Since the beginning of 2016, SAP Jam Collaboration has come with the SAP Cloud Platform Identity Authentication service (IAS) for user provisioning and user authentication for most of our customers.
For non-SuccessFactors customers a newly provisioned Jam tenant comes pre-configured with the Identity Authentication service. In this post I’ll explain the different configuration pieces you will see in the Jam tenant and in the IAS tenant.
Initial Tenant Activation
Let’s start with how customers will get access to their Jam tenant.
Customers are receiving two welcome emails:
- One for their SAP Jam Collaboration tenant, with their tenant URL and next steps on how to get started.
- The second email is the tenant activation email for their Identity Authentication tenant.
Both emails are sent to the IT contact of the customer that has been defined in the sales order.
Once the customer has activated their IAS tenant by clicking the activation link in the email, they can launch SAP Jam from the Applications menu in IAS. This will create the first user in Jam for the person who’s launching Jam. This user automatically becomes an administrator of the Jam tenant.
From then on, additional users can be created directly within IAS and will automatically be provisioned to Jam, or IAS can be connected to another identity provider, such as Active Directory, and users can be provisioned from there. For details on this, please refer to the documentation of Identity Authentication.
NOTE: If the first user didn’t launch Jam from IAS, the Jam tenant has no initial administrator and the automatic provisioning of new users won’t happen!
User Provisioning Configuration
Update: Since September 2017 new SAP Jam customers will also receive the SAP Cloud Platform Identity Provisioning service (IPS). IPS is used to provision users to SAP Jam. The user provisioning for new customers isn’t done by IAS anymore. For details about this, please refer to this blog: https://blogs.sap.com/2017/11/09/sap-jam-now-comes-with-the-sap-cloud-platform-identity-provisioning-service/
In IAS you will notice an option for User Provisioning. An SAP Jam system will be preconfigured as a target system for the provisioning of users from IAS to Jam.
This configuration uses a client key and secret from your Jam tenant. The respective OAuth client in the Jam tenant is called “SCIM API Client”. Don’t change or delete this OAuth client, because otherwise the provisioning of users from IAS to Jam won’t work anymore. If you did change it, just create a new OAuth client and use its key and secret to update the provisioning settings in IAS. Treat the key and secret as a credential: whoever holds them can create and modify users in your Jam tenant through the SCIM API, so don’t paste them into tickets or chat.
Trust Configuration in SAP Jam
To have a trust established between SAP Jam and Identity Authentication there’s a SAML Trusted IDP pre-configured in Jam. Its ID will be the URL of your IAS tenant.
You had better not change anything in this configuration; otherwise you might get logged out of Jam and none of your users will be able to get back in. In that case only a support ticket will help.
But just for the sake of completeness: all required settings are available in the Tenant Settings menu of your IAS tenant, where you can also download a metadata file with the SAML 2.0 configuration settings and upload that file when registering a new SAML Trusted IDP in Jam.
Application Configuration in Identity Authentication
Coming back to the Applications menu in IAS, you will see an SAP Jam application pre-configured there.
The configuration includes a couple of things. Most importantly, the SAML 2.0 configuration settings.
Again, this is all pre-configured by default, but you will also find the Name and the Certificate in your Jam tenant, in the SAML Local Identity Provider settings.
With regards to the Assertion Consumer Service Endpoint, use the following: https://<Jam data center>.sapjam.com/saml/sp/acs
And for the Single Logout Endpoints use https://<Jam data center>.sapjam.com/saml/sp/slo
For the attribute that identifies the user towards Jam (the Name ID attribute) we recommend the User ID. User IDs in IAS always start with a P. Especially when you connect multiple other systems to IAS, such as SAP Document Center, SAP Hybris Cloud for Customer, or any app you are building on HCP (SAP Cloud Platform) yourself, and you also want to integrate them with SAP Jam, it’s helpful to use the same user IDs in all of your systems.
Of course SAP Jam will still know your users email address in addition, and you will be able to integrate other systems with SAP Jam by mapping the users of these systems based on the email address, too.
User Application Access
You will find this under Authentication and Trust of the Jam application in IAS. It should be set to Internal for SAP Jam. If you set it to Private, you will run into problems and users won’t be able to log on to Jam anymore.
The Home URL
Finally, for every application in IAS you can configure a Home URL. This URL makes it easy to launch the application from the IAS admin page. Your end users will never launch Jam from here; they open the Jam URL directly and Jam forwards them to IAS for authentication. Nevertheless this also comes pre-configured, and it matters for the first user who activates the IAS tenant and launches the Jam tenant for the very first time (see Initial Tenant Activation above).
The URL will always look like this:
https://<Jam datacenter>.sapjam.com/c/<Jam tenant ID=IAS tenant URL>/auth/status
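The sections above list several settings that must stay exactly as pre-configured: the SAML Trusted IDP ID and certificate in Jam, the ACS and SLO endpoints, the Name ID attribute, the User Application Access level, the Home URL pattern and the “SCIM API Client”. The script below is an added example (not code from this post, from SAP Jam or from IAS) that parses an IdP metadata file as downloaded from the IAS Tenant Settings and checks a transcript of the IAS application settings and the Jam admin pages against those rules, so you can confirm nothing has drifted before opening a support ticket. The metadata XML, the data center name “jam4”, the setting labels (“User ID”, “Internal”) and the dictionary keys are all constructed for the example.

```python
"""Sanity checks for the pre-configured IAS <-> SAP Jam SAML setup.

Added example, not code from the original post or from SAP. It codifies the
settings the post says must stay intact. All sample data is constructed.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the metadata file downloaded from IAS Tenant
# Settings. The certificate is a placeholder, not a real X.509 blob.
IAS_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example.accounts.ondemand.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBxDCCAS0CAQAwDQYJ</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.accounts.ondemand.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 fingerprint of a base64 X509Certificate element (whitespace tolerant)."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull what Jam needs from IdP metadata: entityID, SSO URL and signing cert."""
    root = ET.fromstring(xml_text)
    key = root.find(".//md:KeyDescriptor[@use='signing']", NS)
    cert_el = None if key is None else key.find(".//ds:X509Certificate", NS)
    sso_el = root.find(".//md:SingleSignOnService", NS)
    if cert_el is None or sso_el is None:
        raise ValueError("metadata lacks a signing certificate or SSO endpoint")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso_el.get("Location"),
        "cert_sha256": cert_fingerprint(cert_el.text),
    }


def check_jam_integration(app: dict, idp: dict, jam: dict) -> list:
    """Compare the IAS application settings (app) and parsed IdP metadata (idp)
    with what the Jam tenant shows (jam). Returns findings; empty means OK."""
    dc = jam["data_center"]
    findings = []
    expected = {  # values the post says the Jam application in IAS must have
        "acs_endpoint": f"https://{dc}.sapjam.com/saml/sp/acs",
        "slo_endpoint": f"https://{dc}.sapjam.com/saml/sp/slo",
        "name_id_attribute": "User ID",
        "user_application_access": "Internal",
    }
    for key, want in expected.items():
        if app.get(key) != want:
            findings.append(f"{key}: expected {want!r}, got {app.get(key)!r}")
    home_re = re.compile(rf"^https://{re.escape(dc)}\.sapjam\.com/c/[^/]+/auth/status$")
    if not home_re.match(app.get("home_url", "")):
        findings.append(f"home_url does not match the Jam pattern: {app.get('home_url')!r}")
    # The SAML Trusted IDP in Jam is keyed by the IAS tenant URL (its entityID).
    if jam["trusted_idp_id"] != idp["entity_id"]:
        findings.append("Jam Trusted IDP id does not equal the IAS entityID")
    # Jam must trust the same signing certificate that IAS actually advertises.
    if jam["trusted_idp_cert_sha256"] != idp["cert_sha256"]:
        findings.append("Jam Trusted IDP certificate differs from IAS metadata")
    # Provisioning from IAS depends on this OAuth client surviving untouched.
    if "SCIM API Client" not in jam["oauth_clients"]:
        findings.append("OAuth client 'SCIM API Client' missing in Jam")
    return findings


IDP = parse_idp_metadata(IAS_METADATA)

JAM = {  # constructed transcript of the Jam admin pages
    "data_center": "jam4",
    "trusted_idp_id": "https://example.accounts.ondemand.com",
    "trusted_idp_cert_sha256": IDP["cert_sha256"],
    "oauth_clients": ["SCIM API Client"],
}

GOOD_APP = {  # constructed transcript of the Jam application in IAS
    "acs_endpoint": "https://jam4.sapjam.com/saml/sp/acs",
    "slo_endpoint": "https://jam4.sapjam.com/saml/sp/slo",
    "name_id_attribute": "User ID",
    "user_application_access": "Internal",
    "home_url": "https://jam4.sapjam.com/c/example.accounts.ondemand.com/auth/status",
}

# Two mistakes the post warns about: access set to Private, and an ACS
# endpoint that no longer points at Jam's /saml/sp/acs.
BAD_APP = dict(GOOD_APP, user_application_access="Private",
               acs_endpoint="https://jam4.sapjam.com/saml/sp/login")

if __name__ == "__main__":
    for name, app in (("good", GOOD_APP), ("bad", BAD_APP)):
        print(name, check_jam_integration(app, IDP, JAM) or "OK")
```

Run it against a copy of your real metadata file and the values from the IAS and Jam admin screens; a non-empty list tells you which of the pre-configured pieces has been touched and what it should read instead.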