Connect SAP Business Application Studio and SAP S/4HANA Cloud Tenant
- How to create an HTTP destination on SAP Business Technology Platform with SAML assertion authentication to an SAP S/4HANA Cloud tenant
- How to create a communication system for an SAP Business Application Studio subaccount in an S/4HANA ABAP tenant
Ulrike LiebherrJuly 11, 2021Prerequisites
- You have an SAP S/4HANA Cloud tenant and a business user with Communication Management authorizations (this requires a business role with unrestricted write access containing business catalog
SAP_CORE_BC_COM). - You have an SAP Business Technology Platform trial account with an SAP Business Application Studio subscription
To follow this tutorial, you can either use a subaccount in your trial account on SAP BTP or you can use a subaccount in a customer account. However, for the customer account subaccount, you have to do the following:
-
Set up mutual trust between the SAP BTP subaccount and the Identity Provider, see
-
ABAP Environment Documentation: Setup of a Custom Identity Service
-
Tutorial: Set Up Trust Between Identity Authentication and SAP Cloud Platform which is showing the process in SAP BTP Neo Environment instead of here needed Cloud Foundry environment. Nevertheless it’s that similar, that in can help, you only have to omit setting the subaccount as service provider
-
SAP BTP Documentation: Trust and Federation with Identity Providers
-
-
Assign the developer users permission for SAP Business Application Studio, see ABAP Environment Documentation: Assigning Permissions for SAP Business Application Studio
Alternatively, see Integrating SAP Business Application Studio documentation for this tutorial’s content with a customer account.
The communication system for an SAP Business Application Studio subaccount in an S/4HANA ABAP tenant is needed to develop a custom UI with SAP Business Application Studio for a custom business object running in an S/4HANA ABAP tenant and for deploying that UI.
Tutorial last updated with SAP S/4HANA Cloud Release 2105
- Step 1
SAP Business Application Studio requires connection information to request custom business object data from your SAP S/4HANA Cloud tenant and to deploy a UI into this tenant. That information is stored in the SAP Business Application Studio subaccount as a so-called destination. To create that destination, do the following:
-
In your web browser, open the SAP BTP Trial cockpit https://account.hanatrial.ondemand.com and Enter Your Trial Account, which is a so-called global account.
-
On your global account page, select default subaccount
trial.
-
In the navigation pane expand the Connectivity section.
-
Select Destinations.
-
Select New Destination.
Log in to complete tutorial -
- Step 2
Configure the new destination with the following standard field values.
Field Name Value Name <YOUR_SYSTEMS_ID>_SAML_ASSERTIONType HTTPDescription SAML Assertion Destination to SAP S/4HANA Cloud tenant <YOUR_SYSTEMS_ID>URL In the SAP S/4HANA Cloud tenant, navigate to the Communication Systems app and copy the Host Name from Own System = Yesand paste it with prefix
https://for examplehttps://my12345-api.s4hana.ondemand.com.Proxy Type InternetAuthentication SAMLAssertionAudience Enter the URL of your system and remove -api, for examplehttps://my12345.s4hana.ondemand.com.AuthnContextClassRefurn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSessionSelect New Property and maintain the following Additional Properties and values.
Field Name Value Remark HTML5.DynamicDestination trueHTML5.Timeout 60000value stated in milliseconds. 60000 equals 1 minute. Required as deployment needs longer than the standard of 30 seconds. WebIDEEnabledtrueWebIDEUsageodata_abap,dev_abapnameIDFormaturn:oasis:names:tc:SAML:1.1:nameid-format:emailAddressRequired in case your subaccount sends mail address as SAML Name ID for authentication (**Subject Name Identifier** in Identity Authentication tenant), although SAP S/4HANA Cloud tenant expects user login by default. That is the case with a trial Account. This also requires the mail address to be maintained for SAP S/4HANA Cloud tenant business users. Make sure that the Use default JDK truststore checkbox is ticked.
Click Save.
Log in to complete tutorial - Step 3
On the SAP S/4HANA Cloud tenant side, you need to allow SAP Business Application Studio to make inbound calls.
To set SAP Business Application Studio as a trusted caller in the SAP S/4HANA Cloud tenant, you first have to download the public key of the SAP Business Application Studio subaccount.To do this, in the Destinations section, select Download Trust.
An untyped file with name
pk-\<your subaccounts ID\>(for examplepk_9zy8xw7v-6u54-3tsr-21qp-1pqr234st56uv;) is downloaded. Save this file for later.Log in to complete tutorial - Step 4
With the downloaded public key from the SAP Business Application Studio subaccount, you can now maintain it as a trusted caller in SAP S/4HANA Cloud tenant.
-
Log on to your SAP S/4HANA Cloud tenant with the business user that is authorized for communication management.
-
From the dashboard home screen, choose Communication Management > Communication Systems
-
Select New.
-
Enter a System ID and System Name, for example
BAS_<YOUR SUBACCOUNTS_SUBDOMAIN>likeBAS_12AB34CDTRIALand choose Create.
Log in to complete tutorial -
- Step 5
This is how you have to configure the communication system that represents the SAP Business Application subaccount as a trusted caller.
-
Navigate to General > Technical Data
-
Tick the Inbound Only checkbox.
-
Navigate to General > SAML Bearer Assertion Provider and slide the button to ON.
-
Choose Upload Signing Certificate, browse for the SAP BTP certificate and upload it.
-
Set the Provider Name by inserting the CN attribute of the Signing Certificate Subject.
-
Choose Save.
The connection is now set up and you can use of the custom business object OData services of the SAP S/4HANA Cloud tenant in SAP Business Application Studio.
Log in to complete tutorial -