AegisAI
Contact Book a demo
Integrations › SAP Joule

SAP Joule → AegisAI

Custom Action via a BTP destination using OAuth2SAMLBearerAssertion. The SAML assertion is exchanged at your IdP (IAS by default for BTP customers; or Entra ID / Okta / Auth0 / Cognito) for a JWT with aud=aegisai; AegisAI verifies that JWT via JWKS rotation. Setup time: about thirty minutes if you already have a BTP subaccount and Joule Studio access.

Why route Joule through AegisAI

Even SAP-native agents need the same gate.

Joule lives inside SAP and has direct access to S/4HANA. So why route it through AegisAI? Two reasons. First, SAP API Policy 4.2026a, Section 2.2.2 applies symmetrically — the structured, identity-propagating, auditable requirement is about the property, not the vendor. Second, customers who already standardised on AegisAI's audit chain want Joule's actions in the same chain, not in a separate Joule-only log nobody else can re-walk.

Setup

Three steps. Thirty minutes.

1. Register in your IdP, configure the BTP destination

AegisAI does not host an OAuth/SAML token service. Register an OAuth2 client in your IdP — SAP IAS by default for BTP customers, or Entra ID / Okta / Auth0 / Cognito if that's what your enterprise runs — with audience aegisai. Then BTP Cockpit → Connectivity → Destinations → New. Paste btp-destination.json, fill in the AegisAI URL, the IdP's tokenServiceURL, and the client id/secret from your IdP. Authentication is OAuth2SAMLBearerAssertion so the SAP user's identity flows through.

2. Import the action

Joule Studio → Actions → Import → upload action-manifest.json. Map the intent parameter to Joule's userUtterance slot and the context object to tenant_id and company_code.

3. Trigger phrases

Publish the action with phrases like "ask aegis about", "look up via aegis", "route to aegis". When a user fires one of these inside Joule, the request lands in AegisAI's standard POST /query.

What's in the kit

Three files in samples/connectors/sap-joule/.

FilePurpose
README.mdSetup walkthrough plus mapping of SAP's four policy goals to this configuration.
action-manifest.jsonJoule Custom Action manifest with input/output schemas and HTTP error mapping.
btp-destination.jsonThe HTTP destination Joule (and any other SAP-native consumer) uses to reach AegisAI.
Honest caveats

Two things to know.

Synchronous only (today)

Joule's Custom Actions only support synchronous HTTP. Long-running AegisAI queries (over 10 seconds) will time out from Joule's side. If you need that, use the Anthropic Claude pattern with the async tool-use loop instead.

No card response shape

Joule does not currently expose response-shape negotiation, so the action receives the canonical {data, trace_id, trace} envelope. Render data and trace_id in your Joule response template.

Want help with the BTP destination?

Half the Joule setup is BTP plumbing. We'll join your subaccount for an hour and get the destination, the OAuth client, and the action all wired in one pass.

Email us