I don’t think I have to introduce SAP Joule; it has been making noise all over the SAP Community since the announcements at #SAPTechEd2023.
In case you missed it, Joule is the AI copilot that helps with your business requirements, supporting Navigational, Transactional, and Informational patterns. As part of our first announcements, Joule is Generally Available (GA) with SAP SuccessFactors. You may refer to the SAP SuccessFactors 2H 2023 Release Highlights, take a quick look at the SAP SuccessFactors 2H 2023 Release Highlights Video, or watch the Demo – Interacting with Joule in SAP SuccessFactors.
So let me summarize the important topics:
- Talent Intelligence Hub is GA – Understand, build, and leverage the skills of the workforce with an AI-powered skills framework included in the SAP SuccessFactors platform
- Integrated Learning Experience is GA; it supports users with a redesigned learning home page and personalized AI-powered recommendations on:
  - Have to Learn
  - Need to Learn
  - Want to Learn
- New Recruiter Experience with AI-powered job descriptions using Joule and the ability to add MS Teams call details to the interview
- Interview questions based on the Job Description with Joule
- SAP SuccessFactors App for Microsoft Teams available in the AppStore
- SAP SuccessFactors Employee Central quick actions
- SAP SuccessFactors Incentive Management
- Follow the SAP Road Map Explorer for future updates
Important: SAP Joule is currently available in English and supported in the US (Virginia) and European (Frankfurt) Data Centers with AWS as the Infrastructure Provider.
I recommend always taking a look at the Data Center Mapping between SAP SuccessFactors and Joule.
******************************************************************
Disclaimer: Before we get started, as this is a new product with a lot of momentum and subsequent updates to be announced shortly, we recommend referencing the official Joule help guides in case of any changes from the below process.
******************************************************************
Perfect, now that we have the details on Joule let’s roll up our sleeves and learn how to get started with it.
Pre-requisites:
- SAP BTP Account with Joule (das-application). Check your entitlements in your SAP BTP Global Account. If you have an SAP SuccessFactors license and this entitlement is missing, please contact your SAP Account Executive
- SAP Build Work Zone, standard edition / SAP Start. (SAP Start is now available for customers at no extra cost with services like SAP S/4 HANA Cloud, public edition, or SAP SuccessFactors. You can check the details here)
- SAP SuccessFactors License + Understand the Data Center Mapping listed above
- SAP Cloud Identity Services – you may log in to Viewing Assigned Tenants and Administrators to verify your active tenants. If you are new to the topic, you can check the SAP Discovery Center Mission – Get Started with SAP BTP – Cloud Identity Service Provider (SAP IdP)
- Configure the assertion attribute user_uuid to the Global User ID field in the Identity Authentication application corresponding to your subaccount to allow user identification based on Global User ID (discussed in image 22a)
Roles required to configure:
- SAP BTP Global Account Admin & BTP Subaccount Admin (in case they are different users)
- SAP SuccessFactors Administrator
- SAP Cloud Identity Services Administrator
License: Joule is included as part of your SAP SuccessFactors license at no additional cost with a certain number of free messages for an annual period known as Base AI. Some of the AI Capabilities are part of the premium edition – Premium AI, where you may have to purchase AI Units to use the functionalities.
- SuccessFactors customers will receive a Joule message allocation based on the number of licensed, active users; Users licensed for multiple products only count once
- Messages will be metered on an annual basis; at the end of each term, the annual allocation of free messages will reset (i.e., no carryover)
- Customers must purchase additional SAP AI Units (Premium AI) if they exceed their free message allocation during the annual period
- In case the service is not visible in your BTP Cockpit, to gain access to Joule, all customers will need to license a no-cost SAP SKU. Doing so will trigger the provisioning of Joule and the creation of the terms and conditions that must be accepted by the customer to use Joule.
Please contact your Account Executive for more information on Joule contracts and allocation as they vary based on user licenses.
Account Model in SAP BTP and SAP SuccessFactors Tenant: While you are working with SAP BTP, we recommend creating multiple subaccounts to achieve your desired account model. With SuccessFactors delivering a 2-tier account model (a Dev/Test and a Production tenant), you may want to create two different subaccounts in SAP BTP to mirror that landscape.
Now, let us consider a staged approach to complete the setup activities for Joule with SuccessFactors.
- SAP BTP Activities – Create a Subaccount and Run The Booster
- Configure SAP Cloud Identity Services – In my case, I have already activated it; you may refer to SAP Discovery Center Mission Get Started with SAP BTP – Cloud Identity Service Provider (SAP IdP). I will be skipping this step as it is activated in my SAP BTP account
- Configure Cloud Identity Services in SuccessFactors
- Adding Trusted Domains in SAP Cloud Identity Services
- Post Booster Configurations, required to support Joule – Navigation Services
Now let us get started with the First Step:
- BTP Activities – Create a Subaccount and Run The Booster
1.1 Create a Subaccount
Let us begin by logging in to your SAP BTP Cockpit with Global Account Administrator authorizations to create a new subaccount for Joule. In your BTP Cockpit -> click on Account Explorer -> click on the Create button -> click Subaccount -> enter the Subaccount name and select once you fill in all the required details, please click on Create.
Note: In my Demo, I am going with SuccessFactors DC33/55 Data Center (Frankfurt) and Europe (Frankfurt) Joule Data Center. Please refer to Data Center Mapping which is listed above.
1.2 Configure Joule in SAP BTP Cockpit:
Another important step is to check the required Entitlements. Navigate to Entitlements -> click on Service Assignments -> and search for Joule with limited Quota Assignment as shown in the image below.
Once you add the Joule Entitlement, we are ready to create the subscription. We will use SAP Boosters to configure and consume the Joule Services. To do this, Click on Boosters -> search for Setting up Joule -> and Click on Start, you will see the Overview page – please read the details and then click on Start in the top right side of the screen.
The Booster automatically checks if you have the required Entitlements, Authorizations, and Identity Authentication Tenant. Once the checks are completed, click on the Next button.
In the Configure Subaccount tab, you have to select the subaccount that was created in the previous step. In my demo I created a Subaccount named Joule, so I selected “Joule” and clicked on Next.
In the Select Integration tab, we have to select “SAP SuccessFactors” as this blog is focused on SAP SuccessFactors. Let us select SAP SuccessFactors and click on Next.
In the next screen, we have to provide the Integration Details, such as the SAP SuccessFactors Tenant Domain URL and the Company Code.
Example:
SAP SuccessFactors tenant login URL: https://hcm41preview.sapsf.com/login?company=testacc01
Tenant Domain: https://hcm41preview.sapsf.com
Company Code: testacc01
Once you enter the details, click the Validate button. If there are no error messages, you are good to go; click on the Next button. In my case I am good, so I continue with the next setup.
In case of a general error such as “The provided Company Code either does not exist or is invalid”, please raise an SAP Ticket with the component CA-JOULE or CA-JOULE-PRV.
In the last step, we validate the details that are entered and click on the Finish button.
The booster will execute the process to enable Joule subscription services and you should be able to see the success message as shown below.
This completes the Joule provisioning in your SAP BTP Subaccount.
2. Configure SAP Cloud Identity Services (CIS)
In my case, I have already provisioned it, you may refer to SAP Discovery Center Mission Get Started with SAP BTP – Cloud Identity Service Provider (SAP IdP), so I will be skipping the step of activating the Cloud Identity Services.
So why SAP Cloud Identity Services (CIS)? SAP CIS acts as a central system to authenticate and authorize users for your SAP SuccessFactors and Joule, and it is a mandatory component for the post-booster configurations. In this step, we will enable Custom Identity Service in your Subaccount.
Note: In case you have a Cloud Identity Service configured for your SAP SuccessFactors, you can use the same CIS tenant to establish trust with your subaccount.
Once you activate the Cloud Identity Services, the next step is to Establish Trust between your Cloud Identity Services and the Subaccount. Now let us navigate to the Joule Subaccount: click on Account Explorer -> click on the subaccount Joule -> click on the Security option -> click on Trust Configuration -> click on the Establish Trust button as shown below.
Select the SAP Cloud Identity Services Tenant that you have activated, click on Next, and select the Domain Name either *.accounts.ondemand.com or *.accounts.cloud.com and click on Next.
Tip: For the best SSO experience, ensure you select the same Domain Name throughout the configurations. Before you select this, verify your Cloud Identity Services Domain URL and select accordingly.
Optional Step (Image 12): To create Platform Users, you can either proceed with the next step or set up the trust at the Global Account level. To do the latter, navigate to your Global Account, click on Security -> Trust Configuration -> Establish Trust -> select the Cloud Identity Services tenant that you created -> choose the domain as mentioned above -> click on Next. In Configure Parameters you can modify the name and description; this sets up the trust for Platform Users. Click on Next and then click on Finish. By doing this, the Platform Users option will be added to all Subaccounts by default.
In my case, I have created it to manage Business Users and Application Users.
If you are back to your subaccount to Establish Trust, you should be able to see the screen below to Configure Parameters for Application Users, you can click on Next as shown below.
Upon completion, you should be able to see Platform Users (if added to the Global Account) and Application Users listed on the Trust Configuration page.
2.1 Configure Trusted Domains for SAP Authorization and Trust Management Service
Now within your subaccount, click on the Security option -> click on Settings -> under Trusted Domains click on the Add button to add your SAP SuccessFactors Domain name.
Example: https://hcm41preview.sapsf.com
This completes the setup of Joule in the SAP BTP Subaccount.
3. Configure Cloud Identity Services in SAP SuccessFactors (skip activation step if already active)
Now let us log into the SAP SuccessFactors system and look at the settings required.
In case you already have Cloud Identity Services enabled, you can skip this step, and follow the step after Image 19. To activate the services, click on your Profile icon and then click on Admin Center.
From Admin Center, navigate to Upgrade Center and then select Platform.
Look for the option – Initiate the SAP Cloud Identity Services Identity Authentication Service Integration, click on Learn More & Upgrade Now.
Now click on Upgrade Now, and you will be prompted for a username and Password.
Enter your S-User ID and Password. You may also refer to the help guides and videos on this page to initiate your Cloud Identity Service. While selecting your Cloud Identity Services, please ensure you select the same Identity Services used for your SAP Subaccount configurations in the previous steps.
Once you initiate the change to the Identity Authentication services, it may take up to 24 hrs, and you will receive an email once the upgrade is complete. You may use the Monitoring Tool for Identity Authentication Service to keep track of the changes. Once the Service is activated, please ensure you follow the help documentation to complete the setup process.
Now go back to the Admin Center; you may also want to:
- Manage Role-Based Permission Access, and Grant roles required as per your organizational requirements.
- Manage Permission Groups, Create New Groups, and add Group Members as required
- Go to Manage Permission Role, and click on the Permission Role where you would like to grant Joule services.
On the Permission Role Detail page, click on the Permission… button, click on General User Permission, look for Access to Joule, select it, and click on Done.
This completes the Role assignment to users in SAP SuccessFactors for access to Joule.
4. Adding Trusted Domains and Configure Assertion Attributes in SAP Cloud Identity Services (CIS)
Before testing Joule, we have to maintain your SAP SuccessFactors Domain name in the Cloud Identity Services as a Trusted Domain. Let us log in to the Cloud Identity Services -> click on Applications & Resources -> then click on Customization -> you will be able to see the option Trusted Domain; click on it and click on the Add button to create a new line item specifying the Domain name of your SAP SuccessFactors System as shown below. Enter the details and Save the Settings.
Example: hcm41preview.sapsf.com
4.1 Configure Assertion Attribute
You will have to establish federated trust in your subaccount and configure the assertion attribute user_uuid to the Global User ID field in the Identity Authentication application corresponding to your subaccount to allow user identification based on Global User ID. In your Cloud Identity Services, click on Applications & Resources -> click on Applications -> select the Application where you have established trust -> click on Attributes on the right panel -> expand the section user_uuid and change the Identity Directory value to Global User ID.
This completes the activation of Joule Services in SAP SuccessFactors and the required configurations. You can now navigate to your SAP SuccessFactors System and click on the Joule Icon to open the services.
Say Hello to Joule, your friendly Copilot!!!
Well, we are not quite there yet to use the full capabilities of Joule. We are just a few more steps away, so let us continue.
5. Post Booster Configurations
Once your Joule service is working, you need to configure the navigation service, which is a part of the Build Work Zone, to resolve intent-based navigation targets that are defined in the backend. If you are curious about the navigation pattern and not sure how it looks or works, you can refer to Image 40.
5.1 Create SAP Build Work Zone Application and Instance: You may follow the standard help guide to set this up. If you are setting up SAP Build Work Zone for Joule service, you may use the Foundational Plan as shown below or if you already have SAP Build Work Zone standard edition, you may skip the activation and configure the missing steps. I am showing the process of activating the SAP Start – foundation services, and assigning the entitlements to your subaccount as shown below.
Before activating the services, ensure you have Created a Cloud Foundry instance and created a Space. Now you can go to Service Marketplace and create the SAP Build Work Zone foundation Services Plans and Application Plans as shown below.
Once the services are activated, you can Create a Service Key for the services under Instance as shown below.
Enter a Service Key Name and click on Create. Once the service key is created, click on it to view the data and save the data, we will be using it at a later stage.
Now let us assign a user to the Work Zone service that is activated. Within your subaccount, click on the Security option -> click on Role Collection -> click on Launchpad_Admin -> click on Edit -> In the Users Section add yourself and Save the settings.
5.2 Configure Navigation Service
We need the Navigation Services to navigate to the targets that are defined in the backend. The recommended approach is to use the Name according to the help guide.
5.2.1 Configure Destination to Use Navigation Service
Within the subaccount, click on Connectivity -> click on Destination, click on Create Destination, and enter the following details:
Field | Value |
Name | NavigationService |
Type | HTTP |
URL | portal url from the service key created for the service instance of SAP Build WorkZone, standard edition. (Images 27 & 29) |
Proxy Type | Internet |
Authentication | OAuth2UserTokenExchange |
Client ID | Client ID from the service key created for the service instance of SAP Build WorkZone, standard edition. (Images 27 & 29) |
Client Secret | Client Secret from the service key created for the service instance of SAP Build WorkZone, standard edition. (Images 27 & 29) |
Token Service URL Type | Common |
Token Service URL | https://<uaa url>/oauth/token |
Add additional properties –
Field | Value |
Use default JDK truststore | Enable this option. |
You should be able to see the details below:
The details in Destination should be as below:
Tip: The last line item Token Service URL should end with https://<uaa url>/oauth/token, do not forget this.
Save the changes.
5.2.2 Create a Design Time Destination
Create a design-time destination on SAP BTP to access the CDM content API from SAP SuccessFactors.
Note: Accessing SAP SuccessFactors APIs using Basic Authentication has been deprecated. You can create certificate-based destinations. For more information, see Deprecation of HTTP Basic Authentication for APIs.
For the demo, we are going with Basic Auth for now. Create your second destination, Click on Create Destination and enter the following details:
Field | Value |
Name | LPS_SFSF_dt |
Type | HTTP |
URL | https://<tenant API URL>/rest/servicesfoundation/sfcdmcontentservice/v1/SFCDMContent (Tip: you can refer to SAP Note: 2215682 – SuccessFactors API URLs and external IPs to find your Tenant API URL based on your Data Center) |
Proxy Type | Internet |
Authentication | BasicAuthentication |
User | Enter your SAP SuccessFactors username with oData API access and company in the format of username@COMPANY. |
Password | Enter the password for your SAP SuccessFactors |
Add Additional Properties as follows:
Field | Value |
Use default JDK truststore | Enable this option. |
HTML5.DynamicDestination | True |
Enter the details and Save the settings. The details should be as shown below:
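Added example, not part of the original post or of any SAP tooling: a small Python lint for the two destinations configured in 5.2.1 and 5.2.2, useful for catching the missing /oauth/token path, a user without the @COMPANY suffix, and destinations still on the deprecated Basic Authentication. It assumes the destinations have been written out as dictionaries keyed by the cockpit field labels used in the tables above; all hosts, users and secrets are constructed placeholders.

```python
import re
from urllib.parse import urlparse

CDM_PATH = "/rest/servicesfoundation/sfcdmcontentservice/v1/SFCDMContent"

# Constructed sample input, keyed by the cockpit field labels from the tables
# above. Hosts, user and secrets are placeholders, not real tenant values.
SAMPLE_DESTINATIONS = [
    {
        "Name": "NavigationService",
        "Type": "HTTP",
        "URL": "https://portal.example.invalid",
        "Proxy Type": "Internet",
        "Authentication": "OAuth2UserTokenExchange",
        "Client ID": "placeholder-client-id",
        "Client Secret": "placeholder-client-secret",
        "Token Service URL Type": "Common",
        "Token Service URL": "https://uaa.example.invalid",  # path forgotten
    },
    {
        "Name": "LPS_SFSF_dt",
        "Type": "HTTP",
        "URL": "https://api.example.invalid" + CDM_PATH,
        "Proxy Type": "Internet",
        "Authentication": "BasicAuthentication",
        "User": "apiuser",  # company suffix forgotten
        "Password": "placeholder-password",
        "HTML5.DynamicDestination": "True",
    },
]


def _is_https(url):
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def audit_destination(dest):
    """Return a list of findings for one destination (empty list = clean)."""
    findings = []
    name = dest.get("Name", "")
    auth = dest.get("Authentication", "")
    if not _is_https(dest.get("URL", "")):
        findings.append("URL is not an absolute https:// URL")
    if name == "NavigationService":
        if auth != "OAuth2UserTokenExchange":
            findings.append("Authentication should be OAuth2UserTokenExchange")
        token_url = dest.get("Token Service URL", "")
        if not _is_https(token_url) or urlparse(token_url).path != "/oauth/token":
            findings.append("Token Service URL must be https://<uaa url>/oauth/token")
        for field in ("Client ID", "Client Secret"):
            if not dest.get(field):
                findings.append(f"{field} is empty")
    elif name == "LPS_SFSF_dt":
        if urlparse(dest.get("URL", "")).path != CDM_PATH:
            findings.append("URL does not point at the SFCDMContent endpoint")
        if str(dest.get("HTML5.DynamicDestination", "")).lower() != "true":
            findings.append("HTML5.DynamicDestination is not set to True")
        if auth == "BasicAuthentication":
            findings.append("BasicAuthentication is deprecated for SuccessFactors "
                            "APIs; plan a certificate-based destination")
            if not re.fullmatch(r"[^@\s]+@[^@\s]+", dest.get("User", "")):
                findings.append("User is not in username@COMPANY format")
    return findings


def audit_all(destinations):
    """Map destination name -> findings, keeping only destinations with issues."""
    report = {d.get("Name", "<unnamed>"): audit_destination(d) for d in destinations}
    return {name: issues for name, issues in report.items() if issues}


if __name__ == "__main__":
    for name, issues in audit_all(SAMPLE_DESTINATIONS).items():
        for issue in issues:
            print(f"{name}: {issue}")
```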
5.2.3 Update the Runtime Destination
LPS_SFSF_rt destination is automatically created when you run the Joule booster but you may need to update the destination in the following scenarios:
- If you are using the SAP Build WorkZone foundation plan (not the standard plan), enter/type the following information in the Additional Properties section:
Field | Value |
sap-start | true |
- If your SAP SuccessFactors tenant has already migrated to use the SAP super domain (cloud.sap), update the URL field in the destination to use the new super domain, for example, https://sfsf.cloud.sap/
The configuration should look like this:
5.2.4 Configure Identity Provisioning Service (IPS) Setup for Navigation Service
The Navigation Service component of SAP Build WorkZone, standard edition service uses Identity Provisioning Service to provision identities and their authorizations between source and target systems.
Note: This section describes the steps to configure the source system (SAP SuccessFactors) and target systems (Identity Authentication and SAP Build Work Zone, standard edition) in the Identity Provisioning of your IAS application user interface. For some customers, SAP SuccessFactors and the Identity Authentication systems are already configured as the source and target system by the Upgrade Center.
We need to configure the Identity Provisioning Service (IPS) to:
- Provision user details to the SAP Build WorkZone target system with the user email, Global User ID, and group memberships
- Provision user roles as groups to SAP Build WorkZone target system with role ID as external ID and group memberships
To do this, let us log in to the Cloud Identity Services with Admin Authorizations, click on Identity Provisioning -> click on Source System -> assuming that SAP SuccessFactors is already configured with Cloud Identity Services, click on your existing SAP SuccessFactors Source System -> on the right side of the page, click on Transformation and switch to JSON View -> modify the Group entity in the transformations so that it has the following configuration (refer to the image below):
Property | Value | Description |
Ignore | false | Ensures groups SCIM entity is considered during the provisioning jobs |
Mapping | { "sourcePath": "$.id", "targetPath": "$.externalId" } | Ensures the source ID field of the SCIM entity groups is set to externalId |
Next, under the Properties tab, ensure the field sf.user.filter is configured to fetch all required and valid users.
In case you don’t want the groups to be provisioned in IAS, you can follow the steps below, else you can skip this and go to Create Target System.
- Navigate to Identity Provisioning Source System
- Select the target system configured for Identity Authentication
- Select transformations and switch to JSON view
- Ensure the Group entity in transformations has the following configuration:
Property | Value | Description |
Ignore | true | Ensures groups SCIM entity is considered during the provisioning jobs |
Now let us create a new Target System with the following values and Save the settings:
Field | Value |
Type | SAP Build WorkZone, standard edition |
Name | Any meaningful name (WorkZone-Target) |
Description | Any Meaningful description |
Source System | Select SuccessFactors source system |
The settings should look as below:
In the new Target System that you created (in my case it is SFSF – WorkZone), click on Transformation -> click on JSON view and edit the Group entity with the value below:
Property | Value | Description |
Mapping | { "sourcePath": "$.externalId", "targetPath": "$.externalId" } | Ensures the externalId field of the SCIM entity groups is set to externalId |
The details should be as shown below:
Now click on the Properties tab and check the following details, in case they are missing add them to the list. The values can be found in the Service Key that was generated earlier:
Field | Value |
URL | portal-service field value under endpoints node from the service key |
Authentication | BasicAuthentication |
User | clientid field value under uaa node from the service key |
Password | clientsecret field value under uaa node from the service key |
ProxyType | Internet |
Type | HTTP |
OAuth2TokenServiceURL | https://<uaa url>/oauth/token |
ips.trace.failed.entity.content | False |
cflp.user.unique.attribute | emails[0].value,['urn:ietf:params:scim:schemas:extension:2.0:mapping']['providerId'],externalId |
cflp.support.bulk.operation | False |
cflp.providerId | ID field value for content channel configured for SAP SuccessFactors in SAP Build WorkZone |
cflp.group.unique.attribute | externalId,['urn:ietf:params:scim:schemas:extension:2.0:mapping']['providerId'] |
cflp.bulk.operations.max.count | 100 |
The details should be seen as shown below:
Now let us go back to the Source System. Click on Identity Provisioning -> click on Source System -> click on the Source System service that you have set up -> click on Jobs tab -> Run Read Job or ReSync Job as per your requirements to provision SAP SuccessFactors users and roles to WorkZone (Navigation Service).
The job should run successfully if the configuration is set up correctly. To view the job results, you can click on Identity Provisioning -> click on Provisioning Logs.
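Added example, not part of the original post or of SAP's Identity Provisioning code: a Python sketch that traces a SuccessFactors role through the two Group mappings configured above, to show how the role ID ends up as the group's externalId in WorkZone and what happens when the Group entity is ignored. It assumes the usual JSON-view shape of a group entity with "ignore" and "mappings"; the sample role, the displayName mapping and the helper names are constructed for illustration, and only simple $.a.b paths are handled.

```python
# Constructed transformations, trimmed to the Group entity. The $.id and
# $.externalId mappings are the ones from the tables above; the displayName
# mapping is added only so the sample output is readable.
SOURCE_TRANSFORMATION = {"group": {"ignore": False, "mappings": [
    {"sourcePath": "$.id", "targetPath": "$.externalId"},
    {"sourcePath": "$.displayName", "targetPath": "$.displayName"},
]}}
TARGET_TRANSFORMATION = {"group": {"mappings": [
    {"sourcePath": "$.externalId", "targetPath": "$.externalId"},
    {"sourcePath": "$.displayName", "targetPath": "$.displayName"},
]}}
# Constructed sample of a role as read from the source system.
SAMPLE_SF_GROUP = {"id": "ROLE-1001", "displayName": "Joule Users"}


def _get(doc, path):
    """Resolve a simple '$.a.b' path; None when any step is missing."""
    node = doc
    for key in path.removeprefix("$.").split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _set(doc, path, value):
    """Write value at a simple '$.a.b' path, creating nested objects."""
    keys = path.removeprefix("$.").split(".")
    for key in keys[:-1]:
        doc = doc.setdefault(key, {})
    doc[keys[-1]] = value


def apply_group_transformation(transformation, group):
    """Apply one system's Group mappings; None means the entity is skipped."""
    entity = transformation.get("group", {})
    if entity.get("ignore", False):
        return None
    result = {}
    for mapping in entity.get("mappings", []):
        value = _get(group, mapping["sourcePath"])
        if value is not None:
            _set(result, mapping["targetPath"], value)
    return result


def provision_group(source_t, target_t, sf_group):
    """Source read followed by target write, as one provisioning job would do."""
    intermediate = apply_group_transformation(source_t, sf_group)
    if intermediate is None:
        return None
    return apply_group_transformation(target_t, intermediate)


def check_group_mapping(source_t, target_t):
    """List reasons why a role ID would not arrive as externalId."""
    probe = {"id": "probe-role-id"}
    intermediate = apply_group_transformation(source_t, probe)
    if intermediate is None:
        return ["source system: group entity is ignored"]
    if intermediate.get("externalId") != "probe-role-id":
        return ["source system: $.id is not mapped to $.externalId"]
    final = apply_group_transformation(target_t, intermediate)
    if final is None:
        return ["target system: group entity is ignored"]
    if final.get("externalId") != "probe-role-id":
        return ["target system: $.externalId is not carried over"]
    return []


if __name__ == "__main__":
    print(provision_group(SOURCE_TRANSFORMATION, TARGET_TRANSFORMATION, SAMPLE_SF_GROUP))
    print(check_group_mapping(SOURCE_TRANSFORMATION, TARGET_TRANSFORMATION) or "mappings OK")
```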
5.3 Add a Content Provider to Consume CDM Content
Add a new content provider to your SAP Start site to consume the CDM content from SAP SuccessFactors. Go to your SAP BTP Joule Subaccount -> click on Services -> click on Instances & Subscriptions -> click on the application SAP Build Work Zone, standard edition -> the application opens on a new page, click on the Channel Manager icon -> click on +New button and enter the details for the New Content Provider with following information:
Field | Value |
Title | Enter a name for the content provider (recommended SuccessFactors) |
Description | Enter a description for the content provider. |
ID | Any unique ID (recommended SuccessFactors) |
Design-Time Destination | Select the design time destination LPS_SFSF_dt |
Runtime Destination | Select the runtime destination LPS_SFSF_rt |
Runtime Destination for Dynamic Data | Select Use default runtime destination |
Automatically add all content items to the subaccount | True |
Use the Identity Provisioning service to provision user authorizations | True |
The details should be as shown below:
Well, it’s now time to announce that you have set up your SAP SuccessFactors with Joule services with Navigation Patterns.
Congratulations!!! If you can see the Navigation arrows, the settings are successful.
==========================================================================
This blog is written with the support of our SAP Product Team and SAP BTP Onboarding Team.
Credits and shout out to @harinder.singh.batra and @chavi.singhal, without whom this blog would not have been possible. Appreciate all your support.
===========================================================================
Regards,
Nagesh Caparthy
Follow me on LinkedIn for the latest Updates on SAP BTP.