This page is not a part of an official Int4 documentation.
Knowledge Articles

MCP - SAP API Management Configuration

In order to enable access to backend ABAP MCP you need to expose it SAP API Management. There are 2 proxies that need to be deployed.

WellKnown.zipMCP.zip

WellKnown

It’s an endpoint being used for dynamic metadata discovery and authentication. Before deployment adjust values in brackets {{}} in below XMLs under Policy folder:

You can edit the below configurations directly in APIM after deployment or unzip an archive, change file directly, zip again and upload to APIM.

openid-configuration.xml

XML
<!-- This policy can be used to create or modify the standard HTTP request and response messages -->
<AssignMessage async="false" continueOnError="false" enabled="true" xmlns='http://www.sap.com/apimgmt'>
 
	<!-- Sets a new value to the existing parameter -->
	<Set>
		<Payload contentType="application/json" variablePrefix="@" variableSuffix="#">{
  "issuer": "{{APIM host}}",
  "token_endpoint": "{{APIM host}}/.well-known/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "grant_types_supported": [
    "authorization_code"
  ]
}</Payload>
	</Set>
	<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
	<AssignTo createNew="false" type="response">response</AssignTo>
</AssignMessage>

oauth-authorization-server.xml

XML
<!-- This policy can be used to create or modify the standard HTTP request and response messages -->
<AssignMessage async="false" continueOnError="false" enabled="true" xmlns='http://www.sap.com/apimgmt'>
 
	<!-- Sets a new value to the existing parameter -->
	<Set>
		<Payload contentType="application/json" variablePrefix="@" variableSuffix="#">{
  "issuer": "{{APIM host}}",
  "authorization_endpoint": "{{APIM host}}/.well-known/authorize",
  "token_endpoint": "{{APIM host}}/.well-known/token",
  "grant_types_supported": [
    "authorization_code",
    "refresh_token"
  ],
  "response_types_supported": [
    "code"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post"
  ]
}</Payload>
	</Set>
	<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
	<AssignTo createNew="false" type="response">response</AssignTo>
</AssignMessage>

oauth-protected-resource.xml

XML
<!-- This policy can be used to create or modify the standard HTTP request and response messages -->
<AssignMessage async="false" continueOnError="false" enabled="true" xmlns='http://www.sap.com/apimgmt'>
 
	<!-- Sets a new value to the existing parameter -->
	<Set>
	    <Headers>
            <Header name="Content-Type">application/json</Header>
            <Header name="Access-Control-Allow-Origin">*</Header>
            <Header name="Access-Control-Allow-Methods">GET, OPTIONS</Header>
            <Header name="Access-Control-Allow-Headers">Authorization, Content-Type</Header>
        </Headers>
		<Payload contentType="application/json" variablePrefix="@" variableSuffix="#">{
  "resource": "{{APIM host}}/mcp",
  "authorization_servers": [
    "{{APIM host}}"
  ],
  "bearer_methods_supported": [
    "header"
  ]
        }</Payload>
	</Set>
	<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
	<AssignTo createNew="false" type="response">response</AssignTo>
</AssignMessage>

MCP

This proxy gives access to ABAP backend - our MCP server. Before deployment adjust values in {{}} in below XML:

APITargetEndPoint/default.xml

XML
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TargetEndPoint xmlns="http://www.sap.com/apimgmt">
    <name>default</name>
    <provider_id>{{API provider (SAP system)}}</provider_id>
    <additionalAPIProviders/>
    <isDefault>true</isDefault>
    <relativePath>/sap/bc/int4/iftt/mcp</relativePath>
    <properties>
        <property>
            <name>request.streaming.enabled</name>
            <value>true</value>
        </property>
        <property>
            <name>response.streaming.enabled</name>
            <value>true</value>
        </property>
    </properties>
    <faultRules/>
    <preFlow>
        <name>PreFlow</name>
        <request>
            <isRequest>true</isRequest>
            <steps>
                <step>
                    <policy_name>token-message</policy_name>
                    <condition></condition>
                    <sequence>3</sequence>
                </step>
                <step>
                    <policy_name>get-csrf-token</policy_name>
                    <condition></condition>
                    <sequence>4</sequence>
                </step>
                <step>
                    <policy_name>set-csrf-token</policy_name>
                    <condition></condition>
                    <sequence>5</sequence>
                </step>
                <step>
                    <policy_name>set-user-and-password</policy_name>
                    <condition></condition>
                    <sequence>1</sequence>
                </step>
                <step>
                    <policy_name>basic-auth</policy_name>
                    <condition></condition>
                    <sequence>2</sequence>
                </step>
            </steps>
        </request>
    </preFlow>
    <postFlow>
        <name>PostFlow</name>
    </postFlow>
    <conditionalFlows/>
    <loadBalancerConfigurations>
        <isRetry>false</isRetry>
        <healthMonitor>
            <isEnabled>false</isEnabled>
        </healthMonitor>
    </loadBalancerConfigurations>
</TargetEndPoint>

API Provider is a SAP backend system. You can define it under API Providers tab in APIM.

Key Value Map

You need to deploy key value map INT4_MCP_USER with basic credentials to your SAP system.

image-20260427-111831.png

Product

You need to assign both proxies to a single product.

image-20260427-112133.png

Once assigned you can create subscription.

image-20260427-112202.png

Key and secret of a subscription are credentials which should be used when connecting to the MCP.

image-20260427-112549.png

Connecting to MCP

Once deployed URL of the MCP server is the one defined as API Proxy URL of MCP artifact.

image-20260427-112753.png

User and password are key and secret of assigned subscription to a product respectively.