SAP/Microsoft Manufacturing Reference Architecture | SCN
SAP/Microsoft Manufacturing Reference Architecture
Posted by Salvatore Casto in SAP Manufacturing Integration and Intelligence (SAP MII) on Oct 28, 2013
Executive Summary
Extend the capabilities of the existing SAP MII product to better support collaborative
Manufacturing reporting. The goal is to modernize this composition environment by
converting it to a web-based application that can interact with the SAP Mfg. EMI layer
(MII) to host live reports and provide live manufacturing data to these reports and
supporting visualization for both PC and Mobile devices.
+ There should be an enterprise reporting component that leverages the MS SharePoint
environment for global reporting
+ The solution includes Excel Web App as this leverages a large existing business user
skillset at many manufacturing facilities
+ Web based client applications allow for reports to be visible from a server rather than
only on the PC where they are stored
+ Provides a single view of the data for all users and security around how the data is
presented to the end-users
+ Provide a Single Sign-On capability in spite of the multiple technologies and
capabilities involved
Additional overview content is available here:
hp: sen sap.comicommunityimanufacturingimiblog/2013/07/08/sap-enterprise-manufaturing-
Inteligence-emisohttonsorsmicrosofotoe- 365,
Introduction
Purpose
The purpose of the document is to provide a reference architecture for setting up the
infrastructure that would support collaborative
Manufacturing reporting. The document provides guidance on provisioning various
components in Windows Azure, Microsoft O365 and SAP MII to provide live
manufacturing data to these reports and supporting visualization for both PC and Mobile
devices.
Target Audience
This document is intended for Enterprise Architects and developers who can use this
information
and the provided scenarios to extend the capabilities of the SAP MII product to
better support collaborative Manufacturing reporting and provide live manufacturing data
to these reports and supporting visualization for both PC and Mobile devices. The
document is created with the assumption that Enterprise personnel are proficient in
Windows Azure, Microsoft O365 and SAP MII and SAP NetWeaver products.
pscn sap.com/commurityimanufacuringiblog2013/1028'sapmicrosott-marufacturing-reference-architectre 182yrran0%5 SAPMMictosot Manufacturing Reference Architecture | SCN
Solution Overview
Conceptual View
Components
+ Visualization on both PC and mobile devices of the live manufacturing data feed from
the SAP MII will be provided by multiple Consuming Applications and Services such
as Office Applications on Microsoft O365, Web Services/Applications hosted in the
web, custom clients on PC/mobile devices and Excel on PC.
+ Data is made available to the consuming applications using Open Standards
(OData/SAML) based approach to alleviate any potential enterprise data access
+ SAP Azure add-on application running on Windows Azure environment decouples the
consuming clients from the SAP MII and provides an Open Standards (OData/SAML)
based interface for the clients to consume. It provides additional access control and
security on top of the MII service endpoints.
+ SAP MII instance(s) running on the enterprise on premise environment provides the
data feeds from sources such as the SRM, CRM, ERP, Plant Database, Plant Data
Historian and Sensor data.
+ Security of the system is achieved by authenticating and authorizing the users
accessing the reports, using their Domain credentials stored in Windows Active
Directory via Active Directory Federation Services (ADFS).
Logical View
Data Layer
The SAP MII instance is hosted either on the Enterprise On-Premise or in their Data
Center. The SAP MII provides an OData feed of the live manufacturing data directly from
various source systems without the need to replicate the data. For this the SAP MII instance
connects to the various sources such as local Plant Databases, Plant Data Historian and
Sensor data, Enterprise ERP, CRM, SRM, and Business Warehouses.
The sample OData response is in the link below:
http:melp.sap.com/saphelp_miit40sp02Melpdata/en'44/201d2d42994aef8Set91e58dbSc7
Facade Layer
The Windows Azure Infrastructure as a Service (IaaS) hosts the SAP Azure add-on cloud
service that decouples the consuming clients from the SAP MII and provides an Open
Standards (OData/SAML) based interface for the clients to consume. It provides additional
access control and security on top of the MII service endpoints.
Storage
+ Configuration information such as OData URL endpoint, application configuration is
stored in Windows Azure SQL Database
+ Optionally, the OData response from MII can also be cached and persisted in the Azure
Table Storage or Azure SQL Database
Data Consumers
Data consumers such as Web Application, Web Services, Excel Thick Client and Office
Web App can be used to consume MII data. For the reference architecture, Excel Web
App hosted in SharePoint Online (Office 365) has been chosen as one of the consumers
of the MII data.
Using the new Office App Model, an Office App which hosts the MII Facade has been used
to populate the Excel spreadsheet. The MII Facade Office App can populate the
spreadsheet both in the browser as well as in the Excel Thick Client.
Note: Office App Model works only with Office 2013.
[Figure: MII Facade Office App in Excel 2013 Desktop Client]
[Figure: MII Facade Office App in Internet Explorer]
Visualization Layer
As part of the reference architecture, PowerView is used to visualize MII data. Excel Thick
Client is populated with the MII data using the MII Facade Office App. PowerView Add-in
for Excel is then used to visualize and interact with the MII data.
The PowerView report below shows the Overall Equipment Effectiveness (OEE) across
various plants in USA.
The below PowerView report shows the OEE, Availability, Quality and Production Rate
across all the plants in USA.
The same PowerView reports also render in the web browser without any additional
modifications required.
[Figure: PowerView report showing OEE, Availability, Quality and Production Rate]
User Authentication & Authorization
User credentials are stored in the on premises Active Directory. Active Directory
Federation Services (ADFS) components are hosted on premises to enable WS-Federation
trust between MII Facade and Active Directory. A Federation trust is
established between MII Facade and ADFS.
The SAP MII is hosted securely in the enterprise data centre and only the OData feed is
exposed over the internet via a secure Reverse Proxy. The SAP MII running on the SAP
NetWeaver (Java) stack provides Certificate based authentication for Enterprise users
accessing the OData interface.
The SAP MII trusts the Active Directory Certificate Services Root CA running in the VM on
Windows Azure IaaS. MII is configured with Client certificate authentication and
authorization is based on the user's email address or UPN on SAP MII.
The MII Facade application is a Claims aware .NET web application built using Microsoft
Windows Identity Foundation toolkit and accepts Claims of the Enterprise users. Once the
user is successfully authenticated on ADFS, the MII Facade application generates a
temporary certificate that is valid for a few minutes for the user using Microsoft Active
Directory Certificate Services. It uses the certificate to request the data from the SAP MII
that is running in Enterprise On-Premise.
The SAP MII uses the User Certificate to authenticate the request from MII Facade. Upon
successful authentication and authorization, it retrieves the manufacturing data and
returns it as an OData response to the MII Facade which in turn returns the response to
the consuming application.
The temporary user certificate generated for the user by the MII Facade application is
immediately deleted upon completion of the request.
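
The policy that the receiving side can enforce on the temporary certificate described above, written here as an added example (it is not code from the original post, SAP or Microsoft). It works on a certificate dictionary in the shape Python's ssl.getpeercert() returns; the 5-minute cap, the issuer name and the user list are assumptions made for the illustration, and chain validation itself is left to the TLS stack.

```python
import ssl
import time

MAX_LIFETIME_SECONDS = 5 * 60                      # assumption: "a few minutes" read as 5
TRUSTED_ISSUER_CN = "Example Enterprise Root CA"   # hypothetical AD CS root CA name
AUTHORIZED_USERS = {"operator@example.com"}        # constructed authorization list


def _common_name(rdns):
    """Pull commonName out of the nested tuples used by getpeercert()."""
    for rdn in rdns:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_ephemeral_cert(cert, now=None):
    """Return (allowed, detail) for a peer certificate dict.

    Applies the policy layered on top of TLS chain validation: trusted
    issuer, short lifetime, current validity, and exactly one e-mail SAN
    that maps to a known user.
    """
    now = time.time() if now is None else now
    if _common_name(cert.get("issuer", ())) != TRUSTED_ISSUER_CN:
        return False, "untrusted issuer"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after - not_before > MAX_LIFETIME_SECONDS:
        return False, "lifetime exceeds policy"     # a long-lived cert defeats the design
    if not (not_before <= now <= not_after):
        return False, "outside validity window"
    emails = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "email"]
    if len(emails) != 1 or emails[0] not in AUTHORIZED_USERS:
        return False, "no authorized e-mail identity"
    return True, emails[0]


def sample_cert(not_before, not_after, email="operator@example.com",
                issuer=TRUSTED_ISSUER_CN):
    """Constructed certificate dict for the demonstration, not real data."""
    return {
        "issuer": ((("commonName", issuer),),),
        "subject": ((("commonName", email),),),
        "notBefore": not_before,
        "notAfter": not_after,
        "subjectAltName": (("email", email),),
    }
```

Rejecting on lifetime as well as on expiry means a certificate issued with a long validity period is refused even while it is still current.
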
The below sequence diagram shows the User Identity flow across Office 365, MII Facade
and MII instance.
Identity Flow Diagram
Claims Based Authentication for the Enterprise users accessing the MII reports is done
with Active Directory Federation Services as the Identity Provider. Users use their
Enterprise credentials to authenticate themselves over the internet against the Enterprise
Active Directory via this ADFS proxy.
The reference architecture provides a Single Sign-On experience for the user accessing
the reports with all the layers being Claims Aware and the user's Claims being used to
authenticate and authorize the user.
The reference architecture uses Client certificate authentication between the Azure MII
Facade and SAP MII running on SAP NetWeaver Java stack. The Client Certificate
Authentication is achieved using Microsoft Active Directory Certificate Services.
Security
+ All communication is over HTTPS.
+ No data or user credentials or user certificates are cached or stored on Azure by the
MII Facade application.
+ The user certificate generated for a user is valid only for that request from the user.
The certificate is deleted immediately after the request is serviced.
Physical View
Enterprise Data Center or On premise infrastructure will host the SAP MII, and the
data sources SRM, CRM, ERP, Plant Database and Plant Data Historian and Sensor
Data. It will also host the Windows Active Directory and Active Directory Federation
Services.
Windows Azure Environment will host the MII Facade application which provides the
intermediary layer that provides MII data sources to consumers as OData feeds.
Consuming Applications and Services
+ The User PC or Mobile devices can host the custom clients that consume the data
and generate the reports
+ The User PC can host the Excel thick client that consumes the data and generates
the reports
+ The Excel Services, Power View, Performance Point clients and the Office
Applications will be hosted on Microsoft Office 365
+ Custom Web Applications and Web Services, Microsoft SharePoint can be hosted on
premise or in the Enterprise data centre
Clients - Users can access the Visualization of the reports from their PC or Mobile
devices from the Organization intranet. Users on the move can access it from the Internet.
Assumptions & Limitations
+ The consuming applications are claims aware and will be accessing the MII Facade
using SAML tokens.
+ Web SSO is applicable to users who are using the Web Browser as the user interface
+ Thick clients such as Windows 8 applications and any other forms based applications
will need to use the Active authentication protocol to get data from MII Facade.
+ MII Facade cannot be deployed as a Multitenant application.
+ This solution is not tested for SAP MII on premise instance.
+ This solution is not tested for very large OData sets. This might require additional
architecting such as queues and storage on Azure.
+ Performance benchmark tests have not been conducted for this solution to ascertain
the data set size, latency etc.
+ Setting up Single Sign-On (SSO) between O365 and Active Directory Federation
Service (ADFS) is not part of the reference architecture
The future version of the MII Facade can incorporate the following capabilities where
required
+ Caching on the Office Client side - Address Security/Data Confidentiality
+ Addressing very large data sets
+ Single point of failure(s)