This blog explores the latest 2024 updates in SAP's Identity and Access Management (IAM) portfolio derived from various early 2024 SAP events, particularly focusing on SAP Cloud Identity Services (SCI).
IAM 101: Identity Lifecycle, Authorization, and Authentication
In simple terms, Identity and Access Management (IAM) revolves around three core aspects:
- Identity Lifecycle: This encompasses the journey of user identities within a system, from creation to deletion.
- Authorization: Determining what actions users are allowed to perform within a system.
- Authentication: Ensuring that users are who they claim to be when accessing applications or services.
Identity Access Management Portfolio by SAP
SAP offers an Identity and Access Management (IAM) portfolio that covers both on-premises and public cloud solutions. Let's look at each category - Identity Lifecycle, Authentication, and Authorization - and at the components of SAP Cloud Identity Services (SCI) that belong to each.
Source SAP SE: Image from the SAP presentation showcased at the DSAG Technology Days 2024 in Hamburg
Identity Lifecycle Management
For managing the lifecycle of identities, SAP provides several solutions:
- Identity Provisioning: Part of SCI. Facilitates seamless creation and management of user identities.
- Identity Directory: Part of SCI. Serves as a centralized repository for user and group information.
- SAP Identity Management: An on-premises product for identity lifecycle management that remains supported until the end of 2027 (2030 with extended maintenance).
Authentication Solutions
SAP's authentication solutions ensure secure access to applications and services:
- Identity Authentication: Part of SCI. Provides seamless and secure authentication for users across applications.
- SAP Single Sign-On 3.0: An on-premises product offering single sign-on capabilities until the end of 2027.
- Secure Login Service: The newest addition to SAP's IAM lineup, positioned as the successor to SAP Single Sign-On for SAP GUI scenarios. It is a cloud service that issues short-lived X.509 certificates for single sign-on and is meant to improve both security and user experience.
Authorization Management
Authorization management is crucial for defining user permissions and access control:
- SAP Cloud Identity Access Governance: Closely integrated with SCI, it adds access governance (risk analysis, access requests, access certification) on top of plain authorization management.
- Authorization Management of SAP Cloud Identity Services: Centralizes authorization management for applications on SAP BTP. Developers define access policies with conditions as part of the application; administrators can adjust those policies after deployment without a redeploy. This reduces per-application authorization logic and keeps grants precise.
- SAP Access Control: An on-premises product offering that enables organizations to control access and prevent fraud across the enterprise, while minimizing the time and cost of compliance. An upcoming version (release 2026) will further enhance authorization capabilities within SAP's IAM portfolio.
While SAP's IAM portfolio boasts a comprehensive suite of solutions, it's worth noting that the SAP Customer Data Cloud is beyond the scope of this discussion due to the author's limited experience with it.
SAP Cloud Identity Services
Short Overview
SAP Cloud Identity Services (SCI) offer a suite of components tailored to address various facets of IAM:
- Identity Provisioning: Streamlining the process of creating and managing user identities.
- Identity Directory: Serving as a centralized repository for storing and accessing user and group information.
- Authorization Management: Facilitating the assignment and management of user permissions.
- Identity Authentication: Ensuring secure and seamless user authentication across applications.
Key Features of SCI
- Predefined Connectivity and Bundling: SCI seamlessly integrates with SAP cloud solutions, providing out-of-the-box configuration for user provisioning and authentication.
- Automated Service Enablement: Identity Services are automatically enabled as part of the product delivery process, simplifying setup for customers.
- Default Pre-Configuration: SAP cloud solutions come pre-configured with Identity Services, catering to common scenarios without the need for separate licensing.
Source SAP SE: Image from the SAP presentation showcased at the DSAG Technology Days 2024 in Hamburg
Cross-Enterprise Access Governance
Cross-enterprise identity management and access governance integration is set to be streamlined with the integration of Microsoft Entra ID and Microsoft Entra ID Governance alongside SAP Cloud Identity services and SAP Cloud Identity Access Governance. This integration will empower organizations to achieve single sign-on and provisioning capabilities across a range of SAP business applications, including SAP S/4HANA Public Cloud, SAP Ariba, SAP Concur, and SAP SuccessFactors. Furthermore, the linkage between Microsoft Entra ID and Microsoft Entra ID Governance with SAP Cloud Identity Access Governance will enable cohesive identity and access risk assessments, alongside monitoring and management of compliance controls.
Source SAP SE: Image from the SAP presentation showcased at the DSAG Technology Days 2024 in Hamburg
Identity Lifecycle Management with SCI
SAP Cloud Identity Services manages the employee lifecycle from onboarding to offboarding, so that access follows a person's status in the organization.
It does this by centralizing identity management: SCI collects the identities derived from the leading systems (typically HR) and acts as the single source of truth for the connected applications. The Identity Directory stores those identities; Identity Provisioning distributes them to the target systems.
Identity Directory: Centralized User Management
The Identity Directory serves as a central repository for user and group information, accessible via APIs and admin UI, simplifying connectivity and integration with SAP SaaS applications. It provides a System for Cross-domain Identity Management (SCIM) 2.0 REST API for managing resources (users, groups and custom schemas) with a set of attributes. Those attributes are defined in the SCIM 2.0 Core schema and the Enterprise user resource schema. Custom attributes are supported through a schema extension.
Identity Provisioning
Transformation Engine
Identity Provisioning connectors are the building blocks of the identity lifecycle process. They come in three types, Source System Connectors, Target System Connectors, and Proxy System Connectors, and connect the systems between which users and groups are provisioned.
The Identity Provisioning transformation engine offers several powerful capabilities:
- Assignment: Users can define rules for assignments based on input data. For instance, organizations can use the value of an identity's organizational unit to determine the roles required for that user.
- Mapping between identity models: The engine facilitates mapping between attributes in different models. For example, it can map the surname attribute to the family name attribute. Additionally, it allows for adjustments to data formats, such as converting time or number formats as needed.
- Filtering: Organizations can specify detailed criteria for determining which objects should be read or written. This enables fine-grained control over data synchronization and provisioning processes, ensuring that only relevant information is transferred between systems.
Various types of connectors to facilitate seamless integration
- Source System Connectors: These connectors enable the extraction of user data from source systems, such as SAP Cloud solutions, on-premise solutions, and third-party solutions.
- Target System Connectors: These connectors facilitate the transfer of user data to target systems, including SAP Cloud solutions, on-premise solutions, and third-party solutions.
- Proxy System Connectors: These connectors act as intermediaries between source and target systems, ensuring smooth data transfer and integration.
With connectors for more than 20 SAP cloud solutions, on-premise solutions, and third-party solutions, Identity Provisioning offers out-of-the-box configuration for user provisioning, so that identities can be managed across diverse systems with little custom setup.
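To make the three transformation capabilities concrete, here is an added example (not SAP's code) of a small evaluator for an Identity Provisioning-style transformation spec, run over a constructed SCIM user. The spec keys used (sourcePath, targetPath, constant, condition, function, optional) mirror the documented IPS transformation format; the evaluator, the target attribute names (login, surname, roles) and the way a missing mandatory attribute is handled are assumptions made for this post, not SAP's engine.

```python
"""Added example (not SAP code): evaluate an IPS-style transformation spec.
Shows filtering (entity-level condition), mapping between identity models
(familyName -> surname, with a format function) and assignment (a role
derived from the organisational unit)."""
import json
import re

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed source user: SCIM 2.0 core schema plus the enterprise extension.
SOURCE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
    "id": "4f1c", "userName": "jdoe", "active": True,
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jane.doe@example.com", "primary": True}],
    ENTERPRISE: {"department": "FIN"},
}

# Constructed target-system transformation (assumed target attribute names).
TRANSFORMATION = {"user": {
    "condition": "$.active == true",  # filtering: inactive users are never written
    "mappings": [
        {"sourcePath": "$.userName", "targetPath": "$.login", "function": "toUpperCase"},
        {"sourcePath": "$.name.familyName", "targetPath": "$.surname"},  # model mapping
        {"sourcePath": "$.emails[0].value", "targetPath": "$.email"},
        {"sourcePath": "$.phoneNumbers[0].value", "targetPath": "$.phone", "optional": True},
        # assignment: derive a target role from the organisational unit
        {"constant": ["FIN_VIEWER"], "targetPath": "$.roles",
         "condition": "$['%s'].department == 'FIN'" % ENTERPRISE},
    ],
}}

FUNCTIONS = {"toUpperCase": str.upper, "toLowerCase": str.lower}
_TOKEN = re.compile(r"\.(\w+)|\[(\d+)\]|\['([^']*)'\]")
_COND = re.compile(r"^\s*(\$\S+)\s*(==|!=|=~)\s*(.+?)\s*$")


def get_path(obj, path):
    """Resolve $.a.b, $.a[0].b or $['urn:...:2.0:User'].attr; None if absent."""
    cur = obj
    for dot, idx, bracket in _TOKEN.findall(path[1:]):
        try:
            cur = cur[int(idx)] if idx else cur[dot or bracket]
        except (KeyError, IndexError, TypeError):
            return None
    return cur


def set_path(obj, path, value):
    """Store value at a dotted target path, creating nested objects as needed."""
    keys = [dot or bracket for dot, _, bracket in _TOKEN.findall(path[1:])]
    for key in keys[:-1]:
        obj = obj.setdefault(key, {})
    obj[keys[-1]] = value


def _literal(text):
    if text in ("true", "false"):
        return text == "true"
    if text.startswith("'") and text.endswith("'"):
        return text[1:-1]
    return float(text)


def evaluate(condition, obj):
    """Evaluate one comparison of the form '$.path OP literal' (==, !=, =~)."""
    match = _COND.match(condition)
    if not match:
        raise ValueError("unsupported condition: %s" % condition)
    left, op, right = match.groups()
    actual = get_path(obj, left)
    if op == "=~":
        return actual is not None and re.fullmatch(right.strip("'"), str(actual)) is not None
    expected = _literal(right)
    return actual == expected if op == "==" else actual != expected


def transform(spec, source):
    """Apply one entity spec; returns None when the entity is filtered out.
    A missing mandatory source attribute raises (assumption: IPS would mark
    the entity as failed for that run rather than write a partial record)."""
    if "condition" in spec and not evaluate(spec["condition"], source):
        return None
    target = {}
    for m in spec["mappings"]:
        if "condition" in m and not evaluate(m["condition"], source):
            continue
        value = m["constant"] if "constant" in m else get_path(source, m["sourcePath"])
        if value is None:
            if m.get("optional"):
                continue
            raise ValueError("mandatory attribute missing: %s" % m["sourcePath"])
        if "function" in m:
            value = FUNCTIONS[m["function"]](value)
        set_path(target, m["targetPath"], value)
    return target


if __name__ == "__main__":
    print(json.dumps(transform(TRANSFORMATION["user"], SOURCE_USER), indent=2))
```

The point worth checking in your own transformations is the entity-level condition: without it, a user deactivated in the source is still written to the target with whatever the target does by default, which is often "active".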
Authorization Management
Authorization plays a crucial role in ensuring secure access to applications and resources. Here's how SAP addresses authorization management:
- Internal Authorization Definition: Many applications define authorizations internally, tailored to their specific domain requirements.
- Central User Assignment: SAP Cloud Identity Services centralizes user assignment to roles and groups, streamlining access management.
- Authorization Management Service (AMS): This relatively new service provides centralized management of end-user authorizations for applications on the SAP Business Technology Platform. AMS integrates with SAP Cloud Identity Services, so that policies can be configured and assigned directly from the SCI administration console.
- Policy Assignment: In SAP Cloud Identity, each policy corresponds to a group in the identity directory. Policies can be assigned to users by making them members of the respective policy group. Customers have the flexibility to assign SAP-provided or custom policies to users using the user-friendly UIs in the SAP Cloud Identity console or programmatically via the SCIM API of the Identity Directory.
Source SAP SE: Image from the SAP presentation showcased at the DSAG Technology Days 2024 in Hamburg
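Because a policy is just a group in the Identity Directory, assigning it programmatically is a standard SCIM 2.0 PatchOp on the group's members. The following is an added example (not SAP code): it builds the PATCH request against the Identity Directory SCIM endpoint without sending it (the tenant host, group id and policy group name are placeholders), and models what a SCIM server does with the operation so the example runs offline. The server behaviour in apply_patch() is an assumption about RFC 7644 semantics, not a statement about SAP's implementation.

```python
"""Added example (not SAP code): add or remove a user in a policy group via
SCIM 2.0 PatchOp (RFC 7644 section 3.5.2)."""
import json
import urllib.request

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def add_member_patch(user_id):
    """Body for PATCH /scim/Groups/{groupId}: add one member by user id."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "add", "path": "members",
                            "value": [{"value": user_id}]}]}


def remove_member_patch(user_id):
    """Remove one member using a filtered path (RFC 7644 section 3.5.2.2)."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "remove",
                            "path": 'members[value eq "%s"]' % user_id}]}


def build_request(tenant_url, group_id, body, bearer_token):
    """Prepare (not send) the PATCH; SCIM uses the application/scim+json media type."""
    return urllib.request.Request(
        "%s/scim/Groups/%s" % (tenant_url.rstrip("/"), group_id),
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/scim+json",
                 "Authorization": "Bearer " + bearer_token},
        method="PATCH")


def apply_patch(group, patch):
    """Apply member add/remove operations to a group resource in place.
    'add' is idempotent: an existing member is not duplicated, which keeps a
    retried provisioning run from producing double assignments."""
    if patch.get("schemas") != [PATCH_OP]:
        raise ValueError("not a SCIM PatchOp")
    members = group.setdefault("members", [])
    for op in patch["Operations"]:
        if op["op"] == "add" and op["path"] == "members":
            present = {m["value"] for m in members}
            for entry in op["value"]:
                if entry["value"] not in present:
                    members.append({"value": entry["value"]})
                    present.add(entry["value"])
        elif op["op"] == "remove" and op["path"].startswith('members[value eq "'):
            target = op["path"][len('members[value eq "'):-2]
            members[:] = [m for m in members if m["value"] != target]
        else:
            raise ValueError("unsupported operation: %r" % op)
    return group


# Constructed policy group (assumed displayName for an AMS policy group).
POLICY_GROUP = {"id": "8d2a", "displayName": "AMS_FIN_Viewer", "members": []}

if __name__ == "__main__":
    apply_patch(POLICY_GROUP, add_member_patch("4f1c"))
    req = build_request("https://tenant.accounts.ondemand.com", POLICY_GROUP["id"],
                        add_member_patch("4f1c"), "<access token>")
    print(req.get_method(), req.full_url, json.dumps(POLICY_GROUP))
```

Use the filtered remove path rather than replacing the whole members list: a full replace written from a stale read silently drops members that were added in between.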
Identity Access Governance
SAP Cloud Identity Access Governance (IAG) is already widely recognized, offering a comprehensive suite of features aimed at enhancing security and compliance.
Key Features:
- Privileged Access Management: Enables the management of super-user access, log consolidation, and automated log assessment to ensure stringent security measures.
- Access Certification: Facilitates the review of access, roles, risks, and mitigation controls to maintain compliance with regulatory standards.
- Access Analysis: Provides tools to analyze access, refine user assignments, and manage controls effectively.
- Access Request: Optimizes access by streamlining workflows, policy-based assignment, and processes to ensure efficient access provisioning.
- Role Design: Allows organizations to optimize role definition and governance processes, enhancing overall security posture.
Moreover, SAP Cloud Identity Access Governance offers HR-driven identity lifecycle management by integrating with SAP SuccessFactors. This integration enables automatic access requests triggered by changes in employee status within the HR system. The IAG Bridge Cloud facilitates the creation of access requests for cloud applications, with risk analysis and provisioning handled by SAP Cloud Identity Access Governance.
API-based integrations further enhance flexibility, allowing external applications to submit requests to SAP Cloud Identity Access Governance for processing. This enables efficient access provisioning and deprovisioning based on approval processes, with the option to retrieve request status periodically.
With support for over 16 SAP Cloud solutions, on-premises solutions, and third-party solutions, SAP Cloud Identity Access Governance provides a robust platform for organizations to maintain security, compliance, and efficient access management across their IT environment.
Authentication
Authentication within SAP's ecosystem runs through SAP Cloud Identity Services, which acts as the central entry point for authentication in a hybrid SAP landscape. Here's how it ideally works:
- SAP Cloud Identity Services: This platform acts as the primary hub for authentication. SAP applications inherently trust SAP Cloud Identity Services for identity authentication, ensuring a secure login process.
- User Interaction: Users have the flexibility to interact with either Identity Authentication provided by SAP Cloud Identity Services or third-party Identity Providers. Regardless of the chosen method, users benefit from Single Sign-On capabilities, enhancing user experience and simplifying access to multiple applications.
- Integration with SAP GUI: SAP GUI authenticates with short-lived X.509 certificates issued by SAP Secure Login Service once the user has authenticated at the identity provider, which brings MFA to SAP GUI logons as well.
Source SAP SE: Image from the SAP presentation showcased at the DSAG Technology Days 2024 in Hamburg
Short Comparative Note: SAP Secure Login Service (SLS) for SAP GUI versus SAP Single Sign-On (SSO) 3.0. While SAP Single Sign-On 3.0 remains a viable solution for certain use cases, the emerging preference leans towards the new SLS for SAP GUI for most scenarios. The rationale behind this shift is that SSO 3.0 relies on capabilities such as multi-factor authentication and CLM (Certificate Lifecycle Management with NDES CA integration) running on SAP NetWeaver Application Server Java, which is scheduled to exit mainstream maintenance by the end of 2027.
Source SAP SE: Image from SAP
By contrast, the new SLS does not depend on SAP NetWeaver AS Java; it is a cloud-based service that integrates with cloud-centric identity providers such as SAP Cloud Identity Services - Identity Authentication, and it is sold as a cloud subscription, in line with how customers prefer to license software today. Note, however, that some features of the SAP SSO 3.0 suite are not yet available in SLS.
Principal propagation is part of the same picture: SAP Cloud Identity Services propagates the authenticated principal between applications, so that a user authenticated in one system is recognized consistently in the systems it calls.
Upcoming Developments and Enhancements
Upcoming: Simplified Principal Propagation for Authentication
SAP Cloud Identity Services is set to become a central token service for system-to-system calls, reducing complexity and strengthening trust between applications. Here's what to expect:
- Central Token Service: SAP Cloud Identity Services will transition into a central token service, streamlining the process of system-to-system calls. This move aims to reduce complexity and enhance efficiency in authentication workflows.
- Token Request Flow: When a sender application needs to call an API of the receiver application on behalf of the current user, it will request a token from Identity Authentication within SAP Cloud Identity Services.
- Trust in Tokens: SAP applications, along with third-party applications, will trust tokens issued by SAP Cloud Identity Services for API calls. This trust ensures secure and seamless communication between applications, regardless of their origin.
Source SAP SE: Image from the SAP presentation showcased at the DSAG Technology Days 2024 in Hamburg
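The security-relevant half of this flow is not the request but what the receiver does with the token. The following is an added example (not SAP code) of both: the request the sender would post to the token endpoint, and the receiver-side checks that make a centrally issued token safe to trust. The request shape follows RFC 8693 token exchange; SAP has not published the final parameters, so the field names are an assumption. The stand-in token service signs with HS256 and a shared secret only so the example runs offline; a real issuer uses asymmetric keys published on its JWKS endpoint, but the claim checks (issuer, audience, expiry) are the same.

```python
"""Added example (not SAP code): token exchange request and receiver-side
validation for propagated principals."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

ISSUER = "https://tenant.accounts.ondemand.com"  # placeholder tenant URL


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_exchange_request(user_token, receiver_audience, sender_client_id):
    """Form body the sender posts to the token endpoint to obtain a token
    for the receiver on behalf of the current user (RFC 8693 shape, assumed)."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": user_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "audience": receiver_audience,
        "client_id": sender_client_id,
    })


def issue_token(secret, subject, audience, sender_client_id, ttl=300, now=None):
    """Stand-in token service: a short-lived JWT bound to one receiver (aud)
    and recording which application asked for it (azp)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience,
              "azp": sender_client_id, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_for_receiver(token, secret, my_audience, now=None):
    """Receiver-side validation.  The audience check is what stops a token
    minted for one API from being replayed against another."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header's choice
    expected = hmac.new(secret, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if my_audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this receiver")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    secret = b"demo-shared-secret"
    tok = issue_token(secret, "jdoe", "receiver-api", "sender-app")
    print(token_exchange_request(tok, "receiver-api", "sender-app"))
    print(verify_for_receiver(tok, secret, "receiver-api"))
```

Keep the audience per receiver: if every API in the landscape accepts the same audience, a compromised sender can use one user token against all of them, and the central token service buys nothing over passing the original token around.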
SCIM & SAP: Updates for Improved Enterprise Readiness
SAP is working on enhancements to the SCIM protocol, including cursor-based pagination and additional schema support, to enhance user assignment processes and enterprise readiness.
Here's an overview of the recent developments:
- SCIM Adoption: SAP first adopted SCIM as a product standard with the Identity Provisioning Service (IPS). SCIM 2.0 was subsequently designated the primary protocol for replicating users and groups to SAP applications, with implementation guidelines for application teams.
- SCIM User Lifecycle: SCIM uses the "active" flag to control whether a user may authenticate and interact with an application. After a DELETE, the protocol requires later GET requests for that resource to return no result (404). Applications decide themselves whether to keep deactivated users in a blocked status or to create new user records as needed.
- Enterprise Readiness: SAP identified gaps in SCIM's enterprise readiness, notably the lack of a delta-read mechanism and the weaknesses of index-based pagination (pages shift when the result set changes between requests). To address these, SAP is working on cursor-based pagination for entities such as Users and Groups, as well as for multi-valued attributes.
- SCIM Groups and Schema Enhancements: SAP envisions SCIM Groups as the primary method for user assignments, offering transparent concepts for SCIM clients. SAP's group schemas introduce additional capabilities, such as defining group types and supported operations, providing more precise operations for SCIM clients.
- SAP User Extensions: SAP plans to introduce additional user extensions for business attributes derived from the One Domain Model (ODM). This extension aims to enable applications to create users with related business attributes. The schema will support legacy approaches and integration scenarios with the Master Data Integration Service.
Source SAP SE: Image from the SAP presentation showcased at the DSAG Technology Days 2024 in Hamburg
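Why index-based pagination is an enterprise-readiness problem is easiest to see in code. The following is an added example (not SAP code): a tiny in-memory directory serves Users both ways, and a concurrent delete between two pages makes the startIndex client skip a user while the cursor client sees all of them. For a reconciliation or deprovisioning run, a skipped user means access that is never cleaned up. Parameter names follow RFC 7644 (startIndex, count, totalResults, itemsPerPage) and the IETF SCIM cursor-pagination draft (cursor, nextCursor); SAP's final implementation is not published, so the cursor encoding here is an assumption. The active flag and the GET-after-DELETE behaviour from the list above are modelled as well.

```python
"""Added example (not SAP code): index vs cursor pagination under
concurrent change, plus the 'active' flag and 404-after-DELETE."""


class Directory:
    def __init__(self, ids):
        self._users = {i: {"id": i, "userName": "user-%s" % i, "active": True} for i in ids}

    def delete(self, uid):
        del self._users[uid]

    def deactivate(self, uid):
        """SCIM 'active' flag: the user stays readable but must not be able to log in."""
        self._users[uid]["active"] = False

    def get(self, uid):
        """RFC 7644 section 3.6: a deleted resource answers 404 on later GETs."""
        return (200, self._users[uid]) if uid in self._users else (404, None)

    def _ordered(self):
        return sorted(self._users.values(), key=lambda u: u["id"])

    def list_by_index(self, start_index=1, count=2):
        """Index pagination: 1-based startIndex into the *current* result set."""
        items = self._ordered()
        page = items[start_index - 1:start_index - 1 + count]
        return {"totalResults": len(items), "startIndex": start_index,
                "itemsPerPage": len(page), "Resources": page}

    def list_by_cursor(self, cursor=None, count=2):
        """Cursor pagination (assumed encoding): the cursor is the last id already
        returned, so a page is 'everything after that id' regardless of deletions."""
        items = [u for u in self._ordered() if cursor is None or u["id"] > cursor]
        page = items[:count]
        return {"Resources": page,
                "nextCursor": page[-1]["id"] if len(items) > count else None}


def read_all_by_index(directory, count, between_pages=None):
    """Client loop; between_pages() simulates a concurrent change after page 1."""
    seen, start = [], 1
    while True:
        page = directory.list_by_index(start, count)
        seen += [u["id"] for u in page["Resources"]]
        if start == 1 and between_pages:
            between_pages()
        start += page["itemsPerPage"]
        if not page["Resources"] or start > page["totalResults"]:
            return seen


def read_all_by_cursor(directory, count, between_pages=None):
    seen, cursor, first = [], None, True
    while True:
        page = directory.list_by_cursor(cursor, count)
        seen += [u["id"] for u in page["Resources"]]
        if first and between_pages:
            between_pages()
        first, cursor = False, page["nextCursor"]
        if cursor is None:
            return seen


if __name__ == "__main__":
    d = Directory(list("abcde"))
    print("index :", read_all_by_index(d, 2, lambda: d.delete("a")))   # c is skipped
    d = Directory(list("abcde"))
    print("cursor:", read_all_by_cursor(d, 2, lambda: d.delete("a")))  # all five seen
```

The same shift happens in the other direction on inserts (a user is returned twice), which is harmless; the silent skip on deletes is the case to test your own SCIM clients against.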
SAP Cloud Identity Services continue to evolve, offering comprehensive IAM solutions for businesses. With features such as predefined connectivity, automated service enablement, and upcoming enhancements, SAP remains innovative, ensuring secure and efficient identity and access management for its customers.