Mobile apps for SAP S/4HANA – Customer Guide

Hello SAP Community,

This time I am going to talk about the mobile ready capabilities of the SAP S/4HANA system.

Preamble

During these particular times, we have been hearing a lot the following words: quarentines, lockdowns, Supply Chain challenges, consumer demand shocks,

And the question everyone is asking is: How can companies be prepared for this situation?.

The answer that comes to my mind is mobility. Doesn’t matter where you are, in order to be prepared for what’s coming next and be able to take a quick decision, you need to have information at the palm of your hand.

This topic is largely tackled in SAP S/4HANA by using SAP Fiori apps (web apps).

As you know, SAP Fiori apps are are built using SAP Fiori paradigm which with the following design principles:

• Role-based
• Adaptive
• Simple
• Coherent
• Delightful

This means that due to the “Adaptive” principle, users are enable to work with the SAP Fiori apps either from desktop and mobile devices.

But apart from the SAP Fiori apps available in the SAP S/4HANA systems, there is an offering of mobile apps you can download from your favourite app store.

This is the current list of mobile applications available for SAP S/4HANA environments:

SAP Customer Guide Apple

Using “SAP Customer Guide” app you can retrieve the latest customer financial data anywhere and any time. This app connects to SAP S/4HANA and allows regional CFOs and sales manager to prepare for upcoming customer meetings and keep track of a customer right from their iPhone or iPad.

SAP Shop Floor Manager Android Apple

SAP Shop Floor Manager mobile app helps “Production Supervisors” in the Manufacturing Plant to reach the production figures for the day, ensure smooth running production line and remove breakdowns and bottlenecks, have the right people at the right time at the right place and have all machines up and running and all material at work.

SAP Asset Manager Android Apple

Using SAP Asset Manager mobile app you can manage work orders, notifications, condition monitoring, material consumption, time management, and failure analysis. It supports the highly skilled workers who maintain enterprise assets to perform their job with complex information and business logic that is always available whether they are connected to the network or working in offline environments.

This particular app needs an add-on to be installed on the backend system.

Introduction

In this article I am going to focus on how to configure one of the apps previously listed, against an SAP S/4HANA on premise system. Particularly, I am going to show the step by step configuration of the “SAP Customer Guide” mobile app. Help SAP

Requirements

Before starting with this tutorial, let’s list the prerequisites:

• SCP Cloud Foundry with Mobile Services
• SCP Cloud Connector
• SAP S/4HANA system
• Identity Provider (IdP)

Architecture

The architecture of this solution contains a lot of components, so let’s start analyzing it by identifying the different systems that are part of it.

Now that we are aware of what are the different systems that interacts in the landscape, we are going to step into the details of the authentication process.

Using a native mobile app that you have downloaded from your phone’s app store, you authenticate against an IdP that then propagates your identity to the SAP S/4HANA system.

There are some important points you have to be aware with about the IdP prerequisites that can be ffound in the help sap documentation.

The IdP needs to fulfill the SAML 2.0 standard. Use one of the following mutually exclusive options:

• Use an existing SAML 2.0 IdP: If you already have a SAML 2.0 compliant IdP, you can use this for the Corporate Identity Provider. For more information, see Identity Federation with a Corporate Identity Provider.
• Use an Identity Authentication Tenant: If you don’t have a Corporate Identity Provider, you can use SAP’s cloud product – SAP Cloud Platform Identity Authentication Service. A detailed description about this product can be found here: SAP Cloud Platform Identity Authentication Service
• Use the SAP ID Service: The SAP ID service is SAP’s ready-to-use identity service that is offered as a Software-as-a-Service solution completely operated by SAP. This variant should only be considered for testing scenarios as you don’t have control over the user store. Also, you cannot integrate this solution with your on-premise user management.

For the purpose of this blog, I am going to use the SAP ID Service.

Going back to the architecture explanation, I am going to paste below the graphic of the detailed architecture for this solution .

We are going to talk back about this, when configuring the security tab in the SCP Mobile Services application tab.

Configuration of mobile application

First you have to create a new application in your mobile services cockpit.

Select the features that the app need to have:

• Mobile Client Log Upload
• Mobile Client Resources
• Mobile Client Usage and User Feedback
• Mobile Connectivity
• Mobile Network Trace

Configuration of Application Security tab (and SCC setup)

The Customer Guide app works letting the user authenticate against an IdP and then propagaiting this authentication against the SAP S/4HANA system. In this sense, the SAP Cloud Connector need to be configured for this purpose. Check the following links for understanding principal propagation between SAP Cloud Platform and an OnPremise system Link (Link1 and Link2). Just one small clarification, you don’t need to configure the destination on the SAP Cloud Platform. The mobile app knows which cloud connector/system to use due to the “url” and “cloud connector location id” specified in the SCP mobile servies destinations defined in the connectivity tab of the mobile app. This will be presented in the next section.

Remember that for the purpose of this blog, I have used SAP ID Service IdP.

The steps to configure principal propagation from the Cloud Connector to the SAP S/4HANA system are the following.

In SCC administration console:

1. Synchronize the IdP for Principal Propagation

2. Create System certificate

3. Create CA certificate

4. Change Principal Propagation config to propagate mail attribute to map to the SAP S/4HANA user. This is some important info to know about the SAP ID Service IdP mapping and Cloud Foundry environment. be aware that most of the articles related to principal propagation are done in Neo. In my case, I used Cloud Foundry environment so I have to use ${email} parameter.
5. Create sample certificate using the e-mail you have been configured in the account within the SAP ID Service (IdP)

6. Add the Backend System with Principal Propagation config in the “Cloud To On-Premise” tab

Note: This is a nice article about how to create the SSL certificates needed for the Cloud Connector.

In the SAP S/4HANA system:

1. Upload SCC System certificate in t-code strustsso2. Note: SCC system certificate should be signed either with a local CA or public, otherwise the SAP S/4HANA will give you SSL communication errors.
The SCC certificate should be uploaded in the “SSL Server Standard” folder like detailed in the blogs mentioned at the beginning of the section.

2. Configure the required system parameters mentioned in the two blogs previously provided. Some of them are not dynamic, so you will need to reboot the instance.

login/certificate_mapping_rulebased

icm/HTTPS/verify_client

icm/HTTPS/trust_client_with_issuer

icm/HTTPS/trust_client_with_subject

icm/trusted_reverse_proxy_0. –> Not needed in most of the cases.

3. Go to t-code CERTRULE and configure the rule necessary to map the SAP ID Service user to the SAP S/4HANA user using the e-mail property (use the sample certificate you previously generated in the SCC to verify this is working fine)

It’s very probably that you have some issues with the principal propagation configuration, keep checking the SMICM log trace to debug and SCC log file ljs_trace.log located in //SCC/log folder, and consult these excellent resources (info1 and info2) about the meaning of the errors.

Finally, in the SCP Mobile Services cockpit, we just need to know that in the security tab of the app it needs to be selected the option “OAuth”.

OAuth is an open protocol for securely authorizing applications using a standard method. SAP Cloud Platform must be the authorization server. This is the default option, and the OAuth client is generated automatically. You can use API keys with this choice.

Configuration of SCP Mobile Services destination

In this step we are going to define the backend connection that the app is going to use.

Upload configuration files to SCP Mobile Services

The customer guide app uses some configuration files to render the application functionality. Depending on the content you defined in these files, your app will display different content, and functionality as different action and navigations. Please check this link for further information.

You will have to navigate to the “Mobile Client Resources” feature of the app, and create these files:

• AppConfiguration.json
• FLPEndpointConfiguration.json
• LayoutConfiguration.json

Conclusion

As you have seen in this blog, SAP Customer Guide provides a new way to interact with SAP S/4HANA systems, using a native mobile app. Once configured, you will be able to check customer’s data directly from your cellphone/tablet, using a total mobile native approach that you are able to personalize using json files.

Remember that this is not the only SAP standard app app available for SAP S/4HANA, and each one has their different configuration setups. I encourage you to review each of them, so you can get the most of your SAP S/4HANA systems.

I hope you like the content, and start implementing them in your projects.

Thanks.

Best regards,

Emanuel