Setting up an SAP BTP Destination for Service Layer

Objective

After completing this lesson, you will be able to set up an SAP BTP Destination for Service Layer.

Configure Trust Between the SAP Authorization and Trust Management Service and Identity Authentication Service

In this lesson, you’ll learn how to set up an SAP BTP destination for Service Layer. However, before you can configure this, an administrator must enable a business user from Identity Authentication service to authenticate the SAP BTP application for an end-to-end identity flow.

Diagram illustrating the authentication flow in SAP BTP. A business user authenticates through Identity Authentication service, which establishes a trust relationship with the SAP Authorization and Trust Management service. The SAP BTP application accesses the SAP Business One Service Layer through a destination.

This is achieved by establishing trust between the SAP Authorization and Trust Management Service and Identity Authentication service, either at the SAP BTP global or subaccount level.

With this configuration, when a business user accesses an SAP BTP application, they are redirected to the Identity Authentication service login page to authenticate and access the application.

To configure this, follow the directions provided in this SAP Help Portal Link.

Note

The SAP Authorization and Trust Management Service is a core service that secures applications on the SAP BTP by handling authentication, authorization, and trust between systems. For more information on this core service, refer to SAP Authorization and Trust Management Service | SAP Help Portal.

SAP BTP Destination Configuration for Service Layer for Technical Users

There are two types of configurations to connect SAP Business One Service Layer in SAP BTP:

  • Configurations for technical users, which represent non-employees or users who are not SAP Business One named users.
  • Configurations for business users, which represent SAP Business One named users.

Let’s first look at configurations for technical users. The technical user is used where an SAP BTP app user (business user) doesn’t need to match the Business One user recorded in transactions. This technical user requires an "Indirect Access by Non-Employees" or "Indirect Access, user-based" license among the SAP Business One license types, depending on the Business User’s type.

To implement this configuration, you must maintain a credential for the technical user in the SAP BTP destination using the Basic Authentication type in the SAP BTP subaccount. You may use different technical users in different SAP BTP subaccounts, such as a development subaccount and a deployment subaccount.

Diagram showing SAP BTP authentication flow: Business User authenticates through Identity Authentication service, which establishes trust with the SAP Authorization and Trust Management service. The SAP BTP application uses Destination for basic authentication to access SAP Business One Service Layer.

With this configuration, when a business user accesses an SAP BTP application, the user is redirected to the Identity Authentication service login page to log in and access the application.

When the application accesses the SAP Business One Service Layer, it uses an SAP BTP destination to authenticate to SAP Business One Service Layer with the stored technical user credentials, along with the company ID.

Setting Up the SAP BTP Destination with Basic Authentication

As a prerequisite for configuring the destinations, the SAP Business One Service Layer must be available and accessible by SAP BTP. This can be accomplished by either making the Service Layer publicly available through a reverse proxy or by establishing a secure tunnel to the Service Layer within a corporate network using the SAP BTP Cloud Connector.

The following screenshot and steps use a publicly available Service Layer endpoint to demonstrate how to set up an SAP BTP destination with the Basic Authentication type to connect to the Service Layer.

Screenshot showing how to configure a new destination in SAP BTP Cockpit, as described in the following steps.

Steps

  1. Go to the SAP BTP subaccount and navigate to Connectivity > Destinations.

  2. Choose Create Destination to create a new destination.

  3. Fill out the fields according to the following table:

    | Field | Value | Value Example |
    | Name | Enter a destination name without spaces | B1si-basicauth |
    | Type | Keep the default value | HTTP |
    | Description | Enter any description | |
    | URL | <Root URL and service port of SAP Business One Service Layer> | https://erp.acme.com:50000 |
    | Authentication | Choose BasicAuthentication | |
    | User | Provide a key-value pair of CompanyDB and UserName in JSON format, because SAP Business One additionally requires the Company DB information for authentication: {"CompanyDB":"<Schema Name>", "UserName":"<User Code of Technical User>"} | {"CompanyDB":"SBODEMOGB", "UserName":"manager"} |
    | Password | <Password of the UserName> | |

  4. Select New Property three times to create three Additional Properties fields.

  5. Add the additional properties to use the destination in SAP Business Application Studio for building a Fiori application with an OData source.

    | Property | Value |
    | WebIDEEnabled | true |
    | HTML5.DynamicDestination | true |
    | WebIDEUsage | odata_gen |

  6. Choose Save.

  7. Choose Check Connection to verify the connectivity. This action only checks if the destination is reachable – it does not validate user authentication.

    This screenshot shows a successful connection test for the destination b1sl-basicauth in SAP BTP Cockpit. The pop-up confirms the connection was established with the response 200: OK.

    Note

    You can also create a destination from the SAP Business Application Studio under the Service Center menu. Refer to this blog, which explains how to add an SAP Business One system as a destination from the SAP Business Application Studio.
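
Added example (not SAP's code and not part of the original lesson): a Python check of a destination definition against the table above, plus the Authorization header that HTTP Basic (RFC 7617) derives from the User and Password fields. The dictionary keys reuse the table's field labels, the password is a constructed placeholder, and decode_basic is a hypothetical receiver-side parser, not Service Layer's implementation.

```python
import base64
import json
from urllib.parse import urlsplit

# Fixed values from the steps above (field labels used as dictionary keys).
EXPECTED = {"Type": "HTTP", "Authentication": "BasicAuthentication", "WebIDEEnabled": "true",
            "HTML5.DynamicDestination": "true", "WebIDEUsage": "odata_gen"}
# Constructed sample: the table's example values; the password is a placeholder.
SAMPLE = {**EXPECTED, "Name": "B1si-basicauth", "URL": "https://erp.acme.com:50000",
          "User": '{"CompanyDB":"SBODEMOGB", "UserName":"manager"}',
          "Password": "example-only-password"}


def lint_destination(dest):
    """Return findings; an empty list means the definition matches the table."""
    findings = [f"{k} should be {v}" for k, v in EXPECTED.items() if dest.get(k) != v]
    name = dest.get("Name", "")
    if not name or any(c.isspace() for c in name):
        findings.append("Name must be non-empty and contain no spaces")
    url = urlsplit(dest.get("URL", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append("URL must be https: Basic credentials are only base64-encoded")
    try:
        user = json.loads(dest.get("User", ""))
    except json.JSONDecodeError:
        user = None
    if not isinstance(user, dict) or not all(user.get(k) for k in ("CompanyDB", "UserName")):
        findings.append("User must be JSON with non-empty CompanyDB and UserName")
    if not dest.get("Password"):
        findings.append("Password is empty")
    return findings


def basic_auth_header(dest):
    """Header value that HTTP Basic (RFC 7617) builds from User and Password."""
    raw = f'{dest["User"]}:{dest["Password"]}'.encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header):
    """Hypothetical receiver: the JSON user contains ':' so parse the JSON first."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")
    user, end = json.JSONDecoder().raw_decode(raw)  # end = index just past the JSON object
    if raw[end:end + 1] != ":":
        raise ValueError("expected ':' between JSON user and password")
    return user["CompanyDB"], user["UserName"], raw[end + 1:]
```

Because the JSON user string itself contains colons, a generic Basic parser that splits at the first colon misreads the credential, which matters for any proxy or logging layer in front of Service Layer. The header is reversible base64, so the stored technical user's password is exposed on any non-TLS hop.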

SAP BTP Destination Configuration for Service Layer for Business Users

The second type of configuration is for business users, which represents SAP Business One named users. This configuration is used when an SAP BTP app user (Business User) needs to match the SAP Business One user recorded in transactions and is subject to authorizations and checks. This business user requires a Named User license (Professional/Limited users) or an Indirect Access, user-based license, among the SAP Business One license types.

Diagram showing SAP BTP authentication flow: Business User authenticates through Identity Authentication service, which establishes trust with the SAP Authorization and Trust Management service. The SAP BTP application uses the Destination service to access SAP Business One SLD and Service Layer with tokens.

Next, in SAP Business One Extension SSO Manager, the administrator must configure Principal Propagation so that the identity (principal) of the business user is propagated from the SAP Authorization and Trust Management service (after authentication through Identity Authentication service) into SAP Business One SLD. Then, configure the SAP BTP Destination using the NoAuthentication type with additional properties such as AuthToken and CompanyID.

With this configuration, when a business user authenticates through Identity Authentication service, the business user's identity is propagated to SAP Business One SLD. When the application accesses the SAP Business One Service Layer, it uses an SAP BTP destination to forward the AuthToken and CompanyID stored in the additional properties to SAP Business One Service Layer, where the token is verified with SAP Business One SLD.

How to Set Up the SAP BTP Destination for Service Layer with Principal Propagation

In this video, you’ll learn how to:

  • Set up Principal Propagation in SAP Business One Extension SSO Manager, to propagate the identity (principal) from the SAP Authorization and Trust Management service to SAP Business One SLD.
  • Configure the SAP BTP Destination using NoAuthentication type with additional properties – AuthToken and CompanyID.

Note

To access the SAP Business One Extension SSO Manager, amend the following URL sample:

https://<SAP Business One SLD Address>:<SLD Port>/ExtensionSSOManager

For example: https://erp.acme.com:40000/ExtensionSSOManager
