This is quick informational post based on a recent conversation about SAP Identity Provisioning Service (IPS) and "unavailable" connector bundles. In short: if your IPS tenant is missing a connector, check out the available connectors on the new IPS tenant on the SAP Identity Service Infrastructure.
About me (disclaimer)
In my role at SAP, I help our customers to wrap their heads around the security of SAP Cloud Products. As I am doing that in a presales capacity for many years, I have been part of many deals, discussion and architecture talks. But as I am NOT a consultant who tinkers with those SAP Systems every day, I can and will not provide any type of recommendations. All of my writings are purely my own opinion. So you need to read the respective sources and documents that I may have interpreted (wrongly) and come up with your own educated decisions.
Identity Provisioning Service (IPS)
The IPS is part of the SAP Identity Services (IAS+IPS). It does transport User Identities and their assigned roles from one system to an other. In order to do that, IPS does bring a bunch of so called connectors and it also exposes a SCIM interface.
The (new) IPS tenants bring most of the available system connectors out of the box right away. Let`s look at this particular part of the documentation (as of 02/26/2023) below. If you read carefully, it says all connectors are available just not those listed in this table.
IPS SAP Help: Most connectors are available
How do I find out if my IPS tenant is "New" or still on BTP NEO?
You might want to try the IAMTENANTS interface. That system should give you a list of all your available IAS & IPS tenants and when they have been created. The creation date is a very good indicator of what IPS deployment type you are facing - anything deployed after March 15th 2022 should be a IPS tenant on SAP Cloud Identity Infrastructure. And thus should contain most of the connectors right away.
You can also check if you can access the IPS tenant like any other BTP NEO service. If yes, you obviously got a BTP NEO IPS tenant.
And unfortunately, not all SAP Cloud Systems are yet integrated with IPS. You might want to check with the respective product sources and road maps about potential plans to support IPS.
Where can I find the IPS SCIM API? [New 2023-03-07]
This is a bit hidden in plain sight within the IPS docs. Check out the IPS Proxy functionality. This so called IPS proxy does expose the SCIM API in the IPS service (here SCIM Endpoint). So if you got a system that can trigger outbound SCIM call, you can use this IPS proxy to push and pull user data into the various supported SAP Systems.
Why is there no SCIM target connector? [New 2023-03-07]
First we got to keep in mind that IPS is a cloud service. That means, when ever this service is used, it will incur costs on our SAP side. Then there is Dev/Ops, support and maintenance that needs to be taken care of as well.
With the decision to include IPS with every SAP Cloud product (aka no extra license costs for IPS), the commercial IPS version (IPS stand alone tenant) has become unavailable. The operational costs for IPS are now covered by SAP. But that means, SAP has good reasons to control those costs and make sure the use case has a SAP product focus.
With this move, the focus of IPS shifted from a sellable "stand alone" product to an enabler of SAP Cloud Solutions. So this previous IPS capability to include 3rd party SCIM destinations has become obsolete as there is simply no one there to pay for that party any more.
And if you look into the market of cloud based identity provisioning systems, I guess there will be no free offering to integrate one 3rd party to an other 3rd party for free, right? If there is, people are welcome to use it.
If you want to license SAP Identity Access Governance, that happens to bring a SCIM destination (via IPS Stand Alone tenant functionality), please reach out to your local SAP sales representative. I guess that explains who pays for that particular SCIM destination party 🙂
BTP: SAP Business Technology Platform
BTP NEO: SAP Business Technology Platform NEO
IAS: SAP Cloud Identity Services – Identity Authentication
IPS: SAP Cloud Identity Services – Identity Provisioning