Technology Blogs by SAP
lyubomirlalev
Product and Topic Expert

You have an SAP Cloud Identity Services tenant and want to use the functionality of the Identity Provisioning service. For simplicity, we will refer to it as the Identity Provisioning (IPS) tenant.

You also have a set of different systems, from which you'd like to provision entities using the Identity Provisioning service.

Some of your systems are on-premise (like SAP Application Server ABAP, LDAP Server, Microsoft Active Directory, SAP S/4HANA On-Premise, SAP Enterprise Portal).

Have you wondered how the on-premise system can be used as a provisioning system in your IPS tenant?

This blog post will guide you through the needed configurations, so that IPS is able to provision from/to such an on-premise system.

The process is described on the following documentation page: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/connect-to-on-premise-syst...

We shall follow it with a concrete example: creating the configurations for a test IPS tenant in the Japan region.

 

Let’s start.

In short, here’s what’s ahead of us:

We need to make sure the on-premise system is exposed to the cloud via an SAP Cloud Connector. The Cloud Connector connects to an SAP BTP Cloud Foundry subaccount. The IPS tenant, once configured for on-premise connectivity, also works with this subaccount. This way, IPS communicates with the subaccount and the connected Cloud Connector, which in turn communicates with the on-premise system configured in it.


Prerequisites:

We have an SAP BTP Global Account.

We have also installed SAP Cloud Connector locally on a machine that is connected to our corporate network, so it can reach the on-premise systems within that network. For detailed steps on how to connect the Cloud Connector to the subaccount, please refer to the Cloud Connector documentation: https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/cloud-connector?version=Cloud

 

I) Create an SAP BTP Cloud Foundry subaccount, which will be connected with a Cloud Connector.

In a global account, we create a dedicated subaccount. We can reuse an existing one, too, but it must not already have another subscription of SAP Cloud Identity Services.


The subaccount should be in the same region as the IPS tenant. We can see the mappings between SAP Cloud Identity Infrastructure and Cloud Foundry regions from step 3 of the following documentation: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/connect-to-on-premise-syst...

In our case, the IPS tenant is in the Japan region. We can see this in the “Cloud Identity Services – Tenants” tool, available to every customer.


This corresponds to the Cloud Foundry region Japan (Tokyo) on AWS:


Now the subaccount is created in the Japan region.


II) Enable "Connectivity Plan" of SAP Cloud Identity Services.

In the subaccount created in the previous step, we navigate to “Entitlements” to add the plan in the entitlements of the subaccount (if not already present).

We select “Edit” -> “Add Service Plans”.

We check the “connectivity” service plan checkbox of “Cloud Identity Services”.


Then we select “Add 1 Service Plan” button and after that “Save” button.

It might take a few moments before the service plan entitlement is saved for the subaccount.


After that, we enable the plan:

(1) We navigate to “Services” -> “Instances and Subscriptions”.

(2) “Create” button.

(3) For service we select “Cloud Identity Services”.

(4) For “Plan” we select “connectivity”.

(5) “Next” button.


(6) We select the type of the plan - test or productive. In our case, it is “test”.

(7) “Next” button.


(8) At the end, we select the “Create” button.

Now the “connectivity plan” is enabled in the subaccount (it might take a few moments).


There is no need to select “Go to Application”. If several IPS tenants of the same type (test) exist in the same region, all of them are connected to this subaccount, so the button can only lead to one of them.

 

III) Connect and set up the Cloud Connector.

For detailed steps on how to connect the Cloud Connector to the subaccount, please refer to the Cloud Connector documentation: https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/managing-subaccounts


Now the Cloud Connector is available in the subaccount -> “Connectivity” -> “Cloud Connectors”.


From here on, we will define two on-premise systems of types SAP Application Server ABAP and LDAP Server, which will be used in the IPS tenant. First, we need to configure them in the Cloud Connector.

 

IV) Configure the SAP Application Server ABAP and LDAP Server systems in the Cloud Connector.

For detailed steps on how to configure the two types of systems in the Cloud Connector, please refer to the documentation pages of the Cloud Connector:

https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/configure-access-control-rfc

https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/configure-access-control-ldap

For the Application Server ABAP system, we also need to define the resources (the function modules) that IPS calls when executing requests against the system. We can use the “exact name” of each resource, or a “prefix” for resources whose names share one. The needed resources are described in the documentation of the corresponding source/target/proxy system: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/supported-systems?locale=e... From a least-privilege standpoint, prefer exact names and keep any prefix as narrow as possible: every function module matched by an enabled rule becomes callable from every IPS tenant that uses this subaccount.
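To see what the access-control rules actually expose, here is an added example (not code from the original post or from SAP) that audits the RFC resources of a system mapping. SAMPLE_MAPPINGS is constructed in the shape of system mappings plus their resources as the Cloud Connector configuration REST API returns them (id / enabled / exactMatchOnly); that shape, the field names and the REQUIRED_FMS allow-list are assumptions for illustration, not the documented IPS requirements.

```python
"""Audit the RFC function modules a Cloud Connector exposes for a subaccount.

Added example, not part of the original post. SAMPLE_MAPPINGS is constructed in
the shape of system mappings plus their resources as the Cloud Connector
configuration REST API returns them (id / enabled / exactMatchOnly); that shape,
the field names and the REQUIRED_FMS allow-list are assumptions, not the
documented IPS requirements.
"""
import json

# Constructed payload (assumption): one RFC mapping with four access-control
# rules and one LDAPS mapping without resources.
SAMPLE_MAPPINGS = json.loads("""
[
  {"virtualHost": "abap.virtual", "virtualPort": "sapgw00", "protocol": "RFC",
   "localHost": "s4hdev01.corp.internal", "localPort": "sapgw00",
   "resources": [
     {"id": "BAPI_USER_GET_DETAIL", "enabled": true,  "exactMatchOnly": true},
     {"id": "BAPI_USER_",           "enabled": true,  "exactMatchOnly": false},
     {"id": "RFC_",                 "enabled": true,  "exactMatchOnly": false},
     {"id": "SUSR_",                "enabled": false, "exactMatchOnly": false}
   ]},
  {"virtualHost": "ldap.virtual", "virtualPort": "636", "protocol": "LDAPS",
   "localHost": "dc01.corp.internal", "localPort": "636", "resources": []}
]
""")

# Illustrative allow-list; take the real one from the IPS documentation.
REQUIRED_FMS = ["BAPI_USER_GET_DETAIL", "BAPI_USER_GETLIST",
                "RFC_READ_TABLE", "ZIPS_CUSTOM_SYNC"]

BROAD_PREFIX_LEN = 8  # a prefix shorter than this opens up whole FM families


def resource_matches(resource, fm_name):
    """True if this access-control rule makes fm_name callable from the cloud."""
    if not resource.get("enabled", False):
        return False                      # disabled rules expose nothing
    if resource.get("exactMatchOnly", True):
        return resource["id"] == fm_name
    return fm_name.startswith(resource["id"])


def audit_rfc_mapping(mapping, required_fms, broad_prefix_len=BROAD_PREFIX_LEN):
    """Report prefix rules, overly broad prefixes and how each required
    function module is covered (exact rule, prefix rule, or not at all)."""
    resources = [r for r in mapping.get("resources", []) if r.get("enabled", False)]
    report = {"prefix_rules": [], "broad_prefixes": [],
              "covered_exact": [], "covered_by_prefix": [], "uncovered": []}
    for r in resources:
        if not r.get("exactMatchOnly", True):
            report["prefix_rules"].append(r["id"])
            if len(r["id"]) < broad_prefix_len:
                report["broad_prefixes"].append(r["id"])
    for fm in required_fms:
        if any(r.get("exactMatchOnly", True) and r["id"] == fm for r in resources):
            report["covered_exact"].append(fm)
        elif any(resource_matches(r, fm) for r in resources):
            report["covered_by_prefix"].append(fm)   # works, but wider than needed
        else:
            report["uncovered"].append(fm)           # IPS calls to this FM will fail
    return report


def audit_all(mappings, required_fms):
    """Audit every RFC system mapping; keyed by 'virtualHost:virtualPort'."""
    return {f"{m['virtualHost']}:{m['virtualPort']}": audit_rfc_mapping(m, required_fms)
            for m in mappings if m.get("protocol", "").upper() == "RFC"}


if __name__ == "__main__":
    for system, rep in audit_all(SAMPLE_MAPPINGS, REQUIRED_FMS).items():
        print(system)
        for key, values in rep.items():
            print(f"  {key:18} {values}")
```

On the sample, the audit shows the two outcomes worth acting on: the `RFC_` prefix is flagged as broad (it exposes every function module starting with `RFC_`, far more than IPS needs), and `ZIPS_CUSTOM_SYNC` is uncovered, which would surface later as a failed provisioning job rather than at configuration time. Modules covered only by a prefix are reported separately so they can be replaced by exact-name rules.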


Now the two systems are visible in the subaccount -> “Connectivity” -> “Cloud Connectors” by their virtual hosts:


V) For the SAP Application Server ABAP system, we need to create a destination in the SAP BTP Cloud Foundry subaccount.

(1) We navigate to the subaccount created earlier -> “Connectivity” -> “Destinations”.

(2) We select “Create Destination” button.

(3) For “Type” we select “RFC”.

(4) Next we provide the details for the SAP Application Server ABAP system, depending on whether we use Load Balancing Connections or Direct Connections, and save. For more information about the required properties in each case, please refer to the documentation for creating RFC destinations: https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/create-rfc-destinations


For the LDAP server and all other types of on-premise systems, we do not create a destination; instead, we define the connectivity details in the “Properties” tab of the provisioning system. The next step gives more details.

 

VI) In the IPS tenant, we create the provisioning systems.

Let’s see how to define two on-premise source systems of types SAP Application Server ABAP and LDAP Server.

a) SAP Application Server ABAP

We start creating a source system, select the type and provide a name.

The destination is mandatory. We choose the destination that we created in the previous step. Then we can save the provisioning system.


(It might take a few minutes for the destination to be visible in the IPS tenant.)

 

(Similar approach is valid when creating such a target or a proxy system. Some additional properties might be needed then, and the transformation would be different. You can refer to the IPS documentation of the corresponding system type for more details: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/supported-systems?locale=e...)

 

b) LDAP Server

We start creating a source system, select the type and provide a name. A destination cannot be selected. We define the connectivity details in “Properties” section of the provisioning system.


We add the mandatory properties one by one. The property “ldap.url” has the format “ldap://<virtual host>:<virtual port>”. Host and port are the virtual ones shown in the subaccount -> “Connectivity” -> “Cloud Connectors” from step IV above, not the internal host name of the LDAP server: the internal name is known only to the Cloud Connector and never has to leave the corporate network.
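The same mistake can be made in both places where connection details are typed cloud-side: the RFC destination from step V and the ldap.url property here. The following added example (not code from the original post or from SAP) cross-checks both against the virtual hosts a Cloud Connector exposes. MAPPINGS mirrors the subaccount's Connectivity -> Cloud Connectors view with assumed field names and invented values; the jco.client.* names are the JCo property names used by BTP RFC destinations, and the Type/ProxyType check relies on the destination's standard properties.

```python
"""Cross-check cloud-side connection values against the virtual hosts a Cloud
Connector exposes: the jco.client.* properties of the RFC destination (SAP
Application Server ABAP) and the ldap.url property (LDAP Server).

Added example, not part of the original post. MAPPINGS mirrors the subaccount's
Connectivity -> Cloud Connectors view with assumed field names and invented
values; jco.client.* are the JCo property names BTP RFC destinations use.
"""
from urllib.parse import urlsplit

MAPPINGS = [
    {"virtualHost": "abap.virtual", "virtualPort": "sapgw00", "protocol": "RFC",
     "localHost": "s4hdev01.corp.internal", "localPort": "sapgw00"},
    {"virtualHost": "ldap.virtual", "virtualPort": "636", "protocol": "LDAPS",
     "localHost": "dc01.corp.internal", "localPort": "636"},
]


def _find_mapping(host, mappings, protocols):
    """Mapping that exposes `host` as a virtual host with one of `protocols`."""
    host = (host or "").lower()
    for m in mappings:
        if m["virtualHost"].lower() == host and m["protocol"].upper() in protocols:
            return m
    return None


def _is_internal_host(host, mappings):
    """True if `host` is a backend host name: it must never appear cloud-side."""
    return any(m["localHost"].lower() == (host or "").lower() for m in mappings)


def check_rfc_destination(props, mappings):
    """Return problems with an RFC destination; [] means it is consistent."""
    problems = []
    if props.get("Type") != "RFC" or props.get("ProxyType") != "OnPremise":
        problems.append("Type must be RFC and ProxyType must be OnPremise")
    direct, balanced = "jco.client.ashost" in props, "jco.client.mshost" in props
    if direct == balanced:
        problems.append("set jco.client.ashost (direct) or jco.client.mshost "
                        "(load balancing), not both and not neither")
        return problems
    host = props["jco.client.ashost"] if direct else props["jco.client.mshost"]
    if _is_internal_host(host, mappings):
        problems.append(f"{host} is the backend's internal host name; use the virtual host")
    m = _find_mapping(host, mappings, ("RFC",))
    if m is None:
        problems.append(f"no RFC mapping exposes virtual host {host!r}")
        return problems
    if direct:
        sysnr, vport = props.get("jco.client.sysnr", ""), str(m["virtualPort"])
        # Direct connections use the virtual port sapgw<instance number>.
        if not sysnr:
            problems.append("jco.client.sysnr is required for a direct connection")
        elif vport.startswith("sapgw") and vport[5:] != sysnr:
            problems.append(f"jco.client.sysnr {sysnr} does not match virtual port {vport}")
    else:
        if "jco.client.msserv" not in props and "jco.client.r3name" not in props:
            problems.append("jco.client.msserv or jco.client.r3name is required for load balancing")
        if "jco.client.group" not in props:
            problems.append("jco.client.group is required for load balancing")
    for key in ("jco.client.client", "jco.client.user"):
        if not props.get(key):
            problems.append(f"{key} is missing")
    return problems


def build_ldap_url(virtual_host, virtual_port):
    """Compose ldap.url from the virtual host and port shown for the mapping."""
    return f"ldap://{virtual_host}:{virtual_port}"


def check_ldap_url(url, mappings):
    """Return problems with an ldap.url value; [] means it is consistent."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        problems.append(f"scheme must be ldap:// or ldaps://, got {parts.scheme!r}")
        return problems
    if parts.path or parts.query or parts.fragment:
        problems.append("ldap.url must contain only host and port")
    try:
        port = parts.port
    except ValueError:
        problems.append("port is not a number")
        return problems
    host = parts.hostname
    if _is_internal_host(host, mappings):
        problems.append(f"{host} is the backend's internal host name; use the virtual host")
    m = _find_mapping(host, mappings, ("LDAP", "LDAPS"))
    if m is None:
        problems.append(f"no LDAP/LDAPS mapping exposes virtual host {host!r}")
        return problems
    if port is None:
        problems.append(f"port is missing; the mapping's virtual port is {m['virtualPort']}")
    elif str(port) != str(m["virtualPort"]):
        problems.append(f"port {port} does not match the mapping's virtual port {m['virtualPort']}")
    return problems
```

Run `check_rfc_destination` on the property set you intend to save in step V and `check_ldap_url` on the ldap.url value before saving the provisioning system: a backend host name (`s4hdev01.corp.internal`, `dc01.corp.internal`) is reported as internal, a port or instance number that does not match the mapping's virtual port is reported, and a host that no mapping of the right protocol exposes is reported, which are the three errors that otherwise only show up as a failed job.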


(As for the ABAP system, the same approach applies when creating an LDAP target or proxy system, with some additional properties and a different transformation; see the IPS documentation of the corresponding system type for details: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/supported-systems?locale=e...)

 

We just saw that IPS lists available RFC destinations only for SAP Application Server ABAP provisioning systems. A destination of another type (e.g. HTTP or LDAP) defined in the subaccount will not be visible in the IPS tenant.

 

Finally, we define a target system and select the newly created source for it. After that we can execute a provisioning job for the source system.


There we go. We can now use the on-premise systems in the IPS tenant for our provisioning scenarios.

 

Note that as a result of the configurations above (steps I) - V)), ALL IPS tenants of the same type in the same region can use this same configuration. We don't need to configure another connectivity plan of the same type (test in our case) in another subaccount in the same region. The flip side is that every system mapping, access-control rule and destination in this subaccount is exposed to all of those tenants as well, so they should be kept as narrow as the tenants actually need.

For example, in another test IPS tenant in region Japan, we can see the same ABAP destination we created, available and ready to use.

We can also connect another Cloud Connector instance to the same subaccount, with different back-end systems defined in it. A Cloud Connector Location ID must be defined for every additional Cloud Connector connected to the subaccount. This way, different system administrators can manage the different Cloud Connectors and the back-end system configurations in them, while the IPS administrator of each IPS tenant selects the designated systems to use in it, even though the Cloud Connectors and the IPS tenants share one and the same Cloud Foundry subaccount.


Thank you for taking the time to read this blog post. Did you find it useful? You can share your thoughts and any questions you might have in the comments below.
