sap security blog

Setting up SAP NetWeaver Identity Management, SAP Cloud Identity Authentication Service and SAP Cloud Identity Provisioning Service to integrate the Identity Lifecycle Management into a hybrid system landscape – Part 2

by Chen Chen

The first part of the blog explains how SAP NetWeaver Identity Management (IDM) centrally manages and provisions On-Premise and cloud systems using SAP Cloud Identity Authentication Service (Identity Service) and SAP Cloud Identity Provisioning Service (Identity Provisioning Service).

This part of the blog explains how to set up the scenario in which IDM uses the Identity Service and the Identity Provisioning Service to provision user accounts to On-Premise and cloud systems.

Figure: IDM provisions On-Premise user accounts to cloud systems

Implementation

Scenario: IDM provisions On-Premise user accounts to the Cloud Systems

Architecture:

  • Source: On-Premise SAP or non-SAP System
  • Target: Cloud System
  • Provisioning System: IDM and Identity Provisioning Service

Procedure

Step 1: Create a technical user for the Identity Service

The connection between IDM and the Identity Service requires a technical user. Create it in the administrator cockpit of the Identity Service as shown below; its user ID is needed again in step 2. Grant the user only the authorizations the connector needs to read and write user data, and use a dedicated account rather than a personal administrator account, so that provisioning actions stay attributable and the credential can be rotated on its own. The screenshot below shows an example configuration of a technical user IDM_CONNECTION (User ID: T000000) in the Identity Service.

Figure: Creation of a technical user in the Identity Service

Step 2: Connecting the IDM system to the Identity Service

The SCI connector connects IDM to the Identity Service. Configuring it takes three steps:

  1. Import the SCI connector

Import the “com.sap.idm.connector.sci” package for the SCI Connector to the IDM Store. With the SCI Connector, you can provision user accounts to the Identity Service. The following operations are available:

  • Create user
  • Edit user
  • Delete user
  • Activate user
  • Disable user
  • Set a productive password for the user

The connector's plug-ins for provisioning authorizations and groups are currently empty, so the authorizations and groups of the Identity Service cannot yet be managed centrally from IDM.

Figure: SCI Connector

  2. Create a repository for the Identity Service

Create a repository for the Identity Service in the IDM Admin UI. To do so, set the Repository Constants as in Table 1 and the Repository Type Constants as in Table 2. The screenshot below shows an example configuration of a repository for the Identity Service.

The constants SCI_HOST, SCI_PORT, SCI_USER, and SCI_PASSWORD are mandatory fields.

  • SCI_USER corresponds to the technical user from step 1
  • SCI_HOST is the host of the Identity Service

Table 1: Repository Constants for SAP Cloud Identity

| Repository Constant  | Value                                                                                   |
|----------------------|-----------------------------------------------------------------------------------------|
| SCI_HOST             | SCI system hostname                                                                     |
| SCI_PORT             | Default: 443 (default port for HTTPS)                                                   |
| SCI_USER             | Username of the technical user                                                          |
| SCI_PASSWORD         | Password of the technical user                                                          |
| PROXY_HOST           | Proxy hostname                                                                          |
| PROXY_PORT           | Proxy port                                                                              |
| PROXY_USER           | User for proxy authentication                                                           |
| PROXY_PASSWORD       | Password of the proxy user                                                              |
| TRUSTSTORE           | File location of the trust store used to establish the secure connection                |
| TRUSTSTORE_PASSWORD  | Password to access the trust store (only needed when using certificate authentication)  |
| READ_TIMEOUT         | Default: 60000 (milliseconds to wait during read operations)                            |
| CONNECT_TIMEOUT      | Default: 60000 (milliseconds to wait when establishing the connection)                  |
| CONNECTION_KEEPALIVE | Default: 60000 (milliseconds to wait before the connection is closed)                   |
| SYSTEM_PRIVILEGE     | PRIV:SYSTEM:<Repository>                                                                |

<Repository> is the exact name of the repository to which the constants belong.

In the SAP Identity Management Administration User Interface, the value of the SYSTEM_PRIVILEGE repository constant is read-only. When a repository is created, the name of the repository is filled in automatically.

Table 2: Repository Type Constants for SAP Cloud Identity

| Repository Type Constant   | Value                                   |
|----------------------------|-----------------------------------------|
| HTTP_PROTOCOL              | https (protocol used for the connection) |
| MX_ADD_MEMBER_TASK         | <process number for Provisioning>       |
| MX_DEL_MEMBER_TASK         | <process number for Deprovisioning>     |
| MX_MODIFYTASK              | <process number for Modify>             |
| REPOSITORY_SYNC            | SYNC                                    |
| REPOSITORY_TYPE            | SCI                                     |
| INITIAL_LOAD               | <Initial Load Job>                      |
| MX_PRIV_GROUPING_ATTRIBUTE | (empty)                                 |
| MX_PRIV_GROUPING_RULE      | P:-1                                    |

Figure: Repository sample configuration for Identity Service

  3. Start the Initial Load Job in IDM
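
Before the Initial Load Job is started, it pays to check the repository definition against the two tables above, because a wrong SYSTEM_PRIVILEGE, a half-configured proxy or a plain-http protocol only shows up later as a failed job. The following Python script is an added example and not code from the original post or from SAP; the NAME=VALUE input format, the repository name SCI_IAS, the hostname, the process numbers and the passwords are all constructed for illustration. It shows a weak repository definition next to a hardened one and reports what is wrong with the weak one.

```python
"""Added example (not from the original post): pre-flight checks on an IDM
repository definition for the Identity Service, covering the repository
constants (Table 1) and repository type constants (Table 2). The NAME=VALUE
text format and every sample value below are constructed for this example."""
from __future__ import annotations

MANDATORY = ("SCI_HOST", "SCI_PORT", "SCI_USER", "SCI_PASSWORD")
TIMEOUTS = ("READ_TIMEOUT", "CONNECT_TIMEOUT", "CONNECTION_KEEPALIVE")
TASKS = ("MX_ADD_MEMBER_TASK", "MX_DEL_MEMBER_TASK", "MX_MODIFYTASK")


def parse_constants(text: str) -> dict[str, str]:
    """Parse NAME=VALUE lines; blank lines and '#' comments are ignored."""
    out: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        out[name.strip()] = value.strip()
    return out


def _positive_int(value: str) -> bool:
    return value.isdigit() and int(value) > 0


def validate_repository(name: str, constants: dict[str, str],
                        type_constants: dict[str, str]) -> list[str]:
    """Return findings prefixed ERROR:/WARN:; an empty list means all checks passed."""
    errors: list[str] = []
    warnings: list[str] = []

    # Table 1: the four mandatory connection constants must be present and non-empty.
    errors += [f"{k} is mandatory but missing or empty" for k in MANDATORY if not constants.get(k)]
    port = constants.get("SCI_PORT", "")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        errors.append(f"SCI_PORT {port!r} is not a valid TCP port")
    for key in TIMEOUTS:
        if key in constants and not _positive_int(constants[key]):
            errors.append(f"{key} must be a positive number of milliseconds")

    # Proxy constants only make sense in pairs: host with port, user with password.
    for a, b in (("PROXY_HOST", "PROXY_PORT"), ("PROXY_USER", "PROXY_PASSWORD")):
        if bool(constants.get(a)) != bool(constants.get(b)):
            errors.append(f"{a} and {b} must be set together")

    # Without an explicit TRUSTSTORE the server certificate is checked against
    # whatever the IDM runtime trusts by default, so flag that for review.
    if constants.get("TRUSTSTORE_PASSWORD") and not constants.get("TRUSTSTORE"):
        errors.append("TRUSTSTORE_PASSWORD is set but TRUSTSTORE is missing")
    if not constants.get("TRUSTSTORE"):
        warnings.append("TRUSTSTORE not set; the Identity Service CA must be in the default trust store")

    # SYSTEM_PRIVILEGE is derived from the repository name and must match it exactly.
    expected = f"PRIV:SYSTEM:{name}"
    if constants.get("SYSTEM_PRIVILEGE") != expected:
        errors.append(f"SYSTEM_PRIVILEGE must be {expected!r}")

    # Table 2: the technical user's password must never cross the network in clear.
    if type_constants.get("HTTP_PROTOCOL", "").lower() != "https":
        errors.append("HTTP_PROTOCOL must be https, otherwise the technical user's password is sent in clear")
    if type_constants.get("REPOSITORY_TYPE") != "SCI":
        errors.append("REPOSITORY_TYPE must be SCI for the SCI connector")
    warnings += [f"{k} is not a process number; that operation will not be provisioned"
                 for k in TASKS if not _positive_int(type_constants.get(k, ""))]
    return [f"ERROR: {e}" for e in errors] + [f"WARN: {w}" for w in warnings]


# Constructed sample: a weak definition (plain http, empty password, half a proxy,
# wrong privilege name) next to a hardened one, both for a repository named SCI_IAS.
WEAK_REPOSITORY = parse_constants("""
SCI_HOST=idm-sci.example.org
SCI_PORT=80
SCI_USER=T000000
SCI_PASSWORD=
PROXY_HOST=proxy.corp.example
SYSTEM_PRIVILEGE=PRIV:SYSTEM:IAS
""")
WEAK_TYPE = parse_constants("HTTP_PROTOCOL=http\nREPOSITORY_TYPE=SCI\nREPOSITORY_SYNC=SYNC")
HARDENED_REPOSITORY = parse_constants("""
SCI_HOST=idm-sci.example.org
SCI_PORT=443
SCI_USER=T000000
SCI_PASSWORD=demo-only-password
TRUSTSTORE=/opt/idm/sci-truststore.jks
TRUSTSTORE_PASSWORD=demo-only-truststore-pw
READ_TIMEOUT=60000
SYSTEM_PRIVILEGE=PRIV:SYSTEM:SCI_IAS
""")
HARDENED_TYPE = parse_constants("""
HTTP_PROTOCOL=https
REPOSITORY_TYPE=SCI
MX_ADD_MEMBER_TASK=1001
MX_DEL_MEMBER_TASK=1002
MX_MODIFYTASK=1003
""")

if __name__ == "__main__":
    for label, repo, typ in (("weak", WEAK_REPOSITORY, WEAK_TYPE),
                             ("hardened", HARDENED_REPOSITORY, HARDENED_TYPE)):
        print(label, validate_repository("SCI_IAS", repo, typ) or ["OK"])
```

Run as a script, the weak definition yields four errors (empty SCI_PASSWORD, PROXY_HOST without PROXY_PORT, SYSTEM_PRIVILEGE not matching the repository name, HTTP_PROTOCOL set to http) and four warnings, while the hardened one passes cleanly. Missing task numbers are only warnings because the initial load still works without them; they only matter once provisioning processes are attached to the repository.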

Step 3: Configuration of the destination for the Identity Service in the SAP Cloud Platform Cockpit

To use the Identity Service as the source system of the Identity Provisioning Service, you first configure a destination in the SAP Cloud Platform Cockpit that points to the Identity Service. The screenshot below shows an example destination that authenticates with the technical user from step 1.

Figure: Sample of a destination configuration in Cloud Platform Cockpit

Step 4: Configuring the Source System in the Identity Provisioning Service

The Identity Service is configured as the source system in the Identity Provisioning Service; select the destination from step 3 as the destination name.

Figure: Configuration of the Source System in Identity Provisioning Service

Step 5: Configuration of the target system in the Identity Provisioning Service

Conclusion

In order to set up SAP NetWeaver Identity Management, SAP Cloud Identity Authentication Service, and SAP Cloud Identity Provisioning Service, you have to consider the following:

  • User accounts cannot be provisioned directly from IDM to the cloud systems; the Identity Service sits in between. The connection between IDM and the Identity Service requires the SCI Connector and a repository for the Identity Service. To map the user accounts between IDM and the Identity Service, an initial load must be run that loads the existing user accounts from the Identity Service into IDM.
  • In the Identity Provisioning Service, the Identity Service is configured as the source system and any number of cloud systems as target systems. The Read Job loads only new user accounts from the Identity Service, whereas the Resync Job loads all user accounts and overwrites them in the targets; the Read Job should be scheduled as a periodic job. Transformations determine how the Identity Provisioning Service maps user accounts from the source to the target systems. Read and resync jobs and transformations are described in the first part of this blog: Use of SAP NetWeaver Identity Management, SAP HANA Cloud Identity Authentication Service and SAP HANA Cloud Identity Provisioning Service to integrate Identity Lifecycle Management into a heterogeneous system landscape – Part 1.

By using these two services, you can securely integrate cloud systems into a heterogeneous system landscape and centrally manage user accounts in the IDM.

Chen Chen

Chen is a Junior SAP Security Consultant at Xiting GmbH in Germany with a strong focus on SAP Identity Management.
