
SAP Identity Authentication vs. Local Identity Directory - Differences

tskwin
Participant
0 Kudos
396

Hello All,

What is the difference between SAP Identity Authentication and Local Identity Directory in SAP IPS/IAS ?

In both cases, users are stored in SAP IAS, but I don't understand the difference and when each solution should be used.

Thank you very much!

 

Best Regards

Amin_Omidy
SAP Champion

Hi tskwin,

SAP Cloud Identity Services includes three components:

1. Identity Authentication Service (IAS): IAS is a cloud-based SAML2 identity provider that offers an Identity Service tailored to business processes, applications, and data. It delivers single sign-on and seamless integration with both SAP and non-SAP applications, whether they are in the cloud or on-premises. But its primary features are more than an authentication task.
2. Identity Provisioning Service (IPS): The Identity Provisioning Service (IPS) can effectively oversee and automate identity lifecycle processes for both cloud and on-premises environments. IPS also takes care of the seamless provisioning of users and groups, ensuring a smooth transition from source to target systems.
3. Identity Directory: It is a repository (database) that stores and persists user data, attribute and group assignments, offering a System for Cross-domain Identity Management (SCIM) API for the management of resources, including users, groups, and customized schemas. The provisioning of these entities to and from the directory is guaranteed by the Local Identity Directory connector within the Identity Provisioning service. Upon the creation of a new user, the directory generates a Global User ID, which serves as the distinctive user identifier across the landscape. Identity Provisioning subsequently distributes this Global User ID to SAP cloud applications.
Please check my blog for a further detailed explanation of each, with a diagram.
Hope this helps,
@Amin_Omidy

daryl_mennen989
Explorer
Amin - I don't think you understood the question or perhaps I don't understand your response. When we use IPS (identity provisioning service) we have an option to use many different "Target Systems". One type is the "Identity Authentication", which by the way can also be used as a "Source System". Another type of target system is "local Identity Directory". In both scenarios it seems that the user store is the same (i.e. Cloud Identity Services user store). So what's the difference in using either target system? Why are there two different target systems that seem to do the same thing? What's the benefit of one versus the other?
tskwin
Participant
0 Kudos

Hello all,

@Amin_Omidy Thanks for the feedback.

@daryl_mennen989  Thanks too. 

That's correct. I still don't understand why there are two target system types (Identity Authentication and Local Directory) and when to use which target system type.

 

Many Thanks

Best Regards

MatthiasL
Explorer
0 Kudos

Hi tskwin, I came here from Google for the same question.

That said, I don't think there is much difference.

The IAS route requires more configuration and I think it's the old way; the Local Identity Directory has been gaining more traction in the documentation since a few months ago. In fact, it doesn't even exist in the NEO documentation.

I would argue that LID is the newer way, which supports newer techniques (like application-specific groups), paging and central user logs, and other improvements that come with the new SCIM v2 API.

From my talks with the CIS-team and the roadmap, I think it's a new direction they're headed in - allowing for better and easier provisioning.