/btp-cap-multitenant-saas-SAP-samples

Sample project that demonstrates how to set up a multitenant application for a Software-as-a-Service scenario, leveraging the Kyma and Cloud Foundry Runtimes of the SAP Business Technology Platform. Developers learn how to implement their own CAP (mtxs) based SaaS app including a SaaS API and integration with various essential SAP BTP service of...

Primary language: JavaScript. License: Apache License 2.0 (Apache-2.0).

Develop a multitenant Software as a Service application in SAP BTP using CAP (Kyma + Cloud Foundry)

Description

The Sustainable SaaS (SusaaS) sample application has been built in a partner collaboration to help interested developers, partners, and customers in developing multitenant Software as a Service applications using CAP and deploying them to the SAP Business Technology Platform (SAP BTP). For this use-case, the SAP BTP, Cloud Foundry and Kyma Runtime were chosen. Still, you can also develop similar SaaS applications in the SAP BTP, ABAP environment (click here for further details).

The example focuses on using standard frameworks and SAP BTP services for developing, deploying, and monitoring the solution like the Cloud Application Programming Model (CAP), SAP API Management, Alert Notification, and many more.

The sample application has a focus on the topic of sustainability and is therefore called Sustainable SaaS (Susaas) app. It allows customers (Consumer Tenants) of the SaaS application to extend their SAP solutions like SAP S/4HANA with additional features developed by the SaaS vendor (Provider).

Due to the technical and theoretical complexity of the topic, the sample application must not be regarded as suitable for, or used in, productive scenarios of any kind. It is meant to present ideas and approaches for putting your scenario into practice. Our goal is to cover as many topics as we can, but not in the depth that would justify productive use.

Below you can find the solution architecture diagrams of our sample application. As you can see, the Kyma as well as the Cloud Foundry architecture both contain a lot of services and tools which you will use in this tutorial.

[Figure: solution architecture, Kyma]

[Figure: solution architecture, Cloud Foundry]

Content

To get started, we recommend to Discover some basic skills and learnings first. The following parts of the documentation will introduce you to the basics of this scenario, the concepts of multitenancy, and Software as a Service applications.

Continue your journey and deploy the Basic Version of the SaaS sample application to your SAP BTP, Cloud Foundry or Kyma environment, after preparing your Provider Subaccount by assigning the required entitlements. Learn about the different components used in the comprehensive SaaS sample app running in your environment now and subscribe a first Consumer Tenant.

Once you successfully deployed the Basic features of the SaaS sample application to your Cloud Foundry landscape or Kyma Cluster, feel free to enhance it with more features as part of the Advanced Version. This includes for example a SAP API Management integration to monitor and manage your SaaS API endpoints or SAP Identity Authentication to provide a Central User Management without relying on SAP ID service. Furthermore, you will learn and see a sample of how to integrate a backend system like SAP S/4HANA from a SaaS Consumer perspective.

After adding some or all of the Advanced Features, the following Expert Features contain a variety of different topics, which will make your application and life as a SaaS developer even more convenient. You will learn about management and backup of your Tenant database containers, multi-region deployments of SaaS applications and how to tackle topics like Custom Domain usage. Most of the Advanced Features can be tested with both, the Cloud Foundry and the Kyma Runtime, while some of the features are (as of now) available for a specific runtime only.

Important - Some of the Expert Features are Work-in-Progress. The code and documentation are subject to change.

Cloud Foundry (only)

Kyma (only)

Requirements

If you have not done so yet, we recommend setting up a Pay-As-You-Go (PAYG) or CPEA account for this sample application and using the mentioned Free (Tier) service plans. A tutorial on how to set up a PAYG account (allowing you to use all Free Tier service plans) can be found in the Tutorial Navigator.

Hint - This sample scenario (Basic and Advanced Version) can also be deployed to Cloud Foundry and Kyma environments in Trial accounts, although we recommend to use one of the two account types mentioned above. When going for a Trial account, please make sure to choose the us10 region to have access to SAP HANA Cloud.

Basic Version

The Basic Version of the sample application requires the following set of SAP BTP entitlements in the Provider Subaccount and can be done using Free (Tier) service plans of PAYG and CPEA accounts.

Kyma

| Service / Subscription | Free Tier / (Trial) Plans |
| --- | --- |
| Destination Service | Lite |
| SAP Alert Notification service for SAP BTP | Free / (Trial: Lite) |
| SAP Application Logging Service | Lite |
| SAP Authorization and Trust Management Service | Broker, Application |
| SAP BTP, Kyma Runtime | Free / (Trial: Trial) |
| SAP Cloud Management Service for SAP BTP | Central |
| SAP HTML5 Application Repository Service for SAP BTP | App-host, App-runtime |
| SAP Software-as-a-Service Provisioning service | Application |
| SAP HANA Cloud | hana-free (Trial: hana), tools |
| SAP HANA Schemas & HDI Containers | hdi-shared |
| SAP Service Manager | Container, Subaccount-Admin |

Cloud Foundry

Hint - 1GB of Cloud Foundry Runtime is sufficient for this use-case.

| Service / Subscription | Free (Tier) / (Trial) Plans |
| --- | --- |
| Application Autoscaler | Standard |
| Destination Service | Lite |
| SAP Alert Notification service for SAP BTP | Free / (Trial: Lite) |
| SAP Application Logging Service | Lite |
| SAP Authorization and Trust Management Service | Broker, Application |
| SAP BTP, Cloud Foundry Runtime | Free / (Trial: MEMORY) |
| SAP Cloud Management Service for SAP BTP | Central |
| SAP Credential Store | Free / (Trial: Trial) |
| SAP HTML5 Application Repository Service for SAP BTP | App-host, App-runtime |
| SAP SaaS Provisioning Service | Application |
| SAP HANA Cloud | hana-free / (Trial: hana), tools |
| SAP HANA Schemas & HDI Containers | hdi-shared |
| SAP Service Manager | Container, Subaccount-Admin |

If you need assistance assigning entitlements to your Provider Subaccount, you might find information here.

Advanced Features

The Advanced Features require some additional services and software components which are listed below. Please note that the SAP Identity Authentication Service is only available in Pay-As-You-Go (PAYG) and CPEA accounts.

| Service | Free (Tier) / (Trial) Plans |
| --- | --- |
| SAP Integration Suite | Free (Application), (Trial: trial (Application)) |
| Cloud Identity Services | default (Application), Application |
| SAP S/4HANA 2021 (or newer) | |

Please check the details below on these additional entitlements required for the Advanced Version. Especially when using the Cloud Identity Services, it is essential to understand the licensing model to remain within the free usage boundaries!

SAP Integration Suite

The free service plan is usable for 90 days only. Your tenant will be decommissioned after 90 days and you need to set up a new tenant if you wish to do further validations.

Cloud Identity Services

When signing up for a PAYG or CPEA account, you're entitled to one free test and productive SAP Identity Authentication Service (SAP IAS) tenant. Use the Cloud Identity Services plan default (Application) to create such an instance in your environment. Any further tenant can be licensed as Additional Tenant and will be charged according to your account type. Please also check the official SAP Help documentation (click here) and the following blog post (click here) for further information. Please check for potentially existing SAP IAS tenants first, to make sure you are sticking to the free service offering limits.

Using the SAP Identity Authentication Service, please make sure to comply with the license model, which is highly dependent on the application registration type created in SAP IAS. Using SAP IAS for authentication scenarios involving third-party solutions will result in costs! While SAP Cloud to SAP Cloud Log-ons are usually part of your overall SAP BTP contract, make sure you understand the licensing model before extensively using SAP IAS as part of your overall architecture. Additional information can be found in SAP Help (click here).

The service plan application allows you to create respective Service Instances within SAP BTP, that will automatically register an application in the trusted SAP IAS tenant configured in your Subaccount configuration.

SAP S/4HANA

An SAP S/4HANA system is actually not part of your SAP BTP Provider Subaccount, but is required if you want to test the automated data push feature from an existing SAP On-Premise solution. While we recommend to use at least the SAP S/4HANA 2021 release, with a bit of coding effort you should also be able to integrate older releases. This tutorial assumes you have at least access to an SAP S/4HANA 2021 release. Feel free to check out the SAP Cloud Appliance Library (https://cal.sap.com/) to get yourself a free test license.

Known Issues

Open

  • Automated Credential Rotation (Workaround available - 2023/06/09)
    • Problem: Users are facing a callback authentication error after successful login via SAP IAS as part of the One-Domain concept.
    • Issue: Activating the automated credential rotation of the SAP BTP Service Operator renews the X.509 certificate of the respective SAP IAS service bindings. As the Application Router caches the binding details for performance reasons, the cached X.509 certificate is not valid anymore after rotation. This results in an authentication error between Application Router and SAP IAS.
    • Workaround: A restart of the Application Router after credential rotation will solve this issue and the latest X.509 certificate is being cached. This restart can be automated in a Kubernetes/Kyma CronJob, starting a new Deployment rollout according to your credential rotation cycle. You can find an example incl. roles and service accounts in the respective Expert Features (click here). Combined with an external Redis cache for Application Router session management, downtimes can be minimized or completely mitigated! Make sure to have a sufficient overlap of both, the old and new X.509 certificate (rotatedBindingTTL: 24h & rotationFrequency: 48h), so the cached credentials are still valid until the restart has happened!
    • Solution: Issue has been addressed and a potential notification mechanism might trigger an automated update of the Application Router cache in the future (subject to change).
  • Consumer extension API issue (Workaround available - 2022/12/19)
    • Problem: Applying a Consumer extension currently results in the Push API not being usable by the extended Tenant anymore.
    • Issue: The current implementation has issues reading and processing the CSN file of the extended SaaS CAP service. This service serves as a base for the API CAP service.
    • Workaround: Extensibility has been temporarily disabled for the CAP API Service.
    • Solution: The issue has been addressed with the CAP product management and potential solutions will be worked on.
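
The workaround for the Automated Credential Rotation issue above, sketched as Kubernetes manifests: a ServiceBinding with the rotation overlap quoted in the workaround, and a CronJob that restarts the Application Router. This is an added example, not the repository's own Expert Feature code; the resource names, namespace, image, 12-hour schedule and the pre-existing service account are assumptions.

```yaml
# Added example. All names (susaas-ias-binding, susaas-ias, susaas-router,
# router-restarter, namespace susaas) and the image are placeholders.
apiVersion: services.cloud.sap.com/v1
kind: ServiceBinding
metadata:
  name: susaas-ias-binding
  namespace: susaas
spec:
  serviceInstanceName: susaas-ias
  secretName: susaas-ias-binding
  credentialsRotationPolicy:
    enabled: true
    rotationFrequency: 48h   # a new binding (and X.509 certificate) every 48h
    rotatedBindingTTL: 24h   # the old binding is kept for 24h after rotation
---
# Restarts the Application Router so it re-reads the binding secret and
# caches the latest certificate. The restart interval (12h here, an assumed
# value) has to be shorter than rotatedBindingTTL, so that a restart always
# happens while the previously cached certificate is still valid.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: router-restart
  namespace: susaas
spec:
  schedule: "0 */12 * * *"
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        spec:
          # Assumed to exist, with get and patch rights on deployments (apps group).
          serviceAccountName: router-restarter
          restartPolicy: Never
          containers:
            - name: kubectl
              image: "<kubectl-image>"   # placeholder: any image that ships kubectl
              command:
                - kubectl
                - rollout
                - restart
                - deployment/susaas-router
                - --namespace=susaas
```

Because a rollout restart replaces the router pods, the external Redis session cache mentioned in the workaround is what keeps user sessions alive across it.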

How to obtain support

Create an issue in this repository if you find a bug or have questions about the content.

For additional support, ask a question in SAP Community.

Contributing

If you wish to contribute code or offer fixes or improvements, please send a pull request. Check out our contribution guide. Due to legal reasons, contributors will be asked to accept a DCO when they create the first pull request for this project. This happens in an automated fashion during the submission process. SAP uses the standard DCO text of the Linux Foundation.

Code of Conduct

Please follow our code of conduct.

License

Copyright (c) 2023 SAP SE or an SAP affiliate company. All rights reserved. This project is licensed under the Apache Software License, version 2.0 except as noted otherwise in the LICENSE file.