Use of SAP NetWeaver Identity Management, SAP Cloud Identity Authentication Service and SAP Cloud Identity Provisioning Service to integrate Identity Lifecycle Management into a hybrid system landscape – Part 1

Nowadays our systems run in a hybrid landscape of On-Premise and Cloud systems, so it makes sense to manage the user accounts for both centrally. For this purpose, the SAP Cloud Identity Provisioning Service (Identity Provisioning Service) cooperates with SAP NetWeaver Identity Management (IDM) and the SAP Cloud Identity Authentication Service (Identity Service).

Pre-requisite

To implement Identity Lifecycle Management in a hybrid system landscape, you require the following:

  • at least one cloud system as the target system for the Identity Provisioning Service,
  • a tenant ID for the Identity Service,
  • an account in the SAP Cloud Platform Cockpit and
  • an SAP NetWeaver Identity Management system (at least version IDM 8.0 SP03).

The Identity Provisioning Service is a service in the SAP Cloud Platform Cockpit. It allows you to include cloud systems in an automated identity lifecycle management process (see figure below). The Identity Provisioning Service lets you manage user accounts and authorizations centrally in IDM and provision them from an On-Premise or Cloud source system to Cloud target systems.

Identity Lifecycle Management

The source system can be on-premise or in the cloud, while the target system must be a Cloud system. The table below lists the available source and target systems:

Available source systems

  On-Premise systems:
  • SAP Application Server ABAP
  • Microsoft Active Directory
  • LDAP Server

  Cloud systems:
  • SAP Cloud Platform Identity Authentication
  • SAP SuccessFactors
  • Microsoft Azure Active Directory
  • SCIM System

Available target systems

  On-Premise systems: none (the target must be a Cloud system)

  Cloud systems:
  • SAP Cloud Platform Identity Authentication
  • SAP Cloud Platform Java/HTML5 Apps (only SAP AS ABAP and Microsoft AD are possible as source system)
  • Microsoft Azure Active Directory
  • SAP Hybris Cloud for Customer
  • SAP Jam
  • Cloud Foundry UAA Server
  • SCIM System
  • Google G Suite
  • Concur

How does IDM work together with the Identity Service and the Identity Provisioning Service?

The Identity Provisioning Service enables you to manage both On-Premise and Cloud user accounts centrally in IDM. While the Identity Provisioning Service is dedicated to provisioning to Cloud systems, IDM focuses on provisioning to On-Premise systems.

To provision user accounts from On-Premise systems using IDM through the Identity Provisioning Service to the cloud systems, you require the Identity Service. The Identity Service transports On-Premise user accounts from IDM to the Identity Provisioning Service.

IDM provisions On-Premise user accounts to cloud systems

How does it work?

IDM writes the user accounts to the On-Premise systems and to the Identity Service. The Identity Provisioning Service loads the user accounts via a Read or Resync job and writes these accounts, which originally come from IDM, to the corresponding Cloud systems. The difference between the two jobs is that the Read job loads only new user accounts, whereas the Resync job loads and overwrites all user accounts. A so-called transformation determines how the Identity Provisioning Service maps user accounts from the source system to the target systems. A description of the Read / Resync jobs and of transformations can be found in SAP's documentation.

The user accounts provided by IDM are located in the user management area of the Identity Service.

SAP Cloud Platform Identity Authentication Administration Console

Currently, the IDM attributes listed in the table below can be provisioned to On-Premise and Cloud systems. However, to date, IDM cannot provision authorizations to Cloud systems.

SAP Identity Management attribute | SAP Cloud Identity attribute | Description
----------------------------------+------------------------------+---------------------------------------------------------------
DISPLAYNAME                       | displayName                  | User-friendly name
MSKEYVALUE                        | username or id               | Unique entry (user) identifier
MX_ADDRESS_CITY                   | city                         | City
MX_ADDRESS_COUNTRY                | country                      | Country key
MX_ADDRESS_POSTAL_CODE            | postalCode                   | Postal code
MX_ADDRESS_REGION                 | region                       | Region
MX_ADDRESS_STREET_1               | streetAddress                | Street
MX_DEPARTMENT                     | department                   | Department
MX_DISABLED                       | active                       | User is disabled (Boolean value). A disabled user is not able to log on to the Identity Management user interface.
MX_ENCRYPTED_PASSWORD             | password                     | Encrypted password used for password provisioning
MX_FIRSTNAME                      | firstName                    | User first name
MX_LASTNAME                       | lastName                     | User last name
MX_LANGUAGE                       | locale                       | User language
MX_MAIL_PRIMARY                   | email                        | Primary e-mail address
MX_PHONE_PRIMARY                  | businessPhone                | Primary telephone number
MX_MOBILE_PRIMARY                 | cellPhone                    | Primary mobile number
MX_TITLE                          | title                        | Title of user
ACCOUNT<Repository>               | id                           | Unique user ID for the user in the target repository. For the SAP Cloud Identity service, this should be the id of the user. The user has one such attribute for each repository in which the user exists.

Mapping between Identity Management and SAP Cloud Identity attributes
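To make the attribute mapping and the Read / Resync behaviour concrete, here is an added Python model (not SAP's transformation format and not code from the post). It uses the attribute names from the table above; the inversion of MX_DISABLED into the target's "active" flag, the sample entries and the in-memory target store are assumptions for illustration, and password provisioning is left out.

```python
# Added illustration: IDM -> Identity Service attribute mapping plus the
# Read vs Resync job semantics described in the text. Not SAP's own
# transformation format; MX_DISABLED -> active inversion is an assumption.
from typing import Dict, List

# Attribute names as listed in the mapping table on the page.
IDM_TO_IAS = {
    "DISPLAYNAME": "displayName", "MSKEYVALUE": "username",
    "MX_ADDRESS_CITY": "city", "MX_ADDRESS_COUNTRY": "country",
    "MX_ADDRESS_POSTAL_CODE": "postalCode", "MX_ADDRESS_REGION": "region",
    "MX_ADDRESS_STREET_1": "streetAddress", "MX_DEPARTMENT": "department",
    "MX_FIRSTNAME": "firstName", "MX_LASTNAME": "lastName",
    "MX_LANGUAGE": "locale", "MX_MAIL_PRIMARY": "email",
    "MX_PHONE_PRIMARY": "businessPhone", "MX_MOBILE_PRIMARY": "cellPhone",
    "MX_TITLE": "title",
}

def transform(idm_entry: Dict[str, str]) -> Dict[str, object]:
    """Map one IDM entry to the Identity Service attribute set."""
    if not idm_entry.get("MSKEYVALUE"):
        raise ValueError("MSKEYVALUE is the unique identifier and must be set")
    out: Dict[str, object] = {
        ias: idm_entry[idm] for idm, ias in IDM_TO_IAS.items() if idm in idm_entry
    }
    # MX_DISABLED means "user is disabled"; the target's 'active' flag is its
    # inverse (assumption based on the table description). Missing flag => active.
    flag = str(idm_entry.get("MX_DISABLED", "0")).strip().upper()
    out["active"] = flag not in ("1", "TRUE")
    return out

def run_job(source: List[Dict[str, str]], target: Dict[str, Dict[str, object]],
            resync: bool) -> List[str]:
    """Read job (resync=False): write only users missing in the target.
    Resync job (resync=True): write all users, overwriting existing ones.
    Returns the usernames that were written."""
    written: List[str] = []
    for entry in source:
        user = transform(entry)
        name = str(user["username"])
        if resync or name not in target:
            target[name] = user
            written.append(name)
    return written

# Constructed sample IDM entries (not real data).
SAMPLE_IDM = [
    {"MSKEYVALUE": "jdoe", "MX_FIRSTNAME": "Jane", "MX_LASTNAME": "Doe",
     "MX_MAIL_PRIMARY": "jane.doe@example.com", "MX_DISABLED": "0"},
    {"MSKEYVALUE": "bsmith", "MX_FIRSTNAME": "Bob", "MX_LASTNAME": "Smith",
     "MX_DISABLED": "1"},
]
```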

Conclusion

In summary, through the collaboration of SAP NetWeaver Identity Management (IDM), the SAP Cloud Identity Authentication Service and the SAP Cloud Identity Provisioning Service, you can implement Identity Lifecycle Management in a hybrid system landscape with On-Premise and Cloud systems. The basis for this is that IDM provisions user accounts to the On-Premise systems and to the Identity Service, and the Identity Provisioning Service copies these user accounts from the Identity Service and provisions them to the Cloud systems.

Both services, SAP Cloud Identity Authentication Service and SAP Cloud Identity Provisioning Service, are straightforward to configure. What matters most is to understand what the two services are, what they offer, and how you can use them to centrally manage user accounts for On-Premise and Cloud systems in IDM.

Most of all, as customers will use more and more cloud systems in the future, IDM requires this connection to correctly provision On-Premise as well as Cloud systems.

Chen Chen

Chen is a Junior SAP Security Consultant at Xiting GmbH in Germany with a strong focus on SAP Identity Management.
