- How to integrate SAP Jam with IAS IDM?
Image/data in this KBA is from SAP internal systems, sample data, or systems. Any resemblance to real data is purely coincidental.
- Few screens mentioned below are only available to SAP Jam support team. It has been mentioned in the KBA for your understanding.
- Pre-requisites - SCI/ IAS admin access. Only SAP Jam support team will have access to SAP Jam backend.
1. Start with a SCI/IAS company and a company admin user that can login to the SCI/IAS tenant admin page
Click on the 'Applications' tile.
Click on the "+Add" button to add a new application.
Enter the application name and hit save. In above example, name is 'JamPMStage'.
Press the 'Home' icon in the top left corner. Then click on the 'Tenant Settings' tile.
Then click on 'SAML 2.0 Configuration'. Then click on 'Download Metadata File' at the bottom left of the screen.
This will download a file 'metadata.xml' which is the SAML metadata file for SCI acting as a SAML Identity Provider. You will need this file later for configuration in SAP Jam.
2. Create the SAP Jam company (Please note: This section is not available to Customers. Only SAP Jam support has access to this)
- Login as super admin user for SAP Jam.
Go to the page https://jamX.sapjam.com/company/today - replace X with the DC number
- Click 'New Company'
You will be presented with a form with lots of fields that need to be filled out correctly.
- For 'Identity Management' select 'Third Party (e.g. SAP Cloud Identity)'.
- For 'Domain', use the SCI/IAS tenant domain. In production systems this will be in format <ias_tenant_id>.accounts.ondemand.com.
- For 'Company Type' use 'Customer Production' for production companies, 'Customer Test' for preview companies, and 'Internal' for companies created for testing purposes in a production landscape by SAP.
- For 'Product Version' select one of 'Advanced Edition', 'Advanced Plus Edition' or 'Enterprise Edition' depending on what the customer has purchased.
- 'Group Creation Limit', 'Total Storage Limit', 'Extranet User Limit', 'Custom Group Template Limit', 'Allow Third Party OData Source External Applications' should be configured as appropriate depending on what the customer has bought.
- In the 'SCIM Provisioning' section, configure the 'User Limit' for the number of seats the company has purchased. This is important- for BizX integrated companies this configuration is stored in BizX, but for SCIM companies it is stored in Jam.
- In the 'SCIM Provisioning' section, the default 'Administrators managed locally in Jam' is the correct selection for now.
- In the 'SAML Trusted Identity Provider' section, in the 'Metadata file' field, select 'Browse' and add the metadata.xml file you saved from SCI/IAS in part 1 above. This will auto-complete a number of fields in this section. Essentially, this part says that this SAP Jam company will trust the corresponding SCI/IAS tenant to act as a SAML IDP.
- You do not need to edit any settings that are auto-populated, except the checkbox for "Specifies whether SAML Assertions will be accepted from this IDP." This sould be enabled.
In the 'SAML Local Service Provider' section, click 'Generate key pair'. The SAML local service provider will be used to generate logout requests from SAP Jam to SCI/IAS.
Click 'Create' at the bottom of the form to save.
You will now be presented with a page summarizing info on the newly created SAP Jam company- 'View Details' page.
- On this page, scroll down to 'SCIM API Client Name' and copy the 3 lines. You will need to click on the phrase that says 'Click to show the secret' to obtain the client secret. In my example, these are:
SCIM API Client Name: SCIM API Client
SCIM API Client Key: 9Zvxsvv5SjIAlJexeGWz
SCIM API Client Secret: <40 character long token omitted>
The client key and client secret will need to be configured in SCI later- these are what SCI used to call Jam's SCIM service provider API to provision users.
- At the bottom of the page there is a 'Service Provider Settings' section. Click on the button 'Download SP Metadata' in this section. This should generate an 'xml' file sp_metadata_<ComapnyUniqueID>.xml; if it generates as a text file rename the file with a .xml extension.
3. Configure the SCI company with more SAPJam company information obtained during Jam provisioning
- Go back to IAS/SCI, and in the 'Applications' tile, click on the SAP Jam application >> 'SAML 2.0/SAML 2.0 Configuration'.
In the 'Define from Metadata' section, browse to the sp_metadata_<companyUnique_ID>.xml file above, the hit 'save' at the bottom of the page.
- Go to 'Applications', select your SAP Jam application (that you created in step 1), select 'Authentication and Access'. Make sure the 'User Application Access' is set to 'internal'.
- SCI, in the 'Applications' tile, click on the SAP Jam application and there is a 'Home URL' link. Click to Edit. The home url will be of the form:
- If the url here is incorrect when clicking on 'Visit' when testing to ensure that all integreation settings are correct ('Home URL' - 'Visit' you will be brought to a page stating "You're a step away from accessing the page you're looking for.....")
- Go back to the IAS/SCI home, and click the 'User Provisioning' tile.
Click 'Add' to add the appropriate Jam target system (Eg: JamPMStage).
- Choose an appropriate display name such as SAP Jam
- In the 'Target Configurations' section, the SCIM URL for the sample SAP Jam compay is 'https://jamX.sapjam.com/api/v1/scim/Users'.
- The OAuth URL for our sample company is 'https://jamX.sapjam.com/api/v1/auth/token'.
- For the 'Authentication Configurations' section, for the 'Client ID' use the value of the 'SCIM API Client Key' above e.g. 9Zvxsvv5SjIAlJexeGWz for the sample.
- For the 'Client Secret' use the value of the 'SCIM API Client Secret' from above.
4. Initial User Provisioning
Once user provisioning (from step 3) is setup the SCI tenant will start provisioning all newly created users to SAP Jam.
Now the provisioning team can create the client user in the SCI tenant:
1. Go to 'Administrators' tile.
2. Click '+Add' and select 'User'
3. Fill in the required fields and click 'Save'
This user will be provisioned to SAP Jam automatically. If any additional information should be added to the user it can be edited via the 'User Management' tile.
When the customer user activates his/her Cloud Identity user by clicking on the link in the activation email, he/she needs to click on the 'Home Url' link under the SAP Jam application. This way SCI will SSO you into the SAP Jam tenant. As the first user in the SAP Jam side company, he/she will become a company admin. This process is also described for the customer in the welcome email that he/she will receive for SAP Jam.
SAP Jam IAS SCi Jam - IAS integration Identity authentication service Cloud Identity , KBA , LOD-SF-JAM-IAS , JAM - IAS Integration , LOD-SF-JAM , SAP Jam , How To