SAP JAM Collaboration – Set up in Productive Environment
I have come across a lot of blogs and documentation about enabling the SAP JAM service in SAP Cloud Platform trial environments, but I have not seen a lot written about setting up a LIVE production collaboration environment. It has taken me a good while to set this up myself, and now that the planets have aligned I wanted to share my experience with the SAP blogosphere…so here goes.
From an architecture point of view the following components make up the particular solution I am covering:
- SAP Cloud Platform (for sub-account)
- SAP Cloud Platform Identity Authentication tenant (SCPI)
- SAP JAM Tenant
- SAP Portal Service (FLP Settings)
This is represented diagrammatically by my own little scribbles below.
Figure:1 SAP JAM Integration scribble architecture diagram
The SAP Cloud Identity Authentication tenant is a key component of the entire solution because it provides the authentication option (in this case) for apps developed on the SAP Cloud Platform and also provides access to the SAP JAM tenant. This means that a user can login once to the Fiori Launchpad and have access to individual Fiori applications as well as see notifications and group discussions from SAP JAM.
As a side note I do believe true collaboration between internal and external partners is undervalued – companies are interested in it (theoretically) however are not ready to commit to this as a strategic objective and for that they are worse off. Until organisations realise the value in true collaboration there will be no way forward. Improvements in productivity not to mention the improvement in external relationships are two such benefits. OK, back to the setup.
SAP Cloud Platform – Trust Settings
Firstly, there needs to be trust set up between the SAP Cloud Platform sub-account and the SAP Cloud Identity tenant. The assumption (from a SAP JAM integration point of view) is that this has already been set up. There are plenty of other blogs that detail this, so please look them up. The key fields here are the Local Provider Name and the Signing Certificate; keep a note of these as they are required when setting up Administration activities in the SAP JAM Tenant. The below can be found in the SCP sub-account under the Security > Trust option.
Figure:2 SAP Cloud Platform sub-account Trust settings screen
Key settings include:
- The Local provider name, which basically points to the SAP Cloud Platform sub-account. This will usually be https://ap1.hana.ondemand.com/SCP Sub-account ID, where ap1 is the SCP data centre ID. In this case this is the Asia Pacific data centre of Sydney.
- The Signing Certificate is required when setting up the SAML trusted IDP in the JAM Admin settings. Further information on SAP JAM Administration is included below.
The other important element is the settings for the Assertion Attributes. These are essential to the integration between the SAP Cloud Platform sub-account and the JAM tenant and need to be set up exactly as shown below.
Figure:3 SCP sub-account Trust setting Assertion Attributes
Enter the contents of the Attributes screen above according to this table.
Assertion Attribute | Principal Attribute |
first_name | firstname |
last_name | lastname |
Table:1 SCP Sub-account Trust Assertion Attribute mapping
The three assertion attributes are necessary for SCP sub-account, SAP Cloud Identity and SAP JAM integration. They need to be entered in exactly the format described above.
NOTE: The email attribute in particular also relates to the useridSource property included in the SCP sub-account Destination which will be covered later.
SAP Cloud Platform – Destination Setup
To connect to the SAP JAM tenant a new destination in SAP Cloud Platform (SCP) is required. This destination needs to be set up within the SCP Sub-account and represents a connection to the SAP JAM Instance.
Figure:4 JAM Destination in SCP Sub-account
Set up the new SAP JAM destination with the following parameters; the settings can be maintained according to this table.
Field | Contents |
Name | Destination Name, e.g. jam |
Type | HTTP |
Description | Meaningful description of the SCP sub-account Destination |
URL | Host URL of the SAP JAM tenant. Copy this from the ADMIN section of the SAP JAM tenant (Company Overview section when administering the JAM instance); it could be different to the above URL. You can see this in Figures 5 and 6 above. |
Proxy Type | Internet |
Authentication | OAuth2SAMLBearerAssertion |
Audience | cubetree.com |
Client Key | Key that is generated when the JAM OAuth client is created in the SAP JAM Administration Integrations setup. Copy the Client Key into this Destination field; further details below. |
Token Service URL | https://jam10.sapjam.com/api/v1/auth/token |
Token Service User | Leave blank |
Token Service Password | Leave blank |
System User | Leave blank |
Table 2: JAM Destination settings
As with most Destinations additional properties need to be entered also. Enter the Additional Properties according to this table.
Field | Contents |
nameIdFormat | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
TrustAll | True |
userIdSource | |
WebIDEEnabled | True |
WebIDEUsage | Odata_gen |
Table 3: SAP JAM Destination in SCP – Additional Properties
SAP Cloud Platform Identity Authentication
There are plenty of other blogs that delve into setting up Trust between SAP Cloud Platform sub-accounts and JAM tenants, one of them I will reference here. This activity is similar to setting up trust with the SAP Cloud Platform sub-account.
- Create a new Application using the + Add icon.
Figure:7 SAP Cloud Platform Identity Authentication – Application Setup
While Branding and Layout as well as Authentication options can also be set up, from a security integration perspective the main actions to be performed are under the Trust menu, as displayed above.
Key elements of the set up include:
- Name ID Attribute. For any application set up in SAP Cloud Identity a suitable option for the Name ID attribute is required. As you can see above, the User ID has been chosen in this case.
Figure:8 Name ID Attribute options
- Default Name ID Attribute. NOTE: This is a recent NEW feature offering. It allows two options, unspecified or email address, and depends on the Name ID attribute being sent to the application. If the Name ID attribute selection is anything other than email, the Default Name ID selection should be unspecified. If the Name ID attribute selection is E-Mail, the emailaddress option should be selected here.
Figure:9 Default Name ID Attribute setting
SAP JAM Administration
A number of tasks are required in the SAP JAM tenant to ensure successful integration between SAP Cloud Platform, SAP Cloud Identity and the SAP JAM tenant. In most other blogs this activity is carried out within the JAM service included as part of the SAP Cloud Platform trial accounts. However, in a productive environment this is carried out in the actual SAP JAM tenant provided and subscribed by SAP which is outside of the SCP sub-account services.
- Creating a SAML Trusted IDP for the SCP Sub-account
- Creating a SAML Trusted IDP for the SAP Cloud Identity tenant – not covered here as there are plenty of blogs that cover this step already. Check the same blog as above here.
- Creating an OAuth Client
To administer the SAP JAM tenant you will need to be assigned as an Administrator. Once logged in you will need to click the cog icon and select Admin from the drop-down menu.
Figure:10 SAP JAM Administration option
Create a SAML Trusted IDP in SAP JAM
There needs to be trust between the SAP JAM tenant and the SAP Cloud Platform sub-account and the way this is achieved is by setting up a SAML Trusted Identity Provider connection between the two platforms.
Register a SAML Trusted IDP by following these steps:
- Choose [SAML Trusted IDPs] option from the Integrations Admin menu.
Figure:11 SAP JAM Admin Integration Setup – SAML Trusted IDPs
- Select the [Register your SAML Trusted IDP] icon.
Figure:12 Register new SAML Trusted IDP screen
The next screen allows you to enter all of the relevant fields required in setting up a new SAML Trusted IDP. At this point I will show a combination of screens to make it clearer exactly where the configuration comes from. The screen on the left-hand side is the new SAML Trusted IDP screen and the one on the right is the SCP Sub-Account Trust settings.
Only 2 fields are required to be entered:
- IDP ID
- X509 Certificate (Base 64).
Figure:13 Mapping between SAML Trusted IDP and SCP Sub-account Trust screen
The contents of the above should be entered according to this table.
Field | Contents |
IDP ID | Copy the Local Provider Name from the SAP Cloud Platform sub-account Trust screen and paste it into the IDP ID field. This is field 1 from Figure 1 above. |
X509 Certificate (Base 64) | Copy the Signing Certificate contents from the SAP Cloud Platform sub-account Trust screen and paste them into the X509 Certificate (Base64) field. This is field 2 from Figure 1 above. NOTE: Be careful and make sure you copy the FULL contents of the signing certificate field. |
Enabled | Activate this checkbox |
Administrative Area | Leave as Company |
Table 4: SAML Trusted IDP settings
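One check worth scripting for the X509 Certificate field above (the NOTE about copying the FULL contents): a partial paste still decodes as valid Base64, but the decoded DER no longer agrees with the length its own outer SEQUENCE header declares, so the trust silently fails later. This Python example is added here and is not part of the original post or of SAP's tooling; the certificate bytes in it are a constructed stand-in, not a real SCP signing certificate.

```python
"""Completeness check for a pasted Base64 X.509 signing certificate.

Constructed example for the SAP Jam SAML Trusted IDP step: a partial
paste of the SCP signing certificate still decodes as Base64, but the
outer DER SEQUENCE then declares more bytes than were actually decoded.
"""
import base64
import binascii
from typing import Optional


def normalise_pem(blob: str) -> str:
    """Drop PEM armour lines and all whitespace, returning bare Base64."""
    lines = (ln.strip() for ln in blob.strip().splitlines())
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def der_sequence_length(der: bytes) -> Optional[int]:
    """Total encoded length of the outer DER SEQUENCE (tag + length octets
    + content), or None if the bytes do not start with a SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_certificate(blob: str) -> dict:
    """Decode a pasted certificate and compare declared vs. actual length."""
    try:
        der = base64.b64decode(normalise_pem(blob), validate=True)
    except (binascii.Error, ValueError) as exc:
        return {"ok": False, "reason": f"not valid Base64: {exc}"}
    expected = der_sequence_length(der)
    if expected is None:
        return {"ok": False, "reason": "does not start with a DER SEQUENCE"}
    if expected > len(der):
        return {"ok": False, "reason": f"truncated: DER declares {expected} "
                                       f"bytes, only {len(der)} decoded"}
    if expected < len(der):
        return {"ok": False, "reason": f"{len(der) - expected} trailing bytes"}
    return {"ok": True, "reason": f"complete DER SEQUENCE of {expected} bytes"}


# Constructed stand-in for a certificate: a long-form SEQUENCE header
# (0x30 0x82 0x01 0x2C = 300 content bytes) over dummy zero content. It is
# not a real certificate; only the outer DER framing matters for this check.
SAMPLE_DER = bytes.fromhex("3082012c") + bytes(300)
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()          # 408 characters
TRUNCATED_B64 = SAMPLE_B64[:400]                            # clean-looking partial paste
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for label, blob in (("bare", SAMPLE_B64), ("pem", SAMPLE_PEM), ("cut", TRUNCATED_B64)):
        print(label, check_certificate(blob))
```

Paste the real Signing Certificate value from the SCP Trust screen into `check_certificate` before registering it in JAM; a "truncated" result means the copy stopped short.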
Once the above has been entered click on the [Register] icon. This will save the new SAML Trusted IDP configuration.
The resultant set up will look something like this.
Figure:14 Completed SAML Trusted IDP Setup in SAP JAM tenant
The next step is to create an OAuth Client.
Create an OAuth Client
This step specifically sets up an OAuth client for the SAP Cloud Platform sub-account. This set up is required to allow use of the SAP JAM APIs. You can test connectivity by running the SAP Web IDE service and trying to find the JAM APIs using the JAM Destination. This is covered below.
Register an OAuth client by following these steps:
- Choose [OAuth Clients] from the Integrations Admin menu.
Figure:15 SAP JAM Administration – Integrations OAuth Client option
- Click on the [Add OAuth Client] option.
Figure:16 Create new OAuth Client option
The following screen will be displayed.
Figure:17 Registering a new OAuth Client screen
Only populate the following fields to guarantee successful integration.
Field | Contents |
Name | Enter the name of the OAuth Client, e.g. SAP Cloud Platform – TEST (usually include the sub-account if you are setting up multiple OAuth clients within the single JAM tenant). |
Integration URL | Copy the Local Provider Name in again from the SAP Cloud Platform sub-account Trust screen and paste it into the Integration URL field. This is field 1 from below. NOTE: The signing certificate is not required here. |
Table 5: OAuth Client entry screen
- Click on the [Save] icon to save the OAuth client.
When this is carried out a new Client Key value will be created.
You can retrieve this by going back into the OAuth client using the [View] option.
Figure:18 SAP JAM Administration – Integrations OAuth Clients screen
The following screen will be displayed.
Figure:19 SAP JAM Administration – View OAuth Client screen
- Copy the value assigned to the Key field. You will need to paste this into the SCP sub-account destination Client Key field as described below.
You may recall that the Key value created here needs to be placed into the Client Key of the SCP Sub-account destination.
Figure:20 SAP JAM Destination configuration screen on SCP Sub-account
Once this is done click on the [Check Connection] icon and it should be successful.
Portal Site Settings for JAM Integration
One of the last pieces of the puzzle in setting up real-time Collaboration using SAP JAM is the activation within the Portal site. SAP JAM integration needs to be enabled specifically for each portal site. This can be enabled on Freestyle sites as well but will not be covered here.
To enable this, modify the SAP Jam Integration option in the System Settings of the Fiori Configuration Cockpit of the portal site being maintained. The screen below highlights this.
Figure:21 Portal Site – System Settings for SAP JAM Integration
When SAP JAM is enabled and successfully integrated into the Fiori Launchpad a couple of things occur:
- Instead of an icon showing in the Launchpad screen representing the logged on user, a picture is displayed. This picture is copied through from the JAM login profile – if in fact a picture has been maintained for that user.
Figure:22 Portal Site Preview with successful SAP JAM Integration
- SAP Jam Groups that the user is authorized for will be included in the Fiori Launchpad and can be selected by the user in the App finder to appear on the user’s launchpad. You can see them below.
Figure:23 Portal Site Preview – App Finder JAM groups
As detailed above there is a way to test connectivity by using SAP Web IDE. You can do this by creating a new Project from a Template and then using the SAP JAM destination set up previously to view the JAM APIs. This is shown below.
Figure:24 SAP Web IDE and testing the JAM APIs
Finally, when all of this is set up it is extremely powerful – allowing internal and external users to collaborate in real time – increasing productivity and efficiency and improving relationships. True collaboration in the future, I believe, will be crucial to a business's success and a key differentiator.
For more information on some of this set up please follow this link.
https://help.sap.com/viewer/u_collaboration_dev_help/033db47cbaa6404cbb8c2e53a220964d.html
Thanks for reading and feel free to leave a comment!
Can I also directly use a third party SAML 2.0 provider (eg MS Azure AD) with SAP JAM? Do you know any pitfalls?
Yes. Authentication for SAP JAM (like any other application) can be set up using a company's internal IdP, SAP Cloud Identity, MS Azure AD etc. The only difference would be the 2nd step. In the SAP JAM admin - Integrations step you would register MS Azure AD as the SAML Trusted IDP and you would need to register SAP JAM as an application within MS Azure as well. This does not change creation of a SAML Trusted IdP for the SAP Cloud Platform though nor the OAuth Client setup - these steps still need to be carried out.
Don't see any pitfalls with using MS Azure AD or any other SAML 2.0 provider. Most functions are covered in all IDPs. I just covered a little of SAP Cloud Identity above in line with SAP's architecture.
Thanks for your question.
Just to be clear:
While this should work for an application-level integration, when it comes to user authentication when logging on to SAP Jam itself, you will always need to go through CP Identity Authentication Service (IAS). You can connect IAS to MS Azure AD or any other IdP at the customer of course and delegate authentication from IAS to the other IdP, but for the user authentication flow you can't connect SAP Jam directly to another IdP.
But when I always need to use IAS IdP with SAP Jam for logging in to SAP Jam itself, why should I use anything else than IAS IdP?
Why can't Jam use directly a company internal IdP?
You can use IAS to connect to a company internal IdP. You can use IAS even just as a proxy IdP.
But it's not supported to connect SAP Jam to the company IdP directly.
Thanks Christian Happel for the information - just to clarify I thought there was an ability to link to any other SAML Local Service Provider or is this on a request basis. The below link states this - if I understand it correctly.
https://help.sap.com/viewer/u_admin_help/dda9b89fd0954b0d948df1a3b8f2b088.html
Would be good to know exactly as I regularly architect these solutions so want to make sure I am providing clients with the right information.
Robert Horne Can you please answer this?
Hi Phil Cooley
my understanding is that the SAML Trusted IdPs can be used for a system-to-system Integration but when it comes to logging on to the SAP Jam UI you will always have to connect through IAS (or SuccessFactors Foundation in case customers have SAP Jam running on that).
As mentioned of course you can delegate the Authentication from IAS to another IdP.
Thanks Christian Happel
The documentation then should be changed to state this, as it is definitely not stating this in the Help documentation or setup guides. From a customer standpoint, why would a company run SAP JAM then if they need to buy IAS to actually authenticate to it, if they also run their own IDP??? A business case asking for this would never stack up, it is nonsensical!
I really like SAP Jam and I think collaboration is one of the major differentiators for organisations into the future and the above constraint just limits SAP JAM to be in the running.
I'm sorry Phil Cooley but maybe there's a misunderstanding:
Customers don't have to buy IAS separately. They get it together with SAP Jam Collaboration. IAS is the Identity Provider for SAP Jam and it can be connected to any other IdP without any additional costs.
The cost is in setup and separate administration of the IAS!
Is it possible to use the IAS provided with SAP Jam for anything else than SAP Jam, e.g. for authenticating users to an unrelated HTML5 SCP app?
Technically of course. IAS comes with a number of SAP cloud solutions out of the box by now, and I expect to see a lot more in the future.
From a licensing perspective, when you buy SAP Jam the included licenses for IAS are only valid for SAP Jam of course.
Regarding costs: SAP Jam comes pre-integrated with IAS and IPS. If you want to use your own company IdP, the costs of connecting IAS to that once are much lower than connecting every single SAP cloud application directly and manually to the company IdP.
Thanks Christian Happel for clarifying, that makes sense now! 🙂 This definitely makes it more attractive for customers although it still means that customers potentially have 2 user stores. This is ok I think especially with the great collaboration offering that SAP JAM provides. Great, thanks for following up to clear this up. Will definitely make sure my clients understand this!
Can you explain why you think you need 2 user stores? Maybe I'm not understanding correctly.
Yes, of course you need to get users created in SAP Jam, otherwise you can't invite them to groups, at-mention them etc. But the same needs to be done for a CRM or finance application.
Now, the user authentication is completely separate from that:
You can delegate the authentication from IAS to your central on-premise IdP such as AD, or even use SPNEGO for automatic log-on.
Understand I can delegate authentication from the IAS to the on-premise IdP but not sure I see the difference between creating a user in SAP JAM versus creating a user in IAS. Either way, they are 2 user stores. To me, it would be better in IAS as it provides more flexibility for the user and opens up options into the future. Creating users directly in SAP JAM gives them access to SAP JAM only which to me is limiting. So, either way you look at it you have 2 user stores. For your scenario you have a user store in SAP JAM and 1 in their on-premise. This makes 2!
Determining components of landscapes between IAS and the on-premise IdP takes effort - a lot of things need to be taken into account such as credibility of the on-prem AD, future strategic directions etc.
Are there other scenarios in SAP Cloud Platform where IAS is mandatory? Would be good to understand this.
Have you received any answers to your last question?
Hi Wolfgang, no - not as yet.
Hello Phil,
Thanks for the blog. I had a few queries. So when we talk about authentication and authorization into Jam - is this like there are only 2 options -
Is there any other method of going into Jam - can i integrate company LDAP with Jam and use the same identity provider for jam ? If yes - what would be the steps. It would be great if you can give some clarity.
Cheers,
Sen
Hi Sen,
it isn't possible to connect SAP Jam directly to your LDAP, but you can either connect IAS or SuccessFactors to it.
Best, Christian
Hello Phil,
We have procured the Jam Licence. Now it comes with an IPS & IAS along with the JAM tenant itself.
We do not use SuccessFactors and need Jam to integrate with SCP Portal Fiori Apps, so that users external to the organization access Jam.
We already have an SAP Cloud Identity & Access tenant configured to our SCP portal WebIDE etc. It is now set as the default Identity tenant for the Portal.
Now with Jam license comes the additional new IAS.
We want the existing SAP Cloud Identity tenant to be used for Jam too.
Should we go ahead and register Jam as an application on the existing tenant with SAML? What implications does it have for the IPS that came with Jam? We do not have MS-ADFS / SuccessFactors in this case. We just use the SCP Identity tenant.
Can you please throw some light on the options? Wanted to check before we go ahead and add Jam as an application on our existing Identity tenant.
Thank you,
Best regards,
Pavan
Hi Pavan Pakkurthi
Thanks for the question. The benefit of keeping the newly provisioned IAS and IPS is that it is basically all set up for you already which obviously will save some administration tasks thereby saving some $$$. However, I can see your point about the fact that you already have an existing one with users and connected to your SAP Cloud Platform subaccounts.
You can add the SAP JAM application to your existing SAP Cloud Identity and it probably makes sense, but I would take a minute to think about the entire landscape and what you eventually want this to look like. Ideally, it would be good to find some sort of need for it since you are already licensed for it. You may want to think about the tiered environment. That is, can you use the new IAS and IPS in a Production subaccount as opposed to QA or DEV where you could just use your existing one? I only say this because the IPS is a really good advantage here, especially if you are licensed for it.
It does seem a shame not to use these items so I would try and find a way - basically in your landscape configuration.
Hope this helps!
Kind Regards
Phil Cooley