Before deploying Joule across an SAP landscape, implementation consultants must verify identity and access management (IAM) readiness. A unified Joule experience depends on a consistent Identity and Access Management foundation, not just "turning on" an assistant.
At a high level, SAP’s IAM model for SaaS is built around three pillars: Authentication & Single Sign-On, Identity Lifecycle, and Authorization, with SAP Cloud Identity Services acting as the central interface to standardize these across SAP solutions.
SAP IAM as the Foundation for Joule

Core Architecture Components (Readiness View)
1) SAP Cloud Identity Services (Central IAM Interface)
SAP Cloud Identity Services provide the IAM foundation for SAP cloud landscapes. They include:
- Identity Authentication (authentication and SSO)
- Identity Provisioning (identity lifecycle management)
- Identity Directory (central user store)
- Authorization Management (policies/authorization services)
SAP’s IAM reference architecture emphasizes that SAP Cloud Identity Services serve as the designated IAM interface for SAP SaaS integrations and that standard SSO protocols such as SAML2 and OIDC are both used in real-world landscapes.
Joule-specific note: While enterprise SSO can use SAML2 and/or OIDC, the trust configuration used for Joule onboarding is OpenID Connect (OIDC); SAML-based trust is not supported for Joule trust setup.
2) SAP BTP (Platform Layer for Joule Onboarding and Integration)
Joule is integrated and configured through SAP BTP as part of the onboarding process described in Integrating Joule with SAP. This includes setting up trust, running the Joule Booster, and managing integration via the BTP system landscape and formations.
3) SAP Build Work Zone (Navigation & Content Federation Layer)
For navigational scenarios, Joule uses the navigation service of SAP Build Work Zone to resolve intent-based navigation targets and to consume exposed content from SAP solutions.
4) SAP Solutions (Business Systems Providing Content and Authorizations)
Joule is embedded into SAP solutions and must integrate with SAP products that support Joule. The target SAP product(s) must already be integrated with Identity Authentication because Joule leverages the IAS setup of the SAP product for user login.
Access-Management Readiness Requirements (What to Verify)
1) Unified Identity Tenant Strategy (Critical for Unified Joule)
To enable a unified Joule experience across SAP products, ensure that:
- All SAP products integrated with Joule use the same SAP Cloud Identity Services tenant.
- The same identity (Global User ID) is present across all products in scope.
This aligns with readiness service messaging emphasizing a consistent, unified Cloud Identity Services infrastructure as a prerequisite for unified Joule.
2) Identity Lifecycle & Replication (Keep Users and Groups Consistent)
SAP’s IAM reference architecture highlights that user data is stored across service providers, and that replication is essential, with SAP using standards such as SCIM2 to replicate users and groups and maintain a consistent identity lifecycle.
In Joule onboarding, Identity Provisioning is positioned as the service that handles provisioning of identities and their authorizations across integrated applications (for example, provisioning to Identity Authentication and SAP Build Work Zone).
3) Global User ID / Attribute Alignment (Identity Correlation)
Configure user attributes from the Identity Directory and map user_uuid to Global User ID (as listed in the attribute table). This enables a single identity across products for unified Joule deployments.
4) Trust & SSO Readiness (Where the Landscape Must Be Precise)
Here are the trust setup steps:
- Configure trust to the Identity Authentication tenant (IAS) from the BTP subaccount
- Ensure the IAS tenant domain matches the SAP product trust setup for SSO to work
- Configure trusted domains (IAS + BTP)
This aligns with the IAM reference architecture’s focus on standardized authentication interfaces and consistent integration patterns for SAP SaaS.
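The readiness requirements above (one Cloud Identity Services tenant, OIDC trust for Joule, the same Global User ID in every product) can be checked offline before onboarding. The following is an added example, not SAP code or part of the original article; the inventory format, field names, hosts and IDs are hypothetical, and users are correlated by login as an assumption.

```python
from collections import defaultdict

# Constructed inventory: field names, hosts and IDs are hypothetical,
# not an SAP export format. Users map login -> Global User ID.
LANDSCAPE = [
    {"product": "product-a", "ias_tenant": "acme.accounts.example",
     "joule_trust": "OIDC",
     "users": {"ana@example.com": "guid-001", "bo@example.com": "guid-002"}},
    {"product": "product-b", "ias_tenant": "acme.accounts.example",
     "joule_trust": "OIDC",
     "users": {"ana@example.com": "guid-001", "bo@example.com": "guid-0X2"}},
    {"product": "product-c", "ias_tenant": "acme-test.accounts.example",
     "joule_trust": "SAML2",
     "users": {"ana@example.com": "guid-001"}},
]


def check_readiness(landscape):
    """Return sorted (check, subject, detail) findings; empty list means ready."""
    findings = []
    # 1) Unified tenant: all products must use the same Cloud Identity Services tenant.
    tenants = defaultdict(list)
    for p in landscape:
        tenants[p["ias_tenant"].strip().lower()].append(p["product"])
    if len(tenants) > 1:
        for tenant, products in tenants.items():
            findings.append(("tenant-split", tenant, ",".join(sorted(products))))
    # 2) Trust used for Joule onboarding must be OIDC, not SAML.
    for p in landscape:
        if p["joule_trust"].strip().upper() != "OIDC":
            findings.append(("trust-not-oidc", p["product"], p["joule_trust"]))
    # 3) The same Global User ID must be present in every product in scope.
    seen = defaultdict(dict)
    for p in landscape:
        for login, guid in p["users"].items():
            seen[login.strip().lower()][p["product"]] = guid
    in_scope = {p["product"] for p in landscape}
    for login, per_product in seen.items():
        if len(set(per_product.values())) > 1:
            detail = ",".join(f"{k}={v}" for k, v in sorted(per_product.items()))
            findings.append(("guid-mismatch", login, detail))
        missing = in_scope - set(per_product)
        if missing:
            findings.append(("user-missing", login, ",".join(sorted(missing))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_readiness(LANDSCAPE):
        print(*finding, sep="\t")
```

A `guid-mismatch` or `user-missing` finding points at Identity Provisioning or attribute mapping; `tenant-split` and `trust-not-oidc` point at the trust setup.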
How Joule Onboarding Works (High-Level)
A structured onboarding process has been developed to facilitate Joule's integration with SAP solutions. In summary:
- Confirm prerequisites (licenses, entitlements, product integration with IAS).
- Configure trust to IAS and configure user attributes from the Identity Directory.
- Run the Joule Booster to provision Joule and create a Joule formation including selected integration systems.
- Configure trusted domains (IAS and BTP).
Key Considerations (What Consultants Should Emphasize)
- IAM is the real dependency: Joule depends on a trusted, consistently available identity interface across SAP solutions (Cloud Identity Services), aligning to SAP’s IAM reference architecture.
- Protocol clarity: Landscapes can use SAML2 and OIDC for SSO broadly, but Joule onboarding requires an OIDC-based trust configuration as described in the onboarding guide.
- Unified tenant principle: Unified Joule requires the same Cloud Identity Services tenant and consistent Global User ID across products in scope.
- Navigation requires content + Work Zone: For navigational scenarios, content must be exposed by the SAP product and consumed through SAP Build Work Zone navigation service.
Summary
- SAP’s IAM reference architecture defines three IAM pillars (Authentication/SSO, Identity Lifecycle, Authorization) and positions SAP Cloud Identity Services as the central interface for SAP SaaS IAM.
- Joule readiness and unified Joule experiences depend on a consistent Cloud Identity Services setup, including unified tenant usage and consistent Global User ID across products.
- Joule onboarding follows a standardized BTP-based process (trust, attributes, booster, trusted domains, and solution integration), documented in Integrating Joule with SAP.
Key References
- SAP IAM reference architecture: [SAP IAM integration with SAP Cloud Identity Services]
- SAP Cloud Identity Services overview and scope: [SAP Cloud Identity Services on SAP Help Portal]