SAP Knowledge Base Article - Public

3428564 - Joule authentication not working when browser '3rd-party cookie blocking policy' is enabled

Symptom

  • Joule asks for an IAS login when the user launches Joule from the top right corner of SuccessFactors.
  • Joule authentication does not work when the browser's '3rd-party cookie blocking policy' is enabled.

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

  • SAP SuccessFactors HXM Suite

Reproducing the Issue

  1. The user logs in to SuccessFactors as usual.
  2. Click the Joule button in the upper right corner to launch Joule.
  3. In the pop-up Joule window, instead of the Joule Starting page loading, the user is asked for IAS credentials to log in.

Resolution

This issue may happen when:

  • The user's browser has 3rd-party cookie blocking active.
  • Rendering of Joule's XSUAA or IAS in an iFrame has not been enabled.
  • Your IAS is configured with a corporate IDP, with IAS as proxy IDP.

Please follow the steps below to resolve this issue:

1. If the user's browser has 3rd-party cookie blocking active, the browser must allow the following 3 domains in its tracker settings:
- Joule's XSUAA URL (<subaccount>.authentication.<datacenter>.hana.ondemand.com), e.g. qacand-stedasit02.authentication.eu10.hana.ondemand.com
- Joule's WebClient URL (<subaccount>.<datacenter>.<joule-provider>.cloud.sap), e.g. qacand-stedasit02.eu10.sapdas.cloud.sap
- IAS URL (<customdomain>|<tenant>.<iaslandscape>.ondemand.com), e.g. mytenant.accounts.ondemand.com

*How to add the Joule & IAS domains to your browser's tracker settings? Different browsers may have different sections for allowing trackers; please check your browser settings.

Here we take Microsoft Edge as an example:

*How to identify your Joule Application domains? The Joule XSUAA and Joule WebClient domains follow the format below:

- Joule's XSUAA URL (<subaccount>.authentication.<datacenter>.hana.ondemand.com), e.g. qacand-stedasit02.authentication.eu10.hana.ondemand.com
- Joule's WebClient URL (<subaccount>.<datacenter>.<joule-provider>.cloud.sap), e.g. qacand-stedasit02.eu10.sapdas.cloud.sap

Taking the Microsoft Edge browser as an example:

  1. Log in to SuccessFactors with the "Inspector" tool open in your browser.
  2. Launch Joule from SuccessFactors Header > Joule button.
  3. After launching Joule, from Inspector > Application > Cookies, you will find the Joule XSUAA URL and the Joule WebClient URL.

For example:

  • qacand-stedasit02.authentication.eu10.hana.ondemand.com
  • qacand-stedasit02.eu10.sapdas.cloud.sap
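
The following is an added example, not SAP code: it sorts the hosts listed under Inspector > Application > Cookies into the three allow-list entries by matching them against the hostname formats given above, and checks that the XSUAA and WebClient hosts share the same subaccount and datacenter. The function names, the customIasDomain parameter and the host sf.example.com are assumptions made for illustration.

```javascript
// Added example, not SAP code: classify hosts seen under Inspector > Application > Cookies.
const LABEL = "([a-z0-9-]+)";
const FORMATS = [
  // <subaccount>.authentication.<datacenter>.hana.ondemand.com
  ["xsuaa", new RegExp(`^${LABEL}\\.authentication\\.${LABEL}\\.hana\\.ondemand\\.com$`), ["subaccount", "datacenter"]],
  // <subaccount>.<datacenter>.<joule-provider>.cloud.sap
  ["webclient", new RegExp(`^${LABEL}\\.${LABEL}\\.${LABEL}\\.cloud\\.sap$`), ["subaccount", "datacenter", "provider"]],
  // <tenant>.<iaslandscape>.ondemand.com; "hana" is excluded because it belongs to the XSUAA format
  ["ias", new RegExp(`^${LABEL}\\.(?!hana\\.)${LABEL}\\.ondemand\\.com$`), ["tenant", "landscape"]],
];

// Accepts a bare host, a cookie domain with a leading dot, or a full URL.
function normalizeHost(entry) {
  return entry.trim().toLowerCase()
    .replace(/^https?:\/\//, "").replace(/[/:].*$/, "").replace(/^\./, "");
}

function classifyJouleHost(entry) {
  const host = normalizeHost(entry);
  for (const [role, pattern, names] of FORMATS) {
    const m = pattern.exec(host);
    if (!m) continue;
    const parts = {};
    names.forEach((name, i) => { parts[name] = m[i + 1]; });
    return { host, role, ...parts };
  }
  return { host, role: "other" };
}

// customIasDomain is a hypothetical parameter: a custom IAS domain follows no
// fixed format, so it has to be supplied rather than detected.
function buildAllowList(entries, customIasDomain = null) {
  const found = {};
  for (const c of entries.map(classifyJouleHost)) {
    if (c.role !== "other" && !found[c.role]) found[c.role] = c;
  }
  if (customIasDomain) found.ias = { host: normalizeHost(customIasDomain), role: "ias" };
  const roles = ["xsuaa", "webclient", "ias"];
  const sameSubaccount = Boolean(found.xsuaa && found.webclient) &&
    found.xsuaa.subaccount === found.webclient.subaccount &&
    found.xsuaa.datacenter === found.webclient.datacenter;
  return { allow: roles.filter((r) => found[r]).map((r) => found[r].host),
    missing: roles.filter((r) => !found[r]), sameSubaccount };
}

// Constructed sample: the first three hosts are this article's examples, the last is made up.
const sampleHosts = ["https://qacand-stedasit02.authentication.eu10.hana.ondemand.com",
  ".qacand-stedasit02.eu10.sapdas.cloud.sap", "mytenant.accounts.ondemand.com", "sf.example.com"];
console.log(buildAllowList(sampleHosts));
```

An entry reported under missing means that no cookie host matched that format, for example because IAS is served from a custom domain.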

2. Enable the rendering of Joule's XSUAA or IAS in an iFrame:

Both (XSUAA and IAS) must trust the SFSF URL:
For XSUAA: please go to BTP Subaccount Cockpit > Security > Settings > Trusted Domains (URL with https://). For details, please refer to Configure Trusted Domains for SAP Authorization and Trust Management Service | SAP Help Portal.
For IAS: please go to IAS Tenant Admin Console > Applications & Resources > Tenant Settings > Customization > Trusted Domains (URL FQDN only).

3. Your IAS is configured with a corporate IDP, with IAS as proxy IDP:

Joule requires the same "Conditional Access" configuration as used for SFSF.

1. In your IAS tenant > Applications & Resources, please make sure that the SF application and the BTP-subaccount application are set to the same Default Identity Provider (e.g. Azure AD) under Conditional Authentication. For more details, please refer to: Choose Default Identity Provider for an Application | SAP Help Portal

After completing the above steps, launching Joule will open the Joule Starting page.

See Also

What is Joule? | SAP Help Portal

3390798 - Joule availability in SAP SuccessFactors - SAP for Me

Keywords

SF, Joule, SuccessFactors, SAP SuccessFactors, Digital Assistant, AI, IAS, login, authentication, cookies, KBA, LOD-SF-PLT-DA, Joule in SuccessFactors, CA-JOULE, Joule, LOD-SF-PLT-IAS, Identity Authentication Services (IAS) With BizX, How To

Product

SAP SuccessFactors HCM Suite all versions
