SAP Azure SAS Integration: AzureBLOB Authentication
Business scenario / Requirements
For the SAP Azure SAS Integration, files of various types (binary, XML, TXT, etc.) have to be transferred from the SAP backend directly into an Azure Storage Blob container.
To keep the example simple, let's assume the following:
- You don't need to map any data inside the file or message. This is a pass-through scenario or IFlow with a FILE sender communication channel (CC) and a REST receiver CC.
- No message content manipulation or mapping takes place, so no ESR objects are created.
- The file name must stay the same.
Azure Storage Authentication
Each client making requests to Azure Storage needs authorization. To authorize access, you have several options, including:
- Shared Key (storage account key)
- Shared Access Signature (SAS)
With the SAP Azure SAS Integration, using a SAS means the storage account key does not have to be handed to clients that should not be trusted with it, while access to specific storage resources can still be delegated. This approach is also more straightforward to implement in SAP PO with the standard REST adapter.
In the SAP Azure SAS Integration process, SAS provides access to a specific blob in the storage account for a set period, such as until the end of next year, with defined permissions like write-only. It is essentially a URI containing specific query parameters, including the SAS token. For SAP PI/PO to request Azure BLOB Storage, only this SAS URI is necessary.
Read more about “Authorize requests to Azure Storage” – Link
Read more about “Delegate access with a shared access signature” – Link
The Azure admin has provided a shared access signature URI that looks like the following:
https://<account>.blob.core.windows.net/<path_to_custom_container>?sp=<signedPermissions>&st=<signedStart>&se=<signedExpiry>&spr=<signedProtocol>&sv=<signedVersion>&sr=<signedResource>&sig=<signature>
| SAS query parameter | SAS Name | Description | E.g. |
|---|---|---|---|
| sp | signedPermissions | This parameter specifies the operations that a client with the SAS can perform on the resource, and it allows for the combination of permissions. | w – write |
| st | signedStart | The time at which the shared access signature becomes valid | 2021-01-21T11:12:13Z |
| se | signedExpiry | The time at which the shared access signature becomes invalid | 2031-01-21T11:12:13Z |
| spr | signedProtocol | Specifies the protocol permitted for a request made with the SAS | https,http |
| sv | signedVersion | This parameter indicates the service version used to construct the signature field and also specifies which service version will handle a request made with this shared access signature. | 2020-02-10 |
| sr | signedResource | Specifies which blob resources are accessible via the shared access signature. | c – container |
| sig | signature | You compute the signature as an HMAC by applying the SHA256 algorithm to the string-to-sign and key, and then encode it using Base64 encoding. | kws%3D… |
Explore further details about query string parameters in the section “Create a User Delegation SAS”. – Link
Sender FILE CC configuration
Receiver REST CC
Read more about HTTP parameters “Put Blob” – Link
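Important note! Set the parameter EncodeURL to false so that the special characters contained in the signature are not escaped. The signature in the SAS URI is already percent-encoded (for example %3D), and escaping it a second time would change its value.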
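The following is an added example, not part of the original post and not SAP or Azure tooling: a Python check that audits a SAS URI of the shape shown in the table above before it is entered in the REST receiver channel, and builds the per-file Put Blob URL while leaving the signature's percent-encoding untouched (the behaviour EncodeURL=false preserves). The account, container and signature are constructed placeholders, the 365-day limit is an assumed local policy, and timestamps are assumed to use the full YYYY-MM-DDThh:mm:ssZ form.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

# Constructed sample in the shape shown above; account, container and sig are placeholders.
SAMPLE_SAS = ("https://exampleaccount.blob.core.windows.net/inbound"
              "?sp=w&st=2021-01-21T11:12:13Z&se=2031-01-21T11:12:13Z"
              "&spr=https,http&sv=2020-02-10&sr=c&sig=AbC%2Bdef%2F123kws%3D")
MAX_LIFETIME_DAYS = 365  # assumed local policy, not an Azure limit


def _ts(value):
    """Parse the full UTC form YYYY-MM-DDThh:mm:ssZ (assumed; shorter forms not handled)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_sas(sas_uri, now=None):
    """Return findings for a SAS that is meant for HTTPS, write-only upload."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(sas_uri)
    q = dict(parse_qsl(parts.query))
    missing = [k for k in ("sp", "se", "sv", "sr", "sig") if k not in q]
    if missing:
        return ["missing parameters: " + ",".join(missing)]
    findings = []
    # When spr is omitted, the service default permits both https and http.
    if parts.scheme != "https" or "http" in q.get("spr", "https,http").split(","):
        findings.append("plain HTTP allowed (spr should be https)")
    if set(q["sp"]) - set("cw"):
        findings.append("permissions wider than create/write: sp=" + q["sp"])
    start = _ts(q["st"]) if "st" in q else now
    expiry = _ts(q["se"])
    if expiry <= now:
        findings.append("token expired")
    if (expiry - start).days > MAX_LIFETIME_DAYS:
        findings.append("lifetime exceeds %d days" % MAX_LIFETIME_DAYS)
    return findings


def put_blob_url(sas_uri, file_name):
    """Add the blob name to the container path; the query (with sig) is copied unchanged."""
    parts = urlsplit(sas_uri)
    path = parts.path.rstrip("/") + "/" + quote(file_name, safe="")
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))


if __name__ == "__main__":
    print(audit_sas(SAMPLE_SAS))
    print(put_blob_url(SAMPLE_SAS, "invoice 01.xml"))
```

Run against the example values from the table, the audit reports both the `https,http` protocol setting and the ten-year validity window.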
As we wrap up our exploration of the SAP Azure SAS Integration for efficient file management and transfer, it’s clear that this technology offers significant advantages for secure and streamlined data processes. If you’re looking to implement this solution or have questions about how it can be tailored to your specific needs, we’re here to help. Don’t hesitate to reach out for personalized advice and solutions. Visit our Contact Us page to start transforming your data management strategy with expert guidance.
Code 10 Managing Partner and Senior SAP Integration Consultant