Setting up SAP NW IDM, SAP Cloud Identity Authentication Service and SAP Cloud Identity Provisioning Service to integrate the Identity Lifecycle Management into a hybrid system landscape – Part 2
The first part of the blog explains how SAP NetWeaver Identity Management (IDM) centrally manages and provisions On-Premise and Cloud Systems using SAP Cloud Identity Authentication Service (Identity Service) and SAP Cloud Identity Provisioning Service (Identity Provisioning Service).
This part of the blog explains the installation of the scenario where IDM utilizes Identity Service and Identity Provisioning Service to provision user accounts to On-Premise and Cloud systems.
Implementation
Scenario: IDM provisions On-Premise user accounts to the Cloud Systems
Architecture:
- Source: On-Premise SAP or non-SAP System
- Target: Cloud System
- Provisioning System: IDM and Identity Provisioning Service
Procedure
Step 1: Create a technical user for the Identity Service
The connection between IDM and the Identity Service requires a technical user. You create the technical user in the administrator cockpit of the Identity Service as shown below. The user ID that is assigned here is required in the second step. Make sure that the user has the authorizations it needs to read and write user data, and no more: this is a connection user whose password is stored in the IDM repository. The screenshot below shows an example configuration of a technical user IDM_CONNECTION (User ID: T000000) in the Identity Service.
Step 2: Connecting the IDM system to the Identity Service
The SCI connector connects the IDM to the Identity Service. To configure the SCI connector, you perform the following three steps:
Import the SCI connector
Import the “com.sap.idm.connector.sci” package for the SCI Connector to the IDM Store. With the SCI Connector, you can provision user accounts to the Identity Service. The following operations are available:
- Create user
- Edit user
- Delete user
- Activate user
- Disable user
- Set a productive password for the user
The plugins for the provisioning of authorizations and groups are currently still empty, so it is not yet possible to centrally manage the authorizations and groups of the Identity Service in the IDM.
Creation of a repository for the Identity Service
You have to create a repository for the Identity Service in the IDM Admin UI. To do so, configure the Repository Constants as in Table 1 and the Repository Type Constants as in Table 2. The screenshot below shows an example configuration of a repository for the Identity Service.
The constants SCI_HOST, SCI_PORT, SCI_USER, and SCI_PASSWORD are mandatory fields.
- SCI_USER corresponds to the technical user from step 1
- SCI_HOST is the host of the Identity Service
Table 1: Repository Constants for SAP Cloud Identity
Repository Constants | Value |
SCI_HOST | SCI system hostname |
SCI_PORT | Default: 443 Default port for https |
SCI_USER | Username of the technical user |
SCI_PASSWORD | Password of the technical user |
PROXY_HOST | Proxy hostname |
PROXY_PORT | Proxy port |
PROXY_USER | User for proxy authentication |
PROXY_PASSWORD | Password for proxy user |
TRUSTSTORE | File location of the trust store to be used for establishing a secure connection |
TRUSTSTORE_PASSWORD | Password to access the trust store (only needed when using certificate authentication). |
READ_TIMEOUT | Default: 60000 Milliseconds to wait during read operations. |
CONNECT_TIMEOUT | Default: 60000 Milliseconds to wait when making the connection. |
CONNECTION_KEEPALIVE | Default: 60000 Milliseconds to wait before killing the connection |
SYSTEM_PRIVILEGE | PRIV:SYSTEM:<Repository> <Repository> is the exact name of the repository to which the constants belong. In SAP Identity Management Administration User Interface, the value of the SYSTEM_PRIVILEGE repository constant is read only. When a repository is created, the name of the repository is automatically filled in. |
Table 2: Repository Type Constant for SAP Cloud Identity
Repository Type Constant | Value |
HTTP_PROTOCOL | https Protocol used for connection. |
MX_ADD_MEMBER_TASK | <process number for Provisioning> |
MX_DEL_MEMBER_TASK | <process number for Deprovisioning> |
MX_MODIFYTASK | <process number for Modify> |
REPOSITORY_SYNC | SYNC |
REPOSITORY_TYPE | SCI |
INITIAL_LOAD | <Initial Load Job> |
MX_PRIV_GROUPING_ATTRIBUTE | |
MX_PRIV_GROUPING_RULE | P:-1 |
Start the Initial Load Job in IDM
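Before saving the repository definition it is worth checking the constant set from Tables 1 and 2 for the mistakes that are easy to make in the Admin UI: a missing mandatory constant, a plain-http protocol, half-configured proxy or trust store settings, or a process number left empty. The following check is an added example and not SAP code; the constant names are those of the two tables, while the rules it enforces, the hostname, the process numbers and the sample values are this example's own assumptions.

```python
"""Pre-save check for an SCI repository definition.

Added example, not SAP code. The constant names are those of Tables 1 and 2;
the rules below (mandatory fields, https only, paired proxy and trust store
settings, positive timeouts, wired-up process numbers) are this example's own
assumptions about a sane, secure repository configuration. Sample values,
hostnames and process numbers are constructed.
"""
from typing import Dict, List

MANDATORY = ("SCI_HOST", "SCI_PORT", "SCI_USER", "SCI_PASSWORD")
TIMEOUTS = ("READ_TIMEOUT", "CONNECT_TIMEOUT", "CONNECTION_KEEPALIVE")
TASKS = ("MX_ADD_MEMBER_TASK", "MX_DEL_MEMBER_TASK", "MX_MODIFYTASK")


def check_repository(constants: Dict[str, str],
                     type_constants: Dict[str, str],
                     repo_name: str) -> List[str]:
    """Return a list of findings; an empty list means the definition passes."""
    findings: List[str] = []
    for key in MANDATORY:
        if not constants.get(key, "").strip():
            findings.append(f"{key} is mandatory but empty")
    # The technical user's password travels over this connection: https only.
    if type_constants.get("HTTP_PROTOCOL", "").lower() != "https":
        findings.append("HTTP_PROTOCOL must be https")
    port = constants.get("SCI_PORT", "")
    if port and (not port.isdigit() or not 1 <= int(port) <= 65535):
        findings.append(f"SCI_PORT '{port}' is not a valid TCP port")
    # Proxy settings only make sense as a group.
    if constants.get("PROXY_USER") and not constants.get("PROXY_PASSWORD"):
        findings.append("PROXY_USER is set but PROXY_PASSWORD is empty")
    if (constants.get("PROXY_USER") or constants.get("PROXY_PORT")) \
            and not constants.get("PROXY_HOST"):
        findings.append("proxy settings given but PROXY_HOST is empty")
    # A trust store password without a trust store file is a leftover.
    if constants.get("TRUSTSTORE_PASSWORD") and not constants.get("TRUSTSTORE"):
        findings.append("TRUSTSTORE_PASSWORD set but no TRUSTSTORE configured")
    for key in TIMEOUTS:
        value = constants.get(key)
        if value is not None and (not value.isdigit() or int(value) <= 0):
            findings.append(f"{key} must be a positive number of milliseconds")
    # SYSTEM_PRIVILEGE is read-only in the Admin UI and derived from the name.
    expected = f"PRIV:SYSTEM:{repo_name}"
    if constants.get("SYSTEM_PRIVILEGE", expected) != expected:
        findings.append(f"SYSTEM_PRIVILEGE should be {expected}")
    if type_constants.get("REPOSITORY_TYPE") != "SCI":
        findings.append("REPOSITORY_TYPE must be SCI")
    for key in TASKS:
        if not type_constants.get(key, "").strip():
            findings.append(f"{key} has no process number")
    return findings


# Constructed sample: a definition that should be rejected.
WEAK_CONSTANTS = {
    "SCI_HOST": "tenant.example.com",   # hostname is an assumption
    "SCI_PORT": "443",
    "SCI_USER": "T000000",              # technical user ID from step 1
    "SCI_PASSWORD": "",                 # never entered
    "PROXY_USER": "proxyuser",          # proxy host and password missing
}
WEAK_TYPE_CONSTANTS = {
    "HTTP_PROTOCOL": "http",            # plain http
    "REPOSITORY_TYPE": "SCI",
    "MX_ADD_MEMBER_TASK": "1001", "MX_DEL_MEMBER_TASK": "1002",
    "MX_MODIFYTASK": "",                # modify process not wired up
}

# Constructed sample: the corrected definition (process numbers assumed).
GOOD_CONSTANTS = {
    "SCI_HOST": "tenant.example.com", "SCI_PORT": "443",
    "SCI_USER": "T000000", "SCI_PASSWORD": "s3cret-from-vault",
    "PROXY_HOST": "proxy.corp.example", "PROXY_PORT": "8080",
    "PROXY_USER": "proxyuser", "PROXY_PASSWORD": "proxy-pass",
    "TRUSTSTORE": "/opt/idm/sci_truststore.jks",
    "TRUSTSTORE_PASSWORD": "changeit",
    "READ_TIMEOUT": "60000", "CONNECT_TIMEOUT": "60000",
    "CONNECTION_KEEPALIVE": "60000",
    "SYSTEM_PRIVILEGE": "PRIV:SYSTEM:SCI_REPO",
}
GOOD_TYPE_CONSTANTS = {
    "HTTP_PROTOCOL": "https", "REPOSITORY_TYPE": "SCI",
    "MX_ADD_MEMBER_TASK": "1001", "MX_DEL_MEMBER_TASK": "1002",
    "MX_MODIFYTASK": "1003", "REPOSITORY_SYNC": "SYNC",
    "MX_PRIV_GROUPING_RULE": "P:-1",
}

if __name__ == "__main__":
    for name, c, t in (("weak", WEAK_CONSTANTS, WEAK_TYPE_CONSTANTS),
                       ("good", GOOD_CONSTANTS, GOOD_TYPE_CONSTANTS)):
        print(name, check_repository(c, t, "SCI_REPO") or "OK")
```

Running it reports five findings for the weak definition and none for the corrected one. The rules are deliberately conservative: a definition that passes still has to be tested against the tenant, but one that fails should not be saved.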
Step 3: Configuration of the destination for the Identity Service in the SAP Cloud Platform Cockpit
To use the Identity Service in the Identity Provisioning Service as a source system, you have to configure a destination in the SAP Cloud Platform Cockpit. The screenshot below shows an example configuration of a destination for the Identity Service that authenticates with the technical user from step 1.
Step 4: Configuring the Source System in the Identity Provisioning Service
The Identity Service is configured as Source System in the Identity Provisioning Service. You can select the destination from step 3 as the destination name.
Step 5: Configuration of the target system in the Identity Provisioning Service
Conclusion
In order to set up SAP NetWeaver Identity Management, SAP Cloud Identity Authentication Service, and SAP Cloud Identity Provisioning Service, you have to consider the following:
- You cannot provision user accounts directly from the IDM to the cloud systems; it requires the Identity Service. The connection between the IDM system and the Identity Service requires the SCI Connector and the Repository for Identity Service. To map the user accounts between IDM and Identity Service, you have to perform an initial load that loads the user accounts of the cloud systems into the IDM system.
- To set up the Identity Provisioning Service, the Identity Service must be selected as the source system and any number of cloud systems as target systems. The Read Job loads only new user accounts from the Identity Service, whereas the Resync Job loads all user accounts and overwrites them in the target. The Read Job should be scheduled as a periodic job. The transformation determines how the Identity Provisioning Service maps user accounts from the source to the target systems. The information on the read and resync jobs and on transformations is found in the first part of the blog: Use of SAP NetWeaver Identity Management, SAP HANA Cloud Identity Authentication Service and SAP HANA Cloud Identity Provisioning Service to integrate Identity Lifecycle Management into a heterogeneous system landscape – Part 1.
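The difference between the Read Job and the Resync Job matters operationally: a periodic Read Job never repairs an account that drifted in the target, only a Resync does. The following model is an added example, not the Identity Provisioning Service's own code; it reduces both jobs to a reconciliation of two dictionaries keyed by user ID and passes every user through a transformation before comparing. The attribute names, the transformation, the sample users and the assumption that neither job deletes target accounts absent from the source are all this example's own.

```python
"""Read Job versus Resync Job, modelled as a reconciliation.

Added example, not the Identity Provisioning Service's code: it reduces both
jobs to a comparison of two dicts keyed by user ID so the difference in
behaviour is visible. Attribute names, the transformation and the sample
users are constructed. Assumption made explicit: neither job deletes target
accounts that are absent from the source.
"""
from typing import Callable, Dict, List, Tuple

User = Dict[str, str]
Action = Tuple[str, str, User]     # (operation, user ID, target attributes)
Transform = Callable[[User], User]


def identity_to_target(user: User) -> User:
    """Constructed transformation: Identity Service attributes -> target schema."""
    return {
        "userName": user["loginName"].lower(),
        "email": user["mail"],
        "displayName": f"{user['firstName']} {user['lastName']}",
        "active": "true" if user.get("status", "active") == "active" else "false",
    }


def read_job(source: Dict[str, User], target: Dict[str, User],
             transform: Transform) -> List[Action]:
    """Read Job: provision only users the target does not know yet.
    Accounts that already exist in the target are left untouched, even if
    their source attributes changed since the last run."""
    return [("create", uid, transform(user))
            for uid, user in source.items() if uid not in target]


def resync_job(source: Dict[str, User], target: Dict[str, User],
               transform: Transform) -> List[Action]:
    """Resync Job: load every source user and overwrite the target with it.
    Unchanged accounts produce no action; changed ones are updated."""
    actions: List[Action] = []
    for uid, user in source.items():
        desired = transform(user)
        if uid not in target:
            actions.append(("create", uid, desired))
        elif target[uid] != desired:
            actions.append(("update", uid, desired))
    return actions


def apply_actions(target: Dict[str, User], actions: List[Action]) -> Dict[str, User]:
    """Return the target state after the actions have been provisioned."""
    state = dict(target)
    for _, uid, attrs in actions:
        state[uid] = attrs
    return state


# Constructed sample data: three users in the Identity Service ...
SOURCE: Dict[str, User] = {
    "P000001": {"loginName": "JDOE", "mail": "john.doe@example.com",
                "firstName": "John", "lastName": "Doe", "status": "active"},
    "P000002": {"loginName": "ASCHMIDT", "mail": "anna.schmidt@example.com",
                "firstName": "Anna", "lastName": "Schmidt", "status": "active"},
    "P000003": {"loginName": "MMUELLER", "mail": "m.mueller@example.com",
                "firstName": "Max", "lastName": "Mueller", "status": "active"},
}
# ... and the target system, where P000001 is missing and P000002 has an
# outdated e-mail address (constructed drift).
TARGET: Dict[str, User] = {
    "P000002": {"userName": "aschmidt", "email": "a.schmidt@example.com",
                "displayName": "Anna Schmidt", "active": "true"},
    "P000003": {"userName": "mmueller", "email": "m.mueller@example.com",
                "displayName": "Max Mueller", "active": "true"},
}

if __name__ == "__main__":
    for name, job in (("read", read_job), ("resync", resync_job)):
        for op, uid, _ in job(SOURCE, TARGET, identity_to_target):
            print(f"{name}: {op} {uid}")
```

The Read Job creates P000001 and nothing else; the Resync Job additionally updates P000002, after which a second Resync is a no-op. Schedule the Read Job periodically for new accounts, and run a Resync when the target is suspected to have drifted.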
By using these two services, you can securely integrate cloud systems into a heterogeneous system landscape and centrally manage user accounts in the IDM.