SAP Identity Provisioning Service – Identity Provisioning In The Cloud

Many companies are looking for solutions and best practices to integrate cloud applications into their existing IT infrastructure, meaning users could not only have access to local applications, but also existing cloud applications. At best, a single identity is used for both local and cloud applications.

This blog focuses on the SAP Cloud Identity Provisioning Service and presents its main functions, the possibility of integrating it in a hybrid scenario as well as the advantages and disadvantages of this cloud service.

Before digging into Identity provisioning, it is essential to understand the concept of IAM. Identity and Access Management (IAM) is simply a way to authenticate and grant access to particular data, systems, or applications in an organization. An important branch of IAM is known as identity provisioning. It takes care of the user lifecycle from hire to retire providing and managing user accounts for your business end-users.


SAP Cloud Platform Identity Provisioning service (IPS) is part of the SAP Cloud Identity Services and enables automated identity lifecycle processes. Authorizations and identities are available for both local business applications and cloud applications. SAP IPS does user provisioning along with user authorization to various cloud and on-premise business applications. It helps provisioning users and groups between multiple supported cloud and on-premise systems, both SAP and non-SAP.

Figure 1: Overview of SAP Cloud Platform services (Source:

The Provisioning Service offers a comprehensive user approach for identity lifecycle management in the cloud application. One can consider this as the counterpart of SAP Identity Management. The service offers a solution for access and identity management together with the SAP Cloud Platform Identity Authentication Service (IAS) and the cloud-based governance service (SAP Cloud Identity Access Governance). Companies that have a hybrid IT landscape can use the SAP IPS to obtain a solution for access and identity management within the cloud applications.

The Identity Provisioning service can be consumed either directly through its APIs, or through the SAP Fiori apps on the user interface (UI). To operate with the service, you need to have admin permissions.


The definition of user access is based on the current role and group assignment, or any identity attribute defined internally, within the company. Access to the databases in a corporate identity store such as SAP SuccessFactors, SAP AS ABAP, or Microsoft Active Directory can hereby be ensured. If the company is already using SAP SuccessFactors to manage employees, the SuccessFactors system can also be implemented and used as a source system in the Provisioning Service. Through authorizations based on guidelines, corresponding settings can be copied into the different cloud applications. SAP IPS provides customizable JSON-based transformation management that allows companies to extend the transformation settings provided by this service for both the target and source systems. With these transformation configurations, the companies control the transformation logic for the data based on the security and business requirements. By doing so, filters can be used, for example, to allow only a single user group to access the necessary applications. The accounts are assigned to the users with the necessary authorizations and secure authentication for different mobile devices from any location. It is also possible to integrate and synchronize on-premise applications within these hybrid systems.

Access to the cloud applications can be simplified and secured using SAP Single Sign-On (SSO) through the SAP Cloud Identity Authentication Service. This enables secure and fast access to any device from anywhere via SSO.          


A hybrid scenario represents a combination of one or several cloud systems and on-premise systems. The topics related to cloud applications have already been in the strong focus of the corporate world for some time now and are highly prioritized. SAP Identity Management (IDM) customers or interested parties have often asked themselves what is actually happening with the SAP IDM system. How can the SAP IDM, which is generally a tried and tested on-premise product, also connect the cloud systems? 

Figure 2: Architecture of a hybrid landscape (Source:

An existing SAP IDM can be used and set up further on as an on-premise system. The existing on-premise systems can therefore be used as known. As you can see below the red line in the figure above. Above the red line, the users are in the area of ​​the well-known cloud systems. The administrators can also connect the existing cloud systems to the on-premise systems. The systems are accessed via the SAP IPS proxy system. A parallel connection between the SAP IDM and the SAP IPS is provided by the SCIM connector from SAP. This means that user and authorization entities can be managed consistently and uniformly without building up proprietary schemes and interfaces. Read the Xiting blog post on standardized user management in the cloud.

The goal of implementing a hybrid system landscape is to integrate the existing cloud systems into the existing IT infrastructure quickly and securely, but the SAP IDM is to be used as the central data provider in the future. Following list shows which systems can currently be connected as a proxy system. This blog describes the connection of Azure Active Directory as a cloud system with SAP IDM.  With the provisioning service and the available options for connecting the cloud systems, SAP has created the possibility for a hybrid SAP IDM scenario. The use case presented in the blog mentioned above shows that non-SAP systems can also be easily integrated into an existing system landscape.


The service enables identity management for all cloud environments. Above all, this can reduce compliance costs and increase IT security. Given that synchronization with other on-premise processes and applications is possible, this is also suitable for hybrid SAP landscapes.

Similar to SAP Identity Management, the SAP IPS provides identities, authorizations, and groups for different applications. The SAP Cloud Platform creates a uniform platform on which the SAP IPS acts as a suitable transformer to break up different data sources and manage the corresponding data in the respective systems.

The extension of the company’s processes to the cloud application can be more easily implemented. The provisioning service automates the setup and direct maintenance of all users’ accounts. It also ensures that authorizations for the corresponding user accounts, which are no longer required, are automatically revoked. User and account authorizations can be dynamically adjusted to the constant updates of compliance and business requirements. In addition, the existing data from already existing user accounts can be imported to enable effective implementation and rapid application.

Companies can now count on simple and fast provisioning of the SAP cloud service and minimal operating costs. Of course, there are also disadvantages that need to be weighed against the advantages. The use of the SAP IPS will entail limited development and expansion options. Business processes, which deviate greatly from the available standards, in most cases lead to the need of changing and standardizing your processes. This applies, for example, to the adjustment of the unique user identification and the proper maintenance of the user master data.

Monitoring logs, which are stored in SAP IDM for each executed task, are only provided in SAP IPS for read jobs for the source systems. An error analysis of the queries sent from an SAP IDM to a cloud system is currently not possible.


With the help of the SAP Cloud Platform Identity Provisioning Service, companies now have comprehensive automation options for cloud applications. IT security can be increased, and compliance costs reduced through modern authentication/authorization techniques (e.g. SAML 2.0, OAuth 2.0).

Companies that are already using SAP Identity Management 8.0 can connect the respective cloud systems using the SAP Identity Provisioning Service. The connection between SAP IDM and IPS is created by the SCIM connector, which is by default present in the SAP Provisioning Framework. Such a scenario, in which the existing SAP IDM system continues to assume the role of data supplier, is referred to as a hybrid system solution. However, if companies want to opt for a cloud solution, they can also use the SAP Identity Authentication Service as an identity provider, for example.

Companies that use hybrid IT system landscapes also need a hybrid solution for security and user management. The services and system connections for which connectors are used are always different depending on the case so that the right users can be provided with the necessary resources at the right time.

We usually present you our IDM services and you have the opportunity to see our Xiting IDM Fiori interfaces live in the system. Also, get to know our other IDM services:

  • Xiting IDM Power Workshop
  • XAMS Integration
  • Org Unit Integration
  • WSDL Connector
  • Xiting IDM Starter Service

You can find an overview of our SAP IDM services here.

Check all our webinar dates here!


Can the SAP Cloud Identity Provisioning Service be used without an IDM/IAM solution?

Yes, it is possible to control identity provisioning via the SAP Identity Provisioning Service. However, SAP Cloud Identity Access Governance (IAG) is the central solution to manage user and authorization processes as well as audits and business role management in the cloud.

Does Identity Provisioning Service replace an IDM solution in any way?

SAP IPS offers identity provisioning. However, you must keep in mind that role and group assignments, for example, may not be audit-compliant because the Identity Provisioning Service does not support approval workflows.

Can approval workflows be configured in the Identity Provisioning Service?

The service does not offer a workflow engine. Approval workflows can be integrated with the Identity Provisioning Service via SAP Identity Management or SAP Cloud Identity Access Governance (IAG). SAP Cloud IAG can be used standalone, or in the IAG Bridge scenario with SAP Access Control (GRC).

Is the Identity Provisioning Service also available in the Cloud Foundry environment?

No, currently only in the Neo environment.

Which cloud systems does the Identity Provisioning Service support?

SAP IPS offers various source and target systems including the most popular ones like SAP S/4HANA Cloud, SAP SuccessFactors, SAP Analytics Cloud, SAP Business Technology Platform (SAP BTP), SAP Fieldglass, and many more. A full list of supported systems can be found here.

Which on-premise applications does the Identity Provisioning Service support?

SAP IPS offers standard integration to ABAP-based systems like SAP S/4HANA and SAP ERP/ECC, as well as SAP HANA databases but also Active Directory, and LDAP servers.

Does the Identity Provisioning Service also support non-SAP systems?

SAP IPS offers standard integration to non-SAP systems like Microsoft Azure Active Directory (Azure AD), and Google G Suite, as well as standard integration through the SCIM standard.

Does the Identity Provisioning Service provide a user store?

The Identity Provisioning Service does not offer a user store. The SAP Cloud Platform Identity Authentication service has several key features including serving as a SAML Identity Provider (IdP), the ability to integrate with OnPrem user stores, and serving as a proxy pass-through for OnPremise IdPs, and many more.

Tam Nguyen

Get in touch with us!

Do you have questions about our products?

+41 43 422 8803
[email protected]
+49 7656 8999 002
[email protected]
+1 855 594 84 64
[email protected]
+44 1454 838 785
[email protected]

Attend our live webinars and learn more from our experts about SAP authorizations, XAMS, SAP IDM and many other topics in the context of SAP security.

Register now