SAP Cloud Identity Services & IAM Portfolio: What’s New? (2024)

About this Article

This blog delves into the latest 2024 updates in SAP’s Identity and Access Management (IAM) portfolio. Drawn from diverse early 2024 SAP events, with a particular focus on SAP Cloud Identity Services (SCI). Additionally, it offers insights into SAP IAG and highlights how Xiting is pioneering its path in Identity Governance and Administration (IGA) with the XSP solution. Lastly, it provides a brief introduction to the Xiting Consulting Unit IAM. Enjoy the read!

IAM 101: Identity Lifecycle, Authorization, and Authentication

In simple terms, Identity and Access Management (IAM) revolves around three core aspects:

1. Identity Lifecycle: This encompasses the journey of user identities within a system, from creation to deletion.

2. Authorization: Determining what actions users are allowed to perform within a system.

3. Authentication: Ensuring that users are who they claim to be when accessing applications or services.

Identity Access Management Portfolio by SAP

SAP offers a Identity Access Management (IAM) portfolio that caters to both on-premises and public cloud solutions. Let’s delve into each category – Identity Lifecycle, Authentication, and Authorization – highlighting the different components within SAP’s Cloud Identity Services (SCI) suite.

Identity Lifecycle Management

For managing the lifecycle of identities, SAP provides several solutions:

• • Identity Provisioning: Part of SCI. Facilitates seamless creation and management of user identities.

• • Identity Directory: Part of SCI. Serves as a centralized repository for user and group information.

• • SAP Identity Management: An on-premises product ensuring robust identity lifecycle management unitl the end of 2027/2030.

Authentication Solutions

SAP’s authentication solutions ensure secure access to applications and services:

• • Identity Authentication: Part of SCI. Provides seamless and secure authentication for users across applications.

• • SAP Single Sign-On 3.0: An on-premises product offering single sign-on capabilities until the end of 2027.

• • Secure Login Service: A standout addition to SAP’s IAM lineup is the SAP Secure Login Service, heralded as the new star in the SAP Single Sign-On horizon. This service promises enhanced security and user experience in single sign-on scenarios.

Want to know more? Read here: https://community.sap.com/t5/technology-blogs-by-members/exploring-sap-secure-login-service-for-sap-gui-a-comprehensive-review/ba-p/13573382

Authorization Management

Authorization management is crucial for defining user permissions and access control:

• • SAP Cloud Identity Access Governance: Symbiotically linked with SCI, it offers comprehensive authorization management and access governance.

• • Authorization Management of SAP Cloud Identity Services: Streamlines authorization management for developers on SAP BTP. Define access policies with specified conditions, easily adjustable by administrators post-deployment. This centralizes access control, mitigating complexity and ensuring precise authorization levels.

Want to know more? Read here: https://community.sap.com/t5/technology-blogs-by-sap/sap-btp-innobytes-january-2024/ba-p/13584601

• • SAP Access Control: An on-premises product offering that enables organizations to control access and prevent fraud across the enterprise, while minimizing the time and cost of compliance. An upcoming version (release 2026) will further enhance authorization capabilities within SAP’s IAM portfolio.

While SAP’s IAM portfolio boasts a comprehensive suite of solutions, it’s worth noting that the SAP Customer Data Cloud is beyond the scope of this discussion due to the author’s limited experience with it.

SAP Cloud Identity Services

Short Overview

SAP Cloud Identity Services (SCI) offer a suite of components tailored to address various facets of IAM:

• • Identity Provisioning: Streamlining the process of creating and managing user identities.

• • Identity Directory: Serving as a centralized repository for storing and accessing user and group information.

• • Authorization Management: Facilitating the assignment and management of user permissions.

• • Identity Authentication: Ensuring secure and seamless user authentication across applications.

Key Features of SCI

• • Predefined Connectivity and Bundling: SCI seamlessly integrates with SAP cloud solutions, providing out-of-the-box configuration for user provisioning and authentication.

• • Automated Service Enablement: Identity Services are automatically enabled as part of the product delivery process, simplifying setup for customers.

• • Default Pre-Configuration: SAP cloud solutions come pre-configured with Identity Services, catering to common scenarios without the need for separate licensing.

Long story? Read here: https://xiting.com/en/downloads/download-sap-cloud-identity-services-e-book/

Cross-Enterprise Access Governance

Streamlining cross-enterprise identity management and access governance integration, Microsoft Entra ID and Microsoft Entra ID Governance will integrate with SAP Cloud Identity services and SAP Cloud Identity Access Governance. This empowers organizations to achieve single sign-on and provisioning capabilities across various SAP business applications, including SAP S/4HANA Public Cloud, SAP Ariba, SAP Concur, and SAP SuccessFactors. Additionally, the linkage between Microsoft Entra ID and Microsoft Entra ID Governance with SAP Cloud Identity Access Governance will enable cohesive identity and access risk assessments, alongside monitoring and management of compliance controls.

Identity Lifecycle Management with SCI

SAP Cloud Identity Services facilitates efficient management of the employee lifecycle, from onboarding to offboarding, ensuring smooth transitions and access management throughout.

It plays a key role by centralizing Identity Access Management. They collect the derived identities and act as a single source of truth. The Identity Directory and Identity Provisioning components of SAP Cloud Identity Services work together to manage identities efficiently across systems.

Identity Directory: Centralized User Management

The Identity Directory serves as a central repository for user and group information, accessible via APIs and admin UI, simplifying connectivity and integration with SAP SaaS applications.

It provides a System for Cross-domain Identity Management (SCIM) 2.0 REST API for managing resources (users, groups and custom schemas) with a set of attributes. Those attributes are defined in the SCIM 2.0 Core schema and the Enterprise user resource schema. Custom attributes are supported through a schema extension.

Identity Provisioning

Transformation Engine

Identity Provisioning Connectors play a crucial role in the Identity Lifecycle process. These connectors come in various types, including Source System Connectors, Target System Connectors, and Proxy System Connectors. They enable seamless integration between different systems, allowing for the provisioning and authentication of users.

With over 20 SAP Cloud solutions, on-premise solutions, and third-party solutions, Identity Provisioning Connectors offer out-of-the-box configuration for user provisioning and authentication. This ensures smooth operations across various platforms.

The Identity Provisioning transformation engine offers several powerful capabilities:

1. 1. Assignment: Users can define rules for assignments based on input data. For instance, organizations can use the value of an identity’s organizational unit to determine the roles required for that user.
   2. Mapping between identity models: The engine facilitates mapping between attributes in different models. For example, it can map the surname attribute to the family name attribute. Additionally, it allows for adjustments to data formats, such as converting time or number formats as needed.
   3. Filtering: Organizations can specify detailed criteria for determining which objects should be read or written. This enables fine-grained control over data synchronization and provisioning processes, ensuring that only relevant information is transferred between systems.

Various types of connectors to facilitate seamless integration

1. 1. Source System Connectors: These connectors enable the extraction of user data from source systems, such as SAP Cloud solutions, on-premise solutions, and third-party solutions.
   2. Target System Connectors: These connectors facilitate the transfer of user data to target systems, including SAP Cloud solutions, on-premise solutions, and third-party solutions.
   3. Proxy System Connectors: These connectors act as intermediaries between source and target systems, ensuring smooth data transfer and integration.

With support for over 20 SAP Cloud solutions, on-premise solutions, and third-party solutions, Identity Provisioning Connectors offer out-of-the-box configuration for user provisioning and authentication. This ensures quick and easy setup for organizations, enabling efficient management of user identities across diverse systems.

Authorization Management

Authorization plays a crucial role in ensuring secure access to applications and resources. Here’s how SAP addresses authorization management:

• • Internal Authorization Definition: Many applications define authorizations internally, tailored to their specific domain requirements.

• • Central User Assignment: SAP Cloud Identity Services centralizes user assignment to roles and groups, streamlining access management.

• • Authorization Management Service (AMS): This “new” service provides centralized management of end-user authorizations for applications on the SAP Business Technology Platform. AMS integrates seamlessly with SAP Cloud Identity Services, allowing for configuration and assignment of policies directly from the administration console.

• • Policy Assignment: In SAP Cloud Identity, each policy corresponds to a group in the identity directory. Policies can be assigned to users by making them members of the respective policy group. Customers have the flexibility to assign SAP-provided or custom policies to users using the user-friendly UIs in the SAP Cloud Identity console or programmatically via the SCIM API of the Identity Directory.

Identity Access Governance

SAP Cloud Identity Access Governance (IAG) is already widely recognized, offering a comprehensive suite of features aimed at enhancing security and compliance.

Key Features:

• • Privileged Access Management: Enables the management of super-user access, log consolidation, and automated log assessment to ensure stringent security measures.

• • Access Certification: Facilitates the review of access, roles, risks, and mitigation controls to maintain compliance with regulatory standards.

• • Access Analysis: Provides tools to analyze access, refine user assignments, and manage controls effectively.

• • Access Request: Optimizes access by streamlining workflows, policy-based assignment, and processes to ensure efficient access provisioning.

• • Role Design: Allows organizations to optimize role definition and governance processes, enhancing overall security posture.

Moreover, SAP Cloud Identity Access Governance offers HR-driven identity lifecycle management by integrating with SAP SuccessFactors. This integration enables automatic access requests triggered by changes in employee status within the HR system. The IAG Bridge Cloud facilitates the creation of access requests for cloud applications, with risk analysis and provisioning handled by SAP Cloud Identity Access Governance.

Unlocking Efficiency: Seamless Access Provisioning with API-Driven Integrations in SAP Cloud Identity Access Governance

API-based integrations further enhance flexibility, allowing external applications to submit requests to SAP Cloud Identity Access Governance for processing. This enables efficient access provisioning and deprovisioning based on approval processes, with the option to retrieve request status periodically.

With support for over 16 SAP Cloud solutions, on-premises solutions, and third-party solutions, SAP Cloud Identity Access Governance provides a robust platform for organizations to maintain security, compliance, and efficient access management across their IT environment.

Authentication

Authentication within SAP’s ecosystem is facilitated through SAP Cloud Identity Services, serving as the interface for Identity Access Management. Here’s how authentication in the overall hybrid SAP landscape idealy works:

• • SAP Cloud Identity Services: This platform acts as the primary hub for authentication. SAP applications inherently trust SAP Cloud Identity Services for identity authentication, ensuring a secure login process.

• • User Interaction: Users have the flexibility to interact with either Identity Authentication provided by SAP Cloud Identity Services or third-party Identity Providers. Regardless of the chosen method, users benefit from Single Sign-On capabilities, enhancing user experience and simplifying access to multiple applications.

• • Integration with SAP GUI: SAP GUI seamlessly integrates with short-term X.509 certificates from SAP Secure Login Service, further enhancing authentication security supporting MFA within SAP environments.

Short Comparative Note: SAP Secure Login Service (SLS) for SAP GUI versus SAPSingle Sign-On (SSO) 3.0

While SAP Single Sign-On 3.0 remains a viable solution for certain use cases, the emerging preference leans towards the new SLS for SAP GUI for most scenarios. The rationale behind this shift lies in the fact that SSO relies on capabilities like multi-factor authentication and CLM (Certificate Lifecycyle Management with NDES CA-Integration) on SAP NetWeaver Application Server Java, which is scheduled to exit mainstream maintenance by the end of 2027.

Contrarily, the new SLS does not depend on SAP NetWeaver AS Java; instead, it leverages a cloud-based service. It emphasizes seamless integration with cloud-centric identity providers, such as SAP Cloud Identity Services – Identity Authentication. Furthermore, it is offered as a cloud subscription, aligning with the contemporary preferences of software licensing among customers. However, it is important to note that currently, some features are still missing in direct comparison with the SAP SSO 3.0 Suite.

• • Principal Propagation: SAP Cloud Identity Services facilitates principal propagation between applications, ensuring consistent authentication across various systems and enhancing interoperability.

Upcoming Developments and Enhancements

Upcoming: Simplified Principal Propagation for Authentication

SCI will act as a central token service, reducing complexity in system-to-system calls and enhancing trust between applications. In an upcoming development, SAP Cloud Identity Services is poised to introduce a significant enhancement aimed at simplifying principal propagation for authentication. Here’s what to expect:

• • Central Token Service: SAP Cloud Identity Services will transition into a central token service, streamlining the process of system-to-system calls. This move aims to reduce complexity and enhance efficiency in authentication workflows.

• • Token Request Flow: When a sender application needs to call an API of the receiver application on behalf of the current user, it will request a token from Identity Authentication within SAP Cloud Identity Services.

• • Trust in Tokens: SAP applications, along with third-party applications, will trust tokens issued by SAP Cloud Identity Services for API calls. This trust ensures secure and seamless communication between applications, regardless of their origin.

SCIM & SAP: Updates for Improved Enterprise Readiness

SAP is working on enhancements to the SCIM protocol, including cursor-based pagination and additional schema support, to enhance user assignment processes and enterprise readiness.

Here’s an overview of the recent developments:

• • SCIM Adoption: SAP initially adopted SCIM as a product standard with the Identity Provisioning Service (IPS). SCIM2 was subsequently designated as the primary user and group replication protocol for SAP applications, outlining the implementation guidelines.

• • SCIM User Lifecycle: SCIM includes the “active” flag to control authentication and app interactions. It mandates responding to GET requests after a DELETE request with no result. Applications have the autonomy to set users to a blocked status or create new user records as needed.

• • Enterprise Readiness: SAP identified areas for improving SCIM’s enterprise readiness, including the lack of delta-read processes and index-based pagination. To address these concerns, SAP is working on implementing cursor-based pagination for entities like Users and Groups, as well as multi-valued attributes.

• • SCIM Groups and Schema Enhancements: SAP envisions SCIM Groups as the primary method for user assignments, offering transparent concepts for SCIM clients. SAP’s group schemas introduce additional capabilities, such as defining group types and supported operations, providing more precise operations for SCIM clients.

• • SAP User Extensions: SAP plans to introduce additional user extensions for business attributes derived from the One Domain Model (ODM). This extension aims to enable applications to create users with related business attributes. The schema will support legacy approaches and integration scenarios with the Master Data Integration Service.

SAP Cloud Identity Services continue to evolve, offering comprehensive IAM solutions for businesses. With features such as predefined connectivity, automated service enablement, and upcoming enhancements, SAP remains innovative, ensuring secure and efficient identity and access management for its customers.

Finally, a little self-promotion

Xiting’s IGA Solution: A Cut Above the Rest

Xiting offers a standout Identity Governance and Administration (IGA) solution known as the Xiting Security Platform (XSP), distinguished by its innovative approach and advanced features. XSP provides efficient identity and access management across SAP and non-SAP applications through its intuitive interface and robust backend functionalities. Notably, Xiting prioritizes compliance and auditing, offering detailed audit trails and reporting capabilities for effortless regulatory adherence.

Our focus on SAP security and compliance sets us apart as a provider. We prioritize open APIs for seamless tool integration and emphasize delivering a bridge scenario for hybrid landscapes. Our primary focus is on conducting identity consolidation, risk analysis and managing associated rule sets, enabling cross-platform risk and SoD checks. XSP includes connectors to various systems such as Ariba, SuccessFactors, SAP BTP, and on-premises ABAP systems, with a potential IAM connector in the future.

Experience the difference with Xiting’s approach to SAP security and compliance. To learn more about how XSP can enhance your organization’s risk management capabilities and streamline your GRC processes, read here.

XSP in a Nutshell

XSP, a cloud-based solution, ensures compliance and robust security across hybrid SAP landscapes. Operating as a central hub, it consolidates identities and offers analysis dashboards for swift issue resolution. Built on SAP’s Business Technology Platform (BTP), XSP integrates seamlessly with SAP’s ecosystem.

Key Features: A Closer Look at XSP

XSP’s components cover User Lifecycle Management, Compliant Provisioning, and Access Governance. It automates workflows, offers self-service portals, ensures correct access rights assignment, and supports SCIM and LDAP integrations for efficient identity management. Access Governance features include SOD risk analysis, role mining, recertification of access, and privileged access management, bolstering overall security.

Xiting’s XSP offers comprehensive IGA services, managing identities across various applications while ensuring compliance and security. Its integrations, advanced features, and intuitive interface make it a powerful tool for enhancing security, efficiency, and compliance in organizations.

About the Xiting Consulting Unit IAM

Our consulting unit for Identity & Access Management (IAM) serves as a guiding star in the challenges of secure authentication, single sign-on, and user and identity management. Our team comprises experienced SAP consultants who can cover various SAP security topics, using both our own tools and SAP’s security solutions. We operate across three countries: Germany, Switzerland, and Romania. Our focus is on the extensive realm of identity and access management in hybrid SAP environments.

As the integration of cloud applications into SAP enterprises continues to grow, our consultants become indispensable partners for comprehensive identity management. This is particularly crucial in the current era, as numerous SAP companies increasingly adopt the SAP Cloud-First strategy and rely on SAP cloud applications such as SAP BTP and SaaS.

Empowering SAP Enterprises: Streamlining Cloud Identity and Access Management

SAP companies face the challenge of migrating their identity and access management processes to the cloud. The primary goal is to centrally manage the lifecycle of identities – from entry to exit – including authentication processes and access permissions. With the increasing integration of SAP SaaS apps and SAP BTP services, the manual creation of user accounts and password management becomes more complex. Centralized user authentication and provisioning in the hybrid SAP landscape are becoming increasingly unavoidable.

Transforming SAP Security: Comprehensive Consulting Solutions for Automated Identity Lifecycle Management and Seamless Access Control

Our comprehensive consulting approach assists SAP enterprises in automating the identity lifecycle, ensuring seamless single sign-on, and achieving compliance regarding permissions. We offer a wide range of services to strengthen our clients’ SAP security, optimize access management, identity lifecycle, and integration of SAP Cloud Services.

The team focuses on the following 3 key areas:

1. SAP Identity Management & Workflows: We cover the field of identity management, including SAP Identity Management 8.0, Xiting Fiori-UIs, and Xiting Central Workflows for efficient SAP ABAP Identity Management and hybrid IAM scenarios. We take into account integrations with HCM & LDAP systems, service desk tools & ticketing systems, Microsoft Entra ID, and 3rd Party IAM solutions in combination with SAP Cloud Identity Services as middleware.

2. Cloud Security & Identity Lifecycle Management (SAP BTP & SAP Cloud Identity Services): Our services for cloud security and identity lifecycle management, centered around SAP BTP and SAP Cloud Identity Services, enhance access management, protect identities, and seamlessly integrate cloud and on-premises environments. We provide comprehensive consulting, including best-practice workshops, authorization concepts, and additional services to ensure a solid foundation for your cloud security strategy.

3. User Authentication & Single Sign-On: In the Xiting Unit IAM, we are dedicated to transforming SAP security landscapes with state-of-the-art solutions and optimizing authentication. Our comprehensive range of SAP SSO services addresses every aspect of security, from conception to implementation, making us the preferred partner to ensure the highest protection for your SAP environment. Moreover, we cover secure authentication with MFA & SSO, ID Lifecycle Management, and SAP Cloud Security, utilizing solutions such as SAP® Cloud Identity Services, SAP® Single Sign-On 3.0, and SAP® Secure Login Service for SAP GUI.

Want to know more? Get in touch with us: