Christian Happel

Integration configuration between SAP Jam Collaboration and SAP CP Identity Authentication service

Since the beginning of 2016, SAP Jam Collaboration has come with the SAP CP Identity Authentication service (IAS) for user provisioning and user authentication for most of our customers.

For non-SuccessFactors customers a newly provisioned Jam tenant comes pre-configured with the Identity Authentication service. In this post I’ll explain the different configuration pieces you will see in the Jam tenant and the IAS tenant.

 

Initial Tenant Activation

Let’s start with how customers will get access to their Jam tenant.
Customers receive two welcome emails:

  • One for their SAP Jam Collaboration tenant with information about their tenant URL and next steps on how to get started.
  • The second email is the tenant activation email for their Identity Authentication tenant.

Both emails are sent to the IT contact of the customer that has been defined in the sales order.

Once the customer has activated their IAS tenant by clicking the activation link in the email, they can launch SAP Jam from the Applications menu in IAS. This will create the first user in Jam for the person who’s launching Jam. This user automatically becomes an administrator of the Jam tenant.

From then on, additional users can be created directly within IAS and will automatically be provisioned to Jam. Alternatively, IAS can be connected to another IdP, such as Active Directory, and users can be provisioned from there. For details on this, please refer to the documentation of Identity Authentication.
NOTE: If the first user didn’t launch Jam, the automatic provisioning of new users won’t happen!

 

User Provisioning Configuration

Update: Since September 2017 new SAP Jam customers will also receive the SAP Cloud Platform Identity Provisioning service (IPS). IPS is used to provision users to SAP Jam. The user provisioning for new customers isn’t done by IAS anymore. For details about this, please refer to this blog: https://blogs.sap.com/2017/11/09/sap-jam-now-comes-with-the-sap-cloud-platform-identity-provisioning-service/

In IAS you will notice an option for User Provisioning. An SAP Jam system will be preconfigured as a target system for the provisioning of users from IAS to Jam.

This configuration uses a client key and secret from your Jam tenant. The respective OAuth client in the Jam tenant is called “SCIM API Client”. Don’t change or delete this OAuth client, because otherwise the provisioning of users from IAS to Jam won’t work anymore. If you did change it, just create a new OAuth client and use its key and secret to update the provisioning settings in IAS.

 

Trust Configuration in SAP Jam

To establish trust between SAP Jam and Identity Authentication, a SAML Trusted IDP is pre-configured in Jam. Its ID will be the URL of your IAS tenant.

You had better not change anything in this configuration; otherwise you might get logged out of Jam and none of your users will be able to get back in. In that case only a support ticket will help.

But just for the sake of completeness: all required settings are available in the Tenant Settings menu in your IAS tenant, where you can even download a metadata file of the SAML 2.0 configuration settings and upload that file when registering a new SAML Trusted IDP in Jam.

 

Application Configuration in Identity Authentication

Coming back to the Applications menu in IAS: here you see an SAP Jam application pre-configured.

The configuration includes a couple of things.

SAML configuration

Most importantly, the SAML 2.0 configuration settings.

Again, this is all pre-configured by default, but you will find the Name and the Certificate also in your Jam tenant in your SAML Local Identity Provider settings.


With regard to the Assertion Consumer Service Endpoint, use the following: https://<Jam data center>.sapjam.com/saml/sp/acs
And for the Single Logout Endpoints use https://<Jam data center>.sapjam.com/saml/sp/slo

NameID Attribute

We recommend using the User ID here. User IDs in IAS always start with a P. Using the same user IDs in all of your systems is especially helpful when you connect multiple other systems to IAS, such as SAP Document Center, SAP Hybris Cloud for Customer, or any app you are building on HCP yourself, and you also want to integrate them with SAP Jam.

Of course, SAP Jam will still know your users' email addresses in addition, and you will also be able to integrate other systems with SAP Jam by mapping the users of these systems based on the email address.

User Application Access

You will find this under Authentication and Trust of the Jam application in IAS. This should be set to Internal for SAP Jam. If you set it to Private, you will run into problems and users won’t be able to log on to Jam anymore.

 

The Home URL

Finally, for every application in IAS you can configure a Home URL. This URL makes it easy to launch the application from the IAS admin page. Your end users will never launch Jam from here, but rather open the Jam URL directly and Jam will forward them to IAS for authentication. Nevertheless this also comes pre-configured. This is especially important for the first user activating the IAS tenant and launching the Jam tenant for the very first time.

The URL will always look like this:

https://<Jam datacenter>.sapjam.com/c/<Jam tenant ID=IAS tenant URL>/auth/status

 

 


      8 Comments
      Former Member

      Hi Christian Happel,

      For a non-SFSF customer, can SAP Jam not use IAS (SCI) for user authentication, but be able to use the customer IdP, say ADFS etc.?

      So in this case, it should look like: JAM -> ADFS (no IAS involved).

      Is it possible? Thanks.

      Regards, Qiang

       

      Christian Happel
      Blog Post Author

      Hi Qiang,

      you can achieve this by connecting IAS to ADFS. But you can't connect SAP Jam directly to ADFS.

      It would always be like this:

      SAP Jam -> IAS -> ADFS.

      Best, Christian

      Francisco Ruiz Garcia

      Hi Christian,

       

      we have received these tenants and configured the integration.

      When we request a C4C Production tenant, will we receive 2 additional tenants for Jam and IAS?

       

      Thanks in advance,

       

      Paco Ruiz.

      Christian Happel
      Blog Post Author

      Hi Paco,

      IAS by default only delivers 1 productive tenant (and 1 test), so that your company uses the same IAS tenant across the entire organization. If you don't want that you will need to purchase an additional IAS tenant separately.

      For Jam it also makes sense to only have 1 productive tenant at a company. Otherwise you can't collaborate across tenants. But that decision is up to you and needs to be defined during the order process.

      Best, Christian

      João Costa Pinto

      Hi Christian Happel

      Considering the implementation of SAP Jam Collaboration on a non-SF scenario, and the fact that Users will come from Microsoft Active Directory (ADFS), I have 5 questions:

      1. From my understanding in IAS you have a single “User Management” section, so how do you distinguish which Users are in Test from the ones in PROD? Supposing in Test for UAT you only need around 20-30 Users, and in PROD all Users should be there;
      2. Let's suppose now that in PROD instead of having every single User in ADFS, you only want Users from a certain country. How do you prevent that from happening, i.e., how do you ensure that from AD to IAS you only send Users from that country in particular?
      3. I have gone through documentation and I was not able to find an answer for this topic: which Language settings does SAP Jam prevail? I already noticed that besides the settings in SAP Jam, in User attributes there is a “Language” field in IAS. We want to ensure that SAP Jam is in German for a User from there, but if not the system should be presented in English.
        We know each User could go into his/her Settings and change the Language or depending on the answer on 4. we could proxy and access each User record and manually change it by ourselves, but we wanted to guarantee that by default the Language is the correct one for each User, depending on where they are from;
      4. Considering this new IAS/IPS approach, how can you access SAP Jam using another User? I am asking this for testing purposes, since in SF you have the Proxy feature and via Provisioning you can also do so (this last is the best one to me);
      5. Do you always need to access IAS to access SAP Jam? Does not SAP provide a separate link to access it (through User & PWD) in order to proceed with the config there at the same time as IAS is configured?

      Thank you in advance.

      Best regards,

      Christian Happel
      Blog Post Author

      Hi Joao,

      my blog is 4 years old and I haven't been working on the Jam team for quite some time. So please excuse me that I won't have an answer to everything anymore.

      1. If users are in ADFS, you don't have to replicate them into IAS. You can use IAS as a proxy to ADFS.
        The way you define which users should be in which Jam tenant (test or prod) is via IPS though: With the Identity Provisioning Service you basically select users from your source system (IAS or ADFS) and define which of them should be provisioned into which target system. This way you can provision all of them in the Jam production tenant, and only a subset in the Jam test tenant.
      2. Same is true for users of a specific country: In IPS you define that only users with a certain attribute (such as country = Germany) are going to be provisioned.
      3. I don't recall this one exactly anymore unfortunately, but I remember that there was a way to define the user language via IPS as well. You might want to look at the IPS documentation for it.
      4. The proxy-feature isn't available anymore when you use IAS/IPS with Jam.
      5. No, there is no direct log-on possible to an SAP Jam tenant. Either you log on via SuccessFactors Foundation, or via IAS, or via any IDP that IAS forwards you to.

      Best regards, Christian

       

       

      João Costa Pinto

      Hi Christian,

      Thank you very much for your prompt reply. Considering your feedback:

      1.
      1.1.
      Source: ADFS
      Target: SAP Jam
      right?
      1.2. is Proxy = middle(ware)?
      1.3. or 2. Could you please elaborate on the "select users" part? I mean, to filter the Users, where do you apply the filter conditions? Is it in ADFS or in IPS?

      3. By "IPS documentation" do you mean "SAP Cloud Platform Identity Provisioning Service" PDF Public Guide?

      4. So even if we configure what is in 3., there is no way to test this by ourselves, to ensure it is actually working?

      Thank you once again.

      Best regards,

      Christian Happel
      Blog Post Author

      1.1 yes.

      1.2 Kind of, yes. You don't replicate any user information into IAS but use it only to forward to your IdP.

      1.3 in IPS.

      3. Doesn't have to be the pdf version. Check out this link. It includes example transformations where you select specific users. Transformation Examples - SAP Help Portal

      4. Not sure what you mean with "yourself". Are you an external consultant of the customer? In that case you will need a (test-)user on their Active Directory to test the working scenario. It doesn't have to be your own user.