Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
nageshcaparthy
Product and Topic Expert
Product and Topic Expert
6,547

This Blog continues my previous setup blog post - [SAP BTP Onboarding Series] Joule – Getting Started with Joule and SAP SuccessFactors.

Let's look at the common issues that we may have while setting up Joule with SuccessFactors:

  1. Joule does not work in the SFSF account
  2. Joule gives me the option to select Default Login and IAS Login 
  3. Joule gives me a Blank screen. In case you have an Azure AD/OKTA and Cloud Identity is a Proxy System
  4. LPS_SFSF_dt destination check connections fail with 401: Unauthorized
  5. I see the Joule chat history in another/colleague's system
  6. The Joule Navigation button is missing after a successful Jobrun or Jobsync
  7. CDM does now allow users to launch the site manager – channel manager and gives an error
  8. IPS – creating target system we do not see an option for Workzone Std, edition
  9. How to find out if you have SCIM / oData URL in your IPS Source file and how to change it
  10. Quick Setup Use the “Source System and Target System” .json files
  11. Joule authentication is not working when the browser '3rd-party cookie blocking policy' is enabled
  12. How do I verify if all groups are created for Joule
  13. I am using my new Common Super Domain (CSD) with my SFSF and Joule URL validation fails during Booster
  14. I am unable to use Joule in Incognito mode - Chrome Browser.
  15. Booster execution fails with an error
  16. "Oops, something went wrong. How about trying something different?" - Joule does not work.
  17. Joule in SAP SuccessFactors - View Phone Number Behavior

==================================================================================

So let us take a look at the issue and how to fix them:

  1. Joule does not work in the SFSF account

nageshcaparthy_1-1711474404706.png

Reason: This issue is related to Trusted Domains in your setup.

Fix: Please go back to the setup blog and refer to the section 

2.1 Configure Trusted Domains for SAP Authorization and Trust Management Service

4. Adding Trusted Domains and Configure Assertion Attributes in SAP Cloud Identity Services (CIS)

 

2. Joule gives me the option to select Default Login and IAS Login 

Reason: you have both Default Logon and IAS available for User Login in your BTP Subaccount

Fix: Log in to your SAP BTP Cockpit -> Navigate to your Joule Subaccount -> Expand Security option -> Click on Trust Configuration -> Click on Edit option for the Default Identity Provider (sap.default) -> Remove the tick mark for Available for User Logon and save the settings.

 

nageshcaparthy_2-1711474583169.png

Once the settings are saved, you may clear the cookies and try to log in.

 

3. Joule gives me a Blank screen. In case you have an Azure AD/OKTA and Cloud Identity is a Proxy System, please follow this. 

Issue: In most cases, your SSO should be taken care and Joule should be able to log you in with SFSF.  In case you have a login screen with Joule as shown below and if you are using Cloud Identity as a proxy, you may want to configure additional settings.

nageshcaparthy_3-1711474689709.png

Or A Blank Screen as below:

nageshcaparthy_0-1712223457252.png

 

Fix:

  • Go to your SAP Cloud Identity Services -> click on Identity Providers -> click Corporate Identity Providers -> select your provider Azure AD/OKTA that is configured -> Ensure your SSO Forward All SSO Requests to Corporate IDP turned Off.
  • Now click on Application & Resources -> click on Applications -> click on your BTP Joule Application -> click on Conditional Authentication option -> and change the Default Authentication Identity Provider to your Azure AD/OKTA and save the settings.

nageshcaparthy_4-1711474726475.png

 

 

4. LPS_SFSF_dt destination check connections fail with 401: Unauthorized

Issue: This could happen if you have the URL incorrect or your User and Password are incorrect.

nageshcaparthy_0-1711474988605.png

Fix:

Best Practise: Create a Technical User that is not used by any user and set the password to never expire in your SuccessFactors system.

 

5. I see the Joule chat history in another/colleague's system

Issue: Users can see the Joule conversations in multiple logins with different systems although the login details are different.

Reason: In most of the SFSF Dev / Preview systems, customers have a dummy email created which is common for all users with actual employee details. This can be due to multiple reasons as they take a copy of production to the Dev / Preview system. A dummy email address is created to avoid sending emails to actual users from the Dev / Preview system.

Eg: sap@dummy.com, dummy@dummy.com

Fix: In case you have the dummy emails configured for all the users, in your Dev/ Preview system, you may try the following options:

  • Change the Developers / Users email address in the Dev / Preview system to the actual user ID to fix the issues. Remember if you do an IPS sync from your production system, the emails will return to dummy emails as per your settings
  • Change the Subject Name Identifier -> Basic Configurations in your Cloud Identity Services from Email Address to Login Name (This change is to do with your Application of Joule).  Remember once this change is done, users have to use the Login Name.

Once the above changes are done, you may also need to add the Launchpad_Admin User with the Login Name to your SAP BTP Subaccount. In case you already have the user created with an email address, delete it, create a new one with a Login Name, and assign the roles.   

 

 

6. The Joule Navigation button is missing after a successful Jobrun or Jobsync

Ans: While most of the Setup is complete and jobs have been executed as required if the navigation button is missing (refer to the image for the navigation icon), you will have to check the NavigationService settings at your subaccount destinations.

nageshcaparthy_0-1711534569481.png

Navigate to your subaccount -> Click on Connectivity -> Click on Destinations -> Select NavigationService -> Click on Export.

nageshcaparthy_1-1711475293929.png

Open the file that you have exported in a notepad and ensure the value of tokenServiceULRType is Dedicated. In case you see the value as Common, go back to your BTP Cockpit, edit the Navigation service select Dedicated, and save the settings. Export the settings and validate the saved changes.

nageshcaparthy_2-1711475358264.png

In case the issue continues, a manual refresh of the Content Channel in the Workzone instance is required to make sure Service provider details are updated correctly.

Go to the Work Zone service instance in the BTP subaccount, select Content Channel, choose the service provider connected to SF, click Report, and verify whether Role is assigned correctly. In the below screenshot, the Role is empty.

nageshcaparthy_1-1711534760545.png

Go back to your Channel Manager screen and click on the Refresh button to update the Role to the provider that you have created.

nageshcaparthy_2-1711534780526.png

Wait for the refresh to complete, once it’s done, click Report to view the details.

nageshcaparthy_3-1711534813721.png

If you see the 19/19 in the Role section, we are good. Please log off your SAP SuccessFactors wait for 30 mins for the background jobs to execute and then try again.

 

7. CDM does now allow users to launch the site manager – channel manager and gives an error.

Issue: while launching the admin user from SFSF to the workzone, if the users are not synchronized it may give an error as below.

nageshcaparthy_3-1711475490974.png

 

nageshcaparthy_5-1711475515718.png

Reason: user sync is not complete yet.

Fix:

  • Ensure the correct role is assigned to your user with a custom identity service
  • Access the Launchpad_Admin role & navigate to Users  to add the user for example:

nageshcaparthy_6-1711475556339.png

  • Run the job in the admin center - > Job Scheduler tab- > job Type ( Refresh Synthetic Group Data) and click on Run it Now.

nageshcaparthy_8-1711475597976.png

 

8. IPS – creating target system we do not see an option for Workzone Std, edition

Issue: The customer has IAS and IPS tenants with separate tenants and not in a common tenant and while creating the target system, the workzone does not show up.

nageshcaparthy_0-1711475731631.png

Reason: The IPS landscape is on SAP NEO and the service needs to be upgraded to multi-cloud.

Fix

They can upgrade it using the help guide or refer to the blog -

Important - The ideal upgrade takes anywhere from 1 hour to 1 day depending on the complexity of the IPS setup from the customer. Please ensure to check the status of the Source/Target/Jobs that were scheduled.

 

9. How to find out if you have SCIM / oData URL in your IPS Source file and how to change it

Issue: Workzone Groups are supported with SCIM2.0 and the oData API version is not recommended.

How to check: you can log in to your SAP Cloud Identity Services, navigate to your Source System of your SFSF -> Properties, and look for the URL as shown below.

nageshcaparthy_1-1711475790742.png

Fix: Make a copy of your Source System and change the values according to the Joule Setup or use the Source & Target Files attached to this blog (bottom). The how to add the Source and Target details are shared in the next step.  

Note: If you are downloading the Source & Target Files attached to this blog, please change the file extension from .txt to .json before importing to your Cloud Identity Services. Check step 10 for setup.

 

10. Quick Setup Use the “Source System and Target System” .json files

In my previous blog on Joule setup, we had discussed setup using the existing SFSF Source, here we are creating a new Source System in both cases either your URL is using oData and/or a new Joule setup. The new Source System will help us to keep the Joule setup separate and not make changes to your existing setup of your SFSF.

Adding Source System:

  • Navigate to your SAP Cloud Identity Services – Navigate to Source System -> click on Add -> Import the file “SuccessFactors - SF-Company-ID - Joule.json” and edit the System Name to your SFSF Company ID as shown below and feel free to add a Description and save the settings.

nageshcaparthy_2-1711476113943.png

  • The required “Transformation” changes are taken care of in the JSON file which is attached to the blog, so we can directly Navigate to your Properties Tab and change the values as per the Joule Setup as shown below

nageshcaparthy_3-1711476185409.png

After the changes, my source looks like this:

nageshcaparthy_4-1711476217879.png

  • Since we have added this as a new Source, we should also be exporting the Certificates and important to your SuccessFactors system. Click on Outbound Certificate, and click on Download the certificate to make a copy of the new source system that you have created.

nageshcaparthy_0-1711476303157.png

  • Go to your SuccessFactors system, go to Security Center – click on X.509 Public Certificate Mapping, and click on Add, Change the Configuration Name as per your requirement, Change the Integration Name to Identity Provisioning Service, and select the new certificate that you downloaded and Save the settings.  

Note: Do not enter any details in “Login Name”, it should be blank.

nageshcaparthy_1-1711476342549.png

Adding Target System:

Now let us add the Target System using the JSON file, Navigate to your Target System, click on Add, and select the file “WorkZone_Target_ForJoule.json”, once the file is added, you need to change the System Name and add a Description to recognize your setup. Ensure to Select the Source System that was saved in the previous step before you navigate to the Properties Tab.

nageshcaparthy_2-1711476402055.png

You may not be able to save until you enter the details required in the Properties tab. Navigate to the Properties tab, and enter the details from your ServiceKey file downloaded from your Subaccount - SAP Workzone ServiceKey. Once you enter the details, you should be able to proceed with your Job Sync.   

nageshcaparthy_3-1711476450241.png

Note: Since we are using the Certificate for authentication, please use this link to copy your URL based on your data center - mTLS Certificate Server. Example: https://api55preview.cert.sapsf.eu

https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/af2b8d5437494....

11. Joule authentication not working when the browser '3rd-party cookie blocking policy' is enabled

Issue: Joule may not be able to work while 3rd party cookie is blocked. This may happen mostly in incognito or in private mode.

Fix: Please look at the SAP Note: 3428564 - Joule authentication not working when browser '3rd-party cookie blocking policy' is enable...

 

12. How do I verify if all groups are created for Joule

Issue: in case of setup issues, Jobs may not run properly and we need to validate the Groups created/assigned to a user.

Fix: Based on your Job Logs from your Cloud Identity Services, you may log in to your SAP Workzone, Navigate to your SAP Joule Subaccount, click on Instances and Subscriptions -> click on the SAP Workzone, Standard Edition (ensure you have the Role “Launchpad_Admin” is assigned to you), click on the Settings Tab and enter the User Email or the Global User ID to check the assigned Roles.

nageshcaparthy_4-1711476530019.png

In case you need further analysis, refer to the blog by Harjeet Judge on - Leverage SCIM APIs of SAP Build Work Zone to view users and groups provisioned into Work Zone

 

13. I am using my new Common Super Domain (CSD) with my SFSF and Joule URL validation fails during Booster.

Issue: If you are using the CSD then your SFSF URL would have migrated to a new one and Joule fails to validate the New URL

Fix: You can look at the CSD Migration Customer/Partner Guide to match your SFSF Admin URL to successfully run the booster. Refer to Chapter 5 for the URL details.

 

14. I am unable to use Joule in Incognito mode - Chrome Browser

 Reason: Third-party cookies could have been blocked on your Browser

 Solution: turn off the Third-party cookies and try to log in.

nageshcaparthy_0-1712138209878.png

15. Booster execution fails with an error

 

Reason: One of the reasons could be that you have not established trust in your sub-account with the Cloud Identity Services. 

nageshcaparthy_0-1713171575533.png

FixBefore you run the Joule Booster, please follow 2. Configure SAP Cloud Identity Services(CIS) in our setup blog - (you need to establish Trust for your subaccount and cloud identity services) as this has been added as a prerequisite to the new update to the Booster.

16. "Oops, something went wrong. How about trying something different?" - Joule does not work.

Reason: This could be due to multiple scenarios due to GUID Mismatch, IP Restrictions, or Login and Password Policies IP for individual users.

Case 0: GUID Mismatch Fix: You can refer to the KBA - https://me.sap.com/notes/0003488269 if this is not fixed, please check the following Case 1 and Case 2.

Case 1:

In your SAP SuccessFactors -> Navigate to IP Restriction Management -> If this page has No data, we are good.

nageshcaparthy_0-1721638523318.png

In case your company is allowing the whitelisting of certain IPs for internal rules, only then,  you should add the SAP BTP NAT IPs that are related to your Joule Service. Look at the fix listed after Case 2.

Case 2:

If your company has maintained your users with certain IPs, this issue could happen only for you. To verify this, you can navigate to Password & Login Policy Settings -> Expand to option Set API login exceptions -> If you do not have any User ID listed, we are all good.

If you(r)/any User ID is listed with an IP Address, then Joule will respond “Oops, something went wrong.”, to fix this, follow the steps below.

nageshcaparthy_1-1721638642377.png

Fix(Case 1 and Case 2):

To find the SAP BTP Subaccount Data Center, go to your SAP BTP Account -> navigate to your Subaccount where with Joule Services -> in the Overview section you should be able to see the Cloud Foundry Environment, please look at API Endpoint -> In my case its https://api.cf.us10-001.hana.ondemand.com/ so my CF Data Center is “us10”.

nageshcaparthy_2-1721638680112.png

Once you have your CF Data Center, please go to Regions and API Endpoints Available for the Cloud Foundry Environment, and search for your respective value in the Technical Key as below.

nageshcaparthy_3-1721638712664.png

Look for the “NAT IPs (egress, IPs for requests from a Cloud Foundry app)” and you need to copy the values related to your CF account. In my case, it's “cf-us10-001”.

nageshcaparthy_4-1721638748914.png

For Case 1: Copy one IP at a time and create an entry in your SFSF System in IP Restrictions Management.

nageshcaparthy_5-1721638772627.png

You should re-login once this is done.

Caution: In case your company does not have any IP Restrictions and if you add it for BTP only, it may cause issues for Login from other IPs that are not listed in this. Please be cautious before adding this.

For Case 2: You can copy the entire IP Address from NAT IPs (egress, IPs for requests from a Cloud Foundry app), edit the User ID in Set API login exceptions -> append the IP to this list, and Save the settings.  

Tip: For Joule to function properly, you may need to do this for all the users listed here. If a user is not listed, there is no need to add them.

17. Joule in SAP SuccessFactors - View Phone Number Behavior

Issue: Phone Number may not respond as expected.

Fix: Refer to the KBA - 3458399

Credits to all the team members @harjeetjudge @DanH @dkumari @harinder_singh_batra @chavi_singhal @Shreelakshmi 

Cheers, 

Happy Learning

Nagesh 

Check our SAP BTP Onboarding Resouce Center for more such BTP-related topics.