QuickStart Implementation for SAP Cloud Identity Services
The Xiting QuickStart Implementation Service for the basic configuration of SAP Cloud Identity Services is here!
Hello, SAP Cloud Security enthusiasts! Today I would like to introduce you to our newest service. The Xiting QuickStart Implementation Service!
Our service is designed to help you implement and establish a future-proof foundation for managing access and identities in your organization’s SAP cloud universe in a simple and standardized way.
The Xiting QuickStart Implementation Service is the fastest way to get your organization set up for SAP Cloud Identity Services. Our package includes a fixed service scope that benefits from our best-practice experience and provides immediate benefits and basic functionality for user authentication and provisioning in the SAP cloud universe.
With our service, we would like to offer you an attractive fixed price offer, which is aimed at small and medium-sized companies that do not have an Identity Management System (IDM) in place.
Take a look at our Xiting Quick Start Implementation Service flyer!
Access and ID Lifecycle Management Challenges in the SAP Cloud Universe
When it comes to the topic of access and ID lifecycle management in the SAP Cloud environment, most of you will notice that it is different from a classic SAP On-Premise environment.
Most of us SAP Security Administrators/Consultants gained our experience in the – by now well known – SAP On-Premise systems.
When it comes to user lifecycle processes, these systems mostly follow a highly automated approach, using either a Central User Administration (CUA) or an Identity Management System (IdM). Both support the automated distribution of identities to additional SAP target systems.
Even when it comes to accessing most SAP On-Premise Systems, the use of SAP Single Sign-On 3.0 makes it possible to log on smoothly without any passwords at all. Authentication in this case is no longer performed locally in one of the many SAP on-premise systems, but against a central identity provider, which issues a security token. A separate password for each SAP system is then no longer necessary.
If you have already gained some experience with SAP Cloud applications (BTP & SaaS), you may have noticed that the management of the ID lifecycle is mostly manual and that Single Sign-On is not really available out of the box. From an SAP Security perspective, this sometimes feels like a bit of a step backwards.
But wait! With SAP Cloud Identity Services (SCI), SAP has created a service bundle that can support you with exactly these topics!
What are the SAP Cloud Identity Services (SCI)?
The SAP Cloud Identity Services (SCI) include the components Identity Authentication (IAS) and Identity Provisioning (IPS). Both services are established as so-called core services in the SAP Business Technology Platform (SAP-BTP) and provide elementary building blocks for the administration of accesses and ID lifecycle management. In a constantly growing SAP cloud landscape, it is essential to be able to manage and consolidate all identities and accesses at a central point.
The Identity Provisioning Service (IPS) is used to provision user identities based on specifications and filter rules from a specified Source System (e.g. Azure Active Directory) into the Identity Directory Service.
The Identity Directory Service (IdDS) is used by the two services IAS and IPS as a user database in the SAP cloud environment. Based on a group concept, the user and group assignments will be automated to various SAP cloud applications.
Changes such as the creation of a new employee in the Azure Active Directory, adjustments to user data and group assignments or the deactivation of an account are detected and automatically implemented by a job at scheduled intervals. Thus, new identities can be created in the SAP cloud environment or existing ones can be adjusted or deleted.
The IPS uses the proven industry standard System for Cross-Domain Identity Management (SCIM) for provisioning.
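To make the provisioning cycle described above concrete, here is an added example (not IPS code, and not IPS's actual filter or transformation syntax): a constructed source snapshot in SCIM 2.0 User shape is filtered by a hypothetical "SAP_* groups only" rule, mapped to a simplified target record, and reconciled against a constructed target state, yielding the create, update and deactivate actions a scheduled run would apply.

```python
"""Illustrative model of one scheduled SCIM provisioning run:
filter -> transform -> reconcile. Added example, not IPS's own logic."""
import copy

# Constructed source snapshot (SCIM 2.0 User shape, as a source system might expose it)
SOURCE_USERS = [
    {"id": "a1", "userName": "A.Muster@example.com", "active": True,
     "name": {"givenName": "Anna", "familyName": "Muster"},
     "groups": [{"value": "SAP_BTP_Developer"}]},
    {"id": "b2", "userName": "b.tester@example.com", "active": True,
     "name": {"givenName": "Ben", "familyName": "Tester"},
     "groups": [{"value": "Marketing"}]},          # no SAP_* group: filtered out
    {"id": "c3", "userName": "c.left@example.com", "active": False,  # deactivated at source
     "name": {"givenName": "Cara", "familyName": "Left"},
     "groups": [{"value": "SAP_BTP_Developer"}]},
]

# Constructed target directory state left by the previous run (keyed by userName)
TARGET_BEFORE = {
    "c.left@example.com": {"userName": "c.left@example.com", "active": True,
                           "name": {"givenName": "Cara", "familyName": "Left"},
                           "groups": ["SAP_BTP_Developer"]},
    "d.gone@example.com": {"userName": "d.gone@example.com", "active": True,
                           "name": {"givenName": "Dan", "familyName": "Gone"},
                           "groups": ["SAP_BTP_Developer"]},   # no longer in source
}

SAP_GROUP_PREFIX = "SAP_"   # hypothetical filter rule: provision only members of SAP_* groups

def in_scope(user):
    return any(g["value"].startswith(SAP_GROUP_PREFIX) for g in user.get("groups", []))

def transform(user):
    """Map a source SCIM User to the simplified target record (normalise login, keep SAP_* groups)."""
    return {"userName": user["userName"].lower(), "active": user["active"], "name": user["name"],
            "groups": sorted(g["value"] for g in user["groups"] if g["value"].startswith(SAP_GROUP_PREFIX))}

def reconcile(source, target):
    """Return (new_target, actions); actions are (create|update|deactivate, userName)."""
    new_target, actions, seen = copy.deepcopy(target), [], set()
    for u in source:
        if not in_scope(u):
            continue                          # filter rule drops out-of-scope identities
        t = transform(u)
        key = t["userName"]
        seen.add(key)
        if key not in new_target:
            actions.append(("create", key)); new_target[key] = t
        elif new_target[key] != t:            # covers data changes and source-side deactivation
            actions.append(("update", key)); new_target[key] = t
    for key, t in new_target.items():         # identities that vanished from scope are deactivated, not deleted
        if key not in seen and t["active"]:
            actions.append(("deactivate", key)); t["active"] = False
    return new_target, actions
```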
The Identity Authentication Service (IAS), on the other hand, represents a central identity provider. All SAP cloud applications are then connected centrally in the IAS by creating a mutual trust relationship. The aim of this approach is to standardize the onboarding of further SAP cloud applications so that the same scheme is always used here. This simplifies the entire onboarding process. For user authentication, the IAS uses common standards such as Security Assertion Markup Language 2.0 (SAML 2.0) and OpenID Connect.
On our website you will find interesting blogs from our colleagues on the topic of IAS and IPS:
These two blogs describe the two services in more detail. Our E-Book also covers the integration of SAP Identity Authentication Service with your Azure Tenant. In it, we outline this topic in more detail, especially in relation to OpenID Connect. At the same time, we cover some basics, explain the functionality and use cases of the most relevant standards such as SAML 2.0, OAuth 2.0 and OpenID Connect. It’s worth taking a look if you are not yet familiar with these services.
What is included in the Xiting QuickStart Implementation Service?
In the context of our service offering, we integrate SAP Cloud Identity Services into your organization as part of a pilot. Based on our best practices, we configure two SAP cloud applications and configure the identity federation between your SAP-IAS and your existing identity provider (Azure AD, ADFS, Okta, etc.) via SAML 2.0 or OpenID Connect.
At the same time, we work with you to develop a customized group concept for the distribution of user identities. Based on the SCIM standard, we integrate Azure AD as the source system. We create the technical users and connect two SAP cloud applications, configure the required filters and JSON transformations, and create jobs to automate the lifecycle of your identities.
What are the basic requirements for our service?
As already mentioned in the preface, our service offering is aimed at small and medium-sized enterprises that do not have an Identity Management System (IDM) in place. The SAP Cloud Identity Services, i.e. an IAS and an IPS tenant, should already be in place. These are usually bundled with your already existing SAP Cloud applications.
With the following link you can check if you already have SAP Cloud Identity Service Tenants in your organization: https://iamtenants.accounts.cloud.sap
You should also already use Azure Active Directory as a central data source for your employees.
With which additional services can our service be extended?
On request, we integrate additional source systems for provisioning via IPS, such as the Active Directory, for an additional charge. If you are not yet using an SAP Cloud Connector, we will install and configure it accordingly to ensure a secure tunnel between your SAP Cloud Tenants and your intranet.
What are the benefits of an established ID lifecycle management?
In general, a good and automated ID lifecycle management process offers several advantages, no matter whether in the SAP cloud or in the on-premise environment. Finally, we would like to mention a few of them:
1. Enhanced security: User lifecycle management helps ensure that users have access only to the resources they need and that unauthorized access to sensitive information is prevented.
2. More efficient management: User Lifecycle Management automates many tasks that would otherwise have to be done manually, making the management of user accounts and access much more efficient.
3. Cost savings: By automating tasks and improving security, User Lifecycle Management can help reduce costs in an organization.
4. Improved compliance: User Lifecycle Management helps ensure that user accounts and access meet applicable compliance requirements, which is especially important for organizations operating in regulated industries.
5. Improved user experience: User Lifecycle Management can help ensure that users can quickly and easily access the resources they need, which improves the user experience.
About the Author & IAM-Team
Alex is working as an SAP Security Consultant at Xiting AG in Switzerland. He is part of the IAM-Team and manages security-related topics in the SAP-Cloud universe. Alex started his journey as an SAP Security consultant back in 2017 for various SAP systems. Nowadays he is focused on SAP security topics for the whole SAP Cloud universe. In his function, he helps optimize enterprise ID lifecycle, authentication, and authorization management in the SAP cloud environment by configuring the SAP Cloud Identity Services and creating SAP Security Concepts for SAP-BTP and for various SAP-SaaS solutions.
The Xiting IAM team deals with identity and access management in hybrid SAP landscapes. This is currently an important topic for many companies that are increasingly following the SAP strategy and relying on cloud applications. Central management of identities over the entire lifecycle from entry to transfer to exit, secure authentication processes with MFA & SSO, and access authorizations are becoming increasingly relevant.
With our holistic consulting approach, we support customers in automating the identity lifecycle and in ensuring convenient SSO as well as compliance with regard to authorizations.
We have an excellent team of SAP consultants as well as our own development team, and we cover many other topics with our tools. In the context of IAM, infrastructure, and cloud security, our consulting teams cover two subject areas: SAP Identity Management (with SAP IDM 8.0, our Fiori UIs and our solution Xiting Central Workflows) as well as ID lifecycle, secure authentication & SSO (with the SAP Cloud Identity Services and the solution SAP Single Sign-On 3.0).
Do you have any questions or would you like to talk to one of our experts?
- QuickStart Implementation for SAP Cloud Identity Services - 10. February 2023