Use of SAP NetWeaver Identity Management, SAP Cloud Identity Authentication Service and SAP Cloud Identity Provisioning Service to integrate Identity Lifecycle Management into a hybrid system landscape – Part 1

Nowadays, our systems run in a hybrid system landscape with On-Premise and Cloud systems. For this reason, it makes sense to be able to manage the user accounts for On-Premise as well as for Cloud systems centrally. For this central management there is the SAP Cloud Identity Provisioning Service (Identity Provisioning Service), which cooperates with SAP NetWeaver Identity Management (IDM) and the SAP Cloud Identity Authentication Service (Identity Service) to meet these requirements.

Pre-requisite

To implement Identity Lifecycle Management in a hybrid system landscape, you require the following:

  • at least one cloud system as the target system for the Identity Provisioning Service,
  • a tenant ID for the Identity Service,
  • an account in the SAP Cloud Platform Cockpit and
  • an SAP NetWeaver Identity Management system (at least version IDM 8.0 SP03).

The Identity Provisioning Service is a service in the SAP Cloud Platform Cockpit. It allows you to include cloud systems in an automated identity lifecycle management (see the figure below). The Identity Provisioning Service enables you to manage user accounts and authorizations centrally in IDM and to provision them to Cloud target systems from an On-Premise or Cloud source system.

Figure: Identity Lifecycle Management

The source system can be on-premise or in the cloud, while the target system must be a Cloud system. The table below lists the available source and target systems:

Available Source Systems

  On-Premise System:
  • SAP Application Server ABAP
  • Microsoft Active Directory
  • LDAP Server

  Cloud System:
  • SAP Cloud Platform Identity Authentication
  • SAP SuccessFactors
  • Microsoft Azure Active Directory
  • SCIM System

Available Target Systems

  On-Premise System:
  • none (the target system must be a Cloud system)

  Cloud System:
  • SAP Cloud Platform Identity Authentication
  • SAP Cloud Platform Java/HTML5 Apps (only SAP AS ABAP and Microsoft AD are possible as source system)
  • Microsoft Azure Active Directory
  • SAP Hybris Cloud for Customer
  • SAP Jam
  • Cloud Foundry UAA Server
  • SCIM System
  • Google G Suite
  • Concur

How does IDM work together with the Identity Service and the Identity Provisioning Service?

The Identity Provisioning Service enables you to manage both On-Premise and Cloud user accounts centrally in IDM. While the Identity Provisioning Service is dedicated to provisioning to Cloud systems, IDM focuses on provisioning to On-Premise systems.

To provision user accounts from On-Premise systems using IDM through the Identity Provisioning Service to the cloud systems, you require the Identity Service. The Identity Service transports On-Premise user accounts from IDM to the Identity Provisioning Service.

Figure: IDM provisions On-Premise user accounts to cloud systems

How does it work?

IDM writes the user accounts to the On-Premise systems and to the Identity Service. The Identity Provisioning Service loads the user accounts via a Read or Resync Job and writes these user accounts, which originally come from IDM, to the corresponding Cloud systems. The difference between the Read and the Resync Job is that the Identity Provisioning Service uses the Read Job to load new user accounts only, whereas it uses the Resync Job to load and overwrite all user accounts. A so-called transformation determines how the Identity Provisioning Service maps user accounts from the source system to the target systems. A description of the Read / Resync Job mentioned above, as well as of transformations, can be found at SAP:

The user accounts provided by IDM are located in the user management area of the Identity Service.

Figure: SAP Cloud Platform Identity Authentication Administration Console

Currently, the IDM attributes listed in the table below can be provisioned to On-Premise and Cloud systems. However, to date, IDM cannot provision authorizations to Cloud systems.

SAP Identity Management Attribute | SAP Cloud Identity Attribute | Description
--------------------------------- | ---------------------------- | -----------
DISPLAYNAME | displayName | User-friendly name
MSKEYVALUE | username or id | Unique entry (user) identifier
MX_ADDRESS_CITY | city | City
MX_ADDRESS_COUNTRY | country | Country key
MX_ADDRESS_POSTAL_CODE | postalCode | Postal code
MX_ADDRESS_REGION | region | Region
MX_ADDRESS_STREET_1 | streetAddress | Street
MX_DEPARTMENT | department | Department
MX_DISABLED | active | User is disabled (Boolean value). A disabled user is not able to log on to the Identity Management User Interface.
MX_ENCRYPTED_PASSWORD | password | Encrypted password used for password provisioning
MX_FIRSTNAME | firstName | User first name
MX_LASTNAME | lastName | User last name
MX_LANGUAGE | locale | User language
MX_MAIL_PRIMARY | email | Primary e-mail address
MX_PHONE_PRIMARY | businessPhone | Primary telephone number
MX_MOBILE_PRIMARY | cellPhone | Primary mobile number
MX_TITLE | title | Title of user
ACCOUNT<Repository> | id | Unique user ID for the user in the target repository. For the SAP Cloud Identity service, this should be the id of the user. The user has one such attribute for each repository in which the user exists.

Table: Mapping between Identity Management and SAP Cloud Identity attributes
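To make the mapping table and the Read / Resync Job distinction above concrete, here is an added Python example (not SAP's code and not part of the original post). It translates constructed IDM entries into the Identity Service attribute set listed in the table, inverts MX_DISABLED into the "active" flag, picks the ACCOUNT<Repository> value as the target id, and then simulates the two job types against a constructed target state. The repository name "SCI", the "1"/"0" encoding of MX_DISABLED and all sample user data are assumptions made for this example.

```python
from copy import deepcopy

# Attribute mapping taken from the post's table (IDM attribute -> Identity Authentication attribute).
# MX_DISABLED and ACCOUNT<Repository> need special handling and are treated below.
ATTRIBUTE_MAP = {
    "DISPLAYNAME": "displayName",
    "MSKEYVALUE": "username",
    "MX_ADDRESS_CITY": "city",
    "MX_ADDRESS_COUNTRY": "country",
    "MX_ADDRESS_POSTAL_CODE": "postalCode",
    "MX_ADDRESS_REGION": "region",
    "MX_ADDRESS_STREET_1": "streetAddress",
    "MX_DEPARTMENT": "department",
    "MX_ENCRYPTED_PASSWORD": "password",
    "MX_FIRSTNAME": "firstName",
    "MX_LASTNAME": "lastName",
    "MX_LANGUAGE": "locale",
    "MX_MAIL_PRIMARY": "email",
    "MX_PHONE_PRIMARY": "businessPhone",
    "MX_MOBILE_PRIMARY": "cellPhone",
    "MX_TITLE": "title",
}


def to_identity_service_user(idm_entry: dict, repository: str) -> dict:
    """Translate one IDM entry into the attribute set of the Identity Service.

    `repository` is the IDM repository name of the Identity Service; "SCI" is an
    assumed name, the post only states the attribute is called ACCOUNT<Repository>.
    """
    if not idm_entry.get("MSKEYVALUE"):
        raise ValueError("MSKEYVALUE is the unique identifier and must be set")
    user = {}
    for idm_attr, sci_attr in ATTRIBUTE_MAP.items():
        value = idm_entry.get(idm_attr)
        if value not in (None, ""):  # only provision attributes that are maintained in IDM
            user[sci_attr] = value
    # MX_DISABLED means "disabled", the target attribute means "active": invert the flag.
    # Assumption for this example: IDM stores the flag as "1" (disabled) or "0".
    user["active"] = str(idm_entry.get("MX_DISABLED", "0")) != "1"
    # One ACCOUNT<Repository> attribute exists per repository; the one for the
    # Identity Service carries the user's id there.
    account_attr = f"ACCOUNT{repository}"
    if idm_entry.get(account_attr):
        user["id"] = idm_entry[account_attr]
    return user


def read_job(source_entries: list, target_store: dict, repository: str) -> dict:
    """Read Job: load only users that do not yet exist in the target (keyed by username)."""
    target = deepcopy(target_store)
    for entry in source_entries:
        user = to_identity_service_user(entry, repository)
        if user["username"] not in target:
            target[user["username"]] = user
    return target


def resync_job(source_entries: list, target_store: dict, repository: str) -> dict:
    """Resync Job: load every user and overwrite whatever the target already holds."""
    target = deepcopy(target_store)
    for entry in source_entries:
        user = to_identity_service_user(entry, repository)
        target[user["username"]] = user
    return target


# Constructed sample IDM entries (not real data).
IDM_ENTRIES = [
    {"MSKEYVALUE": "jdoe", "DISPLAYNAME": "Jane Doe", "MX_FIRSTNAME": "Jane",
     "MX_LASTNAME": "Doe", "MX_MAIL_PRIMARY": "jane.doe@example.com",
     "MX_DISABLED": "0", "ACCOUNTSCI": "P000001"},
    {"MSKEYVALUE": "rroe", "DISPLAYNAME": "Richard Roe", "MX_FIRSTNAME": "Richard",
     "MX_LASTNAME": "Roe", "MX_DISABLED": "1"},
]

# Constructed state of the Identity Service before the jobs run:
# jdoe already exists with an outdated display name, rroe does not exist yet.
EXISTING_USERS = {"jdoe": {"username": "jdoe", "displayName": "Jane Old", "active": True}}

if __name__ == "__main__":
    after_read = read_job(IDM_ENTRIES, EXISTING_USERS, "SCI")
    after_resync = resync_job(IDM_ENTRIES, EXISTING_USERS, "SCI")
    print("Read Job  :", sorted(after_read), "jdoe ->", after_read["jdoe"]["displayName"])
    print("Resync Job:", sorted(after_resync), "jdoe ->", after_resync["jdoe"]["displayName"])
```

The Read Job adds rroe but leaves the stale display name of jdoe untouched, while the Resync Job also rewrites jdoe from the IDM entry; that is exactly why a Resync Job is the job to run after attribute changes in IDM that must reach the Cloud systems, whereas a Read Job suffices for newly created users.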

Conclusion

As a result, with the collaboration of SAP NetWeaver Identity Management (IDM), the SAP Cloud Identity Authentication Service and the SAP Cloud Identity Provisioning Service, you can implement Identity Lifecycle Management in a hybrid system landscape with On-Premise and Cloud Systems. The basis for this is that the IDM provisions user accounts to the On-Premise systems and the Identity Service, and the Identity Provisioning Service copies these user accounts from the Identity Service and provisions them to the Cloud systems.

Both services, the SAP Cloud Identity Authentication Service and the SAP Cloud Identity Provisioning Service, are straightforward to configure. It is most important to understand what the two services are, what they offer, and how you can use them to manage user accounts for On-Premise and Cloud systems centrally in IDM.

Most of all, as customers will use more and more cloud systems in the future, IDM requires this connection to correctly provision On-Premise as well as Cloud systems.

Chen Chen