2 Overview
2.1 System Landscape
2.2 Payment Card Processes
3 Prerequisites
3.1 Consumer Applications: Releases
3.2 Consumer Applications: Transport Layer Security (TLS)
3.3 Additional Software
3.4 User Account with Payment Service Provider
4 Setup Activities
4.1 Account Setup
Creating a Subaccount (SaaS Tenant) in your Global Account (GA)
Configuring the Identity Provider (IdP) and Setting Up Authentication
Subscribing the SaaS Tenant to the SAP Digital Payments Add-On
Creating Role Collections and Assigning Them to User Groups
Enabling Machine-to-Machine (M2M) Communication
4.2 Activating PSPs
4.3 Connecting the SAP Digital Payments Add-On and the PSP
4.4 Consumer Applications
4.5 Payment Service Provider Determination
6 Support
This guide provides an introduction to digital payment services using the SAP digital payments add-on, and
describes the steps your system administrator must take to set up and configure the add-on.
The system landscape for payment scenarios using the SAP digital payments add-on is composed of three
elements:
● Consumer application: The communication between the consumer application, such as SAP S/4HANA
Cloud, and the customer account in the SAP Cloud Platform works using REST Web services and is
generally triggered by the consumer application.
● SAP digital payments add-on on SAP Cloud Platform: The SAP digital payments add-on processes the
requests from the consumer application and routes them to the relevant external payment service provider
(PSP). The add-on contains one 'core' adapter and one adapter for each PSP. In addition, the customer
account establishes the connection to the SAP Fiori UI for the key user. Please note that messages from
the SAP digital payments add-on are issued in English only.
● Payment service provider: The SAP digital payments add-on and the external PSPs communicate using
Web services. Most of this communication is synchronous.
The consumer application can initiate the following services using the SAP digital payments add-on:
The SAP digital payments add-on can be used in combination with various consumer applications. For
information on which consumer application releases are compatible with the SAP digital payments add-on,
please refer to the documentation of the relevant consumer application.
If you want to use the SAP digital payments add-on, the relevant ABAP system must be able to make a
connection using TLS 1.2 (or higher). TLS 1.0 or 1.1 connections are not compatible.
If your consumer application is a cloud application from SAP, you do not have to take any measures because
SAP ensures that TLS 1.2 is implemented.
If your consumer application is an on-premise application, please refer to the procedure described in 510007.
Example
ssl/client_ciphersuites 151:PFS:HIGH:!eRC4:!eNULL:!aNULL:!mMD5
● Browser
You need a Web browser, preferably Google Chrome, Internet Explorer, or Mozilla Firefox.
● Identity Management
You need an Identity and Access Management (IAM) system.
The SAP digital payments add-on connects the consumer applications to services provided by external PSPs.
The PSP licenses, however, are not included with the SAP digital payments add-on. You must obtain the PSP
licenses from the individual PSPs. You will need the PSP user account data to connect the SAP digital payments
add-on to the PSP services.
This section describes the steps to be performed by an SAP customer to set up a fully functional account for
the SAP digital payments add-on.
Overview
You must perform the following steps (see below for overview graphic and further details of each step):
Context
The SAP digital payments add-on is delivered with two tenants: a test tenant for testing integration and a
productive tenant for productive usage. We strongly recommend that you create two subaccounts to
distinguish between the usages, for example Digital Payments Test Account and Digital Payments
Productive Account.
For information on creating subaccounts in the SAP Cloud Foundry environment, refer to the SAP Cloud
Platform help topic Create Subaccounts Using the Cockpit.
With respect to the Display Name and the Subdomain, we suggest that you add a suffix with your company
name at the end of the subdomain. We strongly recommend that you define the display name and the
subdomain name in such a way that you can easily distinguish between your productive account and your test
account.
Context
For your existing SAML2-compliant identity provider (IdP), you need to establish mutual trust between your
subaccount's UAA (SAML2 service provider) and your IdP. To do this, you must upload the corresponding XML
metadata files. This process varies depending on the IdP implementation used.
If you are using the SAP Cloud Platform Identity Authentication service, you will find more information under
Establish Trust with an SAML 2.0 Identity Provider in a Subaccount in the SAP Cloud Platform help topic
Establish Trust and Federation with UAA Using SAP Cloud Platform Identity Authentication Service.
If you are using a different IdP, you will find more information under Establish Trust with Any SAML 2.0 Identity
Provider in a Subaccount in the SAP Cloud Platform help topic Establish Trust and Federation with UAA Using
Any SAML Identity Provider.
The metadata (including public key) of your tenant's UAA (service provider) can be found at
https://<subdomain>.authentication.eu10.hana.ondemand.com/saml/metadata
Note
As <subdomain>, use the subdomain names you defined when creating your test account and productive
account.
As Assertion Attribute Name for the Groups user attribute, enter Groups with initial capital.
If you are using a different IdP, you will find more information under Register SAP Cloud Platform Subaccount in
Any SAML 2.0 Identity Provider in the SAP Cloud Platform help topic Establish Trust and Federation with UAA
Using Any SAML Identity Provider.
Context
Note
If you are using the SAP Cloud Platform Identity Authentication service, you create the two groups
under Users & Authorizations > User Groups.
Note
If you are using the SAP Cloud Platform Identity Authentication service and you need to create new
users, you do this under Users & Authorizations > User Management.
Note
If you are using the SAP Cloud Platform Identity Authentication service IAS tenant, you must find the
users under User Management and assign them to the groups. It is not possible to open a group and
assign users to it.
Context
You need to subscribe to the SAP digital payments add-on application in your subaccount in the SAP Cloud
Platform cockpit.
Proceed as described in the SAP Cloud Platform help topic Subscribe to Multitenant Business Applications in
the Cloud Foundry Environment Using the Cockpit.
For your test subaccount, subscribe to the application SAP digital payments add-on Demo. For your
productive account, subscribe to the application SAP digital payments add-on Prod.
After you have successfully subscribed to the SAP digital payments add-on, you need to create role collections
and assign roles so that you can manage access to the application.
Context
For information on maintaining role collections, refer to the SAP Cloud Platform help topic Maintain Role
Collections.
You need to create two role collections, one for administrator and one for key user. We suggest you use the
names <dp-admin> and <dp-keyuser>.
Context
For information on assigning role collections to users or user groups using the SAP Cloud Platform cockpit,
refer to the SAP Cloud Platform help topic Assign Role Collections.
Note
Note that you must do this for both of the role collections you have created (administrator and key user).
● If you are using the default trust configuration with SAP ID Service, you assign users to role collections
directly. For more information, see the SAP Cloud Platform help topic Directly Assign Role Collections to
Users.
● If you are using a custom trust configuration, for example SAP Cloud Platform Identity Authentication
service, you can either assign users to role collections directly or map role collections to user groups. For
more information about mapping role collections to user groups, see the SAP Cloud Platform help topic
Map Role Collections to User Groups. In the <value> field, provide the name of the user group that you
maintained in your IdP previously.
To enable M2M communication for your consumer applications, you need to create an instance of the service
broker that provides access to the APIs.
Note
Currently, service instances can only be created in the Cloud Foundry environment.
Context
Note
Note that you must perform these steps for both of the subaccounts that you have created.
1. In your global account in the SAP Cloud Platform cockpit, navigate to the relevant subaccount and choose
Overview.
2. In the Cloud Foundry section, click Enable Cloud Foundry.
3. Choose a name for your organization. You can simply use the proposed name and click Create.
4. Wait until the creation process is finished.
5. On the left-hand side, you can see a new item called Spaces.
Context
Note
You must perform these steps for both of the subaccounts that you have created.
Note
You can only create services within the scope of a Cloud Foundry space.
1. Go to Spaces.
2. Click New Space.
3. Enter a name of your choice for the space. We recommend using digitalpayments.
4. Click Save.
For more information about creating a Cloud Foundry space, refer to the SAP Cloud Platform help topic Create
Cloud Foundry Spaces Using the Cockpit.
Context
Before creating an instance of the service broker for M2M communication, you must first enable M2M
communication for the subaccount in question.
You must perform these steps for both of the subaccounts that you have created.
1. Go to your global account view in the SAP Cloud Platform cockpit and choose Entitlements in the
dropdown list.
2. At the top of the screen, click Edit.
3. Look for the relevant quota: SAP digital payments add-on M2M for test/demo (for testing purposes) or SAP
digital payments add-on M2M for production (for productive usage), and for the corresponding subaccount,
and select the service plan: standard.
4. Click Save.
For more information about adding quotas to subaccounts, refer to the SAP Cloud Platform help topic Add
Quotas to Subaccounts Using the Cockpit.
Context
Note
You must perform these steps for both of the subaccounts that you have created.
Proceed as follows:
1. In the SAP Cloud Platform cockpit in the relevant subaccount, go to the newly created space.
2. Choose Services > Service Marketplace.
3. Select SAP digital payments add-on (for tests, M2M) or SAP digital payments add-on (for productive usage,
M2M) accordingly.
4. On the left-hand side, choose Instances.
5. Click New Instance.
6. Select Plan standard.
7. Click Next.
8. Click Next.
9. Enter an Instance Name for the service instance, such as dp-m2m.
10. Click Finish and the new instance appears in the list.
For more information about creating an instance, refer to the SAP Cloud Platform help topic Create Service
Instances Using the Cockpit.
Context
To authorize the communication between your consumer application and the SAP digital payments add-on,
client credentials are required. These can be obtained by creating a service key for the service instance you
created.
Note
Note that you must do this for both of the subaccounts you have created.
Proceed as follows:
For more information about creating a service key, refer to the SAP Cloud Platform help topic Create Service
Keys Using the Cockpit.
Note
The client credentials and other authorization-related details are stored in the service key. The service keys
are permanently stored in the Cloud Foundry environment of your subaccount. The data provided in the
service key created, such as clientid or clientsecret, will be needed to establish the communication
arrangement between your consumer application and the SAP digital payments add-on.
The procedure to establish connectivity between your consumer application and the SAP digital payments
add-on varies depending on the consumer application in question. For more information, please refer to the
documentation of your consumer application.
Example
"uaadomain": "authentication.eu10.hana.ondemand.com",
"tenantmode": "shared",
"sburl": "https://......-xsuaa.authentication.eu10.hana.ondemand.com",
"clientid": "sb-……345",
"identityzone": "<subdomain>",
"clientsecret": "abc……1234=",
"tenantid": "abc987654-a123-…..-b456",
"url": "https://<subdomain>.authentication.eu10.hana.ondemand.com"
Note
Replace the placeholder <subdomain> with the subaccount you have created in the account setup
procedure.
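The sketch below is an added example, not SAP code and not part of the original guide. It checks a service key of the shape shown above before its clientsecret is used, builds the client-credentials token request, and prepares a TLS context that enforces the TLS 1.2 minimum from the prerequisites. The /oauth/token path, the helper names, and all sample values are assumptions.

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlencode, urlsplit

# Constructed service key: field names follow the example above, values are placeholders.
SAMPLE_KEY = json.loads("""{
  "uaadomain": "authentication.eu10.hana.ondemand.com",
  "identityzone": "dp-test-example",
  "clientid": "sb-example-client",
  "clientsecret": "constructed-secret=",
  "url": "https://dp-test-example.authentication.eu10.hana.ondemand.com"
}""")

REQUIRED = ("uaadomain", "identityzone", "clientid", "clientsecret", "url")


def validate_service_key(key):
    """Return a list of problems; an empty list means the key is usable."""
    problems = [f"missing field: {name}" for name in REQUIRED if not key.get(name)]
    if problems:
        return problems
    parts = urlsplit(key["url"])
    if parts.scheme != "https":
        problems.append("url is not https")
    # The secret must only ever be sent to the tenant's own UAA host.
    expected_host = f"{key['identityzone']}.{key['uaadomain']}"
    if parts.hostname != expected_host:
        problems.append(f"url host is not {expected_host}")
    return problems


def build_token_request(key):
    """Build (without sending) the client-credentials token request."""
    problems = validate_service_key(key)
    if problems:
        raise ValueError("; ".join(problems))
    basic = base64.b64encode(f"{key['clientid']}:{key['clientsecret']}".encode()).decode()
    return urllib.request.Request(
        key["url"].rstrip("/") + "/oauth/token",  # assumed token path, not stated in the guide
        data=urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def tls12_context():
    """TLS context that verifies certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def redact(key):
    """Copy of the key that is safe to write to logs."""
    return {k: ("***" if k == "clientsecret" else v) for k, v in key.items()}


if __name__ == "__main__":
    req = build_token_request(SAMPLE_KEY)
    print(req.get_method(), req.full_url)
    print(redact(SAMPLE_KEY))
    # To send: urllib.request.urlopen(req, context=tls12_context(), timeout=10)
```

Keep separate service keys for the test and productive subaccounts, and log only the redacted form.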
Once you have set up your account, you need to activate the adapter(s) for the PSP(s) you want to use with the
SAP digital payments add-on. Each PSP has its own dedicated adapter.
To activate adapters, access the Payment Service Provider Status UI using the URLs below, and provide the
appropriate credentials.
Note
You will need to replace <subdomain> with the subdomain names you created earlier.
https://<subdomain>.demo-digitalpayments-sap.cfapps.eu10.hana.ondemand.com/pspStatus/index.html
https://<subdomain>.digitalpayments-sap.cfapps.eu10.hana.ondemand.com/pspStatus/index.html
When you access the UI, you will see a list of active/inactive PSPs. Simply select the row of the inactive PSP
you want to activate and click Activate.
The status then changes to and the PSP is ready for use.
Context
To set up the connection between the SAP digital payments add-on and a PSP, all you have to do is enter the
account credentials provided to you by that PSP.
The URLs for the PSPs currently supported have the following format:
Stripe
Test account:
https://<subdomain>.demo-digitalpayments-sap.cfapps.eu10.hana.ondemand.com/stripeConfiguration/index.html
Productive account:
https://<subdomain>.digitalpayments-sap.cfapps.eu10.hana.ondemand.com/stripeConfiguration/index.html
Paymetric
Test account:
https://<subdomain>.demo-digitalpayments-sap.cfapps.eu10.hana.ondemand.com/paymetricConfiguration/index.html
Productive account:
https://<subdomain>.digitalpayments-sap.cfapps.eu10.hana.ondemand.com/paymetricConfiguration/index.html
Note
Replace the placeholder <subdomain> with the subaccount you created in the account setup procedure.
Note
1. Using the relevant URL, enter the user account credentials you received from your PSP and save.
For security reasons, the credentials are saved in a keystore. The secure credentials are masked on the UI.
For Paymetric you require Merchant GUID and Shared Key for the tokenization service, and XiPay User,
XiPay Password, and XiPay Merchant ID for the payment processes, such as authorization or settlement.
For more information on this, see Paymetric's help:
○ Set XiPay WSA Password
○ XiPay Routing
2. Check the connectivity by clicking Check Connection.
Context
Connectivity has to be established between your consumer application and the SAP digital payments add-on.
You have already maintained the technical details and credentials for the SAP digital payments add-on. For
further information, please refer to the documentation of your consumer application.
Once you have completed all the above setup activities, your key user needs to set up the PSP determination.
For further information on this, please refer to the User Guide for SAP Digital Payments Add-On.
Please refer to the Security Guide for the SAP Digital Payments Add-On for information about security and PCI
compliance.
If you need support with the SAP digital payments add-on, please create a customer incident using the
following component:
FIN-FSCM-HCP-DP