Duet Enterprise for Microsoft SharePoint and SAP

Duet Enterprise is a new jointly developed product from SAP and Microsoft that enables interoperability between SAP applications and Microsoft SharePoint Server 2010 Enterprise Edition. Duet Enterprise empowers employees to consume and extend SAP processes and information from within SharePoint Server and Microsoft Office 2010 client applications.

Duet Enterprise Architecture

Microsoft Environment
Clients
Browsers Duet Enterprise supports all browsers supported by SharePoint Server 2010.

SAP Environment

Duet Enterprise SharePoint Add-on Components

These lists explain the Duet Enterprise SharePoint Add-on components as seen in the illustration at right.

SharePoint Server 2010 Enterprise Edition

SAP NetWeaver Business Warehouse SharePoint Server 2010 Components
1
Reporting

Duet Enterprise SAP Add-on Components

Duet Enterprise SAP Add-on Components*

Key SharePoint System Components used by Duet Enterprise

A. SharePoint workflow functionality supports SharePoint users interacting with SAP workflows. B. The Enterprise Content Manager component is used to manage the lifecycle of documents, such as SAP reports. C. Duet Enterprise uses the SharePoint Security Token Service to authenticate users using SAML tokens. D. Microsoft Business Connectivity Services provide a connector for communication between SharePoint Server 2010 and the SAP environment along with other features used to connect to and interact with SAP information.

Duet Enterprise SharePoint Add-on Components

1. The Duet Enterprise Site templates provide SharePoint Server 2010 users with entry points into the preconfigured Duet Enterprise experience. The Duet Enterprise sites are composed of a an initial set of subsites, including Application Center, Customers, Products, and a set of sites for collaboration on customers and other business data. These sites are pre connected to the corresponding business objects in the SAP environment. 2. The Duet Enterprise Workflow feature enables SharePoint Server 2010 users to participate in SAP workflows, for example, to approve an expense report. 3. The Duet Enterprise Reporting feature enables the retrieval of SAP reports from SAP BW or SAP ERP. 4. The Business Connectivity Services Solution Designer feature is used to customize Duet Enterprise solutions. 5. The Duet Enterprise Collaboration feature enables SharePoint Server 2010 users to collaborate around SAP information and objects. This feature provides a set of templates to set up collaboration sites. 6. The monitoring and supportability components support integration troubleshooting of both Microsoft and SAP components. For example, this module enables administrators to change a feed or customize a view. 7. Duet Enterprise Role and Profile Sync enables SAP roles and SAP profiles to be used in SharePoint Server 2010.
1
Duet Enterprise Site templates

These lists explain the Duet Enterprise SAP Add-on components as seen in the illustration at left.

A
SharePoint Workflow

Templates & Starter Services

A

Key SAP Environment Components used by Duet Enterprise 1. The Reporting modules that run on SAP NetWeaver or SAP Business Warehouse provide reporting functionality around SAP data. 2. The SAP Workflow engine runs all SAP Workflows. 3. SAP Enterprise services and Business Events are used to interact with the SAP Business Suite and retrieve SAP information and content. 4. The SAP SMD and CCMS tools are used to monitor SAP systems and SAP Duet Enterprise components.

Duet Enterprise SAP Add-on Components

A. Starter Services includes a set of pre-packaged SAP business objects. B. Duet Enterprise Workflow enables SharePoint Server 2010 users to participate in SAP workflows. C. Duet Enterprise Reporting enables SharePoint Server 2010 users to retrieve reports from SAP. Reporting also enables the configuration of report catalogs, which are then made available on the Reporting Site in SharePoint Server 2010. D. The Content Publisher is used to transfer content from SAP to SharePoint Server 2010. E. The Object Instance Cache is used to cache Duet Enterprise specific data and information. F. The Routing Manager routes requests for reports from SAP NetWeaver to the corresponding SAP back-end system. G. The Role Provider enables SharePoint Server 2010 to get a list of SAP roles that can be used to grant permissions on securable objects in SharePoint Server 2010 sites. Note: The Duet Enterprise SAP Add-on provides the services that enable interoperability between the SAP system and the SharePoint system. For example, the Duet Enterprise Reporting module maps to the SharePoint Reporting site, and the Content Publisher module maps to the Enterprise Content manager.

Microsoft Office Professional Plus 2010

Enterprise Content Manager

SAP NetWeaver
2

Starter Services

Microsoft Outlook 2010 Microsoft InfoPath 2010 Microsoft Excel 2010 Microsoft Word 2010 Microsoft SharePoint Workspace 2010

B
SAP Workflow Duet Enterprise Workflow

SharePoint Security Token Service

BDC Server Runtime

D 1
Business Connectivity Services Reporting Duet Enterprise Reporting

SAP Business Suite Duet Enterprise SharePoint Add-on

3
Enterprise Services

Basic Components

text

D
Content Publisher

3 2
Duet Enterprise Workflow feature

Business Events Object Instance Cache

F 3
Duet Enterprise Reporting feature

SAP Supportability Tools

4

Routing Manager

G 4

BDC service
BCS Solution Design feature

SMD

Role Provider

4
CCMS

5
Duet Enterprise Collaboration feature

* Runs on the SAP NetWeaver ABAP stack

6
Monitoring & Supportability components

7
Duet Enterprise Role & Profile Sync

BDC service data

Duet Enterprise Security

Duet Enterprise SharePoint user accounts cannot directly access information in the SAP system. Duet Enterprise enables SAP administrators to map SharePoint user accounts to SAP accounts. Duet Enterprise also enables SAP roles that are mapped to SAP users in the SAP environment. When SharePoint users are mapped to SAP users or roles this enables SAP applications to authenticate the SharePoint users by looking up the SAP account that is mapped to a particular SharePoint user. Duet Enterprise also enables using SAP roles as claims-based security principals in SharePoint. This enables SharePoint users and administrators to grant SAP users access to SharePoint securable objects, such as sites, lists, and items by securing those securable objects using SAP roles. SAP roles are defined and the SAP user-to-role assignment is managed in the SAP environment. The ability to secure SharePoint objects by using SAP roles saves the administrative overhead of redefining those same roles in SharePoint.

Impact of Business Unit Ownership of Applications on Duet Enterprise Landscape

SharePoint Farm 1 Applications for Business Unit 1 SharePoint Farm 2 Applications for Business Unit 2

Secure objects in SharePoint using SAP Roles

When a SharePoint user runs an SAP report from a SharePoint site, a file that contains the report is delivered to a SharePoint document library and secured using one or more SAP roles. Because the file is secured using an SAP role rather than the user account of the SharePoint user who ran the report, SharePoint must look up the SAP role in the user profile store for SharePoint users who want to view the report. The diagram below, and the associated list on the right, describe the authorization process of a user requesting access to a securable object in SharePoint that has been secured using an SAP role. 1. A SharePoint user or administrator opens the People Picker and assigns SAP roles to SharePoint securable objects, such as sites, lists, and documents. 2. The People Picker uses the Duet Enterprise Claims Provider to access the list of SAP roles that have been authorized for use in SharePoint. The Duet Enterprise Claims Provider requests the SAP role definitions from the SAP application. 3. The SAP application sends the SAP role definitions back to the Duet Enterprise Claims Provider, which makes them available in the People Picker. 4. The SharePoint administrator selects the SAP role from the People Picker and grants that SAP role the appropriate permissions for the SharePoint securable object.
4 1

Duet Enterprise User Authorization

The diagram below provides a high-level overview of the Duet Enterprise user authorization process. 1. A SharePoint farm administrator synchronizes the user profiles in SAP with the SharePoint User Profile Store over a Business Data Connectivity Services connector. This brings the SAP roles to which are users mapped into the SharePoint User Profile Store.

Duet Enterprise Web Application

Sales Management Site for Business Unit 1 http://BUIT1salesmgmt Leave Management Site for Business Unit 1 http://BUIT1leavemgmt

Duet Enterprise Web Application

Sales Management Site for Business Unit 2 http://BUIT2salesmgmt Leave Management Site for Business Unit 2 http://BUIT2leavemgmt Budget Management Site for Business Unit 2 http:/BUIT2budgetmgmt

This diagram represents an organization in which SAP backend systems are managed by the Corporate IT organization, Duet Enterprise SAP add-ons are managed by each business unit IT department, and SharePoint Server 2010 is managed by the SharePoint administration team. This landscape scenario depicts all applications among the business units as hosted in the same farm. In this situation, the administrator and the business unit want complete control of all of the components in the stacks. In this scenario, the service levels differ between applications in the enterprise. Some applications are critical for business and care is taken to ensure availability of these applications. Other applications are important but do not have to ensure the same level of services as those of critical applications. Multiple Duet Enterprise applications can be deployed in a single SharePoint Server 2010 farm. Multiple SAP backend systems and domains can be used with Duet Enterprise. Note that a single SAP NetWeaver Server must be deployed with a single SharePoint Server 2010. Many organizations have complex requirements that require deploying multiple SAP backend systems. Examples of such complex requirements are as follows: Critical differences between the SAP applications Geographical distribution of the user base Business unit ownership of the application or system Functional separation of the applications and autonomy of the operations

Profiles Synchronized Duet Enterprise Claims Provider

3 1

BDC model configured for Sales Management and Leave Management for Business Unit 1 will be hosted in this service application instance.

BDC model configured for Sales Management, Leave Management, and Budget Management for Business Unit 2 will be hosted in this service application instance.

SAP

DUET ENTERPRISE CLAIMS PROVIDER

2. A SharePoint user or administrator logs into a SharePoint site and attempts to access a site, list, or items that are secured using an SAP role. 3. SharePoint uses the Duet Enterprise Claims Provider to access the User Profile Store to determine which SAP roles the SharePoint user or administrator has been assigned. SharePoint then grants or denies the SharePoint user access to the securable object based on the role the user is assigned and the permissions granted to that SAP role on the securable object.

Sales Management Business Unit 1

Leave Management Business Unit 1

Sales Management Business Unit 2

Leave Management Business Unit 2

Budget Management Business Unit 2

SAP
2

Duet Enterprise SAP Add-on X

Duet Enterprise SAP Add-on Y

PEOPLE PICKER

SharePoint User

Sales & Leave Management

Sa l es

e Le av Budge t

Sale s

e eav

Budget, Sales, & Leave Management

SharePoint securable object

ERP Backend

CRM Backend

HCM Backend

Duet Enterprise Trust Configurations

SAP BW

Duet Enterprise Landscape: Logical Overview

Microsoft Stack SAP Server Stack
SAP Business Warehouse components

Duet Enterprise Landscape Monitoring

Monitored by Microsoft standard tools

Duet Enterprise Claims-based Authentication

Although Duet Enterprise support multiple authentication methods, Claims authentication is the only method that supports using SAP role to secure objects in SharePoint. The diagram below and the list to the right shows a high-level view of how authentication works in a Duet Enterprise environment. 1. The SharePoint user's identity is sent to the Business Connectivity Services Windows Communication Foundation connector. 2. The connector sends the SharePoint user's identity to the SharePoint Security Token Service. SharePoint Server SharePoint Secure Token Store
3
u Tr st

SAP Computer Center Management System

Microsoft SharePoint Server 2010
Duet Enterprise Applications

PSE

Duet Enterprise Clients

PSE SSL SSL

Microsoft SharePoint Server 2010

STS

Clients using Duet Enterprise

Clients

SAP Environment
SAP NetWeaver 7.02 SAP Business Suite

SharePoint Supported Browsers Microsoft Office Professional Plus 2010

SAP Applications

Microsoft Office 2010

SAP NetWeaver
SSL PSE SSL PSE Duet Enterprise Applications

SharePoint Server 2010 Farm

Duet Enterprise SharePoint Add-on

SAP NetWeaver
Duet Enterprise SAP Add-on

SAP ERP 2004/6.0

SAP Business Suite (optional) NW >= 7.0

SharePoint Server 2010 supported browsers

Duet Enterprise BDC Models: 1

Duet Enterprise SAP Add-on Duet Enterprise Services SAP Business Warehouse

SAP back-end

3. The SharePoint Security Token Service returns a token that identifies the SharePoint user. 4. The token is then sent to SAP NetWeaver in a SOAP request packet. 5. A trust relationship is created between the SAP NetWeaver and the Security Token Service during deployment. This enables SAP NetWeaver to use the token to look up the SAP user that is mapped to the SharePoint user who is identified by the token. 6. The SAP user account that is mapped to the SharePoint user is returned to SAP NetWeaver. 7. SAP NetWeaver users the SAP user account to request access to information in the SAP system and, if the user is authorized to access the information, the requested information is sent to SAP NetWeaver. 8. SAP NetWeaver sends the requested information to the BCS WCF connector as a SOAP response. 9. The BCE connector passes the information to the SharePoint user.

SAP ERP

NW 7.02

NW 6.40/7.0

Duet Enterprise SharePoint Add-on

User Mapping
6

Authentication

Active Directory

LDAP Server (optional)

Identity Management

Business Connectivity Services

Business Content

SAP BASIS

CUA (optional)

IDM (optional)
Internet Information Services

Legend: PSE = Personal Security Environment; SSL = Secure Sockets Layer; STS = Security Token Service The Trust Configurations diagram shows the one-way Security Token Service (STS) flow between Microsoft SharePoint Server 2010 and SAP NetWeaver that SAML requires. The two-way Secure Sockets Layer (SSL) flow of trust between SharePoint Server 2010 and SAP NetWeaver is a requirement for secure communication. The SSL flow is a required exchange of certifications in this environment if the certifications are self-signed but can be an option if the certifications are publicly-signed. The diagram then shows the two-way Personal Security Environment( PSE) flow of trust between SAP NetWeaver and NetWeaver BW that is used to establish trust between the SAP systems. The one-way SSL flow is required in this environment for secure communications. The two-way PSE flow between the SAP NetWeaver and SAP ERP systems is used to establish trust between the components of the SAP systems. The two-way SSL flow between the SAP ERP system and the SAP NetWeaver system is used for returning reports back to SAP NetWeaver and also for handling customer data. The mstnw702-ssl.cert certificate must be shared between the SharePoint Server and the SAP NetWeaver Server. The mstnw702-pse.cert certificate must be shared between the SAP NetWeaver Server and the SAP ERP Server.
Notification

5 7

SAP Application
ext SAP user cont

Microsoft SharePoint Workspace 2010

.NET Framework 3.5

1 9

BCS WCF Connector

4 8

SAP NetWeaver

Any SMTP Server (optional)

Landscape Management

SLD (optional)
Database Server

Legend
All network calls over HTTPS SharePoint user identity Claims Identity SAP user SharePoint user

Monitoring

SCOM

3rd Party Monitoring Software (optional)

Monitoring

SMD

CCMS (part of ABAP system)

Microsoft System Center Microsoft SharePoint health rules

Monitored by SAP standard tools

2010 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at ITSPDocs@microsoft.com.