The integration between the SAP and Microsoft world is still a task that is not easy to accomplish. We have already dealt with this in an earlier blog post. The challenge of integration becomes particularly clear when matching user data to build a common user base, which is essential for seamless working with the correct authorizations. How can a common user base between SAP and Microsoft systems automatically be guaranteed in the cloud? SAP has established the SAP Cloud Platform Identity Provisioning Service (IPS) for this purpose.
What is the SAP Identity Provisioning Service actually?
The Identity Provisioning Service of SAP Cloud Platform, launched in 2016, automates identity lifecycle processes. It helps to provision identities and their permissions for various cloud and on-premise business applications. It is also integrated with single sign-on and governance micro-services, such as SAP Cloud Platform Identity Authentication Service (IAS) and SAP Cloud Identity Access Governance (IAG). While IAS is responsible for cross-system, SAML2-compliant authentication, IAG is used for risk assessment in the cloud.
The Identity Provisioning Service belongs to the Neo environment of the SAP Cloud Platform and is hosted in different regions. It performs the following tasks, among others:
- (De-)Provisioning of user identities and authorizations in IT landscapes
- Determination of the frequency of the provisioning plan, based on the business requirements
- Implementation of a policy-based authorization management
However, the IPS cannot be used to process workflows and approvals or to implement a deeper logic. SAP Identity Management (IdM) on-premise still covers these functionalities.
What configuration options are available?
Selection of systems
Users and groups can be provisioned between different business applications that can be defined as source and target systems. A proxy connector can also be used to provision identities from a SCIM-based system to a non-SCIM system. The list of systems is constantly being expanded; the current status is available here. Extensive setting options and filter properties are available for the configuration of the systems.
Configuration of attribute transformations
The standard system transformations can be used directly or adapted to the business requirements. Attribute transformations can be adapted both in the source system and in the target system. Or they have to be alligned in order to write source attributes in the correct format to the specific target attributes. This is done using the JSON schema declaration.
Provisioning jobs can be executed manually or scheduled for automatic execution at a certain time interval. A complete or synchronized read job is available for selection. The synchronization job reads and provisions only the new and updated entities, since a delta mechanism is used to calculate which changes have occurred.
View job logs and notifications
If a job was not completed successfully, its logs can be displayed and downloaded directly in the user interface. The logs provide information about which entities failed and why. It is also possible to subscribe to a source system to be notified by email when a job has failed.
What are the different operating modes?
Standard provisioning scenario with source and target systems
This scenario is suitable for initial, regular and scheduled read and synchronization jobs of all identities from any supported source system to any target system. One or more source systems can always react to changes in a target system.
The existing user directory of the company, such as the central user administration of AS ABAP or Microsoft Active Directory, normally functions as the source system. This can be either a cloud system or an on-premise system. The target system is a cloud or on-premise system that is to be filled with entities from the source system. This requires the start of a provisioning job.
Real-time provisioning scenario with SAP Cloud Platform Identity Authentication Service
It is possible to provision entities from IAS immediately for each target system without rejecting a manual or scheduled job. With real-time provisioning, newly created or updated users can be distributed without the need to manually run a job or wait for a scheduled job.
This feature is useful for scenarios that require synchronous provisioning and immediate system access, such as self-registration of users. It can also be used for single or multiple entities that need to be rebuilt in the IAS administration console or via its SCIM API and immediately synchronized for each supported target system. It is not necessary to start a provisioning job for this.
Hybrid scenario in proxy mode with SAP Identity Management on-premise
The proxy mode is a special connector type for hybrid scenarios. This means that entities can be provisioned from one SCIM-based system to another external system that is not based on SCIM, without having to establish a direct connection between the systems. To achieve this, an identity provisioning proxy connector is added that plays the role of a SCIM 2.0 endpoint and uses the respective API of the connected system.
SAP Identity Management (IdM) on-premise can use this proxy connector directly with an import functionality. To do this, the configuration of the system must be downloaded in the IPS and imported into SAP IdM as a new repository. Afterwards, initial load jobs for this system can be executed in SAP IdM to import the system. The system can then be used in SAP IdM like other system types.
Local identity directory
The local identity directory is part of SAP IPS and provides organizations with a directory for storing and managing users and groups in SAP Cloud Platform. Unfortunately, it is not possible to view data or make changes to data in this system using user interfaces.
How can an integration scenario with Microsoft Azure AD as the source system look like?
Configuration of the Microsoft Azure AD source system
The first step is the creation of an application client with reading permission in Microsoft Azure AD. Microsoft Azure AD is selected as the new source system in the IPS and the application client and other parameters are entered in the system settings. Mappings between attributes of Microsoft Azure AD and SAP IPS can be performed in the transformation schema.
Configuration of the target system, for example SAP Cloud Platform
To be able to write data from the source system - such as user data - to SAP Cloud Platform as a member, you need to create a target system for this system type. The Microsoft Azure AD created previously is selected as the source for the target system.
An application client with the correct authorizations has also to be created for SAP Cloud Platform. It is entered in the system settings along with other communication parameters. In the transformation schema, the mappings of the attributes of SAP IPS and SAP Cloud Platform must be adjusted accordingly.
The synchronization starts with the manual start of a sync job in the source system. This can also be scheduled after successful processing. The job log provides an overview of the successfully transferred data and any errors.
Currently, the SAP Identity Provisioning Service (IPS) enables data synchronization between systems. However, workflows for role assignments cannot be implemented. This can only be achieved using the IPS proxy functionality and SAP Identity Management on-premise in a hybrid scenario. In the future, existing SAP cloud services such as IAS and IAG will grow closer together with the IPS.