I don’t think I have to introduce what Joule is all about, it has been making noise all over the SAP Community since the announcements at #SAPTechEd2023.

In case you missed it, allow me to share that Joule is the AI copilot to help your business requirements while supporting Navigational, Transactional, and Informational patterns. As part of our first announcements, Joule is Generally Available (GA) with SAP SuccessFactors. You may refer to the SAP SuccessFactors 2H 2023 Release Highlights or take a quick look at the SAP SuccessFactors 2H 2023 Release Highlights Video and you can also watch the Demo – Interacting with Joule in SAP SuccessFactors.

So let me summarize the important topics:

Talent Intelligence Hub is GA - Understand, build, and leverage the skills of the workforce with an AI-powered skills framework included in the SAP SuccessFactors platform

• Integrated Learning Experience is GA, it supports users with a redesigned learning home page and personalized AI-powered recommendations on
  • Have to Learn
  • Need to Learn
  • Want to Learn
  •  
• New Recruiter Experience with AI-powered job descriptions using Joule and the ability to add MS Team call details to the interview
• Interview questions based on the Job Description with Joule
• SAP SuccessFactors App for Microsoft Teams available in the AppStore
• SAP SuccessFactors Employee Central quick actions
• SAP SuccessFactors Incentive Management
• Follow the SAP Road Map Explorer for future updates

Important:  Joule is currently available in English, supported and supported in the US (Virginia) and European (Frankfurt) Data Centers with AWS as the Infrastructure Provider.

I recommend always taking a look at the Data Center Mapping between SAP SuccessFactors and Joule.

******************************************************************

If you have made it so far & have the prerequisites to set it up, and are interested in setting up the Joule service, please reach us at sap_btp_onboarding@sap.com.

In case of Issues, Take a look at the [SAP BTP Onboarding Series] Joule with SFSF – Common Setup Issues

*******************************************************************

Disclaimer: Before we get started, as this is a new product with a lot of momentum and subsequent updates to be announced shortly, we recommend referencing the official Joule help guides in case of any changes from the below process.

******************************************************************
Perfect, now that we have the details on Joule let’s roll up our sleeves and learn how to get started with it.

Pre-requisites:

• SAP BTP Account with Joule(das-application) Check your entitlements in your SAP BTP Global Account. If you have an SAP SuccessFactors license and this entitlement is missing, please contact your SAP Account Executive
• SAP Build Work Zone, standard edition / SAP Start.

- SAP Start is now available for customers at no extra cost with services like SAP S/4 HANA Cloud, public edition, or SAP SuccessFactors. You can check the details here

- Joule uses the navigation service component of SAP Build Work Zone, standard edition to resolve intent-based navigation targets and configure additional content providers

• SAP SuccessFactors License + Understand the Data Center Mapping listed above
• SAP Cloud Identity Services – you may log in to Viewing Assigned Tenants and Administrators to verify your active tenants. If you are new to the topic, you can check the SAP Discovery Center Mission - Get Started with SAP BTP - Cloud Identity Service Provider (SAP IdP)
• Configure the assertion attribute user_uuid to the Global User ID field in the Identity Authentication application corresponding to your subaccount to allow user identification based on Global User ID (discussed in image 22a)

Roles required to configure:

• SAP BTP Global Account Admin & BTP Subaccount Admin (in case they are different users)
• SAP SuccessFactors Administrator
• SAP Cloud Identity Services Administrator

License: Joule is included as part of your SAP SuccessFactors license at no additional cost with a certain number of free messages for an annual period known as Base AI. Some of the AI Capabilities are part of the premium edition - Premium AI, where you may have to purchase AI Units to use the functionalities.

• SuccessFactors customers will receive a Joule message allocation based on the number of licensed, active users; Users licensed for multiple products only count once
• Messages will be metered on an annual basis; at the end of each term, the annual allocation of free messages will reset (i.e., no carryover)
• Customers must purchase additional SAP AI Units (Premium AI) if they exceed their free message allocation during the annual period
• In case the service is not visible in your BTP Cockpit, to gain access to Joule, all customers will need to license a no-cost SAP SKU. Doing so will trigger the provisioning of Joule and the creation of the terms and conditions that must be accepted by the customer to use Joule.

***Important***

You may refer to the document AI Service List - AI SERVICE ENTITLEMENTS - SuccessFactors to know your eligible messages. 

Please contact your Account Executive for more information on Joule contracts and allocation as they vary based on user licenses.

Account Model in SAP BTP and SAP SuccessFactors Tenant: While you are working with SAP BTP, we recommend creating multiple subaccounts to achieve your desired account model. With SuccessFactors delivering a 2-tier account model with a (Dev/Test & a Production tenant), you may want to create two different subaccounts in the SAP BTP to mirror that landscape.

Now, let us consider a staged approach to complete the setup activities for Joule with SuccessFactors.

1. SAP BTP Activities – Create a Subaccount and Run The Booster
2. Configure SAP Cloud Identity Services – In my case, I have already activated it, you may refer to SAP Discovery Center Mission Get Started with SAP BTP - Cloud Identity Service Provider (SAP IdP). I will be skipping this step as it is activated in my SAPP BTP account
3. Configure Cloud Identity Services in SuccessFactors
4. Adding Trusted Domains in SAP Cloud Identity Services
5. Post Booster Configurations, required to support Joule - Navigation Services

Image 0 (reference diagram for the setup activity)

Now let us get started with the First Step:

You may also refer to our Joule Setup videos here: https://video.sap.com/playlist/details/1_y49pkqti

1. BTP Activities – Create a Subaccount and Run The Booster

1.1 Create a Subaccount

Let us begin to log in to your SAP BTP Cockpit with Global Account Administrator authorizations, to create a new subaccount for Joule. In your BTP Cockpit -> click on Account Explorer -> click on the Create button -> click Subaccount -> enter the Subaccount name and select once you fill in all the required details, please click on Create.

Note: In my Demo, I am going with SuccessFactors DC33/55 Data Center (Frankfurt) and Europe (Frankfurt) Joule Data Center. Please refer to Data Center Mapping which is listed above.

Image 1

1.2 Configure Joule in SAP BTP Cockpit:

Another important step is to check the required Entitlements. Navigate to Entitlements -> click on Service Assignments ->, and search for Joule with limited Quota Assignment as shown in the image below.

Image 2

*** Important *** - Before you run the Joule Booster, please follow 2. Configure SAP Cloud Identity Services(CIS) - (you need to establish Trust for your subaccount and cloud identity services) as this has been added as a prerequisite to the new update to the Booster.

Once you add the Joule Entitlement, we are ready to create the subscription. We will use SAP Boosters to configure and consume the Joule Services. To do this, Click on Boosters -> search for Setting up Joule -> and Click on Start, you will see the Overview page – please read the details and then click on Start in the top right side of the screen.

Image 3

The Booster automatically checks if you have the required Entitlements, Authorizations, and Identity Authentication Tenant. Once the checks are completed, click on the Next button.

Image 4

In the Configure Subaccount tab, You have to select the subaccount that was created in the previous step, in my demo I created a Subaccount named Joule, so I selected “Joule” and click on Next.

Image 5

In the Select Integration tab, we have to select “SAP SuccessFactors” as this blog is focused on SAP SuccessFactors.  Let us select SAP SuccessFactors and click on Next.

Image 6

In the next screen, we have to provide the Integration Details, such as the SAP SuccessFactors Tenant Domain URL and the Company Code.

Example:

SAP SuccessFactors tenant login URL: https://hcm41preview.sapsf.com/login?company=testacc01

Tenant Domain: https://hcm41preview.sapsf.com

Company Code: testacc01

Image 7

Once you enter the details, click the Validate button, if no error messages, then you are good to go, click on the Next button.  In my case I am good, so I continue with the next setup.

In case of general errors- “The provided Company Code either does not exist or is invalid” Please raise an SAP Ticket with the component - CA-JOULE or CA-JOULE-PRV

In the last step, we validate the details that are entered and click on the Finish button.

Image 8

The booster will execute the process to enable Joule subscription services and you should be able to see the success message as shown below.

Image 9

This completes the Joule provisioning in your SAP BTP Subaccount.

2. Configure SAP Cloud Identity Services(CIS)

In my case, I have already provisioned it, you may refer to SAP Discovery Center Mission Get Started with SAP BTP - Cloud Identity Service Provider (SAP IdP), so I will be skipping the step of activating the Cloud Identity Services.

So why is SAP Cloud Identity Services(CIS)? SAP CIS acts as a central system to authenticate and authorize users for your SAP SuccessFactors and Joule and it is a mandatory component for post booster configurations. In this step, we will enable Custom Identity Service in your Subaccount.

Note: In case you have a Cloud Identity Service configured for your SAP SuccessFactors, you can use the same CIS tenant to establish trust with your subaccount.

Once you activate the Cloud Identity Services, the next step is to Establish Trust between your Cloud Identity Services and the Subaccount. Now let us navigate to the Joule Subaccont, click on Account Explorer -> click on the subaccount Joule -> click on the Security option -> click on Trust Configuration -> click on the Establish Trust button as shown below.

Image 10

Select the SAP Cloud Identity Services Tenant that you have activated, click on Next, and select the Domain Name either *.accounts.ondemand.com or *.accounts.cloud.com and click on Next.

Tip: For best SSO Experience ensure you select the save Domain Name throughout the configurations. Before you select this, verify your Cloud Identity Services Domain URL and select accordingly.

Image 11

Optional Step(Image 12):  To Create Platform Users you can either proceed with the next step or, (you can navigate to your Global Account. Click on Security -> Trust Configuration -> Establish Trust -> Select your Cloud Identity Services that you created -> Choose the domain as mentioned above  -> Click on Next and in the Configure Parameters you can modify the name and description and this will set up the trust for Platform Users, click on Next and then click on Finish. By doing this Platform Users option will be added to all Subaccounts by default.)

In my case, I have created it to manage Business Users and Application Users.

Image 12

If you are back to your subaccount to Establish Trust, you should be able to see the screen below to Configure Parameters for Application Users, you can click on Next as shown below.

Image 13

Upon completion, you should be able to see Platform Users(if added to Global Account) and Application Users listed on the trusted Trust Configuration page.

Now ensure, only your Custom Identity Service is available for User Logon and disable the Default Identity Provider. 

Image 13a

2.1 Configure Trusted Domains for SAP Authorization and Trust Management Service

Now within your subaccount, click on the Security option -> click on Settings ->  under Trusted Domains click on the Add button to add your SAP SuccessFactors Domain name.

Example: https://hcm41preview.sapsf.com

Image 14

This completes the setup of Joule in the SAP BTP Subaccount.

3. Configure Cloud Identity Services in SAP SuccessFactors (skip activation step if already active)

Now let us log into the SAP SuccessFactors system and look at the settings required.

In case you already have Cloud Identity Services enabled, you can skip this step, and follow the step after Image 19. To activate the services, click on your Profile icon and then click on Admin Center.

Image 15

From Admin Center, navigate to Upgrade Center and then select Platform.

Image 16

Look for the option – Initiate the SAP Cloud Identity Services Identity Authentication Service Integration, click on Learn More & Upgrade Now.

Image 17

Now click on Upgrade Now, and you will be prompted for a username and Password.

Image 18

Enter your S-User ID and Password. You may also refer to the help guides and videos on this page to initiate your Cloud Identity Service. While selecting your Cloud Identity Services, please ensure you select the same Identity Services used for your SAP Subaccount configurations in the previous steps.

Image 19

Once you initiate to change the Identity Authentication services, it may take up to 24hrs and you will receive an email once the upgrade is complete.  You may use the Monitoring Tool for Identity Authentication Service to keep track of the changes. Once the Service is activated please ensure you follow the help documentation to complete the setup process.

Now go back to the Admin Center, you may also want to

• Manage Role-Based Permission Access, and Grant roles required as per your organizational requirements.
• Manage Permission Groups, Create New Groups, and add Group Members as required
• Go to Manage Permission Role, and click on the Permission Role where you would like to grant Joule services.

Image 20

On the Permission Role Detail page, click on the Permission… button, click on General User Permission look for Access to Joule, select it, and click on Done.

Image 21

This completes the Role assignment to users in SAP SuccessFactors for access to Joule.

4. Adding Trusted Domains and Configure Assertion Attributes in SAP Cloud Identity Services (CIS)

Before testing Joule, we have to maintain your SAP SuccessFactors Domain name in the Cloud Identity Services as a Trusted Domain. Let us login to the Cloud Identity Services -> click on Applications & Resources -> then click on Tenant Settings -> click on Customization -> You will be able to see the option Trusted Domain, please click on it and click on the Add button to create a new line item to specify the Domain name of your SAP SuccessFactors System as shown below, enter the details and Save the Settings.

Example: hcm41preview.sapsf.com

Image 22

4.1 Configure Assestion Attribute

You will have to establish federated trust in your subaccount and configure the assertion attribute user_uuid to the Global User ID field in the Identity Authentication application corresponding to your subaccount to allow user identification based on Global User ID. In your Cloud Identity Services, click on Application & Resources -> click on Applications -> select Application where you have established trust -> click on Attributes on the right panel -> expand the section user_uuid and change the Identity Directory value to Global User ID.

Image 22(a)

This completes the activation of Joule Services in SAP SuccessFactors and the required configurations. You can now navigate to your SAP SuccessFactors System and click on the Joule Icon to open the services.

Say Hello to Joule, your friendly Copilot!!! 😊

Image 23

Well, we are not quite there yet to use the full capabilities of Joule. We are just a few more steps away so let us continue 😊.

5. Post Booster Configurations

Once your Joule service is working, Once your Joule service is working, you need to configure the navigation service which is a part of the Build work zone to resolve intent-based navigation targets that are defined in the backend. If you are quite curious about the navigation pattern and not sure how it looks or works, you can refer to Image 40 😊.

5.1 Create SAP Build Work Zone Application and Instance: You may follow the standard help guide to set this up. If you are setting up SAP Build Work Zone for Joule service, you may use the Foundational Plan as shown below or if you already have SAP Build Work Zone standard edition, you may skip the activation and configure the missing steps. I am showing the process of activating the SAP Start - foundation services, and assigning the entitlements to your subaccount as shown below.

Image 24

Before activating the services, ensure you have Created a Cloud Foundry instance and created a Space. Now you can go to Service Marketplace and create the SAP Build Work Zone foundation Services Plans and Application Plans as shown below.

Image 25

Once the services are activated, you can Create a Service Key for the services under Instance as shown below.

Image 26

Enter a Service Key Name and click on Create. Once the service key is created, click on it to view the data and save the data, we will be using it at a later stage.

Image 27

Now let us assign a user to the Work Zone service that is activated. Within your subaccount, click on the Security option -> click on Role Collection -> click on Launchpad_Admin -> click on Edit -> In the Users Section add yourself and Save the settings.

Image 28

5.2 Configure Navigation Service

We need the Navigation Services to navigate to the targets that are defined in the backend. The recommended approach is to use the Name according to the help guide.

5.2.1 Configure Destination to Use Navigation Service

Within the subaccount, click on Connectivity -> click on Destination, click on Create Destination, and enter the following details:

Add additional properties -

You should be able to see the details below:

Image 29

The details in Destination should be as below:

Image 30

Tip: The last line item Token Service URL should end with https://<uaa url>/oauth/token, do not forget this.

Save the changes.

5.2.2 Create a Design Time Destination

Create a design-time destination on SAP BTP to access the CDM content API from SAP SuccessFactors.

Note: Accessing SAP SuccessFactors APIs using Basic Authentication has been deprecated. You can create certificate-based destinations. For more information, see Deprecation of HTTP Basic Authentication for APIs.

For the demo, we are going with Basic Auth for now. Create your second destination, Click on Create Destination and enter the following details:

Add Additional Properties as follows:

Enter the details and Save the settings. The details should be as shown below:

Image 31

5.2.3 Update the Runtime Destination

LPS_SFSF_rt destination is automatically created when you run the Joule booster but you may need to update the destination in the following scenarios:

• If you are using the SAP Build WorkZone foundation plan (not the standard plan), enter/type the following information in the Additional Properties section:

• If your SAP SuccessFactors tenant has already migrated to use the SAP super domain (cloud.sap), update the URL field in the destination to use the new super domain, for example, https://sfsf.cloud.sap/

The configuration should look like this:

Image 32

5.2.4 Configure Identity Provisioning Service(IPS) Setup for Navigation Service

The Navigation Service component of SAP Build WorkZone, standard edition service uses Identity Provisioning Service to provision identities and their authorizations between source and target systems.

Note: This section describes the steps to configure the source system (SAP SuccessFactors) and target systems (Identity Authentication and SAP Build Work Zone, standard edition) in the Identity Provisioning of your IAS application user interface. For some customers, SAP SuccessFactors and the Identity Authentication systems are already configured as the source and target system by the Upgrade Center.

We need to configure the Identity provisioning service (IPS) service to:

• Provision user details to the SAP Build WorkZone target system with the user email, Global User ID, and group memberships
• Provision user roles as groups to SAP Build WorkZone target system with role ID as external ID and group memberships

Note: If you are using the SuccessFactors Onboarding 2.0 module, then we strongly recommend migrating to SCIM API to take advantage of the real-time user sync capabilities that are only available with SCIM API, not oDATA API. For more information, see Overview of SAP SuccessFactors Workforce System for Cross-Domain Identity Management API and refer to this blog.

To do this, let us log in to the Cloud Identity Services with Admin Authorizations, click on Identity Provisioning -> click on Source System -> Assuming that the SAP SuccessFactors is already configured with Cloud Identity Services, you can click on your existing SAP SuccessFactors Source System -> on the right side of the page, click on Transformation and switch to JSON View -> modify the Group Entity in transformations has following configuration, refer to the image below:

++++++++++++++++++++++++++++++++++++++++++++++++++++++

In case of quick setup, we have shared the Source and Target files in my next blog - [SAP BTP Onboarding Series] Joule with SFSF – Common Setup Issues you can use them and follow point number 10. Quick Setup Use the “Source System and Target System” .json files

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Image 33

Next in the Under Properties Tab, ensure field sf.user.filter is configured to fetch all required and valid users.

Image 34

In case you don’t want the groups to be provisioned in IAS, you can follow the steps below, else you can skip this and go to Create Target System.

• Navigate to Identity Provisioning Source System
• Select the target system configured for Identity Authentication\Select transformations and switch to JSON view
• Ensure the Group entity in transformations has the following configuration:

Now let us create a new Target System with the following values and Save the settings:

The settings should look as below:

Image 35

In the new Target System that you created, in my case it is SFSF – WorkZone click on the Transformation -> click on JSON view and edit the Group Entity with the value below:

The details should be as shown below:

Image 36

Now click on the Properties tab and check the following details, in case they are missing add them to the list. The values can be found in the Service Key that was generated earlier:

The details should be seen as shown below:

Image 37

Now let us go back to the Source System. Click on Identity Provisioning -> click on Source System -> click on the Source System service that you have set up -> click on Jobs tab -> Run Read Job or ReSync Job as per your requirements to provision SAP SuccessFactors users and roles to WorkZone (Navigation Service).

Image 38

The job should run successfully if the configuration is set up correctly. To view the job results, you can click on Identity Provisioning -> click on Provisioning Logs.

5.3 Add a Content Provider to Consume CDM Content

Add a new content provider to your SAP Start site to consume the CDM content from SAP SuccessFactors. Go to your SAP BTP Joule Subaccount -> click on Services -> click on Instances & Subscriptions -> click on the application SAP Build Work Zone, standard edition ->  the application opens on a new page, click on the Channel Manager icon -> click on +New button and enter the details for the New Content Provider with following information:

The details should be as shown below:

Image 39

Well, it's now time to announce that you have set up your SAP SuccessFactors with Joule services with Navigation Patterns 😊.

Image 40

Congratulations!!! If you can see the Navigation arrows we have the settings successful.

==========================================================================

This blog is written with the support of our SAP Product Team and SAP BTP Onboarding Team.

Credits and shout out to harinder.singh.batra and chavi.singhal without which this blog could have not been possible. Appreciate all your support.

===========================================================================

Please visit the SAP Business Technology Platform Customer Onboarding Resource Center page for more information.

If you are just getting started, we have Onboarding Blogs:

• Introducing the SAP BTP Onboarding Blog Series
• SAP BTP Cockpit Technical Overview
• SAP BTP Subaccount Technical Overview
• SAP BTP Directories – Entitlement and User Management
• SAP BTP – Usage Data Management Service / Resource Consumption APIs
• SAP SuccessFactors Extensibility + Systems Services on BTP
• A Business User's Guide to Becoming a Citizen Developer with SAP AppGyver
• Step-by-Step guide to activate your SAP Build Work Zone, Advanced Edition

Regards,

Nagesh Caparthy
Follow me on LinkedIn for the latest Updates on SAP BTP.
https://www.linkedin.com/in/nagesh-caparthy-027b7016/