Merge pull request #283202 from MartinPankraz/add-sap-odata-power-platf-article

Jill Grant · web-flow · commit bae4e0bec2ae · 2024-08-13T14:39:54.000-06:00
add sapodata with power platform article
diff --git a/articles/sap/index.yml b/articles/sap/index.yml
@@ -172,18 +172,20 @@ additionalContent:
       #card
       - title: Integrations - How-to-guide
         links:
-           - text: How to configure Microsoft 365 Exchange Online for SAP
-             url: ./workloads/exchange-online-integration-sap-email-outbound.md
-           - text: How to expose SAP Process Orchestration on Azure securely
-             url: ./workloads/expose-sap-process-orchestration-on-azure.md
-           - text: How to configure SAP printing with Microsoft Universal Print
-             url: ./workloads/universal-print-sap-frontend.md
+          - text: Enable SAP Principal Propagation and SSO for Power Platform
+            url: ./workloads/expose-sap-odata-to-power-platform.md
+          - text: How to configure M365 Exchange Online for SAP
+            url: ./workloads/exchange-online-integration-sap-email-outbound.md
+          - text: How to expose SAP Process Orchestration on Azure securely
+            url: ./workloads/expose-sap-process-orchestration-on-azure.md
+          - text: How to configure SAP printing with Microsoft Universal Print
+            url: ./workloads/universal-print-sap-frontend.md
       #card
       - title: Integrations - Quickstart
         links:
-           - text: Deploy an ERP extension using SAP's Cloud SDK on Azure in one click
-             url: https://github.com/Azure-Samples/app-service-javascript-sap-cloud-sdk-quickstart
-           - text: Use free developer accounts for SAP BTP, Microsoft 365 and Azure
-             url: ./workloads/integration-get-started.md#free-developer-accounts
-           - text: Use SAP ABAP platform and SAP BTP, ABAP environment to integrate with Microsoft
-             url: https://blogs.sap.com/2023/06/06/kick-start-your-sap-abap-platform-integration-journey-with-microsoft
+          - text: Deploy an ERP extension using SAP's Cloud SDK on Azure in one click
+            url: https://github.com/Azure-Samples/app-service-javascript-sap-cloud-sdk-quickstart
+          - text: Use free developer accounts for SAP BTP, M365 and Azure
+            url: ./workloads/integration-get-started.md#free-developer-accounts
+          - text: Use SAP ABAP platform and SAP BTP, ABAP environment to integrate with Microsoft
+            url: https://blogs.sap.com/2023/06/06/kick-start-your-sap-abap-platform-integration-journey-with-microsoft
diff --git a/articles/sap/workloads/expose-sap-odata-to-power-platform.md b/articles/sap/workloads/expose-sap-odata-to-power-platform.md
@@ -0,0 +1,69 @@
+---
+title: Enable SAP Principal Propagation and SSO for Power Platform
+description: Learn about configuring SAP Principal Propagation and SSO in Power Platform
+author: MartinPankraz
+
+ms.service: sap-on-azure
+ms.subservice: sap-vm-workloads
+ms.topic: how-to
+ms.date: 8/14/2024
+ms.author: mapankra
+---
+# Enable SAP Principal Propagation and SSO for Power Platform 
+
+Working with SAP interfaces in low code solutions is a common requirement for customers.
+
+This article describes the required foundational configurations and components to interact with SAP systems via OData and the legacy RFC/BAPI interfaces.
+
+The article puts emphasis on secure authorization using Microsoft Entra identity in Power Platform and for the SAP backend user. This mechanism is often referred to as SAP Principal Propagation. See [this community post](https://community.powerplatform.com/blogs/post/?postid=c6a609ab-3556-ef11-a317-6045bda95bf0) for more details.
+
+> [!IMPORTANT]
+> SAP Principal Propagation ensures user-mapping to the licensed named SAP user. For any SAP license related questions please contact your SAP representative.
+
+> [!NOTE]
+> The guidance applies to Azure Logic Apps, Azure Functions, Azure Container Apps, and Azure App Service too.
+
+## SAP ERP connector in Power Platform
+
+The [SAP ERP connector (RFC/BAPI)](/connectors/saperp/) is designed so multiple people can access and use an application at once; therefore, the connections aren't shared. The user credentials are provided in the connection, while other details required to connect to the SAP system (like server details and security configuration) are provided as part of the action.
+
+Enabling single sign-on (SSO) makes it easy to refresh data from SAP while adhering to user-level permissions configured in SAP. There are several ways you can set up SSO for streamlined identity and access management.
+
+Find more details on the [power platform documentation](/power-platform/enterprise-templates/finance/sap-procurement/administer/configure-authentication).
+
+## SAP OData connector in Power Platform
+
+The [SAP OData connector](/connectors/sapodata/) enables consumption of any OData service from the SAP ecosystem.
+
+Enabling SAP Principal Propagation makes it easy to interact with data while adhering to user-level permissions configured in SAP.
+
+Learn more about the supported authentication types on the [power platform documentation](/connectors/sapodata/).
+
+### Guidance for SAP Principal Propagation
+
+Principal Propagation is a mechanism well established in the SAP ecosystem. The SAP OData Connector supports this mechanism by providing a first-party Entra ID app registration with client ID `6bee4d13-fd19-43de-b82c-4b6401d174c3` and scope `user_impersonation`. Use the field `Microsoft Entra ID Resource URI (Application ID URI)` to maintain your globally unique resource URI of the Entra ID app registration authorized to access the SAP OData service.
+
+The focus of the described configuration is on the Azure API Management, SAP Gateway, SAP OAuth 2.0 Server with AS ABAP, and OData sources, but the concepts used apply to any web-based resource.
+
+Learn more from this article on the [Power Platform community](https://community.powerplatform.com/blogs/post/?postid=c6a609ab-3556-ef11-a317-6045bda95bf0).
+
+> [!NOTE]
+> An existing trust setup between your SAP backend and Entra ID using an enterprise app registration is required. The configuration needs to support the OAuth2SAMLBearer flow. See [this Microsoft learn article](/entra/identity/saas-apps/sap-netweaver-tutorial) and this SAP blog for details on the initial steps.
+>
+> :::image type="content" source="media/expose-sap-odata-to-power-platform/sap-principal-propagation-trust.png" alt-text="Illustration of trust relationship between SAP, Entra ID, and API Management solution to support SAP Principal Propagation." lightbox="media/expose-sap-odata-to-power-platform/sap-principal-propagation-trust.png":::
+
+For the Entra ID token exchange required by SAP ([OAuth2SAMLBearer flow](https://help.sap.com/doc/saphelp_nw75/7.5.5/en-US/6e/aec739afad4c5c96487c780c0bf82a/frameset.htm)), we recommend using an API Management solution. See [this Microsoft learn article](/azure/api-management/sap-api?tabs=odata#production-considerations) for details on the initial steps with Azure API Management.
+
+:::image type="content" source="media/expose-sap-odata-to-power-platform/sap-principal-propagation.png" alt-text="Authentication flow of the SAP OData Connector with Azure API Management to support SAP Principal Propagation." lightbox="media/expose-sap-odata-to-power-platform/sap-principal-propagation.png":::
+
+## Next steps
+
+[Understand SAP Principal Propagation using API Management in detail | blog](https://community.powerplatform.com/blogs/post/?postid=c6a609ab-3556-ef11-a317-6045bda95bf0)
+
+[Work with SAP OData APIs in Azure API Management | Microsoft Learn](../../api-management/sap-api.md)
+
+[Protect APIs with Application Gateway and API Management | Microsoft Learn](/azure/architecture/reference-architectures/apis/protect-apis)
+
+[Integrate API Management in an internal virtual network with Application Gateway | Microsoft Learn](../../api-management/api-management-howto-integrate-internal-vnet-appgateway.md)
+
+[Understand Azure Application Gateway and Web Application Firewall for SAP | blog](https://blogs.sap.com/2020/12/03/sap-on-azure-application-gateway-web-application-firewall-waf-v2-setup-for-internet-facing-sap-fiori-apps/)
diff --git a/articles/sap/workloads/integration-get-started.md b/articles/sap/workloads/integration-get-started.md
@@ -37,7 +37,7 @@ Select an area for resources about how to integrate SAP and Azure in that space.
 | [SAP RISE managed workloads](rise-integration-services.md) | Learn how to integrate your SAP RISE managed workloads with Azure services. |
 | [Microsoft Office](#microsoft-office) | Learn about Office Add-ins in Excel, doing SAP Principal Propagation with Office 365, SAP Analytics Cloud, and Data Warehouse Cloud integration and more. |
 | [Microsoft Teams](#microsoft-teams) | Discover collaboration scenarios boosting your daily productivity by interacting with your SAP applications directly from Microsoft Teams. |
-| [Microsoft Power Platform](#microsoft-power-platform) | Learn about the available [out-of-the-box SAP applications](/power-automate/sap-integration/solutions) enabling your business users to achieve more with less. |
+| [Microsoft Power Platform](#microsoft-power-platform) | Learn about the available out-of-the-box SAP solutions enabling your business users to achieve more with less. |
 | [Microsoft Universal Print](#microsoft-universal-print) | Learn about the available cloud native printing capabilities for SAP. |
 | [SAP Fiori](#sap-fiori) | Increase performance and security of your SAP Fiori applications by integrating them with Azure services. |
 | [Microsoft Entra ID (formerly Azure Active Directory)](#microsoft-entra-id-formerly-azure-ad) | Ensure end-to-end SAP user authentication and authorization with Microsoft Entra ID. Single sign-on (SSO) and multifactor authentication (MFA) are the foundation for a secure and seamless user experience. |
@@ -100,15 +100,16 @@ For more information about integration with Microsoft Teams, see [Native SAP app
 
 For more information about integration with Microsoft Power Platform, see the following Power Automate resources:
 
+- [SAP Principal Propagation using Azure API Management | blog](https://community.powerplatform.com/blogs/post/?postid=c6a609ab-3556-ef11-a317-6045bda95bf0)
 - [Overview of SAP integration](/power-automate/sap-integration/overview)
-- [Understand prebuilt solution available for integrating SAP with Power Platform](/power-automate/sap-integration/solutions)
 - [Finance and operations templates for SAP process mining with Power Automate Process Advisor](/power-automate/process-mining-finance-ops-templates)
-- [Hyperautomation special video series for SAP based integration and automation with Power Automate](https://flow.microsoft.com/blog/hyperautomation-special-video-series-for-sap-based-integration-automation-with-power-automate/)
-- [RPA Playbook for SAP GUI Automation with Power Automate](https://flow.microsoft.com/blog/rpa-playbook-for-sap-gui-automation-with-power-automate-api-flows-ui-flows-and-power-automate-desktop/)
+- [Hyperautomation for SAP based integration and automation with Power Automate | video series](https://flow.microsoft.com/blog/hyperautomation-special-video-series-for-sap-based-integration-automation-with-power-automate/)
+- [RPA Playbook for SAP GUI Automation with Power Automate | blog](https://flow.microsoft.com/blog/rpa-playbook-for-sap-gui-automation-with-power-automate-api-flows-ui-flows-and-power-automate-desktop/)
 
 Also see the following SAP resources:
+- [SAP Principal Propagation via SAP API Management (Integration Suite)](https://community.sap.com/t5/enterprise-resource-planning-blogs-by-members/integrating-low-code-solutions-with-microsoft-using-sap-integration-suite/ba-p/13789298)
 - [Snoozing SAP systems with Power Apps](https://blogs.sap.com/2021/02/10/hey-sap-systems-my-powerapp-says-snooze-but-only-if-youre-ready-yet/)
-- [Use SAP Business Rules Service (part of SAP Workflow) to expose SAP business logic to Power Apps](https://blogs.sap.com/2020/07/31/scp-business-rules-put-to-the-test-with-microsoft-power-platform/)
+- [Use Business Rules capability of SAP Build Process Automation to expose SAP business logic to Power Apps](https://blogs.sap.com/2020/07/31/scp-business-rules-put-to-the-test-with-microsoft-power-platform/)
 
 ### Microsoft Universal Print
 
diff --git a/articles/sap/workloads/media/expose-sap-odata-to-power-platform/sap-principal-propagation-trust.png b/articles/sap/workloads/media/expose-sap-odata-to-power-platform/sap-principal-propagation-trust.png
diff --git a/articles/sap/workloads/media/expose-sap-odata-to-power-platform/sap-principal-propagation.png b/articles/sap/workloads/media/expose-sap-odata-to-power-platform/sap-principal-propagation.png
diff --git a/articles/sap/workloads/toc.yml b/articles/sap/workloads/toc.yml
@@ -233,6 +233,8 @@ items:
         href: disaster-recovery-sap-hana.md
     - name: Integration with Microsoft services
       items:
+      - name: Enable SAP Principal Propagation and SSO for Power Platform
+        href: expose-sap-odata-to-power-platform.md
       - name: Outbound E-Mail from SAP to Exchange Online
         href: exchange-online-integration-sap-email-outbound.md
       - name: Recommended setup for SAP Cloud Identity Services and SAP Business Technology Platform with Microsoft Entra ID
