SAP Certified Development Associate - SAP Extension Suite

BTP

BTP Hyperscaler Extension

Modern hybrid multi-cloud environments integrate SAP Business Technology Platform (SAP BTP) services to implement intelligent enterprises around the SAP S/4HANA core with cloud native runtimes.

SAP Business Technology Platform (SAP BTP) on AWS Azure Cloud

The SAP Business Technology Platform is a Platform as a Service (PaaS) built on the Data Management, Analytics, Extensibility, Integration and Intelligent Technologies pillars. These pillars offer capabilities side by side with SAP enterprise applications.

SAP Business Technology Platform BTP Architecture

Side-by-side implementations with SAP BTP cloud services are used to implement extension, end-to-end integration, cloud analytics, process automation, AI Machine Learning (ML) or data-to-value scenarios.

Examples of hybrid cloud environments are combinations of on-premise enterprise applications like S/4HANA with SAP BTP services or integrations of edge solutions (e.g. IoT or DMC) with SAP BTP cloud applications like SAP Digital Manufacturing Cloud (DMC) or Asset Performance Management.

SAP Business Technology Platform hybrid multi-cloud architectures with Amazon AWS and Microsoft Azure avoid the vendor lock-in of "one-size-fits-all" PaaS selections. Private Link or Service Manager integrations enable these multi-cloud environments with SAP BTP, but there is no option to subscribe to BTP services natively within the control cockpits of the hyperscaler platforms (status 11/2022).

Security on SAP Business Technology Platform (BTP)

Security on a cloud platform should be implemented as a layered defense-in-depth strategy at the data, application, network and operational levels.

SAP Business Technology Platform (BTP) Multi-Cloud Security Defense in Depth

Secured connectivity, cloud identity authentication management and audit logs are examples of defense in depth features on the SAP Business Technology Platform.

SAP Business Technology Platform (BTP) Defense in Depth Architecture Blueprint

SAP BTP network security implementations are limited, because there are no options to separate public and private network segments or to add network components for advanced security implementations (such as security groups, routing tables, NAT gateways or OSI layer 7 load balancers).

SAP Business Technology Platform Private Link services establish private connections between selected BTP services and services on hyperscaler platforms, so that the traffic avoids the public internet. Private links are available e.g. for Azure App Services or Functions, Cosmos DB, Automation and Key Vault, and for AWS Lambda, S3, SNS, SQS, SES or the Aurora Data API.

SAP Business Technology Platform (BTP) Service Link Integration

Connections between SAP BTP Private Link and Azure Private Link or AWS Endpoint Services allow further integration options e.g. with S/4HANA OData Services.

Cloud Application Security

Further security services like web application firewalls or DNS load balancers cannot be configured on the SAP Business Technology Platform (BTP). Security measures like application load balancing, rate limiting or DDoS (Distributed Denial-of-Service) protection are only available to a limited extent, and with additional license costs for SAP BTP API Management.

The SAP BTP Credential Store service is based on hyperscaler key management services to provide a secure repository of passwords and keys for applications.

SAP BTP custom domains expose applications secured by TLS/SSL certificates. Cloud Foundry runtime apps require route mapping to the custom domain and an OAuth redirect configuration. Kyma runtime apps can be connected to custom domains using the Istio service mesh.

Secure Cloud Application Programming

Cloud Application Programming models have to support the OAuth2 standard to implement SaaS applications as service providers (SP) with the SAML2 or OpenID authentication protocols. OAuth2 defines authorization grants between clients (SP) and servers (IdP) to limit access to cloud resources securely.

The OAuth Authorization Code Grant allows exchanging login information for SAML- or JWT-formatted access tokens, and the Bearer Token Grant (SAML or JWT) enables access to OAuth-protected resources. The OpenID protocol implements decentralized authentication with identity providers (IdP), with OpenID Connect (OIDC) as the authentication layer on top of OAuth.

External identity providers (IdP) have to be explicitly configured as trusted for SAML authentication on cloud platforms.

The following diagram visualizes how authentication standards are offered on the SAP Business Technology Platform (BTP) with the SAP Cloud Application Programming (CAP) model to propagate cloud identities across hybrid multi-cloud environments (5) integrated with the Cloud Connector, to exchange user tokens (2) and to access resources on behalf of authenticated principals (3).

Cloud Architecture Security Best Practices Multi-Cloud Principal Propagation

Cloud Identity Authentication Management (IAM)

The OAuth protocol enables the implementation of Identity Authentication Management (IAM) on the SAP Business Technology Platform. The OAuth Authorization Code Grant is available as part of the Cloud Foundry application layer security and supports the exchange of user credentials for access tokens as part of the login process.

SAP BTP application routers facilitate OAuth grant implementations and act as an optional single point of entry for applications. BTP app routers are OAuth clients (I) and prompt users (identities, principals) to log in with their credentials.

Cloud Foundry runtimes offer a UAA (User Access Authentication) server that grants resource access to client applications with JWT-formatted tokens (11). The SAP BTP XSUAA service is an extension of the Cloud Foundry UAA OAuth server (II).

SAP Business Technology Platform (BTP) Security Best Practices

Cloud Platform Application Router

Applications can be securely accessed via the SAP BTP Application Router, which can be implemented as managed or standalone. Managed approuters are the recommended default option and are offered as features of the SAP Launchpad and the SAP Cloud Portal Service. Standalone approuters can be implemented for special use cases like multi-tenancy and are listed together with the apps in Cloud Foundry spaces.

Some important approuter tasks are forwarding requests as a reverse proxy to defined routes, serving static content like HTML5 apps, integrating seamlessly with the XSUAA-protected HTML5 Application Repository service, providing session handling and managing authentication flows.

Identity Authentication Management on the SAP Business Technology Platform is controlled by route authentication types, which define whether users get prompted to enter login information (for the UAA or IAS services). IAS prompts enable OIDC flows in Kyma environments.
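Route authentication types are declared per route in the approuter's xs-app.json. The following linter is an added example (not code from SAP's approuter or from this page) that reads such a configuration and flags route settings that weaken the approuter's role as single point of entry. The configuration object is constructed for illustration; the property names (`authenticationMethod`, `authenticationType`, `destination`, `forwardAuthToken`, `csrfProtection`, `scope`, `localDir`) are the ones the approuter documents, the route names are made up.

```javascript
// Added example; not code from SAP's approuter. A small linter for xs-app.json route
// definitions that flags route authentication settings which weaken the approuter's
// role as single point of entry. The configuration object below is constructed.
const xsApp = {
  welcomeFile: '/index.html',
  authenticationMethod: 'route',
  routes: [
    // Good: backend route protected by XSUAA, scope-restricted, CSRF-protected, token forwarded.
    { source: '^/api/(.*)$', target: '$1', destination: 'backend-srv',
      authenticationType: 'xsuaa', scope: 'myapp!t1.Display', csrfProtection: true, forwardAuthToken: true },
    // Fine: static content served without login.
    { source: '^/public/(.*)$', localDir: 'resources', authenticationType: 'none' },
    // Weak: destination reachable without login, yet a user token is supposed to be forwarded.
    { source: '^/legacy/(.*)$', target: '$1', destination: 'legacy-srv',
      authenticationType: 'none', forwardAuthToken: true },
    // Weak: authenticated backend route with CSRF protection switched off.
    { source: '^/orders/(.*)$', target: '$1', destination: 'orders-srv',
      authenticationType: 'xsuaa', csrfProtection: false },
  ],
};

// Returns a list of { route, issue } findings; an empty list means nothing was flagged.
function lintRoutes(config) {
  const findings = [];
  if (config.authenticationMethod === 'none') {
    findings.push({ route: '*', issue: 'authenticationMethod "none" disables login for every route' });
  }
  for (const r of config.routes || []) {
    // The approuter defaults a route to "xsuaa" when authenticationMethod is "route"
    // and no authenticationType is given; with authenticationMethod "none" nothing is enforced.
    const authType = r.authenticationType || (config.authenticationMethod === 'none' ? 'none' : 'xsuaa');
    const proxied = Boolean(r.destination || r.service);
    if (proxied && authType === 'none') {
      findings.push({ route: r.source, issue: 'proxied route reachable without authentication' });
    }
    if (r.forwardAuthToken && authType === 'none') {
      findings.push({ route: r.source, issue: 'forwardAuthToken on an unauthenticated route has no user token to forward' });
    }
    if (proxied && r.csrfProtection === false) {
      findings.push({ route: r.source, issue: 'csrfProtection disabled on a proxied route' });
    }
  }
  return findings;
}

console.log(lintRoutes(xsApp));
```

Running the linter over the constructed configuration reports two findings for the `/legacy` route and one for `/orders`; the static `/public` route is intentionally not flagged, because serving unauthenticated static content is a normal approuter use.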

Signed authentication tokens (1) can be forwarded by the approuter as an HTTP Authorization header (2) to destinations (without authentication, not for proxy type on-premise). The forwarded tokens (2) are validated in Cloud Foundry runtime apps with the XSUAA public key, and the JWT token content (body) is used to enforce authorization by scopes.

SAP Cloud Foundry Security Best Practices Hybrid Multi-Cloud Connectivity Forward Auth Token

BTP Cloud Connectivity Service

The Connectivity service allows SAP BTP applications to securely access remote services that run on the internet or on-premise. Destinations configured on subaccount or instance level in the BTP console provide technical information about targets. Alternatively, destinations can be configured on application level in the Cloud Foundry manifest.yml or as environment variables (Cloud Foundry, Kyma).

SAP BTP destinations enable principal propagation for applications to cloud targets with authentication type OAuth2SAMLBearerAssertion. The authentication type PrincipalPropagation allows propagating principals from cloud applications to SAP systems deployed on-premise or in private clouds.

Cloud Connectors establish connections between the SAP Business Technology Platform and SAP systems hosted on-premise or on hyperscaler platforms. The installation requires a TLS-secured internet connection to the Connectivity Service host. The IP address of the SAP BTP Connectivity Service host is controlled by the respective infrastructure provider.

SAP BTP principal propagation has to be enabled with trust established between the Cloud Connector, the cloud SAML2 IdP and the SAP system. NetWeaver rules map the user information in the short-lived certificates (created by the Cloud Connector) to SAP user IDs.

High availability Cloud Connector installations for the SAP Business Technology Platform are set up with two instances, a master and a shadow.

SAP BTP Connectivity Service Cloud Connector High Availability

SAP BTP Kubernetes workloads require a proxy, delivered as a Docker image and Helm chart, to connect with on-premise Cloud Connectors. The Kyma environment provides a central API Gateway to connect to SAP cloud solutions.

Secure Application Authentication Flows

Well-architected SAP BTP applications implement OAuth authentication flows with the Identity Authentication and Connectivity services. SAP BTP connectivity services use destinations to establish secure connections to cloud services, internet targets or on-premise systems, specified with the proxy types OnPremise, Internet (e.g. S/4HANA Cloud) or PrivateLink.

OAuth 2.0 SAML bearer assertion flows use SAML assertions issued by an identity provider and consumed by a service provider. OAuth 2.0 is extended with a token exchange feature, available for BTP authentication flows with the Security Token Service (STS) of the Cloud Connector.

PrincipalPropagation on SAP Business Technology Platform destinations enables single sign-on (SSO) by forwarding JWT cloud identities to destinations with proxy type OnPremise and authentication type PrincipalPropagation, or with any proxy type and OAuth2 SAML Bearer Assertion.

Destinations define the following authentication types to access resources:

SAP Cloud Foundry Security Best Practices Hybrid Multi-Cloud Connectivity Principal Propagation

SAP Cloud Foundry Security Best Practices Hybrid Multi-Cloud Connectivity OAuth2SAMLBearerAssertion

SAP Cloud Foundry Security Best Practices Hybrid Multi-Cloud Connectivity OAuth2UserTokenExchange
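The proxy type and authentication type of a destination together decide whether the end user's identity reaches the target or is replaced by a technical identity. The following is an added example, not code from SAP's Destination service or from this page: it applies the rules stated above (PrincipalPropagation only through the Cloud Connector, i.e. ProxyType OnPremise; OAuth2SAMLBearerAssertion with any proxy type; OAuth2UserTokenExchange forwarding the user token) to a set of constructed destination definitions and flags combinations that either cannot work or lose the user identity. The destination names, hosts and the `TECHUSER` value are placeholders; the property names (`Name`, `Type`, `URL`, `ProxyType`, `Authentication`, `audience`, `tokenServiceURL`) are the ones used in BTP destination definitions.

```javascript
// Added example; not code from SAP's Destination service. Classifies destination
// definitions by the principal-propagation rules above and flags combinations that
// cannot work or that silently replace the end user with a technical identity.
// All definitions below are constructed; hostnames are placeholders.
const destinations = [
  { Name: 'S4-onprem', Type: 'HTTP', URL: 'http://s4host.internal:44300',
    ProxyType: 'OnPremise', Authentication: 'PrincipalPropagation' },
  { Name: 'S4-cloud', Type: 'HTTP', URL: 'https://s4.example.invalid',
    ProxyType: 'Internet', Authentication: 'OAuth2SAMLBearerAssertion',
    audience: 'https://s4.example.invalid', tokenServiceURL: 'https://s4.example.invalid/sap/bc/sec/oauth2/token' },
  // Misconfiguration: PrincipalPropagation needs the Cloud Connector (ProxyType OnPremise).
  { Name: 'S4-mistake', Type: 'HTTP', URL: 'https://s4.example.invalid',
    ProxyType: 'Internet', Authentication: 'PrincipalPropagation' },
  // Works, but every caller becomes TECHUSER in the backend: no per-user authorization there.
  { Name: 'legacy-basic', Type: 'HTTP', URL: 'http://legacyhost.internal:8000',
    ProxyType: 'OnPremise', Authentication: 'BasicAuthentication', User: 'TECHUSER' },
  { Name: 'private-ops', Type: 'HTTP', URL: 'http://10.0.0.5',
    ProxyType: 'PrivateLink', Authentication: 'NoAuthentication' },
];

const PROXY_TYPES = new Set(['Internet', 'OnPremise', 'PrivateLink']);

// Returns { name, propagatesPrincipal, findings[] } for one destination definition.
function assessDestination(d) {
  const findings = [];
  let propagatesPrincipal = false;
  if (!PROXY_TYPES.has(d.ProxyType)) findings.push(`unknown ProxyType "${d.ProxyType}"`);
  switch (d.Authentication) {
    case 'PrincipalPropagation':
      // Only works through the Cloud Connector, which issues a short-lived certificate per user.
      if (d.ProxyType === 'OnPremise') propagatesPrincipal = true;
      else findings.push('PrincipalPropagation requires ProxyType OnPremise');
      break;
    case 'OAuth2SAMLBearerAssertion':
      propagatesPrincipal = true; // allowed with any proxy type
      for (const k of ['audience', 'tokenServiceURL']) if (!d[k]) findings.push(`missing ${k}`);
      break;
    case 'OAuth2UserTokenExchange':
      propagatesPrincipal = true; // the user's JWT is exchanged, identity is kept
      break;
    case 'BasicAuthentication':
      findings.push('technical user shared by all callers; backend cannot tell end users apart');
      break;
    case 'NoAuthentication':
      findings.push('target called anonymously; authorization must be enforced elsewhere');
      break;
    default:
      findings.push(`Authentication "${d.Authentication}" not covered by this check`);
  }
  // Cloud Connector and Private Link traffic does not cross the public internet; plain HTTP
  // on an Internet destination does.
  if (d.ProxyType === 'Internet' && /^http:\/\//i.test(d.URL || '')) findings.push('plain HTTP over the public internet');
  return { name: d.Name, propagatesPrincipal, findings };
}

function assessAll(list) {
  return list.map(assessDestination);
}

for (const a of assessAll(destinations)) console.log(a);
```

Of the five constructed definitions only `S4-onprem` and `S4-cloud` keep the user identity end to end; the check makes the difference between "connection works" and "the backend can still apply its own authorizations to the real user" explicit, which is the point of principal propagation.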

Resilient Cloud Implementations

The SAP Business Technology Platform offers options to implement resiliency with Business Continuity and Disaster Recovery (BCDR) standard plans, which are limited to restoring productive tenants from backups without any guaranteed recovery timeline (RTO). Furthermore, BTP HANA Cloud services support zone-redundant storage, which increases the default availability SLA from 99.9% to 99.95%.

Cloud Foundry runtime-specific features are high availability, managed at compute and (multi-instance) application level with hyperscaler availability zones, and the Autoscaler service. The Kyma runtime periodically backs up the managed Kubernetes cluster.

Highly available multi-cloud extension and integration solutions can be deployed on subaccounts across different hyperscaler platforms and regions. Such deployments avoid the downtimes needed for major SAP BTP upgrades. To get notified about planned major upgrades, customers can subscribe to cloud system notifications.

SAP BTP Robotic Process Automation (RPA)

SAP Business Technology Platform Process Automation combines Workflow Management with Robotic Process Automation (RPA) technologies. Process Designer and Form Editor enable No-Code development with pre-built content like industry-specific bots for automations, forms or process projects.

SAP BTP RPA helps to transform tedious or repetitive tasks of human workers into digital business processes. Robotic Process Automation can accelerate the digital transformation of business processes with automation. Available RPA content, like packages or templates, simplifies and accelerates the SAP process automation design.

The RPA service is composed of the cloud components Cloud Factory (orchestration and monitoring), Cloud Studio (design of automation processes) and Store (pre-built content and SDKs, e.g. for PDF, Excel, Outlook, Word, SAP GUI and SAPUI5).

Automations run on the on-premise desktop agent and can be operated with confidence, e.g. with the operations monitoring capabilities of SAP Cloud ALM.

Robotic Process Automation tasks can be processed unattended (autonomously, fully automated) in the background or attended and interactively (assisted by humans with task centers). SAP recommends running API bots in unattended, scheduled mode.

The design capabilities for robotic process automations include drag and drop process tools, advanced workflow management and (interactive) forms. Routing of automated robotic processes can be implemented with condition criteria and decisions based on complex policies or business rules.

Connectors enable automation of web, Windows, UI, SAP (Web) GUI and HLLAPI applications. Robotic process automations can be operated with performance measurement, alert monitoring, and technical and functional traces. Automated processes can offer collaboration and notification capabilities like e-mail, APIs, CAI notifiers or alert management.

RPA data integrations are enabled with SDK packages for PDF, Excel, PowerPoint, MS-Word, BAPI, Outlook, SAPUI5, SAP GUI and built-in Document Information Extraction.

AI Business Services

SAP Business Technology Platform AI Business Services are ready to use intelligent services, which can be integrated within applications or automation scenarios. SAP BTP AI Business Services offer capabilities like Document Information Extraction, Document Classification into user-defined categories, Business Entity Recognition, Service Ticket Intelligence or Personalized Recommendations.

SAP BTP AI Business Services provide reusable models, pre-trained by domain experts, with common patterns across business processes and SAP solutions. The training data of these machine learning models is pre-processed to remove noise and outliers. During the training process, BTP AI services check for early stopping conditions to avoid model overfitting and compare the resulting models with already existing trained models to choose the best-fitting model.

AI Service Ticket Intelligence Service

Service Ticket Intelligence machine learning models support text classification or solution recommendation scenario types which have to be specified during the upload of training data.

  1. Text classification analyzes input data with regard to ticket categories and priorities, language detection and sentiment analysis.
  2. Solution recommendations for service agents are based on previous similar tickets.

Text classification in Service Ticket Intelligence is performed by a Convolutional Neural Network (CNN) with multiple layers. One of these layers is an attention layer, which works at sentence level to weigh tokens, analogous to cognitive attention.

AI Personalized Recommendations Service

SAP BTP AI Personalized Recommendations is an offering for batch and real-time inference calls, which return recommendations with confidence scores. With this service, you can also find out which item attributes or past interactions influenced each recommendation. The inference API endpoints of the recommendation service further allow boosting categorical features with higher priority and forcing specific desired recommendations.

Intelligent recommendations are embedded in SAP Cloud Solutions like SuccessFactors to create learning paths or to improve the web shop experience with Commerce Cloud. Similar use cases are recommendations for internal procurement and career path planning.

AI Document Information Extraction Service

AI Document Information Extraction extracts business-relevant entities from unstructured business documents (such as invoices) with content in headers and tables. The extracted information can be enriched with existing master data (e.g. vendor or employee data).

AI Business Entity Recognition

SAP BTP Business Entity Recognition algorithms train neural networks to learn patterns for entity classification in business documents. Currently (11/2022), the service offers four pre-trained SAP models: e-mail business entity, invoice header, address and generic entity. Custom machine learning models can be used to classify any given type of named entity, such as mobile number, first name, last name or address.

The service transforms the initial text into a machine-readable label mask, which enables the algorithm to locate and recognize the class information to be returned.

AI Data Attribute Recommendation Service

AI Data Attribute Recommendation applies machine learning to predict and classify data records, with model templates serving single-label, multi-label and multi-class classification tasks using traditional or neural network machine learning models. A model template generates an empty, untrained model architecture unique to each input dataset schema.

Available model templates with classification tasks:

Some possible use-cases are: