Dear SAP Community,

In this blog, I will try to clarify the architecture of SAP WorkZone Advanced Edition (SAP WZAE) with a focus on the SAML authentication process. Many existing guides provide step-by-step instructions, but often lack explanation of the key concepts behind the process. This blog will aim to fill that gap and provide clarity on the roles of IAS, IPS, SAML, and the relationship between SAP WZAE and DWS. Why SAML is emphasized - the SAML setup and understanding are a key to successfully install SAP WorkZone Advanced Edition. 

Without a deeper understanding of key concepts such as IAS, IPS, tenants and subaccounts in BTP, SAML, SAP WorkZone app (frontend), SAP DWS (backend), JAM (sometimes SAP SuccessFactors and the SAP Cloud Foundry environment) — the process of installing and configuring the SAP WorkZone ecosystem can feel random and unnecessarily challenging

The following description provides the list of main components that are required for authentication in SAP WorkZone Advanced Edition application:

• IAS (Identity Authentication Service): A cloud-based service that handles authentication for users in SAP systems, enabling Single Sign-On (SSO) and secure user access using standards like SAML.

• IPS (Identity Provisioning Service): A service for automating user provisioning, synchronizing users, roles, and permissions between different identity providers and target systems.

• SAML (Security Assertion Markup Language): A protocol used for Single Sign-On (SSO) that allows identity providers (IdP) to authenticate users and authorize access to service providers (SP) securely.

• SAP WorkZone App (Frontend): The user interface of SAP WorkZone, where users interact with applications, content, and workflows to manage their work and access business applications.

• SAP DWS (Digital Workplace Service): The backend component of SAP WorkZone that manages user data, workspace configurations, and content through APIs, providing administrative functions and integration capabilities.

Please note, this guide will not provide another step-by-step installation guide for SAP WZAE. Instead, it aims to complement the existing blog https://community.sap.com/t5/technology-blogs-by-sap/sap-btp-onboarding-series-step-by-step-guide-to..., which already provides detailed instructions on setting up SAP WZAE (in my opinion a few steps are not needed, but we will cover it later).

SAP WorkZone Advanced Edition (WZAE) and BTP

In simple terms, the BTP platform is gradually replacing SAP NetWeaver as the core platform for modern SAP applications. Just like SAP NetWeaver, BTP's kernel should be supported by the SAP Basis or another technical department in my view, as it involves many configurations and settings typically managed by SAP Basis teams in the NetWeaver environment.

To successfully configure and maintain a reliable and well-documented SAP WorkZone application or any other application in BTP, it's crucial to understand the architecture of SAP BTP, like we used to work with the architecture of classic SAP NetWeaver that includes few Application Servers, Database (single or cluster), and Web Dispatcher (optional), SSO and SAML configuration! The deeper understanding of the BTP backend ensures that the application setup is both effective and stable.

My recommendation for project associated with BTP - the team must have a consultant with technical background (SAP Platform support), otherwise you are in the risk to start the ping pong with SAP Support during implementation and finally will need to attract externals to finish setup.

Example of the SAP BTP Environment

This is a very basic diagram illustrating the different levels of the BTP environment. The key on this diagram is SAP Cloud Identity Service. The idea is to show that you don’t need to have the individual instance of SAP CIS inside of each Subaccount. It’s like a CUA system, usually there are two instances for all landscape - one for all production environments and another one for non productions.

When setting up SAP WorkZone, it is crucial for an administrator to have a solid understanding of the SAML protocol and how it is managed (IAS or IdP is installed inside of Cloud Identity Service that can work like standalone or proxy app. for local IdP [for instance MS Active Directory]). Knowing the concepts of the Identity Provider (IdP) and Service Provider (SP) — which are key components of SAML— is vital for ensuring a successful setup.

Key Components of SAP WorkZone

Before switch to technical aspects, it is important to note that SAP Work Zone application contains two key components:

1. Front End component – SAP Build WorkZone advanced edition (SaaS)
2. Backend component – Digital Workplace Service (DWS). Particularly, this instance stores user settings and authorization

SAML Configuration for SAP WZAE

Now the SAML, I would like to pay an attention on it because this is a key step in the configuration of SAP WZAE. The rest of steps that you can find in the official guide or blog are not so difficult:

• official guide: https://help.sap.com/docs/build-work-zone-advanced-edition/sap-build-work-zone-advanced-edition/prer...
• blog: https://community.sap.com/t5/technology-blogs-by-sap/sap-btp-onboarding-series-step-by-step-guide-to...

Authentication process in SAP Work Zone:

Authentication Process in SAP Work Zone

Let’s breakdown the above diagram:

1. To be able to login in the Work Zone, the user must be created in IAS:

1.1 Additionally, the trust relationship must be established between subaccount of SAP WZAE and SAP IAS:

1.2 “Available for User Logon” option must be selected in the configuration of IAS:

1.3 The default identity provider should be disabled to prevent the usage of S-USER for connection:

2. SAP WZAE sends SAML request to IAS during login:

3. IAS sends back the SAML response with details about user:

3.1 Please pay an attention on AttributeStatement area, this is quite important. To provide a proper response the attributes of SAP WZAE application in IAS must be configured properly:

The saml trace can be obtained with SAML-tracer extension that is available in chrome:

Just turn it on before open the login page

4. Here the SAP magic starts - to be able to connect SAP WZAE app it makes the request to DWS. SAP WZAE calls the internal API /dynamic_dest/JAM/v1/single_use_tokens to generate the token and if it is ok, the response contains the location of DWS:

Our experience - we had the issue at this stage, this step likely failed because the subject name attributes were not correctly configured for the WorkZone application in IAS. However, since the URL included the "JAM" prefix, I initially thought we had missed something with the JAM integration, as JAM is mentioned multiple times in the official documentation:

As we later realized, JAM integration is not required, and there is no need for a connection with JAM at all (honestly, I still don’t know how the integration with JAM works, and I don’t intend to find out until this is mandatory for setup). The fact remains that the connection to JAM is not necessary to complete the setup of SAP WorkZone and /dynamic_dest/JAM/v1/single_use_tokens is not associated with JAM although JAM is presented in the URI.

The need to set up a SAML application for DWS is not well explained and can actually complicate the setup and troubleshooting process. Initially, I followed the instructions provided in this blog and created the application in IAS as suggested. However, after further investigation, I ended up deleting this application because I couldn’t find a valid reason to keep it. It didn’t seem to play a necessary role in the overall setup of SAP WorkZone Advanced Edition.

For your reference, the details about DWS can be obtained by using site manager configuration https://<the name of you wz_app>.dt.workzone.cfapps.eu10.hana.ondemand.com:

5. In accordance with diagram SAP WorkZone connects to DWS with ticket and here the IPS begins playing. So to that moment everything is good and you are sure you have the user that belongs to the one of the SAP Work Zone group:

But as we found this is not enough. To complete a user setup, IAS data must be replicated to the DWS and the bridge between SAP WZAE DWS and IAS is IPS 😊. In accordance with blog https://community.sap.com/t5/technology-blogs-by-sap/sap-btp-onboarding-series-step-by-step-guide-to... you have to create the source and target system in IPS and run the job to replicate the data. It's important, if you want to provide the access for new user, after user creation in IAS the resynch job must be executed in IPS to replicate data in DWS!

Why we need to create the SAML configuration for DWS in IAS I did not find. Finally, I deleted the SAML for DWS because it is not using.

How to find the location of IAS and IPS: https://iamtenants.accounts.cloud.sap/

I hope an explained 6 steps will give you a little more understanding of the backend of SAP Work Zone. A detailed setup guide is not included here for the following reasons:

1. A detailed and accurate guide has already been provided in the blog by Nagesh Caparthy, which I recommend referring to for step-by-step instructions on setting up SAP WorkZone Advanced Edition.
2. I hope that SAP will release a comprehensive guide for BTP similar to BC360. Without this, navigating the environment can feel like working blind. Ideally, we could benefit from documentation that is as clear and structured as the Integration & Exception Monitoring - Setup & Configuration guide, which is simple, user-friendly, and effective. For reference, you can find that guide here.
3. If you encounter issues during the SAP WorkZone setup or with any other application involving SAML, feel free to share your experiences or ask questions in the comments below. I am happy to help!

To conclude, the key to successfully setting up SAP WorkZone Advanced Edition lies in understanding its architecture and the role of SAML for authentication. While existing step-by-step guides are useful, a deeper understanding of concepts like IAS, IPS, and DWS ensures smoother implementation. I hope this article provides clarity, and if you encounter issues, feel free to share your experiences or ask questions in the comments