Setting up SAP NW IDM, SAP Cloud Identity Authentication Service and SAP Cloud Identity Provisioning Service to integrate the Identity Lifecycle Management into a hybrid system landscape – Part 2

The first part of the blog explains how SAP NetWeaver Identity Management (IDM) centrally manages user accounts and provisions them to on-premise and cloud systems using SAP Cloud Identity Authentication Service (Identity Service) and SAP Cloud Identity Provisioning Service (Identity Provisioning Service).

This part of the blog explains how to set up the scenario in which IDM uses the Identity Service and the Identity Provisioning Service to provision user accounts to on-premise and cloud systems.

Figure: IDM provisions On-Premise user accounts to cloud systems


Implementation

Scenario: IDM provisions On-Premise user accounts to the Cloud Systems

Architecture:

  • Source: On-Premise SAP or non-SAP System
  • Target: Cloud System
  • Provisioning System: IDM and Identity Provisioning Service

Procedure

Step 1: Create a technical user for the Identity Service

The connection between IDM and the Identity Service requires a technical user. You create the technical user in the administration console of the Identity Service as shown below. The user ID of this user is required in Step 2 (the repository constants) and again in Step 3 (the destination). Make sure that the user has sufficient authorization to read and write user data, and no more than that. The figure below shows an example configuration of a technical user IDM_CONNECTION (User ID: T000000) in the Identity Service.

Figure: Creation of a technical user in the Identity Service

Step 2: Connecting the IDM system to the Identity Service

The SCI connector connects IDM to the Identity Service. To configure the SCI connector, perform the following steps:

  1. Import the SCI connector

Import the “com.sap.idm.connector.sci” package for the SCI Connector into the IDM identity store. With the SCI Connector, you can provision user accounts to the Identity Service. The following operations are available:

  • Create user
  • Edit user
  • Delete user
  • Activate user
  • Disable user
  • Set a productive password for the user

The plugins for the provisioning of authorizations and groups are still empty, so it is currently not possible to centrally manage the authorizations and groups of the Identity Service from IDM.

Figure: SCI Connector

  2. Create a repository for the Identity Service

You have to create a repository for the Identity Service in the IDM Admin UI. To do so, configure the Repository Constants as in Table 1 and the Repository Type Constants as in Table 2. The figure below shows an example configuration of a repository for the Identity Service.

The constants SCI_HOST, SCI_PORT, SCI_USER, and SCI_PASSWORD are mandatory fields.

  • SCI_USER corresponds to the technical user from step 1
  • SCI_HOST is the host of the Identity Service

Table 1: Repository Constants for SAP Cloud Identity

Repository Constant     Value
SCI_HOST                SCI system hostname
SCI_PORT                Default: 443 (default port for HTTPS)
SCI_USER                Username of the technical user
SCI_PASSWORD            Password of the technical user
PROXY_HOST              Proxy hostname
PROXY_PORT              Proxy port
PROXY_USER              User for proxy authentication
PROXY_PASSWORD          Password for the proxy user
TRUSTSTORE              File location of the trust store used for establishing a secure connection
TRUSTSTORE_PASSWORD     Password to access the trust store (only needed when using certificate authentication)
READ_TIMEOUT            Default: 60000 (milliseconds to wait during read operations)
CONNECT_TIMEOUT         Default: 60000 (milliseconds to wait when making the connection)
CONNECTION_KEEPALIVE    Default: 60000 (milliseconds to wait before closing the connection)
SYSTEM_PRIVILEGE        PRIV:SYSTEM:<Repository>, where <Repository> is the exact name of the repository to which the constants belong

In the SAP Identity Management Administration User Interface, the value of the SYSTEM_PRIVILEGE repository constant is read-only. When a repository is created, the name of the repository is filled in automatically.

Table 2: Repository Type Constants for SAP Cloud Identity

Repository Type Constant      Value
HTTP_PROTOCOL                 https (protocol used for the connection)
MX_ADD_MEMBER_TASK            <process number for Provisioning>
MX_DEL_MEMBER_TASK            <process number for Deprovisioning>
MX_MODIFYTASK                 <process number for Modify>
REPOSITORY_SYNC               SYNC
REPOSITORY_TYPE               SCI
INITIAL_LOAD                  <Initial Load Job>
MX_PRIV_GROUPING_ATTRIBUTE    (empty)
MX_PRIV_GROUPING_RULE         P:-1
Figure: Repository sample configuration for Identity Service

  3. Start the Initial Load Job in IDM, which loads the existing user accounts of the Identity Service into IDM
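Before starting the Initial Load Job it is worth checking the repository definition once against the rules in Table 1 and Table 2, because a wrong SYSTEM_PRIVILEGE or a plain-http protocol only surfaces later as failed provisioning. The following Python preflight check is an added example for this blog; it is not part of the original post and not SAP connector code. It encodes the rules the tables state (mandatory constants, https only, SYSTEM_PRIVILEGE derived from the exact repository name, task constants holding process numbers) plus a few consistency rules that are assumptions of this example (proxy host and port go together, a trust-store password needs a trust-store file, timeouts are positive millisecond values). The repository name SCI_PROD, the host sci.example.com, the process numbers and the job name are constructed sample values.

```python
"""Preflight check for an SAP IDM repository of type SCI (added example, not SAP code)."""
from typing import Dict, List, Tuple

MANDATORY = ("SCI_HOST", "SCI_PORT", "SCI_USER", "SCI_PASSWORD")
TIMEOUTS = ("READ_TIMEOUT", "CONNECT_TIMEOUT", "CONNECTION_KEEPALIVE")
TASKS = ("MX_ADD_MEMBER_TASK", "MX_DEL_MEMBER_TASK", "MX_MODIFYTASK")


def check_sci_repository(name: str, constants: Dict[str, str],
                         type_constants: Dict[str, str]) -> List[str]:
    """Return findings for a repository definition; an empty list means it passes."""
    findings: List[str] = []

    def val(key: str, default: str = "") -> str:
        return (constants.get(key) or default).strip()

    # Table 1: SCI_HOST, SCI_PORT, SCI_USER and SCI_PASSWORD are mandatory.
    for key in MANDATORY:
        if not val(key):
            findings.append(f"{key} is mandatory but empty")
    # Assumption of this example: SCI_HOST is a bare hostname, not a URL.
    if "://" in val("SCI_HOST") or "/" in val("SCI_HOST"):
        findings.append("SCI_HOST must be a hostname, not a URL")
    port = val("SCI_PORT")
    if port and (not port.isdigit() or not 1 <= int(port) <= 65535):
        findings.append("SCI_PORT must be a TCP port number (default 443)")
    # Table 2: the connector uses https; http would send SCI_USER/SCI_PASSWORD in clear text.
    if type_constants.get("HTTP_PROTOCOL", "").strip().lower() != "https":
        findings.append("HTTP_PROTOCOL must be https")
    if type_constants.get("REPOSITORY_TYPE") != "SCI":
        findings.append("REPOSITORY_TYPE must be SCI")
    if type_constants.get("REPOSITORY_SYNC") != "SYNC":
        findings.append("REPOSITORY_SYNC must be SYNC")
    # Table 1: SYSTEM_PRIVILEGE is PRIV:SYSTEM:<exact repository name>.
    expected = f"PRIV:SYSTEM:{name}"
    if val("SYSTEM_PRIVILEGE") != expected:
        findings.append(f"SYSTEM_PRIVILEGE must be {expected}")
    # Table 2: the task constants hold the process numbers of the provisioning tasks.
    for key in TASKS:
        if not type_constants.get(key, "").strip().isdigit():
            findings.append(f"{key} must hold a process number")
    if not type_constants.get("INITIAL_LOAD", "").strip():
        findings.append("INITIAL_LOAD must reference the Initial Load Job")
    # Timeouts default to 60000 ms when empty; anything set must be a positive integer.
    for key in TIMEOUTS:
        value = val(key, "60000")
        if not value.isdigit() or int(value) <= 0:
            findings.append(f"{key} must be a positive number of milliseconds")
    # Assumptions of this example: proxy and trust-store settings must be self-consistent.
    if bool(val("PROXY_HOST")) != bool(val("PROXY_PORT")):
        findings.append("PROXY_HOST and PROXY_PORT must be set together")
    if val("PROXY_USER") and not val("PROXY_PASSWORD"):
        findings.append("PROXY_USER is set but PROXY_PASSWORD is empty")
    if val("TRUSTSTORE_PASSWORD") and not val("TRUSTSTORE"):
        findings.append("TRUSTSTORE_PASSWORD is set but TRUSTSTORE has no file location")
    return findings


def sample_repository(secure: bool = True) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed definition for a repository named SCI_PROD.

    secure=True mirrors Table 1 and Table 2; secure=False shows the kind of
    definition the check is meant to catch (http, blank password, URL as host).
    """
    constants = {
        "SCI_HOST": "sci.example.com",        # constructed tenant host
        "SCI_PORT": "443",
        "SCI_USER": "T000000",                # technical user from Step 1
        "SCI_PASSWORD": "<stored in IDM>",    # placeholder; never hard-code real secrets
        "PROXY_HOST": "", "PROXY_PORT": "", "PROXY_USER": "", "PROXY_PASSWORD": "",
        "TRUSTSTORE": "", "TRUSTSTORE_PASSWORD": "",
        "READ_TIMEOUT": "60000", "CONNECT_TIMEOUT": "60000", "CONNECTION_KEEPALIVE": "60000",
        "SYSTEM_PRIVILEGE": "PRIV:SYSTEM:SCI_PROD",
    }
    type_constants = {
        "HTTP_PROTOCOL": "https",
        "MX_ADD_MEMBER_TASK": "1001", "MX_DEL_MEMBER_TASK": "1002", "MX_MODIFYTASK": "1003",
        "REPOSITORY_SYNC": "SYNC", "REPOSITORY_TYPE": "SCI",
        "INITIAL_LOAD": "SCI Initial Load",   # constructed job name
        "MX_PRIV_GROUPING_ATTRIBUTE": "", "MX_PRIV_GROUPING_RULE": "P:-1",
    }
    if not secure:
        constants["SCI_HOST"] = "https://sci.example.com/"
        constants["SCI_PASSWORD"] = ""
        constants["TRUSTSTORE_PASSWORD"] = "changeit"
        type_constants["HTTP_PROTOCOL"] = "http"
    return constants, type_constants


if __name__ == "__main__":
    for secure in (True, False):
        consts, types = sample_repository(secure)
        label = "secure" if secure else "weak"
        print(label, check_sci_repository("SCI_PROD", consts, types) or "OK")
```

Run the check with the exact repository name you typed in the Admin UI; the secure sample passes, and the weak sample reports the http protocol, the empty password, the URL in SCI_HOST and the orphaned trust-store password. Export the real constants from the repository rather than retyping them, so the check sees what the connector sees.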

Step 3: Configuration of the destination for the Identity Service in the SAP Cloud Platform Cockpit

To use the Identity Service as a source system in the Identity Provisioning Service, you have to configure a destination in the SAP Cloud Platform Cockpit that points to the Identity Service and authenticates with the technical user from Step 1. The figure below shows an example configuration of such a destination.

Figure: Sample of a destination configuration in Cloud Platform Cockpit

Step 4: Configuring the Source System in the Identity Provisioning Service

The Identity Service is configured as the source system in the Identity Provisioning Service. Select the destination from Step 3 as the destination name.

Figure: Configuration of the Source System in Identity Provisioning Service

Step 5: Configuration of the target system in the Identity Provisioning Service

Conclusion

In order to set up SAP NetWeaver Identity Management, SAP Cloud Identity Authentication Service, and SAP Cloud Identity Provisioning Service, you have to consider the following:

  • You cannot provision user accounts directly from IDM to the cloud systems; the Identity Service is required in between. The connection between IDM and the Identity Service requires the SCI Connector and a repository for the Identity Service. To map the user accounts between IDM and the Identity Service, you have to run an Initial Load that loads the existing user accounts of the Identity Service into IDM.
  • In the Identity Provisioning Service, the Identity Service must be configured as the source system and any number of cloud systems as target systems. The Read Job loads only new user accounts from the Identity Service, whereas the Resync Job loads all user accounts and overwrites them in the target systems. The Read Job should be scheduled as a periodic job. Transformations determine how the Identity Provisioning Service maps user accounts from the source to the target systems. Details on the Read and Resync Jobs and on transformations are in the first part of the blog: Use of SAP NetWeaver Identity Management, SAP HANA Cloud Identity Authentication Service and SAP HANA Cloud Identity Provisioning Service to integrate Identity Lifecycle Management into a heterogeneous system landscape – Part 1.

By using these two services, you can securely integrate cloud systems into a heterogeneous system landscape and centrally manage user accounts in the IDM.

Chen Chen