
I have come across a lot of blogs and documentation about enabling the SAP JAM service in SAP Cloud Platform trial environments but I have not seen a lot written about setting up a LIVE production collaboration environment. It has taken me a good while setting this up myself and now that the planets have aligned I wanted to share my experience with the SAP blogsphere…so here goes.

From an architecture point of view the following components make up the particular solution I am covering:

  • SAP Cloud Platform (SCP) sub-account
  • SAP Cloud Platform Identity Authentication tenant (IAS; also referred to below as SAP Cloud Identity)
  • SAP JAM tenant
  • SAP Cloud Platform Portal service (Fiori Launchpad settings)

This is represented diagrammatically by my own little scribbles below.

Figure:1 SAP JAM Integration scribble architecture diagram

The SAP Cloud Identity Authentication tenant is a key component of the entire solution because it provides the authentication option (in this case) for apps developed on the SAP Cloud Platform and also provides access to the SAP JAM tenant. This means that a user can login once to the Fiori Launchpad and have access to individual Fiori applications as well as see notifications and group discussions from SAP JAM.

As a side note I do believe true collaboration between internal and external partners is undervalued – companies are interested in it (theoretically) however are not ready to commit to this as a strategic objective and for that they are worse off. Until organisations realise the value in true collaboration there will be no way forward. Improvements in productivity not to mention the improvement in external relationships are two such benefits. OK, back to the setup.

SAP Cloud Platform – Trust Settings

Firstly, trust needs to be set up between the SAP Cloud Platform sub-account and the SAP Cloud Identity tenant. The assumption (from an SAP JAM integration point of view) is that this has already been done; there are plenty of other blogs that detail this, so please look them up. The key fields here are the Local Provider Name and the Signing Certificate. Keep a note of these, as they are required when setting up the SAML Trusted IDP in the SAP JAM tenant. Both can be found in the SCP sub-account under Security > Trust.

Figure:2 SAP Cloud Platform sub-account Trust settings screen

Key settings include:

  1. The Local Provider Name, which identifies the SAP Cloud Platform sub-account as a SAML issuer. It will usually have the form https://ap1.hana.ondemand.com/<SCP sub-account ID>, where ap1 is the SCP data centre ID; in this case this is the Asia Pacific data centre in Sydney.

  2. The Signing Certificate, which is required when setting up the SAML Trusted IDP in the SAP JAM Admin settings. Further information on SAP JAM Administration is included below.

The other important element is the settings for the Assertion attributes, these are important in the integration between the SAP Cloud Platform sub-account and the JAM tenant and they need to be set up exactly the same as below.

Figure:3 SCP sub-account Trust setting Assertion Attributes

Enter the contents of the Attributes screen above according to this table.

Assertion Attribute    Principal Attribute
first_name             firstname
last_name              lastname
mail                   email

Table:1  SCP Sub-account Trust Assertion Attribute mapping

The three assertion attributes are necessary for SCP sub-account, SAP Cloud Identity and SAP JAM integration. They need to be entered in exactly the format described above.

NOTE: The mail/email attribute in particular also relates to the userIdSource property of the SCP sub-account destination, which will be covered later.

SAP Cloud Platform – Destination Setup

To connect to the SAP JAM tenant a new destination in SAP Cloud Platform (SCP) is required. This destination needs to be set up within the SCP Sub-account and represents a connection to the SAP JAM Instance.

Figure:4 JAM Destination in SCP Sub-account

Set up the new SAP JAM destination according to this table.

Field                   Contents
Name                    Destination name, e.g. jam
Type                    HTTP
Description             Meaningful description of the SCP sub-account destination
URL                     Host URL of the SAP JAM tenant, e.g. https://jam10.sapjam.com. Copy this from the Company Overview section of the SAP JAM Admin area; it may differ from the example given here (see Figures 5 and 6 above).
Proxy Type              Internet
Authentication          OAuth2SAMLBearerAssertion
Audience                cubetree.com
Client Key              The Key generated when the OAuth client is created under Integrations in SAP JAM Administration. Copy it into this field (see the OAuth client section below).
Token Service URL       https://jam10.sapjam.com/api/v1/auth/token (the JAM host URL above followed by /api/v1/auth/token)
Token Service User      Leave blank
Token Service Password  Leave blank
System User             Leave blank

Table 2: JAM Destination settings

As with most destinations, additional properties also need to be entered. Enter the Additional Properties according to this table.

Property       Value
nameIdFormat   urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
TrustAll       true
userIdSource   email
WebIDEEnabled  true
WebIDEUsage    odata_gen

Table 3: SAP JAM Destination in SCP – Additional Properties

NOTE: TrustAll=true switches off validation of the TLS server certificate presented by the JAM host for this destination, so the connection would also be accepted from anything that could intercept it. A production JAM tenant is a public SAP-managed HTTPS endpoint and should not need it; try the destination without TrustAll first and only add it if the connection fails on the certificate, and then find out why.

SAP Cloud Platform Identity Authentication

There are plenty of other blogs that delve into setting up trust between SAP Cloud Platform Identity Authentication, SAP Cloud Platform sub-accounts and JAM tenants; one of them I will reference here. This activity is similar to setting up trust with the SAP Cloud Platform sub-account.

  • Create a new Application using the + Add icon.

Figure:7 SAP Cloud Platform Identity Authentication – Application Setup

Branding and Layout as well as Authentication options can also be configured, but from a security integration perspective the main actions to be performed are under the Trust menu as displayed above.

Key elements of the set up include:

  • Name ID Attribute. For any application set up in SAP Cloud Identity a suitable option for the Name ID attribute is required. As you can see above, the User ID has been chosen in this case.

    Figure:8 Name ID Attribute options

  • Default Name ID Attribute. NOTE: This is a recent NEW feature. It allows two options, unspecified or email address, and depends on the Name ID attribute being sent to the application. If the Name ID attribute selection is anything other than E-Mail, select unspecified here. If the Name ID attribute selection is E-Mail, select emailaddress here.

    Figure:9 Default Name ID Attribute setting

SAP JAM Administration

A number of tasks are required in the SAP JAM tenant to ensure successful integration between SAP Cloud Platform, SAP Cloud Identity and the SAP JAM tenant. In most other blogs this activity is carried out within the JAM service included as part of the SAP Cloud Platform trial accounts. In a productive environment, however, it is carried out in the actual SAP JAM tenant provisioned by SAP under your subscription, which sits outside of the SCP sub-account services.

  • Creating a SAML Trusted IDP for the SCP Sub-account
  • Creating a SAML Trusted IDP for the SAP Cloud Identity tenant – not covered here as there are plenty of blogs that cover this step already. Check the same blog as above here.
  • Creating an OAuth Client

To administer the SAP JAM tenant you will need to be assigned as an Administrator. Once logged in you will need to click the cog icon and select Admin from the drop-down menu.

Figure:10 SAP JAM Administration option

Create a SAML Trusted IDP in SAP JAM

There needs to be trust between the SAP JAM tenant and the SAP Cloud Platform sub-account and the way this is achieved is by setting up a SAML Trusted Identity Provider connection between the two platforms.

Register a SAML Trusted IDP by following these steps:

  • Choose [SAML Trusted IDPs] option from the Integrations Admin menu.

Figure:11 SAP JAM Admin Integration Setup – SAML Trusted IDPs

  • Select the [Register your SAML Trusted IDP] icon.

Figure:12 Register new SAML Trusted IDP screen

The next screen allows you to enter all of the fields required to set up a new SAML Trusted IDP. At this point I will show a combination of screens to make it clearer exactly where the configuration comes from. The screen on the left-hand side is the new SAML Trusted IDP screen and the one on the right is the SCP sub-account Trust settings.

Only 2 fields are required to be entered:

  1. IDP ID
  2. X509 Certificate (Base 64).

Figure:13 Mapping between SAML Trusted IDP and SCP Sub-account Trust screen

The contents of the above should be entered according to this table.

Field                      Contents
IDP ID                     Copy the Local Provider Name from the SAP Cloud Platform sub-account Trust screen and paste it here (field 1 in Figure 13 above). It is matched against the Issuer of the assertions the sub-account sends, so it must be identical to the Local Provider Name.
X509 Certificate (Base64)  Copy the Signing Certificate contents from the SAP Cloud Platform sub-account Trust screen and paste them here (field 2 in Figure 13 above). NOTE: Be careful and make sure you copy the FULL contents of the signing certificate field; a truncated certificate will not decode and the assertions signed with it will be rejected.
Enabled                    Activate this checkbox
Administrative Area        Leave as Company

Table 4: SAML Trusted IDP settings

Once the above has been entered click on the [Register] icon. This will save the new SAML Trusted IDP configuration.

The resultant set up will look something like this.

Figure:14 Completed SAML Trusted IDP Setup in SAP JAM tenant

The next step is to create an OAuth Client.

Create an OAuth Client

This step sets up an OAuth client specifically for the SAP Cloud Platform sub-account. It is required to allow use of the SAP JAM APIs. You can test connectivity afterwards by running the SAP Web IDE service and browsing the JAM APIs through the JAM destination; this is covered below.

Register an OAuth client by following these steps:

  • Choose [OAuth Clients] from the Integrations Admin menu.

Figure:15 SAP JAM Administration – Integrations OAuth Client option


  • Click on the [Add OAuth Client] option.

Figure:16 Create new OAuth Client option

The following screen will be displayed.

Figure:17 Registering a new OAuth Client screen

Only populate the following fields to guarantee successful integration.

Field            Contents
Name             Name of the OAuth client, e.g. SAP Cloud Platform – TEST. If you set up multiple OAuth clients within a single JAM tenant, include the sub-account in the name.
Integration URL  Copy the Local Provider Name from the SAP Cloud Platform sub-account Trust screen again and paste it into the Integration URL field (the same value that was used as the IDP ID; field 1 in Figure 13 above). NOTE: The signing certificate is not required here.

Table 5: OAuth Client entry screen

  • Click on the [Save] icon to save the OAuth client.

When this is carried out a new Client Key value will be created.

You can retrieve this by going back into the OAuth client using the [View] option.

Figure:18 SAP JAM Administration – Integrations OAuth Clients screen

The following screen will be displayed.

Figure:19 SAP JAM Administration – View OAuth Client screen

  • Copy the value assigned to the Key field. You will need to paste this into the SCP sub-account destination Client Key field as described below.

You may recall that the Key value created here needs to be placed into the Client Key of the SCP Sub-account destination.

Figure: 20 SAP JAM Destination configuration screen on SCP Sub-account

Once this is done click on the [Check Connection] icon; it should report success. Be aware that Check Connection only verifies that the destination URL is reachable through the configured proxy type. It does not perform the SAML bearer token exchange, so a successful check does not prove that the IDP ID, the certificate or the Client Key are correct; the SAP Web IDE test described below exercises the full flow.
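To see how the pieces configured so far have to agree with each other, the following Python example, added here (it is not the post's code and not SAP's implementation), models the chain end to end on constructed data and without any network access. The destination service builds a SAML bearer assertion for the logged-on user using the Trust > Attributes mapping from Table 1 and the nameIdFormat/userIdSource properties from Table 3; the JAM side accepts it only if the Issuer equals a registered SAML Trusted IDP ID, the Audience equals cubetree.com, the NameID is an e-mail address, the three attributes are present and the assertion has not expired; and the token request sent to the Token Service URL carries the OAuth Client Key as client_id, in the RFC 7522 form that the OAuth2SAMLBearerAssertion destination type uses. The sub-account ID, client key and user are placeholder values, and the real assertion is additionally signed with the sub-account signing certificate, which is omitted here. The demo at the bottom shows what a mismatched IDP ID and wrongly named attributes look like from the receiving side.

```python
# Added example (not code from the blog, from SAP or from the SAP Jam API docs).
# It models the chain this post configures: the SCP destination service builds a
# SAML bearer assertion for the logged-on user, POSTs it to the Jam token service,
# and Jam accepts it only if the Issuer matches a registered SAML Trusted IdP (IDP ID),
# the Audience matches and the user can be identified. Runs offline on constructed data;
# the real assertion is signed with the sub-account signing certificate (omitted here).
import base64
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # destination: nameIdFormat
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"            # RFC 7522 grant type

# Configuration values from the post; the sub-account ID and client key are assumed placeholders.
LOCAL_PROVIDER_NAME = "https://ap1.hana.ondemand.com/mysubaccount"   # SCP Trust: Local Provider Name = Jam IDP ID
JAM_AUDIENCE = "cubetree.com"                                         # destination: Audience
TOKEN_SERVICE_URL = "https://jam10.sapjam.com/api/v1/auth/token"     # destination: Token Service URL
CLIENT_KEY = "0123456789abcdef"                                       # Jam Admin > OAuth Clients > Key (assumed)

# Table 1: SCP principal attribute -> assertion attribute name Jam expects
ATTRIBUTE_MAP = {"firstname": "first_name", "lastname": "last_name", "email": "mail"}


def _ts(t: dt.datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_assertion(principal, issuer=LOCAL_PROVIDER_NAME, audience=JAM_AUDIENCE,
                    attribute_map=ATTRIBUTE_MAP, ttl_seconds=300):
    """Unsigned SAML 2.0 assertion in the shape the OAuth2SAMLBearerAssertion destination sends."""
    now = dt.datetime.now(dt.timezone.utc)
    a = ET.Element(f"{{{SAML}}}Assertion",
                   {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(a, f"{{{SAML}}}Subject")
    # userIdSource=email: the NameID carries the user's e-mail address
    ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": NAMEID_EMAIL}).text = principal["email"]
    ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation",
                  {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         {"NotBefore": _ts(now), "NotOnOrAfter": _ts(now + dt.timedelta(seconds=ttl_seconds))})
    restr = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(restr, f"{{{SAML}}}Audience").text = audience
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for principal_attr, assertion_attr in attribute_map.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"Name": assertion_attr})
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = principal[principal_attr]
    return ET.tostring(a, encoding="unicode")


def check_assertion(xml_text, trusted_idp_ids, expected_audience=JAM_AUDIENCE, now=None):
    """Checks a SAML bearer receiver must pass before issuing a token. Returns a list of
    problems (empty means accepted). Signature verification against the registered X.509
    certificate is the further check a real receiver performs and is omitted here."""
    root = ET.fromstring(xml_text)
    now = now or dt.datetime.now(dt.timezone.utc)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_idp_ids:
        problems.append(f"issuer {issuer!r} is not a registered SAML Trusted IdP (check IDP ID)")
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_audience:
        problems.append(f"audience {audience!r} != {expected_audience!r} (check destination Audience)")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_EMAIL or "@" not in (name_id.text or ""):
        problems.append("NameID is not an e-mail address (check nameIdFormat / userIdSource)")
    present = {el.get("Name") for el in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = sorted(set(ATTRIBUTE_MAP.values()) - present)
    if missing:
        problems.append(f"missing assertion attributes {missing} (check Trust > Attributes mapping)")
    expiry = root.find("saml:Conditions", NS).get("NotOnOrAfter")
    if dt.datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc) <= now:
        problems.append(f"assertion expired at {expiry}")
    return problems


def token_request(assertion_xml, client_key=CLIENT_KEY):
    """Form fields of the RFC 7522 token request POSTed to TOKEN_SERVICE_URL (not sent here)."""
    return {"grant_type": SAML2_BEARER, "client_id": client_key,
            "assertion": base64.b64encode(assertion_xml.encode()).decode()}


if __name__ == "__main__":
    user = {"firstname": "Jane", "lastname": "Doe", "email": "jane.doe@example.com"}  # constructed
    good = build_assertion(user)
    print("correct config:", check_assertion(good, {LOCAL_PROVIDER_NAME}) or "accepted")
    # Typical mistakes: IDP ID not identical to the Local Provider Name, and attributes
    # named as in the principal rather than as in Table 1
    print("wrong IDP ID:", check_assertion(good, {LOCAL_PROVIDER_NAME + "/"}))
    bad_attrs = build_assertion(user, attribute_map={"firstname": "firstname", "lastname": "lastname", "email": "email"})
    print("wrong attribute names:", check_assertion(bad_attrs, {LOCAL_PROVIDER_NAME}))
    print("token request fields:", sorted(token_request(good)))
```

Each problem string names the screen to revisit, which is the order in which I would retrace a failing integration: the IDP ID in JAM, the Audience and properties of the destination, and finally the Trust > Attributes mapping.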


Portal Site Settings for JAM Integration

One of the last pieces of the puzzle in setting up real-time Collaboration using SAP JAM is the activation within the Portal site. SAP JAM integration needs to be enabled specifically for each portal site. This can be enabled on Freestyle sites as well but will not be covered here.

To enable this – you need to modify the SAP Jam Integration option in the System Settings of the Fiori Configuration Cockpit of the portal site being maintained. The screen below highlights this.

Figure: 21 Portal Site – System Settings for SAP JAM Integration

When SAP JAM is enabled and successfully integrated into the Fiori Launchpad a couple of things occur:

  • Instead of an icon showing in the Launchpad screen representing the logged on user, a picture is displayed. This picture is copied through from the JAM login profile – if in fact a picture has been maintained for that user.

Figure: 22 Portal Site Preview with successful SAP JAM Integration

  • SAP Jam Groups that the user is authorized for will be included in the Fiori Launchpad and can be selected by the user in the App finder to appear on the user’s launchpad. You can see them below.


Figure: 23 Portal Site Preview – App Finder JAM groups

As mentioned above, there is a way to test connectivity using SAP Web IDE. Create a new project from a template and then use the SAP JAM destination set up previously to browse the JAM APIs. This is shown below.

Figure: 24 SAP Web IDE and testing the JAM API’s

Finally, when all of this is set up it is extremely powerful – allowing internal and external users to collaborate in real time – increasing productivity and efficiency and improving relationships. I believe true collaboration will be crucial to a business's success in the future and a key differentiator.

For more information on some of this set up please follow this link.

https://help.sap.com/viewer/u_collaboration_dev_help/033db47cbaa6404cbb8c2e53a220964d.html

Thanks for reading and feel free to leave a comment!


3 Comments


    1. Phil Cooley (post author)

      Yes. Authentication for SAP JAM (like any other application) can be set up using a company’s internal IdP, SAP Cloud Identity, MS Azure AD etc. The only difference would be the 2nd step. In the SAP JAM admin – Integrations step you would register MS Azure AD as the SAML Trusted IDP and you would need to register SAP JAM as an application within MS Azure as well. This does not change creation of a SAML Trusted IdP for the SAP Cloud Platform though nor the OAuth Client setup – these steps still need to be carried out.

      Don’t see any pitfalls with using MS Azure AD or any other SAML 2.0 provider. Most functions are covered in all IdPs. I just covered a little of SAP Cloud Identity above in line with SAP’s architecture.

      Thanks for your question.

      1. Christian Happel

        Just to be clear:

        While this should work for an application-level integration, when it comes to user authentication when logging on to SAP Jam itself, you will always need to go through CP Identity Authentication Service (IAS). You can connect IAS to MS Azure AD or any other IdP at the customer of course and delegate authentication from IAS to the other IdP, but for the user authentication flow you can’t connect SAP Jam directly to another IdP.

