
I have come across a lot of blogs and documentation about enabling the SAP JAM service in SAP Cloud Platform trial environments, but I have not seen much written about setting up a LIVE production collaboration environment. It took me a good while to set this up myself, and now that the planets have aligned I wanted to share my experience with the SAP blogosphere... so here goes.

From an architecture point of view the following components make up the particular solution I am covering:

  • SAP Cloud Platform (for sub-account)
  • SAP Cloud Platform Identity Authentication tenant (SCPI)
  • SAP JAM Tenant
  • SAP Portal Service (FLP Settings)

This is represented diagrammatically by my own little scribbles below.

Figure:1 SAP JAM Integration scribble architecture diagram

The SAP Cloud Identity Authentication tenant is a key component of the entire solution because it provides the authentication option (in this case) for apps developed on the SAP Cloud Platform and also provides access to the SAP JAM tenant. This means that a user can login once to the Fiori Launchpad and have access to individual Fiori applications as well as see notifications and group discussions from SAP JAM.

As a side note, I do believe true collaboration between internal and external partners is undervalued: companies are interested in it (theoretically) but are not ready to commit to it as a strategic objective, and they are worse off for that. Until organisations realise the value in true collaboration there will be no way forward. Improvements in productivity, not to mention improved external relationships, are two of the benefits. OK, back to the setup.

SAP Cloud Platform – Trust Settings

Firstly, trust needs to be set up between the SAP Cloud Platform sub-account and the SAP Cloud Identity tenant. The assumption (from a SAP JAM integration point of view) is that this has already been done; there are plenty of other blogs that detail this, so please look them up. The key fields here are the Local Provider Name and the Signing Certificate. Keep a note of these, as they are required when setting up the Administration activities in the SAP JAM tenant. The settings below can be found in the SCP sub-account under the Security > Trust option.

Figure:2 SAP Cloud Platform sub-account Trust settings screen

Key settings include:

  1. The Local Provider Name, which basically points to the SAP Cloud Platform sub-account. This will usually be https://ap1.hana.ondemand.com/<SCP sub-account ID>, where ap1 is the SCP data centre ID. In this case this is the Asia Pacific data centre in Sydney.

  2. The Signing Certificate, which is required when setting up the SAML Trusted IDP in the JAM Admin settings. Further information on SAP JAM Administration is included below.

The other important element is the Assertion Attributes setting. These attributes are used in the integration between the SAP Cloud Platform sub-account and the JAM tenant and need to be set up exactly as shown below.

Figure:3 SCP sub-account Trust setting Assertion Attributes

Enter the contents of the Attributes screen above according to this table.

Assertion Attribute   Principal Attribute
first_name            firstname
last_name             lastname
mail                  email

Table 1: SCP Sub-account Trust Assertion Attribute mapping

The three assertion attributes are necessary for SCP sub-account, SAP Cloud Identity and SAP JAM integration. They need to be entered in exactly the format described above.

NOTE: The email attribute in particular also relates to the useridSource property included in the SCP sub-account Destination which will be covered later.

SAP Cloud Platform – Destination Setup

To connect to the SAP JAM tenant a new destination in SAP Cloud Platform (SCP) is required. This destination needs to be set up within the SCP Sub-account and represents a connection to the SAP JAM Instance.

Figure:4 JAM Destination in SCP Sub-account

Set up the new SAP JAM destination with the following parameters:

The rest of the settings can be maintained according to this table.

Field                   Contents
Name                    Destination Name, e.g. jam
Type                    HTTP
Description             Meaningful description of the SCP sub-account Destination
URL                     Host URL of the SAP JAM tenant, e.g. https://jam10.sapjam.com. Copy it from the ADMIN section of the SAP JAM tenant (Company Overview); it could be different to the URL above. You can see this in Figures 5 and 6 above.
Proxy Type              Internet
Authentication          OAuth2SAMLBearerAssertion
Audience                cubetree.com
Client Key              The key that is generated when the JAM OAuth client is created in the SAP JAM Administration Integrations setup. Copy the Client Key into this field; further details below.
Token Service URL       https://jam10.sapjam.com/api/v1/auth/token
Token Service User      Leave blank
Token Service Password  Leave blank
System User             Leave blank

Table 2: JAM Destination settings

As with most Destinations additional properties need to be entered also. Enter the Additional Properties according to this table.

Field          Contents
nameIdFormat   urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
TrustAll       True
userIdSource   Email
WebIDEEnabled  True
WebIDEUsage    Odata_gen

Table 3: SAP JAM Destination in SCP – Additional Properties
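As an added example (my own script, not part of this post or of the SAP products it describes), the following Python check reads a SAML bearer assertion and verifies the points that Tables 1 and 3 pin down: the three assertion attributes, the emailAddress NameID format, the cubetree.com Audience and the Issuer matching the Local Provider Name. The assertion and the sub-account name in it are constructed placeholders; a real assertion is signed and produced by the destination at runtime.

```python
"""Check a SAML bearer assertion against the settings in Tables 1 and 3.
Added example; the assertion below is constructed, not captured from SCP."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values from the page's tables (nameIdFormat and Audience of the destination,
# assertion attributes of the Trust screen).
EXPECTED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EXPECTED_AUDIENCE = "cubetree.com"
REQUIRED_ATTRIBUTES = {"first_name", "last_name", "mail"}

# Placeholder Local Provider Name; real ones look like
# https://ap1.hana.ondemand.com/<sub-account ID>.
LOCAL_PROVIDER_NAME = "https://ap1.hana.ondemand.com/EXAMPLE-SUBACCOUNT"

# Constructed, unsigned sample assertion for illustration only.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_example" Version="2.0">
  <saml:Issuer>{LOCAL_PROVIDER_NAME}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{EXPECTED_NAMEID_FORMAT}">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_issuer):
    """Return a list of findings; an empty list means the assertion matches the tables."""
    root = ET.fromstring(xml_text)
    findings = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        findings.append(f"Issuer {issuer!r} is not the Local Provider Name registered as IDP ID in Jam")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("Subject has no NameID")
    else:
        if name_id.get("Format") != EXPECTED_NAMEID_FORMAT:
            findings.append(f"NameID Format {name_id.get('Format')!r} differs from the destination's nameIdFormat")
        mail = root.findtext("saml:AttributeStatement/saml:Attribute[@Name='mail']/saml:AttributeValue", namespaces=NS)
        if mail is not None and name_id.text != mail:
            findings.append("NameID differs from the mail attribute; userIdSource=Email sends the user's email as subject")
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        findings.append(f"Audience {audiences} does not include {EXPECTED_AUDIENCE!r}")
    present = {a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for missing in sorted(REQUIRED_ATTRIBUTES - present):
        findings.append(f"attribute {missing!r} missing; Table 1 requires it")
    return findings


if __name__ == "__main__":
    for finding in check_assertion(SAMPLE_ASSERTION, LOCAL_PROVIDER_NAME) or ["assertion matches Tables 1 and 3"]:
        print(finding)
```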

SAP Cloud Platform Identity Authentication

There are plenty of other blogs that delve into setting up Trust between SAP Cloud Platform sub-accounts and JAM tenants, one of them I will reference here. This activity is similar to setting up trust with the SAP Cloud Platform sub-account.

  • Create a new Application using the + Add icon.

Figure:7 SAP Cloud Platform Identity Authentication – Application Setup

While Branding and Layout as well as Authentication options can be set up here, from a security integration perspective the main actions to be performed are under the Trust menu, as displayed above.

Key elements of the set up include:

  • Name ID Attribute. For any application set up in SAP Cloud Identity a suitable option for the Name ID attribute is required. As you can see above, the User ID has been chosen in this case.

    Figure:8 Name ID Attribute options

  • Default Name ID Attribute. NOTE: This is a recent NEW feature offering. It allows for 2 options, either unspecified or email address, and depends on the Name ID attribute being sent in to the application. If the Name ID attribute selection is anything other than email then the Default Name ID selection should be unspecified. If the Name ID attribute selection is E-Mail then the emailaddress option here should be selected.

    Figure:9 Default Name ID Attribute setting

SAP JAM Administration

A number of tasks are required in the SAP JAM tenant to ensure successful integration between SAP Cloud Platform, SAP Cloud Identity and the SAP JAM tenant. In most other blogs this activity is carried out within the JAM service included as part of the SAP Cloud Platform trial accounts. However, in a productive environment this is carried out in the actual SAP JAM tenant provided and subscribed by SAP which is outside of the SCP sub-account services.

  • Creating a SAML Trusted IDP for the SCP Sub-account
  • Creating a SAML Trusted IDP for the SAP Cloud Identity tenant – not covered here as there are plenty of blogs that cover this step already. Check the same blog as above here.
  • Creating an OAuth Client

To administer the SAP JAM tenant you will need to be assigned as an Administrator. Once logged in you will need to click the cog icon and select Admin from the drop-down menu.

Figure:10 SAP JAM Administration option

Create a SAML Trusted IDP in SAP JAM

There needs to be trust between the SAP JAM tenant and the SAP Cloud Platform sub-account and the way this is achieved is by setting up a SAML Trusted Identity Provider connection between the two platforms.

Register a SAML Trusted IDP by following these steps:

  • Choose [SAML Trusted IDPs] option from the Integrations Admin menu.

Figure:11 SAP JAM Admin Integration Setup – SAML Trusted IDPs

  • Select the [Register your SAML Trusted IDP] icon.

Figure:12 Register new SAML Trusted IDP screen

The next screen will allow you to enter all of the fields required for a new SAML Trusted IDP. At this point I will show a combination of screens to make it clearer exactly where the configuration comes from. The screen on the LHS is the new SAML Trusted IDP screen and the one on the right is the SCP Sub-Account Trust settings.

Only 2 fields are required to be entered:

  1. IDP ID
  2. X509 Certificate (Base 64).

Figure:13 Mapping between SAML Trusted IDP and SCP Sub-account Trust screen

The contents of the above should be entered according to this table.

Field                       Contents
IDP ID                      Copy the Local Provider Name from the SAP Cloud Platform sub-account Trust screen and paste it in the IDP ID field. This is field 1 from Figure 1 above.
X509 Certificate (Base 64)  Copy the Signing Certificate contents from the SAP Cloud Platform sub-account Trust screen and paste it into the X509 Certificate (Base64) field. This is field 2 from Figure 1 above. NOTE: Be careful and make sure you copy the FULL contents of the signing certificate field.
Enabled                     Activate this checkbox
Administrative Area         Leave as Company

Table 4: SAML Trusted IDP settings
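The NOTE about copying the FULL certificate is worth automating. The Python check below is my own added example, not from this post or from SAP: it decodes the pasted Base64 and compares the length declared by the outer DER SEQUENCE with the number of bytes actually decoded, so a clipped copy is caught before the SAML Trusted IDP is saved. The certificate bytes used are a constructed DER shell with a valid outer header, not a real signing certificate.

```python
"""Catch a truncated signing certificate before it is pasted into the SAML Trusted IDP
screen. Added example; the certificate bytes are a constructed DER shell, not a real cert."""
import base64
import binascii


def der_declared_length(der):
    """Total bytes (header + content) the outer DER SEQUENCE claims, or None if not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:        # 0x30: SEQUENCE tag, which every X.509 Certificate starts with
        return None
    first = der[1]
    if first < 0x80:                           # short form: the length fits in one byte
        return 2 + first
    n = first & 0x7F                           # long form: the next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pasted_certificate(text):
    """Return (ok, message) for text copied from the SCP Trust screen, with or without PEM markers."""
    stripped = (line.strip() for line in text.splitlines())
    body = "".join(s for s in stripped if s and not s.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid Base64: {exc}"
    declared = der_declared_length(der)
    if declared is None:
        return False, "decoded bytes do not start with a DER SEQUENCE; this is not a certificate"
    if declared != len(der):
        return False, f"DER declares {declared} bytes but {len(der)} were decoded; the copy is incomplete"
    return True, f"certificate body is complete ({len(der)} DER bytes)"


def _pem(der):
    """Constructed helper: wrap DER bytes as PEM-style Base64 lines of 64 characters."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])


# Constructed sample: long-form SEQUENCE header declaring 256 content bytes (not a parseable cert).
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
FULL_PEM = _pem(FAKE_DER)
TRUNCATED_PEM = "\n".join(FULL_PEM.splitlines()[:-2])   # last Base64 line and END marker lost in the copy

if __name__ == "__main__":
    print(check_pasted_certificate(FULL_PEM))
    print(check_pasted_certificate(TRUNCATED_PEM))
```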

Once the above has been entered click on the [Register] icon. This will save the new SAML Trusted IDP configuration.

The resultant set up will look something like this.

Figure:14 Completed SAML Trusted IDP Setup in SAP JAM tenant

The next step is to create an OAuth Client.

Create an OAuth Client

This step specifically sets up an OAuth client for the SAP Cloud Platform sub-account. It is required to allow use of the SAP JAM APIs. You can test connectivity by running the SAP Web IDE service and browsing the JAM APIs through the JAM Destination. This is covered below.

Register an OAuth client by following these steps:

  • Choose [OAuth Clients] from the Integrations Admin menu.

Figure:15 SAP JAM Administration – Integrations OAuth Client option

 

  • Click on the [Add OAuth Client] option.

Figure:16 Create new OAuth Client option

The following screen will be displayed.

Figure:17 Registering a new OAuth Client screen

Only populate the following fields to guarantee successful integration.

Field            Contents
Name             Enter the name of the OAuth Client, e.g. SAP Cloud Platform – TEST (usually include the sub-account if you are setting up multiple OAuth clients within the single JAM tenant).
Integration URL  Copy the Local Provider Name in again from the SAP Cloud Platform sub-account Trust screen and paste it in the IDP ID field. This is field 1 from below. NOTE: The signing certificate is not required here.

Table 5: OAuth Client entry screen

  • Click on the [Save] icon to save the OAuth client.

When this is carried out a new Client Key value will be created.

You can retrieve this by going back into the OAuth client using the [View] option.

Figure:18 SAP JAM Administration – Integrations OAuth Clients screen

The following screen will be displayed.

Figure:19 SAP JAM Administration – View OAuth Client screen

  • Copy the value assigned to the Key field. You will need to paste this into the SCP sub-account destination Client Key field as described below.

You may recall that the Key value created here needs to be placed into the Client Key of the SCP Sub-account destination.

Figure: 20 SAP JAM Destination configuration screen on SCP Sub-account

Once this is done click on the [Check Connection] icon and it should be successful.

 

Portal Site Settings for JAM Integration

One of the last pieces of the puzzle in setting up real-time Collaboration using SAP JAM is the activation within the Portal site. SAP JAM integration needs to be enabled specifically for each portal site. This can be enabled on Freestyle sites as well but will not be covered here.

To enable this – you need to modify the SAP Jam Integration option in the System Settings of the Fiori Configuration Cockpit of the portal site being maintained. The screen below highlights this.

Figure: 21 Portal Site – System Settings for SAP JAM Integration

When SAP JAM is enabled and successfully integrated into the Fiori Launchpad a couple of things occur:

  • Instead of an icon showing in the Launchpad screen representing the logged on user, a picture is displayed. This picture is copied through from the JAM login profile – if in fact a picture has been maintained for that user.

Figure: 22 Portal Site Preview with successful SAP JAM Integration

  • SAP Jam Groups that the user is authorized for will be included in the Fiori Launchpad and can be selected by the user in the App finder to appear on the user’s launchpad. You can see them below.

 

Figure: 23 Portal Site Preview – App Finder JAM groups

As detailed above, there is a way to test connectivity using SAP Web IDE. Create a new Project from a Template and then use the SAP JAM destination set up previously to view the JAM APIs. This is shown below.

Figure: 24 SAP Web IDE and testing the JAM APIs

Finally, when all of this is set up it is extremely powerful, allowing internal and external users to collaborate in real time, increasing productivity and efficiency and improving relationships. I believe true collaboration will be crucial to a business's success in the future and a key differentiator.

For more information on some of this set up please follow this link.

https://help.sap.com/viewer/u_collaboration_dev_help/033db47cbaa6404cbb8c2e53a220964d.html

Thanks for reading and feel free to leave a comment!

11 Comments

    1. Phil Cooley Post author

      Yes. Authentication for SAP JAM (like any other application) can be set up using a company’s internal IdP, SAP Cloud Identity, MS Azure AD etc. The only difference would be the 2nd step. In the SAP JAM admin – Integrations step you would register MS Azure AD as the SAML Trusted IDP and you would need to register SAP JAM as an application within MS Azure as well. This does not change creation of a SAML Trusted IdP for the SAP Cloud Platform though nor the OAuth Client setup – these steps still need to be carried out.

      Don’t see any pitfalls with using MS Azure AD or any other SAML 2.0 provider. Most functions are covered in all IDP’s. I just covered a little of SAP Cloud Identity above in line with SAP’s architecture.

      Thanks for your question.

      1. Christian Happel

        Just to be clear:

        While this should work for an application-level integration, when it comes to user authentication when logging on to SAP Jam itself, you will always need to go through CP Identity Authentication Service (IAS). You can connect IAS to MS Azure AD or any other IdP at the customer of course and delegate authentication from IAS to the other IdP, but for the user authentication flow you can’t connect SAP Jam directly to another IdP.

  1. Phil Cooley Post author

    Thanks Christian Happel for the information – just to clarify I thought there was an ability to link to any other SAML Local Service Provider or is this on a request basis. The below link states this – if I understand it correctly.

    https://help.sap.com/viewer/u_admin_help/dda9b89fd0954b0d948df1a3b8f2b088.html

    Would be good to know exactly as I regularly architect these solutions so want to make sure I am providing clients with the right information.
    1. Christian Happel

      Hi Phil Cooley

      my understanding is that the SAML Trusted IdPs can be used for a system-to-system Integration but when it comes to logging on to the SAP Jam UI you will always have to connect through IAS (or SuccessFactors Foundation in case customers have SAP Jam running on that).

      As mentioned of course you can delegate the Authentication from IAS to another IdP.

  2. Phil Cooley Post author

    Thanks Christian Happel

    The documentation then should be changed to state this as it is definitely not stating this in the Help documentation nor setup guides. From a customer standpoint, why would a company run SAP JAM then if they need to buy IAS to actually authenticate to it, if they also run their own IDP???  A business case asking for this would never stack up, it is nonsensical!

    I really like SAP Jam and I think collaboration is one of the major differentiators for organisations into the future and the above constraint just limits SAP JAM to be in the running.

    1. Christian Happel

      I’m sorry Phil Cooley but maybe there’s a misunderstanding:

      Customers don’t have to buy IAS separately. They get it together with SAP Jam Collaboration. IAS is the Identity Provider for SAP Jam and it can be connected to any other IdP without any additional costs.

  3. Phil Cooley Post author

    Thanks Christian Happel for clarifying, that makes sense now! 🙂 This definitely makes it more attractive for customers although it still means that customers potentially have 2 user stores. This is ok I think especially with the great collaboration offering that SAP JAM provides. Great, thanks for following up to clear this up. Will definitely make sure my clients understand this!

    1. Christian Happel

      Can you explain why you think you need 2 user stores? Maybe I’m not understanding correctly.

      Yes, of course you need to get users created in SAP Jam, otherwise you can’t invite them to groups, at-mention them etc. But the same needs to be done for a CRM or finance application.

      Now, the user authentication is completely separate from that:
      You can delegate the authentication from IAS to your central on-premise IdP such as AD, or even use SPNEGO for automatic log-on.

  4. Phil Cooley Post author

    Understand I can delegate authentication from the IAS to the on-premise IdP but not sure I see the difference between creating a user in SAP JAM versus creating a user in IAS. Either way, they are 2 user stores. To me, it would be better in IAS as it provides more flexibility for the user and opens up options into the future. Creating users directly in SAP JAM gives them access to SAP JAM only which to me is limiting. So, either way you look at it you have 2 user stores. For your scenario you have a user store in SAP JAM and 1 in their on-premise. This makes 2!

    Determining components of landscapes between IAS, on-premise IdP takes effort – a lot of things need to be taken into account such as credibility of the on-prem AD, future strategic directions etc.

    Are there other scenarios in SAP Cloud Platform where IAS is mandatory? Would be good to understand this.