cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Joule error in S4HC public when accessing SAC: No access to service

MKreitlein
Active Contributor

on ‎2025 May 08 2:31 PM

0 Kudos
328

Dear all,

I'm currently testing Joule in a Partner TDD S4HANA Cloud public system... and since the Analytical insights feature seems now generally available I wanted to try this out by using SAC as source, as well.

My SAC system is also TDD, so it has already Version: 2025.8.3 - I know that the regular SAC Q2 update will come on the weekend May 17/18. So a regular SAC tenant might not yet work as of today.

I could include the SAC system successfully into the formation like described here.

My user settings in S4HC are in English, and my question is posted in English as well, since this is currently a prerequisite.

All 3 systems: S4HC, Joule and SAC use the same Identity Authentication Service, and I myself am system owner in SAC, so I have full authorization. We have a Import model indexed via Just Ask, and questions & answers there work fine.

But when using Joule the following error message appears:

SACACCESS.png

Based on this response, it looks like Joule "knows" that it should access the SAC tenant, but obviously the login does not work 😞

My question is: Why not? What is the trick?

My assumption is, the root cause is lying somehow in the login procedure... but when I check in SAC: System - Administration - App Integration, I can see:

- One managed OAUTH Client: JOULE_OAUTH_CLIENT_etc_etc...

- One Trusted Identity Provider: JOULE_IDP_etc_etc...

So I would assume there is a working server to server communication?

FYI: Login into our SAC via the IDP is done via the specific SAML Attribute: User ID, which is also stored in the IDP User ID (If I would store the e-mail address there, I could no longer log into SAC. However mail address is used as Fallback method - without positive effect for my issue). The S4HC User of course is not aware of this. There we have the e-mail address, we have the HR ID P0000xx and we have a CB9980000xx auto-generated User ID.

Is anybody in the community here facing the same problem?

Or who is already able to use Joule with SAC results... and how is your SAC login configured?

Thanks for any feedback.

BR, Martin

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies

Accepted Solutions (0)

Answers (1)

Answers (1)

nageshcaparthy
Product and Topic Expert
Product and Topic Expert
‎2025 May 12 3:46 PM

Hi Martin, 

Can you share the formation details and also the full screen of Joule and the error messages. have you raised an SAP Ticket for this?

BR,

Nagesh

Show replies
Show replies
nageshcaparthy
Product and Topic Expert
Product and Topic Expert
‎2025 May 12 6:16 PM
0 Kudos
can you also check if you have done all the setup as in this blog - https://community.sap.com/t5/technology-blog-posts-by-sap/analytical-insights-in-joule-setup-guide/b...
MKreitlein
Active Contributor
‎2025 May 13 7:41 AM
0 Kudos

Hello @nageshcaparthy,

thanks a lot for your feedback. - UPDATE:

I checked the Blog (should have found it already last week) ... and it seems our login method is incorrect? ... you write: "Your SAP Analytics Cloud utilizes SAP Cloud Identity Services or SAML SSO, with your email address functioning as your login method" - We are using the SAML Attribute User ID.

And no, I have not raised a SAP ticket so far, since it is a TDD tenant, and I was not sure if our version was already capable or not ...

However, I'm missing the login in your Blog, about the SSO/SAML settings between SAC, IAM and S4HC/Joule... in more details.

How should we solve this issue, if we had some other systems on the same IDP, but in SAC we need Username as attribute? I think, we changed that from mail to User ID, since we used it together with the Marketing Cloud (and S4HC public TDD) and back in 2021 user login there was only possible via User name. Both launchpads did not have mail address as input field, but only user name.

UPDATE 2, I found this under item 10 - what does it mean for Joule login?

https://help.sap.com/docs/SAP_ANALYTICS_CLOUD/00f68c2e08b941f081002fd3691d86a7/3651184dad944aa2b361a...

If you are using a live connection to SAP S/4HANA Cloud Edition with OAuth 2.0 SAML Bearer Assertion, NameId must be identical to the user name of the business user on your SAP S/4HANA system.

For example, if you want to map an SAP Analytics Cloud user with the user ID SACUSER to your SAP S/4HANA Cloud user with the user name S4HANAUSER, you must select Custom SAML User Mapping and use S4HANAUSER as the Login Credential in Step 10.

If you are using SAP Cloud Identity as your SAML IdP, you can choose Login Name as the NameID attribute for SAP Analytics Cloud, then you can set the login name of your SAP Analytics Cloud user as S4HANAUSER.

Thanks and BR, Martin

MKreitlein
Active Contributor
‎2025 May 22 7:24 AM
0 Kudos

Hello @nageshcaparthy

... any comment regarding my answer?

What is the plan for SAC customers using SAML/SSO with e.g. User ID?

This has to be changed for being able to use Joule?

For what reasons are these things created then?

- One managed OAUTH Client: JOULE_OAUTH_CLIENT_etc_etc...

- One Trusted Identity Provider: JOULE_IDP_etc_etc...

BR, Martin

Ask a Question