Reference Architecture for Cloud Leading Identity Lifecycle
The figure shows SAP's cloud-driven Identity and Access Management architecture.

The cloud-driven identity lifecycle centralizes user management across SAP systems to ensure consistent identity storage, replication, and lifecycle management. Users, including employees, consumers, and business partners, are stored in a central SAP Cloud Identity Services - Identity Directory, which enables efficient synchronization using SCIM 2.0 for replication and allows user attributes to be merged into tokens during authentication. The Identity Directory acts as a unified user and group store and integrates with the SAP Authorization Management Service (AMS) for policy management. It supports replication via the Identity Provisioning Service (IPS), which connects to SAP applications and external systems. SAP Cloud Identity Services streamlines user lifecycle management by deriving digital identities from workforce data managed in systems such as SAP SuccessFactors or SAP Fieldglass. These identities are replicated into the Identity Directory and further distributed to target systems via IPS. Optional access requests and access analyses through SAP Cloud Identity Access Governance ensure secure and compliant access.
To learn more about the reference architecture for cloud-leading identity lifecycle authorizations, see the SAP Architecture Center.
Source/Target vs. Proxy Mode
In Identity Provisioning, the concepts of Source/Target Mode and Proxy Mode refer to different ways of handling data synchronization and management between IPS and external systems such as SAP S/4HANA, SAP SuccessFactors, Active Directory, or other target systems, or, more precisely, their user stores.
The figure shows the IPS Source/Target Mode capability.

Source/Target Mode: This is the standard provisioning mode, in which IPS reads users and groups from a source system and provisions them to a target system.
- Source System: This is where the user data originates or is managed. It could be an HR system, an Active Directory, or any system that creates or stores user information.
- Target System: This is the system that receives the user data. It can be another application such as SAP S/4HANA, SAP SuccessFactors, or any third-party system.
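As an added illustration (not SAP or IPS code; the sample users are constructed), the following Python sketches what Source/Target Mode amounts to at the SCIM 2.0 level: read users from a source store, compare them with the target store, and derive the create, update, and deactivate requests the target would receive. The synced attribute set, the user identifiers, and the choice to deactivate rather than delete are assumptions of this example, not IPS behaviour.

```python
"""Constructed SCIM 2.0 source/target reconciliation (illustrative, not IPS code)."""

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample data: a source store (e.g. HR-derived) and a target
# application's user store, both as SCIM 2.0 User resources keyed on userName.
SOURCE_USERS = [
    {"schemas": [SCIM_USER], "userName": "alice@example.com", "displayName": "Alice A.", "active": True},
    {"schemas": [SCIM_USER], "userName": "bob@example.com", "displayName": "Bob B.", "active": True},
]
TARGET_USERS = [
    {"schemas": [SCIM_USER], "id": "t-1", "userName": "bob@example.com", "displayName": "Robert B.", "active": True},
    {"schemas": [SCIM_USER], "id": "t-2", "userName": "carol@example.com", "displayName": "Carol C.", "active": True},
]

SYNCED_ATTRS = ("displayName", "active")  # assumed attribute mapping for this example


def _patch(user_id, operations):
    """Build a SCIM 2.0 PatchOp request against /Users/{id}."""
    return {"method": "PATCH", "path": f"/Users/{user_id}",
            "body": {"schemas": [SCIM_PATCH], "Operations": operations}}


def reconcile(source, target):
    """Return the SCIM requests needed to make the target match the source.

    Users missing in the target are created; users whose synced attributes
    differ are patched; users absent from the source are deactivated
    (active=false) instead of deleted, so audit trails and references survive.
    """
    src = {u["userName"]: u for u in source}
    tgt = {u["userName"]: u for u in target}
    ops = []
    for name, s in src.items():
        if name not in tgt:
            ops.append({"method": "POST", "path": "/Users", "body": dict(s)})
            continue
        t = tgt[name]
        changed = [a for a in SYNCED_ATTRS if s.get(a) != t.get(a)]
        if changed:
            ops.append(_patch(t["id"], [{"op": "replace", "path": a, "value": s[a]} for a in changed]))
    for name, t in tgt.items():
        if name not in src and t.get("active", True):
            ops.append(_patch(t["id"], [{"op": "replace", "path": "active", "value": False}]))
    return ops


if __name__ == "__main__":
    for op in reconcile(SOURCE_USERS, TARGET_USERS):
        print(op["method"], op["path"], op["body"])
```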
The figure shows the integration flow for SAP solutions.

Identity Provisioning can also operate in Proxy Mode. In this configuration, the service facilitates the synchronization of user data between a central identity management system (such as on-premise SAP Identity Management) and a provisioning system, referred to as the proxy system (for example, SAP Analytics Cloud, embedded edition). In this setup, Identity Provisioning serves as an intermediary between the identity management solution and the system configured with proxy settings.
SAP Business Technology Platform (SAP BTP) and SAP Cloud Identity Services
SAP BTP consists of global accounts, directories, and subaccounts that manage SaaS solutions, custom applications, and services. Administrators set up trust with SAP Cloud Identity Services for platform users (such as administrators, developers, and operators) using OpenID Connect (OIDC), enabling login to the SAP BTP account management tools. For business users in SAP BTP subaccounts, administrators can set up trust via the "Establish Trust" option, using the OIDC or SAML 2.0 protocols. This integration supports custom domains, application-specific authentication, principal propagation, and the Authorization Management Service. SAP also plans to enable centralized management of BTP authorizations across subaccounts using the Identity Directory service.
While existing SAP BTP applications using the SAP Authorization and Trust Management service (XSUAA) remain supported, administrators can now manage application policies centrally via SAP Cloud Identity Services, improving authorization control. Currently, most SAP applications and subaccounts maintain separate user stores, which complicates remote management and compliance. SAP's long-term strategy aims to centralize user and group management in SAP Cloud Identity Services, reducing complexity and allowing remote management through APIs. To use new applications and features, users must exist in the Identity Directory. While the initial setup with SAP Cloud Identity Services may require more effort, subsequent integrations are easier because there is no need to populate additional application-specific user stores.