How to integrate SAP Jam with IAS as IdP?
Image/data in this KBA is from SAP internal systems, sample data, or systems. Any resemblance to real data is purely coincidental.
- SAP Jam Collaboration
- SAP Cloud Platform Identity Authentication Service (SAP IAS)
- Pre-requisites - IAS admin access.
- Some of the screens and tasks mentioned here are available only to the SAP Jam support team, because only the SAP Jam support team has access to the SAP Jam backend;
- If you need those steps or that information, open an incident on component LOD-SF-JAM-IAS.
Step 1. Start with the SAP IAS (formerly known as SCI) instance configuration;
- Login with an Admin user to the IAS tenant admin page;
- Click on the 'Applications' tile;
- Click on the "+Add" button to add a new application.
- Enter the application name and hit save.
- Go to Applications & Resources -> Tenant Settings tile.
- Then click on 'SAML 2.0 Configuration'. Then click on 'Download Metadata File' at the bottom left of the screen.
- Save the file 'metadata.xml'. It is the SAML metadata file for IAS acting as a SAML Identity Provider, and you will use it later in the SAP Jam configuration.
Step 2. Create/ Maintain details for SAP Jam company (Please note: This section only applies to SAP Jam support team, as only support team has access to it)
- Login as Super Admin into your personal SAP JAM profile via link https://portal.wdf.sap.corp/home
- Click on Menu -> SAP JAM -> Calendar -> Scroll down the page and choose the customer's Jam DC from the listed DCs.
( ex. For DC10 customer choose jam10 )
3. Click Jam / SAP Jam from the bottom of page to get redirected to Site Admin -> Enter JAM Company Id. -> Search
Note: If the customer's Jam Company ID is not available, look it up in Cloud Reporting.
4. You will be presented with a form with many fields that need to be filled out correctly. Below is what is needed for each one:
- For 'Identity Management' select 'Third Party (e.g. SAP Cloud Identity)'.
- For 'Domain', use the IAS tenant domain. In production systems this will be in the format <ias_tenant_id>.accounts.ondemand.com.
- For 'Company Type' use 'Customer Production' for production companies, 'Customer Test' for preview companies, and 'Internal' for companies created for testing purposes in a production landscape by SAP.
- For 'Product Version' select one of 'Advanced Edition', 'Advanced Plus Edition' or 'Enterprise Edition' depending on what the customer has purchased.
- 'Group Creation Limit', 'Total Storage Limit', 'Extranet User Limit', 'Custom Group Template Limit', 'Allow Third Party OData Source External Applications' should be configured as appropriate depending on what the customer has bought.
- In the 'SCIM Provisioning' section, configure the 'User Limit' for the number of seats the company has purchased. This is important: for BizX integrated companies this configuration is stored in BizX, but for SCIM companies it is stored in Jam;
- In the 'SCIM Provisioning' section, the default 'Administrators managed locally in Jam' is the correct selection;
- In the 'SAML Trusted Identity Provider' section, in the 'Metadata file' field, select 'Browse' and upload the metadata.xml file you saved from IAS in step 1.7 above. This will auto-complete a number of fields in this section;
- You will only need to check the checkbox for "Specifies whether SAML Assertions will be accepted from this IDP." on this section;
Note: The "IDP ID" listed here has to match exactly what is configured in IAS -> Applications & Resources -> Tenant Settings -> SAML 2.0 Configuration -> Name.
You can either correct it in SAP Jam Admin to match what is selected in IAS, or change it in IAS (via the drop-down menu) to match what is in SAP Jam Admin.
- In the 'SAML Local Service Provider' section, click 'Generate key pair'. The SAML local service provider will be used to generate logout requests from SAP Jam to IAS.
- Click 'Create' at the bottom of the form to save.
- You will now be presented with a page summarizing info on the newly created SAP Jam instance;
- On this page, scroll down to 'SCIM API Client Name' section and copy the 3 lines below:
- SCIM API Client Name:
- SCIM API Client Key:
- SCIM API Client Secret:
- The client key and client secret will be needed for the IAS configuration later. They are used to provision users from IAS to Jam via APIs;
- In the 'Service Provider Settings' section, click on the button 'Download SP Metadata'. An 'xml' file named sp_metadata_<CompanyUniqueID>.xml should be generated; if it is generated as a text file, rename it with a .xml extension.
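The two metadata files exchanged in steps 1 and 2 can be checked offline. This added example (not SAP's code) parses both with the Python standard library and flags an 'IDP ID' that does not exactly match the IdP entityID, missing signing keys, and non-HTTPS logout endpoints. The sample XML, the `example-tenant` domain and the `jam-sp-placeholder` entity ID are constructed; it assumes the IAS 'Name' is the entityID in metadata.xml and that the generated key pair appears in the SP metadata.

```python
import xml.etree.ElementTree as ET

MD, DS = "urn:oasis:names:tc:SAML:2.0:metadata", "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

def summarize(xml_text, role):
    """Pull entityID, signing certs and logout endpoints for one role descriptor."""
    if "<!DOCTYPE" in xml_text:  # SAML metadata never needs a DTD; refuse it
        raise ValueError("DOCTYPE not allowed in metadata")
    root = ET.fromstring(xml_text)
    desc = root.find(f"md:{role}", NS)
    if root.tag != f"{{{MD}}}EntityDescriptor" or desc is None:
        raise ValueError(f"not SAML 2.0 metadata with a {role}")
    certs = [c.text for kd in desc.findall("md:KeyDescriptor", NS)
             if kd.get("use") != "encryption"  # keep signing and unspecified-use keys
             for c in kd.iterfind(".//ds:X509Certificate", NS)]
    slo = [e.get("Location", "") for e in desc.findall("md:SingleLogoutService", NS)]
    return {"entity_id": root.get("entityID"), "certs": certs, "slo": slo}

def preflight(idp_xml, sp_xml, jam_idp_id):
    """Return a list of problems; an empty list means the files agree with the steps."""
    idp = summarize(idp_xml, "IDPSSODescriptor")
    sp = summarize(sp_xml, "SPSSODescriptor")
    issues = []
    if idp["entity_id"] != jam_idp_id:  # exact string match, scheme prefix included
        issues.append(f"IDP ID {jam_idp_id!r} != metadata entityID {idp['entity_id']!r}")
    if not idp["certs"]:
        issues.append("IdP metadata carries no signing certificate")
    if not sp["certs"]:  # assumption: 'Generate key pair' puts the key in SP metadata
        issues.append("SP metadata carries no key (was 'Generate key pair' clicked?)")
    issues += [f"logout endpoint is not HTTPS: {u}"
               for u in idp["slo"] + sp["slo"] if not u.startswith("https://")]
    return issues

def sample(role, entity_id, cert=True, slo="https://host.example/slo"):
    """Constructed metadata for the demo; not output from a real tenant."""
    key = ("<md:KeyDescriptor use='signing'><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
           "CONSTRUCTED</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")
    return (f"<md:EntityDescriptor xmlns:md='{MD}' xmlns:ds='{DS}' entityID='{entity_id}'>"
            f"<md:{role} protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'>"
            f"{key if cert else ''}<md:SingleLogoutService Location='{slo}' "
            f"Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'/>"
            f"</md:{role}></md:EntityDescriptor>")

if __name__ == "__main__":
    idp = sample("IDPSSODescriptor", "https://example-tenant.accounts.ondemand.com")
    sp = sample("SPSSODescriptor", "jam-sp-placeholder", cert=False)
    for problem in preflight(idp, sp, "example-tenant.accounts.ondemand.com"):
        print("FIX:", problem)
```

With real files, read metadata.xml and the SP metadata file into strings and pass the 'IDP ID' value shown in SAP Jam Admin as the third argument.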
Step 3. Configure the IAS instance with SAP Jam company information;
- Go back to IAS Admin page;
- In the 'Applications', go to SAP Jam application -> 'SAML 2.0/SAML 2.0 Configuration';
- In the 'Define from Metadata' section, browse to the sp_metadata_<companyUnique_ID>.xml file downloaded in step 2.12;
- Save at the bottom of the page;
- Go to 'Applications', select your SAP Jam application (that you created in step 1);
- Select 'Authentication and Access'. Make sure the 'User Application Access' is set to 'internal'.
- In the 'Applications' tile, click on the SAP Jam application and there is a 'Home URL' link;
- Click to Edit. The Home URL will be of the form https://jamX.sapjam.com/c/XXXXXX.accountsXXX.ondemand.com/auth/status
- If the url is incorrect, you will receive the below error message when clicking on 'Visit' for testing
('Home URL' - 'Visit' you will be brought to a page stating "You're a step away from accessing the page you're looking for.....")
- Go to User & Authorizations -> User Provisioning;
- Click 'Add' to add the appropriate Jam target system (Eg: JamPMStage);
- Choose an appropriate Display Name such as SAP Jam and enter the data below:
- On field SCIM URL enter 'https://jamX.sapjam.com/api/v1/scim/Users', replacing X with your datacenter number (it appears in your standard Jam URL as well);
- On field OAuth URL enter 'https://jamX.sapjam.com/api/v1/auth/token'.
- On field Client ID enter the value of the 'SCIM API Client Key' from step 2.10. (You can request this and the value below from SAP Jam support through an incident on component LOD-SF-JAM-IAS)
- On field Client Secret enter the value of the 'SCIM API Client Secret' from step 2.10.
- Click 'Save'.
Step 4. Initial User Provisioning
Once user provisioning (from step 3) is set up, the IAS tenant will start provisioning all newly created users to SAP Jam.
Now the provisioning team can create the client user in the IAS tenant:
- Go to 'Administrators' tile.
- Click '+Add' and select 'User'
- Fill in the required fields and click 'Save'
This user will be provisioned to SAP Jam automatically. If any additional information should be added to the user it can be edited via the 'User Management' tile.
For IAS, you can provision the users by the steps below:
- On IAS go to User & Authorization;
- Click on User Provisioning and select the SAP Jam tenant to which you want to provision the users;
- On the lower right side of the page click on Provision > Click Ok
When the customer user activates his/her Cloud Identity user by clicking on the link in the activation email, he/she needs to click on the 'Home Url' link under the SAP Jam application. This way IAS will SSO you into the SAP Jam tenant. As the first user in the SAP Jam side company, he/she will become a company admin. This process is also described for the customer in the welcome email that he/she will receive for SAP Jam.