Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
yogananda
Dear All,

This article is mainly for partners and customers who want to automate the sync (on-boarding) of internal and external users to SAP IAS from their own external system or application, using the SCIM APIs listed below. I have listed all the examples so you can follow the complete flow.

The flow below shows how to automate user sync from any of your 3rd-party applications, so that once a user is on-boarded they get the appropriate access to SAP applications.


Note:

SAP Cloud Identity Services also offers standard user provisioning through SAP IPS (Identity Provisioning Service), which syncs users with SCIM 2.0.


The IAS SCIM REST API lets developers create and manage users, groups and custom schemas in the cloud.

For more information, see the latest SCIM API documentation: Identity Directory SCIM REST API. The identity directory provides a System for Cross-domain Identity Management (SCIM) 2.0 REST API for managing resources (users, groups and custom schema).

The API documentation for SAP IAS is available under SAP Cloud Identity Services.

Getting Started


Read Users

 

###  https://api.sap.com/api/IdDS_SCIM/resource Identity Directory Service

GET https://<iastenant>.accounts.ondemand.com/scim/Users
Content-Type: application/scim+json
Authorization: Basic @{{token}}

 

This lets you compare the two results: the deprecated API endpoint versus the latest API endpoint.


Filter Method

 

#### Filter on userName 

GET https://<iastenant>.accounts.ondemand.com/scim/Users?filter=userName eq "sapscaadmin@sap.com"

Authorization: Basic @{{token}}

 

Another example, filtering on a sub-attribute of a multi-valued JSON attribute:

 

#### Filter on emails.value

GET https://<iastenant>.accounts.ondemand.com/scim/Users?filter=emails.value eq "sapscaadmin@sap.com"

Authorization: Basic @{{token}}

 


Another example, paging through users with a start index and a count:

 

###  https://api.sap.com/api/IdDS_SCIM/resource Identity Directory Service

GET https://<iastenant>.accounts.ondemand.com/scim/Users?startIndex=2&count=5

Content-Type: application/scim+json

Authorization: Basic @{{token}}
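As an added example (not part of the original post), here is Python that builds the two kinds of read request shown above: a filter with the caller's value safely quoted, and a loop that pages through `startIndex`/`count` until `totalResults` is reached. The tenant host, the client id/secret and the sample directory are constructed placeholders, and `fake_fetch_page` stands in for the real GET so the code runs offline; point `iter_all_users` at a function that performs the real request to use it against a tenant.

```python
"""Filter quoting and startIndex/count paging for GET /scim/Users.
Added example; the host, credentials and directory below are constructed."""
import base64
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import urlencode

IAS_HOST = "example-tenant.accounts.ondemand.com"  # placeholder, not a real tenant
USERS_URL = f"https://{IAS_HOST}/scim/Users"
SCIM_OPS = {"eq", "ne", "co", "sw", "ew"}


def basic_auth_headers(client_id: str, client_secret: str) -> Dict[str, str]:
    """Headers for the Identity Directory SCIM API with a technical user's
    client id and secret; the secret should come from a vault or env var."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {token}",
            "Content-Type": "application/scim+json"}


def scim_filter(attribute: str, value: str, op: str = "eq") -> str:
    """Build `attribute op "value"` with the value safely quoted.

    RFC 7644 string values in filters are double-quoted, so a value taken
    from user input that contains '"' or '\\' could otherwise rewrite the
    expression (e.g. append ` or active eq true`); escape both first.
    """
    if op not in SCIM_OPS:
        raise ValueError(f"unsupported SCIM operator: {op}")
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{attribute} {op} "{escaped}"'


def users_query_url(flt: Optional[str] = None, start_index: int = 1,
                    count: int = 100) -> str:
    """URL for one page, with the filter percent-encoded (spaces and quotes
    are not valid raw URL characters)."""
    params: Dict[str, object] = {"startIndex": start_index, "count": count}
    if flt:
        params["filter"] = flt
    return f"{USERS_URL}?{urlencode(params)}"


def iter_all_users(fetch_page: Callable[[int, int], dict],
                   page_size: int = 100) -> Iterator[dict]:
    """Walk a SCIM ListResponse.  startIndex is 1-based and a server may
    return fewer items than `count`, so advance by what actually came back
    and stop once totalResults is reached (or a page comes back empty)."""
    start = 1
    while True:
        page = fetch_page(start, page_size)
        resources: List[dict] = page.get("Resources", [])
        yield from resources
        if not resources or start + len(resources) > page.get("totalResults", 0):
            return
        start += len(resources)


# Constructed sample directory standing in for the tenant's users.
SAMPLE_USERS = [
    {"id": f"00000000-0000-4000-8000-00000000000{i}", "userName": f"user{i}",
     "emails": [{"primary": True, "value": f"user{i}@example.com"}]}
    for i in range(7)
]


def fake_fetch_page(start_index: int, count: int) -> dict:
    """Offline stand-in for GET /scim/Users?startIndex=..&count=.. that
    returns a ListResponse shaped like the real one."""
    chunk = SAMPLE_USERS[start_index - 1:start_index - 1 + count]
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
            "totalResults": len(SAMPLE_USERS), "startIndex": start_index,
            "itemsPerPage": len(chunk), "Resources": chunk}


def all_user_names(page_size: int = 5) -> List[str]:
    """Collect every userName, exercising the paging loop across 7 users."""
    return [u["userName"] for u in iter_all_users(fake_fetch_page, page_size)]
```

`scim_filter` is the piece worth keeping even if you use another HTTP stack: when the filter value comes from a web form or an upstream feed, the quoting is what stops a crafted value from widening the query.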

 


Create User

 

###

POST https://<iastenant>.accounts.ondemand.com/scim/Users
Content-Type: application/scim+json
Authorization: Basic @{{token}}

{
  "emails": [
    {
      "primary": true,
      "value": "abc@domain.com"
    }
  ],
  "active": true,
  "name": {
    "familyName": "Muthaiah",
    "givenName": "Yogananda"
  },
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "userName": "yoga"
}

 


Delete a User

 

#### Delete the user

DELETE https://<iastenant>.accounts.ondemand.com/scim/Users/280b8446-7ce2-4a91-b6a0-18777d1ffea2
Authorization: Basic @{{token}}

The id at the end of the path is the user's GUID (the `id` attribute returned when you read or create the user).

 


Read Groups

 

###

GET https://<iastenant>.accounts.ondemand.com/scim/Groups

Content-Type: application/scim+json

Authorization: Basic @{{token}}

 


Create Groups

 

###
POST https://<iastenant>.accounts.ondemand.com/scim/Groups
Content-Type: application/scim+json
Authorization: Basic @{{token}}

{
  "displayName": "New group name",
  "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group",
        "urn:sap:cloud:scim:schemas:extension:custom:2.0:Group"
      ]
}

 


Assign Group to a User

 

###
PATCH https://<iastenant>.accounts.ondemand.com/scim/Groups/e26f6138-c382-4be5-addb-459186030f6e
Content-Type: application/scim+json
Authorization: Basic @{{token}}

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "add",
      "path": "members",
      "value": [
        {
          "display": "yoga",
          "value": "280b8446-7ce2-4a91-b6a0-18777d1ffea2"
        }
      ]
    }
  ]
}
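The onboarding flow the post describes (look up by userName, POST /Users, POST /Groups, PATCH the group's members, DELETE /Users/{id}) as one added Python example, not the post's own code. `FakeIas` is a constructed in-memory stand-in for the tenant whose response shapes are modelled on the requests above; any object with the same `request(method, path, params, body)` signature that performs the real HTTP call can be passed to `Onboarder` instead. It adds one check the post does not show: the user is looked up before creation, so re-running the sync from your external system does not create duplicates, and the GUID used for the group membership is the one the directory actually returned.

```python
"""Onboarding sequence against an in-memory stand-in for the IAS SCIM endpoint.
Added example; FakeIas and the sample names are constructed, not real data."""
import uuid
from typing import Dict, Optional, Tuple

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class FakeIas:
    """Stand-in for https://<iastenant>.accounts.ondemand.com/scim (constructed);
    only the response shapes this example needs are modelled."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}
        self.groups: Dict[str, dict] = {}

    def request(self, method: str, path: str, params: dict = None,
                body: dict = None) -> Tuple[int, dict]:
        if method == "GET" and path == "/Users":
            flt = (params or {}).get("filter", "")
            hits = [u for u in self.users.values()
                    if flt in ("", f'userName eq "{u["userName"]}"')]
            return 200, {"totalResults": len(hits), "Resources": hits}
        if method == "POST" and path == "/Users":
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return 409, {"detail": "userName already exists"}
            user = dict(body, id=str(uuid.uuid4()))
            self.users[user["id"]] = user
            return 201, user
        if method == "POST" and path == "/Groups":
            group = dict(body, id=str(uuid.uuid4()), members=[])
            self.groups[group["id"]] = group
            return 201, group
        if method == "PATCH" and path.startswith("/Groups/"):
            group = self.groups.get(path.rsplit("/", 1)[1])
            if group is None:
                return 404, {"detail": "group not found"}
            for op in body["Operations"]:
                if op["op"] == "add" and op["path"] == "members":
                    for member in op["value"]:
                        if member["value"] not in self.users:  # must be a user GUID
                            return 400, {"detail": "member value is not a user id"}
                        if all(m["value"] != member["value"] for m in group["members"]):
                            group["members"].append(member)
            return 200, group
        if method == "DELETE" and path.startswith("/Users/"):
            gone = self.users.pop(path.rsplit("/", 1)[1], None)
            return (204, {}) if gone else (404, {"detail": "user not found"})
        return 405, {"detail": "not modelled"}


class Onboarder:
    """Create-or-reuse a user, then add it to a group by its GUID."""

    def __init__(self, transport) -> None:
        self.t = transport

    def find_user(self, user_name: str) -> Optional[dict]:
        # user_name is assumed to come from our own trusted feed, so it is not re-quoted here
        status, page = self.t.request("GET", "/Users",
                                      params={"filter": f'userName eq "{user_name}"'})
        if status != 200:
            raise RuntimeError(f"lookup failed: {status} {page}")
        return page["Resources"][0] if page["totalResults"] else None

    def ensure_user(self, user_name: str, email: str, given: str, family: str) -> dict:
        existing = self.find_user(user_name)
        if existing is not None:
            return existing  # re-running onboarding must not create a duplicate
        status, user = self.t.request("POST", "/Users", body={
            "schemas": [USER_SCHEMA], "userName": user_name,
            "active": True,  # JSON boolean, as the SCIM core schema defines it
            "name": {"givenName": given, "familyName": family},
            "emails": [{"primary": True, "value": email}]})
        if status != 201:
            raise RuntimeError(f"create failed: {status} {user}")
        return user

    def add_to_group(self, group_id: str, user: dict) -> dict:
        status, group = self.t.request("PATCH", f"/Groups/{group_id}", body={
            "schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "add", "path": "members",
                            "value": [{"display": user["userName"], "value": user["id"]}]}]})
        if status != 200:
            raise RuntimeError(f"group patch failed: {status} {group}")
        return group


def demo() -> Tuple[int, int]:
    """Onboard the same person twice; expect one user and one membership."""
    ias = FakeIas()
    onboarder = Onboarder(ias)
    _, group = ias.request("POST", "/Groups",
                           body={"schemas": [GROUP_SCHEMA], "displayName": "New group name"})
    for _ in range(2):
        user = onboarder.ensure_user("yoga", "abc@domain.com", "Yogananda", "Muthaiah")
        onboarder.add_to_group(group["id"], user)
    return len(ias.users), len(ias.groups[group["id"]]["members"])
```

`demo()` returns `(1, 1)`: the second run finds the existing user and the PATCH is a no-op, which is the behaviour you want from a sync job that may be retried.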

 

26 Comments
kcezar
Explorer

Hi yoganandamuthaiah

I've been having difficulties configuring this API in a freestyle application. I am studying this part and I followed the following steps:

Create a destination:
Creation of destination.

Obs: In "URL" is tenant of IAS is red and client on "User".



Add on routes of xs-app.json:

Add route



For testing, I included on ui5-local.yaml in fiori-tools-proxy:

Local proxy

After those steps i try to make a call by ajax:
Ajax Call

Results:
Call


Can you help me understand where I'm going wrong?

yogananda
Product and Topic Expert
Product and Topic Expert
kcezar

Did you try to test with your credentials - IAS SCIM API through postman ? Did it work ? I am assuming you don't have Administrator role for your userid.
kcezar
Explorer
yoganandamuthaiah

Yes, I tried using the "Client ID" and the "Client Secret"; in Postman it works fine. And I have the Administrator role.
yogananda
Product and Topic Expert
Product and Topic Expert
I see in your screenshot that you have set Basic Authentication, but it must be OAuth if you tested with Client ID and Client Secret.
kcezar
Explorer

I tried this way, but I don't know where to find the Token url.

kcezar
Explorer
yoganandamuthaiah   I tried combining two more tutorials to consume the IAS API via the Destination Service.

Integrate the REST API via Destination Service:


https://help.sap.com/docs/CP_FORMS_BY_ADOBE/dcbea777ceb3411cb10500a1a392273e/051d651b628c496c86bd1d4...

In this tutorial, he creates a credential key for the instance created through the API.
Then create the application and use a destination service for the application in the MTA.

It declares that it is needed in the HTML module, and puts a destination route that will be created below.


After the application is deployed, it goes inside the destination service and creates the destination using the credentials created in the first step, giving the same name as the one placed in the route above.

IAS Instance and Key:

IAS Destination Service:

Destination route on xs-app.json:




Destination created inside of Destination Service:


Declare the proxy inside of  ui5-local.yaml to consume in the test locally.



Try to consume the service:




I create the IAS Instance Service watching the microlearning:

https://microlearning.opensap.com/media/Cloud+Identity+Services+Identity+Authentication+-+SAP+Busine...


I thank you in advance for your willingness to contribute to my technical growth and continuous improvement. In the scenario I mentioned above, I still can't consume the IAS API.

yogananda
Product and Topic Expert
Product and Topic Expert
0 Kudos
Hi kcezar

I am not sure how you're integrating using BTP Extensions. Were you able to make successful IAS SCIM API calls through Postman? If yes, then it works the same way in BTP Destinations as well.
kcezar
Explorer
0 Kudos
I've never seen destination make direct requests, the postman examples are just for testing the APIs. All tutorials and documentation configure the domain in destination and in the AJAX call specify which entity and filters.
SubbuIyer
Participant
Hi Yogananda,

Thanks for sharing this information.

Do you know if the SCIM API can be used to read the employee's manager from source systems such as Okta or Workday and update them in IAS user management?

Regards,

Subbu Iyer
yogananda
Product and Topic Expert
Product and Topic Expert
0 Kudos
subbu3189 Yes, you can make use of it.
SubbuIyer
Participant
Hi Yogananda,

We are trying to integrate Identity Provisioning (IPS) with Okta using SCIM to read users from Okta using the OAuth Client Credentials flow. Apparently, Okta requires a private_key_jwt authentication method for this integration which is not supported by IPS. I raised an incident with SAP and they confirmed that this scenario is not supported. So does it mean that we cannot use SCIM APIs with Okta from IPS?

 

Regards,

Subbu Iyer
former_member758604
Discoverer
Hi,

How does the automated email work with the above payload when trying to create a new user? I have set the active flag to true. But I do not receive any email from IAS to register my account. Could you please help me if I need to enter any other properties when passing the create payload?

 

thanks and Regards,

supreetha bhat
yogananda
Product and Topic Expert
Product and Topic Expert
0 Kudos

supri53



This is related to SCIM APIs. You will have to trigger it from another API (IDS - Identity Directory Service) to send the email to the user.
mcc2
Explorer
0 Kudos

We are trying to incorporate this into some applications to perform inquiry, on-boarding, and  maintenance on users for several applications and services we have developed.

 

Even using https://<tenant>.accounts.ondemand.com/service/scim/Users/{userid}

tenant and userid are well known to us.

 

What group rights are needed to use the API?

 

We are always getting 401 - Not Authorized.

Even though using a User credentials that has rights to use the Admin Console for Cloud Identity Services that can maintain / lookup users or groups for our tenant configuration we are being blocked with User Not authorized via Try Out.

 

zameer0448
Participant
0 Kudos

Hi Yoga,

Thanks for the detailed blog. With the earlier version of the SAP IAS API we were able to update the password for a user using the PUT service and make the user's password a productive password.

I am not able to see any replacement for the password field in the new SCIM API services. So what could be the reason?

So I have 2 questions with respect to mass password reset for a few users.

As I mentioned, in the earlier version we were able to set the password of the user while creating or updating the user. How will we achieve this in the new one? We used to do it with the help of the collection runner in Postman.

 

{
    "userName": "",
    "id": "{{PID}}",
    "name": {
        "givenName": "tcs",
        "familyName": "performance.{{SID}}",
        "middleName": "performance.{{SID}}",
        "honorificPrefix": ""
    },
    "emails": [{
        "value": "performance.{{SID}}@tcs.com"
    }],
    "department": "",
    "password": "Welocme@1",
    "passwordStatus": "enabled",
    "mailVerified": "true"
}

What is the replacement for password in the new IAS API?

https://help.sap.com/docs/identity-authentication/identity-authentication/migrating-identity-authent...

Password Attribute

Thanks and Regards

Zameer Ahamad

lal_sap
Explorer
0 Kudos
Hi siyer7 ,

 

We are also looking to do provisioning with Okta. Were you able to get this to work?

 

Thanks,

Lalitha
SubbuIyer
Participant
0 Kudos
Hello Lalitha,

We did not go ahead with the solution because the Okta server needed the private_jwt authentication method with OAuth. We went back to provisioning from Azure AD after SAP released a new functionality to retrieve managers in Azure.

Regards,

Subbu Iyer
priyankgaddala
Explorer
Hi Zameer,

 

I am facing similar issue with setting password for new users. Did you get any resolution for above issue?  Thanks for any pointers.

 

Regards,

Priyank
imancour
Explorer
0 Kudos

Hi mcc2

I have the same issue, did you manage to solve the problem ?

Many thanks !

Idriss

MichaelBuonoGKN
Participant
0 Kudos

@yogananda ,

Are we able to use PATCH function to set the user's password using this new SCIM 2.0 API?

CC: @imancour , @priyankgaddala , @zameer0448 

MichaelBuonoGKN
Participant

Colleagues, here's an approach that worked for me (to change one user's password in IAS via SCIM 2.0 API):

STEP 1 - Obtain the user's SCIM ID.  Either find it via IAS directly, or run a GET function call from the /scim/Users object (filter on whatever attribute), or craft a more dynamic way preferably. 


 

STEP 2 - Build the PATCH function call to the /scim/Users/ object, with {id} on the end:

https://{tenant_id}.accounts.ondemand.com/scim/Users/xx916dc5-u1u2-4e94-9a92-1d48fb519999

STEP 3 - Run the PATCH call with this body:

{
   "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
      "Operations": [
      {
         "op": "replace",
         "path": "password",
         "value": "{new password goes here}"
      }
   ]
}

CC: @imancour , @priyankgaddala , @zameer0448 , @yogananda ,

timsen
Discoverer
0 Kudos

Hi all,

was anyone able to set the password Status using the API?

Setting the password works easily, but then the users (in this case test users) have an initial password. For test user purposes that is quite annoying.

Every time I try to set the passwordStatus by adding the following to the request body, I get an error that passwordStatus is an invalid user attribute.

"password": "TestuserPW#!",
"passwordStatus": "enabled",


Same result with the new attribute, following Migrating Identity Authentication SCIM REST API to Identity Directory Service API | SAP Help Portal:

"password": "TestuserPW#!",
"urn:ietf:params:scim:schemas:extension:sap:2.0:User.passwordDetails.status": "enabled",


Also tried it with patch but no luck.

Hope anyone came across that already.

Cheers,

Tim

 

MichaelBuonoGKN
Participant

@timsen ,

Yes, I had a difficult time changing the password status value, also.  It had a hard time navigating to the "status" attribute of the [passwordDetails] object. I needed the explicit full path.

Here is a PATCH body that worked for me, finally:

{
   "schemas": [
      "urn:ietf:params:scim:api:messages:2.0:PatchOp",
      "urn:ietf:params:scim:schemas:extension:sap:2.0:User"
      ],
   "Operations": [
      {
         "op": "replace",
         "path": "urn:ietf:params:scim:schemas:extension:sap:2.0:User:passwordDetails.status",
         "value": "enabled"
      }
   ]
}

 

MichaelBuonoGKN
Participant

Sorry, @timsen .

The difference between these was pretty minor!!

urn:ietf:params:scim:schemas:extension:sap:2.0:User.passwordDetails.status

urn:ietf:params:scim:schemas:extension:sap:2.0:User:passwordDetails.status
Prasad823
Newcomer
0 Kudos

Hii @yogananda ,
Can you please let me know if I can sync users across all SAP services by using SAP IPS?
My end goal is to be able to create and manage users and groups for various SAP services. Since not all services support SCIM, what I'm trying to achieve is: using SCIM v2, create users in SAP IPS, then provision the users to the various SAP services. Does that make sense?

lordofthering
Discoverer
0 Kudos

Hello,

Can anyone please show me how the JSON should look to deactivate a large number of users in one request, instead of going user by user with the PATCH request below?

 

{
   "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
   "Operations": [
      {
         "op": "replace",
         "path": "active",
         "value": false
      }
   ]
}