SAP has introduced SAP Start, our new default central entry point, designed to easily engage with all cloud business solutions across the SAP portfolio. It is included out-of-the-box, at no additional cost, with all integrated SAP cloud business solutions.
If you want to learn more about SAP Start in general, have a look at our recent "Things You Need to Know About SAP Start” blog post.
Today, we want to show you how easy it is to set up SAP Start seamlessly integrated with SAP Fieldglass. Please note that there is also the possibility to integrate SAP S/4HANA Cloud, public edition already today, and more SAP cloud business solutions in the future, which we are covered in blog entries. (see links at the end of this blog post)
Prerequisites
To follow along with this how-to, please make sure you already fulfill the following prerequisites:
You have an existing global account on the SAP Business Technology Platform
Your global account has these entitlements assigned
Service Plan Required QuotaSAP Build Work Zone, standard edition foundation 1 SAP Build Work Zone, standard edition foundation (Application) 1 SAP Task Center standard 1 You have (admin) access to your SAP Fieldglass system with the role “Configuration Manager”
You have Contact to your SAP Fieldglass representative
You have an Identity Authentication Service available in your global account
Prepare Business Technology Platform Account
You first need to create a new subaccount in your BTP global account. Open the Account Explorer page of your global account in the BTP cockpit. You should see a dropdown menu called Create where you select Subaccount. Follow the wizard and fill out all the required fields.
Create Subaccount
In your created subaccount, go to the Entitlements section and entitle the subaccount for:
- SAP Build Work Zone, standard edition (plan: foundation & foundation (Application))
Configure Workzone Entitlement
- SAP Build Work Zone, standard edition (plan: foundation & foundation (Application))
Expand the Services section to open the Instances and Subscriptions section for the subaccount and create a subscription for SAP Build Work Zone, standard edition
SAP Build Work Zone, standard edition plan foundation subscription form
Go to the Overview section of the subaccount and Enable Cloud Foundry in the subaccount
Go to the Overview section of the subaccount and click Create Space
Add your user as Space Developer, Space Manager.
Create Space
In your created space, expand the Services section to open the Instances section for the space and create a service instance for SAP Task Center
Create a service key for your created service instance of SAP Task Center
- This blog article only covers the creation of the Task Center service instance. For all necessary steps please follow the SAP Task Center Initial Setup guide.
In your subaccount, expand the Connectivity section to navigate to the Destinations section of your subaccount and create a new destination based on the service instance of Task Center
Create Task Center Destination
In your global account, select System Landscape from the left panel, and select the Formations tab
Click Create Formation (in the top right corner)
Enter a Formation Name and select Integration with SAP Start as the Formation Type and click Next Step
Select the SAP Start system that reflects your SAP Build Work Zone subscription which you created in step 3 and click Next Step
Double check on the review page that everything looks correct and click Create
Set Up Fieldglass as a Content Provider for SAP Start
Fieldglass Web Service
For this process it’s recommended to create a new user before you continue. For more information please refer to the Fieldglass User Documentation.
- Open your fieldglass instance and navigate to “API Application Keys” within the “Configuration Tools” section.
Fieldglass Configuration Tools
- Click on “New” to create a new API Key
Create new API Key
- Fill out the Form with the following values:
- Application Name: SAP Start Integration
- Description: API Key for SAP Start Integration
Create new API Key Form
- Click on “Create” to create the API Key
- Once the API Key is created, copy the “Client ID” and “Client Secret” values to a secure place. You will need them later. Please ensure that you don’t leave the page.
- Underneath the newly created API key click on “New” within the “Setup Webservice Section”.
Fieldglass Configuration Tools The visible key is not valid and was only used for demo purposes
- Fill out the Form with the following values:
- Application Name: SAP Start Integration
- Virtual Person Name (Username): Select a user which should be used the webservice
- Status: enabled
Create new Webservice Form
- Click on “Save” to create the webservice.
Create Destinations in SAP Business Technology Platform
Establish Trust between Fieldglass and SAP Business Technology Platform
Before we can create the required destinations for the Fieldglass connection, you need to establish trust between the destination service and Fieldglass.
- Open the Destinations page within the Connectivity section of your subaccount in the BTP cockpit.
- On the right-hand side click “Download Trust Configuration” and save the file to your local machine.
- Contact your SAP Fieldglass representative to upload this certificate in the SAP Fieldglass tenant trust store.
Create Destinations
You need to create three destinations in your subaccount in the BTP cockpit.
Open the Destinations page within the Connectivity section of your subaccount in the BTP cockpit.
Click New Destination and enter the following values:
Field Name ValueFieldglass Designtime Destination
Name Fieldglass-<Company Code>_DT Type HTTP Description Fieldglass <Company Code> Design Time URL <Your Fieldglass url>/api/v1/cdm/entities Proxy Type Internet Authentication OAuth2ClientCredentials Client ID: Value of Virtual Person Name (Username) Client Secret: Password of the username selected as Virtual Person Name (Username) Token Service URL Type Dedicated Token Service URL <Your Fieldglass url>/api/oauth2/v2.0/token Token Service User Value of Virtual Person Name (Username) Token Service Password Password of the username select as Virtual Person Name (Username) Add the following values as “additional properties” by clicking the “New Property” button on the right-hand side.
Property Name ValuenameIdFormat urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified URL.headers.X-ApplicationKey Value of API Application Key e.g. DQe20IMhQZd4m46FA43qwIZcb8C Click Save to create the destination.
Create the second destination by clicking New Destination and enter the following values:
Field Name ValueFieldglass Runtime Default Destination
Name Fieldglass-<Company Code>_RT Type HTTP Description Fieldglass <Company Code> Runtime Default URL <Your Fieldglass url> Proxy Type Internet Authentication NoAuthentication Click Save to create the destination.
Create the third destination by clicking New Destination and enter the following values:
Field Name ValueFieldglass RT Data Destination
Name Fieldglass-<Company Code>_RT_DATA Type HTTP Description Fieldglass <Company Code> Runtime URL <Your Fieldglass url>/api/v1/cdm Proxy Type Internet Authentication OAuth2SAMLBearerAssertion Key Store Location Leave empty Key Store Passwort Leave empty or set an explicit password Audience <Your fieldglass URL> e.g. fieldglass.net AuthnContextClassRef urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession Client Key: Value of API Application Key e.g. DQe20IMhQZd4m46FA43qwIZcb8C Token Service URL Type Dedicated Token Service URL <Your Fieldglass url>/api/oauth2/v2.0/token Token Service User Value of Virtual Person Name (Username) Token Service Password Password of the username select as Virtual Person Name Add the following values as “additional properties” by clicking the “New Property” button on the right-hand side.
Property Name ValuenameIdFormat urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified URL.headers.X-ApplicationKey Value of API Application Key e.g. DQe20IMhQZd4m46FA43qwIZcb8C HTML5.DynamicDestination true sap-card-nominations-path /api/v1/cdm/nominations Click Save to create the destination.
Navigate to the Channel Manager section in SAP Build Work Zone and add a new Content Provider with the following properties:
Content Provider Creation
Field Name ValueTitle Fieldglass <Company Code> Description Enter a meaningful description ID Fieldglass_<Company code> Designtime Destination Fieldglass_<Company code>_DT Runtime Destination Fieldglass_<Company code>_RT Runtime Destination for Dynamic Data Fieldglass_<Company code>_RT_DATA Automatically add all content items to subaccount. enabled Use the Identity Provisioning service to provision user authorizations. enabled Save the Content Provider
Identity Provisioning
Open your subaccount and navigate to your created Cloud Foundry space, expand the Services section to select Instances for the space and create a service instance for SAP Build Work Zone, standard edition
Create a service key for the service instance of SAP Build Work Zone, standard edition
Open your subaccount, expand the Security section to open the Trust Configuration section
Click on the Establish Trust button and select your IAS tenant
- Ensure your IAS tenant is connected using Open ID Connect (OIDC)
Open your IAS administrator console at <IAS domain>/admin
Navigate to the Identity Provisioning section and open the Source Systems section
Click on + Add to add a new Source System
Select SAP Fieldglass as type
Give the source system a meaningful name
IPS Source System Form
- Open the Transformations tab, click on Edit and switch into the JSON mode to paste the following standard transformation
{ "user": { "mappings": [ { "sourcePath": "$.id", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem" }, { "sourcePath": "$.userName", "targetPath": "$.userName", "correlationAttribute": true }, { "sourcePath": "$.name", "targetPath": "$.name", "optional": true }, { "sourcePath": "$.displayName", "targetPath": "$.displayName", "optional": true }, { "sourcePath": "$.active", "targetPath": "$.active", "optional": true }, { "sourcePath": "$.title", "targetPath": "$.title", "optional": true }, { "sourcePath": "$.locale", "targetPath": "$.locale", "optional": true }, { "sourcePath": "$.emails", "targetPath": "$.emails", "preserveArrayWithSingleElement": true }, { "sourcePath": "$.emails[?(@.primary== true)].value", "correlationAttribute": true }, { "sourcePath": "$.timezone", "targetPath": "$.timezone", "optional": true }, { "sourcePath": "$.addresses", "targetPath": "$.addresses", "optional": true, "preserveArrayWithSingleElement": true }, { "sourcePath": "$.groups", "targetPath": "$.groups", "optional": true, "preserveArrayWithSingleElement": true, "functions": [ { "function": "concatString", "condition": "'%fg.group.prefix%' !== 'null'", "applyOnElements": true, "applyOnAttribute": "value", "prefix": "%fg.group.prefix%" } ] }, { "sourcePath": "$.schemas", "targetPath": "$.schemas", "preserveArrayWithSingleElement": true }, { "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']", "optional": true }, { "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']", "optional": true }, { "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']", "optional": true }, { "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']", "optional": true }, { "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']", "optional": true }, { "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "optional": true }, { "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']", "optional": true }, { "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']", "optional": true } ] }, "group": { "ignore": false, "mappings": [ { "sourcePath": "$.id", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem" }, { "sourcePath": "$.displayName", "targetPath": "$.displayName", "functions": [ { "function": "concatString", "condition": "'%fg.group.prefix%' !== 'null'", "prefix": "%fg.group.prefix%" } ] }, { "sourcePath": "$.members", "targetPath": "$.members", "optional": true, "preserveArrayWithSingleElement": true }, { "sourcePath": "$.schemas", "targetPath": "$.schemas", "preserveArrayWithSingleElement": true } ] } }IPS Source System Transformations Form
- Open the Transformations tab, click on Edit and switch into the JSON mode to paste the following standard transformation
Open the Properties tab and add the following properties
- Authentication: BasicAuthentication
- OAuth2TokenServiceURL: <URL of your your fieldglass instance with path /api/oauth2/v2.0/token e.g. https://fieldglass.net/api/oauth2/v2.0/token>
- ips.trace.failed.entity.content: false
- Password: <Password of the username select as Virtual Person Name (Username)>
- ProxyType: Internet
- Type: HTTP
- URL: <URL of your your fieldglass instance e.g. https://fieldglass.net>
- User: <Value of Virtual Person Name (Username)>
IPS Source System Properties
Navigate to the Identity Provisioning section and open the Target Systems section
Click on + Add to add a new Target System
Select SAP Build Work Zone, standard edition as type
Give the target system a meaningful name
Select your created source system for Fieldglass as the source system
IPS Target System Form
Open the Transformations tab, click on Edit and switch into the JSON mode to paste the following standard transformation
{ "user": { "skipOperations": [ "update" ], "mappings": [ { "targetPath": "$.id", "sourceVariable": "entityIdTargetSystem" }, { "targetPath": "$.schemas[0]", "constant": "urn:ietf:params:scim:schemas:core:2.0:User" }, { "targetPath": "$['urn:ietf:params:scim:schemas:extension:2.0:mapping']['providerId']", "constant": "%cflp.providerId%" }, { "sourcePath": "$.emails[0].value", "targetPath": "$.emails[0].value", "condition": "$.emails[?(@.primary == true)].value == []", "optional": true }, { "sourcePath": "$.emails[?(@.primary == true)].value", "targetPath": "$.emails[0].value", "condition": "$.emails[?(@.primary == true)].value != []", "optional": true, "preserveArrayWithSingleElement": true, "functions": [ { "function": "elementAt", "index": 0 } ] }, { "targetPath": "$.emails[0].primary", "condition": "$.emails[0].length() > 0", "constant": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']", "targetPath": "$.externalId", "optional": true }, { "sourcePath": "$.groups[*].value", "targetPath": "$.groups[?(@.value)]", "optional": true, "preserveArrayWithSingleElement": true, "functions": [ { "function": "resolveEntityIds", "entityType": "group" } ] } ] }, "group": { "mappings": [ { "targetPath": "$.id", "sourceVariable": "entityIdTargetSystem" }, { "targetPath": "$['urn:ietf:params:scim:schemas:extension:2.0:mapping']['providerId']", "constant": "%cflp.providerId%" }, { "targetPath": "$.schemas[0]", "constant": "urn:ietf:params:scim:schemas:core:2.0:Group" }, { "targetPath": "$.schemas[1]", "constant": "urn:ietf:params:scim:schemas:core:2.0:mapping", "optional": true }, { "sourcePath": "$.id", "targetPath": "$.externalId", "optional": true }, { "sourcePath": "$.id", "targetPath": "$.externalId", "optional": true, "functions": [ { "function": "replaceAllString", "regex": "(?i)(^pcd:)", "replacement": "" }, { "function": "replaceString", "target": "/", "replacement": ":" }, { "function": "replaceString", "target": "(", "replacement": "@" }, { "function": "replaceString", "target": ")", "replacement": "+" } ] }, { "sourcePath": "$.members[*].value", "targetPath": "$.members[?(@.value)]", "optional": true, "preserveArrayWithSingleElement": true, "functions": [ { "function": "resolveEntityIds" } ] } ] } }IPS Target System Transformations Form
Open the Properties tab and add the following properties
- Authentication: BasicAuthentication
- cflp.group.unique.attribute: externalId,['urn:ietf:params:scim:schemas:extension:2.0:mapping']['providerId']
- cflp.patch.group.members.above.threshold: 5000
- cflp.providerId: <ID of the created content provider in your SAP Build Work Zone tenant e.g. Fieldglass_IE1>
- cflp.user.unique.attribute: emails[0].value,['urn:ietf:params:scim:schemas:extension:2.0:mapping']['providerId'],externalId
- ips.trace.failed.entity.content: false
- OAuth2TokenServiceURL: <Value of the url property of your created SAP Build Work Zone service key + /oauth/token>
- Password: <Value of the clientsecret property of your created SAP Build Work Zone service key>
- ProxyType: Internet
- Type: HTTP
- URL: <Value of the portal-service property of your created SAP Build Work Zone service key>
- User: <Value of the clientid property of your created SAP Build Work Zone service key>
IPS Target System Properties Form
Navigate to the Identity Provisioning section and open the Source Systems section
Select your created source system of your Fieldglass tenant
Open on the Jobs tab
Click on Run Now for the Read Job to start the synchronization of your S/4HANA users and roles into your SAP Build Work Zone tenant
Navigate to the Identity Provisioning section and open the Provisioning Logs section to see the logs and status of your synchronization jobs
As the last step, you need to configure the Fieldglass system to use the SAP Identity Authentication Service (IAS) as the Identity Provider (IdP) for Single Sign-On (SSO). Please follow the Fieldglass SSO Documentation to configure the SSO settings in your Fieldglass system.
Final Result
You should now have a working setup of SAP Build Work Zone, standard edition with SAP Start and SAP Fieldglass. For the blog post copy and adjust the section Accessing SAP Start and That is it! from one of the following existing blog posts instead of this Final Result section.
- SAP Managed Tags:
