SAP integration to APIM?

Question

My doubt is about how to integrate SAP to APIM? I would have to register SAP to Azure AD to manage users, and how would it be the authentication and authorization to this external resource, these responsabilities will lie on SAP or APIM?

Answer 1

Jhon Elmer Bustamante Botero Thanks for posting your question in Microsoft Q&A. Yes, you would have to integrate SAP cloud with Azure AD, and this will allow users to signing to SAP with Azure AD accounts and follow doc https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial for more info.

The authentication and authorization can be performed in API Management depending on the use case. You can use validate-jwt policy to validate the JWT token passed by Azure AD and also, other policies to check role/group permissions in APIM. Refer SAP principal propagation for policy snippet and there is an example end-to-end scenario to integrate API Management with an SAP gateway with detailed steps.

I hope this helps and let me know if you have any questions.

Answer 2

Hi Jhon Elmer Bustamante Botero

Thanks for reaching out on Microsoft Q&A!

It's not a 101 answer to your question, as "integrating SAP to APIM" isn't a one-off, but I'm going to provide you with guidance on what is possible in my opinion:

• When your SAP product has an public facing API endpoint:
  • APIM can connect directly to it
  • Your inbound policy can make sure authorization for the backend is set
• When your SAP product does not have a public facing API endpoint, but does have an API:
  • You could upscale your APIM to Premium, however this can be a costly thing to do; Within the Premium tier you're able to:
    • Connect to a VNet which can be connected to the network where SAP lives
    • From that point forward you can use APIM policies again. just like a public facing endpoint, to connect to your SAP environment
  • As upscaling is coslty you could also use Logic Apps connected to APIM:
    • You can connect to SAP through the On-Premises Data Gateway, providing access to your perimeter network, after which the endpoint can be reached using the 'HTTP using Azure AD' connector in Logic Apps
• When your SAP product does not have a public facing API endpoint, and does not have an API (but RFC/BAPI):
  • You must use Logic Apps, again connected through the APIM, connecting to RFC/BAPI over the On-Premises Data Gateway providing access o your perimeter network
  • Now you can use the default 'SAP Connector' in the Logic Apps

In all cases you can use Azure API Management to upgrade security, which is best practice, to validate your callers before continuing to the backend (like for example validating through JWT and such).

Please click 'Accept answer' if you find this helpful.
Feel free to drop additional queries in the comments below!

Kind regards,

Sonny

Answer 3

Thank you to all for your answers. I will apply them into my problem.

BW