Use of SAP NetWeaver Identity Management, SAP Cloud Identity Authentication Service and SAP Cloud Identity Provisioning Service to integrate Identity Lifecycle Management into a hybrid system landscape – Part 1
Nowadays, our systems run in a hybrid system landscape with On-Premise and Cloud systems. For this reason, it makes sense to be able to centrally manage the user accounts for On-Premise as well as for Cloud systems. To centrally managed, there is the SAP Cloud Identity Provisioning Service (Identity Provisioning Service), which cooperates with SAP NetWeaver Identity Management (IDM) and the SAP Cloud Identity Authentication Service (Identity Service), to achieve these requirements.
Table of Contents
Pre-requisite
To implement Identity Lifecycle Management in a hybrid system landscape, you require the following:
- at least one cloud system as the target system for the Identity Provisioning Service,
- a tenant ID for the Identity Service,
- an account in the SAP Cloud Platform Cockpit and
- a SAP NetWeaver Identity Management System (at least version IDM 8.0 SP03).
The Identity Provisioning Service is a service in the SAP Cloud Platform Cockpit. This service allows you to implement cloud systems in an automated identity lifecycle management (Figure below). The Identity Provisioning Service enables users to manage user accounts and authorizations centrally in IDM, and to provision them to Cloud Target Systems from an On-Premise or Cloud Source system.
The source system can be on-premise or in the cloud, while the target system must be a Cloud system. The table below lists the available source and target systems:
| On-Premise System | Cloud System | |
| Available Source Systeme |
|
|
| Available Target Systeme |
|
How does IDM work together with the Identity Service and the Identity Provisioning Service?
The Identity Provisioning Service enables you to manage both, On-Premise and Cloud user accounts, centrally in IDM. While the Identity Provisioning Service is dedicated to provisioning to Cloud systems, IDM focuses on provisioning on On-Premise systems.
To provision user accounts from On-Premise systems using IDM through the Identity Provisioning Service to the cloud systems, you require the Identity Service. The Identity Service transports On-Premise user accounts from IDM to the Identity Provisioning Service.
How does it work?
IDM writes the user accounts to On-Premise systems and the Identity Service. The Identity Provisioning Service loads user accounts via Read or Resync Job and writes these user accounts, which originally come from IDM, to the corresponding Cloud systems. The difference between the Read and the Resync job is that the Identity Provisioning Service uses the Read Job to load the new user accounts only, and uses the Resync Job to load and overwrite all user accounts. A so-called transformation is used to determine how the Identity Provisioning Service provides user accounts from the source system to the target systems. A description of the above-mentioned Read / Resync job, as well as transformation, can be found at SAP:
The user accounts provided by IDM are located in the user management area of the Identity Service.
Currently, the IDM attributes listed in the table below can be provisioned to On-Premise and Cloud systems. However, to date, IDM cannot provision authorizations to Cloud systems.
| SAP Identity Management Attributes | SAP Cloud Identity Attributes | Description |
| DISPLAYNAME | displayName | User-friendly name |
| MSKEYVALUE | username or id | Unique entry (user) identifier |
| MX_ADDRESS_CITY | city | City |
| MX_ADDRESS_COUNTRY | country | Country key |
| MX_ADDRESS_POSTAL_CODE | postalCode | Postal code |
| MX_ADDRESS_REGION | region | Region |
| MX_ADDRESS_STREET_1 | streetAddress | Street |
| MX_DEPARTMENT | department | Department |
| MX_DISABLED | active | User is disabled Boolean values User is not able to log on to Identity Management User Interface when disabled. |
| MX_ENCRYPTED_PASSWORD | password | Encrypted password used for password provisioning |
| MX_FIRSTNAME | firstName | User first name |
| MX_LASTNAME | lastName | User last name |
| MX_LANGUAGE | locale | User language |
| MX_MAIL_PRIMARY | Primary e-mail address | |
| MX_PHONE_PRIMARY | businessPhone | Primary telephone number |
| MX_MOBILE_PRIMARY | cellPhone | Primary mobile number |
| MX_TITLE | title | Title of user |
| ACCOUNT<Repository> | id | Unique user ID for the user in the target repository. For SAP Cloud Identity service, this should be the id of the user. The user has one attribute for each repository the user exists. |
Mapping between Identity Management and SAP Cloud Identity Attribute
Conclusion
As a result, with the collaboration of SAP NetWeaver Identity Management (IDM), the SAP Cloud Identity Authentication Service and the SAP Cloud Identity Provisioning Service, you can implement Identity Lifecycle Management in a hybrid system landscape with On-Premise and Cloud Systems. The basis for this is that the IDM provisions user accounts to the On-Premise systems and the Identity Service, and the Identity Provisioning Service copies these user accounts from the Identity Service and provisions them to the Cloud systems.
Both services, SAP Cloud Identity Authentication Service and SAP Cloud Identity Provisioning Service, are straight-forward to configure. It is most important to understand what the two services are, what they offer, and how you can use them to centrally manage user accounts for On-Premise and cloud systems in IDM.
Most of all, as customers will use more and more cloud systems in the future, IDM requires this connection to correctly provision On-Premise as well as Cloud systems.
- Integration of HCM Organizational Units in SAP Identity Management - 21. December 2018
- The Changes of the REST API v2 in SAP Identity Management SP06 at a glance - 14. December 2018
- SAP Fiori Xiting Starter Pack for SAP Identity Management - 30. August 2018
