This Blog continues my previous setup blog post - [SAP BTP Onboarding Series] Joule – Getting Started with Joule and SAP SuccessFactors.

Let's look at the common issues that we may have while setting up Joule with SuccessFactors:

1. Joule does not work in the SFSF account
2. Joule gives me the option to select Default Login and IAS Login 
3. Joule gives me a Blank screen. In case you have an Azure AD/OKTA and Cloud Identity is a Proxy System
4. LPS_SFSF_dt destination check connections fail with 401: Unauthorized
5. I see the Joule chat history in another/colleague's system
6. The Joule Navigation button is missing after a successful Jobrun or Jobsync
7. CDM does now allow users to launch the site manager – channel manager and gives an error
8. IPS – creating target system we do not see an option for Workzone Std, edition
9. How to find out if you have SCIM / oData URL in your IPS Source file and how to change it
10. Quick Setup Use the “Source System and Target System” .json files
11. Joule authentication is not working when the browser '3rd-party cookie blocking policy' is enabled
12. How do I verify if all groups are created for Joule
13. I am using my new Common Super Domain (CSD) with my SFSF and Joule URL validation fails during Booster
14. I am unable to use Joule in Incognito mode - Chrome Browser.
15. Booster execution fails with an error

==================================================================================

So let us take a look at the issue and how to fix them:

1. Joule does not work in the SFSF account

Reason: This issue is related to Trusted Domains in your setup.

Fix: Please go back to the setup blog and refer to the section 

2.1 Configure Trusted Domains for SAP Authorization and Trust Management Service

4. Adding Trusted Domains and Configure Assertion Attributes in SAP Cloud Identity Services (CIS)

2. Joule gives me the option to select Default Login and IAS Login 

Reason: you have both Default Logon and IAS available for User Login in your BTP Subaccount

Fix: Log in to your SAP BTP Cockpit -> Navigate to your Joule Subaccount -> Expand Security option -> Click on Trust Configuration -> Click on Edit option for the Default Identity Provider (sap.default) -> Remove the tick mark for Available for User Logon and save the settings.

Once the settings are saved, you may clear the cookies and try to log in.

3. Joule gives me a Blank screen. In case you have an Azure AD/OKTA and Cloud Identity is a Proxy System, please follow this. 

Issue: In most cases, your SSO should be taken care and Joule should be able to log you in with SFSF.  In case you have a login screen with Joule as shown below and if you are using Cloud Identity as a proxy, you may want to configure additional settings.

Or A Blank Screen as below:

Fix:

• Go to your SAP Cloud Identity Services -> click on Identity Providers -> click Corporate Identity Providers -> select your provider Azure AD/OKTA that is configured -> Ensure your SSO Forward All SSO Requests to Corporate IDP turned Off.
• Now click on Application & Resources -> click on Applications -> click on your BTP Joule Application -> click on Conditional Authentication option -> and change the Default Authentication Identity Provider to your Azure AD/OKTA and save the settings.

4. LPS_SFSF_dt destination check connections fail with 401: Unauthorized

Issue: This could happen if you have the URL incorrect or your User and Password are incorrect.

Fix:

• Please ensure your SFSF URL is correct and you can refer to the SAP Note: 2215682 - SuccessFactors API URLs and external Ips
• The next option is to Reset your password
• If the issue continues, please check the URL in the Postman client for possible reasons could be the wrong URL picked up

Best Practise: Create a Technical User that is not used by any user and set the password to never expire in your SuccessFactors system.

5. I see the Joule chat history in another/colleague's system

Issue: Users can see the Joule conversations in multiple logins with different systems although the login details are different.

Reason: In most of the SFSF Dev / Preview systems, customers have a dummy email created which is common for all users with actual employee details. This can be due to multiple reasons as they take a copy of production to the Dev / Preview system. A dummy email address is created to avoid sending emails to actual users from the Dev / Preview system.

Eg: sap@dummy.com, dummy@dummy.com

Fix: In case you have the dummy emails configured for all the users, in your Dev/ Preview system, you may try the following options:

• Change the Developers / Users email address in the Dev / Preview system to the actual user ID to fix the issues. Remember if you do an IPS sync from your production system, the emails will return to dummy emails as per your settings
• Change the Subject Name Identifier -> Basic Configurations in your Cloud Identity Services from Email Address to Login Name (This change is to do with your Application of Joule).  Remember once this change is done, users have to use the Login Name.

Once the above changes are done, you may also need to add the Launchpad_Admin User with the Login Name to your SAP BTP Subaccount. In case you already have the user created with an email address, delete it, create a new one with a Login Name, and assign the roles.   

6. The Joule Navigation button is missing after a successful Jobrun or Jobsync

Ans: While most of the Setup is complete and jobs have been executed as required if the navigation button is missing (refer to the image for the navigation icon), you will have to check the NavigationService settings at your subaccount destinations.

Navigate to your subaccount -> Click on Connectivity -> Click on Destinations -> Select NavigationService -> Click on Export.

Open the file that you have exported in a notepad and ensure the value of tokenServiceULRType is Dedicated. In case you see the value as Common, go back to your BTP Cockpit, edit the Navigation service select Dedicated, and save the settings. Export the settings and validate the saved changes.

In case the issue continues, a manual refresh of the Content Channel in the Workzone instance is required to make sure Service provider details are updated correctly.

Go to the Work Zone service instance in the BTP subaccount, select Content Channel, choose the service provider connected to SF, click Report, and verify whether Role is assigned correctly. In the below screenshot, the Role is empty.

Go back to your Channel Manager screen and click on the Refresh button to update the Role to the provider that you have created.

Wait for the refresh to complete, once it’s done, click Report to view the details.

If you see the 19/19 in the Role section, we are good. Please log off your SAP SuccessFactors wait for 30 mins for the background jobs to execute and then try again.

7. CDM does now allow users to launch the site manager – channel manager and gives an error.

Issue: while launching the admin user from SFSF to the workzone, if the users are not synchronized it may give an error as below.

Reason: user sync is not complete yet.

Fix:

• Ensure the correct role is assigned to your user with a custom identity service
• Access the Launchpad_Admin role & navigate to Users  to add the user for example:

• Run the job in the admin center - > Job Scheduler tab- > job Type ( Refresh Synthetic Group Data) and click on Run it Now.

8. IPS – creating target system we do not see an option for Workzone Std, edition

Issue: The customer has IAS and IPS tenants with separate tenants and not in a common tenant and while creating the target system, the workzone does not show up.

Reason: The IPS landscape is on SAP NEO and the service needs to be upgraded to multi-cloud.

Fix: 

They can upgrade it using the help guide or refer to the blog -

• https://help.sap.com/docs/identity-provisioning/identity-provisioning-internal/migrate-identity-prov...
• https://community.sap.com/t5/technology-blogs-by-sap/go-for-your-quick-win-migrate-identity-provisio...

Important - The ideal upgrade takes anywhere from 1 hour to 1 day depending on the complexity of the IPS setup from the customer. Please ensure to check the status of the Source/Target/Jobs that were scheduled.

9. How to find out if you have SCIM / oData URL in your IPS Source file and how to change it

Issue: Workzone Groups are supported with SCIM2.0 and the oData API version is not recommended.

How to check: you can log in to your SAP Cloud Identity Services, navigate to your Source System of your SFSF -> Properties, and look for the URL as shown below.

Fix: Make a copy of your Source System and change the values according to the Joule Setup or use the Source & Target Files attached to this blog (bottom). The how to add the Source and Target details are shared in the next step.  

Note: If you are downloading the Source & Target Files attached to this blog, please change the file extension from .txt to .json before importing to your Cloud Identity Services. Check step 10 for setup.

10. Quick Setup Use the “Source System and Target System” .json files

In my previous blog on Joule setup, we had discussed setup using the existing SFSF Source, here we are creating a new Source System in both cases either your URL is using oData and/or a new Joule setup. The new Source System will help us to keep the Joule setup separate and not make changes to your existing setup of your SFSF.

Adding Source System:

• Navigate to your SAP Cloud Identity Services – Navigate to Source System -> click on Add -> Import the file “SuccessFactors - SF-Company-ID - Joule.json” and edit the System Name to your SFSF Company ID as shown below and feel free to add a Description and save the settings.

• The required “Transformation” changes are taken care of in the JSON file which is attached to the blog, so we can directly Navigate to your Properties Tab and change the values as per the Joule Setup as shown below

After the changes, my source looks like this:

• Since we have added this as a new Source, we should also be exporting the Certificates and important to your SuccessFactors system. Click on Outbound Certificate, and click on Download the certificate to make a copy of the new source system that you have created.

• Go to your SuccessFactors system, go to Security Center – click on X.509 Public Certificate Mapping, and click on Add, Change the Configuration Name as per your requirement, Change the Integration Name to Identity Provisioning Service, and select the new certificate that you downloaded and Save the settings.  

Note: Do not enter any details in “Login Name”, it should be blank.

Adding Target System:

Now let us add the Target System using the JSON file, Navigate to your Target System, click on Add, and select the file “WorkZone_Target_ForJoule.json”, once the file is added, you need to change the System Name and add a Description to recognize your setup. Ensure to Select the Source System that was saved in the previous step before you navigate to the Properties Tab.

You may not be able to save until you enter the details required in the Properties tab. Navigate to the Properties tab, and enter the details from your ServiceKey file downloaded from your Subaccount - SAP Workzone ServiceKey. Once you enter the details, you should be able to proceed with your Job Sync.   

11. Joule authentication not working when the browser '3rd-party cookie blocking policy' is enabled

Issue: Joule may not be able to work while 3rd party cookie is blocked. This may happen mostly in incognito or in private mode.

Fix: Please look at the SAP Note: 3428564 - Joule authentication not working when browser '3rd-party cookie blocking policy' is enable...

12. How do I verify if all groups are created for Joule

Issue: in case of setup issues, Jobs may not run properly and we need to validate the Groups created/assigned to a user.

Fix: Based on your Job Logs from your Cloud Identity Services, you may log in to your SAP Workzone, Navigate to your SAP Joule Subaccount, click on Instances and Subscriptions -> click on the SAP Workzone, Standard Edition (ensure you have the Role “Launchpad_Admin” is assigned to you), click on the Settings Tab and enter the User Email or the Global User ID to check the assigned Roles.

In case you need further analysis, refer to the blog by Harjeet Judge on - Leverage SCIM APIs of SAP Build Work Zone to view users and groups provisioned into Work Zone

13. I am using my new Common Super Domain (CSD) with my SFSF and Joule URL validation fails during Booster.

Issue: If you are using the CSD then your SFSF URL would have migrated to a new one and Joule fails to validate the New URL

Fix: You can look at the CSD Migration Customer/Partner Guide to match your SFSF Admin URL to successfully run the booster. Refer to Chapter 5 for the URL details.

14. I am unable to use Joule in Incognito mode - Chrome Browser

 Reason: Third-party cookies could have been blocked on your Browser

 Solution: turn off the Third-party cookies and try to log in.

15. Booster execution fails with an error

Reason: One of the reasons could be that you have not established trust in your sub-account with the Cloud Identity Services. 

Fix: Before you run the Joule Booster, please follow 2. Configure SAP Cloud Identity Services(CIS) in our setup blog - (you need to establish Trust for your subaccount and cloud identity services) as this has been added as a prerequisite to the new update to the Booster.

Credits to all the team members @harjeetjudge @DanH @dkumari @harinder_singh_batra @chavi_singhal @Shreelakshmi 

Cheers, 

Happy Learning

Nagesh 

Check our SAP BTP Onboarding Resouce Center for more such BTP-related topics.