Configuring the Deployment Subaccount

Objective

After completing this lesson, you will be able to set up the deployment environment to prepare for deploying and hosting your SAP Fiori application

Steps to Configure the Deployment Subaccount

The SAP BTP, Cloud Foundry environment provides a flexible runtime for building polyglot cloud applications, supporting multiple languages, runtimes, and services. It contains the SAP BTP, Cloud Foundry runtime, which is based on the open-source application platform managed by the Cloud Foundry Foundation.

Before you can deploy and host the SAP Fiori application you developed, you must perform several steps to configure the deployment subaccount. These steps will help you to set up the deployment environment and ensure that the necessary services and configurations are in place for hosting the application.

The steps include the following:

The six steps involved in configuring the deployment subaccount as outlined in the following text.
  1. Create a subaccount for isolated deployment environment.
  2. Enable SAP BTP, Cloud Foundry environment.
  3. Configure Principal Propagation.
  4. Configure Trust between the SAP Authorization and Trust Management service and Identity Authentication service for the business user.
  5. Subscribe to SAP Build Work Zone, standard edition for managed router and add and assign users and roles.
  6. Add the SAP Authorization and Trust Management service application plan to the subaccount.

This lesson will demonstrate how you can perform each of these steps.

Step 1: Creating a Subaccount for Isolated Deployment Environment

The six steps involved in configuring the deployment subaccount with the first step highlighted: Create a deployment subaccount.

The first step is to create a subaccount for isolated deployment environment to deploy and host the SAP Fiori application that you have developed. To create the subaccount, perform the following actions:

Complete the three steps outlined in the following text on the Account Explorer screen.
  1. Navigate to the Account Explorer section in the SAP BTP global account.
  2. Choose Create.
  3. Select Subaccount from the dropdown list. Complete the three steps outlined in the following text in the Create Subaccount pop-up window.
  4. In the pop-up window, enter a Display Name.
  5. Select a region.
  6. To provision the subaccount, choose Create. When the Creation Pending progress bar disappears, you can enter the subaccount.
  7. To enter the subaccount, select the subaccount when the progress bar is gone.

Step 2: Enabling the SAP BTP, Cloud Foundry Environment

The six steps involved in configuring the deployment subaccount with the second step highlighted: Enable SAP BTP, Cloud Foundry environment.

The next step is to enable the SAP BTP, Cloud Foundry environment to deploy and host the SAP Fiori application. However, before you can do this, you need to check that the subaccount has an entitlement for the SAP BTP, Cloud Foundry environment.

The following video shows how to:

  • Add the entitlement, if it hasn’t already been added.
  • Enable the SAP BTP, Cloud Foundry environment.

Step 3: Configuring Principal Propagation

The six steps involved in configuring the deployment subaccount with the third step highlighted: Configure Principal Propagation.

In the previous unit, you configured Principal Propagation in the SAP Business One Extension Single Sign On Manager. This was to enable the SAP BTP development subaccount’s SAP Authorization and Trust Management service to set up Principal Propagation in the development environment.

In this step, you need to replicate this procedure for the SAP BTP Deploy subaccount to enable Principal Propagation in the deployment environment. As a reminder, here is a summary of the steps to enable this:

Complete the four steps outlined in the following text in the SAP Business One Extension Single Sign-On Manager.
  1. From the SAP Business One Extension Single Sign On Manager, go to Principal PropagationIdentity Providers.
  2. Choose Register.
  3. Complete the registration for a new Identity Provider based on the following parameters:
    • Name: Name of SAP Authorization and Trust Management service.
    • Discovery Endpoint: Discovery URL of the SAP BTP Deploy subaccount’s SAP Authorization and Trust Management service- https://<BTP Deploy subaccount subdomain>.authentication.<region>.hana.ondemand.com/.well-known/openid-configuration
  4. Choose Save and Confirm. Complete the five steps outlined in the following text in the Tenant Binding pop-up window.
  5. To bind the registered IDP with companies which you want the SAP BTP applications to connect with, go to Principal Propagation  Tenants.
  6. Choose + Bind.
  7. Select the Identity Provider you just registered.
  8. Select the tenants you want to bind.
  9. Choose Save.
  10. Copy one company ID that you want the SAP BTP application to connect with. The Company ID will be used on the SAP BTP destination configuration.

Note

Maintain the same destination names as in the Dev subaccount. Because the developed SAP Fiori application uses a fixed destination name in the manifest.json file, it is essential to keep the destination name consistent. You can also implement code to dynamically read and use the destination within an SAP BTP subaccount.

If your target SAP Business One system URL for SAP BTP Deploy subaccount is different from that of the SAP BTP Dev subaccount, adjust the URL accordingly.

Step 4: Configuring Trust with Identity Authentication Service

The six steps involved in configuring the deployment subaccount with the fourth step highlighted: Configure Trust with Identity Authentication service.

The next step is to configure Trust between SAP Authorization and Trust Management service and Identity Authentication service for the business user.

The SAP Authorization and Trust Management service acts as the central infrastructure component of the SAP BTP, Cloud Foundry environment for the business user authentication and authorization.

By establishing a Trust configuration between SAP BTP account’s SAP Authorization and Trust Management service and the Identity Authentication service, business users can be authenticated to services in the SAP BTP subaccount.

Step 5: Configuring Managed Router and Users

Configure Managed Router and Users

The six steps involved in configuring the deployment subaccount with the fifth step highlighted: Configure managed router and users.

An application router is required for applications in SAP BTP, Cloud Foundry environment as it acts as the central entry point handling authentication, routing, and secure access to backend services. By using SAP Build Work Zone, standard edition as the managed application router, you can handle these tasks without needing to build and run your own application router in SAP BTP, Cloud Foundry environment.

In this video, you’ll learn how to subscribe to SAP Build Work Zone, standard edition for managed router. In preparation for the next lesson (on how to build and deploy your SAP Fiori application to the SAP BTP Deploy subaccount), this video will also show you how to add a business user and assign the SAP Build Work Zone Administrator role.

Step 6: Adding the SAP Authorization and Trust Management Service Application Plan to the Subaccount

The six steps involved in configuring the deployment subaccount with the fifth step highlighted: Configure managed router and users..

When deploying an application from SAP Business Application Studio (which you’ll learn how to do in the next lesson), it is deployed to a designated space within the SAP BTP, Cloud Foundry environment of the SAP BTP subaccount, with the required service instances created automatically. For example, sapb1businesspartners-xsuaa-srv relies on the SAP Authorization and Trust Management service with the application plan to manage authentication, authorization, and integration with external identity providers. For these service instances to be created, the Entitlements for the corresponding services must be pre-configured in the SAP BTP subaccount. Otherwise, the deployment may fail, as shown in the following error message:

Error creating or updating service instance: Could not create service"sapb1businesspartners-xsuaa-srv" : Service plan application not found.

The SAP Destination Service (lite plan) and HTML5 Application Repository (app-host) have entitlements by default. However, the SAP Authorization and Trust Management service (application) does not. Therefore, the final step for configuring the deployment subaccount is to add the SAP Authorization and Trust Management service application plan to the SAP BTP Deploy subaccount. To do this, perform the following actions:

Complete the three steps outlined in the following text on the Entitlements screen in the SAP BTP Subaccount.
  1. Navigate to the Entitlements section.
  2. In the search bar, enter XSUAA.
  3. If no service is found, choose Edit. The Add Service Plans button is highlighted on the Entitlements screen in the SAP BTP Subaccount
  4. Choose Add Service Plans. Complete the four steps outlined in the following text in the Add Service Plans pop-up window.
  5. In the search bar in the pop-up window, enter XSUAA.
  6. Select Authorization and Trust Management Service.
  7. Select an application plan.
  8. Choose Add 1 Service Plan.
  9. To apply the change, choose Save.

Log in to track your progress & complete quizzes

Learning

SAP FacebookSAP YoutubeSAP LinkedIn