SAP Jam App Integration with OAuth2SAMLBearerAssertion flow.

SAP Jam is no longer available as a service on SAP BTP. Still, its application integration capabilities remain an excellent playground for anyone keen to understand the internal workings of the OAuth2SAMLBearerAssertion flow together with the SAP BTP Destination service.

Happy exploring!

This blog is about SAP Jam App Integration with OAuth2SAMLBearerAssertion flow implemented with SAP BTP Destination service.

SAP Jam assets can be embedded in a third-party application, and SAP Jam can embed third-party application assets as well.

The Third-Party OData API integration explains what it takes to make an external application ready for integration with SAP Jam Collaboration.

However, in order to enable a 3rd party application’s access to SAP Jam assets, you also need to perform the following access and authorization configuration steps in SAP Jam:

  • If you want to display the external application’s business records in SAP Jam, you must Configure SAP Jam as a SAML Local Identity Provider. This step ensures that users can view only the content from the external application that they have been authorised to view when that material is displayed in SAP Jam.
  • If you want to display SAP Jam content in the external application, you must:
    • Add an OAuth Client. This configuration provides the external application with authorised access to the SAP Jam API.
    • Add a SAML Trusted IDP. This step ensures that users can view only the content from SAP Jam that they have been authorised to view when that material is displayed in the external application.

SAP JAM OAuth2.0 configuration story board.

Here goes the story board with all the required configuration steps at a glance. Please click on it in order to magnify it.

Actually, all the manual configuration steps on the SAP JAM side could likely be automated, for instance with an iRPA bot.

SAML Local Identity Provider.

This configures the signing private key/certificate pair used by SAP Jam to generate SAML assertions as depicted below:

Issuer: contains the unique identifier for SAML assertions issued by SAP Jam.
Signing Private Key (Base64)*: the private key used to sign the SAML assertions generated by SAP Jam, PEM-encoded:
-----BEGIN RSA PRIVATE KEY-----
..... (truncated).................
-----END RSA PRIVATE KEY-----
X509 Certificate (Base64)*: the X.509 certificate used to verify the signature of SAML assertions generated by SAP Jam, PEM-encoded:
-----BEGIN CERTIFICATE-----
..... (truncated).................
  • Create a PKCS12-formatted .pfx or .p12 keystore:
    • run the below openssl command to create a PKCS12-formatted pfx keystore from the key and certificate, as depicted below:
$ openssl pkcs12 -export -inkey jam_saml_idp.key -in jam_saml_idp.cer -out jam_saml_idp.pfx
Enter Export Password:
Verifying - Enter Export Password:
Please make note of the password as you will need it later in the destination definition.
    • base64-encode the jam_saml_idp.pfx file into a string, for instance:
$ cat jam_saml_idp.pfx | base64
MIIJ6QIBAzCCCa8GCSqGSIb3DQEHAaCCCaAEggmcMIIJmDCCBE8GCSqGSIb3DQEH ............(truncated)............................ SUwIwYJKoZIhvcNAQkVMRYEFHZ5s0a18OthZsFneRNGzeyXHBXlMDEwITAJBgUrD gMCGgUABBQoy4rfqR4tO9Q2SFrHF4v0um//WwQIQx+ZVam++bgCAggA

From now on you can follow steps c, d and e below (described in more detail here), namely:

c. Using the Destination service APIs, add the jam_saml_idp.pfx certificate keystore, encoded as a string, to the secure vault.

d. Create a new destination to the Quovadis-JAM-SAML-IDP OAuth application with our jam_saml_idp.pfx keystore.

e. Use (=Find) the Quovadis-JAM-SAML-IDP destination to acquire the bearer access token as demonstrated below:

Find Quovadis-JAM-SAML-IDP destination:
{
  "owner": {
    "SubaccountId": "xxxxxxx-4d96-4bc0-a4fd-xxxxxxxxx",
    "InstanceId": null
  },
  "destinationConfiguration": {
    "Name": "Quovadis-JAM-SAML-IDP",
    "Type": "HTTP",
    "URL": "",
    "Authentication": "OAuth2SAMLBearerAssertion",
    "ProxyType": "Internet",
    "KeyStorePassword": "<password>",
    "tokenServiceURLType": "Dedicated",
    "audience": "",
    "companyId": "SFPART058654",
    "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession",
    "apiKey": "<apiKey>",
    "KeyStoreLocation": "jam_saml_idp.pfx",
    "clientKey": "<apiKey>",
    "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "nameQualifier": "",
    "SystemUser": "sfadmin",
    "tokenServiceURL": ""
  },
  "certificates": [
    {
      "Name": "jam_saml_idp.pfx",
      "Content": "MIIJ6QIBAzCCCa8GCSqGSIb3DQEHAaCCCaAEggmcMIIJmDCCBE8GCSqGSIb3DQEHBqCCBEAwggQ8AgEAMIIENQYJKoZIhvcNEiEZrlpZ7InokXjD2dUNKzxO0QeGPsBw2wYCQDpoA+uNA0bRHTpyFao+Oom5cCS+lD+yMSUwIwYJKoZIhvcNAQkVMRYEFHZ5s0a18OthZsFneRNGzeyXHBXlMDEwITAJBgUrDgMCGgUABBQoy4rfqR4tO9Q2SFrHF4v0um//WwQIQx+ZVam++bgCAggA",
      "Type": "CERTIFICATE"
    }
  ],
  "authTokens": [
    {
      "type": "bearer",
      "value": "QYoCNNWFsITGgX0ggJZtqx7Egh1oxxxxxxxxxxxxx",
      "http_header": {
        "key": "Authorization",
        "value": "Bearer QYoCNNWFsITGgX0ggJZtqx7Egh1oxxxxxxxxxxxxx"
      },
      "expires_in": "0"
    }
  ]
}
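Steps c, d and e above (together with the keystore encoding before them) as one script against the SAP BTP Destination service REST API. This is an added example, not the post's own code: it assumes the subaccount-level endpoints /subaccountCertificates, /subaccountDestinations and /destinations/{name} of that API, and that the service URL and a client-credentials token from its instance binding are supplied in the hypothetical DEST_URL and DEST_TOKEN environment variables (PFX_PASSWORD, JAM_API_KEY and JAM_TOKEN_URL likewise).

```python
import base64, json, os, urllib.request

def keystore_to_string(pfx_bytes: bytes) -> str:
    # One unbroken base64 line; plain `base64` on Linux wraps every 76 chars.
    return base64.b64encode(pfx_bytes).decode("ascii")

def certificate_payload(name: str, pfx_bytes: bytes) -> dict:
    # Step c: body for POST /subaccountCertificates (the secure vault upload).
    return {"Name": name, "Type": "CERTIFICATE", "Content": keystore_to_string(pfx_bytes)}

def destination_payload(name, keystore, password, api_key, company_id, user, token_url):
    # Step d: body for POST /subaccountDestinations, properties as in the post's find output.
    return {
        "Name": name, "Type": "HTTP", "URL": "", "ProxyType": "Internet", "audience": "",
        "Authentication": "OAuth2SAMLBearerAssertion", "nameQualifier": "",
        "KeyStoreLocation": keystore, "KeyStorePassword": password,
        "tokenServiceURLType": "Dedicated", "tokenServiceURL": token_url,
        "apiKey": api_key, "clientKey": api_key, "companyId": company_id, "SystemUser": user,
        "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession",
        "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    }

def bearer_header(find_response: dict) -> dict:
    # Step e: take the ready-made Authorization header from the find response and
    # fail loudly when the service reports a token error instead of a value.
    tokens = find_response.get("authTokens") or []
    if not tokens:
        raise RuntimeError("find response carries no authTokens")
    token = tokens[0]
    if token.get("error") or not token.get("value"):
        raise RuntimeError(f"token retrieval failed: {token.get('error')}")
    return {token["http_header"]["key"]: token["http_header"]["value"]}

def call(method: str, path: str, body=None) -> dict:
    # DEST_URL / DEST_TOKEN: assumed env vars from the Destination service instance binding.
    req = urllib.request.Request(
        os.environ["DEST_URL"] + "/destination-configuration/v1" + path, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": "Bearer " + os.environ["DEST_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")

if __name__ == "__main__":
    pfx = open("jam_saml_idp.pfx", "rb").read()
    call("POST", "/subaccountCertificates", certificate_payload("jam_saml_idp.pfx", pfx))
    call("POST", "/subaccountDestinations", destination_payload(
        "Quovadis-JAM-SAML-IDP", "jam_saml_idp.pfx", os.environ["PFX_PASSWORD"],
        os.environ["JAM_API_KEY"], "SFPART058654", "sfadmin", os.environ["JAM_TOKEN_URL"]))
    print(bearer_header(call("GET", "/destinations/Quovadis-JAM-SAML-IDP")))
```

The returned header dict can be passed straight to the OData call that follows; a destination whose token exchange failed raises instead of silently producing an empty Authorization value.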

Consuming the remote ODATA endpoint.

The above OAuth access token can then be used to easily make calls to the OData API for instance using curl:

The find destination API call retrieves an OAuth access token from

Then, you may use the following curl command to get the profile of the user authenticated by this OAuth access token in a JSON format:

$ curl -H "Authorization: OAuth QYoCNNWFsITGgX0ggJZtqx7Egh1od9BUe8xYYYY" -H "Accept: application/json"
{
  "d": {
    "results": {
      "__metadata": {
        "uri": "Members('LwLXVuYewcjb0pbyu0HLCE')",
        "type": "SAPJam.Member"
      },
      "Id": "xxxxxxxxxxxxxxxxx",
      "FirstName": "Aanya",
      "LastName": "Sing",
      "Nickname": null,
      "Title": "Administrative Support",
      "Email": "",
      "FullName": "Aanya Sing",
      "Role": "company",
      "IsFollowing": false,
      "WebURL": "",
      "IsAway": false,
      "PersonGuid": null,
      "JobDescription": null,
      "Messages": { "__deferred": { "uri": "Members('xxxxxxx')/Messages" } },
      "FeedEntries": { "__deferred": { "uri": "Members('xxxxxxx')/FeedEntries" } },
      "ProfilePhoto": { "__deferred": { "uri": "Members('xxxxxxxx')/ProfilePhoto" } },
      "QrImage": { "__deferred": { "uri": "Members('LwLXVuYewcjb0pbyu0HLCE')/QrImage" } },
      "Expertises": { "__deferred": { "uri": "Members('xxxxxxxxxx')/Expertises" } }
    }
  }
}


Given the API capabilities of the SAP BTP Destination service, I was able to fully automate all the steps related to the management of the destination. In other words, there is no need to access the BTP cockpit to manage destinations, certificates and so on.

Please have a closer look at the API Management portal with the screenshot of the policy that implements access to my Destination service APIs, and then at the API sandbox.

The API Management exposed endpoint can be used from any programming language or LCNC framework like SAP Appgyver or Mendix.

Thanks for reading!
Piotr Tesny

Additional resources.

SAP Jam Collaboration Developer Guide and its pdf version.


The SAP Jam Collaboration OData API allows you to integrate SAP Jam Collaboration features into your business critical applications, and it allows you to integrate data from your business critical applications into SAP Jam.

This part of the SAP Jam Collaboration Developer Guide provides the following sections of API Documentation:

  • Please see the SAP Jam API Reference at the following location:
  • SAP Jam OData API Tutorial: This tutorial is designed to give you a good understanding of SAP Jam Collaboration's OData API implementation and to help you to quickly get up to speed using the SAP Jam API.
  • Authentication and Authorization API: Client applications using the SAP Jam REST or OData APIs have two options for providing authorization and authentication for their users: an OAuth1.0a 3-Legged workflow, or SAML assertions from a trusted identity provider. The OAuth1.0a workflow is best for client applications without access to a SAML identity provider (IDP), although it requires some interaction with the end user. The SAML assertions option requires a trusted IDP configured in the SAP Jam Admin console by your company administrator. Additionally, there is the possibility of single-use tokens, although this approach is better suited to granting immediate, short-term access to single pages.
  • SAP Jam REST API: The SAP Jam Collaboration REST API has mostly been ported to the OData API; however, one set of REST API calls remain: the REST Social Reports API calls. The Social Reports REST API calls allow you to generate and retrieve reports on social activity in SAP Jam.