SAP has introduced SAP Start, our new default central entry point, designed to easily engage with all cloud business solutions across the SAP portfolio. It is included out-of-the-box, at no additional cost, with all integrated SAP cloud business solutions.
If you want to learn more about SAP Start in general, have a look at our recent “Things You Need to Know About SAP Start” blog post.
Today, we want to show you how easy it is to set up SAP Start seamlessly integrated with SAP Fieldglass. Please note that it is also already possible today to integrate SAP S/4HANA Cloud, public edition, and more SAP cloud business solutions in the future, which are covered in separate blog entries (see links at the end of this blog post).
To follow along with this how-to, please make sure you already fulfill the following prerequisites:
You have an existing global account on the SAP Business Technology Platform
Your global account has these entitlements assigned
Service | Plan | Required Quota |
---|---|---|
SAP Build Work Zone, standard edition | foundation | 1 |
SAP Build Work Zone, standard edition | foundation (Application) | 1 |
SAP Task Center | standard | 1 |
You have (admin) access to your SAP Fieldglass system with the role “Configuration Manager”
You have contact with your SAP Fieldglass representative
You have an Identity Authentication Service available in your global account
You first need to create a new subaccount in your BTP global account. Open the Account Explorer page of your global account in the BTP cockpit. You should see a dropdown menu called Create where you select Subaccount. Follow the wizard and fill out all the required fields.
In your created subaccount, go to the Entitlements section and entitle the subaccount for:
Expand the Services section to open the Instances and Subscriptions section for the subaccount and create a subscription for SAP Build Work Zone, standard edition
Go to the Overview section of the subaccount and Enable Cloud Foundry in the subaccount
Go to the Overview section of the subaccount and click Create Space
Add your user as Space Developer, Space Manager.
In your created space, expand the Services section to open the Instances section for the space and create a service instance for SAP Task Center
Create a service key for your created service instance of SAP Task Center
In your subaccount, expand the Connectivity section to navigate to the Destinations section of your subaccount and create a new destination based on the service instance of Task Center
In your global account, select System Landscape from the left panel, and select the Formations tab
Click Create Formation (in the top right corner)
Enter a Formation Name and select Integration with SAP Start as the Formation Type and click Next Step
Select the SAP Start system that reflects your SAP Build Work Zone subscription which you created in step 3 and click Next Step
Double check on the review page that everything looks correct and click Create
For this process it’s recommended to create a new user before you continue. For more information please refer to the Fieldglass User Documentation.
Before we can create the required destinations for the Fieldglass connection, you need to establish trust between the destination service and Fieldglass.
You need to create three destinations in your subaccount in the BTP cockpit.
Open the Destinations page within the Connectivity section of your subaccount in the BTP cockpit.
Click New Destination and enter the following values:
Field Name | Value |
---|---|
Name | Fieldglass-<Company Code>_DT |
Type | HTTP |
Description | Fieldglass <Company Code> Design Time |
URL | <Your Fieldglass url>/api/v1/cdm/entities |
Proxy Type | Internet |
Authentication | OAuth2ClientCredentials |
Client ID | Value of Virtual Person Name (Username) |
Client Secret | Password of the username selected as Virtual Person Name (Username) |
Token Service URL Type | Dedicated |
Token Service URL | <Your Fieldglass url>/api/oauth2/v2.0/token |
Token Service User | Value of Virtual Person Name (Username) |
Token Service Password | Password of the username selected as Virtual Person Name (Username) |
Add the following values as “additional properties” by clicking the “New Property” button on the right-hand side.
Property Name | Value |
---|---|
nameIdFormat | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
URL.headers.X-ApplicationKey | Value of API Application Key e.g. DQe20IMhQZd4m46FA43qwIZcb8C |
Click Save to create the destination.
Create the second destination by clicking New Destination and enter the following values:
Field Name | Value |
---|---|
Name | Fieldglass-<Company Code>_RT |
Type | HTTP |
Description | Fieldglass <Company Code> Runtime Default |
URL | <Your Fieldglass url> |
Proxy Type | Internet |
Authentication | NoAuthentication |
Click Save to create the destination.
Create the third destination by clicking New Destination and enter the following values:
Field Name | Value |
---|---|
Name | Fieldglass-<Company Code>_RT_DATA |
Type | HTTP |
Description | Fieldglass <Company Code> Runtime |
URL | <Your Fieldglass url>/api/v1/cdm |
Proxy Type | Internet |
Authentication | OAuth2SAMLBearerAssertion |
Key Store Location | Leave empty |
Key Store Password | Leave empty or set an explicit password |
Audience | <Your fieldglass URL> e.g. fieldglass.net |
AuthnContextClassRef | urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession |
Client Key | Value of API Application Key e.g. DQe20IMhQZd4m46FA43qwIZcb8C |
Token Service URL Type | Dedicated |
Token Service URL | <Your Fieldglass url>/api/oauth2/v2.0/token |
Token Service User | Value of Virtual Person Name (Username) |
Token Service Password | Password of the username selected as Virtual Person Name |
Add the following values as “additional properties” by clicking the “New Property” button on the right-hand side.
Property Name | Value |
---|---|
nameIdFormat | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
URL.headers.X-ApplicationKey | Value of API Application Key e.g. DQe20IMhQZd4m46FA43qwIZcb8C |
HTML5.DynamicDestination | true |
sap-card-nominations-path | /api/v1/cdm/nominations |
Click Save to create the destination.
Navigate to the Channel Manager section in SAP Build Work Zone and add a new Content Provider with the following properties:
Title | Fieldglass <Company Code> |
Description | Enter a meaningful description |
ID | Fieldglass_<Company code> |
Designtime Destination | Fieldglass_<Company code>_DT |
Runtime Destination | Fieldglass_<Company code>_RT |
Runtime Destination for Dynamic Data | Fieldglass_<Company code>_RT_DATA |
Automatically add all content items to subaccount. | enabled |
Use the Identity Provisioning service to provision user authorizations. | enabled |
Save the Content Provider
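A consistency check for the three destinations and the Content Provider entries above, as an added example that is not SAP's own code: it compares destination records against the values in the tables and verifies that every Content Provider field names a destination that exists. The tables above name the destinations with a hyphen (Fieldglass-<Company Code>_DT) while the Content Provider table uses an underscore, and the check reports exactly that kind of mismatch. The record layout, the company code ACME, the host fieldglass.example and the https requirement are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Expected values per destination-name suffix, copied from the tables above.
COMMON = {"nameIdFormat", "URL.headers.X-ApplicationKey"}
EXPECTED = {
    "_DT": ("OAuth2ClientCredentials", "/api/v1/cdm/entities", COMMON),
    "_RT": ("NoAuthentication", "", set()),
    "_RT_DATA": ("OAuth2SAMLBearerAssertion", "/api/v1/cdm",
                 COMMON | {"HTML5.DynamicDestination", "sap-card-nominations-path"}),
}
TOKEN_PATH = "/api/oauth2/v2.0/token"
PROVIDER_FIELDS = ("Designtime Destination", "Runtime Destination",
                   "Runtime Destination for Dynamic Data")

def lint(destinations, provider):
    """Return findings; an empty list means the set matches the tables."""
    findings = []
    names = {d["Name"] for d in destinations}
    for field in PROVIDER_FIELDS:  # Content Provider must reference existing names
        if provider[field] not in names:
            findings.append(f"{field}: no destination named {provider[field]}")
    for d in destinations:
        name, url = d["Name"], urlsplit(d["URL"])
        suffix = next((s for s in EXPECTED if name.endswith(s)), None)
        if suffix is None:
            findings.append(f"{name}: unexpected name suffix")
            continue
        auth, path, props = EXPECTED[suffix]
        if d["Authentication"] != auth:
            findings.append(f"{name}: Authentication should be {auth}")
        if url.scheme != "https" or url.path.rstrip("/") != path:  # https: added check
            findings.append(f"{name}: URL should be https://<host>{path}")
        if props - set(d.get("properties", ())):
            findings.append(f"{name}: missing additional properties")
        tok = urlsplit(d.get("Token Service URL", ""))
        if auth != "NoAuthentication" and tuple(tok[:3]) != ("https", url.netloc, TOKEN_PATH):
            findings.append(f"{name}: token URL must be {TOKEN_PATH} on the same host")
    return findings

def sample(sep="-", host="https://fieldglass.example"):
    """Constructed destinations for an invented company code ACME and host."""
    return [{"Name": f"Fieldglass{sep}ACME{suffix}", "Authentication": auth,
             "URL": host + path, "Token Service URL": host + TOKEN_PATH,
             "properties": dict.fromkeys(props, "<value>")}
            for suffix, (auth, path, props) in EXPECTED.items()]

def provider(sep):
    """Content Provider destination fields for the same constructed names."""
    return {f: f"Fieldglass{sep}ACME{s}" for f, s in zip(PROVIDER_FIELDS, EXPECTED)}
```

`lint(sample("-"), provider("_"))` returns one finding per Content Provider field, while `lint(sample("-"), provider("-"))` returns an empty list.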
Open your subaccount and navigate to your created Cloud Foundry space, expand the Services section to select Instances for the space and create a service instance for SAP Build Work Zone, standard edition
Create a service key for the service instance of SAP Build Work Zone, standard edition
Open your subaccount, expand the Security section to open the Trust Configuration section
Click on the Establish Trust button and select your IAS tenant
Open your IAS administrator console at <IAS domain>/admin
Navigate to the Identity Provisioning section and open the Source Systems section
Click on + Add to add a new Source System
Select SAP Fieldglass as type
Give the source system a meaningful name
{
  "user": {
    "mappings": [
      { "sourcePath": "$.id", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "sourcePath": "$.userName", "targetPath": "$.userName", "correlationAttribute": true },
      { "sourcePath": "$.name", "targetPath": "$.name", "optional": true },
      { "sourcePath": "$.displayName", "targetPath": "$.displayName", "optional": true },
      { "sourcePath": "$.active", "targetPath": "$.active", "optional": true },
      { "sourcePath": "$.title", "targetPath": "$.title", "optional": true },
      { "sourcePath": "$.locale", "targetPath": "$.locale", "optional": true },
      { "sourcePath": "$.emails", "targetPath": "$.emails", "preserveArrayWithSingleElement": true },
      { "sourcePath": "$.emails[?(@.primary== true)].value", "correlationAttribute": true },
      { "sourcePath": "$.timezone", "targetPath": "$.timezone", "optional": true },
      { "sourcePath": "$.addresses", "targetPath": "$.addresses", "optional": true, "preserveArrayWithSingleElement": true },
      {
        "sourcePath": "$.groups",
        "targetPath": "$.groups",
        "optional": true,
        "preserveArrayWithSingleElement": true,
        "functions": [
          { "function": "concatString", "condition": "'%fg.group.prefix%' !== 'null'", "applyOnElements": true, "applyOnAttribute": "value", "prefix": "%fg.group.prefix%" }
        ]
      },
      { "sourcePath": "$.schemas", "targetPath": "$.schemas", "preserveArrayWithSingleElement": true },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']",
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']",
        "optional": true
      },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']",
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']",
        "optional": true
      },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']",
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']",
        "optional": true
      },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']",
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']",
        "optional": true
      },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']",
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']",
        "optional": true
      },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
        "optional": true
      },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']",
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']",
        "optional": true
      },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']",
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']",
        "optional": true
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']",
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']",
        "optional": true
      }
    ]
  },
  "group": {
    "ignore": false,
    "mappings": [
      { "sourcePath": "$.id", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem" },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.displayName",
        "functions": [
          { "function": "concatString", "condition": "'%fg.group.prefix%' !== 'null'", "prefix": "%fg.group.prefix%" }
        ]
      },
      { "sourcePath": "$.members", "targetPath": "$.members", "optional": true, "preserveArrayWithSingleElement": true },
      { "sourcePath": "$.schemas", "targetPath": "$.schemas", "preserveArrayWithSingleElement": true }
    ]
  }
}
Open the Properties tab and add the following properties
Navigate to the Identity Provisioning section and open the Target Systems section
Click on + Add to add a new Target System
Select SAP Build Work Zone, standard edition as type
Give the target system a meaningful name
Select your created source system for Fieldglass as the source system
Open the Transformations tab, click on Edit and switch into the JSON mode to paste the following standard transformation
{
  "user": {
    "skipOperations": [ "update" ],
    "mappings": [
      { "targetPath": "$.id", "sourceVariable": "entityIdTargetSystem" },
      { "targetPath": "$.schemas[0]", "constant": "urn:ietf:params:scim:schemas:core:2.0:User" },
      { "targetPath": "$['urn:ietf:params:scim:schemas:extension:2.0:mapping']['providerId']", "constant": "%cflp.providerId%" },
      {
        "sourcePath": "$.emails[0].value",
        "targetPath": "$.emails[0].value",
        "condition": "$.emails[?(@.primary == true)].value == []",
        "optional": true
      },
      {
        "sourcePath": "$.emails[?(@.primary == true)].value",
        "targetPath": "$.emails[0].value",
        "condition": "$.emails[?(@.primary == true)].value != []",
        "optional": true,
        "preserveArrayWithSingleElement": true,
        "functions": [
          { "function": "elementAt", "index": 0 }
        ]
      },
      { "targetPath": "$.emails[0].primary", "condition": "$.emails[0].length() > 0", "constant": true },
      { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']", "targetPath": "$.externalId", "optional": true },
      {
        "sourcePath": "$.groups[*].value",
        "targetPath": "$.groups[?(@.value)]",
        "optional": true,
        "preserveArrayWithSingleElement": true,
        "functions": [
          { "function": "resolveEntityIds", "entityType": "group" }
        ]
      }
    ]
  },
  "group": {
    "mappings": [
      { "targetPath": "$.id", "sourceVariable": "entityIdTargetSystem" },
      { "targetPath": "$['urn:ietf:params:scim:schemas:extension:2.0:mapping']['providerId']", "constant": "%cflp.providerId%" },
      { "targetPath": "$.schemas[0]", "constant": "urn:ietf:params:scim:schemas:core:2.0:Group" },
      { "targetPath": "$.schemas[1]", "constant": "urn:ietf:params:scim:schemas:core:2.0:mapping", "optional": true },
      { "sourcePath": "$.id", "targetPath": "$.externalId", "optional": true },
      {
        "sourcePath": "$.id",
        "targetPath": "$.externalId",
        "optional": true,
        "functions": [
          { "function": "replaceAllString", "regex": "(?i)(^pcd:)", "replacement": "" },
          { "function": "replaceString", "target": "/", "replacement": ":" },
          { "function": "replaceString", "target": "(", "replacement": "@" },
          { "function": "replaceString", "target": ")", "replacement": "+" }
        ]
      },
      {
        "sourcePath": "$.members[*].value",
        "targetPath": "$.members[?(@.value)]",
        "optional": true,
        "preserveArrayWithSingleElement": true,
        "functions": [
          { "function": "resolveEntityIds" }
        ]
      }
    ]
  }
}
Open the Properties tab and add the following properties
Navigate to the Identity Provisioning section and open the Source Systems section
Select your created source system of your Fieldglass tenant
Open the Jobs tab
Click on Run Now for the Read Job to start the synchronization of your S/4HANA users and roles into your SAP Build Work Zone tenant
Navigate to the Identity Provisioning section and open the Provisioning Logs section to see the logs and status of your synchronization jobs
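To predict which identifiers the read job will write, the following added example (not SAP's code) models three mappings from the two transformations above in Python: the group prefix from the source system, the primary e-mail selection and the second `$.externalId` group mapping from the target system. It assumes that `replaceAllString` is a regex replacement, that `replaceString` replaces literal text, and that an unset `fg.group.prefix` property makes the `concatString` condition false; the function names and sample values are constructed.

```python
import re

def source_groups(groups, fg_group_prefix=None):
    """Source 'concatString': prefix each group's value when the property is set."""
    if fg_group_prefix is None:  # assumed: '%fg.group.prefix%' !== 'null' is false
        return groups
    return [{**g, "value": fg_group_prefix + g["value"]} for g in groups]

def target_email(emails):
    """Target user mapping: the value written to $.emails[0].value."""
    primary = [e["value"] for e in emails if e.get("primary") is True]
    if primary:                    # mapping with condition "... != []"
        return primary[0]          # elementAt, index 0
    return emails[0]["value"] if emails else None  # mapping with "... == []"

def target_external_id(group_id):
    """Target group mapping: $.id -> $.externalId through the four functions."""
    out = re.sub(r"(?i)(^pcd:)", "", group_id)        # replaceAllString (regex)
    for target, replacement in (("/", ":"), ("(", "@"), (")", "+")):
        out = out.replace(target, replacement)        # replaceString (literal)
    return out

def colliding_ids(group_ids):
    """Distinct source ids that the rewrite collapses into one externalId."""
    seen = {}
    for gid in group_ids:
        seen.setdefault(target_external_id(gid), set()).add(gid)
    return {ext: ids for ext, ids in seen.items() if len(ids) > 1}

# Constructed sample values, not taken from a real Fieldglass tenant.
SAMPLE_EMAILS = [{"value": "a.user@example.com"},
                 {"value": "primary.user@example.com", "primary": True}]
SAMPLE_GROUP_IDS = ["pcd:portal_content/roles(admin)", "team/a", "team:a"]
```

Because the rewrite is not reversible, `colliding_ids` is worth running over the group ids of the source system before the first read job: two different ids that end up with the same `externalId` cannot be told apart by that attribute afterwards.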
As the last step, you need to configure the Fieldglass system to use the SAP Identity Authentication Service (IAS) as the Identity Provider (IdP) for Single Sign-On (SSO). Please follow the Fieldglass SSO Documentation to configure the SSO settings in your Fieldglass system.
You should now have a working setup of SAP Build Work Zone, standard edition with SAP Start and SAP Fieldglass.