Hi yoganandamuthaiah

I've been having difficulties configuring this API in a freestyle application. I am studying this part and I followed the following steps:

Create a destination:
Creation of destination.

Obs: In "URL" is tentant of IAS is red and client on "User".



Add on routes of xs-app.json:

Add route



For testing, I included on ui5-local.yaml in fiori-tools-proxy:

Local proxy

After those steps i try to make a call by ajax:
Ajax Call

Results:
Call


Can you help me understand where I'm going wrong?

kcezar

Did you try to test with your credentials - IAS SCIM API through postman ? Did it work ? I am assuming you don't have Administrator role for your userid.

yoganandamuthaiah

Yes, I tried using the "Client ID" and the "Client Secret", in the postman works fine. And I have de Administrator role.

I see in your screenshot - you have updated with Basic Authentication but it must be OAuth if you're tested with Client ID and Client Secret

I tried this way, but I don't know where to find the Token url.

yoganandamuthaiah   I tried combine two more tutorials to consume IAS API by Destination Service.

Integrate the REST API via Destination Service:

https://help.sap.com/docs/CP_FORMS_BY_ADOBE/dcbea777ceb3411cb10500a1a392273e/051d651b628c496c86bd1d4...

In this tutorial, he creates a credential key for the instance created through the API.
Then create the application and use a destination service for the application in the MTA.

It declares that it is needed in the HTML module, and puts a destination route that will be created below.

After the application is deployed, it goes inside the destination service and creates the destination using the credentials created in the first step, giving the same name as the one placed in the route above.

IAS Instance and Key:

IAS Destination Service:

Destination route on xs-app.json:




Destination created inside of Destination Service:


Declare the proxy inside of  ui5-local.yaml to consume in the test locally.



Try to consume the service:




I create the IAS Instance Service watching the microlearning:

https://microlearning.opensap.com/media/Cloud+Identity+Services+Identity+Authentication+-+SAP+Busine...


I thank you in advance for your willingness to contribute to my technical growth and continuous improvement. In the scenario I mentioned above, I still can't consume the IAS API.

Hi kcezar

I am not sure on how you're integrating with using BTP Extensions..  Were you able to make a successful IAS SCIM API's through postman  ?? If yes, then it works the same way in BTP Destinations as well

I've never seen destination make direct requests, the postman examples are just for testing the APIs. All tutorials and documentation configure the domain in destination and in the AJAX call specify which entity and filters.

Hi Yogananda,

Thanks for sharing this information.

Do you know if the SCIM API be used to read the employee's manager from source systems such as Okta or Workday and update them on iAS user management?

Regards,

Subbu Iyer

subbu3189 Yes, you can make use of it.

Hi Yogananda,

We are trying to integrate Identity Provisioning (IPS) with Okta using SCIM to read users from Okta using the OAuth Client Credentials flow. Apparently, Okta requires a private_key_jwt authentication method for this integration which is not supported by IPS. I raised an incident with SAP and they confirmed that this scenario is not supported. So does it mean that we cannot use SCIM APIs with Okta from IPS?

 

Regards,

Subbu Iyer

Hi,

How does the automated email work with the above payload when trying to create a new user? I have set the active flag to true. But I do not receive any email from IAS to register my account. Could you please help me if I need to enter any other properties when passing the create payload?

 

thanks and Regards,

supreetha bhat

We are trying to incorporate this into some applications to perform inquiry, on-boarding, and  maintenance on users for several applications and services we have developed.

 

Even using https://<tenant>.accounts.ondemand.com/service/scim/Users/{userid}

tenant and userid are well known to us.

 

What group rights are needed to use the API?

 

We are always getting 401 - Not Authorized.

Even though using a User credentials that has rights to use the Admin Console for Cloud Identity Services that can maintain / lookup users or groups for our tenant configuration we are being blocked with User Not authorized via Try Out.

 

Hi Yoga,

Thanks for the detailed blog. Earlier version of SAP IAS API, We are able to update the password for the user using put service and making the user password as productive password.

 

I am not able to see any replacement of the password field in new SCIM API services. So what could be the reason.

So I have 2 questions with respect mass password reset for few users.

As I mentioned in earlier version, We are able to set the password of the user while creation or updating the user. How we will achieve in new one? we use to do with the help of collection runner in Postman.

 

{

    "userName": "",

    "id": "{{PID}}",

    "name": {

        "givenName": "tcs",

        "familyName": "performance.{{SID}}",

        "middleName": "performance.{{SID}}",

        "honorificPrefix": ""

    },

    "emails": [{

        "value": "performance.{{SID}}@tcs.com"

    }],

    "department": "",

    "password": "Welocme@1",

 

    "passwordStatus": "enabled", 

 

    "mailVerified": "true", 

 

}

What is the replacement of password in new IAS API.

https://help.sap.com/docs/identity-authentication/identity-authentication/migrating-identity-authent...

Password Attribute

Thanks and Regards

Zameer Ahamad

Hi siyer7 ,

 

We are also looking to do provisioning with Okta. Were you able to get this to work?

 

Thanks,

Lalitha

Hello Lalitha,

We did not go ahead with the solution because the Okta server needed the private_jwt authentication method with OAuth. We went back to provisioning from Azure AD after SAP released a new functionality to retrieve managers in Azure.

Regards,

Subbu Iyer

Hi Zameer,

 

I am facing similar issue with setting password for new users. Did you get any resolution for above issue?  Thanks for any pointers.

 

Regards,

Priyank

Hi mcc2

I have the same issue, did you manage to solve the problem ?

Many thanks !

Idriss

@yogananda ,

Are we able to use PATCH function to set the user's password using this new SCIM 2.0 API?

CC: @imancour , @priyankgaddala , @zameer0448 

Colleagues, here's an approach that worked for me (to change one user's password in IAS via SCIM 2.0 API):

STEP 1 - Obtain the user's SCIM ID.  Either find it via IAS directly, or run a GET function call from the /scim/Users object (filter on whatever attribute), or craft a more dynamic way preferably. 

 

STEP 2 - Build the PATCH function call to the /scim/Users/ object, with {id} on the end:

https://{tenant_id}.accounts.ondemand.com/scim/Users/xx916dc5-u1u2-4e94-9a92-1d48fb519999

STEP 3 - Run the PATCH call with this body:

{
   "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
      "Operations": [
      {
         "op": "replace",
         "path": "password",
         "value": "{new password goes here}"
      }
   ]
}

CC: @imancour , @priyankgaddala , @zameer0448 , @yogananda ,

Hi all,

was anyone able to set the password Status using the API?

Setting the password is working easy but then users (in this case it is about testusers) have an init password. For testuser purposes that is quite annoying.

Every time I try to set the passwordStatus by adding following to the request Body I get an error that passwordStatus is an invalid user attribute.

"password": "TestuserPW#!",
"passwordStatus": "enabled",

Same result with new attribute folowing Migrating Identity Authentication SCIM REST API to Identity Directory Service API | SAP Help Portal

"password": "TestuserPW#!",
"urn:ietf:params:scim:schemas:extension:sap:2.0:User.passwordDetails.status": "enabled",

Also tried it with patch but no luck.

Hope anyone came across that already.

Cheers,

Tim

 

@timsen ,

Yes, I had a difficult time changing the password status value, also.  It had a hard time navigating to the "status" attribute of the [passwordDetails] object. I needed the explicit full path.

Here is a PATCH body that worked for me, finally:

{
   "schemas": [
      "urn:ietf:params:scim:api:messages:2.0:PatchOp",
      "urn:ietf:params:scim:schemas:extension:sap:2.0:User"
      ],
   "Operations": [
      {
         "op": "replace",
         "path": "urn:ietf:params:scim:schemas:extension:sap:2.0:User:passwordDetails.status",
         "value": "enabled"
      }
   ]
}

 

Sorry, @timsen .

The difference between these was pretty minor!!

urn:ietf:params:scim:schemas:extension:sap:2.0:User.passwordDetails.status

urn:ietf:params:scim:schemas:extension:sap:2.0:User:passwordDetails.status

Hii @yogananda ,
Can you please let me know, if i can sync users across all sap services by using sap ips?
My end goal is to be able to create and manage users and groups for various sap services, since all services don't support scim, what i'm trying to achieve is using scim v2, create users in sap ips then provision users to the various sap services. Does that make sense?

Hello,

Can anyone please provide me how Json should look like to deactivate large number of the users in one request instead of going user by user in below example  PATCH request?

 

{
   "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
      "Operations": [
      {
         "op": "replace",
         "path": "active",
         "value": "false"
      }
   ]
}