© 2013 SAP AG Dietmar-Hopp-Allee 16 D-69190 Walldorf SAP JAM ABAP INTEGRATION – CONFIGURATION GUIDE NOVEMBER 2012 Version 1.0

SAIL Configuration Guide

© 2013 SAP AG, Dietmar-Hopp-Allee 16, D-69190 Walldorf

Title: SAIL Configuration Guide
Version: 1.0
Date: November 2012

Configuration Guide for Connecting SAP Jam with SAP ABAP Systems

1 Motivation
2 Initial Setup
2.1 Configuration Flow
2.2 Preparation
2.2.1 Application and OAuth Client
2.2.2 Prerequisites
2.3 Setting up the Back End
2.3.1 HTTP Proxy
2.3.2 Service Provider Certificate
2.3.3 Preparing SAML2
2.3.4 Preparing SHA1
2.3.5 Preparing the Users
2.4 Setting Up SAP Jam
2.4.1 Setting up SAML2
2.4.2 Setting Up the OAuth Client
3 Customizing in the Back End
3.1 Customizing Delivered by SAP
3.1.1 Authentication
3.1.2 Server Definitions
3.2 Local Server Settings
3.2.1 Create Server Definition for SAP Jam
3.2.2 Adjust Server Settings
3.3 Application Settings
3.4 Transactions
3.5 Proposal for Naming IDPs
3.6 Tiny Little Helpers
3.6.1 Sample Reports
3.6.2 Customizing Check
3.6.3 Customizing Transfer
3.7 Most Valued Errors
3.8 Potential Errors

1 Motivation

The Social Media ABAP Integration Library (SAIL) is part of SAP NetWeaver and delivered in a first version with SAP_BASIS 7.31 SP03, 7.30 SP07, and 7.02 SP11.

The use of these new collaboration features is optional. If you want to use them in your system, you first have to activate business function BC_SRV_STW_01.

The activation unveils a new path in the IMG with several configuration steps:

SAP NetWeaver Implementation Guide > Application Server > Basis Services > Collaboration

This configuration guide supports this process step-by-step, providing screenshots, examples, and background information.

The architecture of the system landscape looks as displayed in the graphic below. The two main aspects of the configuration are to:

- Establish the HTTPS connection with the service provider
- Fulfill the prerequisites for the authentication. As different authentication procedures are applied (SAML 2.0 and OAuth 1.0a), the description makes up the largest part of the document.

Note: For the configuration steps described in this document, it is assumed that your SAP NetWeaver release includes SAP_BASIS 7.31 SP05 (alternatively 7.30 SP08 or 7.02 SP12). Therefore, the IMG path that was originally developed for StreamWork integration has to be used. A dedicated IMG path for SAP Jam will be delivered with subsequent SPs.

2 Initial Setup

The tasks described in this chapter must be checked and executed for each backend system:

- The first time you set up the connection between the backend system and the service provider
- When the technical prerequisites change
- When adjustments are made for security reasons (such as regular changes of the certificate)

2.1 Configuration Flow

[Figure: flowchart "Connection of backend system to SAP Jam". Boxes: Start; Preparation, data collection; SAP Jam configuration; SAIL configuration; Backend basic configuration; End.]

2.2 Preparation

To establish a connection between the backend system and the service provider, a number of configuration steps are required on both sides. However, you first need to answer the following questions:

1. What proxy settings do you need to make in order to communicate with the outside world?
2. What is the name of the client-specific SSL-channel? (You can use transaction STRUST to find the information.)
3. Which authentication procedure do you want to use? (As a default - and described below - SAML2 is used for authentication in the user context and RSA-SHA1 is used in the context of an OAuth client).

Note: Cross-company Wikis and cross-company group creation will only work if SAP Jam was configured appropriately. Therefore you have to contact SAP Jam Product Support or Consulting.

Note: Ensure that note 1777493 is applied to get support for embedded URLs in the UI of the backend application.

2.2.1 Application and OAuth Client

The application is delivered by SAP (CRM, HCM, and so on) or it is an application you have developed yourself and that you want to enhance with the collaboration features.

This backend application needs to be registered with SAP Jam as an OAuth client. This OAuth client acts as a representative of the backend application within SAP Jam (the respective configuration can be found in section Setting Up the OAuth Client).

A generic application called SAIL [1] is part of the SAP_BASIS delivery. The questions are, when do you use this generic application, and when do you define an application of your own? You have to decide whether to keep the SAP Jam objects (such as groups, feeds and so on) private - or whether to make them public. If you want to reuse the same objects in several applications, it makes sense to use the same application (SAIL) for all of them. If you do not want other applications to access your SAP Jam objects, you should define your own application.

2.2.2 Prerequisites

First, you need a company in SAP Jam. This corresponds to your SAP Jam license (this is a mandatory prerequisite for a successful integration scenario). You will find further information about your company by choosing the Admin menu point in the user dropdown list as shown in the screenshot below.

[1] SAIL = Social Media ABAP Integration Library

Secondly, the person who wants to perform the setup must have a valid SAP Jam user account; this user account has to be associated with the company that has to be configured. Neither a backend-only user nor a user in a different company will do the trick.

The user account in SAP Jam, which will be used to perform the configuration, must have been granted company administration rights for the company that will be configured.

Full administration rights are required in the back end.

You will receive all of the necessary information for Jam registration together with your license.

Each user has to be registered in SAP Jam with a unique email address, since in the back end the backend user will be mapped to this email address to access SAP Jam.

2.3 Setting up the Back End

Note: If you are wondering why you should use the IMG path that is dedicated to StreamWork for setting up the connectivity to SAP Jam, refer to the red box in the Motivation chapter.

2.3.1 HTTP Proxy

IMG node: Collaboration > StreamWork Integration > Direct Communication > Define HTTP Service

Communication from a company network with the outside world takes place by means of an HTTP proxy that needs to be maintained in Customizing.

Click the IMG node that starts transaction SICF, choose Execute (F8) without making further specifications, then, in the Client menu, select Proxy Settings (Ctrl-F2).

On the HTTPS Log tab, you can find the value that the system uses for proxy access by default (the Host Name and Port fields).

The fields might not be filled because global defaults are used here. If this is the case, ask your system administrator. (Actually, it might work even if the values are empty.)

Also ask your system administrator whether it is necessary to use a dedicated connection. If so, make sure you are given the valid values for Host Name and Port.

2.3.2 Service Provider Certificate

IMG path: Collaboration > StreamWork Integration > Direct Communication > Maintain Certificate of Service Provider

The service provider must be set up as a trustworthy system in the back end.

2.3.2.1 Retrieving the Certificate

First of all, you need the SSL certificate of the service provider. You can obtain this from Firefox, for example, via the icon to the website:

Or in the Internet Explorer via the Security Report:

And if you prefer Chrome:

This certificate has to be saved in a file with Base64 format. You can choose whether you want to use the client certificate or the CA certificate; the latter has a much longer validity.

2.3.2.1.1 Client certificate

Display the certificate dialog, switch to the Details tab and choose Copy to File.

In the next dialog, activate the Base64 option:

2.3.2.1.2 CA Certificate

The CA certificate requires the same steps except that you first jump to a different dialog. Again, open the certificate dialog – but instead of switching to the Details tab, you switch to the Certificate path tab. There you highlight the second to last certificate and choose View Certificate.

A second certificate dialog opens and you can proceed as described in the Client certificate chapter. As you can see, the client certificate is valid for three years – the CA certificate for 10 years.
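Before the saved file is imported in STRUST, its fingerprint (to compare with the one shown in the browser's certificate dialog) and its remaining validity can be checked offline. The following Python script is an added example, not part of the SAP guide; the function names, the 90-day warning threshold and the embedded structure-only sample certificate are assumptions constructed for illustration.

```python
import base64
import hashlib
from datetime import datetime, timezone

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_to_der(pem_text):
    """Decode the Base64 body between the PEM markers into DER bytes."""
    body = pem_text.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits = number of length bytes
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def parse_time(tag, raw):
    """Convert an X.509 UTCTime (0x17) or GeneralizedTime (0x18) to datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:  # two-digit year: 50-99 means 19xx, 00-49 means 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_period(der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    _tag, pos, _end = read_tlv(der, 0)       # Certificate SEQUENCE
    _tag, pos, _end = read_tlv(der, pos)     # tbsCertificate SEQUENCE
    tag, _start, end = read_tlv(der, pos)
    if tag == 0xA0:                          # optional [0] version field
        pos = end
    for _field in ("serialNumber", "signature", "issuer"):
        _tag, _start, pos = read_tlv(der, pos)
    tag, pos, _end = read_tlv(der, pos)      # validity SEQUENCE
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    t1, s1, e1 = read_tlv(der, pos)
    t2, s2, e2 = read_tlv(der, e1)
    return parse_time(t1, der[s1:e1]), parse_time(t2, der[s2:e2])


def check_certificate(pem_text, now, warn_days=90):
    """Summarise fingerprint and remaining validity of a Base64 certificate file."""
    der = pem_to_der(pem_text)
    not_before, not_after = validity_period(der)
    days_left = (not_after - now).days
    if now < not_before:
        status = "not yet valid"
    elif now > not_after:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {"sha256": hashlib.sha256(der).hexdigest(), "not_after": not_after,
            "days_left": days_left, "status": status}


def der_encode(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content


def constructed_sample_pem(not_before=b"121101000000Z", not_after=b"151101000000Z"):
    """Constructed, structure-only certificate: empty names, no key, zeroed signature."""
    oid = der_encode(0x06, bytes.fromhex("2a864886f70d01010b"))
    alg = der_encode(0x30, oid + der_encode(0x05, b""))
    name = der_encode(0x30, b"")
    validity = der_encode(0x30, der_encode(0x17, not_before) + der_encode(0x17, not_after))
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))
    serial = der_encode(0x02, b"\x01")
    tbs = der_encode(0x30, version + serial + alg + name + validity + name)
    cert = der_encode(0x30, tbs + alg + der_encode(0x03, bytes(257)))
    return "%s\n%s%s\n" % (PEM_BEGIN, base64.encodebytes(cert).decode("ascii"), PEM_END)


if __name__ == "__main__":
    # Replace the sample with the contents of the file saved from the browser.
    report = check_certificate(constructed_sample_pem(), datetime.now(timezone.utc))
    print(report["status"], report["not_after"].date(), report["sha256"])
```

Running the same check on a schedule against the file that was imported gives advance notice of the expiry that would otherwise surface as a failed connection.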

2.3.2.2 Setting up the SSL Channel

Now go to transaction STRUST. There you will find the entry for the client Anonymous SSL-channel.

You need to import the Service Provider Certificate if it does not yet exist. In the final result, the service provider's certificate that you have saved in the file must appear in the list of certificates. If you have chosen to import the client certificate instead of the CA certificate, it may look like this:

2.3.3 Preparing SAML2

IMG path: Collaboration > StreamWork Integration > Direct Communication > Enable SAML 2.0 Identity Provider

To authenticate a user with the service provider, version 2.0 of the Security Assertion Markup Language (hereafter called SAML2) is used. The basic procedure is as follows:

1. The backend system is made known to the service provider in the form of an Identity Provider (IDP). This happens when you make an entry in a specific company and provide the IDP certificate. This establishes a trustworthy relationship between the back end and the service provider.

2. The backend system provides an assertion that ensures that the specified user has been authenticated in the backend system.

3. This assertion is sent to the service provider. As the service provider has a trustworthy relationship to the back end in 1., the user – assuming the user belongs to the company – is considered to be registered.

4. A session ID that the user uses to identify himself or herself to the service provider for the next operation is issued.

Click the IMG node to start transaction SAML2 to set up the IDP in the current client:

The IDP, when set up, is valid for all applications connecting to SAP Jam from this client (you may leave all wizard settings at their default value - except the provider name, of course):

The Provider Name is needed later so it can be entered in the service provider's company. Change the default by adding a company-specific prefix, for example, <company>_<systemID>_<client>.

The operation mode is Service Provider.

The certificate for the IDP is also required. In order to save this to a file, change to transaction STRUST. There you will find the node SSF SAML2 Service Provider - S. The 'S' stands for Signature – this is exactly what is needed. Export the IDP certificate according to the procedure shown below in Image 1: Export Certificate.

This is a link to the illustration!

2.3.4 Preparing SHA1

IMG path: Collaboration > StreamWork Integration > Direct Communication > Retrieve Certificate for RSA-SHA1

A client based on OAuth (2-legged or 3-legged) is required by some administrative APIs that are run in an application. By default, RSA-SHA1 is used for encryption.

Normally, the application-based OAuth requires a consumer key and secret to be stored in the backend system (for each application), but the Social Media ABAP Integration Library uses a variant that replaces the secret by a SAML assertion, similar to the SAML 2.0 authentication scenario. For this approach, only one entry is necessary in SSF, and no secrets need to be stored here. The consumer key for each application still needs to be maintained, as described in chapter 3.3.

1. A Secure Store & Forward Application (SSFA) is set up in the back end.
2. You use transaction STRUST to issue a certificate for this SSFA. It is registered with the service provider.
3. The communication that takes place between the back end and the service provider is authenticated with the help of the chosen encryption.

In the system, the SSFA exists with the name CLBOAU. See next chapter for details.

2.3.4.1 Create an SSFA Instance

The entry CLBOAU created in this step should be available in the system as it is part of the standard delivery. If it is missing for any reason, you can do the following:

Start transaction SSFA, which will be used to create an instance of the SSFA application type CLBOAU. Select New Entries (F5) and enter the following values:

SSF Format: The entry you select should reference PKCS#1 or, in some cases, PKCS1-V1.5.

The name of the Private Address Book and the SSF Profile Name may differ slightly, depending on the system settings.

Go to transaction STRUST: In the tree on the left, you will find the SSFA application you just created. To create a new PSE, right click your mouse to choose Create.

Double check your settings to ensure that you have selected RSA as the algorithm. This SSF certificate has to be exported to the back end in Base64 format since it has to be entered in the service provider at a later time. Double clicking the certificate owner field displays the certificate. Use the Export command to save it in the file.

Image 1: Export Certificate

2.3.5 Preparing the Users

In the standard delivery, the SAP Jam user corresponds with the e-mail address of each user in the back end.

Please ensure that all users have maintained an e-mail address.

This concludes the preparatory tasks in the back end.

2.4 Setting Up SAP Jam

Each application in the back end should be registered as an OAuth client.

You need the authorization as a company administrator in SAP Jam to do the configuration steps described in this chapter. The starting point of the configuration is the Admin menu. You can reach it by choosing the Admin menu point from the user dropdown list at the upper right corner as shown in the screenshot below.

2.4.1 Setting up SAML2

IMG path: Collaboration > StreamWork Integration > Direct Communication > Register SAML Trusted Identity Provider at SAP Jam

From the Admin menu choose “SAML Trusted IDPs” and click on the link “Register your identity provider” as shown in the screenshot.

Register only the IDP that you created in the back end:

The most important specifications you need to make are:

1. Identity Providers ID: Use the name you assigned in the back end. The names in SAP Jam and in the back end have to be identical.

2. Allowed Assertion Scope: Choose Users in my company to enable the IDP for the users in your company.

3. Certificate: This is where you need the IDP certificate you saved in a file above.

Finally, press the Save pushbutton to finish this configuration step. Setting up the authentication of your application for SAP Jam using a SAML2 Assertion is now complete.

2.4.2 Setting Up the OAuth Client

IMG path: Collaboration > StreamWork Integration > Direct Communication > Register Application as OAuth Client

Your back end application needs a corresponding counterpart with the service provider. From the Admin menu in SAP Jam choose “OAuth Clients” and afterwards press the link “Add OAuth Client” as shown in the screenshot below.

This brings you to the following registration screen:

1. Application name: In the back end, this application is then linked with the application found there. Therefore, we recommend that you reference the backend application – but you may have to consider multi-tenant or cross-system scenarios. Therefore, we recommend that you use a name pattern like <company>_<systemID>_<client>_<application> as defined in transaction CLB_APPLI_PLATF, for instance SAP_YN3_000_SAIL. The name should not be longer than 255 characters. There are no special requirements for the format of the name and blanks are allowed.

2. Certificate
   a. This SSF certificate has been saved to a file above in case you want to use RSA-SHA1 signatures for calls in the application context.
   b. If you leave this field blank, SAP Jam supplies a Consumer Secret as the result – with it you can use either PLAINTEXT or RSA-HMAC instead of RSA-SHA1.

After pressing the Save pushbutton, you will find the consumer key that you have to enter in Customizing at a later point in time, following the View link of your OAuth Client:

This completes the OAuth Client configuration in SAP Jam.
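What the choice in step 2 of the registration means on the wire, as an added example that is not part of the SAP guide: with a Consumer Secret, the OAuth 1.0a (RFC 5849) PLAINTEXT method transmits the secret itself, while HMAC-SHA1 (assumed here to be the method the guide calls RSA-HMAC) transmits a MAC bound to the request. The endpoint URL, consumer key, secret and parameters are constructed placeholders, and the URL is assumed to be an already normalized base URI without a query string.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample request (hypothetical endpoint and values).
SAMPLE_URL = "https://jam.example.invalid/api"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "CONSTRUCTED-KEY",
    "oauth_nonce": "4f1c",
    "oauth_timestamp": "1352000000",
    "oauth_version": "1.0",
    "group name": "Sales & Ops",
}


def pct(value):
    """RFC 5849 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Join method, base URL and the sorted, encoded parameters as RFC 5849 defines."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join("%s=%s" % pair for pair in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(signature_method, base_string, consumer_secret, token_secret=""):
    """Compute the oauth_signature value for the two shared-secret methods."""
    key = "%s&%s" % (pct(consumer_secret), pct(token_secret))
    if signature_method == "PLAINTEXT":
        return key  # the secret itself; the base string is ignored
    if signature_method == "HMAC-SHA1":
        mac = hmac.new(key.encode("ascii"), base_string.encode("ascii"), hashlib.sha1)
        return base64.b64encode(mac.digest()).decode("ascii")
    raise ValueError("unsupported signature method: %s" % signature_method)


def compare_methods(secret, method, url, params, changed_params):
    """Report, per method, whether the secret is sent and a changed parameter is noticed."""
    result = {}
    for name in ("PLAINTEXT", "HMAC-SHA1"):
        original = signature_base_string(
            method, url, dict(params, oauth_signature_method=name))
        changed = signature_base_string(
            method, url, dict(changed_params, oauth_signature_method=name))
        signature = sign(name, original, secret)
        result[name] = {
            "secret_on_wire": pct(secret) in signature,
            "detects_changed_parameter": signature != sign(name, changed, secret),
        }
    return result


if __name__ == "__main__":
    changed = dict(SAMPLE_PARAMS, **{"group name": "Finance"})
    report = compare_methods("constructed-secret", "post", SAMPLE_URL,
                             SAMPLE_PARAMS, changed)
    for name, facts in report.items():
        print(name, facts)
```

Registering the SSF certificate instead avoids a shared secret altogether, because the back end then signs with its private key and SAP Jam only holds the public certificate.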

3 Customizing in the Back End

Finally, you need to turn your attention to the configuration of the Integration Library in the backend system.

3.1 Customizing Delivered by SAP

Note: This section is for information purposes only. You do not have to do anything here.

You can inform yourself about the service providers (aka platform types) and the supported API methods in the CLBVC_PTYPE view cluster (transaction CLB_PTYPE).

This design-time model defines SAP StreamWork as the first service provider.

Note: A dedicated platform type for SAP Jam will be delivered with the SAP NetWeaver support packages including SAP_BASIS 7.31 SP07, 7.30 SP09, or 7.02 SP13.

In addition to the service provider, the view cluster defines the API methods that are currently supported starting from the very first version (V1) including all subsequent versions.

You can find the backend applications that use the Social Media ABAP Integration Library in the CLBV_APPLI view (transaction CLB_APPLI). Note that a SAIL application that may be reused by many applications is delivered. Therefore, it is not mandatory for new applications to define an entry of their own.

3.1.1 Authentication

Table CLBC_PLATF_AUTH defines the appropriate authentication method for each authentication context and for each target server. The delivery Customizing mentions four different types of authentication contexts (view CLBV_AUTH_CONT):

The authentication methods are listed in the CLBV_AUTH_METH view. Delivered methods are:

Method            Description
OAUTH_10_SHA1     2-legged OAuth for application context without audit
SAML_20           Session ID with SAML2 authentication
OAUTH_10_SHA1_3   3-legged OAuth for application context with audit
NONE              Internal authentication method

3.1.2 Server Definitions

You can view the delivered system specifications in the CLBVC_PLATF_DEF view cluster (transaction CLB_PLATF_DEF). First and foremost, this view cluster defines the servers for each Service Provider.

Server URLs for SAP StreamWork:

productive: https://streamwork.com
sandbox: https://sandbox.streamwork.com

The purpose of the sub node "API Method Versions" is to choose for each target server exactly one of the method versions from the repository specified by view cluster CLBVC_PTYPE. This mechanism allows testing of a new method version against a test system while still using the former version in the productive system.

3.2 Local Server Settings

Since the delivered Server Definitions are intended to be used for StreamWork connectivity, a modification-free adjustment has to be made as described in Create Server Definition for SAP Jam.

3.2.1 Create Server Definition for SAP Jam

Execute transaction CLB_PLATF_DEF and copy the entry “StreamWork” “productive” as displayed in the screenshot.

In the following screen, adjust the Server, the Description, the Server URL, and the Service Provider. During licensing of SAP Jam, you received a unique URL that has to be entered as the Server URL. In case of questions you may contact SAP Jam Product Support.

After pressing Enter, select copy all in the dialog box that appears.

Finally, choose Save in the view cluster. If you also want to connect to a test instance of SAP Jam, you have to execute the steps described in this chapter for it as well.

3.2.2 Adjust Server Settings

IMG path: Collaboration > StreamWork Integration > Direct Communication > Server Settings

The next view cluster defines how the back end connects to the service provider servers and is available as CLBVC_PLATF (transaction CLB_PLATF).

Here you have to specify (for each system and client) the target servers that you use (from the entries you entered in Create Server Definition for SAP Jam).

You have to fill the following values to get a valid instance:

1. Proxy: This is the proxy information that has been gathered above. The integration scenario may work without entering a value here by just using the system defaults, however, it can fail in some cases when no value is entered.

2. SSL Client Identity: The SSL Channel has already been set up.

3. Make sure the SEA Active flag is not set, since the StreamWork Enterprise Agent is no longer used with SAP Jam.

You use the Authentication Method subnode to specify the authentication methods used on this server. The default assignment should look like this for the productive SAP Jam server:

You perform the authentication by implementing BAdI CLB_AUTHENTICATE; a BAdI implementation exists for each authentication method, and the method is used as a filter value for the BAdI. Implementations are delivered for the specified authentication methods OAUTH_10_SHA1, OAUTH_10_SHA1_3, and SAML_20.

Note: If necessary, you could define a new OAUTH_10_HMAC value for the context APPLI and create a new BAdI that has the filter value OAUTH_10_HMAC and that uses the RSA-HMAC algorithm in its signature.

You can find the enhancement spot here:

Package S_CLB_CONNECT
Enhancement spot CLB_CONNECTIVITY
Interface IF_CLB_AUTHENTICATE

3.3 Application Settings

IMG path: Collaboration > StreamWork Integration > Direct Communication > Application-Specific Server Settings

The CLBVC_APPLI_PLATF view cluster handles the actual application-specific settings for each server. It must be maintained for each system and client.

The first level is used to assign a server of the service provider to the backend application (Application ID).

The application shown here (SAIL) will be delivered as a preset; the server for SAP Jam was created in section Create Server Definition for SAP Jam.

The server settings contain information about the name of the OAuth Client on the service provider's side and about which Consumer Key has been assigned to it. You need this consumer key for access with the help of the OAuth log.

3.4 Transactions

The following transactions are available for direct access:

CLB_PTYPE         Service Provider
CLB_APPLI         Backend Applications
CLB_AUTH_CONT     Authorization Context
CLB_AUTH_METH     Authorization Methods
CLB_PLATF_DEF     Server Definitions
CLB_PLATF         Service Provider Settings
CLB_APPLI_PLATF   Application Settings
CLB_IC_DISP       Dispatcher

3.5 Proposal for Naming IDPs

In each system, for each client you want to connect to SAP Jam, you have to create a new IDP that has to be unique worldwide. The proposal is to use the following naming convention:

<company ID>_<system ID>_<client>

So, for example, the ACME company, which has the system ACM and a client 100, would simply name this IDP

ACME_ACM_100

3.6 Tiny Little Helpers

3.6.1 Sample Reports

We provide sample reports for the most important API features. You can use them if you want to check whether the configuration (still) works or if you want to see an example of how tasks can be solved using the Social Media Integration API. The most important are:

- RSTW_LIBRARY_TEST_FEED
  Get the personal feed. Select the Application ID of the system you just configured, choose the function Get personal feed and press Execute - if this report works without an error, you can be sure that the SAML2 setup worked.

- RSTW_LIBRARY_TEST_TOPIC
  Create a topic for your company. Choose Create a Topic as the function, select the Application ID you just configured and press Execute - if this works without error you can be sure that the 3-legged authorization works, too, and that that part of configuring the access to SAP Jam is done.

To see all of the reports provided as examples, just use the value help in SE38 with the pattern RSTW_LIBRARY_TEST*.

3.6.2 Customizing Check

If you want to check the current Customizing version, you can use the report RCLB_CUST_CHECK. It checks selected platforms to see whether Customizing is complete and plausible.

The following assumptions are made for the NetWeaver releases including SAP_BASIS 7.31 SP05, 7.30 SP08, or 7.02 SP12:

- Table CLBC_PTYPE should list the platform type StreamWork
- All methods that are supported are checked in table CLBC_PTYPE_METH
- At least one version for each method should be available (in table CLBC_PTYPE_VERS)
- Implementation classes in CLBC_PTYPE_CF
- One dispatcher for SAP Jam is expected (SW_SAML2) in table CLBC_IC_DISP
- Server definitions in table CLBC_PLATF_DEF for StreamWork's productive and sandbox servers and the servers defined in the section Create Server Definition for SAP Jam
- The default application SAIL (= Social Media ABAP Integration Library) in CLBV_APPLI
- Authentication contexts APPLI, APPUSR, USER, and NONE in table CLBC_AUTH_CONT
- Authentication methods in CLBC_AUTH_METH: at least OAUTH_10_SHA1, OAUTH_10_SHA1_3, SAML_20, and NONE should be available
- Definition of authentication methods per server in CLBC_PLATF_AUTH: Entries for productive and sandbox servers of SAP StreamWork

3.6.3 Customizing Transfer

We created a small report that allows you to import common Customizing settings from one system into another. This is helpful if you quickly want to connect a system, for example, to Sandbox but don’t want to go through all of the Customizing steps such as updating the SAP Jam server settings and such. Basically, this report connects via RFC to a system of your choice and tries to read the Customizing from there; if this was successful, the common settings are applied to the current system and the missing Customizing will be added.

Of course, it’s a rather rough report, far away from productive quality; so if you think you need such a helper and if you feel tough enough to face a hacking style of coding, please contact us.


3.7 Most Valued Errors

If an API connection to SAP Jam does not work, first try to log on to SAP Jam using the browser of your choice. If SAP Jam is in maintenance mode, you may not be able to log on for a short period of time and the API calls will also fail.

The following mistakes/errors happen from time to time when making changes to the system settings:

| Error | Reason | Solution |
|---|---|---|
| HTTP code 407 | SAP Jam certificate not added to the list of certificates in STRUST. | Read this document again. Read carefully. Concentrate on chapter 2.3.2. |
| | SAP Jam certificate has reached the end of its validity. | Get a new certificate as described in chapter 2.3.2 |
| No SAML assertion | The IDP in the backend system has a different name than in SAP Jam. | Read this document again. Read carefully. Concentrate on chapter Setting up SAML2 and double check the IDP names. |
| No signature | The SSFA certificate used the wrong algorithm for the public key. | Read this document again. Read carefully. Concentrate on chapter 2.3.4.1. Delete the PSE and try again with RSA as the algorithm. |


3.8 Potential Errors

You may encounter situations in which you followed all the instructions in this document and still get errors. The following is a – non-comprehensive – list of places where you can look. The Error column does not list the exact error message but only the most important keywords of the error message.

| Error | Possible Reason | Possible Solution |
|---|---|---|
| No signature | No PSE has been distributed. | Start transaction STRUST, search the node for your SSFA (the standard delivery contains the node SSF Collaboration Integration), right-click and perform the Distribute-command. |
| Signature validation failed | The SSF parameters of the SAML SSF application are wrong. | Start transaction SSFA and look for the entry “SAML2 Service Provider – Signature”. Ensure that the SSF format is set to PKCS#1. Ensure that the hash algorithm is set to SHA1. |
| | The SSF parameters of the SSF application CLBOAU are incorrect. | See the entry for SAML SSF, one line above. |
| Invalid SAML2 signature | The certificate has expired, is not valid yet, or simply missing. | Start transaction STRUST, double-click on the SSF SAML2 Service Provider – S-node, then double-click on the subject field in the detail screen and check the validity on the lower part of the screen. |
| SAML Serviced Provider does not match audience | The IDP name as listed in transaction SAML2 is different from the name in SAP Jam. | Use the same name as in the back end when creating an IDP as outlined in Setting up SAML2. |
| SAML: Issuer is not an IDP | The IDP of the backend system has not been entered into the SAP Jam configuration. | Use the same name as in the back end when creating an IDP as outlined in Setting up SAML2. |
| HTTP code 404 (Not Found) | You are trying to access an endpoint of the REST API that either does not (yet) exist or that is spelled wrong. | Check if you try to access an endpoint in the productive environment that has not been transported there yet |
| HTTP code 407 | When connecting to the cloud you get a 407 although the SSL certificate has been added to the trusted certificates of the client SSL ANONYM. | The certificate chain provided by SAP Jam has been broken. Reinstall the SSL certificate following chapter 2.3.2. |
| HTTP code 401: account not activated | The account has just been created or the password of the account has been reset. | Log on to SAP Jam using the browser of your choice. |
| HTTP code 401: oAuth authorization failed | SSFA certificate has been changed in the back end, a new SAPCryptolib has been installed | Download the consumer application certificate as described at the end of chapter 2.3.4.1 illustrated as Image 1: Export Certificate. Import the certificate into your OAuth Client you have created in 2.4.2 |
| Error “E-Mail address does not exist” | There is no e-mail address maintained in the user data in the back end. | Maintain the e-mail address in transaction SU01. |
| User does not belong to an organization this IDP can provision users into | The backend IDP is valid and recognized by SAP Jam; but the user has not been added to the company to which this particular IDP is assigned. | Go to SAP Jam and check whether the user has been created at all or if it does not exist; secondly, check whether the user is assigned to your company. |
| Invalid OAuth protected resource access request | The consumer key of the OAuth client is incorrect. | Get the consumer key you have created here and compare it with the application settings in the back end. |
| HTTP code 402: Timeout | The request has been sent to an HTTPS port but as plain HTTP. | Possibly the proxy settings (proxy and host) do not match the real world. This happens for example, when you use a proxy but the target is behind the firewall and therefore can’t be accessed without proxy. |
| HTTP code 400: Bad request | The server URL uses protocol HTTP instead of HTTPS | Verify that the server URL in the Server Definitions matches the target URL. |
| | One of the parameters in the request sent to SAP Jam is out of range. | This is most likely to be solved via debugging. A breakpoint can be set in CL_CLB_CONNECTOR, method DO_RECEIVE. |
| HTTP code 400 with ICM_HTTP_CONNECTION_FAILED | The authentication methods are not completely customized. | Have a look at chapter 3.1.1 and check if the authentication methods are properly customized (cf. also Adjust Server Settings). |
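Several rows above come down to a name mismatch between the back end and SAP Jam. The following Python script is an added example, not part of this guide or of SAP's code: it reads a captured SAML assertion and reports which of the two name-related errors it would be expected to trigger. The sample assertion, the audience value jam.example.invalid, the function names, and the assumption that names are compared as exact strings are illustrative.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion; every value is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2012-11-01T10:00:00Z">
  <saml:Issuer>Acme_ACM_100 </saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>jam.example.invalid</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def idp_name(company_id, system_id, client):
    """Build the IDP name the guide recommends: <company ID>_<system ID>_<client>."""
    return f"{company_id}_{system_id}_{client}"


def describe_mismatch(actual, expected):
    """Say whether two names differ only by case/whitespace or are different names."""
    if actual.strip().casefold() == expected.strip().casefold():
        return f"{actual!r} differs from {expected!r} only by case or whitespace"
    return f"{actual!r} is not {expected!r}"


def diagnose(assertion_xml, registered_idp, expected_audience):
    """Return (error keyword from section 3.8, detail) pairs for name mismatches."""
    if "<!DOCTYPE" in assertion_xml:
        raise ValueError("refusing to parse an assertion that carries a DOCTYPE")
    root = ET.fromstring(assertion_xml)
    findings = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    # Assumption: names are compared as exact strings, so a stray blank already fails.
    if issuer != registered_idp:
        findings.append(("Issuer is not an IDP", describe_mismatch(issuer, registered_idp)))
    audiences = [a.text or "" for a in root.iterfind(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        detail = "; ".join(describe_mismatch(a, expected_audience) for a in audiences)
        findings.append(("does not match audience", detail or "no Audience element"))
    return findings


if __name__ == "__main__":
    for keyword, detail in diagnose(SAMPLE_ASSERTION, idp_name("ACME", "ACM", "100"),
                                    "jam.example.invalid"):
        print(f"{keyword}: {detail}")
```

The constructed sample deliberately carries an issuer with different casing and a trailing blank, the kind of difference that is easy to miss when comparing the names by eye.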


Appendix

Links

- SAML 2.0 Specification: http://www.oasis-open.org/committees/download.php/20645/sstc-saml-tech-overview-2%200-draft-10.pdf
- OASIS Website: http://www.oasis-open.org/
- oAuth: http://oauth.net
  http://hueniverse.com/2007/10/beginners-guide-to-oauth-part-i-overview/

Glossary

- Service Provider: Web resource that provides consumable services via API
- SAML (SAML2): Security Assertion Markup Language (Version 2.0)
- oAuth: Open protocol for authentication via API for Web applications as well as for Desktop applications.
- RSA-SHA1:
  RSA: An asymmetric cryptosystem created by the mathematicians Rivest, Shamir, and Adleman for the encryption of data, based on a public and a private key.
  SHA1: Secure Hash Algorithm #1. Procedure for calculating hash values. See Wikipedia.
  RSA-SHA1: Is a combination of RSA and SHA1 – An SHA value is encrypted with an RSA message and transferred.
- IDP: Identity Provider
- PSE: Personal Secure Environment
- Endpoint: Part of the URL that identifies the executing resource of the service provider. The URL to be called is made up of the root URL and the endpoint. If the root URL is https://www.cubetree.com and the endpoint is /members/groups, then the final URL is https://www.cubetree.com/members/groups.
- SSL: Secure Sockets Layer: Internet protocol developed by Netscape; it is used to make communication in the internet more secure.

© 2014 SAP AG. All rights reserved.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

www.sap.com