Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
donka_dimitrova
Contributor
14,429

We announced today, September 15th, 2016 the release of  the SAP Cloud Platform Identity Provisioning - a new service in the SAP Cloud Platform family that will help companies to push their technology easier into the cloud


Most of the cloud-driven companies extend their existing IT infrastructure rather than starting from scratch. This is why they need a reliable identity and access management solution, capable to handle properly the identities and their authorizations across heterogeneous landscapes.


The new SAP Cloud Platform Identity Provisioning service (in short, Identity Provisioning) offers a comprehensive, low cost approach to identity lifecycle management in the cloud. This new service together with the already existing SAP Cloud Platform Identity Authentication service (formerly known as SAP Cloud Identity) offer an end-to-end solution for identity and access management as a service from SAP.



Now let us look into the supported scenarios and features with the first version of the Identity Provisioning service:


Provision on-premise users to cloud applications


Customers, who currently manage their identities using an on-premise user store, such as Microsoft Active Directory or the Central User Administration (CUA) of SAP Application Server ABAP, can use the Identity Provisioning service to provision their users into cloud applications, for example SAP Hybris Cloud for Customer.


Using policy-based authorization management


Once the identities are created into the cloud applications, the users will need also proper authorizations in order to use the business scenarios that are relevant for their role, department, location, etc. This is where the access policies feature of the Identity Provisioning service comes into play. It helps companies to define simple mappings between identity attributes and the authorization artifacts of the respective cloud business applications. A good example could be the mapping between Microsoft Active Directory groups and SAP Hybris Cloud for Customer roles. The access policies are considered during the provisioning process, and the authorizations of the individual user are determined and provisioned to the respective cloud applications.



Using a cloud user store


If the company is already using SAP SuccessFactors to manage employees, and if it is considered the central identity data store of the company, the SAP SuccessFactors system can be simply configured as a source system in the Identity Provisioning service. These settings will push the SAP SuccessFactors users into the relevant cloud application, along with their respective policy-based authorizations in case they have been configured accordingly.


There are two more scenarios supported when a cloud user store is used as a source and they are based on the integration between the Identity Provisioning service and the Identity Authentication service.


Easy consumer and partner provisioning


The first scenario concerns external users, for example, consumers and partners, that are easy to handle using the cloud user store of the Identity Authentication service. When the Identity Authentication service is configured as a source system in the Identity Provisioning service, it will be possible to provision existing or newly registered cloud users into the cloud applications relevant for them. For example, SAP JAM or even systems that simply support the System for Cross-domain Identity Management (SCIM) open standard.



Writing into the cloud user store


The other supported scenario that relates to the Identity Authentication service is the following: A company wants to integrate an existing on-premise authentication solution with a simple and low cost strong authentication service (two-factor authentication, risk-based authentication, etc.) or to introduce to the business users mobile single sign-on (SSO) as a service. This is necessary for companies in order to achieve better control over the authentication for the cloud business processes, and to keep the corporate security on a very high level while at the same time offering more flexibility to the business users to do their job. This scenario is possible because the integration with the Identity Authentication service allows also provisioning in the other direction, when the on-premise users are created into the cloud user store of the Identity Authentication service. This way companies will be able to manage an additional level of authentication security for cloud applications, such as SAP Hybris Cloud for Customer, and to offer to their business users simple and secure access to such cloud applications from anywhere and on any device, on a low and attractive service cost.


Flexible data transformations


Almost every system (SAP or non-SAP) comes with a unique data model design of its identity and authorization store. The mapping between the data models of a source and a target system is the key aspect of a provisioning solution. The new Identity Provisioning service offers flexible transformations management that allows companies to extend the default transformation settings provided by the service for every integrated source or target system. Using the transformation configurations, companies can configure different simple or complicated data transformation logic based on their business and security needs. For example, to filter the list with identities that have to be provisioned to SAP Hybris Cloud for Customer in the way that only users who have a certain group assigned as an attribute to get an identity created in the SAP Hybris Cloud for Customer.  


Comprehensive job scheduler


The frequency of the provisioning processes, that have to be performed on a regular basis, can be configured using the comprehensive job scheduler of the service. The operations related to the job management include activities like scheduling jobs, starting and stopping jobs, jobs monitoring, etc. The status of the jobs can be monitored using a Job Execution Log.



Where to find more information


More details about the currently integrated source and target systems as well as information on how to configure different scenarios can be found in the documentation of the SAP Cloud Platform Identity Provisioning solution.


Future direction


As part of the roadmap for the service, it is planned to integrate further with additional SAP solutions and also with non-SAP solutions important to our customers, for example, Microsoft Office 365, etc. The solution will also offer new features related to the identity management and provisioning  processes.



Using the SAP Cloud Platform Identity Provisioning service, companies best leverage existing corporate infrastructure while also benefiting from the agility, flexibility, and simplicity provided by the cloud.


See also the SAP Insider Article: End-to-end identity and access management in the Cloud (October 2016)
25 Comments

Hi,

This is very exciting news - the link within "Where to find more data" points back to this blog. Is there anywhere that tells us what connectors are available?

Thanks,

Ian

lambert-giese
Active Participant
0 Kudos

Donka,

thanks for this very useful post. Are there any interfaces that could be used to extend the product by customer-specific connectors? If so, could you provide links to relevant technical documentation?

Cheers, Lambert

donka_dimitrova
Contributor
0 Kudos
Hello Ian,

Thanks for the note! I just updated the link to the documentation (it was wrong): https://uacp2.hana.ondemand.com/viewer/#/f48e822d6d484fa5ade7dda78b64d9f5/Cloud/en-US/f2b2df8a273642...

Regards,
Donka Dimitrova
donka_dimitrova
Contributor
0 Kudos
Dear Lambert,

With the very first release of the service you can configure as a target system a SCIM-enabled solution.
You simply configure such target system and there will be a default transformation (SCIM) available out-of-the-box. You will be able to extend it with some additional conditions to fit your corporate scenarios.
Verys soon I will post step-by-step guide how to do this end-to-end including the destination configurations necessary in the SAP HANA Cloud Platform account.
In the meantime you can check the solution documentation here https://uacp2.hana.ondemand.com/viewer/#/f48e822d6d484fa5ade7dda78b64d9f5/Cloud/en-US/f2b2df8a273642...
Regards,
Donka
Sachin_Singh
Discoverer
0 Kudos
Donka - This is great news. Is there a way for partners to get access to a sandbox tenant to try out the solution?

Cheers!
Sachin
donka_dimitrova
Contributor
Hello Sachin,

We are currently working on the trial concept for the solution and we will post a note in this blog or in a new blog to inform the community for the options.

Regards,
Donka
milan_sadil
Explorer
0 Kudos
A little bit off topic, but  would you be able to recommend the most recent on-premise IDP alternative for Single Sign-on for SAP Fiori on mobile devices? We currently implementing such a solution and need to prepare a system for IDP. From that what I have learnt until today, I suppose it is needed to install SAP NetWeaver AS Java and the federation software component archive (IDMFEDERATION<release>.sca). What is not clear for me is SAP NetWeaver version needed for the newest IDMFEDERATION<release>.sca from SAP Single Sign-on 3.0. In the Implemenation Guide named Identity Provider for SAP Single Sign-On and SAP Identity Management it is possible to get info that the host SAP NetWeaver Application Server (AS) Java must be of the following releases - AS Java 7.3 SPS 13 or later, AS Java 7.31 SPS 15 or later, AS Java 7.4 SPS 10 or later. Isn't there really a support for AS Java 7.5 yet?
ParagJain
Participant
0 Kudos
Hello Donka,

Great blog and a very useful service.

In the section "Easy consumer and partner provisioning", we have another use case. All partners will be created in Cloud Identity store and will need to be provisioned with right roles in an onprem SAP Gateway and ERP. Is this also supported.

Regards,

Parag.
donka_dimitrova
Contributor
0 Kudos
Hello Parag,

For the moment the SAP Application Server ABAP system is supported only as a source.

See the details in the table with supported source/target systems in the product documentation:

https://uacp2.hana.ondemand.com/viewer/f48e822d6d484fa5ade7dda78b64d9f5/Cloud/en-US/f2b2df8a273642a1...

Regards,

Donka Dimitrova
ParagJain
Participant
0 Kudos

Thank you. Is ABAP app server as a target planned in the product roadmap and any tentative timelines ?

Regards,

Parag.

Former Member
 

Hello Donka, I hope you are fine!

I would like help to better understand this identity platform, can you help me?

What is the difference between the SAP HANA Cloud Platform Identity Provisioning service and the SAP HANA Cloud Platform Identity Authentication service?

Is it necessary to implement both to manage users and not sap end-to-end?

Ariba, success, hcp, hci, on premise ... these are some of the scenarios that I need to implement.

Thank you in advance!
MSo
Product and Topic Expert
Product and Topic Expert
0 Kudos
Hi Thallita,

 

well the Identity Provisioning service is taking care of transerring users from source systems to target systems. Example: employees are usually being created in an HR system, but their user record needs to be propagated to an Active Directory and business systems. That's what IPS is doing in principle: copy users from A to B and thus ensuring a consistent user lifecycle across a system landscape. Of course IPS can to that with filtering, enriching records, conditional provisioning etc.

The Identity Authentication service takes care of authenticating users (= system where users log in) or it enables single sign-on by delegating authentication to a corporate user store. Thus IAS in principle takes care of logging users in to systems. After successful authentication it issues a so called SAML assertion and conveys some user information - via the browser - to the business system the user wants to access.

Thus for user management rather IPS is the right solution; for single sign-on IAS.

Best regards,
Marko
Former Member
0 Kudos
Can this replace SAP Identity and Access Management solution ?
Martina_Kirschenmann
Product and Topic Expert
Product and Topic Expert
0 Kudos
Hi Azim,

SAP Identity Management is an ideal user and role provisioning solution for organizations seeking to manage identities and authorizations for their on-premise applications. Customers that plan to extend their landscape into the cloud should consider SAP Cloud Platform Identity Provisioning.

I recommend to read the following SAPinsider article, that provides you with detailed information about SAP Identity and Access Management and for which scenarios our various products should be used:

Identity and Access Management in Cloud and Hybrid SAP Landscapes

Hope this helps.

Regards,

Martina
akash_miskin
Explorer
0 Kudos
Hello Donka,

 

Hope your doing well...

 

As you mentioned earlier, Can you share the URL for step by step guide/process document for IDP.

My scenario is to use S4HANA cloud system & On-premise ABAP system user store's for accessing an application which is deployed in SAP cloud platform account.

Awaiting for your reply...

 

Regards,

Akash Miskin
Martina_Kirschenmann
Product and Topic Expert
Product and Topic Expert
0 Kudos
Hello Akash,

for authentication of users you could use the SAP Cloud Platform Identity Authentication service.

With SAP Cloud Platform Authentication, users can be authenticated with their corporate credentials from the corporate user store. See the blog How to Connect Your Cloud Applications with Your Corporate User Store and the documentation.

Regards,

Martina
akash_miskin
Explorer
0 Kudos
Thanks for the reply Martina...

The blog you shared above refers to the configuration/integration of corporate user store with SAP Cloud connector.

My scenario is to integrate the our MS ADFS 2.0 corporate user store as a Identity provider in IAS without SAP cloud connector with Identity authentication admin console. Is this scenario works. If yes can you please share any blog or step by step how to document.

Regards,

Akash M
akash_miskin
Explorer
0 Kudos
Thanks for the reply Martina…

The blog you shared above refers to the configuration/integration of corporate user store with SAP Cloud connector.

My scenario is to integrate the our MS ADFS 2.0 corporate user store as a Identity provider in IAS without SAP cloud connector with Identity authentication admin console. Is this scenario works. If yes can you please share any blog or step by step how to document.

Regards,

Akash M

 
MSo
Product and Topic Expert
Product and Topic Expert
0 Kudos
Hi Akash,

as alternative you may use the IdP proxy flow via the SAML standard to delegate authentication fo ADFS.
This can be configured as follows:

The SP initiated authentication will then work as follows:

  • user will call SP URL

  • SP redirects to IAS

  • IAS looks up the configu for that SP and redirects to ADFS

  • if user does not yet have a session in ADFS it will display login screen and after successful authentication issue SAML assertion to IAS

  • IAS will forward the asssertion to SP.


BR, Marko
fralarsen
Participant
0 Kudos
Hi,

I see several experts following this post and really hope to find the right path to implement solution to the functionality that I'm working on now.

We are a 3rd party Identity and Access Management provider company and currently working on integrating SAP Cloud Solutions, C4C to start with and later Concur and Ariba. I believe, it would be an ideal solution to integrate with Identity Provisioning service to achieve this functionality as it would provide a more generic approach rather than connecting to each single system separately.

Reading through the documentation, I find the 'Proxy System' or the hybrid scenario would suit my case. It looks like it is currently enabled only for SAP-IDM. However, there are several other videos which do claim to connect to 3rd party systems.

I have registered for the trial version of Cockpit and enabled the Identity Provisioning Service. But, I couldn't find the possibility to configure a proxy system. I only see  the option to select the Source from the drop down list.

It would be nice if any of the experts can guide on how this can be achieved, if at all. And also share any info or links which describes the hybrid or 'Proxy system' scenario in detail and whether this can be achieved using the trial version or do we need an actual subscription. Also would like to know if there are any additional options as we are part of SAP Partner Edge program.
akash_miskin
Explorer
0 Kudos
Hello Marko,

 

Thanks for information..

 

We are successfully able to integrate our MS ADFS Corporate user as an IdP for an application.

Now we are able to authenticate application with our corporate credentials and IdP initiated SSO is also working fine.

 

Regards,

Akash Miskin
Martina_Kirschenmann
Product and Topic Expert
Product and Topic Expert
0 Kudos
Hi Naresh,

to use the proxy mode, you need to create a ticket (incident) with request to get that access.

Details see here: https://help.sap.com/viewer/f48e822d6d484fa5ade7dda78b64d9f5/Cloud/en-US/6fa419a1901a464ea7dd214bcf4....

Regards,

Martina
fralarsen
Participant
0 Kudos
Hi Martina,

Thanks for the response. I have created the ticket already for my trial account before posting the question here, but I guess, this 'proxy' feature is only available for 'Productive Use'. We have now subscribed for the productive SAP Cloud Platform account and hope I can access the IdP service with additional options.

Have you worked on the Hybrid scenario ? Can you share your knowledge on it as I find very limited info regarding it.

 

BR,

Naresh
Martina_Kirschenmann
Product and Topic Expert
Product and Topic Expert
0 Kudos
Hi Naresh,

unfortunately, I have no experience working with the hybrid scenario. I am only aware of the documentation stated above.

Another option is SCIM, which is documented here:

https://help.sap.com/viewer/f48e822d6d484fa5ade7dda78b64d9f5/Cloud/en-US/04278923ec8b4b34ac912897062....

Regards,

Martina

 
0 Kudos
Hi,

We have a senario, where the customer has NW SSO and SAP IDM (on-premise). Now the customer wants to connect to success factors and also he wanted to move the identity management to cloud and use the SAP Cloud Identity authentication and SAP Cloud provisioning service, and manage the ABAP and JAVA systems (that are on premise) and also the success factors.. Can this be possible ?.  Can you provide any blog that shows on, how to migrate the on-premise IDM to cloud identity/provisioning service

Its like a hybrid model (on-premise and cloud systems), but the customer wants to use the Cloud Identity servies and manage both.

 

Thanks

Siva