- SAP Managed Tags:
Part I of this blog series described a federated approach for cross-domain identity and access management by using the groups claim in the OAuth access token sent by Microsoft Entra ID to the SAP Cloud Identity Services (CIS) Identity Authentication tenant. With the tenant acting as an identity provider (IdP) proxy in part I, the user's group membership(s) in the groups claim were forwarded to the SAP Business Technology Platform (BTP). By sharing the user's identity information in a secure and interoperable token across system and technology boundaries, the application on BTP (SAP Business Application Studio) could successfully authenticate and authorize the user, even without creating a user account in the application's database or in the CIS tenant's identity directory.
Part II of the blog post series extends the Cloud-only scenario in part I with a hybrid identity setup that requires managing the user lifecycle across Microsoft Active Directory, Microsoft Entra, SAP BTP, SAP CIS, and an SAP system on-premise. Again, this blog post aims to provide technical guidance for migrating identity management processes from SAP Identity Management (IDM) to Microsoft Entra. Kudos to Marko Sommer (@MSo) for supporting the SAP cloud setup.
| 📢 📢 📢 Note |
For a live demo recording (in German language) of the scenario in this blog post, check out the online session from January 16th 2025 with the Deutschsprachige SAP Anwendergruppe e.V. (DSAG) working group Identity Access Management. For a demo in English language, tune in to the SAP on Azure video podcast episode 226. |
Scenario overview
Similar to part I, this scenario follows SAP's reference architecture for Cloud-leading identity lifecycle, It relies on the Identity Provisioning service (IPS) in SAP Cloud Identity Services (CIS) to replicate users stored in the CIS tenant's Identity Directory into the target application(s), which is an SAP Application Server ABAP system on-premises in this scenario. This scenario also continues like in part I to use access packages from Entitlement Management in Microsoft Entra ID Governance to centrally control who has access to which resources across the application portfolio of the fictitious company BestRun Corp.
Figure 1 shows the hybrid landscape and provisioning flow for a new employee. Instead of the manual approval workflow as implemented in part I, the objective in this part is to fully automate the lifecycle management of user accounts, license assignments, and authorizations of new employees with Entra and ClS to implement the following requirements:
- Every new employee must have instant access to the productivity and AI tools from BestRun's Microsoft 365 enterprise subscription.
- Employees in BestRun's IT department need access to the SAP system on-premise with the required authorizations for ABAP development. BestRun's security policy requires an SNC (Secure Network Communications)-secured connection and single sign-on (SSO) from SAP GUI with a Kerberos ticket issued by the corporate Active Directory (AD) Domain Controller (DC). For SSO, the Kerberos principal for the Windows user must be mapped to the SAP user in the backend.
Let's have a look at the provisioning flow for a new user in this hybrid scenario in more detail:
- A new user account is created in BestRun's AD for the new employee. Every employee has a common set of organizational attributes, such as companyName ("BestRun Corp.") and department, which is set according to the employee's role in the organization, for example "Information Technology" for new members in BestRun's IT team.
- The Microsoft Entra Cloud Sync Provisioning Agent on the DC host provides the connectivity between the corporate network and Microsoft Entra ID. It takes care for synchronizing users and groups created, updated or deleted in AD to BestRun's Entra ID tenant every 2 minutes.
- The agent follows the de-facto standard SCIM (System for Cross-domain Identity Management) 2.0 that is detailed in SCIM 2.0 Core Schema (RFC 7643) and SCIM 2.0 Protocol (RFC 7644) to provision and deprovision users and groups in Entra ID. The agent also supports the synchronization of the user password hash to allow users to sign-in to Cloud services like Microsoft 365 with the same password they use to sign in to the AD on-premise. With password writeback, the agent enables self-service scenarios to reset or change the user's password in the Cloud, and have that updated password synchronized back to the AD on-premises environment. To configure the provisioning from AD, the Entra administrator creates a syncronization configuration for the agent in the Cloud that can be tailored towards specific users or groups, mapping of attributes etc.
- To auto-assign new employees and their accounts to a Microsoft 365 license, the M365 access package has a policy configured to automatically assigns each (new or updated) user with the attribute companyName set to "BestRun Corp." and who are members (not guests) in the Entra ID tenant to the "M365 User" group. In the Microsoft 365 admin center, the Microsoft 365 license is assigned to the "M365 User" group.
- A second access package in this scenario, "SAP A4H", auto-assigns users to the "SAP User" group who have their department attribute set to the value "Information Technology".
- Configuring the Entra ID tenant to provision users into the SAP CIS tenant requires to add "SAP Cloud Identity Services" from the Microsoft Entra application gallery to the Entra ID tenant's list of enterprise applications. This enterprise application is scoped to provision only users from the "SAP User" group, and has access to the credentials (username and password) of a system administrator with the name "Entra tenant bestruncorp" created in the SAP CIS tenant. This system administrator account has the required authorization in the SAP CIS tenant to execute the provisioning operations in the scenario. For applications listed in the gallery like "SAP Cloud Identity Services", provisioning follows the SCIM standard to ensure cross-domain interoperability. The enterprise application centrally controls all required identity attribute mapping and transformation logic in the scenario, such as the SAP login name derived from the Windows user name, and construction of the SNC mapping following the format "p:<Windows user name>@<Kerberos realm name>". For transferring both values to CIS, the custom attributes defined in SAP's SCIM user schema extension "urn:sap:cloud:scim:schemas:extension:custom:2.0:User" are used.
- New users in Entra are provisioned to the SAP CIS tenant's identity directory. As the persistent layer in the SAP CIS tenant, the identity directory is the source system in the tenant's IPS for the synchronization of users and groups to downstream target systems, such as the on-premise SAP system in this scenario.
- SAP CIS IPS uses SAP BTP's connectivity service to establish a secure connection from CIS to the SAP system on the corporate network. All required configuration settings for the connection, such as the SAP System ID or authentication details to connect to the SAP application server, are stored in a destination in the SAP BTP subaccount. For the provisioning service to successfully use the destination and connectivity service, the BTP subaccount must have a subscription to the SAP CIS tenant with plan type "connectivity" and the required entitlement in the subaccount for it.
- Finally, the connectivity services uses the destination to establish the connection to the SAP system on-prem via the SAP Cloud Connector.
- Cloud connector uses the SAP Java Connector (JCo) to call the Business Application Programming Interfaces (BAPIs) for managing users in the SAP ABAP application server and creating the new user in the system. As part of this operation, it also writes the SNC mapping required for SSO that were created in step 6 with the attribute transformation in Entra.
Prerequisites and lab setup
Before you start, check if you fulfill the following prerequisites for a working lab environment for this scenario:
- A test or productive CIS tenant with full administrative access. Note: This scenario cannot be implement with a free trial tenant because it cannot connect to on-premise systems using the cloud connector.
- An SAP BTP enterprise account (a global account of type enterprise). Note: It is not possible to subscribe to the CIS connectivity plan in a trial account. If you do not have an enterprise account and wish to explore or buy one, you may refer to a pay-as-you-go license.
- Administrative access to a subaccount in your enterprise account that maps to the CIS tenant's region according to the table documented here. For example, if your CIS tenant is located in "US West", your subaccount must be created in the BTP region "US West (WA)" on Azure. Once you create the subaccount, you must enable Cloud Foundry for this subaccount.
- Administrator-level access to an Microsoft Entra ID P2 subscription. You can obtain a P2 tenant for development and learning purposes with a free Microsoft 365 E5 developer program subscription. To qualify for the developer program, a valid Visual Studio subscription is required. With this subscription you can request a trial of Microsoft Entra ID Governance by following these steps.
- Administrative access to an AD Domain Services (DS) instance. I've created this system in my lab environment as a Hyper-V Windows Server 2019 guest operation system Virtual Machine (VM) on my Windows 11 host, but you can also run your AD instance in the cloud on an Azure VM. The VM has the AD DS role added to it and is promoted to a DC following this documentation. The domain name used in this tutorial is corp.bestrun.com (NetBIOS: CORP), but you can also choose a different name. The VM has the Microsoft Entra Provisioning Agent installed following these instructions, and the SAP Cloud Connector as documented here. Configuration of the provisioning agent and cloud connector for the scenario will be covered in the tutorial steps below.
- Administrative access to an SAP Application Server ABAP that serves as the target system in the provisioning scenario. One of the easiest ways to setup a free development and test system is to run the ABAP Platform Trial on Docker. Setup of the SNC configuration for Kerberos SSO is described in this related blog post (see section "Configure SAP for Kerberos-based SSO with Active Directory").
- For testing a successful end-to-end provisioning in this scenario, the user will single sign-on via SAP GUI to the SAP system. This requires a Windows 10 or 11 workstation that is domain-joined and has SAP GUI for Windows and SAP Secure Login Client (SLC) installed. In my lab environment, I am running Windows 10 in a Hyper-V VM to simulate the user's workstation. In a simplified setup you can also run the test from the AD DC.
Ready? Then let's get started with preparing the SAP system for the integration with IPS. Some steps will refer to the associated GitHub repository that contains configuration files to simplify the setup.
Create System User and Role for provisioning in the SAP system
A system user with the required authorizations to execute the user management BAPIs will be created in the SAP system and its credentials will be shared later to configure the destination for IPS in SAP BTP.
| Step | Description | Screenshot |
| 1.1 | Login to the SAP ABAP application server as an administrator (e.g. user DEVELOPER if you are using the ABAP Developer trial Docker image). All steps in this tutorial will be executed in SAP logon client "001", but you may choose a different client. Start by creating a role with the required authorizations for provisioning users from IPS. Execute transaction PFCG for role maintenance. Enter SAP_BC_JSF_COMMUNICATION in the Role field and click Copy. |  |
| 1.2 | Enter name of the new role in the to role field, for example "ZIPS_USER_PROVISIONING". Click Copy all. |  |
| 1.3 | Enter the new role's name in the Role field and click Change. |  |
| 1.4 | Change the Description and Long Text. Click Save. Switch to the Authorizations tab. |  |
| 1.5 | Click Change Authorization Data. |  |
| 1.6 | Expand the subtree of Object class AAAB. For Authorization object S_RFC, click Change to edit the value of field name RFC_NAME for Authorization "Authorizat. 01". |  |
| 1.7 | Scroll down in the table and select the first empty row. Enter RFC_METADATA_GET in the 'From' field. Select the next empty row, and enter RFCPING in the 'From' field. The table should now list the following RFC function modules that are authorized with the new role ZIPS_USER_PROVISIONING copied from SAP_BC_JSF_COMMUNICATION:
Click Save. |  |
| 1.8 | Click Generate to update the profile(s). |  |
| 1.9 |
Confirm the generation of the new default profile for your role. |  |
| 1.10 | Click Exit. |  |
| 1.11 | Go to user maintenance with transaction code "/nSU01". |  |
| 1.12 | In the User field, enter "SAPIPS". Click Create User (F8). |  |
| 1.13 | Enter "SAPIPS" for the Last Name. Switch to the Logon Data tab. |  |
| 1.14 | Select User Type "System". Enter a password in New Password, and enter it again in Repeat Password. Note: You will need the password later for the configuration of the destination for IPS in SAP BTP. Click Save. |  |
| 1.15 | Switch to the Roles tab. Select the Role column of the first row in the Role assignment table and click on the value help button. |  |
| 1.16 | Switch to the Single Roles tab. In the Single Role field, enter "ZIPS_*" Click Start Search. |  |
| 1.17 | Activate the checkbox for the ZIPS_USER_PROVISIONING role in the search results. Click Copy. |  |
| 1.18 | Click Save. |  |
Configure SAP Cloud Connector
The following steps assume that the SAP Cloud Connector is already installed and started on the AD DC host with Internet access and connectivity to the SAP system on the internal network.
| Step | Description | Screenshot |
| 2.1 | Login to the SAP BTP Cockpit and select your subaccount. As mentioned in the prerequisites section, make sure that the region of the selected subaccount maps to the region of your CIS tenant as documented in this table. |  |
| 2.2 | Navigate to Connectivity -> Cloud Connectors. Click Download Authentication Data. |  |
| 2.3 | Login to the AD DC as the domain administrator. Open a browser and access the login page of your SAP Cloud Connector instance at https://<AD DC IP address or hostname>:8443 Login with the SAP Cloud Connector Administrator user. |  |
| 2.4 | Click Add subaccount. |  |
| 2.5 | Select Configure using authentication data from file. Click Next. |  |
| 2.6 | Click Browse and select the file you downloaded in step 2.2. Click Next. |  |
| 2.7 | Click Finish. |  |
| 2.8 | Navigate to Cloud To On-Premise in the newly added subaccount. On the ACCESS CONTROL tab, click '+' to add a new system mapping. |  |
| 2.9 | Select "ABAP System" as the Back-end Type. Click Next. |  |
| 2.10 | Select RFC as the Protocol. Click Next. |  |
| 2.11 | Select Without load balancing (application server and instance number). Click Next. |  |
| 2.12 | Enter your SAP ABAP server IP address in the Application Server field. Enter the instance number (e.g. '00' if you are using the ABAP Platform Trial on Docker). Click Next. |  |
| 2.13 | Enter a name for the Virtual Application Server, e.g. "sap<SID>" ("sapa4h" if you are using the ABAP Platform Trial on Docker). Enter a Virtual Instance Number (e.g. "00"). Click Next. |  |
| 2.14 | The value for the entry field System ID should be populated automatically in a few seconds with the SID for your ABAP application server (e.g. "A4H" if you are using the ABAP Platform Trial on Docker). Click Next. |  |
| 2.15 | Optionally enter a description for the new system mapping. Click Next. |  |
| 2.16 | Activate the checkbox for Check Internal Host. Click Finish. |  |
| 2.17 | The new system mapping for the ABAP system is added to the list and should report the status Reachable in the column Check Result. |  |
| 2.18 | Click '+' in the Resources Of section to add the function modules accessible for this system. Alternatively, you can also click Import. Download the resource file from this Git repository and import it. You can then skip steps 2.19 and 2.20. |
|
| 2.19 | Enter PRGN_ROLE_GETLIST for the Function Name. Click Save. |  |
| 2.20 | Repeat the previous step for the following functions:
|  |
Configure the destination in the SAP BTP subaccount
With the SAP Cloud Connector now connected to the subaccount, a destination from SAP BTP to the SAP system on-premise is required to enable IPS to provision the users.
| Step | Description | Screenshot |
| 3.1 | Go back to the SAP BTP Cockpit browser window from the previous step. Verify that the Cloud Connector is successfully connected to the subaccount and shows the ABAP application server in the Exposed Back-End Systems section. Navigate to Connectivity -> Destinations. |  |
| 3.2 | Click Create Destination. Note: You cal also click Import Destination and import the configuration from this file on the Git repository. Enter the password from step 1.3 and verify the property values against your setup. Save the destination and continue with step 3.6. |  |
| 3.3 | Enter the following values:
Click New Property. |  |
| 3.4 | Select jco.client.client from the list of properties and enter 3-digit number of the SAP logon client you used to configure the steps in the first section of this tutorial (e.g. "001"). Click New property. |  |
| 3.5 | Repeat the previous step for the follow properties:
Click Save. |  |
| 3.6 | Click Check availability of destination connection to verify that the connection between BTP and and the SAP system on-premise via SAP Cloud Connector works. |  |
| 3.7 | Wait for the confirmation of the successful connection. Click Close. |  |
Create the system user in SAP CIS tenant
To authorize Microsoft Entra for provisioning and de-provisioning users to SAP CIS, a system user must be created in SAP CIS that will be used in the next step in Entra.
| Step | Description | Screenshot |
| 4.1 | Login to the Administration Console of your SAP CIS tenant at https://<tenant_hostname>.accounts.ondemand.com/admin |  |
| 4.2 | Navigate to Users & Authorizations -> Administrators from the top menu bar. Click "+ Add" and select System from the drop-down list- |  |
| 4.3 | Enter a name for the new Administrator of type System, for example "Entra Tenant <name of your tenant, e.g. bestruncorp". Activate the check-boxes for the following authorizations:
Click Save. |  |
| 4.4 | Select Secrets from the configuration settings. |  |
| 4.5 | Click "+ Add". |  |
| 4.6 | Enter a description for the new secret and choose an expiration time. For testing purposes you may choose "Never" from the drop-down list. Click Save. |  |
| 4.7 | Copy & paste the values for Client ID and Client Secret into a notepad. You will need them in the next section. Click OK. |  |
Create groups in Microsoft Entra
Let's move over to the Microsoft Entra Admin Center to create the required groups for the scenario: "SAP User" and "M365 User".
| Step | Description | Screenshot |
| 5.1 | Login with your Microsoft Entra tenant administrator to the Entra admin center with an additional URL query parameter Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled set to true: https://entra.microsoft.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true. This query parameter enables the Entra administrator to edit and enhance the list of supported Entra attributes for the provisioning configuration of the CIS tenant continued in the admin center in the next section. The additional attribute is required to access the Windows user name and Kerberos realm to construct the SNC mapping in the scenario. Navigate to Identity -> Groups -> Overview. Click New group. |  |
| 5.2 | Enter "SAP User" for the Group name. Click Create. |  |
| 5.3 | Click New group. |  |
| 5.4 | Enter "M365 User" for the Group name. Click Create. |  |
Setup SAP Cloud Identity Services Provisioning in Microsoft Entra
To simplifies the process for setting up automatic user provisioning from Microsoft Entra to the SAP CIS tenant, create an enterprise application from the Microsoft Entra application gallery.
| Step | Description | Screenshot |
| 6.1 | Navigate to Identity -> Applications -> Enterprise Applications. Click New application. |  |
| 6.2 | From the Microsoft Entra Gallery, enter "SAP Cloud Identity Services" in the search field. Click on the tile with the label "SAP Cloud Identity Services" from the search results. |  |
| 6.3 | Enter a name for the new enterprise application that represents your CIS tenant, e.g. "SAP Cloud Identity Services (<tenant>)", and replace <tenant> with the hostname of your CIS tenant. Click Create. |  |
| 6.4 | Click Add user/group. |  |
| 6.5 | Click None Selected. |  |
| 6.6 | Type "SAP User" in the Search field. From the search results, active the checkbox for the SAP User group. Click Select. |  |
| 6.7 | Click Assign. By assigning the SAP User group to the enterprise application you can scope provisioning to SAP CIS for only those users who are a member in this group. |  |
| 6.8 | Navigate to Manage -> Provisioning. |  |
| 6.9 | Select Manage -> Provisioning and switch to Provisioning Mode "Automatic". Expand the Admin Credentials section and provide the following configuration:
Click Test Connection. |  |
| 6.10 | Wait for the successful confirmation of the connection test from Entra to CIS. Click Save. |  |
| 6.11 | Expand the Mapping section. Click Provision Microsoft Entra ID Users to edit the pre-configured list of attribute mappings for SAP CIS.
|  |
| 6.12 | Activate the checkbox Show advanced options. By accessing the Microsoft Entra Admin Center with the addition URL query parameter in step 5.1, the additional option to edit the attributes for Entra appears in the Supported Attributes section. Click Edit attribute list for Microsoft Entra ID. |  |
| 6.13 | Scroll down to the last row in the table and enter "onPremisesUserPrincipalName" in the attribute name field. Click Save, and confirm the dialog with Yes. |  |
| 6.14 | Click Add New Mapping to provision the user's company name ("BestRun Corp.") to CIS. |  |
| 6.15 | For the Source attribute in Entra, select companyName. For the Target attribute in CIS, select company. Click Ok. |  |
| 6.16 | Click Add New Mapping to provision the user's SAP login name to CIS using custom attribute 1 from the SCIM user schema extension in CIS. Note: The definition of the custom schema extension can be a retrieved from the CIS tenant with the URL https://<tenant_name>.accounts.ondemand.com/scim/Schemas/ |  |
| 6.17 | Select "Expression" for Mapping type. The Entra attribute "onPremisesUserPrincipalName" added in step 6.13 has the format "<Windows user name>@<Kerberos realm name>". The SAP login name should be equal to the Windows user name that can be considered unique across all users in the organization. The following expression extracts the Windows user name from the "onPremisesUserPrincipalName" and converts it to upper case for the SAP login name: ToUpper(Item(Split([onPremisesUserPrincipalName], "@"), 1), ) Enter this string for the Expression. As the Target attribute, select "urn:sap:cloud:scim:schemas: extension:custom:2.0:User:attributes:customAttribute1" from the list. Click Ok. |  |
| 6.18 | Click Add New Mapping to provision the user's SNC mapping using custom attribute 2 from the SCIM user schema extension in CIS. |  |
| 6.19 | Select "Expression" for Mapping type. The Entra attribute "onPremisesUserPrincipalName" added in step 6.13 contains the same value as the user's identifier in the Kerberos ticket issued by the DC when the user single signs-on in SAP GUI with SAP Secure Login Client. To map the Windows user to the SAP user in the backed system, the onPremisesUserPrincipalName must be prefixed with the string "p:" using the following expression with the Join function: Join("", "p:CN=", ToUpper([onPremisesUserPrincipalName], )) Enter this string for the Expression. As the Target attribute, select "urn:sap:cloud:scim:schemas: extension:custom:2.0:User:attributes:customAttribute2" from the list. Click Ok. |  |
| 6.20 | Click Save. Confirm the dialog with Yes. Navigate back to Identity -> Applications -> Enterprise Applications. |  |
| 6.21 | Navigate to Manage -> All applications. Enter the SAP CIS enterprise application's name in the search field (e.g. "SAP Cloud Identity Services (<tenant>)"). Select the enterprise application from the list. |  |
| 6.22 | Click Edit provisioning. |  |
| 6.23 | Expand the Settings section. Check that the Scope is set to "Sync only assigned users and groups". Turn the Provisioning Status from Off to On. |  |
Auto-assign users to the scenario groups with access packages
Access packages in Microsoft Entra ID Governance entitlement management can be used to automatically assign users to groups. In this scenario, the assignment to the "SAP User" and "M365 User" groups is based on the user's organizational attributes memberType, companyName and department.
| Step | Description | Screenshot |
| 7.1 | Navigate to Identity Governance -> Entitlement management. Select Access packages from the submenu. Click New access package. |  |
| 7.2 | Enter "M365" for the Name of the new access package, and provide a description. Click Next: Resource roles. |  |
| 7.3 | Click Groups and Teams. |  |
| 7.4 | Switch to the Groups tab and activate the checkbox for the "M365 User"group. Click Select. |  |
| 7.5 | Select "Member" from the Role drop-down list. Click Next: Requests. |  |
| 7.6 | Select None for the Users who can request access. Set Require approval to No. Set Email Notifications to No. Set Enable new requests to Yes. Click Lifecylce. |  |
| 7.7 | For this test lab setup, select Never for Access package assignment expire. Switch Users can request specific timeline to No. Set Require access reviews to No. Click Review + create. |  |
| 7.8 | Click Create. |  |
| 7.9 | Select Policies from the menu. Activate the checkbox for "Initial Policy". From the context menu ('...'), select Delete.
|  |
| 7.10 | Click Add auto-assignment policy. |  |
| 7.11 | Click Edit. |  |
| 7.12 | Enter the following values for the first configuration rule:
Click Add expression. |  |
| 7-13 | For the second rule enter the following values:
Click Save. |  |
| 7.14 | Switch to the Review tab. Click Create. |  |
| 7.15 | Click Identity Governance | Access packages from the breadcrumb navigation. |  |
| 7.16 | Click New access package. |  |
| 7.17 | Enter "SAP A4H" for the Name of the new access package, and provide a description. Click Next: Resource roles. |  |
| 7.18 | Click Groups and Teams. |  |
| 7.19 | Switch to the Groups tab and activate the checkbox for the "SAP User"group. Click Select. |  |
| 7.20 | Select "Member" from the Role drop-down list. Click Next: Requests. Apply steps 7.6 to 7.11 to the "SAP A4H" access package. |  |
| 7.21 | Enter the following values for the configuration rule of the access package's auto-assignment policy:
Click Save. |  |
| 7.22 | Click Create. |  |
Assign Microsoft 365 licenses to the M365 User group
With group-based licensing, users auto-assigned to the "M365 User" group with the "M365" access package created in the previous section will be assigned to the required Microsoft 365 license to use all AI and productivity apps.
| Step | Description | Screenshot |
| 8.1 | Sign in to the Microsoft 365 admin center as a License Administrator. Navigate to Billing -> Licenses. Select the Microsoft 365 E5 Developer license. Note: The license name is "Microsoft 365 E5" for a non-developer subscription. |  |
| 8.2 | On the Licenses page, select the Groups tab. Click + Assign Licenses. |  |
| 8.3 | Search for the "M365 User" group and select the group. Click Assign. |  |
Configure provisioning in IPS
To complete the setup of the scenario, provisioning in IPS must be configured to synchronize the users from the CIS tenant's Identity Directory to the SAP system on-premise. The corresponding source and target systems are imported with configuration files from the GitHub repository for this blog post series.
| Step | Description | Screenshot |
| 9.1 | Login to the Administration Console (https://<tenant>.accounts.ondemand.com/admin) of your CIS tenant. Go to Identity Provisioning -> Source Systems. |  |
| 9.2 | Click Add. |  |
| 9.3 | Click Browse... and open the file LocalDirectory.json from the GitHub repository. |  |
| 9.4 | Upon successful import, click Save. |  |
| 9.5 | Switch to the Jobs tab and click Schedule |  |
| 9.6 | Turn the Job Scheduler to On. Enter a time interval, e.g. 30 minutes for testing purposes. Click Save. |  |
| 9.7 | Go to Identity Provisioning -> Target Systems |  |
| 9.8 | Click Add. |  |
| 9.9 | Click Browse... and open the file SAPA4H_IPS.json from the GitHub repository. |  |
| 9.10 | Upon successful import. click Save. |  |
| 9.11 | Switch to the Transformation tab. Click on the JSON editor. |  |
| 9.12 | The lines marked in yellow show the mappings for SAP login name and SNC name added to the default configuration of a target system of type "SAP Application Server ABAP". The mappings extract the values from the custom SCIM attributes 1 and 2, and pass their values to the corresponding fields in the target system data structure.
|  |
| 9.13 | For a better understanding of the targetPath values in the mappings, run transaction SE37 in the ABAP system. Enter "BAPI_USER_CREATE1" in Function Module and click Display. |  |
| 9.14 | Go to More -> Function Module Documentation. |  |
| 9.15 | The documentation for the function module opens in a new window. Click SNC from the Parameters list. |  |
| 9.16 | The data structure and field names for SNC are shown, such as SNC-PNAME that is used in the transformation to map the incoming SCIM user custom attribute 2 to the SAP user's SNC name. |  |
| 9.17 | Note: The following steps 9.17 to 9.19 are optional. If you want to assign the provisioned users to roles in the SAP ABAP system, create an equally named group in the SAP CIS tenant. For the scenario test in the next section, we want to assign the user the SAP role SAP_BC_ABAP_DEVELOPER_5. In the SAP CIS Administration Console, go to Users & Authorizations -> Groups. Click Create. |  |
| 9.18 | Enter "SAP_BC_ABAP_DEVELOPER_5" as the Name and Display Name for the new group. Click Next Step, and again Next Step on the next screen. |  |
| 9.19 | Click Finish. |  |
Testing the scenario
Congratulations! You've completed the scenario setup and are now ready for testing with a new user for Susan Miller. In the course of provisioning Susan's account from AD to the SAP system, all intermediate steps in the Cloud will be inspected and troubleshooting techniques explored.
| Step | Description | Screenshot |
| 10.1 | On the DC host, launch Windows Administrative Tools -> Active Directory Users and Computer from the Start menu. |  |
| 10.2 | Expand the domain tree and right-click on Users. From the context menu, select New -> User. |  |
| 10.3 | Enter first and last name, for example "Susan Miller". As the User logon name, choose a unique value, for example "smiller". Click Next. |  |
| 10.4 | Enter a password. For testing purposes, disable to option that the user must change the password at next login. Click Next. |  |
| 10.5 | Click Finish. |  |
| 10.6 | The user has not yet configured any organizational properties which are required for the auto-assignment to the groups in Entra. Right-click on the new user object and select Properties from the context menu. |  |
| 10.7 | Switch to the Organization tab. Enter "Information Technology" in Department. Enter "BestRun Corp." in Company. Click OK. |  |
| 10.8 | Go back to the Microsoft Entra admin center. Go to Identity -> Hybrid management -> Microsoft Entra Connect. Select Cloud Sync from the navigation menu. |  |
| 10.9 | Check that the configuration status for your on-premise domain is healthy. Select Provisioning logs. |  |
| 10.10 | From the logs you can see two entries for the new user Susan Miller: The first one (Action Create) when the user was created, the second one (Action Update) when the organizational attributes were changed. |  |
| 10.11 | Verify that the new user has been assigned to the groups in Entra via the auto-assignment policies of the access packages. Navigate to Identity Governance -> Entitlement Management -> Access packages. Select the "M365" access package from the list. |  |
| 10.12 | Go to Assignments and check if the new user is listed. Note: It can take several minutes until the evaluation of the auto-assignment criteria are reflected in the access package assignments. |  |
| 10.13 | Repeat the previous step for the "SAP A4H" access package and wait until the assignment for the new user is delivered. |  |
| 10.14 | Navigate to Identity -> Applications -> Enterprise Applications. Select the enterprise application for your SAP CIS tenant from the list. From the menu go to Provisioning -> Provisioning Logs. In the search bar, enter the new user's name, for example "Susan". Check the log entries. The first one in the list shows a provisioning status "Skipped", and second has status "Success". Click on the first entry with status "Skipped". |  |
| 10.15 | From the description you can see that the user object was not (yet) assigned to the application. Based on the scope settings (see steps 6.4 and 6.23), only members of group "SAP User" are provisioned to SAP CIS. Since the user hasn't been auto-assigned to the group based on the missing department value at this time, the provisioning was skipped. On the next provisioning interval 40 minutes later, the auto-assignment occurred, and the user was now in scope for provisioning to CIS. |  |
| 10.16 | Move over to the SAP CIS administration console. Go to Users & Authorizations -> User Management. Search for the new user, e.g. by login name ("smiller"). |  |
| 10.17 | Check if the user has already been provisioned to the SAP system. Go to Identity Provisioning -> Provisioning Logs. |  |
| 10.18 | Check the Job Logs for the most recent entry of the Source System "LocalDirectory". Click on the log entry. |  |
| 10.19 | From the Statistics section, check that an Entity of type user has been created in (target) system SAPA4H. |  |
| 10.20 | Note: The following steps 10.20 to 10.23 are optional. If you want to test role provisioning for the SAP user, go to Users & Authorizations, select the SAP_BC_ABAP_DEVELOPER_5 group. In User Members, click Add. |  |
| 10.21 | Search for the new user (e.g. "Susan Miller") and click Add. |  |
| 10.22 | Go back to Identity Provisioning -> Source Systems, and select the LocalDirectory. Switch to the Jobs tab. To trigger an immediate provisioning of the new group membership, click Run Now for the Read Job. |  |
| 10.23 | Go to Identity Provisioning -> Provisioning Logs. Check for the most recent entry that for Entity group a new entry has been updated in (target) system SAPA4H. |  |
| 10.24 | Login to the SAP system as the administrator (e.g. user DEVELOPER if you are using the ABAP Developer trial Docker image). Run transaction SU01. Enter "SMILLER" in the User field and click Display. |  |
| 10.25 | Check if the Address fields are set correctly. Switch to the SNC tab. |  |
| 10.26 | Verify that the user's SNC name is correctly mapped according to the expression used in step 6.19 to create the string, and the transformation used in step 9.12 to set the value. |  |
| 10.27 | Optionally switch to the Roles tab if you ran steps 10.20 to 10.23 before and check if the role SAP_BC_ABAP_DEVELOPER_5 has been assigned successfully. |  |
| 10.28 | Login as the new user to AD from the domain-joined workstation. |  |
| 10.29 | Launch the SAP GUI and create a new connection to the SAP system. |  |
| 10.30 | For the Secure Network Settings, make sure to click the checkbox "Activate Secure Network Communication", and enter the correct SNC Name for your SAP system. If you are using the ABAP Developer trial Docker image, the value is "p:CN=A4H, OU=IDEMOSYSTEM, OU=SAP Web AS, O=SAP Trust Community, C=DE". |  |
| 10.31 | Double-click on the new entry. |  |
| 10.32 | Because this is the first login for the new user you are prompted to either reset the initial password, or deactivate it. Click on Delete to use SNC and Kerberos-based SSO. |  |
| 10.33 | You are single signed-on to the SAP system using SNC and Kerberos SSO. |  |
| 10.34 | Finally, also verify if the Microsoft 365 license has been successfully assigned to the new user. Open a browser and go to https://www.office.com. |  |
| 10.35 | Sign-in as the new user to the Entra ID tenant. |  |
| 10.36 | Click on Apps to see all office applications assigned to the user. |  |
Wow! This was a longer journey through an extensive user provisioning scenario across SAP's and Microsoft's on-premise and cloud platforms! Hope you enjoyed it and worth spending your time. Let me know your thoughts and any open questions in the comments.
15 Comments
