Locate SAP Cloud Identity Services within the 3-System-Landscape
Every SAP S/4HANA Cloud Public Edition instance uses SAP Cloud Identity Services - Identity Authentication as identity provider (IdP). You can either use Identity Authentication natively as the source of user identities, or you can use a proxy setup to connect to an existing corporate IdP.
If you already have a corporate identity provider in place, you can configure Identity Authentication to run in proxy mode. This way, you can use a single corporate identity provider across multiple applications.

SAP Cloud Identity Services
The SAP Cloud Identity Services primarily manage identities, authentication, and single sign-on (SSO) across cloud and on-premise solutions.
Technology
SAP Cloud Identity Services are a group of services of SAP Business Technology Platform (SAP BTP) that enable you to integrate identity and access management between systems. The goal is to provide a seamless single sign-on experience across systems while ensuring that system and data access are secure. SAP Cloud Identity Services include Identity Authentication, Identity Provisioning, Identity Directory, and Authorization Management.
Tenants
A tenant refers to your (customer-specific) instance of SAP Cloud Identity Services. It's delivered to you as part of a bundle with an SAP cloud solution (for example SAP S/4HANA Cloud Public Edition) or as part of a self-service request in SAP BTP cockpit. When SAP Cloud Identity Services are bundled with an SAP cloud solution, you are entitled to one productive and one test tenant preconfigured with the SAP cloud solution.
If you get another solution that also bundles SAP Cloud Identity Services, you don't get an additional tenant. Your existing one is reused.
Hint
SAP Cloud Identity Services come with the following features:
- Authentication and SSO
- Choose one of the supported authentication methods to control access to your application, like Form, SPNEGO, Social, or 2FA. Use OpenID Connect or SAML 2.0 to provide single sign-on. Integrate your application programmatically using authentication via API.
- Data Persistence
- Store and manage users and groups in Identity Directory - the user store of SAP Cloud Identity Services.
- Delegate Authentication
- Delegate authentication to a 3rd party or on-premise IdP, by default or based on a condition like IdP, email domain, user type or user group, and thus enable SSO across on-premise and the cloud.
- Job Logging and Notifications
- View and manage job logs and real-time provisioning logs. Subscribe to source systems and receive notifications for the status of provisioning jobs.
- Policy-Based Authorizations
- Develop SAP BTP applications with instance-based authorizations. Configure those instance-based authorizations centrally as policies within SAP Cloud Identity Services.
- Risk-Based Authentication
- Help enforce two-factor authentication based on IP ranges, user groups, user type, or authentication method to manage access to a business application.
- User and Group Management via API
- Use SCIM REST API to manage users and groups, invite users, and customize end-user UI texts in any language.
- User and Group Provisioning
- Synchronize users and groups between multiple supported cloud and on-premise systems, both SAP and non-SAP. Filter data. Run jobs in full and delta read mode.
The following slide shows its main components:

The graphic can be explained as follows:
- Business User
- On the left-hand side, you find the Business Users, such as Employees, Customers, or Partners.
- Corporate IdP
- The Corporate IdP (Identity Provider) is a system that creates, maintains, and manages identity information for users and offers authentication services within a federated network. IdPs provide user authentication as a service, allowing applications such as web apps to outsource the authentication step. Two protocol types are currently used:
- OpenID Connect (OIDC) is an identity layer built on OAuth. In its domain model, an identity provider is an OAuth 2.0 authorization server that issues JSON-formatted identity tokens to OIDC relying parties via a RESTful HTTP API.
- SAML (Security Assertion Markup Language) is a set of profiles for exchanging authentication and authorization data. In its domain model, an identity provider is an authentication authority that issues authentication assertions using an SSO profile of SAML. A relying party that consumes these assertions is called a SAML service provider.
Examples: Okta, Auth0, Azure AD, Keycloak, …
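As an added example (not part of the course material), the relying-party side of the OIDC model described above: the application receives an ID token from the IdP and must verify its signature, issuer, audience, expiry and nonce before trusting the identity it carries. The issuer URL (in the tenant URL form used by Identity Authentication), client ID and shared secret are constructed placeholders; HS256 is used so the example runs offline, whereas production IdPs normally sign with asymmetric keys (RS256) published at a JWKS endpoint.

```python
import base64, hashlib, hmac, json

# Constructed values (not from the page): issuer in the tenant URL form shown above, client ID, secret.
TENANT_ISSUER = "https://myexampletenant.accounts.ondemand.com"
CLIENT_ID = "example-relying-party"
CLIENT_SECRET = b"constructed-shared-secret-for-the-example"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Stand-in for the IdP: mint an HS256-signed ID token (JWT) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token: str, expected_nonce: str, now: int, *,
                      issuer: str = TENANT_ISSUER, client_id: str = CLIENT_ID,
                      secret: bytes = CLIENT_SECRET) -> dict:
    """Relying-party checks per OpenID Connect Core 1.0 sect. 3.1.3.7; raises ValueError on failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not exactly three parts
    # Pin the expected algorithm instead of trusting the token's own 'alg' header.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims

def rejection_reason(token: str, expected_nonce: str, now: int):
    """None if the token is accepted, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, expected_nonce, now)
        return None
    except ValueError as exc:
        return str(exc)
```

The check order matters: the signature is verified before any claim is read, so a forged token never influences the issuer or audience decision.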
The following components are elements of the SAP Cloud Identity Services:
- Identity Authentication
- It provides you with controlled cloud-based access to business processes, applications, and data. It simplifies your user experience through authentication mechanisms, single sign-on, on-premise integration, and convenient self-service options.
- Identity Provisioning
- Simplifies and secures identity lifecycle management by automating identity and authorization provisioning and deprovisioning. It speeds up user onboarding and offboarding, supports centralized management of corporate identities in the cloud, and can automatically provision existing on-premise identities to cloud applications.
- Authorization Management
- It enables you to refine authorization policies that give access to resources in enabled SAP BTP-based business applications. You can restrict policies based on the values of user or business object attributes. You can assign policies to users with the identity directory's group management capabilities. You can use the corresponding user interfaces of SAP Cloud Identity Services or the SCIM API of the identity directory.
This feature controls access to various services and functionalities within the SAP Business Technology Platform (BTP) and it involves defining roles, permissions, and policies.
- Identity Directory
- It is the persistence layer of SAP Cloud Identity Services, providing a centralized storage and management system for users and groups. It features a SCIM 2.0 REST API that enables customers to define custom schemas with their own attributes. The directory generates the Global User ID, a unique identifier distributed by Identity Provisioning to SAP cloud applications which require a common user identifier for integration purposes.
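As an added example (not SAP's code), the structural rules a client has to respect when creating a user through a SCIM 2.0 API such as the Identity Directory's: a validator for the create request, including customer-defined schema extensions, and a PatchOp body that adds members to a group. The custom extension URN is hypothetical and the sample user is constructed; the SCIM URNs themselves are the standard ones from RFC 7643 and RFC 7644.

```python
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Hypothetical customer-defined extension URN, standing in for a custom schema in the directory.
CUSTOM_EXT = "urn:example:params:scim:schemas:extension:acme:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def validate_scim_user_create(resource: dict) -> list:
    """Structural checks (RFC 7643 / RFC 7644) on a User create request; an empty list means well-formed."""
    problems = []
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or CORE_USER not in schemas:
        problems.append("schemas must be a list containing the core User URN")
        schemas = schemas if isinstance(schemas, list) else []
    if not resource.get("userName"):
        problems.append("userName is required")
    # Every extension URN listed in 'schemas' must appear as a namespaced attribute
    # object, and every namespaced object must be declared in 'schemas'.
    for urn in schemas:
        if urn != CORE_USER and not isinstance(resource.get(urn), dict):
            problems.append(f"extension {urn} declared but missing")
    for key in resource:
        if key.startswith("urn:") and key not in schemas:
            problems.append(f"extension {key} present but not declared in schemas")
    # 'id' is issued by the service provider (here the directory) and must not be set by the client.
    if "id" in resource:
        problems.append("id is server-assigned and must not be sent on create")
    return problems

def build_group_member_patch(user_ids: list) -> dict:
    """PatchOp body for PATCH /Groups/{id} that adds members by their directory-assigned ids."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "add", "path": "members",
                            "value": [{"value": uid} for uid in user_ids]}]}

# Constructed request body for POST /Users (sample data, not from the page).
SAMPLE_USER = {
    "schemas": [CORE_USER, ENTERPRISE_USER, CUSTOM_EXT],
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jdoe@example.com", "primary": True}],
    ENTERPRISE_USER: {"department": "Finance"},
    CUSTOM_EXT: {"costCenter": "CC-1000"},
}
```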
Additional Component:
- User Stores
- A central repository where user identity information is stored. This information typically includes data such as user names, passwords, and other attributes relevant to user profiles.
Examples: ABAP Platform, MS Active Directory, Apache Directory Server, OpenLDAP, …
Hint
To connect on-premise components, the Cloud Connector is used.
Using the Administration Console for administration
When the SAP Cloud Identity Services tenant is initially provisioned to your organization, only one user is added as a tenant administrator. After that, due to possible legal and security issues, SAP adds additional tenant administrators only in exceptional cases (for example, the existing administrator has left the company, or for some other reason there is no active administrator for this tenant). To avoid access-related issues in such cases, it is good practice to assign more than one administrator. Adding further administrators is exclusively the responsibility of the current tenant administrators.

The SAP Cloud Identity Services administration and configuration tasks are intended for administrators. They include configuring tenant settings, applications, authorization policies, and provisioning, as well as managing users and groups, to ensure proper operations. For these configurations, administrators mainly use the administration console for SAP Cloud Identity Services, a Fiori-based user interface adaptive to most browsers.
Hint
The URL has the following pattern: https://<tenant ID>.accounts.ondemand.com/admin or https://<tenant ID>.accounts.cloud.sap/admin. The tenant ID is automatically generated by the system. If you have configured a custom domain, the URL has the pattern https://<your custom domain>/admin.
Some of the possible configuration options:
- Configuring Applications: This section describes how to configure user authentication and access to an application and use a branding style in accordance with your company's requirements. It also explains the trust configuration between Identity Authentication and a service provider or client (relying party).
- Configuring Tenant Settings: Initially, the tenants are configured to use default settings. This section describes how you as a tenant administrator can create custom tenant configurations.
- Configuring Password Policies: Passwords for the authentication of users are subject to certain rules. These rules are defined in the password policy. Identity Authentication provides you with two predefined password policies, in addition to which you can create and configure up to three custom password policies.
- Configuring Privacy Policies: You can configure a custom privacy policy document by creating a new document, adding and editing its language versions, and defining the document for an application.
- Configuring Authorization Policies: Authorization management enables SAP Cloud Identity Services administrators to use authorization policies, customize them, and assign them to users.
- Configuring Terms of Use: You can configure a custom terms of use document by creating a new document, adding and editing its language versions, and defining the document for an application.
- Configuring Email Templates: Tenant administrators can use the default or a custom email template set for the application processes.
- Managing Administrators: This section describes how, as a tenant administrator, you can list all administrators in the administration console for SAP Cloud Identity Services, add new administrators, edit the administrator authorizations, and remove administrators.
- Managing Users: Tenant administrators can manage user accounts via the SAP Cloud Identity Services administration console and APIs.
- Managing Groups: Tenant administrators can create groups, and assign and unassign these groups to users via the administration console for SAP Cloud Identity Services.
- Configuring Provisioning Systems: Configure provisioning systems for synchronizing users and groups between business applications.
- Configuring Real-Time Provisioning: As a tenant administrator, you can configure real-time provisioning to immediately provision entities from source to target systems.
- Configuring Social Identity Providers: By configuring a social provider, users can log on to applications with their social media credentials by linking their accounts in Identity Authentication to the social media account.
- Integrating with Existing Customer Landscape: Identity Authentication can be integrated with an already existing customer landscape and supports different types of delegated authentication.
- Configuring External Authentication Providers: To manage users from external providers, configure authentication providers in the administration console for SAP Cloud Identity Services.
- Configuring OpenID Connect: You can use Identity Authentication for authentication in OpenID Connect protected applications.
For more information, please check the following resources:
Related Information for SAP Cloud Identity Services
- SAP Help Portal - SAP Cloud Identity Services page
- SAP Discovery Center - Services - SAP Cloud Identity Services
- SAP Learning - Introducing SAP Cloud Identity Services