Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
ivelinakiryakov
Product and Topic Expert
Product and Topic Expert
1,487

SAP Cloud Identity Services consolidated the documentation for Identity Authentication, Identity Provisioning, Identity Directory and Authorization Management. They now come under one product name, on a unified SAP Help Portal page, accessible through a single link.

The integration of Identity Provisioning functionality into the SAP Cloud Identity Services administration console, formerly known as the Identity Authentication admin console, has streamlined the process.

What’s been changed?

  • Identity Authentication product documentation has been rebranded as SAP Cloud Identity Services. With this change, SAP Cloud Identity Services now becomes the home of Identity Provisioning features for the Cloud Identity Services infrastructure, joining the already existing Identity Directory and Authorization Management.
  • The product documentation for Identity Provisioning has been rebranded as Identity Provisioning Service in the Neo Environment. It will only cover features for the Neo environment until its deprecation (as previously announced).
  • You can find the release notes for Identity Authentication, Identity Provisioning, Identity Directory and Authorization Management under the single component Cloud Identity Services by following this link. If there are new features for IPS in the Neo environment, they can still be found under Identity Provisioning component for Neo at this link.

What does this mean for you?

  • Unified Access – You get all the information you need in one single guide. No more switching between product documentations. It comes as little surprise that Identity Authentication ranked among the most frequently searched and visited topics within the Identity Provisioning documentation.
  • No URL Changes – You access the Cloud Identity Services documentation from the same URL you used to access the Identity Authentication one. You access the Identity Provisioning Service in the Neo Environment documentation from the same URL you used to access the Identity Provisioning documentation.
  • Simplicity – We believe reading and navigating through the Identity Provisioning content has become easier now that we have separated and placed the documentation relevant to each specific infrastructure or environment.

Bookmarked URLs of topics relevant for Cloud Identity infrastructure will redirect you to the common documentation.

Here are some examples of what you can find where:

 

FeatureSAP Cloud Identity ServicesIPS in the Neo Environment
Jobs

Read Provisioning Job

Resync Provisioning Job

Simulate Provisioning Jobs

Validate Provisioning Jobs

Run Provisioning Jobs via API

Only read and resync jobs are supported.

 

Read Provisioning Jobs

Resync Provisioning Jobs

LogsMonitor Real-Time Logs

Real-time logs are not supported.

Transformations

Working with Graphical Editor 

Manage Transformations History

Graphical editor and managing transformation history are not supported.

ConnectorsLocal Identity Directory

Local Identity Directory connector is not supported.

MigrationNot applicableMigrate Identity Provisioning Bundle Tenant
  • Consistent structure - The documentation of SAP Cloud Identity Services and Identity Provisioning follow the same service guide template. You can easily identify IPS-related concepts and supported systems (connectors), operations and logs in the common documentation:

 

ivelinakiryakov_5-1712824531944.png

 

ivelinakiryakov_6-1712824552755.png

 

ivelinakiryakov_0-1712825276265.png

 

ivelinakiryakov_0-1712825600868.png

 

We believe the newly released documentation will be easy to navigate, familiar, and consistent for you. If anything appears unclear, please do reach out. In the never-ending quest for quality, there is always room for improvement.

 

 

4 Comments
tskwin
Participant
0 Kudos

Hi @ivelinakiryakov 

Thank you for this blog post.

I still don't  understand the scenario where, for example, users are deleted in the source system but don't want to delete those users in the target system. How should that be handled?

My second question is: Will the exact same users be deleted in the target system that were deleted in the source system?

Thank you very much

Best Regards

viacheslav1987
Explorer
0 Kudos

Dear @ivelinakiryakov,

I am working on getting more details and understanding of SAP Cloud Identity Services through implementing cases focused on the integration of SAP Cloud Identity Services with local or customer identity providers, such as AD, ADFS, or local LDAP.

Currently, I would like to set the connection to SAP ALM for users who belong to a local identity provider. We have many people who would like to work in ALM but I don't want to create manually the account for each user. The best is the user can login in ALM with the password of local identity provider and if the user belongs to the specific group in local Idp, then it should get a basic rights in ALM tenant. Specifically and most interesting, I am aiming to configure a scenario where users can log in to SAP ALM using their local identity provider passwords. From my understanding, there are three possible approaches:

  1. User provisioning operates in real-time, creating users upon their first connection to ALM. However, it appears that there is no target application related to ALM within IPS documentation.

  2. User provisioning operates in real-time, where the user is first created in IAS, with provisioning configured so that both source and target are set as IAS. A specific group can then be assigned to the user in IAS based on their group membership in the local identity provider. Using AD as a source in IPS is not good for us because we don't want to synch all AD users with IAS. *but may be we can use group as a filter to restrict the user list, however, AD as a source in IPS should be the last option if nothing else is available.

  3. Using the shadow user feature within the ALM tenant.

Questions:

  1. I have not found any documentation on configuring a scenario where a user can log in to a BTP application using the login and password from a local identity provider. Is there guidance on this setup?

  2. Which of the three integrations above do you think would be the most effective for this task?

Thank you in advance for your feedback.

ivelinakiryakov
Product and Topic Expert
Product and Topic Expert
0 Kudos

@tskwin 

Hi,

Deletion of entities in the target system is controlled by the ips.delete.existedbefore.entities = true property. Refer to the scenarios described in: Manage Deleted Entities | SAP Help Portal

Best regards,

Ivelina

ivelinakiryakov
Product and Topic Expert
Product and Topic Expert
0 Kudos

@viacheslav1987 

Hi Viacheslav,

I'm not sure I've encountered any documentation describing the end-to-end scenario, either. In general, those users are called business users. You need at least these high-level steps:

  1. Establish Trust and Federation Between SAP Authorization and Trust Management Service and SAP Cloud ...
  2. Map User Attributes from a Corporate Identity Provider for Business Users
  3. Configure Corporate Identity Providers
  4. Decide on Identity Federation

Apologies, but I'm not an expert, so I can't determine which scenario is more effective.

Best regards,

Ivelina