANA Cloud from an external system. You can select the checkbox in the Technical Data section → Inbound Only, which hides fields and sections that aren't necessary for inbound communication scenarios, such as the Host Name. You will still need to assign a User for Inbound Communication to provide authentication. The set-up instructions from SAP Signavio
Create a Communication System - Outbound Communication
For outbound communication scenarios, the Technical Data section is important, because the details entered here and the User for Outbound Communication are used to register the sending system with the external receiving system. Outbound communication often requires a more stringent level of authorization. Depending on the integration scenario, you may not need to create a Communication User through the Maintain Communication Users app, because OAuthentication (OAuth) token-based authorizations can only be defined in the Communication System itself.
OAuth is an open standard for applications and websites to handle authorization. Instead of using passwords, OAuth uses authorization tokens to prove an identity between systems exchanging data. It allows you to approve on application interacting with another on your behalf without giving away a password. These types of OAuth can be defined in the Communication System:
- Authentication with OAuth 1.0
- Authentication with OAuth 2.0
- Authentication with OAuth 2.0 mTLS (mutual Transport Layer Security)
For example, in a different HR integration scenario between SAP SuccessFactors Employee Central and SAP S/4HANA Cloud, you subscribe to the Master Data Service on SAP Business Technology Platform (BTP) and generate a Service Key. The Service Key provides certain credentials (clientid, clientsecret, url, uri) you enter in the Technical Data section of the Communication System. This creates a secure connection between SAP S/4HANA Cloud and the Master Data Integration Service on SAP BTP.
Note
Get a deeper understanding of OAuth in this SAP Blog: Fundamentals of Security in SAP BTP.
Create a Communication Arrangement
Finally, you create the Communication Arrangement defined in the set-up instructions from SAP Signavio Process Navigator or the SAP Help Portal and attach the Communication System. Because the Communication System already has a Communication User attached, both are pulled into the arrangement. The Communication Arrangement defines exactly what inbound and/or outbound messages are being received or sent from the Communication System. Some arrangements have additional parameters you can use to control the data being received/sent, and for outbound communication, you may be able to define a schedule and/or package size for the data. After entering the required information and saving the arrangement, it will be activated. If you have been following set-up instructions for a business process and have configured the rest of the process, now is the time to complete the test script to verify the end-to-end process functions as expected.
