| Status | Approved |
| Owner | |
| Stakeholders | |
| LeanIX Link | SAP Integration Suite |
Introduction
Purpose
The purpose of this document is to outline the application architecture of SAP Cloud Integration Suite as deployed by SyWayScope & Objectives
This document will describe the high-level architecture of the SAP Cloud Integration Suite.
Out of Scope:
- Since SAP Cloud Integration Suite is a SaaS group of applications, network and infrastructure architecture will NOT be covered.
- Product documentation and information that can be found online will not be documented here, but referenced using hyperlinks.
- Implementation details such as Integration Design or API Management Design may have different architectures.
Application Architecture
Overview
Application Architecture Components
| Component | Acronym | Description |
|---|---|---|
| Business Accelerator Hub | Business Accelerator is a centralized resource for developers and partners to build integrations and extensions for SAP solutions, access pre-built integration content, and accelerate digital transformation efforts. The key features of the hub is enabling the discovery of API, ability to use existing integration content provided by SAP and partners. | |
| Cloud Integration | CI | Formally known as Hana Cloud Integration (HCI) and Cloud Platform Integration (CPI), CI is the core capability enabling the integration design and execution with SAP and non-SAP, cloud, and on-premise applications. CI enables Integration design via web based User Interface, providing orchestration of integration processes, connectivity to SAP, non-SAP, Cloud and On-Premise systems and Data Transformation. |
| API Management | APIM | APIM provides governance, security and monitoring of API, enabling exposure, management and monetization of APIs. APIM brings together all components necessary to expose and consume APIs providing capabilities for complete lifecycle of APIs, including, discovery, security, mediation, traffic management, analytics and documentation. |
| Event Mesh ( & Advanced Event Mesh ) | EM ( & AEM ) | EM provides the core infrastructure for enterprise-grade broker for event-driven architecture. It allow asynchronous communication between SAP and non-SAP. |
| Open Connectors | A Central Hub to access configurable connectors for over 170 non-SAP applications through harmonised APIs, enabling simplification and acceleration of integrations. | |
| Integration Advisor & Trading Partner Management | IAE & TPM | IAE & TPM accelerate the development of business-oriented interfaces and mappings, generate runtime artefacts quickly, and significantly reduce efforts. Combined with AI-assisted tool for mapping and defining message interfaces, it provides industry-specific content based on standards like EDI, cXML, and assists in accelerated B2B/EDI mapping activity. A Central cockpit provides the ability centrally manage trading partner relationships. |
| Integration Assessment | Integration Assessment capability is a methodology and toolset for deciding when to use different integration techniques and patterns and provides guidance on integration strategy and helps standardize integration patterns across projects. | |
| Graph | Graph provides the ability centralise and manage APIs to provide a unified Enterprise API exposing data from multiple SAP sources |
Application Security
User Access
User Access to Integration Suite is via Web, and limited to technical user (developers, system administrators, support teams etc).
Authentication
- User Authentication to Cloud Integration is via SAML Single Sign-on (SSO) using Syensqo Entra ID federated to IdP. Username and Password logon are not permitted.
- System Authentication options include
- OAuth 2.0 - access tokens issued via XSUAA
- Basic Authentication
- Cloud Connector - for outbound traffic from Cloud Integration to On-Premise system - provides a TLS connection and authenticates via Principal Propagation
Authentication Flow
User accesses Cloud Integration tenant URL
- The request gets redirected to SAP IdP configured in SAP BTP subaccount for Cloud Integration
User is re-directed to Corporate Identity Provider (IdP) logon page - Microsoft
User authenticates to Microsoft using Entra ID, if not already authenticated.
IdP validates and issues SAML 2.0 assertion back to BTP
SAP BTP maps the Role Collections assigned to the User
User accesses Cloud Integration
Authorisation
Standard Roles and Role Collections are assigned for User Access to Cloud Integration Components. Roles are assigned via SAP BTP Cockpit
| System | Administrator | Developer | General Access |
|---|---|---|---|
| Cloud Integration | PI_Administrator | PI_Integration_Developer | PI_Read_Only, PI_Business_Expert |
| API Management | APIPortal.Administrator, APIManagement.SelfService.Administrator, AuthGroup.SelfService.Admin, AuthGroup.API.Admin | APIPortal.Configurator, APIPortal.Developer, APIPortal.Tester, APIPortal.Service.CatalogIntegration | APIPortal.Guest |
Communication Security
For System-to-system communication, all data transfers are encrypted via a suitable mechanism - for example:
- HTTP Adapter which uses TLS 1.2 as the standard ( HTTPS )
- IDoc Adapter, which also uses TLS 1.2 as the standard ( HTTPS )
- SFTP Adapter which uses SSH-2
Data Security
SAP data centres are certified to comply with global security standards, such as ISO/IEC 27001 and SOC 2. SAP implements stringent security measures including encryption, 24/7 monitoring, and regular audits.Other Controls
System Availability SLA is 99.7% (documented in SAP Trust Center - Service Level Agreement for Cloud Services ).System Landscape
| Landscape Id | URL | Composite | Additional details |
|---|---|---|---|
| Development Environment | https://syw-itg-dev-eu20.authentication.eu20.hana.ondemand.com | Stand Alone | Rest of World only (EU) |
Integration Test Environment (composite) | TBA | Test Composite | China, USA, Rest of World only (EU) |
| User Acceptance Test Environment (composite) | TBA | Test Composite | China, USA, Rest of World only (EU) |
| Parallel run and TRG (composite) | TBA | Test Composite | China, USA, Rest of World only (EU) |
| DR (undepoloyed,composite) | TBA | Test Composite | China, USA, Rest of World only (EU) |
| Production Environment | TBA | Stand Alone | China, USA, Rest of World only (EU) |
Operation Architecture
Transport Management
Landscape Setup - initial setup for transport management | |
|---|---|
| Configure Landscape | Define your system landscapes (e.g., Development, QA, Production) within Figaf's Configuration -> Landscapes page. Specify details like platform, automatic transport lookup, and landscape items. |
| Synchronize Systems | Synchronize your source system (e.g., your development environment) with Figaf to capture the current state of your integration objects. Create a Development Ticket Generate Ticket - Navigate to DevOps -> Tickets and create a new development ticket, associating it with the relevant landscape. This ticket will track your changes. Attach and Track Objects Attach Tracked Objects - Within the ticket, go to the "Tracked Objects" tab. Attach the specific transport(s) or integration objects (e.g., iFlows, mappings) that contain the code you want to transport. |
End to End Transport Management | |
|---|---|
| Generate Ticket | Navigate to DevOps -> Tickets and create a new development ticket, associating it with the relevant landscape. This ticket will track your changes. |
| Attach Tracked Objects | Within the ticket, go to the "Tracked Objects" tab. Attach the specific transport(s) or integration objects (e.g., iFlows, mappings) that contain the code you want to transport. |
| Include Dependencies | Use the "Attach all dependent objects" feature to ensure all necessary related objects are included in the transport. |
| Start Transport | Click the "Start transport" button. Figaf will then prepare the transport package for deployment. |
| Synchronize Target System | Synchronize your target system (e.g., your QA or production environment) with Figaf |
| Automated Import Check | Figaf automatically checks the import status of the transports after synchronization. The transport status will update to "IMPORTED" once successfully processed |
| Resolve Ticket | Once the transport is complete and verified, you can resolve the development ticket in Figaf. |
| Key Features | |
|---|---|
| Version Control | Figaf tracks changes to integration objects, allowing you to compare versions and understand modifications. |
| Approval Workflows | Implement approval processes within Figaf before transports are moved to higher environments. |
| Testing Integration | Leverage Figaf's testing capabilities to create and execute tests on your transported code, ensuring functionality after deployment. |
| Virtual Tenants (for CPI) | Utilize virtual tenants for environments like QA, allowing reuse of development systems while maintaining governance through prefixes/postfixes and avoiding unnecessary deployments of certain objects like value mappings |
Release Management
SAP Release Management
Provides information on patch releases for hotfixes, bugfixes, and code enhancements. Patches for SAP Cloud Integration and Integration Advisor . Patch Release information covers the most recent changes made to the latest version of the software.
Monitoring
Monitoring in SAP Integration Suite provides end-to-end visibility into integration processes, APIs, and event-driven messaging across hybrid and cloud landscapes. It helps administrators, developers, and business stakeholders ensure that integrations run reliably, securely, and in compliance with business SLAs.
Monitoring in SAP Cloud Integration (CI)
- Message Monitoring - This core feature of SAP Cloud Platform Integration (SCPI), used to track, analyse, and troubleshoot the flow of integration messages between systems. It provides visibility into message processing, status, and potential errors, ensuring smooth operation of integration scenarios. Note - payloads are not captured by default, these may only be captured through explicit tracing with sufficient privilege in the system.
- Integration Content - Deployed object status with associated error on failure.
- Security Content - List displays of existing credentials (obscured passwords), certificates with expiry and custom user roles. Additional tooling is available for connectivity testing etc.
- Datastore Monitoring - List display of local storage (global variables) for use by integration developers (correlations/aggregators).
Additional capability offered by FIGAF tooling - TBA
Monitoring in API Management
Monitoring in SAP API Management provides transparency into how APIs are being consumed, their performance, and any potential errors. It allows administrators, developers, and business users to analyse API traffic, detect issues, and ensure APIs are meeting business and technical expectations.
- API Analytics and Monitoring
- Provides real-time and historical insights into API traffic
- Tracks metrics such as request counts, response times, error rates, latency, and throughput.
- Allows filtering by API proxies, applications, developers, or time ranges
- Helps identify usage trends including unusual traffic patterns for capacity planning and fraud detection.
- Trace and Debug
- Captures inbound and outbound request/response details
- Shows traffic distribution across APIs and consumers
Monitoring in Advanced Event Mesh
TBA
Sizing
SAP monitors system load and utilization, and proactively scales up capacity during release deployment.
- Log size limitations exist and can be extended at additional cost.
Cloud Integration tenant characteristics
| Resource | Scope |
|---|---|
| Integration content | 2 GB Refer to the blog on Content Size Limits |
| JMS queues | 9 GB, 150 transactions (default configuration with 30 queues) Can be scaled up to 30 GB, 500 transactions (with 100 queues) See the blog on Cloud Integration – JMS Resource and Size Limits |
| Message processing log persistence | |
| Runtime database | 35 GB See: Optimize Performance |
| Disk space | 10 GB Refer to SAP Note 2648415 |
High Availability
SAP provides high availability by default based on multi-availability zone redundancy, this results in significant additional charges in terms of additional tenants to load balance or route through.
- This capability is not a requirement at this moment due to excessive cost for little benefit.
Disaster Recovery
SAP provides this capability through multi-availability zone, this capability can "replicated" through provisioning on services through alternative availability zones (AZ) during a complete failure. The provisioning of Testing landscape has been designed with this "feature" under consideration.
During a significant outage (Entire availability zone failure), the test landscape which by design will be hosted elsewhere will be enabled for productive services through the FIGAF tool. This will effectively use the TEST systems for Cloud Integration Suite as dual purpose QAS and DR system.
Full DR process is TBA pending final discussions with FIGAF.
Backup/Restore
SAP performs full backups with the following schedule to meet SAP's recovery point objective.
| Tier | Frequency | Rentention |
|---|---|---|
| T1 | Hourly | 8 Days |
| T2 | Daily | 35 Days |
| T3 | Every Sunday | 120 Days |
Maintenance Plan
SAP applies software update to Cloud Integration using a zero downtime process.
Other dependant BTP services may apply and still cause "issues" ← explain.
Cloud Integration Software Update