I have come across a lot of blogs and documentation about enabling the SAP JAM service in SAP Cloud Platform trial environments, but I have not seen much written about setting up a LIVE production collaboration environment. It took me a good while to set this up myself, and now that the planets have aligned I wanted to share my experience with the SAP blogosphere…so here goes.
From an architecture point of view the following components make up the particular solution I am covering:
- SAP Cloud Platform (for sub-account)
- SAP Cloud Platform Identity Authentication tenant (SCPI)
- SAP JAM Tenant
- SAP Portal Service (FLP Settings)
This is represented diagrammatically by my own little scribbles below.
Figure:1 SAP JAM Integration scribble architecture diagram
The SAP Cloud Identity Authentication tenant is a key component of the entire solution because it provides the authentication option (in this case) for apps developed on the SAP Cloud Platform and also provides access to the SAP JAM tenant. This means that a user can log in once to the Fiori Launchpad and have access to individual Fiori applications as well as see notifications and group discussions from SAP JAM.
As a side note I do believe true collaboration between internal and external partners is undervalued – companies are interested in it (theoretically) however are not ready to commit to this as a strategic objective and for that they are worse off. Until organisations realise the value in true collaboration there will be no way forward. Improvements in productivity not to mention the improvement in external relationships are two such benefits. OK, back to the setup.
SAP Cloud Platform – Trust Settings
Firstly, trust needs to be set up between the SAP Cloud Platform sub-account and the SAP Cloud Identity tenant. The assumption (from a SAP JAM integration point of view) is that this has already been done; there are plenty of other blogs that detail this, so please look them up. The key fields here are the Local Provider Name and the Signing Certificate. Keep a note of these, as they are required when carrying out the Administration activities in the SAP JAM tenant. The settings below can be found in the SCP sub-account under the Security > Trust option.
Figure:2 SAP Cloud Platform sub-account Trust settings screen
Key settings include:
- The Local Provider Name, which basically points to the SAP Cloud Platform sub-account. This will usually be https://ap1.hana.ondemand.com/<SCP Sub-account ID>, where ap1 is the SCP data centre ID. In this case this is the Asia Pacific data centre in Sydney.
- The Signing Certificate is required when setting up the SAML trusted IDP in the JAM Admin settings. Further information on SAP JAM Administration is included below.
The other important element is the Assertion Attributes settings. These matter for the integration between the SAP Cloud Platform sub-account and the JAM tenant, and they need to be set up exactly as shown below.
Figure:3 SCP sub-account Trust setting Assertion Attributes
Enter the contents of the Attributes screen above according to this table.
| Assertion Attribute | Principal Attribute |
|---|---|
Table:1 SCP Sub-account Trust Assertion Attribute mapping
The three assertion attributes are necessary for SCP sub-account, SAP Cloud Identity and SAP JAM integration. They need to be entered in exactly the format described above.
NOTE: The email attribute in particular also relates to the useridSource property included in the SCP sub-account Destination which will be covered later.
SAP Cloud Platform – Destination Setup
To connect to the SAP JAM tenant a new destination in SAP Cloud Platform (SCP) is required. This destination needs to be set up within the SCP Sub-account and represents a connection to the SAP JAM Instance.
Figure:4 JAM Destination in SCP Sub-account
Set up the new SAP JAM destination with the following parameters:
The rest of the settings can be maintained according to this table.
| Field | Value |
|---|---|
| Name | Destination Name, e.g. jam |
| Description | Meaningful description of the SCP sub-account Destination |
| URL | Host URL of the SAP JAM tenant. Copy this from the ADMIN section of the SAP JAM tenant; it could be different to the above URL. It can be found in the Company Overview section when administering the JAM instance. You can see this in Figures 5 and 6 above. |
| Client Key | Key that is generated when the JAM OAuth client is created in the SAP JAM Administration Integrations setup. You need to copy the Client Key into the Destination value as detailed above. Further details below. |
| Token Service URL | https://jam10.sapjam.com/api/v1/auth/token |
| Token Service User | Leave blank |
| Token Service Password | Leave blank |
| System User | Leave blank |

Table 2: JAM Destination settings
As with most Destinations additional properties need to be entered also. Enter the Additional Properties according to this table.
Table 3: SAP JAM Destination in SCP – Additional Properties
SAP Cloud Platform Identity Authentication
There are plenty of other blogs that delve into setting up trust between SAP Cloud Platform sub-accounts and JAM tenants; I will reference one of them here. This activity is similar to setting up trust with the SAP Cloud Platform sub-account.
- Create a new Application using the + Add icon.
Figure:7 SAP Cloud Platform Identity Authentication – Application Setup
While Branding and Layout as well as Authentication options can also be set up, from a true security integration perspective the main actions to be performed are under the Trust menu, as displayed above.
Key elements of the set up include:
- Name ID Attribute. For any application set up in SAP Cloud Identity a suitable option for the Name ID attribute is required. As you can see above the User ID has been chosen in this
Figure:8 Name ID Attribute options
- Default Name ID Attribute. NOTE: This is a recent NEW feature. It allows 2 options, either unspecified or email address, and depends on the Name ID attribute being sent to the application. If the Name ID attribute selection is anything other than E-Mail then the Default Name ID selection should be unspecified. If the Name ID attribute selection is E-Mail then the emailaddress option should be selected here.
Figure:9 Default Name ID Attribute setting
SAP JAM Administration
A number of tasks are required in the SAP JAM tenant to ensure successful integration between SAP Cloud Platform, SAP Cloud Identity and the SAP JAM tenant. In most other blogs this activity is carried out within the JAM service included as part of the SAP Cloud Platform trial accounts. However, in a productive environment it is carried out in the actual SAP JAM tenant provided by SAP under subscription, which sits outside of the SCP sub-account services.
- Creating a SAML Trusted IDP for the SCP Sub-account
- Creating a SAML Trusted IDP for the SAP Cloud Identity tenant – not covered here as there are plenty of blogs that cover this step already. Check the same blog as above here.
- Creating an OAuth Client
To administer the SAP JAM tenant you will need to be assigned as an Administrator. Once logged in you will need to click the cog icon and select Admin from the drop-down menu.
Figure:10 SAP JAM Administration option
Create a SAML Trusted IDP in SAP JAM
There needs to be trust between the SAP JAM tenant and the SAP Cloud Platform sub-account and the way this is achieved is by setting up a SAML Trusted Identity Provider connection between the two platforms.
Register a SAML Trusted IDP by following these steps:
- Choose [SAML Trusted IDPs] option from the Integrations Admin menu.
Figure:11 SAP JAM Admin Integration Setup – SAML Trusted IDP’s
- Select the [Register your SAML Trusted IDP] icon.
Figure:12 Register new SAML Trusted IDP screen
The next screen allows you to enter all of the fields required to set up a new SAML Trusted IDP. At this point I will show a combination of screens to make it clearer exactly where the configuration comes from. The screen on the left-hand side is the new SAML Trusted IDP screen and the one on the right is the SCP Sub-Account Trust settings.
Only 2 fields are required to be entered:
- IDP ID
- X509 Certificate (Base 64).
Figure:13 Mapping between SAML Trusted IDP and SCP Sub-account Trust screen
The contents of the above should be entered according to this table.

| Field | Value |
|---|---|
| IDP ID | Copy the Local Provider Name from the SAP Cloud Platform sub-account Trust screen and paste it in the IDP ID field. This is field 1 from Figure 1 above. |
| X509 Certificate (Base 64) | Copy the Signing Certificate contents from the SAP Cloud Platform sub-account Trust screen and paste it into the X509 Certificate (Base64) field. This is field 2 from Figure 1 above. NOTE: Be careful and make sure you copy the FULL contents of the signing certificate field. |
| Enabled | Activate this checkbox |
| Administrative Area | Leave as Company |

Table 4: SAML Trusted IDP settings
Once the above has been entered click on the [Register] icon. This will save the new SAML Trusted IDP configuration.
The resultant set up will look something like this.
Figure:14 Completed SAML Trusted IDP Setup in SAP JAM tenant
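Because the NOTE above warns about pasting the FULL signing certificate, here is a check you can run on the copied text before pasting it into the X509 Certificate (Base 64) field. This is an added example and not part of the original post; it assumes only that the value is the base64 (optionally PEM-wrapped) DER encoding of the certificate, and the sample blob it builds is constructed with the same outer DER framing as a real certificate, not a real certificate.

```python
import base64
import binascii


def der_declared_length(der: bytes) -> int:
    """Return the total length (header + content) that the outer DER SEQUENCE claims."""
    if len(der) < 2 or der[0] != 0x30:   # 0x30 = SEQUENCE; every X.509 certificate starts with it
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                     # short form: the length fits in one byte
        return 2 + first
    n = first & 0x7F                     # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_signing_certificate(pasted: str) -> bool:
    """True only if the pasted text decodes to exactly one complete certificate.

    A paste that lost characters at the end either fails base64 decoding
    (length no longer a multiple of 4) or decodes to fewer bytes than the
    outer SEQUENCE header announces; both cases are reported as False.
    """
    lines = [ln.strip() for ln in pasted.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))  # drop PEM armour
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    try:
        return der_declared_length(der) == len(der)
    except ValueError:
        return False


def constructed_certificate_blob() -> str:
    """Constructed sample: a 300-byte body inside a DER SEQUENCE, base64-encoded
    the way the Trust screen shows a certificate. Only the framing is realistic."""
    content = bytes(range(256)) + b"\x00" * 44           # 300 bytes -> long-form length 82 01 2C
    der = b"\x30\x82" + len(content).to_bytes(2, "big") + content
    return base64.b64encode(der).decode("ascii")


if __name__ == "__main__":
    blob = constructed_certificate_blob()
    print("full paste ok:", check_signing_certificate(blob))          # True
    print("truncated paste ok:", check_signing_certificate(blob[:-40]))  # False
```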
The next step is to create an OAuth Client.
Create an OAuth Client
This step specifically sets up an OAuth client for the SAP Cloud Platform sub-account. This setup is required to allow use of the SAP JAM APIs. You can test that the connection works by running the SAP Web IDE service and looking up the JAM APIs through the JAM Destination. This is covered below.
Register an OAuth client by following these steps:
- Choose [OAuth Clients] from the Integrations Admin menu.
Figure:15 SAP JAM Administration – Integrations OAuth Client option
- Click on the [Add OAuth Client] option.
Figure:16 Create new OAuth Client option
The following screen will be displayed.
Figure:17 Registering a new OAuth Client screen
Only populate the following fields to guarantee successful integration.

| Field | Value |
|---|---|
| Name | Enter the name of the OAuth Client, e.g. SAP Cloud Platform – TEST (usually include the sub-account if you are setting up multiple OAuth clients within the single JAM tenant). |
| IDP ID | Copy the Local Provider Name in again from the SAP Cloud Platform sub-account Trust screen and paste it in the IDP ID field. This is field 1 from below. NOTE: The signing certificate is not required here. |

Table 5: OAuth Client entry screen
- Click on the [Save] icon to save the OAuth client.
When this is carried out a new Client Key value will be created.
You can retrieve this by going back into the OAuth client using the [View] option.
Figure:18 SAP JAM Administration – Integrations OAuth Clients screen
The following screen will be displayed.
Figure:19 SAP JAM Administration – View OAuth Client screen
- Copy the value assigned to the Key field. You will need to paste this into the SCP sub-account destination Client Key field as described below.
You may recall that the Key value created here needs to be placed into the Client Key of the SCP Sub-account destination.
Figure:20 SAP JAM Destination configuration screen on SCP Sub-account
Once this is done click on the [Check Connection] icon and it should be successful.
Portal Site Settings for JAM Integration
One of the last pieces of the puzzle in setting up real-time Collaboration using SAP JAM is the activation within the Portal site. SAP JAM integration needs to be enabled specifically for each portal site. This can be enabled on Freestyle sites as well but will not be covered here.
To enable this, modify the SAP Jam Integration option in the System Settings of the Fiori Configuration Cockpit for the portal site being maintained. The screen below highlights this.
Figure:21 Portal Site – System Settings for SAP JAM Integration
When SAP JAM is enabled and successfully integrated into the Fiori Launchpad a couple of things occur:
- Instead of an icon representing the logged-on user in the Launchpad screen, a picture is displayed. This picture is copied through from the JAM profile, if in fact a picture has been maintained for that user.
Figure:22 Portal Site Preview with successful SAP JAM Integration
- SAP Jam Groups that the user is authorized for will be included in the Fiori Launchpad and can be selected by the user in the App finder to appear on the user’s launchpad. You can see them below.
Figure:23 Portal Site Preview – App Finder JAM groups
As detailed above, there is a way to test connectivity using SAP Web IDE. You can do this by creating a new Project from a Template and then using the SAP JAM destination set up previously to view the JAM APIs. This is shown below.
Figure:24 SAP Web IDE and testing the JAM APIs
Finally, when all of this is set up it is extremely powerful – allowing internal and external users to collaborate in real time – increasing productivity and efficiency and improving relationships. I believe true collaboration will be crucial to a business's success in the future and a key differentiator.
For more information on some of this set up please follow this link.
Thanks for reading and feel free to leave a comment!