I don’t think I have to introduce what Joule is all about; it has been making noise all over the SAP Community since the announcements at #SAPTechEd2023.
In case you missed it, allow me to share that Joule is the AI copilot to help your business requirements while supporting Navigational, Transactional, and Informational patterns. As part of our first announcements, Joule is Generally Available (GA) with SAP SuccessFactors. You may refer to the SAP SuccessFactors 2H 2023 Release Highlights or take a quick look at the SAP SuccessFactors 2H 2023 Release Highlights Video and you can also watch the Demo – Interacting with Joule in SAP SuccessFactors.
So let me summarize the important topics:
Talent Intelligence Hub is GA - Understand, build, and leverage the skills of the workforce with an AI-powered skills framework included in the SAP SuccessFactors platform
Important: Joule is currently available in English and supported in the US (Virginia) and European (Frankfurt) Data Centers with AWS as the Infrastructure Provider.
**********************************************************************
Announcement!!! We will allow all our SAP SuccessFactors customers to use Joule irrespective of the SAP SuccessFactors Data Center and pick any/nearest data center where Joule is supported. You can find more updates here: SAP Note: 3519499 and What’s New with Joule.
You can refer to the Joule Data Center list here.
Obsolete: I recommend always taking a look at the Data Center Mapping between SAP SuccessFactors and Joule. In case your SuccessFactors instance is EU enabled, then you have to select the EU11 Subaccount in your BTP. If EU11 is missing, please contact your CSP/AE to get this enabled in your selected BTP account where your Joule entitlements are provisioned.
******************************************************************
If you have made it so far & have the prerequisites to set it up, and are interested in setting up the Joule service, please reach us at SAP_AI_RIG@sap.com.
In case of issues, take a look at the [SAP BTP Onboarding Series] Joule with SFSF – Common Setup Issues
New Release - Joule – Getting Started with Document Grounding - setup guide
Discovery Center Mission Update with full setup Process - Activate SAP Joule for SAP SuccessFactors
*******************************************************************
Disclaimer: Before we get started, as this is a new product with a lot of momentum and subsequent updates to be announced shortly, we recommend referencing the official Joule help guides in case of any changes from the below process.
******************************************************************
Perfect, now that we have the details on Joule let’s roll up our sleeves and learn how to get started with it.
Pre-requisites:
- SAP Start is now available for customers at no extra cost with services like SAP S/4 HANA Cloud, public edition, or SAP SuccessFactors. You can check the details here
- Joule uses the navigation service component of SAP Build Work Zone, standard edition to resolve intent-based navigation targets and configure additional content providers
Roles required to configure:
License: Joule is included as part of your SAP SuccessFactors license at no additional cost with a certain number of free messages for an annual period known as Base AI. Some of the AI Capabilities are part of the premium edition - Premium AI, where you may have to purchase AI Units to use the functionalities.
***Important***
You may refer to the document AI Service List - AI SERVICE ENTITLEMENTS - SuccessFactors to know your eligible messages.
Please contact your Account Executive for more information on Joule contracts and allocation as they vary based on user licenses.
Account Model in SAP BTP and SAP SuccessFactors Tenant: While you are working with SAP BTP, we recommend creating multiple subaccounts to achieve your desired account model. With SuccessFactors delivering a 2-tier account model with a (Dev/Test & a Production tenant), you may want to create two different subaccounts in the SAP BTP to mirror that landscape.
Now, let us consider a staged approach to complete the setup activities for Joule with SuccessFactors.
0. System Landscape <<New process since July 2024>>
1. BTP Activities – Create a Subaccount and Run The Booster
2. Configure SAP Cloud Identity Services – In my case, I have already activated it; you may refer to SAP Discovery Center Mission Get Started with SAP BTP - Cloud Identity Service Provider (SAP IdP). I will be skipping this step as it is activated in my SAP BTP account
3. Configure Cloud Identity Services in SuccessFactors
4. Adding Trusted Domains in SAP Cloud Identity Services
5. Post Booster Configurations, required to support Joule - Navigation Services
Image 0 (reference diagram for the setup activity)
Now let us get started with the First Step:
You may also refer to our Joule Setup videos here:
- Chapter 1 - Activating Joule and Running the Booster - Read Description for updated information
- Chapter 2 - Establish Trust with your Cloud Identity, BTP and Create Trusted Domains
- Chapter 3 - Activating Joule in SFSF
- Chapter 4 - Activate Cloud Foundry, Create Destinations and Workzone Content Provider
- Chapter 5 - SAP Cloud Identity Services - Source & Target Configurations
0. System Landscape
Refer to our official help page on Register an SAP SuccessFactors System in a Global Account in SAP BTP.
a. Activate “Manage Extensions on BTP” in your SFSF
This section focuses on enabling the integration of your SAP SuccessFactors and your SAP Business Technology Platform subaccount using the Extension Management Configurations.
You may log in to your SuccessFactors, go to Manage Permission Role -> select the Role where you would like to assign the extension -> click on Permission ->
- Admin Access to Metadata Framework -> Select Admin access to MDF OData API permission
- Then click on Manage Extensions on SAP BTP -> select Create Integration with SAP BTP, and Save the settings.
b. System Landscape Setup in your BTP Global Account
You can now select the SAP SuccessFactors system in the Select Integrations screen of the Joule booster instead of manually typing the tenant URL and the company code. You need to ensure that you have registered the system in SAP BTP under System Landscape before you run the booster. To do this Go to your SAP BTP Global Account -> click on Systems Landscape -> In the Systems tab search for your existing SFSF Systems as most of the time they should be auto-discovered -> once you find the SFSF System, select it -> and then click on Get Token.
(Skip this step, if your system is found in the list) In case your SFSF System is not found, you can click on Add System -> Enter the System Name “SuccessFactors tenant”, select System Type as SAP SuccessFactors and click on Add.
You should be able to see a success message, now click on the option Get Token.
c. Update the Integration Token in the Extension Center
In your SAP SuccessFactors -> go to Extension Center -> Enter the token value that you copied from the BTP Account in the Integration Token field and click on Add. Once you add this token, you should be able to see the Multi-Cloud Environment list with your SAP BTP Global Account ID, please click on the refresh button and ensure you see the message Integrated.
Note: In case of missing Extension Center
- The service should be activated in the SFSF Provisioning -> Select Enable Extension Center.
- Go to Admin Center -> Upgrade Center -> select "Extension Centre", and click Upgrade now, to upgrade it.
In case of any issues, while adding tokens in the SFSF system, you can create a ticket using the component - BC-NEO-EXT-SF and share the Company ID of the affected SFSF system along with Data Center details.
1. BTP Activities – Create a Subaccount and Run The Booster
1.1 Create a Subaccount
Let us begin to log in to your SAP BTP Cockpit with Global Account Administrator authorizations, to create a new subaccount for Joule. In your BTP Cockpit -> click on Account Explorer -> click on the Create button -> click Subaccount -> enter the Subaccount name and select once you fill in all the required details, please click on Create.
Note: In my Demo, I am going with SuccessFactors DC33/55 Data Center (Frankfurt) and Europe (Frankfurt) Joule Data Center.
Image 1
1.2 Configure Joule in SAP BTP Cockpit:
Another important step is to check the required Entitlements. Navigate to Entitlements -> click on Service Assignments ->, and search for Joule with limited Quota Assignment as shown in the image below.
Image 2
*** Important *** - Before you run the Joule Booster, please follow 2. Configure SAP Cloud Identity Services(CIS) - (you need to establish Trust for your subaccount and cloud identity services) as this has been added as a prerequisite to the new update to the Booster.
Once you add the Joule Entitlement, we are ready to create the subscription. We will use SAP Boosters to configure and consume the Joule Services. To do this, Click on Boosters -> search for Setting up Joule -> and Click on Start, you will see the Overview page – please read the details and then click on Start in the top right side of the screen.
Image 3
The Booster automatically checks if you have the required Entitlements, Authorizations, and Identity Authentication Tenant. Once the checks are completed, click on the Next button.
Image 4
In the Configure Subaccount tab, You have to select the subaccount that was created in the previous step, in my demo I created a Subaccount named Joule, so I selected “Joule” and click on Next.
Image 5
In the Select Integration tab, we have to select “SAP SuccessFactors” as this blog is focused on SAP SuccessFactors. Let us select SAP SuccessFactors and click on Next.
Image 6
In the next screen, we have to provide the Integration Details, such as the SAP SuccessFactors Tenant Domain URL and the Company Code.
Example:
SAP SuccessFactors tenant login URL: https://hcm41preview.sapsf.com/login?company=testacc01
Tenant Domain: https://hcm41preview.sapsf.com
Company Code: testacc01
Image 7
Once you enter the details, click the Validate button. If there are no error messages, you are good to go and can click on the Next button. In my case I am good, so I continue with the next setup.
In case of general errors- “The provided Company Code either does not exist or is invalid” Please raise an SAP Ticket with the component - CA-JOULE or CA-JOULE-PRV
In the last step, we validate the details that are entered and click on the Finish button.
Image 8
The booster will execute the process to enable Joule subscription services and you should be able to see the success message as shown below.
Image 9
This completes the Joule provisioning in your SAP BTP Subaccount.
2. Configure SAP Cloud Identity Services(CIS)
In my case, I have already provisioned it, you may refer to SAP Discovery Center Mission Get Started with SAP BTP - Cloud Identity Service Provider (SAP IdP), so I will be skipping the step of activating the Cloud Identity Services.
So why SAP Cloud Identity Services (CIS)? SAP CIS acts as a central system to authenticate and authorize users for your SAP SuccessFactors and Joule, and it is a mandatory component for post booster configurations. In this step, we will enable Custom Identity Service in your Subaccount.
Note: In case you have a Cloud Identity Service configured for your SAP SuccessFactors, you can use the same CIS tenant to establish trust with your subaccount.
Once you activate the Cloud Identity Services, the next step is to Establish Trust between your Cloud Identity Services and the Subaccount. Now let us navigate to the Joule Subaccount, click on Account Explorer -> click on the subaccount Joule -> click on the Security option -> click on Trust Configuration -> click on the Establish Trust button as shown below.
Image 10
Select the SAP Cloud Identity Services Tenant that you have activated, click on Next, and select the Domain Name either *.accounts.ondemand.com or *.accounts.cloud.com and click on Next.
Tip: For the best SSO experience, ensure you select the same Domain Name throughout the configurations. Before you select this, verify your Cloud Identity Services Domain URL and select accordingly.
Image 11
Optional Step(Image 12): To Create Platform Users you can either proceed with the next step or, (you can navigate to your Global Account. Click on Security -> Trust Configuration -> Establish Trust -> Select your Cloud Identity Services that you created -> Choose the domain as mentioned above -> Click on Next and in the Configure Parameters you can modify the name and description and this will set up the trust for Platform Users, click on Next and then click on Finish. By doing this Platform Users option will be added to all Subaccounts by default.)
In my case, I have created it to manage Business Users and Application Users.
Image 12
If you are back to your subaccount to Establish Trust, you should be able to see the screen below to Configure Parameters for Application Users, you can click on Next as shown below.
Image 13
Upon completion, you should be able to see Platform Users(if added to Global Account) and Application Users listed on the trusted Trust Configuration page.
Now ensure that only your Custom Identity Service is available for User Logon.
2.1 Configure Trusted Domains for SAP Authorization and Trust Management Service
Now within your subaccount, click on the Security option -> click on Settings -> under Trusted Domains click on the Add button to add your SAP SuccessFactors Domain name.
Example: https://hcm41preview.sapsf.com
Image 14
This completes the setup of Joule in the SAP BTP Subaccount.
3. Configure Cloud Identity Services in SAP SuccessFactors (skip activation step if already active)
Now let us log into the SAP SuccessFactors system and look at the settings required.
In case you already have Cloud Identity Services enabled, you can skip this step, and follow the step after Image 19. To activate the services, click on your Profile icon and then click on Admin Center.
Image 15
From Admin Center, navigate to Upgrade Center and then select Platform.
Image 16
Look for the option – Initiate the SAP Cloud Identity Services Identity Authentication Service Integration, click on Learn More & Upgrade Now.
Image 17
Now click on Upgrade Now, and you will be prompted for a username and Password.
Image 18
Enter your S-User ID and Password. You may also refer to the help guides and videos on this page to initiate your Cloud Identity Service. While selecting your Cloud Identity Services, please ensure you select the same Identity Services used for your SAP Subaccount configurations in the previous steps.
Image 19
Once you initiate to change the Identity Authentication services, it may take up to 24hrs and you will receive an email once the upgrade is complete. You may use the Monitoring Tool for Identity Authentication Service to keep track of the changes. Once the Service is activated please ensure you follow the help documentation to complete the setup process.
Now go back to the Admin Center, you may also want to
Image 20
On the Permission Role Detail page, click on the Permission… button, click on General User Permission look for Access to Joule, select it, and click on Done.
Image 21
This completes the Role assignment to users in SAP SuccessFactors for access to Joule.
4. Adding Trusted Domains and Configure Assertion Attributes in SAP Cloud Identity Services (CIS)
Before testing Joule, we have to maintain your SAP SuccessFactors Domain name in the Cloud Identity Services as a Trusted Domain. Let us login to the Cloud Identity Services -> click on Applications & Resources -> then click on Tenant Settings -> click on Customization -> You will be able to see the option Trusted Domain, please click on it and click on the Add button to create a new line item to specify the Domain name of your SAP SuccessFactors System as shown below, enter the details and Save the Settings.
Example: hcm41preview.sapsf.com
Image 22
4.1 Configure Assertion Attribute
You will have to establish federated trust in your subaccount and configure the assertion attribute user_uuid to the Global User ID field in the Identity Authentication application corresponding to your subaccount to allow user identification based on Global User ID. In your Cloud Identity Services, click on Application & Resources -> click on Applications -> select Application where you have established trust -> click on Attributes on the right panel -> expand the section user_uuid and change the Identity Directory value to Global User ID.
Image 22(a)
This completes the activation of Joule Services in SAP SuccessFactors and the required configurations. You can now navigate to your SAP SuccessFactors System and click on the Joule Icon to open the services.
Image 23
Well, we are not quite there yet to use the full capabilities of Joule. We are just a few more steps away so let us continue 😊.
5. Post Booster Configurations
Once your Joule service is working, you need to configure the navigation service, which is a part of the Build work zone, to resolve intent-based navigation targets that are defined in the backend. If you are quite curious about the navigation pattern and not sure how it looks or works, you can refer to Image 40 😊.
5.1 Create SAP Build Work Zone Application and Instance: You may follow the standard help guide to set this up. If you are setting up SAP Build Work Zone for Joule service, you may use the Foundational Plan as shown below or if you already have SAP Build Work Zone standard edition, you may skip the activation and configure the missing steps. I am showing the process of activating the SAP Start - foundation services, and assigning the entitlements to your subaccount as shown below.
Image 24
Before activating the services, ensure you have Created a Cloud Foundry instance and created a Space. Now you can go to Service Marketplace and create the SAP Build Work Zone foundation Services Plans and Application Plans as shown below.
Image 25
Once the services are activated, you can Create a Service Key for the services under Instance as shown below.
Image 26
Enter a Service Key Name and click on Create. Once the service key is created, click on it to view the data and save the data, we will be using it at a later stage.
Image 27
Now let us assign a user to the Work Zone service that is activated. Within your subaccount, click on the Security option -> click on Role Collection -> click on Launchpad_Admin -> click on Edit -> In the Users Section add yourself and Save the settings.
Image 28
5.1.1 Add a Content Provider to Consume CDM Content
Add a new content provider to your SAP Start site to consume the CDM content from SAP SuccessFactors. Go to your SAP BTP Joule Subaccount -> click on Services -> click on Instances & Subscriptions -> click on the application SAP Build Work Zone, standard edition -> the application opens on a new page, click on the Channel Manager icon -> click on +New button and enter the details for the New Content Provider with following information:
Field | Value |
Title | Enter a name for the Content Provider (recommended SuccessFactors) |
Description | Enter a description for the content provider. |
ID | Any unique ID (recommended sfsf or your SFS CompanyID - this will be used again during IPS setup for - cflp.providerId) |
Design-Time Destination | Select the design time destination LPS_SFSF_dt |
Runtime Destination | Select the runtime destination LPS_SFSF_rt |
Runtime Destination for Dynamic Data | Select Use default runtime destination |
Automatically add all content items to the subaccount | True |
Use the Identity Provisioning service to provision user authorizations | True |
The details should be as shown below:
Image 28a
5.2 Configure Navigation Service
We need the Navigation Services to navigate to the targets that are defined in the backend. The recommended approach is to use the Name according to the help guide.
5.2.1 Configure Destination to Use Navigation Service
Within the subaccount, click on Connectivity -> click on Destination, click on Create Destination, and enter the following details:
Field | Value |
Name | NavigationService |
Type | HTTP |
URL | portal url from the service key created for the service instance of SAP Build WorkZone, standard edition. (Images 27 & 29) |
Proxy Type | Internet |
Authentication | OAuth2UserTokenExchange |
Client ID | Client ID from the service key created for the service instance of SAP Build WorkZone, standard edition. (Images 27 & 29) |
Client Secret | Client Secret from the service key created for the service instance of SAP Build WorkZone, standard edition. (Images 27 & 29) |
Token Service URL Type | Dedicated |
Token Service URL | https://<uaa url>/oauth/token |
Add additional properties -
Field | Value |
Use default JDK truststore | Enable this option. |
You should be able to see the details below:
Image 29
The details in Destination should be as below:
Image 30
Tip: The last line item Token Service URL should end with https://<uaa url>/oauth/token, do not forget this.
Save the changes.
5.2.2 Create a Design Time Destination
Create a design-time destination on SAP BTP to access the CDM content API from SAP SuccessFactors.
Note: Accessing SAP SuccessFactors APIs using Basic Authentication has been deprecated. You can create certificate-based destinations. For more information, see Deprecation of HTTP Basic Authentication for APIs.
For the demo, we are going with Basic Auth for now. Create your second destination, Click on Create Destination and enter the following details:
Field | Value |
Name | LPS_SFSF_dt |
Type | HTTP |
URL | https://<tenant API URL>/rest/servicesfoundation/sfcdmcontentservice/v1/SFCDMContent Tip: you can refer to SAP Note: 2215682 - SuccessFactors API URLs and external IPs to find your Tenant API URL based on your Data Center |
Proxy Type | Internet |
Authentication | BasicAuthentication |
User | Enter your SAP SuccessFactors username with oData API access and company in the format of "username@COMPANY". Note: Do not use your login details here. Please create a technical user for Joule with the following permission. You can navigate to Manage Permission Role -> Select the Group this Technical User belongs to, click on Permission, and go to Manage Integration Tools -> select "Allow Admin to Access OData API through Basic Authentication". |
Password | Enter the password for your SAP SuccessFactors |
Add Additional Properties as follows:
Field | Value |
Use default JDK truststore | Enable this option. |
HTML5.DynamicDestination | True |
Enter the details and Save the settings. The details should be as shown below:
Image 31
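As an added example (not part of the original post and not SAP tooling), the Python script below checks destination settings against the tables in 5.2.1 and 5.2.2 before they are saved. The dictionary keys reuse the field labels from those tables, and every hostname, user name and secret in the sample data is a constructed placeholder.

```python
import re
from urllib.parse import urlparse

# Expected values, copied from the tables in 5.2.1 and 5.2.2.
EXPECTED = {
    "NavigationService": {"Type": "HTTP", "Proxy Type": "Internet",
                          "Authentication": "OAuth2UserTokenExchange",
                          "Token Service URL Type": "Dedicated"},
    "LPS_SFSF_dt": {"Type": "HTTP", "Proxy Type": "Internet"},
}
CDM_PATH = "/rest/servicesfoundation/sfcdmcontentservice/v1/SFCDMContent"


def lint_destination(dest):
    """Return findings for one destination; keys are the UI field labels."""
    name = dest.get("Name", "")
    if name not in EXPECTED:
        return [f"{name!r}: not one of the destinations covered here"]
    findings = [
        f"{name}: {field} is {dest.get(field)!r}, expected {want!r}"
        for field, want in EXPECTED[name].items()
        if dest.get(field) != want
    ]
    url = urlparse(dest.get("URL", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append(f"{name}: URL must be an https:// URL")

    if name == "NavigationService":
        # The tip in 5.2.1: the token endpoint must end in /oauth/token.
        token = urlparse(dest.get("Token Service URL", ""))
        if token.scheme != "https" or token.path != "/oauth/token":
            findings.append(f"{name}: Token Service URL must be "
                            "https://<uaa url>/oauth/token")
        for field in ("Client ID", "Client Secret"):
            if not dest.get(field):
                findings.append(f"{name}: {field} from the service key is missing")
        return findings

    # LPS_SFSF_dt: design-time destination for the CDM content API.
    if url.path != CDM_PATH:
        findings.append(f"{name}: URL path must be {CDM_PATH}")
    if dest.get("Authentication") == "BasicAuthentication":
        # The note in 5.2.2: Basic Authentication is deprecated for these APIs.
        findings.append(f"{name}: BasicAuthentication is deprecated for SAP "
                        "SuccessFactors APIs; use a certificate-based destination")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+", dest.get("User", "")):
            findings.append(f"{name}: User must have the form username@COMPANY")
    if str(dest.get("HTML5.DynamicDestination", "")).lower() != "true":
        findings.append(f"{name}: HTML5.DynamicDestination must be True")
    return findings


# Constructed sample data (placeholder hosts and credentials).
GOOD_NAV = {
    "Name": "NavigationService", "Type": "HTTP",
    "URL": "https://portal.example.invalid", "Proxy Type": "Internet",
    "Authentication": "OAuth2UserTokenExchange",
    "Client ID": "constructed-client-id", "Client Secret": "constructed-secret",
    "Token Service URL Type": "Dedicated",
    "Token Service URL": "https://uaa.example.invalid/oauth/token",
}
BAD_NAV = dict(GOOD_NAV, **{"Token Service URL": "https://uaa.example.invalid"})
DEMO_DT = {
    "Name": "LPS_SFSF_dt", "Type": "HTTP",
    "URL": "https://api.example.invalid" + CDM_PATH, "Proxy Type": "Internet",
    "Authentication": "BasicAuthentication",
    "User": "joule_tech_user",  # missing the @COMPANY suffix on purpose
    "Password": "constructed-password", "HTML5.DynamicDestination": "True",
}

if __name__ == "__main__":
    for sample in (GOOD_NAV, BAD_NAV, DEMO_DT):
        for finding in lint_destination(sample) or [f"{sample['Name']}: ok"]:
            print(finding)
```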
5.2.3 Update the Runtime Destination
LPS_SFSF_rt destination is automatically created when you run the Joule booster but you may need to update the destination in the following scenarios:
Field | Value |
sap-start | true |
The configuration should look like this:
Image 32
5.2.4 Configure Identity Provisioning Service(IPS) Setup for Navigation Service
The Navigation Service component of SAP Build WorkZone, standard edition service uses Identity Provisioning Service to provision identities and their authorizations between source and target systems.
Note: This section describes the steps to configure the source system (SAP SuccessFactors) and target systems (Identity Authentication and SAP Build Work Zone, standard edition) in the Identity Provisioning of your IAS application user interface. For some customers, SAP SuccessFactors and the Identity Authentication systems are already configured as the source and target system by the Upgrade Center.
We need to configure the Identity provisioning service (IPS) service to:
Note: If you are using the SuccessFactors Onboarding 2.0 module, then we strongly recommend migrating to SCIM API to take advantage of the real-time user sync capabilities that are only available with SCIM API, not oDATA API. For more information, see Overview of SAP SuccessFactors Workforce System for Cross-Domain Identity Management API and refer to this blog.
To do this, let us log in to the Cloud Identity Services with Admin Authorizations, click on Identity Provisioning -> click on Source System -> Assuming that the SAP SuccessFactors is already configured with Cloud Identity Services, you can click on your existing SAP SuccessFactors Source System -> on the right side of the page, click on Transformation and switch to JSON View -> modify the Group Entity in the transformations so that it has the following configuration, refer to the image below:
++++++++++++++++++++++++++++++++++++++++++++++++++++++
I recommend the second blog, for the Source and Target files configuration that is in my next blog - [SAP BTP Onboarding Series] Joule with SFSF – Common Setup Issues you can download the readily available files attached to the bottom of the blog, use them and follow point number 10. Quick Setup Use the “Source System and Target System” .json files
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Property | Value | Description |
Ignore | false | Ensures groups SCIM entity is considered during the provisioning jobs |
Mapping | { "sourcePath": "$.id", "targetPath": "$.externalId" }, | Ensures the source ID field of the SCIM entity groups is set to externalId |
Image 33
Next, under the Properties tab, ensure the field sf.user.filter is configured to fetch all required and valid users.
Image 34
In case you don’t want the groups to be provisioned in IAS, you can follow the steps below, else you can skip this and go to Create Target System.
Property | Value | Description |
Ignore | true | Ensures groups SCIM entity is not considered during the provisioning jobs |
Now let us create a new Target System with the following values and Save the settings:
Field | Value |
Type | SAP Build WorkZone, standard edition |
Name | Any meaningful name (WorkZone-Target) |
Description | Any Meaningful description |
Source System | Select SuccessFactors source system |
The settings should look as below:
Image 35
In the new Target System that you created, in my case it is SFSF – WorkZone click on the Transformation -> click on JSON view and edit the Group Entity with the value below:
Property | Value | Description |
Mapping | { "sourcePath": "$.externalId", "targetPath": "$.externalId" } | Ensures the externalId field of the SCIM entity groups is set to externalId |
The details should be as shown below:
Image 36
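As an added example (not from the original post or from SAP), the Python check below verifies that a transformation copied from the JSON view contains the group settings listed in the source and target tables above. The `group` / `ignore` / `mappings` layout of the JSON is an assumption to compare against what your tenant shows, and the sample documents are constructed.

```python
import json

# Mappings required by the tables in 5.2.4.
SOURCE_RULE = {"sourcePath": "$.id", "targetPath": "$.externalId"}
TARGET_RULE = {"sourcePath": "$.externalId", "targetPath": "$.externalId"}


def check_group_entity(transformation_json, required_mapping, want_ignore=None):
    """Check the group entity of an IPS transformation.

    want_ignore=False: groups are provisioned (source system table).
    want_ignore=True:  groups are skipped, so no mapping is required.
    want_ignore=None:  do not check the flag (target system table).
    Assumed layout: {"group": {"ignore": bool, "mappings": [ {...}, ... ]}}
    """
    try:
        doc = json.loads(transformation_json)
    except json.JSONDecodeError as exc:
        # Typical cause: a trailing comma left inside a mapping object.
        return [f"not valid JSON (line {exc.lineno}, column {exc.colno}): {exc.msg}"]

    group = doc.get("group") if isinstance(doc, dict) else None
    if not isinstance(group, dict):
        return ["no group entity found in the transformation"]

    problems = []
    if want_ignore is not None and group.get("ignore") is not want_ignore:
        problems.append(
            f"group.ignore is {group.get('ignore')!r}, expected {want_ignore!r}")
    if want_ignore is True:
        return problems  # groups are not provisioned, mapping is irrelevant

    pairs = {
        (m.get("sourcePath"), m.get("targetPath"))
        for m in group.get("mappings", [])
        if isinstance(m, dict)
    }
    needed = (required_mapping["sourcePath"], required_mapping["targetPath"])
    if needed not in pairs:
        problems.append(f"group mapping {needed[0]} -> {needed[1]} is missing")
    return problems


# Constructed sample transformations.
SOURCE_OK = """{"group": {"ignore": false, "mappings": [
  {"sourcePath": "$.id", "targetPath": "$.externalId"},
  {"sourcePath": "$.displayName", "targetPath": "$.displayName"}]}}"""
SOURCE_IGNORED = SOURCE_OK.replace('"ignore": false', '"ignore": true')
TARGET_OK = """{"group": {"mappings": [
  {"sourcePath": "$.externalId", "targetPath": "$.externalId"}]}}"""
TARGET_TRAILING_COMMA = """{"group": {"mappings": [
  {"sourcePath": "$.externalId", "targetPath": "$.externalId", }]}}"""

if __name__ == "__main__":
    print(check_group_entity(SOURCE_OK, SOURCE_RULE, want_ignore=False))
    print(check_group_entity(SOURCE_IGNORED, SOURCE_RULE, want_ignore=False))
    print(check_group_entity(TARGET_OK, TARGET_RULE))
    print(check_group_entity(TARGET_TRAILING_COMMA, TARGET_RULE))
```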
Now click on the Properties tab and check the following details, in case they are missing add them to the list. The values can be found in the Service Key that was generated earlier:
Field | Value |
URL | portal-service field value under endpoints node from the service key |
Authentication | BasicAuthentication |
User | clientid field value under uaa node from the service key |
Password | clientsecret field value under uaa node from the service key |
ProxyType | Internet |
Type | HTTP |
OAuth2TokenServiceURL | https://<uaa url>/oauth/token |
ips.trace.failed.entity.content | False |
cflp.user.unique.attribute | emails[0].value,['urn:ietf:params:scim:schemas:extension:2.0:mapping']['providerId'],externalId |
cflp.support.bulk.operation | False |
cflp.providerId | ID field value for content channel configured for SAP SuccessFactors in SAP Build WorkZone (step 5.1.1) |
cflp.group.unique.attribute | externalId,['urn:ietf:params:scim:schemas:extension:2.0:mapping']['providerId'] |
cflp.bulk.operations.max.count | 100 |
The details should be seen as shown below:
Image 37
Note: Please refer to my second blog as mentioned ( above image 33). Since we are using the Certificate for authentication, please use this link to copy your URL based on your data center - mTLS Certificate Server. Example: https://api55preview.cert.sapsf.eu
Now let us go back to the Source System. Click on Identity Provisioning -> click on Source System -> click on the Source System service that you have set up -> click on Jobs tab -> Run Read Job or ReSync Job as per your requirements to provision SAP SuccessFactors users and roles to WorkZone (Navigation Service).
Image 38
The job should run successfully if the configuration is set up correctly. To view the job results, you can click on Identity Provisioning -> click on Provisioning Logs.
If you see a Successful message and if the Group and Users are Read/Created/Update, then we are good.
Image 38a
Well, it's now time to announce that you have set up your SAP SuccessFactors with Joule services with Navigation Patterns 😊.
Image 40
Congratulations!!! If you can see the Navigation arrows, the setup is successful.
Note: In case of any issues, please refer to the common issues blog - https://community.sap.com/t5/technology-blogs-by-sap/sap-btp-onboarding-series-joule-with-sfsf-commo...
==========================================================================
This blog is written with the support of our SAP Product Team and SAP BTP Onboarding Team.
Credits and shout out to harinder.singh.batra and chavi.singhal without which this blog could have not been possible. Appreciate all your support.
===========================================================================
Please visit the SAP Business Technology Platform Customer Onboarding Resource Center page for more information.
If you are just getting started, we have Onboarding Blogs:
Regards,
Nagesh Caparthy
Follow me on LinkedIn for the latest Updates on SAP BTP.
https://www.linkedin.com/in/nagesh-caparthy-027b7016/