
This Blog continues my previous setup blog post - [SAP BTP Onboarding Series] Joule – Getting Started with Joule and SAP SuccessFactors.
Let's look at the common issues that we may have while setting up Joule with SuccessFactors:
==================================================================================
So let us take a look at the issue and how to fix them:
Reason: This issue is related to Trusted Domains in your setup.
Fix: Please go back to the setup blog and refer to the section
2.1 Configure Trusted Domains for SAP Authorization and Trust Management Service
4. Adding Trusted Domains and Configure Assertion Attributes in SAP Cloud Identity Services (CIS)
2. Joule gives me the option to select Default Login and IAS Login
Reason: you have both Default Logon and IAS available for User Login in your BTP Subaccount
Fix: Log in to your SAP BTP Cockpit -> Navigate to your Joule Subaccount -> Expand Security option -> Click on Trust Configuration -> Click on Edit option for the Default Identity Provider (sap.default) -> Remove the tick mark for Available for User Logon and save the settings.
Once the settings are saved, you may clear the cookies and try to log in.
3. Joule gives me a Blank screen. In case you have an Azure AD/OKTA and Cloud Identity is a Proxy System, please follow this.
Issue: In most cases, your SSO should be taken care and Joule should be able to log you in with SFSF. In case you have a login screen with Joule as shown below and if you are using Cloud Identity as a proxy, you may want to configure additional settings.
Or A Blank Screen as below:
Fix:
4. LPS_SFSF_dt destination check connections fail with 401: Unauthorized
Issue: This could happen if you have the URL incorrect or your User and Password are incorrect.
Fix:
Best Practise: Create a Technical User that is not used by any user and set the password to never expire in your SuccessFactors system.
5. I see the Joule chat history in another/colleague's system
Issue: Users can see the Joule conversations in multiple logins with different systems although the login details are different.
Reason: In most of the SFSF Dev / Preview systems, customers have a dummy email created which is common for all users with actual employee details. This can be due to multiple reasons as they take a copy of production to the Dev / Preview system. A dummy email address is created to avoid sending emails to actual users from the Dev / Preview system.
Eg: sap@dummy.com, dummy@dummy.com
Fix: In case you have the dummy emails configured for all the users, in your Dev/ Preview system, you may try the following options:
Once the above changes are done, you may also need to add the Launchpad_Admin User with the Login Name to your SAP BTP Subaccount. In case you already have the user created with an email address, delete it, create a new one with a Login Name, and assign the roles.
6. The Joule Navigation button is missing after a successful Jobrun or Jobsync
Ans: While most of the Setup is complete and jobs have been executed as required if the navigation button is missing (refer to the image for the navigation icon), you will have to check the NavigationService settings at your subaccount destinations.
Navigate to your subaccount -> Click on Connectivity -> Click on Destinations -> Select NavigationService -> Click on Export.
Open the file that you have exported in a notepad and ensure the value of tokenServiceULRType is Dedicated. In case you see the value as Common, go back to your BTP Cockpit, edit the Navigation service select Dedicated, and save the settings. Export the settings and validate the saved changes.
In case the issue continues, a manual refresh of the Content Channel in the Workzone instance is required to make sure Service provider details are updated correctly.
Go to the Work Zone service instance in the BTP subaccount, select Content Channel, choose the service provider connected to SF, click Report, and verify whether Role is assigned correctly. In the below screenshot, the Role is empty.
Go back to your Channel Manager screen and click on the Refresh button to update the Role to the provider that you have created.
Wait for the refresh to complete, once it’s done, click Report to view the details.
If you see the 19/19 in the Role section, we are good. Please log off your SAP SuccessFactors wait for 30 mins for the background jobs to execute and then try again.
7. CDM does now allow users to launch the site manager – channel manager and gives an error.
Issue: while launching the admin user from SFSF to the workzone, if the users are not synchronized it may give an error as below.
Reason: user sync is not complete yet.
Fix:
8. IPS – creating target system we do not see an option for Workzone Std, edition
Issue: The customer has IAS and IPS tenants with separate tenants and not in a common tenant and while creating the target system, the workzone does not show up.
Reason: The IPS landscape is on SAP NEO and the service needs to be upgraded to multi-cloud.
Fix:
They can upgrade it using the help guide or refer to the blog -
Important - The ideal upgrade takes anywhere from 1 hour to 1 day depending on the complexity of the IPS setup from the customer. Please ensure to check the status of the Source/Target/Jobs that were scheduled.
9. How to find out if you have SCIM / oData URL in your IPS Source file and how to change it
Issue: Workzone Groups are supported with SCIM2.0 and the oData API version is not recommended.
How to check: you can log in to your SAP Cloud Identity Services, navigate to your Source System of your SFSF -> Properties, and look for the URL as shown below.
Fix: Make a copy of your Source System and change the values according to the Joule Setup or use the Source & Target Files attached to this blog (bottom). The how to add the Source and Target details are shared in the next step.
Note: If you are downloading the Source & Target Files attached to this blog, please change the file extension from .txt to .json before importing to your Cloud Identity Services. Check step 10 for setup.
10. Quick Setup Use the “Source System and Target System” .json files
In my previous blog on Joule setup, we had discussed setup using the existing SFSF Source, here we are creating a new Source System in both cases either your URL is using oData and/or a new Joule setup. The new Source System will help us to keep the Joule setup separate and not make changes to your existing setup of your SFSF.
Adding Source System:
After the changes, my source looks like this:
Note: Do not enter any details in “Login Name”, it should be blank.
Adding Target System:
Now let us add the Target System using the JSON file, Navigate to your Target System, click on Add, and select the file “WorkZone_Target_ForJoule.json”, once the file is added, you need to change the System Name and add a Description to recognize your setup. Ensure to Select the Source System that was saved in the previous step before you navigate to the Properties Tab.
You may not be able to save until you enter the details required in the Properties tab. Navigate to the Properties tab, and enter the details from your ServiceKey file downloaded from your Subaccount - SAP Workzone ServiceKey. Once you enter the details, you should be able to proceed with your Job Sync.
Note: Since we are using the Certificate for authentication, please use this link to copy your URL based on your data center - mTLS Certificate Server. Example: https://api55preview.cert.sapsf.eu
11. Joule authentication not working when the browser '3rd-party cookie blocking policy' is enabled
Issue: Joule may not be able to work while 3rd party cookie is blocked. This may happen mostly in incognito or in private mode.
Fix: Please look at the SAP Note: 3428564 - Joule authentication not working when browser '3rd-party cookie blocking policy' is enable...
12. How do I verify if all groups are created for Joule
Issue: in case of setup issues, Jobs may not run properly and we need to validate the Groups created/assigned to a user.
Fix: Based on your Job Logs from your Cloud Identity Services, you may log in to your SAP Workzone, Navigate to your SAP Joule Subaccount, click on Instances and Subscriptions -> click on the SAP Workzone, Standard Edition (ensure you have the Role “Launchpad_Admin” is assigned to you), click on the Settings Tab and enter the User Email or the Global User ID to check the assigned Roles.
In case you need further analysis, refer to the blog by Harjeet Judge on - Leverage SCIM APIs of SAP Build Work Zone to view users and groups provisioned into Work Zone
13. I am using my new Common Super Domain (CSD) with my SFSF and Joule URL validation fails during Booster.
Issue: If you are using the CSD then your SFSF URL would have migrated to a new one and Joule fails to validate the New URL
Fix: You can look at the CSD Migration Customer/Partner Guide to match your SFSF Admin URL to successfully run the booster. Refer to Chapter 5 for the URL details.
14. I am unable to use Joule in Incognito mode - Chrome Browser
Reason: Third-party cookies could have been blocked on your Browser
Solution: turn off the Third-party cookies and try to log in.
15. Booster execution fails with an error
Reason: One of the reasons could be that you have not established trust in your sub-account with the Cloud Identity Services.
Fix: Before you run the Joule Booster, please follow 2. Configure SAP Cloud Identity Services(CIS) in our setup blog - (you need to establish Trust for your subaccount and cloud identity services) as this has been added as a prerequisite to the new update to the Booster.
16. "Oops, something went wrong. How about trying something different?" - Joule does not work.
Reason: This could be due to multiple scenarios due to GUID Mismatch, IP Restrictions, or Login and Password Policies IP for individual users.
Case 0: GUID Mismatch Fix: You can refer to the KBA - https://me.sap.com/notes/0003488269 if this is not fixed, please check the following Case 1 and Case 2.
Case 1:
In your SAP SuccessFactors -> Navigate to IP Restriction Management -> If this page has No data, we are good.
In case your company is allowing the whitelisting of certain IPs for internal rules, only then, you should add the SAP BTP NAT IPs that are related to your Joule Service. Look at the fix listed after Case 2.
Case 2:
If your company has maintained your users with certain IPs, this issue could happen only for you. To verify this, you can navigate to Password & Login Policy Settings -> Expand to option Set API login exceptions -> If you do not have any User ID listed, we are all good.
If you(r)/any User ID is listed with an IP Address, then Joule will respond “Oops, something went wrong.”, to fix this, follow the steps below.
Fix(Case 1 and Case 2):
To find the SAP BTP Subaccount Data Center, go to your SAP BTP Account -> navigate to your Subaccount where with Joule Services -> in the Overview section you should be able to see the Cloud Foundry Environment, please look at API Endpoint -> In my case its https://api.cf.us10-001.hana.ondemand.com/ so my CF Data Center is “us10”.
Once you have your CF Data Center, please go to Regions and API Endpoints Available for the Cloud Foundry Environment, and search for your respective value in the Technical Key as below.
Look for the “NAT IPs (egress, IPs for requests from a Cloud Foundry app)” and you need to copy the values related to your CF account. In my case, it's “cf-us10-001”.
For Case 1: Copy one IP at a time and create an entry in your SFSF System in IP Restrictions Management.
You should re-login once this is done.
Caution: In case your company does not have any IP Restrictions and if you add it for BTP only, it may cause issues for Login from other IPs that are not listed in this. Please be cautious before adding this.
For Case 2: You can copy the entire IP Address from NAT IPs (egress, IPs for requests from a Cloud Foundry app), edit the User ID in Set API login exceptions -> append the IP to this list, and Save the settings.
Tip: For Joule to function properly, you may need to do this for all the users listed here. If a user is not listed, there is no need to add them.
17. Joule in SAP SuccessFactors - View Phone Number Behavior
Issue: Phone Number may not respond as expected.
Fix: Refer to the KBA - 3458399
Credits to all the team members @harjeetjudge @DanH @dkumari @harinder_singh_batra @chavi_singhal @Shreelakshmi
Cheers,
Happy Learning
Nagesh
Check our SAP BTP Onboarding Resouce Center for more such BTP-related topics.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
7 | |
7 | |
7 | |
6 | |
6 | |
6 | |
5 | |
5 | |
5 | |
5 |