CRM and CX Blogs by Members
Find insights on SAP customer relationship management and customer experience products in blog posts from community members. Post your own perspective today!
Showing results for 
Search instead for 
Did you mean: 


This blog is a successor to this blog. I highly suggest you read the first one before you read this part.


In first part of this blog series, we finished initial customizing step, imported and exported certain certifications and for the last we set up SAML 2.0 Configuration in SAP Marketing backend.

We'll carry on where we left off in the second part.

6. Check SSFA

In this activity, we make sure that the system uses the correct encryption algorithm for the certificates.

Go to transaction code SSFA and check the entry where "SSF Application" field is entered as "Collaboration Integration Library:oAuth Appl".

When you find this entry, double click on the entry to display details and check if the following entries are entered correctly:

Parameter Value
SSF Application Collaboration Integration Library:oAuth Appl.
Security Product SAPSECULIB
SSF Format International Standard PKCS#1 (Standard padding)
Private Address Book SAPCLBOAU100.pse
SSF Profile Name SAPCLBOAU100.pse
SSF Profile ID (OPT)
Hash Algorithm SHA1
Encryption Algorithm AES128-CBC
Distribute PSE (Only SAPSECULIB) X

Note that if you cannot find such an entry in this customizing table, choose "New Entries" first and maintain above values and save your entries. The system should ask you a customizing request. Assign the customizing request you're using for SAP Jam integration.

7. Export Certificates Required for SAP Jam Admin Settings

In this activity, we are going to export two certificates we have to import to SAP Jam through SAP Jam Admin console.

Kindly note that if you have any other SAP Marketing backend system you want to integrate SAP Jam with, you need to perform this step for each SAP Marketing backend system.

7.1. Issuing Certificates for SSF CLBOAU

This part describes how to issue the SSF CLBOAU certificate.

Go to transaction STRUST, switch to change mode and find folder named "SSF Collaboration Integration Library: oAuth Appl."

Right click on the folder. If you can see the option "Create", click on that and maintain below values in the pop-up dialog.:

Parameter Value
Name Use proposed default(make sure no symbol in the name. You even have to delete ":" symbol proposed in the default name otherwise it keeps giving error )
Org. (optional) Use proposed default
Company./Org. Use proposed default
CA Use proposed default
Algorithm RSA
Key Strength 1024
Signature Algorithm Use proposed default

After you maintain the values above hit "Enter" to continue. You have now successfully issued SSF CLBOAU certificate.

In case you don't see "Create" option when you click on the folder "SSF Collaboration Integration Library: oAuth Appl.", that means SSF CLBOAU certificate has been already issued. You can skip to 7.2 Exporting SSF Certificate CLBOAU step below in this case.

7.2. Exporting SSF Certificate CLBOAU

While you are in STRUST transaction and in change mode, double click on folder  "SSF Collaboration Integration Library: oAuth Appl.""

On the right side, under "Own Certificate" section, double click on Subject line.

Certificate details should now be filled out under "Certificate" section at the bottom. Click on "Export Certificate" icon to start the export process.

Choose Base64 as file format. And pick a folder you want to save the file to. Enter file name as "clboau.txt". After providing a folder and file name, hit Enter to complete export process.

Now file should be saved to your local folder that you provided with the name "clboau.txt".

7.3. Exporting SSF SAML2 Service Provider Certificate

At this step, you are going to export SSF SAML2 Service Provider Signature certificate.

This step is fundamentally same as previous step 7.2. Exporting SSF Certificate CLBOAU

There are only two difference compared to previous step:

- This time, you start with double click on "SSF SAML2 Service Provider - Signature" folder instead of  "SSF Collaboration Integration Library: oAuth Appl.""

- And while you're exporting the certificate, this time you provide the file name as "serviceprovider.txt" instead of ""clboau.txt".

The rest of the activities are exactly same as previous step.

At the end of this section, you have successfully exported two certificates that you will need for SAP Jam Admin settings.

8. Registering Identity Provider

In SAP Jam, each back-end system and each client you want to connect must be published as an identity provider (IdP). This section describes how to register your identity provider in SAP Jam.

Log in to SAP Jam tenant as company admin and proceed as shown in the following screenshots

Kindly note that you have to have admin authorization to continue this step


You have successfully reigstered your IdP in SAP Jam Admin Panel.

9. Setting Up the OAuth Client

You have to register each application that you want to use for each SAP Marketing system and client. In this step, you register your application as an OAuth client in SAP Jam

Log in to SAP Jam tenant as company admin and proceed as shown in the following screenshots

Kindly note that you have to have admin authorization to continue this step

You have successfully added a new OAuth client. Now find your new OAuth client in the list of "OAuth "Clients" tab and click on "View".

In details, you will find your consumer key you require to complete step 11. Define Application Settings. Store this consumer key to a notepad.

10. Defining Server Settings

In this step, you customize the server settings for SAP Jam in the Marketing system.

Go to transaction CLB2_PLATF. Click on "New Entries". Under "Server Communication" foldeselect the line with the following values:

Field name Entry Value
Service Provider Type Jam
Server Jam productive
Name of Local Service Provider

And maintain following values:

Field name Entry Value
Server URL Enter your Jam URL

Proxy Host

Proxy Port
This is the proxy information you entered in chapter HTTPS Proxy. The values for the Proxy Host and Proxy Port fields should be determined by ICF, so the integration scenario normally work without entering values. So I suggest leaving these fields empty first. If you have trouble later though, you can fill these fields with proxy host and proxy port information that you obtained from your BASIS administrator
SSL Application ID ANONYM

Save entries and assign a customizing request that you're going to use for SAP Jam integration. Double click on "Authentication Method" sub-folder to maintain following values.

Context Description Authentication
APPLI Application context OAUTH_10_SHA1
APPUSR Application context with user authentication OAUTH_10_SHA1_3
NONE No authentication NONE
USER User context SAML_20

Save your entries again under same customizing request.

11. Define Application Settings

In this step you will define application-specific settings for your Marketing system.

Go to transaction CLB2_APPLI_PLATF. When the customizing view shows up, there should be an existing entry with following values (if not, maintain it with following values):

Column Value
Application ID DEFAULT
Service Provider Type Jam
Server Jam productive

Select the line with the above values and, double-click on "Server Settings" sub folder on the left folder structure. In the "Server Settings" group box, enter the following values

Field name Entry Value
Ext. Application ID

Enter the name of the OAuth client on the SAP Jam side you defined in chapter 9. Setting Up the OAuth Client.

In our example, it is JAM_TRT_500
Consumer Key Enter the consumer key you retrieved from SAP Jam as described in chapter 9. Setting Up the OAuth Client.
HTTP Timeout

Enter a value, if you need to set a timeout – for example, the UI technology has a shorter connection timeout than the REST call. For this field, you can set a value lower than the value for the default UI timeout.

And you can leave this empty.

Save your entries and assign these changes to a customizing request that you are usng for SAP Jam integration.

12. Testing API Calls

To execute a basic test, you can use ABAP report RCLB2_DEMO_GENERIC.

Go to transaction SE38 and enter "RCLB2_DEMO_GENERIC" as program name and execute the report.

Maintain the following values for the selection fields:

Service Provider Type Jam
Application ID DEFAULT
Request Method GET HTTP GET
Service Endpoint Input Alternative Manually Entered Endpoint (Radio Button)
Endpoint api/v1/OData
Authentication Context NONE

After maintaining above values, execute the report.

If you have a successful response, an XML output like below should return.


Now we're all set and ready to start collaboration on campaigns in SAP Marketing


With a SAP Jam integration, you can have following options on campaigns:

  • Select an existing SAP Jam (external, internal and even sub-group) group and assign it to your campaign

  • Remove assignment of SAP Jam group from campaign. During removal, you have even option to delete SAP Jam group completely or just remove assignment to campaign but keep SAP Jam group itself

  • You can create a SAP Jam group from scratch for your campaign.

Kindly note that when you create SAP Jam group directly from SAP Marketing, you create external SAP Jam groups. This might not be desired for some cases where only internal SAP Jam groups should be involved for campaigns. In that case, you have to ensure that you create an internal SAP Jam group in SAP Jam first and assign it to the campaign later.

Enjoy your collaboration and exchange of information between your teams, units, departments now!