Note that this asset was drafted & created before our branding changes related to SAP technology were announced on January 2021.
Note that SAP Cloud Platform Cockpit was renamed to SAP BTP cockpit.
This blog series will cover some of the concepts of SAP Work Zone and will also help you familiarize with the steps required to setup SAP Work Zone and integrate it with other applications.
SAP Work Zone is a service on SAP Business Technology Platform which helps improve productivity by providing a personalized, integrated digital workplace experience across multiple touch points. Its a digital workplace solution which centralizes access to SAP and non-SAP solutions by providing a central entry point to access business apps, processes and collaboration capabilities.
I would encourage you to look at this
video which demonstrates the capabilities of SAP Work Zone.
The key capabilities of SAP Work Zone are also documented in
SAP Help.
This blog will outline some of the steps required to configure and setup SAP Work Zone.Unlike other services on SAP Business Technology Platform (BTP) which can be enabled with a click of a button, Work Zone requires few steps to be performed - though majority of the steps have been automated using boosters (which I will explain below).
The steps which I am going to show assume that you are looking to setup a fresh SAP Work Zone tenant without the need to migrate an existing SAP Jam tenant. The
SAP Help documentation clearly outlines the steps and is a great place to start too.
Please note that as of today, SAP Work Zone is not yet in trial landscape.I have used a productive account to demonstrate some of these capabilities.
Configure trust between SAP BTP and Identity Authentication Service
Once you have the entitlement for SAP Work Zone, it should be visible in your cockpit.
SAP Work Zone requires the use of Identity Authentication service (IAS) and Identity Provisioning service (IPS). There are many components/services which are used seamlessly with SAP Work Zone and hence IAS & IPS plays a key role in ensuring the user/developer is able to access them without having to key in the password and also not worry about manually creating the user in all the components.
In the trust configuration, download the “SAML Metadata”. This is required to setup the trust with
IAS in the next step.
Navigate your
IAS > Applications and create a new application. I have used the name “WZ
SCP Account”. In the Trust settings for this new applications, navigate toe “SAML 2.0 Configuration”
Upload the metadata file which you had downloaded earlier from BTP subaccount and save your changes.
In the SAML Assertion attributes, add a new attribute called “Groups”. Ensure that it starts with an uppercase.
Similarly, in the Default attributes section, add the Group attribute with the value “Workzone_User_Type_${type}”.
Please ensure that the SAP Work Zone users you create in IAS are of type "employee".
This completes the setup of the new application in
IAS. Navigate to the User Groups menu and add the below Work Zone groups. Users will be assigned to the respective groups to control the level of access within Work Zone.
Assign the Workzone_Admin role to your user in the User Management.
The next task is to setup the trust on the BTP Cockpit side. To obtain the metadata file from
IAS, navigate to Tenant Settings > SAMl 2.0 configurations to download the metadata file.
Switch to Trust Configuration in the BTP cockpit . Notice that by default it has the SAP ID service which will enable users to access the applications using S/P/I/C user IDs. Click on the “New Trust Configuration” button.
Upload the metadata file which you downloaded earlier from
IAS. Provide a meaningful name and description and save your changes.
Its important to turn off the SAP ID service once you have configured trust with
IAS and activated it. Use the Pencil icon to edit the settings.
Setup of Work Zone using Boosters
Boosters are one of the cool features of BTP which helps customers to get started with different use cases like Workflows, Mobile Cards,
AI Business services etc. Good to see a booster also available for Work Zone. Look for it in the Global Account level.
Just follow up the prompts provided by the wizard. In this case, it asks the details of the subaccount which you have already prepared (using the above instructions)
The booster will automatically create the relevant artefacts like destinations, role collections etc and save us from manually performing those configurations.
At the end, you will get a popup with a success message. From here, you can navigate directly to the Work Zone application.
SAP Work Zone Configurator:
The configurations are not done yet. We still have few more things to do before we could use start using Work Zone.
Work Zone leverages SAP Jam for the collaboration aspects. As most of you might know, it has its own user management. Hence, we need to setup trust with
IAS again and also configure
IPS to provision users (from
IAS to Work Zone)
When you try to access the Work Zone application from the previous step, it would take you to the Work Zone Configurator. It has the below URL Pattern
https://[subaccount_specific].dt.workzone.cfapps.sap.hana.ondemand.com/sites#Workzone-Config
There are few steps which have been automated here and many still need to be done manually. The SAP Help documentation was clear in most of the places.
Trigger the wizard by selecting the relevant options. In the “Set Up Environment”, you will need to copy paste the IdP trust token as shown below.
This can be obtained from the destination menu within the subaccount. Click on “Download Trust”. While copying the token, ignore the header and footer.
The next steps is to configure trust with
IAS and setup
IPS for provisioning users. Download the metadata which is provided here. Make a note of the SAP Jam URL and OAuth Client Key/Secrets.
Switch back to
IAS > Applications and create a new application. I have given the name “SAP Jam”. Similar to the previous application configuration, navigate to the SAML 2.0 configuration in the Trust settings and import the metadata file which you downloaded in the previous step.
Set the Subject Name Identifier to User
UUID as shown below.
Add the user attribute “Groups”
Set the default attribute Groups with the value Workzone_User_Type_${type}
We need to create a technical user to communicate between
IAS and
IPS. Navigate to
IAS > Administrators and create a user of type “System”. Provide a BASIC Authentication and make a note of the User ID and password.
Launch the
IPS service to configure the Source and Target systems.
Remember the URL pattern to launch
IPS:
https://tenant_id.accounts400.ondemand.com/ips
In the Source Systems, create an entry for Identity Authentication. Populate the properties as provided in this Help page. I didn’t bother using any of the optional properties. When adding the properties for passwords – use the credential option.`
In the Target Systems, create an entry for "SAP Work Zone". Maintain the properties for this target system as per this onboarding Help page. After saving your Source and Target systems, its time up update the transformations within each of them. Refer to the same onboarding Help page to copy the snippets to source and target systems.
This completes the setup of IPS. To trigger to replication of users into Work Zone with their respective role assignments, trigger the job from the source system. Click on “Run Now” form the Read Job. You should be able to see in the job logs the users and groups read and written to Work Zone.
Before testing your access in Work Zone, ensure you add the SAP JAM URL in the trusted domain of
IAS. This is enable Work Zone to embed SAP Jam contents (within iFrames/overlays)
You should be now able to login to Work Zone using the
IAS credentials and explore the capabilities.
The Fiori Launchpad will also be available in the Applications menu.
For questions on SAP Work Zone, please raise them in the forums and use the tag "SAP Work Zone".`