Skip to main content

IAM for SAP Joule

Last updated on by fabianleh

This architecture page focuses on Identity and Access Management (IAM) for SAP Business AI and SAP Joule. The key advantage of integrating AI is enabling users to leverage cross-domain capabilities, connecting processes and data across multiple business applications. Achieving this requires a robust architecture with comprehensive cybersecurity and IAM features. Note that this approach may differ from traditional project and customer landscapes, where user and access management were typically handled separately for each business application.

Architecture

image of solution diagram
Copy to clipboard
Solution Diagram Resources
You can download the Solution Diagram as a .drawio file for offline use. Alternatively, you may view and edit the Solution Diagram directly on draw.io.
Please note that any changes made online will need to be saved locally if you wish to keep them.
DownloadEdit

The reference architectures highlight the main capabilities and core Hub services available for SAP business applications. SAP Business AI serves as the central platform for AI features, while SAP Joule provides the conversational AI interface. For Identity and Access Management (IAM), SAP Cloud Identity Services are the standard and required solution. SAP Joule relies on these services, using SAP Cloud Identity Services as its user store, which can be shared with other SAP cloud applications through replication or direct access.

To enable SAP Business AI and SAP Joule to interact with multiple SAP business applications, a cross-application IAM setup is needed. This setup is established when the first application integrates with SAP Joule, and subsequent applications can reuse these foundational patterns.

As with other SAP applications that use decentralized user stores, it is essential to create users in the SAP Joule user store within SAP Cloud Identity Services.

SAP Joule primarily uses the OpenID Connect (OIDC) protocol for integration, which is the recommended approach for connecting Joule Functions, though other methods are also supported.

SAP Joule uses SAP Build Work Zone for navigation across applications.

Flow

Setup and during Designtime

The SAP Joule help page describes how to initially setup the application.

In this IAM related architecture we describe and highlight the important details. The flow is split in two ways #1 exposing content mapped to a rolename and #2 the user to role assignment during the session.

Common Data Model (CDM)

  • SAP business applications provide content using the "Common Data Model" (CDM). In this setup, the CDM defines which content—such as Joule Functions—is available and maps each item to a specific role name that grants access. This configuration is managed within the application settings. Originally introduced for SAP Build Work Zone integrations, the CDM enables clear assignment of content to roles and supports seamless navigation across applications.

This is shown in the following diagram:

image of solution diagram
Copy to clipboard
Solution Diagram Resources
You can download the Solution Diagram as a .drawio file for offline use. Alternatively, you may view and edit the Solution Diagram directly on draw.io.
Please note that any changes made online will need to be saved locally if you wish to keep them.
DownloadEdit

Identity Access Management (IAM)

  • Each user must be created in the SAP Cloud Identity Services - Identity Directory. This central user store can be managed through the web UI, the IdDS API, or by uploading a file.
    • When a user is created, a Global User ID is generated (unless a specific value is provided). This Global User ID is essential for linking user identities across different SAP applications and services.

The following diagram illustrates how user information and the Global User ID are distributed:

image of solution diagram
Copy to clipboard
Solution Diagram Resources
You can download the Solution Diagram as a .drawio file for offline use. Alternatively, you may view and edit the Solution Diagram directly on draw.io.
Please note that any changes made online will need to be saved locally if you wish to keep them.
DownloadEdit
  • Typically, the user already exists but must also be created in the SAP application, ensuring the Global User ID is set (either automatically via Identity Provisioning Service (IPS) and the SCIM protocol, or manually, depending on the application).
  • SAP business applications provide user-role assignment APIs, usually based on SCIM 2.0. SAP Cloud Identity Services use the Identity Provisioning Service to synchronize user and role data from the application and update user-role assignments in SAP Build Work Zone.
  • SAP Joule should be set up (using the recommended Booster) and integrated with SAP Cloud Identity Services.

The following diagram shows example IPS flows for replicating users and role assignments from each application.

image of solution diagram
Copy to clipboard
Solution Diagram Resources
You can download the Solution Diagram as a .drawio file for offline use. Alternatively, you may view and edit the Solution Diagram directly on draw.io.
Please note that any changes made online will need to be saved locally if you wish to keep them.
DownloadEdit

Runtime

Log-in to SAP Joule.

  • The user access SAP Joule.
  • SAP Joule does not have an active session and redirects the authentication to the connected SAP Cloud Identity Authentication Service.
  • A common scenario would now redirect the authentication attempt to a 3rd party corporate Identity Provider.
  • After successful login the SAP Cloud Identity Authentication Service creates an OIDC access token (simplified approach) for SAP Joule.
  • SAP Joule leverages now the SAP Build Work Zone Navigation Service to combine the logged in user with the stored user-role assignments and the role-content definition to understand which Joule Function this user during this session can use.

Performing a call

  • The logged in user asked SAP Joule something which invokes a Joule Function the user has access to for an application.
  • SAP Joule leverages the SAP BTP Destination Service to call the Joule Function / API in the name of the user (Principal Propagation).
    • The SAP BTP Destination Service exchanges the user access token from SAP Joule with the SAP Cloud Identity Authentication Service. This exchange provides a proper token for the application to call the Joule Function.
    • The SAP Joule calls the respective API and receives a response based on the user access.
  • SAP Joule answers with the received data.

The authentication-flow

image of solution diagram
Copy to clipboard
Solution Diagram Resources
You can download the Solution Diagram as a .drawio file for offline use. Alternatively, you may view and edit the Solution Diagram directly on draw.io.
Please note that any changes made online will need to be saved locally if you wish to keep them.
DownloadEdit

Characteristics

This setup has the following characteristics:

  • SAP Joule leverages the SAP Cloud Identity Services for IAM, SAP Build Work Zone for Navigation and SAP BTP Connectivity.
  • SAP Joule setup is across SAP applications.

IAM:

  • One Authentication interface for all SAP applications via the SAP Cloud Identity Services - Identity Authentication
  • Preconfigured trusts between the SAP Cloud Identity Services and the SAP Cloud applications
  • Resource Provider initiated and Service Provider initiated SAML and OIDC flows are supported. An Identity Provider initiated SAML flow is technically supported but not the default or recommendation.
  • The Central user store - SAP Cloud Identity Services - Identity Directory - is used to store the user identities and their assignments which allows the merge of attributes during the authentication flow into the tokens e.g. groups can be mapped from the IdDS to the application token.
  • Technically the IAS terminates the authentication flow and creates a new token for the application.

Services and Components

Resources