SAP Knowledge Base Article - Public

2519531 - SAP Jam - How to integrate SAP Jam with SCI / IAS IdM

Symptom

  • How to integrate SAP Jam with IAS IDM?

Environment

SAP Jam

IAS

Resolution

SAP Note:

  • Few screens mentioned below are only available to SAP Jam support team. It has been mentioned in the KBA for your understanding.
  • Pre-requisites - SCI/ IAS admin access. Only SAP Jam support team will have access to SAP Jam backend.

===================================================================================

1. Start with a SCI/IAS company and a company admin user that can login to the SCI/IAS tenant admin page

Click on the 'Applications' tile.

a1.png

Click on the "+Add" button to add a new application.

a2.png

Enter the application name and hit save. In above example, name is 'JamPMStage'.

Press the 'Home' icon in the top left corner. Then click on the 'Tenant Settings' tile.

a3.png

Then click on 'SAML 2.0 Configuration'. Then click on 'Download Metadata File' at the bottom left of the screen. This will download a file 'metadata.xml' which is the SAML metadata file for SCI acting as a SAML Identity Provider. You will need this file later for configuration in Jam.

a5.png


2. Create the SAP Jam company
  (Not available to Customers. Only SAP Jam support has access to this)

  • Login as super admin user for SAP Jam.
    Go to the page https://jamX.sapjam.com/company/today - replace X with the DC number
  • Click 'New Company'
    You will be presented with a form with lots of fields that need to be filled out correctly.
    • For 'Identity Management' select 'Third Party (e.g. SAP Cloud Identity)'.
    • For 'Domain', use the SCI/IAS tenant domain. In production systems this will be in format  <ias_tenant_id>.accounts.ondemand.com.
    • For 'Company Type' use 'Customer Production' for production companies, 'Customer Test' for preview companies, and 'Internal' for companies created for testing purposes in a production landscape by SAP.
    • For 'Product Version' select one of 'Advanced Edition', 'Advanced Plus Edition' or 'Enterprise Edition' depending on what the customer has purchased.
    • 'Group Creation Limit', 'Total Storage Limit', 'Extranet User Limit', 'Custom Group Template Limit', 'Allow Third Party OData Source External Applications' should be configured as appropriate depending on what the customer has bought.
    • In the 'SCIM Provisioning' section, configure the 'User Limit' for the number of seats the company has purchased. This is important- for BizX integrated companies this configuration is stored in BizX, but for SCIM companies it is stored in Jam.

  • In the 'SCIM Provisioning' section, the default 'Administrators managed locally in Jam' is the correct selection for now.
    a5.png

  •  In the 'SAML Trusted Identity Provider' section, in the 'Metadata file' field, browse to the metadata.xml file you saved from SCI/IAS in part 1 above. This will fill out a number of fields in this section. Essentially, this part says that this Jam company will trust the corresponding SCI/IAS tenant to act as a SAML IDP.
  • You can keep all the default except the checkbox for "Specifies whether SAML Assertions will be accepted from this IDP." should be enabled.
    a6.png

  •   In the 'SAML Local Service Provider' section, click 'Generate key pair'. The SAML local service provider will be used to generate logout requests from SAP Jam to SCI/IAS.

    Click 'Create' at the bottom of the form.
    a7.png

  • You will now be presented with a page summarizing info on the newly created SAP Jam company. You should take note of it for later use.

    On this page, scroll down to SCIM API Client Name' and copy the 3 lines. You will need to click on the phrase that says 'Click to show the secret' to obtain the client secret. In my example, these are:
    SCIM API Client Name: SCIM API Client
    SCIM API Client Key: 9Zvxsvv5SjIAlJexeGWz
    SCIM API Client Secret: <40 character long token omitted>
    The client key and client secret will need to be configured in SCI later- these are what SCI used to call Jam's SCIM service provider API to provision users.
    a8.png
  • At the bottom of the page there is a 'Service Provider Settings' section. Click on the button 'Download SP Metadata' in this section. This will generate a text file named sp_metadata_<ComapnyUniqueID>. Rename the file with a .xml extension.
    a9.png


3. Configure the SCI company with more Jam company information obtained during Jam provisioning

  • Go back to IAS/SCI, and in the 'Applications' tile, click on the SAP Jam application >> 'SAML 2.0/SAML 2.0 Configuration'.
    In the 'Define from Metadata' section, browse to the sp_metadata_<companyUnique_ID>.xml file above, the hit 'save' at the bottom of the page.

    a10.png

  • In the SAP Jam application under 'Applications', select 'Authentication and Access'. Make sure the 'User Application Access' is set to 'internal'.
    a11.png
  • SCI, in the 'Applications' tile, click on the Jam application, there will be a 'Home URL' link. Click to Edit. The home url will be of the form:
    https://jamX.sapjam.com/c/XXXXXX.accountsXXX.ondemand.com/auth/status
    a12.png

  • Go back to the IAS/SCI home, and click the 'User Provisioning' tile.
    a13.png

  •  Click 'Add' to add the appropriate Jam target system (Eg: JamPMStage).

    • Choose an appropriate display name such as SAP Jam 
    • In the 'Target Configurations' section, the SCIM URL for the sample SAP Jam compay is 'https://jamX.sapjam.com/api/v1/scim/Users'.
    • The OAuth URL for our sample company is 'https://jamX.sapjam.com/api/v1/auth/token'. 
    • For the 'Authentication Configurations' section, for the 'Client ID' use the value of the 'SCIM API Client Key' above e.g. 9Zvxsvv5SjIAlJexeGWz for the sample. 
    • For the 'Client Secret' use the value of the 'SCIM API Client Secret' from above. 

    Click 'Save'.
    a14.png

4. Initial User Provisioning



Once user provisioning (from step 3) is setup the SCI tenant will start provisioning all newly created users to Jam.

Now the provisioning team can create the client user in the SCI tenant:

1.     Go to 'Administrators' tile.

2.     Click '+Add' and select 'User'

3.     Fill in the required fields and click 'Save'

This user will be provisioned to SAP Jam automatically. If any additional information should be added to the user it can be edited via the 'User Management' tile.

When the customer user activates his Cloud Identity user by clicking on the link in the activation email, he needs to click on the 'Home Url' link under the SAP Jam application. This way SCI will SSO you into the SAP Jam tenant. As the first user in the SAP Jam side company, he will become a company admin. This process is also described for the customer in the welcome email that he will receive for SAP Jam.

Keywords

SAP Jam IAS SCi Jam - IAS integration , KBA , LOD-SF-JAM-IAS , JAM - IAS Integration , How To

Product

SAP Jam Collaboration all versions