SAP/Microsoft Manufacturing Reference Architecture

Posted by Salvatore Casto in SAP Manufacturing Integration and Intelligence (SAP MII) on Oct 28, 2013

Executive Summary

Extend the capabilities of the existing SAP MII product to better support collaborative Manufacturing reporting. The goal is to modernize this composition environment by converting it to a web-based application that can interact with the SAP Mfg. EMI layer (MII) to host live reports and provide live manufacturing data to these reports and supporting visualization for both PC and Mobile devices.

+ There should be an enterprise reporting component that leverages the MS SharePoint environment for global reporting
+ The solution includes Excel web API as this leverages a large existing business user skillset at many manufacturing facilities
+ Web based client applications allow for reports to be visible from a server rather than only on the PC where it's stored
+ Provides a single view of the data for all users and security around how the data is presented to the end-users
+ Provide a Single sign-on capability in spite of the multiple technologies and capabilities involved

Additional overview content is available here: hp: sen sap.comicommunityimanufacturingimiblog/2013/07/08/sap-enterprise-manufaturing- Inteligence-emisohttonsorsmicrosofotoe- 365

Introduction

Purpose

The purpose of the document is to provide a reference architecture for setting up the infrastructure that would support collaborative Manufacturing reporting.
The document provides guidance on provisioning various components in Windows Azure, Microsoft O365 and SAP MII to provide live manufacturing data to these reports and supporting visualization for both PC and Mobile devices.

Target Audience

This document is intended for Enterprise Architects and developers who can use this information and the provided scenarios to extend the capabilities of the SAP MII product to better support collaborative Manufacturing reporting and provide live manufacturing data to these reports and supporting visualization for both PC and Mobile devices. The document is created with the assumption that Enterprise personnel are proficient in Windows Azure, Microsoft O365 and SAP MII and SAP NetWeaver products.

Solution Overview

Conceptual View

Components

+ Visualization on both PC and mobile devices of the live manufacturing data feed from the SAP MII will be provided by multiple Consuming Applications and Services such as Office Applications on Microsoft O365, Web Services/Applications hosted in the web, custom clients on PC/mobile devices and Excel on PC.
+ Data is made available to the consuming applications using Open Standards (OData/SAML) based approach to alleviate any potential enterprise data access
+ SAP Azure add-on application running on Windows Azure environment decouples the consuming clients from the SAP MII and provides an Open Standards (OData/SAML) based interface for the clients to consume. It provides additional access control and security on top of the MII service endpoints
+ SAP MII instance(s) running on the enterprise on premise environment provides the data feeds from sources as the SRM, CRM, ERP, Plant Database, Plant Data, Historian and Sensor data.
+ Security of the system is achieved by authenticating and authorizing the users accessing the reports, using their Domain credentials stored in Windows Active Directory via Active Directory Federation Services (ADFS).

Logical View

Data Layer

The SAP MII Instance is hosted either on the Enterprise On-Premise or in their Data Center. The SAP MII provides an OData feed of the live manufacturing data directly from various source systems without the need to replicate the data. For this the SAP MII instance connects to the various sources as local Plant Databases, Plant Data Historian and Sensor data, Enterprise ERP, CRM, SRM, and Business Warehouses.

The sample OData response is in the link below: http:melp.sap.com/saphelp_miit40sp02Melpdata/en'44/201d2d42994aef8Set91e58dbSc7

Facade Layer

The Windows Azure Infrastructure as a Service (IaaS) hosts the SAP Azure add-on cloud service that decouples the consuming clients from the SAP MII and provides an Open Standards (OData/SAML) based interface for the clients to consume. It provides additional access control and security on top of the MII service endpoints.

Storage

+ Configuration information such as OData URL endpoint, application configuration is stored in Windows Azure SQL Database
+ Optionally OData response from MII can also be cached and persisted in the Azure Table Storage or Azure SQL Database

Data Consumers

Data consumers such as Web Application, Web Services, Excel Thick Client and Office Web App can be used to consume MII data. For the reference architecture, Excel Web App hosted in SharePoint Online (Office 365) has been chosen as one of the consumers of the MII data. Using the new Office App Model, an Office App which hosts the MII façade has been used to populate the Excel spreadsheet.
The MII Facade Office App can populate the spreadsheet both in the browser as well as in the Excel Thick Client.

Note: Office App Model works only with Office 2013.

Figure: MII Façade Office App in Excel 2013 Desktop Client
Figure: MII Façade Office App in Internet Explorer

Visualization Layer

As part of the reference architecture, PowerView is used to visualize MII data. Excel Thick Client is populated with the MII data using the MII Facade Office App. PowerView Add-in for Excel is then used to visualize and interact with the MII Data.

The PowerView report below shows the Overall Equipment Effectiveness (OEE) across various plants in USA.

The below PowerView report shows the OEE, Availability, Quality and Production Rate across all the plants in USA.

The same PowerView reports also render in the web browser without any additional modifications required.

User Authentication & Authorization

User credentials are stored in the on premises Active Directory. Active Directory Federation Services (ADFS) components are hosted on premises to enable WS-Federation trust between MII Facade and Active Directory. A Federation trust is established between MII Façade and ADFS.

The SAP MII is hosted securely in the enterprise data centre and only the OData feed is exposed over the internet via a secure Reverse Proxy. The SAP MII running on the SAP NetWeaver (Java) stack provides Certificate based authentication for Enterprise users accessing the OData interface.

The SAP MII trusts the Active Directory Certificate Services Root CA running in the VM on Windows Azure IaaS.
MII is configured with Client certificate authentication and authorization is based on users email address or UPN on SAP MII.

The MII Facade application is a Claims aware .NET web application built using Microsoft Windows Identity Foundation toolkit and accepts Claims of the Enterprise users. Once the User is successfully authenticated on ADFS, the MII Facade application generates a temporary certificate that is valid for a few minutes for the user using Microsoft Active Directory Certificate Services. It uses the certificate to request the data from the SAP MII that is running in Enterprise On-Premise.

The SAP MII uses the User Certificate to authenticate the request from MII facade. Upon successful authentication and authorization, it retrieves the manufacturing data and returns it as an OData response to the MII Façade which in turn returns the response to the consuming application.

The temporary user certificate generated for the user by the MII Façade application is immediately deleted upon completion of the request.

The below sequence diagram shows the User Identity flow across Office 365, MII Facade and MII instance.

Identity Flow Diagram

Claims Based Authentication for the Enterprise users accessing the MII reports is done with Active Directory Federation Services as the Identity Provider. Users use their Enterprise credentials to authenticate themselves over the internet against the Enterprise Active Directory via this ADFS proxy.

The reference architecture provides a Single Sign-On experience for the user accessing the reports with all the layers being Claims Aware and the users Claims being used to authenticate and authorize the user.

The reference architecture uses Client certificate authentication between the Azure MII Facade and SAP MII running on SAP NetWeaver Java stack.
The client Certificate Authentication is achieved using Microsoft Active Directory Certificate Services.

Security

+ All communication protocol is over HTTPS.
+ No data or user credentials or user certificates is cached or stored on Azure by the MII Facade application.
+ The user certificate generated for a user is valid only for that request from the user. The certificate is deleted immediately after the request is serviced

Physical View

Enterprise Data Center or On premise infrastructure will host the SAP MII, and the data sources SRM, CRM, ERP, Plant Database and Plant Data Historian and Sensor Data. It will also host the Windows Active Directory and Active Directory Federation Services.

Windows Azure Environment will host the MII facade application which provides the intermediary layer that provides MII data sources to consumers as ODATA feeds

Consuming Applications and Services

+ The User PC or Mobile devices can host the custom clients that consumes the data and generates the reports
+ The User PC can host the Excel thick client that consumes the data and generates the reports
+ The Excel Services, Power View, Performance Point clients and the Office Applications will be hosted on Microsoft Office 365
+ Custom Web Applications and Web Services, Microsoft SharePoint can be hosted on premise or in the Enterprise data centre

Clients - Users can access the Visualization of the reports from their PC or Mobile devices from the Organization intranet. Users on the move can access it from the Internet.
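The receiving-side checks implied by the User Authentication & Authorization and Security sections above (trusted issuer, a certificate lifetime of only a few minutes, authorization by email address), as an added Python example that is not part of the original post, SAP MII or the MII Façade. It works on the dictionary form returned by Python's ssl.SSLSocket.getpeercert(); the issuer name, the 5-minute limit, the user map and the sample certificates are assumptions constructed for illustration.

```python
import ssl

# Assumptions for illustration (not from the original post):
MAX_LIFETIME_S = 5 * 60                            # "a few minutes" taken as 5
TRUSTED_ISSUER_CN = "Example Enterprise Root CA"   # hypothetical AD CS root name
AUTHORIZED = {"operator@example.com": {"OEE"}}     # hypothetical user -> reports


def _first(name, key):
    """First value of `key` in an ssl-style name: ((('commonName', 'x'),), ...)."""
    return next((v for rdn in name for k, v in rdn if k == key), None)


def check_client_cert(cert, report, now):
    """Decide whether a request carrying `cert` may read `report`.

    `cert` is the dict produced by ssl.SSLSocket.getpeercert() after the TLS
    layer has already validated the chain; `now` is epoch seconds.
    Returns (allowed, detail).
    """
    if _first(cert.get("issuer", ()), "commonName") != TRUSTED_ISSUER_CN:
        return False, "untrusted issuer"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    # A long-lived certificate from the facade's CA breaks the per-request model.
    if not_after - not_before > MAX_LIFETIME_S:
        return False, "lifetime exceeds policy"
    if not (not_before <= now <= not_after):
        return False, "outside validity window"
    emails = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "email"]
    if len(emails) != 1:
        return False, "expected exactly one email SAN"
    if report not in AUTHORIZED.get(emails[0], set()):
        return False, "user not authorized"
    return True, emails[0]


def sample_cert(not_before, not_after, email="operator@example.com",
                issuer=TRUSTED_ISSUER_CN):
    """Constructed sample in getpeercert() layout (not a real certificate)."""
    return {"issuer": ((("commonName", issuer),),),
            "notBefore": not_before, "notAfter": not_after,
            "subjectAltName": (("email", email),)}


if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Oct 28 10:02:00 2013 GMT")
    short = sample_cert("Oct 28 10:00:00 2013 GMT", "Oct 28 10:05:00 2013 GMT")
    print(check_client_cert(short, "OEE", now))
```

Rejections for "lifetime exceeds policy" are worth alerting on, since they mean the issuing CA produced a certificate outside the per-request model the architecture relies on.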
Assumptions & Limitations

+ The consuming applications are claims aware and will be accessing the MII Facade using SAML tokens.
+ Web SSO is applicable to users who are using the Web Browser as the user interface
+ Thick clients such as Windows 8 applications and any other forms based applications will need to use the Active authentication protocol to get data from MII Façade.
+ MII Facade cannot be deployed as a Multitenant application.
+ This solution is not tested for SAP MII on premise instance:
+ This solution is not tested for very large OData sets. This might require additional architecting such as queues and storage on Azure.
+ Performance benchmark Tests have not been conducted for this solution to ascertain the data set size, latency etc.
+ Setting up Single Sign-On (SSO) between O365 and Active Directory Federation Service (ADFS) is not part of the reference architecture

The future version of the MII Facade can incorporate the following capabilities where required

+ Caching on the Office Client side - Address Security/Data Confidentiality
+ Addressing very large data sets
+ Single point of failure(s)
