Embed SAP Work Zone in Microsoft Teams as a website.
This short brief is to explain how to embed your SAP Work Zone workspaces as a Website with Microsoft Teams web client.
This is a different approach from the one described in the official SAP documentation, namely Integrating with Microsoft Teams
SAP Work Zone is digital workspace and an asset management tool per se. Its purpose is to give business users a unified and federated experience across all the digital assets of a workplace in an enterprise.
It supports a variety of content management tools like for instance cards.
At the same time SAP Work Zone can be embedded in an iframe of a generic website as well.
Good to know:
Putting it all together
When it comes to embedding SAP Work Zone in an iframe it is important to let the SAP BTP sub-account [that is the host to SAP Work Zone tenant] know the trusted (allowed) domains.
Failure to do so will result in the following error message thrown in a browser:
Refused to frame 'https://<subdomain>.authentication.<region>.hana.ondemand.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors https://*.ondemand.com https://*.sapjam.com https://*.sharepoint.com https://*.cloud.sap".
You may notice the Microsoft Teams domain is simply missing in the list of trusted domains!
The resolution is pretty simple.
If your SAP BTP sub-account hosting SAP Work Zone is Feature Set-B all you need to do is to allow the
https://teams.microsoft.com/ domain from the BTP cockpit.
In case this is a Feature Set-A SAP BTP sub-account you need to do it programmatically using the apiaccess plan of a XSUAA service instance.
As soon as this is done the SAP Work Zone iframe embedding as a Website in Microsoft Teams web client should work as expected:
There is however one more thing to take into consideration, namely the smooth logon experience with SAP Work Zone in an iframe.
If you do nothing and there is no other valid session for your SAP Work Zone user, you will most likely see the following error message:
[Error] Blocked a frame with origin "https://<SAP IAS tenant host name>.<SAP IAS tenant domain name>" from accessing a frame with origin "https://teams.microsoft.com". Protocols, domains, and ports must match.
SAP Work Zone comes with a pre-wired SAP IAS tenant to manage the users authentication.
Thus you need to add the Microsoft Teams domain to the list of the trusted domains in this SAP IAS tenant as depicted below:
If, for whatever reason this could not be done (or wouldn’t be enough), as a workaround, you could login to your SAP Work Zone in a separate tab of the browser first.
In order to be able to embed SAP Work Zone into Microsoft Teams as a generic website all that is required is to make the Microsoft Teams domain a trusted domain with both
- the SAP BTP sub-account, the host of SAP Work Zone tenant as well as
- the SAP IAS tenant used for SAP Work Zone users authentication.