Troubleshooting Issues and Customizing Joule

Objective

After completing this lesson, you will be able to troubleshoot common issues and customize Joule to meet specific business needs.

Troubleshooting and Advanced Configuration

Whether you’re experiencing performance bottlenecks or looking to enhance the AI-driven recommendations, check out the following common issues and delve into advanced configuration option to fine-tune Joule to equip you with the necessary tools and techniques to ensure smooth and efficient operation.

  1. Joule is not functioning in the SAP SuccessFactors account

    Reason: This issue is connected to the Configure Trusted Domains for SAP Authorization and Trust Management Service in your setup.

    Solution: Please revisit the Module 2 and refer to the relevant section.

  2. Joule gives me the option to select Default Login and IAS Login

    Reason: Both Default Logon and IAS are enabled for user login in your BTP subaccount.

    Solution: Log in to your SAP BTP Cockpit and navigate to your Joule subaccount. Expand the Security section and select Trust Configuration. Edit the Default Identity Provider (SAP.default), uncheck the box labeled Available for User Logon, and save the changes. After saving, clear your cookies and try logging in again.

  3. Joule displays a blank screen when using Azure AD/OKTA and Cloud Identity as a Proxy System

    Reason: In most cases, your SSO should be properly configured, allowing Joule to log you in via SAP SuccessFactors. However, if you encounter a login screen or a blank screen, and you are using Cloud Identity as a proxy, additional configuration may be required.

    Solution:
    1. Go to SAP Cloud Identity Services -> click on Identity Providers -> then click on Corporate Identity Providers.
    2. Select your configured provider (Azure AD/OKTA) and ensure that Forward All SSO Requests to Corporate IDP is turned off.
    3. Next, navigate to Applications & Resources -> Applications -> select your BTP Joule Application.
    4. Click on Conditional Authentication and change the Default Authentication Identity Provider to your Azure AD/OKTA.
    5. Save the settings.
  4. LPS_SFSF_dt destination check connections fail with 401: Unauthorized

    Reason: This may occur if the URL is incorrect or if your username and password are invalid.

    Solution:
    1. Verify that your SAP SuccessFactors URL is correct. You can refer to SAP Note 2215682 for information on SAP SuccessFactors API URLs and external IPs.
    2. Check for any internal IP restrictions that might be in place. You can refer to the available Regions and API Endpoints for the Cloud Foundry environment for more details.
    3. If necessary, reset your password.
    4. If the issue persists, verify the URL using the Postman client to ensure that the correct URL is being used.
    5. Best Practice: Create a technical user in your SAP SuccessFactors system that is not assigned to any individual user, and set the password to never expire.
  5. I can see the Joule chat history in another/colleague's system

    Issue: Users are able to see Joule conversations across multiple logins with different systems, even though the login details vary.

    Reason: In many SAP SuccessFactors Development/Preview systems, a common dummy email is used for all users, even though actual employee details are present. This practice often results from copying production data into the Development/Preview environment. The dummy email addresses are utilized to prevent emails from being sent to real users from these non-production systems. Examples of dummy emails include sap@dummy.com or dummy@dummy.com.

    Solution: If your Dev/Preview system uses dummy emails for users, you can resolve this issue by trying one of the following options:

    1. Update User Email Addresses.
    2. Change the email addresses of developers/users in the Dev/Preview system to their actual user IDs. Keep in mind that if you perform an IPS sync from your production system, the dummy emails will be restored as per your settings.
    3. Change the Subject Name Identifier.
    4. In your Cloud Identity Services, modify the Subject Name Identifier under Basic Configurations from "Email Address" to "Login Name." This change is specific to your Joule application. After making this change, users will be required to log in using their Login Name instead of their email address.
    5. Add the Launchpad_Admin User to SAP BTP Subaccount.
    6. Once the changes are made, ensure that you add the Launchpad_Admin user with the Login Name to your SAP BTP Subaccount. If the user already exists with an email address, delete the current user, recreate the user with the Login Name, and assign the necessary roles.
  6. The Joule Navigation button is missing after a successful Jobrun or Jobsync

    Issue: Although most of the setup is complete and jobs have been executed as required, the navigation button may be missing .

    Solution: Check the Navigation Service settings in your subaccount destinations. Follow these steps:

    1. Navigate to your subaccount -> Go to Connectivity -> Select Destinations -> Choose Navigation Service -> Click Export.
    2. Open the exported file in a notepad and confirm that the value of tokenServiceURLType is set to Dedicated. If the value is Common, return to your BTP Cockpit, edit the Navigation Service, set it to Dedicated, and save the settings.
    3. Export the settings again and validate that the changes were applied. If the issue persists, manually refresh the Content Channel in the Workzone instance to ensure the Service Provider details are correctly updated.
    4. Next, in the Work Zone service instance in your BTP subaccount, do the following:
      1. Select the Content Channel, choose the service provider connected to SAP SuccessFactors, click Report, and verify that the Role is assigned correctly. If the Role field is empty , go back to the Channel Manager screen and click the Refresh button to update the Role for the provider you created.
      2. Wait for the refresh to complete. Afterward, click Report again to review the details. If the Role section displays "19/19," everything is set.
      3. Log off from SAP SuccessFactors, wait for 30 minutes for the background jobs to finish, and then try again.
  7. CDM Prevents Users from Launching Site Manager – Channel Manager, Displaying an Error

    Issue: When launching the admin user from SAP SuccessFactors to Workzone, an error may occur if user synchronization is incomplete.

    Reason: The user synchronization process has not yet been completed.

    Solution:
    1. Verify that the correct role is assigned to the user via a custom identity service.
    2. Navigate to the Launchpad_Admin role and go to the Users section to add the appropriate user.
    3. In the Admin Center, go to the Job Scheduler tab, select the job type Refresh Synthetic Group Data, and click Run Now to initiate the job.
  8. IPS – Workzone Standard Edition Not Appearing as a Target System

    Issue: When creating a target system, the Workzone Standard Edition does not appear. This happens when the customer has separate IAS and IPS tenants, not combined in a common tenant.

    Reason: The IPS landscape is on SAP NEO, and the service needs to be upgraded to a multi-cloud environment.

    Solution: The customer can upgrade the IPS service by following the help guide or referring to the blog: SAP Help Guide: Migrate Identity Provisioning Bundle Tenant

    Important: The upgrade process can take anywhere from 1 hour to 1 day, depending on the complexity of the customer's IPS setup. Be sure to monitor the status of the source, target systems, and scheduled jobs during the upgrade process.

  9. How to Identify and Change SCIM or oData URL in Your IPS Source File

    Issue: Workzone Groups support SCIM 2.0, and the oData API version is not recommended.

    How to Check:
    1. Navigate to the Source System of your SAP SuccessFactors instance.
    2. Go to Properties and check the URL as shown in the screenshot.
    Solution:
    1. Create a copy of your Source System and update the values according to the Joule setup, or use the Source and Target files attached to the blog .

      Instructions for adding the Source and Target details are provided in the next step.

    Note

    If you download the Source and Target files attached to the blog, change the file extension from .txt to .json before importing them into your Cloud Identity Services. Refer to step 10 for detailed setup instructions.
  10. Quick Setup Using "Source System and Target System" .json Files

    In the previous module on the Joule setup, we discussed configuring the setup using the existing SAP SuccessFactors Source. Here, we will create a new Source System whether your URL uses oData or you're setting up Joule from scratch. This new Source System will keep the Joule setup separate from your existing SAP SuccessFactors configuration.

    Adding Source System:
    1. Go to SAP Cloud Identity Services.
    2. Navigate to Source System -> Click Add -> Import the file SuccessFactors-SF-Company-ID-Joule.json.
    3. Edit the System Name to match your SAP SuccessFactors Company ID, add a description if needed, and save the settings.

      The necessary "Transformation" adjustments are pre-configured in the attached JSON file, so you can directly go to the Properties tab and update the values based on the Joule Setup.

    4. Since this is a new Source System, you’ll also need to export the certificate:
      • Click on Outbound Certificate -> Download the certificate.
      • Go to your SuccessFactors system -> Navigate to Security Center -> Click on X.509 Public Certificate Mapping -> Click Add.
      • Update the Configuration Name as required, change the Integration Name to Identity Provisioning Service, and upload the new certificate. Save the settings.

        Note

        Leave the "Login Name" field blank.
    Adding Target System:
    1. Navigate to your Target System, click Add, and select the file WorkZone_Target_ForJoule.json.
    2. After importing, change the System Name and add a description to identify your setup.
    3. Ensure you select the Source System you saved earlier before moving to the Properties tab.
    4. In the Properties tab, enter the details from the ServiceKey file downloaded from your SAP Workzone Subaccount.
    5. Once the required details are entered, you can proceed with syncing your jobs.

    Note

    Since we are using certificates for authentication, copy your URL based on your data center from the mTLS Certificate Server. Example: https://api55preview.cert.sapsf.eu. For more details, refer to the official SAP Help documentation: List of SAP SuccessFactors API Servers
  11. Joule Authentication Fails When Browser's '3rd-Party Cookie Blocking Policy' is Enabled

    Issue: Joule may not function properly if third-party cookies are blocked, which often occurs when using incognito or private browsing mode.

    Solution: Refer to SAP Note 3428564 for detailed guidance on resolving the issue.

  12. How to Verify If All Groups Are Created for Joule

    Issue: If there are setup issues, jobs may not run correctly, and it’s important to validate the groups created or assigned to a user.

    Solution:
    1. Check your job logs in Cloud Identity Services.
    2. Log in to SAP Workzone and navigate to your Joule Subaccount.
    3. Click on Instances and Subscriptions, then select SAP Workzone, Standard Edition.
    4. Ensure the Launchpad_Admin role is assigned to you.
    5. Go to the Settings tab and enter the user’s email or Global User ID to verify the assigned roles.

    For further analysis, refer to this blog.

  13. New Common Super Domain (CSD) Causing SAP SuccessFactors and Joule URL Validation to Fail During Booster

    Issue:If you're using a new CSD, your SAP SuccessFactors

    Solution: Refer to the CSD Migration Customer/Partner Guide to ensure your SAP SuccessFactors Admin URL matches the updated format. For specific URL details, refer to Chapter 5 of the Guide to Successfully Run the Booster.

  14. Unable to use Joule in Incognito Mode on Chrome Browser

    Issue: Joule may not function properly when using Incognito mode in the Chrome browser.

    Reason: Third-party cookies might be blocked in your browser settings.

    Solution:
    1. Disable Third-Party Cookie Blocking:
      • Open Chrome and click on the three dots in the upper-right corner to access the menu.
      • Select Settings.
      • Navigate to Privacy and security.
      • Click on Cookies and other site data.
      • Choose Allow all cookies or Block third-party cookies in Incognito based on your preference.
    2. Restart the Browser: After adjusting the settings, close and reopen Chrome.
    3. Log in to Joule: Try accessing Joule again to see if the issue is resolved.

    Note

    Enabling third-party cookies may affect your privacy settings. Ensure you understand the implications before making changes.
  15. Booster execution fails with an error

    Reason: A common reason for this error is that trust has not been established between your subaccount and SAP Cloud Identity Services.

    Solution: Before running the Joule Booster, ensure you have configured SAP Cloud Identity Services (CIS) by following the steps in the previous module. You need to establish trust between your subaccount and Cloud Identity Services, as this is now a prerequisite for the updated Booster.

  16. "Oops, something went wrong. How about trying something different?" - Error occurs in SuccessFactors Joule use cases

    Reason: This error may occur due to various issues such as GUID mismatch, IP restrictions, or login and password policies for individual users.

    Case 0: GUID Mismatch

    Fix: Refer to SAP KBA 0003488269. If the issue persists, check the following cases.

    Case 1: IP Restrictions
    • Navigate to IP Restriction Management in your SAP SuccessFactors account.
      • If the page shows "No data," you are good to proceed.
      • If your company uses IP whitelisting for internal rules, add the SAP BTP NAT IPs related to your Joule service. Follow the steps after Case 2 for guidance.
    Case 2: User-Specific IP Restrictions
    • If your company restricts users by specific IPs, the error may occur only for you. To verify:
    • Go to Password & Login Policy Settings.
    • Expand the option Set API login exceptions.
    • If no User ID is listed, everything is fine.
    • If a User ID is listed with an IP address, Joule will display the error.
    Solution:
    • For Case 1 and Case 2:
      • Identify your SAP BTP Subaccount Data Center:
      • Go to your SAP BTP Account -> Navigate to the Subaccount with Joule Services.
      • In the Overview section, find the Cloud Foundry Environment and look at the API Endpoint. For example, if the endpoint is https://api.cf.us10-01.hana.ondemand.com/, your CF Data Center is "us10."
      • Go to the Regions and API Endpoints Available for the Cloud Foundry Environment, and find your data center's technical key.
      • Look for the "NAT IPs (egress, IPs for requests from a Cloud Foundry app)" and copy the IPs for your CF account.
    • For Case 1:

      Copy each IP and create an entry in your SAP SuccessFactors System’s IP Restrictions Management. After adding, re-login.

      Caution: If your company does not use IP restrictions, adding IPs only for BTP may block logins from other unlisted IPs. Be careful before making changes.

    • For Case 2:

      Copy the entire IP address from NAT IPs and edit the User ID in Set API login exceptions. Append the IP to the list and save the settings.

      Hint

      Apply this process to all affected users. If a user is not listed, there's no need to add them.

Check out additional common setup issues for Joule with SAP SuccessFactors here

Log in to track your progress & complete quizzes

Learning

SAP FacebookSAP YoutubeSAP LinkedIn