The content of the blog-post is a bit outdated (published 2021-09-28) but kept as reference. Please refer to the SAP Discovery Center for the newest IAM reference architectures and related missions or further links.
With SAP’s Integration Plan in the Cloud, distinct suite qualities were introduced, and they are becoming more important for the whole SAP portfolio. As a customer you get end-to-end automated solutions across different applications, aligned with the business processes. Capabilities that span multiple applications, such as security and identity management, are defined centrally in these suite qualities.
You may also look into the SAP Integration Strategy Community Topic Page to stay informed, and please ask your questions there.
In this blog post series we want to share the recommended architectures, which offer you options to adapt the IES design for identity and access management (IAM). This blog post will still not be able to answer all questions about how to set up IAM in a particular landscape; the intention is rather to provide food for thought on what to take into account.
We will concentrate on employee related integration scenarios (B2E).
There are corresponding blog posts on the master-data-to-identity flow and on reference architectures for single sign-on, posted by my colleague marko.sommer.
The SAP apps in this scope are:
A very common setup for SAP SaaS/PaaS applications is to use an identity management system, mainly for account and authorization management of SAP on-premises and/or SaaS/PaaS solutions. In this blog post I describe it with SAP Identity Management.
Let’s assume that your SAP landscape grows and you want to benefit from automated Hire-to-Retire flows. How can you move (close) to the reference architecture?
For the identity lifecycle, the way to the reference architecture mainly consists of setting up the SAP Cloud Identity Services between the (on-premises) identity management and the SAP applications.
In this example you already have SAP Identity Management as your solution to provision access to your landscape, and you want to benefit from the automation of the greenfield cloud architecture for identity and access management. The determination of access and the workflows to assign authorizations have already been set up in your SAP Identity Management. This blog post describes how you can use the increasingly integrated SAP SaaS/PaaS solutions for the Intelligent Enterprise together with your investments in SAP Identity Management.
First of all: SAP Identity Management can be the leading system in this flow. To benefit from workforce-person-to-identity conversions, and with regard to the creation of the User UUID in the SAP Cloud Identity Services, the flow contains a two-way integration between SAP Identity Management (since SP08 PL10) and the SAP Cloud Identity – Directory Service (IdDS).
Via this interface SAP Identity Management receives the identity. The identity management then applies your local rules to trigger your current user provisioning. The interface also allows attributes to be amended in the Directory Service. For example: if your SAP Identity Management creates a logon name that is used in non-SAP and SAP ABAP-based systems, the identity management should write it back to the Directory Service as login name as well. This way it can be used in particular in the authentication flows (please check Marko’s blog posts on this topic too).
After configuring the SAP Cloud Identity Services, your user flow replicates automatically from SAP SuccessFactors to the SAP Cloud Identity Services, and finally from the SAP Cloud Identity Services to the target applications. (Non-)SAP identity management systems can synchronize bi-directionally with the SAP Cloud Identity Services as the integration point.
For your particular landscape you might have a different integration of source systems into your SAP Identity Management system which cannot be replaced by the flow via the Master Data Integration Service, or only with high effort. In such cases the Cloud Identity Services could work as secondary systems behind your leading identity management system; we plan to share a separate blog post for such scenarios. But please keep in mind that the Cloud Identity Services still own important features such as the User UUID, which has to be synchronised back as an attribute to the leading solution. With SAP Identity Management 8 Service Pack 8 PL10 (SAP Note 3047993), the internal schema supports loading this attribute from the Cloud Identity Services and distributing the User UUID to your on-premises SAP S/4HANA.
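To make the attribute ownership in this two-way exchange concrete, here is an added model in Python (not SAP code and not the real schema or API of the Identity Directory Service): the directory mints the User UUID, the leading IdM derives the login name with its local rules and writes it back, and neither side may overwrite the attribute the other one owns. The record fields, the naming rule and the person record are constructed assumptions.

```python
import uuid

# Attribute ownership assumed for this model (not SAP's schema): the directory
# (IdDS) mints userUuid; the leading IdM derives loginName and writes it back.
IDDS_OWNED = {"userUuid"}
IDM_OWNED = {"loginName"}


def directory_upsert(directory: dict, identity: dict) -> dict:
    """IdDS side: the HR feed (workforce person) lands here. A userUuid is
    minted exactly once per personId and is never taken from the caller."""
    rec = directory.setdefault(identity["personId"], {})
    rec.update({k: v for k, v in identity.items() if k not in IDDS_OWNED})
    rec.setdefault("userUuid", str(uuid.uuid4()))
    return dict(rec)


def idm_login_name(identity: dict) -> str:
    """Constructed IdM naming rule standing in for your own local rules."""
    return (identity["firstName"][0] + identity["lastName"]).lower()


def reconcile(idm_store: dict, directory: dict, person_id: str) -> dict:
    """One two-way sync step for one person:
    1. IdDS -> IdM: read the directory record and keep the directory's userUuid.
    2. IdM:         derive loginName with local rules (only the first time).
    3. IdM -> IdDS: write loginName back so authentication flows can use it.
    Each side may only change the attributes it owns."""
    dir_rec = directory[person_id]
    local = idm_store.setdefault(person_id, {"personId": person_id})
    for k, v in dir_rec.items():
        if k in IDM_OWNED:
            continue  # the directory may not push IdM-owned values into IdM
        if k in IDDS_OWNED and local.get(k, v) != v:
            # the UUID is the stable key for downstream systems; a change here
            # means a re-created identity and must be investigated, not copied
            raise ValueError(f"userUuid of {person_id} changed in the directory")
        local[k] = v
    local.setdefault("loginName", idm_login_name(local))
    directory_upsert(directory, {"personId": person_id,
                                 "loginName": local["loginName"]})
    return dict(local)
```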
Figure 5 IAM reference architecture: hybrid integration with SAP Identity Management (SAP cross architecture, technology & innovation)
Pros:
Cons:
Recommendation:
We are planning to release multiple reference architectures based on this structure. The next ones: how you can leverage your existing SAP Access Control landscape (on-premises) for a hybrid IAM landscape using the Intelligent Enterprise reference architectures, and how you can leverage your existing HCM (or third-party HR) integration with SAP Identity Management to get close to the reference architecture.
Please also read the corresponding blog posts:
CIO Guide: Identity Lifecycle in Hybrid Landscapes
Secure Operations Map
SAP Cloud Identity Services community
Evolving IAS and IPS into SAP Cloud Identity Services
Task-Center