Integration configuration between SAP Jam Collaboration and SAP CP Identity Authentication service
Since the beginning of 2016, SAP Jam Collaboration has come with the SAP CP Identity Authentication service (IAS) for user provisioning and user authentication for most of our customers.
For non-SuccessFactors customers a newly provisioned Jam tenant comes pre-configured with the Identity Authentication service. In this post I’ll explain the different configuration pieces you will see in the Jam tenant and the IAS tenant.
Initial Tenant Activation
Let’s start with how customers will get access to their Jam tenant.
Customers receive two welcome emails:
- One for their SAP Jam Collaboration tenant with information about their tenant URL and next steps on how to get started.
- The second email is the tenant activation email for their Identity Authentication tenant.
Both emails are sent to the IT contact of the customer that has been defined in the sales order.
Once the customer has activated their IAS tenant by clicking the activation link in the email, they can launch SAP Jam from the Applications menu in IAS. This will create the first user in Jam for the person who’s launching Jam. This user automatically becomes an administrator of the Jam tenant.
From then on, additional users can be created directly within IAS and will automatically be provisioned to Jam, or IAS can be connected to another IdP, such as Active Directory, and users can be provisioned from there. For details on this, please refer to the documentation of Identity Authentication.
NOTE: If the first user didn’t launch Jam, the automatic provisioning of new users won’t happen!
User Provisioning Configuration
Update: Since September 2017 new SAP Jam customers will also receive the SAP Cloud Platform Identity Provisioning service (IPS). IPS is used to provision users to SAP Jam. The user provisioning for new customers isn’t done by IAS anymore. For details about this, please refer to this blog: https://blogs.sap.com/2017/11/09/sap-jam-now-comes-with-the-sap-cloud-platform-identity-provisioning-service/
In IAS you will notice an option for User Provisioning. An SAP Jam system will be preconfigured as a target system for the provisioning of users from IAS to Jam.
This configuration uses a client key and secret from your Jam tenant. The respective OAuth client in the Jam tenant is called “SCIM API Client”. Don’t change or delete this OAuth client, because otherwise the provisioning of users from IAS to Jam won’t work anymore. If you did change it, create a new OAuth client and use its key and secret to update the provisioning settings in IAS.
Trust Configuration in SAP Jam
To have a trust established between SAP Jam and Identity Authentication there’s a SAML Trusted IDP pre-configured in Jam. Its ID will be the URL of your IAS tenant.
It is best not to change anything in this configuration; otherwise you might get logged out of Jam and none of your users will be able to get back in. In that case only a support ticket will help.
But just for the sake of completeness, all required settings are available in the Tenant Settings menu in your IAS tenant, where you can even download a metadata file of the SAML 2.0 configuration settings and upload that file when registering a new SAML Trusted IDP in Jam.
Application Configuration in Identity Authentication
Coming back to the Applications menu in IAS, you will see an SAP Jam application pre-configured.
The configuration includes a couple of things.
SAML configuration
Most importantly, the SAML 2.0 configuration settings.
Again, this is all pre-configured by default, but you will find the Name and the Certificate also in your Jam tenant in your SAML Local Identity Provider settings.
With regards to the Assertion Consumer Service Endpoint, use the following: https://<Jam data center>.sapjam.com/saml/sp/acs
And for the Single Logout Endpoints use https://<Jam data center>.sapjam.com/saml/sp/slo
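A check for the two endpoint values above, as an added example (not part of the original post or of SAP's tooling): it assumes the service provider settings are available as a standard SAML 2.0 metadata file and reports endpoints that are not HTTPS, not on a `<Jam data center>.sapjam.com` host, or not on the path given here. The sample metadata, the data center name `dc-example` and the entity ID are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
# Endpoint paths as given in the post, keyed by SAML metadata element name.
EXPECTED_PATHS = {"AssertionConsumerService": "/saml/sp/acs",
                  "SingleLogoutService": "/saml/sp/slo"}
# Exactly one label in front of sapjam.com; no userinfo, port or extra suffix.
HOST_RE = re.compile(r"[a-z0-9-]+\.sapjam\.com")
# Constructed sample; "dc-example" and the entityID are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="constructed-sp-name">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dc-example.sapjam.com/saml/sp/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dc-example.sapjam.com/saml/sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_endpoint(kind, location):
    """Return the problems found in one endpoint URL (empty list means OK)."""
    url = urlsplit(location)
    problems = []
    if url.scheme != "https":
        problems.append(f"{kind}: scheme {url.scheme!r} is not https")
    # Match the whole netloc so user@host and host:port forms are rejected too.
    if not HOST_RE.fullmatch(url.netloc.lower()):
        problems.append(f"{kind}: host {url.netloc!r} is not <data center>.sapjam.com")
    if url.path != EXPECTED_PATHS[kind] or url.query or url.fragment:
        problems.append(f"{kind}: path is not exactly {EXPECTED_PATHS[kind]}")
    return problems

def audit_metadata(xml_text):
    """Check every ACS and SLO endpoint in an SP metadata document."""
    sp = ET.fromstring(xml_text).find(f"{MD}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor element found"]
    problems = []
    for kind in EXPECTED_PATHS:
        endpoints = sp.findall(f"{MD}{kind}")
        if not endpoints:
            problems.append(f"{kind}: no endpoint declared")
        for ep in endpoints:
            problems += check_endpoint(kind, ep.get("Location", ""))
    return problems

print(audit_metadata(SAMPLE_METADATA) or "endpoints OK")
```

An empty result means both endpoints match the documented form; any entry in the list names the element and the part of the URL that deviates.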
NameID Attribute
We recommend using the User ID here. User IDs in IAS always start with a P. Using the same user IDs in all of your systems is especially helpful when you connect multiple other systems to IAS, such as SAP Document Center, SAP Hybris Cloud for Customer, or any app you are building on HCP yourself, and you also want to integrate them with SAP Jam.
Of course SAP Jam will still know your users' email addresses in addition, and you will be able to integrate other systems with SAP Jam by mapping the users of these systems based on the email address, too.
User Application Access
You will find this under Authentication and Trust of the Jam application in IAS. This should be set to Internal for SAP Jam. If you set it to Private, you will run into problems and users won’t be able to log on to Jam anymore.
The Home URL
Finally, for every application in IAS you can configure a Home URL. This URL makes it easy to launch the application from the IAS admin page. Your end users will never launch Jam from here, but rather open the Jam URL directly and Jam will forward them to IAS for authentication. Nevertheless this also comes pre-configured. This is especially important for the first user activating the IAS tenant and launching the Jam tenant for the very first time.
The URL will always look like this:
https://<Jam datacenter>.sapjam.com/c/<Jam tenant ID=IAS tenant URL>/auth/status
Hi Christian Happel,
for a non-SFSF customer, can SAP Jam not use IAS (SCI) for user authentication, but be able to use the customer IdP, say ADFS etc.?
So in this case, it should look like: JAM -> ADFS (no IAS involved).
Is it possible? Thanks.
Regards, Qiang
Hi Qiang,
you can achieve this by connecting IAS to ADFS. But you can't connect SAP Jam directly to ADFS.
It would always be like this:
SAP Jam -> IAS -> ADFS.
Best, Christian
Hi Christian,
we have received these tenants and configured the integration.
When we request a C4C Production tenant, will we receive 2 additional tenants for Jam and IAS?
Thanks in advance,
Paco Ruiz.
Hi Paco,
IAS by default only delivers 1 productive tenant (and 1 test), so that your company uses the same IAS tenant across the entire organization. If you don't want that you will need to purchase an additional IAS tenant separately.
For Jam it also makes sense to only have 1 productive tenant at a company. Otherwise you can't collaborate across tenants. But that decision is up to you and needs to be defined during the order process.
Best, Christian
Hi Christian Happel
Considering the implementation of SAP Jam Collaboration on a non-SF scenario, and the fact that Users will come from Microsoft Active Directory (ADFS), I have 5 questions:
We know each User could go into his/her Settings and change the Language or depending on the answer on 4. we could proxy and access each User record and manually change it by ourselves, but we wanted to guarantee that by default the Language is the correct one for each User, depending on where they are from;
Thank you in advance.
Best regards,
Hi Joao,
my blog is 4 years old and I haven't been working on the Jam team for quite some time. So please excuse me that I won't have an answer to everything anymore.
The way you define which users should be in which Jam tenant (test or prod) is via IPS though: With the Identity Provisioning Service you basically select users from your source system (IAS or ADFS) and define which of them should be provisioned into which target system. This way you can provision all of them in the Jam production tenant, and only a subset in the Jam test tenant.
Best regards, Christian
Hi Christian,
Thank you very much for your prompt reply. Considering your feedback:
1.1. Source: ADFS
Target: SAP Jam
right?
1.2. is Proxy = middle(ware)?
1.3. or 2. Could you please elaborate on the "select users" part? I mean, to filter the Users, where do you apply the filter conditions? Is it in ADFS or in IPS?
3. By "IPS documentation" do you mean "SAP Cloud Platform Identity Provisioning Service" PDF Public Guide?
4. So even if we configure what is in 3., there is no way to test this by ourselves, to ensure it is actually working?
Thank you once again.
Best regards,
1.1 yes.
1.2 Kind of, yes. You don't replicate any user information into IAS but use it only to forward to your IdP.
1.3 in IPS.
3. Doesn't have to be the pdf version. Check out this link. It includes example transformations where you select specific users. Transformation Examples - SAP Help Portal
4. Not sure what you mean with "yourself". Are you an external consultant of the customer? In that case you will need a (test-)user on their Active Directory to test the working scenario. It doesn't have to be your own user.