Technology Blog Posts by SAP
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Real-time user provisioning using SAP Cloud Identity Service (Identity Provisioning)

bpasynkov
Product and Topic Expert
Product and Topic Expert
‎2024 Jul 29 3:05 PM
3,396

Introduction

Hello SAP Community,

Today, I'm going to walk you through setting up real-time user provisioning using SAP Identity Provisioning Service (IPS). Recently, I faced a task requiring real-time user provisioning but struggled to find detailed explanations or how-to guides. So, I decided to document the process myself. If you notice any mistakes or have tips, please share them in the comments. Let’s dive in!

 

Feature Overview

As a tenant administrator, you can configure real-time provisioning to instantly sync users and groups from source to target systems. This means newly created, updated, or deleted users are automatically synced without manual or scheduled jobs in Identity Provisioning.

Important Note: For real-time provisioning, the source system must be either Identity Authentication Service (IAS) or SuccessFactors. This setup is perfect for scenarios where immediate system access is needed, like user self-registration. With real-time provisioning, changes are reflected instantly across your systems.

We’ll skip comparing Standard vs. Real-Time provisioning since this info is already available in the official documentation.

 

Technical Overview

Assuming you’re already familiar with configuring source and target systems in IPS (since there are plenty of detailed guides available), let’s focus on the essentials. Here’s a quick rundown of the technical architecture and prerequisites.

General diagrams-Real time IPS.drawio.svg

 

 

Prerequisites

  • Target system: Cloud Identity Service tenant 2 or IAS 2 (Target system) - though in your case, it could be any other supported target system.
    • Again, I'll skip the technical details of the target system, as they will vary based on your specific use case.

 

Configuration

1) First, you need to configure both the source and target systems in the corresponding IPS menu. After completing this step, you will see a System ID in the URL for your systems. For real-time provisioning, we will need the source System ID: 213...dd7

Sorce system ID.png

2) And, of course, the target system IAS 2, where our IAS 1 will be the source:

Target system.png

3) As a next and last step we will need to go IAS Admin Console ➡️ Users & Authorizations ➡️ Real-Time Provisioning:

 

real time system.png 

Configure your target for real-time user provisioning with the corresponding credentials:

  • Type: Identity Provisioning
  • Version: 1
  • SCIM URL: https://ias1.accounts400.ondemand.com/ipsproxy/service/api/v1/systems/213...dd7/entities/user

The authentication mechanism may vary. In my case, I simply utilized my technical user credentials from the prerequisites.

 

Conclusion

Once our real-time provisioning is configured, you can test it: newly created users should be provisioned automatically, or you can select an already existing user in the User Management menu:

user.png

In case of any issues, real-time provisioning logs are available to help troubleshoot:

logs.png

Hope this guide helps you set up real-time user provisioning using SAP Identity Provisioning Service. If you have any issues or tips, drop them in the comments. Happy provisioning!

 

 

2 Comments