As SAP’s generative AI assistant, Joule is designed to deliver a consistent, AI-powered experience across SAP’s portfolio—spanning applications like SAP S/4HANA Cloud Public Edition, SAP SuccessFactors, and more. A Unified Joule instance ensures seamless interactions and insights across these systems, improving productivity and decision-making at scale.
To help customers set up Unified Joule efficiently, I’ve created a series of step-by-step missions in the SAP Discovery Center. These missions guide you through the process of configuring a Unified Joule instance tailored to your SAP environment.
Core Discovery Center Missions:
Establish a Unified Joule Instance (pre-requisite for enabling Joule across your SAP landscape)
Activate Joule for SAP SuccessFactors
Activate Joule with SAP S/4HANA Cloud Public Edition
While the Discovery Center missions above include detailed guidance to help ensure a smooth Joule setup experience, I still frequently receive questions—particularly around SAP Cloud Identity Services integration. Setting up Joule correctly requires consistent SAP Cloud Identity Services (IAS/IPS) integration across your SAP portfolio in alignment with Identity and Access Management reference architectures.
In this section, I’ll address some of the most common questions and highlight key considerations for integrating Cloud Identity Services across your SAP landscape when enabling Joule.
Identity & Security Considerations for Joule Setup
1. Can I use different IAS tenants for different SAP applications and still have a unified Joule experience?
No. For a Unified Joule setup, all production applications must use the same IAS production tenant for authentication. Likewise, all non-production systems must use a shared non-prod IAS tenant. This architecture enables you to maintain one Joule instance for production and another for non-production.
2. My landscape isn’t fully aligned with the reference architecture yet, but there’s pressure from the business to enable Joule. What are my options?
If your applications aren’t yet configured to use a common Cloud Identity Services (IAS) tenant, you can still move forward by setting up individual Joule instances per application.
This allows you to enable Joule for each application independently; however, it does not follow the Unified Joule model. In this setup:
Joule can only respond to queries related to the specific application it’s configured with
There is added complexity in managing multiple BTP subaccounts and maintaining separate Joule configurations
While this approach can meet short-term business demands, aligning with the reference architecture remains the recommended path for a scalable and integrated experience.
3. My SAP application supports Joule, but it’s not yet integrated with IAS for authentication. What should I consider when setting up SAML or OIDC trust with IAS?
When configuring trust between your SAP application and SAP Cloud Identity Services (IAS) using SAML or OIDC, it’s important to follow SAP’s recommended domain and configuration guidelines to ensure Joule works as expected.
Key considerations:
Use the cloud.sap domain for all integration points.
For example, when configuring SAML, ensure the Assertion Consumer Service (ACS) URL in your application uses the cloud.sap domain—not ondemand.com.
Access your IAS tenant at:
https://<tenant>.accounts.cloud.sap/admin
(Avoid using ondemand.com for any trust-related setup.)
To retrieve the correct SAML metadata:
Log into your IAS tenant
Navigate to: Applications & Resources > Tenant Settings > SAML 2.0 Configuration
Download the metadata file and use it to configure your application’s SAML settings
For OIDC integration:
Go to: Applications & Resources > Tenant Settings > OpenID Connect Configuration
Use the configuration details provided there to establish the trust relationship
Important: Do not manually change key parameters in IAS (e.g., the issuer). Altering these settings may disrupt existing trust configurations and prevent your application from authenticating properly.
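An added example, not part of the original post or of SAP's tooling: a Python check that reads a downloaded SAML metadata file or an OIDC discovery document and lists every endpoint still on ondemand.com instead of cloud.sap. The tenant name example-tenant, the endpoint paths and both sample documents are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
REQUIRED = ".accounts.cloud.sap"  # host suffix the article requires
LEGACY = ".ondemand.com"          # host suffix the article says to avoid

def classify(url):
    """Label a URL by the domain its host belongs to (suffix match on the host only)."""
    host = (urlparse(url).hostname or "").lower()
    if host.endswith(REQUIRED):
        return "cloud.sap"
    if host.endswith(LEGACY):
        return "ondemand.com"
    return "other"

def audit_saml_metadata(xml_text):
    """Return (field, url, verdict) for each entityID and endpoint Location."""
    root = ET.fromstring(xml_text)  # parse only files exported from your own tenant
    rows = []
    for entity in root.iter(MD + "EntityDescriptor"):
        rows.append(("entityID", entity.get("entityID", "")))
        for el in entity.iter():
            if el.tag.startswith(MD) and el.get("Location"):
                rows.append((el.tag[len(MD):], el.get("Location")))
    return [(field, url, classify(url)) for field, url in rows]

def audit_oidc_discovery(json_text):
    """Return (field, url, verdict) for every URL-valued field of a discovery document."""
    doc = json.loads(json_text)
    return [(k, v, classify(v)) for k, v in doc.items()
            if isinstance(v, str) and v.startswith(("http://", "https://"))]

def legacy_endpoints(rows):
    """Keep only the entries that still point at the ondemand.com domain."""
    return [(field, url) for field, url, verdict in rows if verdict == "ondemand.com"]

# Constructed sample: one endpoint left on the legacy domain.
SAML_SAMPLE = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-tenant.accounts.cloud.sap">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.accounts.ondemand.com/saml2/idp/sso"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.accounts.cloud.sap/saml2/idp/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample discovery document with a mixed-domain configuration.
OIDC_SAMPLE = json.dumps({
    "issuer": "https://example-tenant.accounts.cloud.sap",
    "authorization_endpoint": "https://example-tenant.accounts.ondemand.com/oauth2/authorize",
    "jwks_uri": "https://example-tenant.accounts.cloud.sap/oauth2/certs",
})

if __name__ == "__main__":
    for name, rows in (("SAML", audit_saml_metadata(SAML_SAMPLE)),
                       ("OIDC", audit_oidc_discovery(OIDC_SAMPLE))):
        for field, url in legacy_endpoints(rows):
            print(f"{name}: {field} still uses ondemand.com -> {url}")
```

The same check applies to the trust described in questions 4, 5 and 8: run it against whichever metadata or discovery document the relying side actually imported.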
4. I see a blank screen when launching Joule. What’s wrong?
This often points to a misconfigured OIDC trust between BTP subaccount and IAS. Verify that trust is set up with the cloud.sap domain—not ondemand.com.
5. My existing SAP application is configured with SAML trust to IAS using the ondemand.com domain. Can I enable Joule for this application?
Not in its current configuration. To use Joule, your application’s SAML trust must be updated to use the cloud.sap domain.
As outlined earlier, Joule requires trust configurations aligned with the cloud.sap namespace. While SAP is working on an enhancement to simplify this requirement, updating the SAML configuration to use cloud.sap endpoints is currently mandatory for Joule integration.
6. My application uses a corporate Identity Provider for authentication. How should I configure the Joule application in IAS?
When you run the Joule booster in SAP BTP, it automatically creates a corresponding Joule application in IAS (typically named das-ias-<appname>).
To ensure seamless user authentication, you’ll need to update the conditional authentication settings of this Joule application in IAS so they align with the configuration used by your source application (e.g., SuccessFactors, S/4HANA). This ensures that users are routed correctly through your corporate Identity Provider when accessing Joule.
7. My IAS tenant is configured in pure proxy mode with a corporate Identity Provider like Microsoft Entra ID or Okta. Can I still use Joule?
Not in its current form. For Joule to function properly, a user record must exist in the SAP Cloud Identity Services (IAS) user store, as Joule relies on attributes like the Global User ID (GUID), which are stored there.
If your IAS tenant is set up in pure proxy mode—meaning Identity Federation is disabled—IAS doesn’t pick up the user records and therefore can’t provide the GUID Joule requires. In this configuration, Joule will not work.
To enable Joule:
Ensure Identity Federation is enabled in IAS (either tenant-wide or for specific applications)
Maintain a user profile in IAS for each user, even if authentication is delegated to a corporate IdP
This hybrid setup allows authentication to flow through your corporate IdP while still enabling IAS to store essential user attributes needed by Joule.
8. When integrating SAP Cloud Identity Services (IAS) with a corporate Identity Provider (IdP) for use with Joule, what should I keep in mind?
Enable Identity Federation: This must be turned on either at the IAS tenant level or for the specific applications that will use Joule.
Maintain user records in IAS: Even when using a corporate IdP, user profiles must exist in the IAS user store. Joule relies on fields like the Global User ID (GUID), which are stored in IAS.
Correct SAML/OIDC trust setup: Ensure that the trust between IAS and your corporate IdP is configured properly, using the correct domain (cloud.sap) and metadata. Misconfigured trust can prevent Joule from functioning as expected.
For OIDC integration between IAS and corporate IDP, refer to the blogs below:
Connect SAP Cloud Identity Authentication Service as a proxy to Okta using OpenID Connect
Configuring SAP Cloud Identity Services and Microsoft Entra ID for Joule
For SAML integration:
Connect Okta to Identity Authentication
Configure SAP Cloud Identity Services for Single sign-on with Microsoft Entra ID
NOTE: For SAML integration between IAS and your corporate IDP, make sure to get the IAS SAML metadata using the URL: https://<iashost>.accounts.cloud.sap/admin.
9. Can I set up a Unified Joule instance if my applications use different corporate Identity Providers?
If your SAP applications—such as SAP SuccessFactors and SAP S/4HANA Cloud Public Edition—are connected to the same IAS tenant but each is integrated with a different corporate Identity Provider (e.g., SuccessFactors with MS Entra ID and S/4HANA with Okta), a Unified Joule instance is not supported.
This is because Joule requires consistent conditional authentication settings in IAS, and those settings must point to a single corporate Identity Provider. Since IAS can’t route authentication to multiple IdPs for the same Joule instance, you’ll need to configure separate Joule instances for each application and tailor the IAS settings accordingly.
10. I don’t see the Identity Provisioning tab in the admin console of SAP Cloud Identity Services. Why?
Two possibilities:
Your user lacks the “Manage Identity Provisioning” permission. Assign this to the user through the admin console of SAP Cloud Identity Services.
Your tenant is still using Neo-based Identity Provisioning, which has a separate admin console.
11. Can I use Neo Identity Provisioning Service (IPS) for Joule?
While possible, we recommend migrating to the latest SAP Cloud Identity Services for IPS. To use a Neo IPS tenant, you need to make sure that the SAP Build Work Zone, standard edition connector is available when creating a target system in IPS.
Benefits of migration:
Unified admin console for IAS and IPS
Out-of-the-box availability of the SAP Build Work Zone connector
Improved logging, visual transformation editor, and job simulation
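Learn how to migrate your IPS instance:
Go for your quick win! Migrate Identity Provisioning tenants to SAP Cloud Identity infrastructure.
https://help.sap.com/docs/identity-provisioning/identity-provisioning/migrate-identity-provisioning-bundle-tenant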
12. Why is it necessary to synchronize users from applications like SuccessFactors or S/4HANA into SAP Build Work Zone for Joule?
Joule supports a range of interaction patterns—including informational, transactional, analytical, and navigational use cases.
To enable navigational experiences (e.g., allowing Joule to guide users directly to relevant pages or apps), user data must be synchronized from your source systems (like SuccessFactors or S/4HANA) into the SAP Build Work Zone instance that’s configured for Joule.
Without this synchronization, navigational capabilities won’t be available to end users during their interactions with Joule.
13. Joule works for SSO users in SuccessFactors, but not for password-based users. Why?
As a SuccessFactors customer using Joule, you might have a mix of users—most authenticating via SSO through your corporate Identity Provider, and others using password-based login via the IDP-initiated URL. While Joule functions correctly for SSO users, it may not work for password-based users accessing the system through the IDP-initiated login.
To resolve this, configure conditional authentication rules in IAS:
Redirect SSO users to your corporate Identity Provider
Allow password-based users to authenticate directly with IAS
Use the standard SuccessFactors tenant URL for all users (not the IDP-initiated URL)
You can achieve this by grouping users in IAS (e.g., SSO vs. password users) and applying conditional authentication settings to manage the appropriate login paths for SuccessFactors.
Final Thoughts
Establishing a Unified Joule instance requires careful planning around identity, trust configuration, and provisioning. Following the SAP Discovery Center missions and aligning with the Identity and Access Management reference architectures will ensure you unlock the full potential of Joule across your SAP landscape.
If you have more questions or unique scenarios, feel free to leave a comment or reach out directly.