Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Showing results for 
Search instead for 
Did you mean: 
Murali_Shanmu
Active Contributor
13,380
Note that this asset was drafted & created before our branding changes related to SAP technology were announced on January 2021. Note that SAP Cloud Platform Cockpit was renamed to SAP BTP cockpit.


This blog series will cover some of the concepts of SAP Work Zone and will also help you familiarize with the steps required to setup SAP Work Zone and integrate it with other applications.



























Enhance the Digital Workplace Experience using SAP Work Zone
Part 1 - Setup and configure SAP Work Zone
Part 2 - SAP Work Zone Overview and Components
Part 3 - Developing SAP UI Cards that render SAP business data within SAP Work Zone
Part 4 - Developing SAP UI Cards that render data from 3rd party systems within SAP Work Zone
Part 5 - Integrating Fiori Apps in SAP Work Zone
Part 6 - Integrating SAP Conversational AI based chatbots with SAP Work Zone
Part 7 - Understanding the Admin role concepts

SAP Work Zone is a service on SAP Business Technology Platform which helps improve productivity by providing a personalized, integrated digital workplace experience across multiple touch points. Its a digital workplace solution which centralizes access to SAP and non-SAP solutions by providing a central entry point to access business apps, processes and collaboration capabilities.


I would encourage you to look at this video which demonstrates the capabilities of SAP Work Zone.

The key capabilities of SAP Work Zone are also documented in SAP Help.

This blog will outline some of the steps required to configure and setup SAP Work Zone.Unlike other services on SAP Business Technology Platform (BTP) which can be enabled with a click of a button, Work Zone requires few steps to be performed - though majority of the steps have been automated using boosters (which I will explain below).

The steps which I am going to show assume that you are looking to setup a fresh SAP Work Zone tenant without the need to migrate an existing SAP Jam tenant. The SAP Help documentation clearly outlines the steps and is a great place to start too.

Please note that as of today, SAP Work Zone is not yet in trial landscape.I have used a productive account to demonstrate some of these capabilities.

Configure trust between SAP BTP and Identity Authentication Service


Once you have the entitlement for SAP Work Zone, it should be visible in your cockpit.


SAP Work Zone requires the use of Identity Authentication service (IAS) and Identity Provisioning service (IPS). There are many components/services which are used seamlessly with SAP Work Zone and hence IAS & IPS plays a key role in ensuring the user/developer is able to access them without having to key in the password and also not worry about manually creating the user in all the components.

In the trust configuration, download the “SAML Metadata”. This is required to setup the trust with IAS in the next step.


 Navigate your IAS > Applications and create a new application. I have used the name “WZ SCP Account”.  In the Trust settings for this new applications, navigate toe “SAML 2.0 Configuration”


Upload the metadata file which you had downloaded earlier from BTP subaccount and save your changes.


In the SAML Assertion attributes, add a new attribute called “Groups”. Ensure that it starts with an uppercase.


Similarly, in the Default attributes section, add the Group attribute with the value “Workzone_User_Type_${type}”.

 


Please ensure that the SAP Work Zone users you create in IAS are of type "employee".

This completes the setup of the new application in IAS. Navigate to the User Groups menu and add the below Work Zone groups. Users will be assigned to the respective groups to control the level of access within Work Zone.

 


Assign the Workzone_Admin role to your user in the User Management.

The next task is to setup the trust on the BTP Cockpit side. To obtain the metadata file from IAS, navigate to Tenant Settings > SAMl 2.0 configurations to download the metadata file.


Switch to Trust Configuration in the BTP cockpit . Notice that by default it has the SAP ID service which will enable users to access the applications using S/P/I/C user IDs. Click on the “New Trust Configuration” button.

 


Upload the metadata file which you downloaded earlier from IAS. Provide a meaningful name and description and save your changes.

 


Its important to turn off the SAP ID service once you have configured trust with IAS and activated it. Use the Pencil icon to edit the settings.

 



Setup of Work Zone using Boosters


Boosters are one of the cool features of BTP which helps customers to get started with different use cases like Workflows, Mobile Cards, AI Business services etc. Good to see a booster also available for Work Zone. Look for it in the Global Account level.


Just follow up the prompts provided by the wizard. In this case, it asks the details of the subaccount which you have already prepared (using the above instructions)


The booster will automatically create the relevant artefacts like destinations, role collections etc and save us from manually performing those configurations.


At the end, you will get a popup with a success message. From here, you can navigate directly to the Work Zone application.


 

SAP Work Zone Configurator:


The configurations are not done yet. We still have few more things to do before we could use start using Work Zone.

Work Zone leverages SAP Jam for the collaboration aspects. As most of you might know, it has its own user management. Hence, we need to setup trust with IAS again and also configure IPS to provision users (from IAS to Work Zone)

When you try to access the Work Zone application from the previous step, it would take you to the Work Zone Configurator. It has the below URL Pattern

https://[subaccount_specific].dt.workzone.cfapps.sap.hana.ondemand.com/sites#Workzone-Config

There are few steps which have been automated here and many still need to be done manually. The SAP Help documentation was clear in most of the places.


Trigger the wizard by selecting the relevant options. In the “Set Up Environment”, you will need to copy paste the IdP trust token as shown below.

 


This can be obtained from the destination menu within the subaccount. Click on “Download Trust”. While copying the token, ignore the header and footer.


 

The next steps is to configure trust with IAS and setup IPS for provisioning users. Download the metadata which is provided here. Make a note of the SAP Jam URL and OAuth Client Key/Secrets.


Switch back to IAS > Applications and create a new application. I have given the name “SAP Jam”. Similar to the previous application configuration, navigate to the SAML 2.0 configuration in the Trust settings and import the metadata file which you downloaded in the previous step.

 


Set the Subject Name Identifier to User UUID as shown below.


Add the user attribute “Groups”

 


Set the default attribute Groups with the value Workzone_User_Type_${type}

 


We need to create a technical user to communicate between IAS and IPS.  Navigate to IAS > Administrators and create a user of type “System”. Provide a BASIC Authentication and make a note of the User ID and password.


 

Launch the IPS service to configure the Source and Target systems.

Remember the URL pattern to launch IPShttps://tenant_id.accounts400.ondemand.com/ips

In the Source Systems, create an entry for Identity Authentication. Populate the properties as provided in this Help page. I didn’t bother using any of the optional properties. When adding the properties for passwords – use the credential option.`


In the Target Systems, create an entry for "SAP Work Zone". Maintain the properties for this target system as per this onboarding Help page. After saving your Source and Target systems, its time up update the transformations within each of them. Refer to the same onboarding Help page to copy the snippets to source and target systems.


This completes the setup of IPS. To trigger to replication of users into Work Zone with their respective role assignments, trigger the job from the source system. Click on “Run Now” form the Read Job. You should be able to see in the job logs the users and groups read and written to Work Zone.


Before testing your access in Work Zone, ensure you add the SAP JAM URL in the trusted domain of IAS. This is enable Work Zone to embed SAP Jam contents (within iFrames/overlays)


You should be now able to login to Work Zone using the IAS credentials and explore the capabilities.


The Fiori Launchpad will also be available in the Applications menu.


For questions on SAP Work Zone, please raise them in the forums and use the tag "SAP Work Zone".`
12 Comments
Yogendra_Ahuja
Explorer
0 Kudos
Nice blog Murli! What are the key differences between Freestyle Portal and SAP Work Zone?

 

Thanks
Murali_Shanmu
Active Contributor
Thanks Ahuja, Freestyle portal has been deprecated and if you are looking to build a site which doesnt have the Fiori Launchpad look and feel, SAP Work Zone is the solution for it. I am not across a documentation which lists the differences between Freestyle Portal and Work Zone. My understanding is that in freestyle portal, you could create your own page layouts using WebIDE/Application Studio and there were additional widgets which you could drag on to the page. Since SAP Work Zone is fairly new solution, there would be enhancements to it in the next few months (for example - Anonymous user access, custom domains etc). Please keep an eye on the SAP Work Zone roadmap (once its released)
NidhiDeep
Explorer
0 Kudos
Hi Murali,

Again thank you for the great blog. We are in the process to configure the Work Zone and while creating a target system in IPS of Type SAP Work Zone. We get the error " Your license does not allow you to create a system of this type".

Interestingly we have the Entitlement for SAP Work Zone in the subaccount and global account level.

Did you face this issue?

Regards

Deep

 
Murali_Shanmu
Active Contributor
0 Kudos
Hi Deep,

IPS is generally bundled with different SAP solutions and has limitations on the allowed target systems. Not sure if the IPS tenant which you have has target connectors for SAP Work Zone https://help.sap.com/viewer/f48e822d6d484fa5ade7dda78b64d9f5/Cloud/en-US/81ca0c1b51b449daac240a18ee0...

Its best if you can raise this as a question in the forum for the experts to provide suggestions. Thanks
NidhiDeep
Explorer
0 Kudos
Hi Murali,

Thanks for the quick reply. I had an expert chat with one of the SAP support consultants, it looks like IPS bundled does not support Work Zone, it is only supported on the standalone version of IPS. We have raised an incident and SAP is working on it.

Regards

Nidhideep
former_member390641
Discoverer
0 Kudos
Hi Murali,

 

Excellent blog, very helpful!

I have question for you, we are implementing Workzone (1 tenant) in our organization and we intend to use for two different business areas HR and SCM. This will be connected to 1 single IAS tenant for authentication.

Q: Is it possible to configure two different buckets within the same WZ tenant? do we need to create sperate roles within WZ? can you please guide me?

 

Thanks,

AB
vermeulm
Explorer
0 Kudos
Ankur,

We did a POC on SAP WorkZone and found that we can set up different WorkSpaces for different business units and that you can create different role collections in a central IAS to control which workspace and content the users have access to...

 

Sincerely,

Marius
0 Kudos

Great Blog Murali

Just want to understand the use cases of SAP Work Zone

Also Is it for employees or Contractor ( portal scenario)

 

Thanks

MB

0 Kudos
Great Blog Murali,

we see here some topics, from the help doc and here we see that we need to gen the IAS Groups with the names of the Role Colelctions in the Cockpit, but we use different names and Federation,means we map the Group of our Names to the Role Collection. Also we use our own Role Collection.

We tried it now and it's not complete working, especially what we now see is the Admin Console.

Short overview of our Setup

we build an own RC mapp a IAS Group with the Account Name plus freetext

the IAS group is created and the user assigned.

User are created in the User area of the cockpit .

also that mapping group is done for the delivered SAP Role Collections as we faced that without no content will come, also in the normal user Page.

But now we don't get the admin link, when i now assign my user directly to that SAP delivered Role Collection i can access.

Any Idea what is here happening in the Background ?

Expectation is that we use own names also to separate the different stages Development and Production with different IAS Groups and local assignment of Role Collections area also not wished.

 

Best regards

Thorsten

 

 
PrashanthPundalik
Participant
0 Kudos

Great Blog Murali,

I followed the blog and completed the work zone setup but when I navigate to application, not able to see the landing page of work zone. A blank screen with "Not found" text shown up. Can you please help here.

Thanks 

Prashanth

Murali_Shanmu
Active Contributor
0 Kudos
Hi Prashanth, Can you please create a question in the Community forums with using the tag for SAP Build Work Zone, standard edition. Thanks.

Thanks.
0 Kudos

hello Everyone,

I want to bind sap build apps to sap build workzone advance edition, Do you have any related documents or videos that could be helpful to me.

Best Regards,

Roseswararao

Labels in this area