
IAS as central user management system

tskwin
Participant

Hello Experts,

If I understand correctly, it is recommended to use the IAS user store as the central user management system.

I have the following question for clarification:

I have configured Azure as the IdP and the IAS as a proxy. Using the IPS, the groups from Azure are provisioned to IAS. If I, for example, delete/modify a user in IAS, that user is re-provisioned to the IAS user store during the next IPS job. Or, for example, the users still existed as shadow users in the BTP subaccounts, even though they were deleted in Azure AD.

How is central user management in IAS configured?

Is this the recommended approach?

Many Thanks

Accepted Solutions (1)

Colt
Active Contributor

SAP Cloud Identity Services have emerged as the central approach for identity and access management (IAM) in SAP landscapes over the past few years. The key benefit of this strategy is the unification and simplification of user and rights management across all SAP applications. This is highlighted in the latest SAP CIO Guide on "Identity Lifecycle in SAP Landscapes," which focuses on consolidating IAM services.

Benefits of SAP Cloud Identity Services:

  • Centralized User Management: Many SAP applications and sub-accounts within the SAP Business Technology Platform (BTP) currently manage their own users, resulting in unnecessary complexity and increased administrative effort. With SAP Cloud Identity Services, centralized user management is enabled, eliminating this challenge.

  • Reduced Effort in Deploying New Applications: New applications and functionalities in SAP BTP require that the identity directory in SAP Cloud Identity Services includes all relevant users. Centralized management through this service significantly reduces the effort needed to manage user directories, as subsequent applications no longer require separate directories. For example, activating SAP Task Center becomes much simpler without the need for extensive IAM projects.

  • Future-Proof and Scalable: Many new SAP applications, such as SAP Joule and upcoming features, already rely on SAP Cloud Identity Services. These services form the backbone for future expansion and integration of new features into SAP landscapes. Without using SAP Cloud Identity Services, it would be much harder to benefit from new innovations and functionalities.

  • Strategic Alignment: SAP's strategy focuses on centralizing identity and access management and consolidating user administration. SAP Cloud Identity Services serve as the central IAM interface, simplifying not only integration and security but also allowing for easier and more consistent cross-vendor integrations, such as with Microsoft Entra ID.

  • Summary: SAP Cloud Identity Services offer a centralized and future-proof framework for integrating and managing identities across the entire SAP landscape. This reduces complexity and administrative burden, while also enabling companies to take advantage of future innovations without requiring extensive adjustments to existing systems.

To fully utilize new applications and functionalities within SAP BTP, it’s essential that the identity directory in SAP Cloud Identity Services contains all relevant users. SAP's long-term strategy aims to simplify this complexity using SAP Cloud Identity Services by centralizing user and group management, enabling remote administration of the entire SAP cloud landscape through APIs. For this functionality, the identity directory must be populated with all necessary users, making it easier to manage policies via the Authorization Management Service (AMS).

It is recommended to persist user profiles in the IAS and enable identity federation. Persisting user profiles in the Identity Directory (IdDS) is also essential for authorization in SAP applications. For new applications in the SAP Business Technology Platform (BTP), the UUID or SAP global User ID plays an increasingly important role (e.g., for the BTP Task Center).

While the initial setup of SAP Cloud Identity Services may involve additional effort for the first application, it greatly reduces the workload for subsequent applications since no additional application-specific user directories are required.

Conclusion:

  • SAP Cloud Identity Services act as the "single point of configuration and integration" for SAP applications with APIs to Microsoft Entra ID as the leading system.
  • Access to individual hybrid SAP applications is managed through groups and user memberships in Entra ID.
  • Synchronization of these groups and users is ensured via SAP Identity Provisioning Service (IPS) and SCIM to integrate them into SAP Cloud Identity (SCI), specifically into the Identity Directory (IdDS).
  • Entra ID (for example) continues to function in the background as the master controller for groups and the central source for user data, which is then enriched by SAP Cloud Identity Services.
    SO YOU WON'T MANAGE USERS MANUALLY IN IDDS BUT JUST IN ENTRA ID
  • The Identity Directory within SAP Cloud Identity Services centralizes user information and permissions, and Identity Provisioning enables the transfer of this information to business applications, ensuring synchronization of user attributes and permissions across systems.
  • SAP has developed a strategy where Cloud Identity Services are seen as the interface into the SAP world, with the goal of making integration with existing identity management as simple as possible.

Answers (1)

BhagyaVenkatesha
Explorer

Hi,

If you manually delete a user in IAS, the next IPS job will replicate the user to IAS. Once you configure Azure as a corporate IdP, you need to manage your users in Azure.

For the user delete scenario in Azure, you can add transformation logic to map the 'accountEnabled' flag from Azure to the 'Inactive' flag in IAS. However, the BTP shadow user will still exist.

Regards,

Bhagya
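The mapping described above, written out as an added example (it is not part of the thread and not SAP's shipped default transformation): an IPS read transformation for the Microsoft Entra ID source system that maps the Graph user attribute accountEnabled onto the SCIM attribute active, which is what the "Inactive" flag in the IAS user store reflects. The remaining attribute mappings and the optional flags are assumptions used to make the fragment complete; adjust them to your tenant's existing transformation.

```json
{
  "user": {
    "mappings": [
      { "sourcePath": "$.id", "targetPath": "$.id" },
      { "sourcePath": "$.userPrincipalName", "targetPath": "$.userName" },
      { "sourcePath": "$.givenName", "targetPath": "$.name.givenName", "optional": true },
      { "sourcePath": "$.surname", "targetPath": "$.name.familyName", "optional": true },
      { "sourcePath": "$.mail", "targetPath": "$.emails[0].value", "optional": true },
      {
        "sourcePath": "$.accountEnabled",
        "targetPath": "$.active"
      }
    ]
  }
}
```

With this in place a user that is disabled in Entra ID (accountEnabled = false) is written to IAS as active = false on the next IPS run, so the account can no longer authenticate through IAS, while the user record itself stays under Entra ID's control and is not silently recreated as an enabled account. As the answer notes, this only affects the IAS user store: the shadow user already created in a BTP subaccount is not removed by this mapping and still has to be handled separately.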

tskwin
Participant
Hi @BhagyaVenkatesha, Thank you very much for the response. Does this mean that if I have Azure as the IdP, I cannot use IAS as the central user management system? Many Thanks
BhagyaVenkatesha
Explorer
You can configure multiple corporate IdPs with IAS. Additionally, you can integrate Azure and also use user management within IAS. This setup is particularly useful for exceptional cases, where a user does not exist in Azure but still needs access to your applications.
tskwin
Participant

thanks