Integrating SAP Cloud Identity Access Governance with SAP Cloud Applications

Objective

After completing this lesson, you will be able to understand the architecture when integrating SAP Cloud IAG with SAP cloud applications.

Architecture Overview

Diagram displaying the Overview - Integration of SAP Cloud Identity Access Governance with SAP SuccessFactors

The architecture overview shows all components/systems involved in the integration between SAP Cloud Identity Access Governance and SAP SuccessFactors. As you can see in the figure, Overview - Integration of SAP Cloud Identity Access Governance with SAP SuccessFactors, we have a cloud-only scenario – there are no on-premise systems/components involved:

On-premise installed components:

There is no involvement of on-premise systems needed for this scenario.

Cloud components:

  • SAP Cloud Identity Access Governance: SAP Cloud Identity Access Governance is running on SAP Business Technology Platform, Cloud Foundry environment (SAP BTP CF) and connects directly to the SAP SuccessFactors target system.

  • IAS and IPS: Identity Authentication and Identity Provisioning are bundled in the "SAP Cloud Identity Services" (CIS) running on SAP BTP Cloud Foundry.

    • Identity Authentication is responsible for authentication (acts as central authentication component) on SAP BTP/cloud systems, therefore, it is also required for SAP Cloud Identity Access Governance and the respective SAP Cloud Identity Access Governance user authentication.

    • Identity Provisioning acts as proxy (see "IPS_PROXY") for several cloud systems and connects such systems with SAP Cloud Identity Access Governance. Therefore, it is mainly used for user provisioning.

      Note

      Identity Provisioning is not mandatory and is not used in this integration scenario. SAP Cloud Identity Access Governance has a direct connection to SAP SuccessFactors.

Integration of SAP Cloud Identity Access Governance with SAP Analytics Cloud

Diagram displaying the Architecture Overview - Integration of SAP Cloud Identity Access Governance with SAP Analytics Cloud

The architecture shows all components/systems involved in the integration between SAP Cloud Identity Access Governance and SAP Analytics Cloud. As you can see in the figure, Architecture Overview - Integration of SAP Cloud Identity Access Governance with SAP Analytics Cloud, we have a cloud-only scenario – there are no on-premise systems/components involved:

On-premise installed components:

There is no involvement of on-premise systems needed for this scenario.

Cloud components:

  • SAP Cloud Identity Access Governance: SAP Cloud Identity Access Governance is running on SAP Business Technology Platform, Cloud Foundry environment (SAP BTP CF) and connects to SAP Analytics Cloud target system through Identity Provisioning.

  • IAS and IPS: Identity Authentication and Identity Provisioning are bundled in the "SAP Cloud Identity Services" (CIS) running on SAP BTP Cloud Foundry.

    • Identity Authentication is responsible for authentication (acts as central authentication component) on SAP BTP/cloud systems; therefore, it is also required for SAP Cloud Identity Access Governance and the respective SAP Cloud Identity Access Governance user authentication.

    • Identity Provisioning acts as proxy (see "IPS_PROXY") for several cloud systems and connects such systems with SAP Cloud Identity Access Governance. Therefore, it is mainly used for user provisioning. For the integration setup with SAP Analytics Cloud, the Identity Provisioning is a crucial component, because there is no direct connection between SAP Cloud Identity Access Governance and SAP Analytics Cloud possible. The communication between both systems (SAP Cloud Identity Access Governance and SAP Analytics Cloud) can be achieved through the IPS_PROXY in between.

Prerequisites for the Integration Setup Between SAP Cloud Identity Access Governance and SAP SuccessFactors

General SAP Cloud Identity Access Governance Prerequisites

  1. Initial SAP Cloud Identity Access Governance setup is done.
    • SAP Cloud Identity Access Governance subaccount created
    • SAP Cloud Identity Access Governance service is subscribed in the subaccount
  2. Trust connection between Identity Authentication and SAP Cloud Identity Access Governance is established and Identity Authentication setup is done.
    • Establish trust configuration (on both ends: SAP Cloud Identity Access Governance and Identity Authentication)
    • Create an application for SAP Cloud Identity Access Governance in Identity Authentication
    • Create a system user in Identity Authentication (used for SCI user group sync in SAP Cloud Identity Access Governance)

Specific Integration Prerequisites

  1. The URL of the SAP SuccessFactors API Service is known.

    The URL is used when you are creating a destination in SAP Cloud Identity Access Governance to the SAP SuccessFactors target system.

    The specific URL of the SAP SuccessFactors API Service can be provided by the persons responsible for the SAP SuccessFactors tenant.

    Further assistance and information can be found in SAP Note 2215682 - Successfactors API URLs for different Data Centers (https://launchpad.support.sap.com/#/notes/2215682).

  2. Authenticated user with proper authorizations is created in the SAP SuccessFactors target system for the specific Company ID.

    Note

    This is only necessary if you are using BasicAuthentication as your authentication method for the creation of a destination in SAP Cloud Identity Access Governance.

    The user is used during the creation of a destination in the SAP Cloud Identity Access Governance to the SAP SuccessFactors target system.

    An authenticated user with proper authorizations is required to allow the communication between SAP Cloud Identity Access Governance (and respective services) and the SAP SuccessFactors target system.

    The following authorizations and roles are mandatory and have to be assigned to the respective user in the SAP SuccessFactors target system:

    On the SAP SuccessFactors tenant, open the Admin Center and navigate to the following:

    • Manage Role-Based Permission Access tool

      Create a new user or provide an existing user with the privilege, Role-Based Permission Admin.

    • Manage Permission Roles tool

      Create a new role or choose an existing role to which the user is already assigned.

      On the Permission Role Detail screen, choose Permission settings.

      From the User Permissions list, choose Manage User and select the User Account OData entity setting.

Demo: Prerequisites for the integration setup between SAP Cloud Identity Access Governance and SAP SuccessFactors

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.

Integration between SAP Cloud Identity Access Governance and SAP SuccessFactors

Screenshot showing Steps for the Integration Between SAP Cloud Identity Access Governance and SAP SuccessFactors

Integration Step 1: Create Destination for the SAP SuccessFactors System in the SAP Cloud Identity Access Governance Subaccount

Screenshot showing steps to Create Destination for the SAP SuccessFactors System in the SAP Cloud Identity Access Governance Subaccount
  1. Open SAP BTP cockpit.
  2. Open Subaccounts and choose your SAP Cloud Identity Access Governance subaccount.
  3. Navigate to Connectivity → Destinations.
  4. Create a New Destination using the button.
  5. Provide the following information:
    • Name: SuccessFactorsEC

      Note

      If you are using SAP SuccessFactors as a source system, you must enter the destination name exactly as described; in all other cases, you can use any desired name.
    • Type: HTTP
    • Description: <Any description>
    • URL: <URL of the SAP SuccessFactors API Server>

      Note

      The URL should end with the suffix / (a trailing slash).

      More information on Successfactors API URLs can be found in the following SAP Note: 2215682 - Successfactors API URLs for different Data Centers

    • Proxy Type: Internet
    • Additional Properties:

      Use default JDK truststore: TRUE

    • Authentication: <Choose your authentication method>

      Note

      Based on your requirements, you have to provide specific authentication data.

      In case you are using BasicAuthentication, consider the following:

      User: <Authenticated user created in the SAP SuccessFactors system with proper authorizations (see the "Specific Integration Prerequisites" section under "Prerequisites for the Integration Setup Between SAP Cloud Identity Access Governance and SAP SuccessFactors")>

      Remember to append the Company ID to the authenticated user, for example, <UserID@CompanyID>.
    • Password: <PW of the authenticated user>.
  6. Choose Save.

Demo: Create Destination for the SAP SuccessFactors System in the SAP Cloud Identity Access Governance Subaccount

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.

Integration Step 2: Create Application Instance for SAP SuccessFactors System in SAP Cloud Identity Access Governance Fiori Launchpad

Screenshot showing steps to Create Application Instance for SAP SuccessFactors System in SAP Cloud Identity Access Governance Fiori Launchpad
  1. Open the SAP Cloud Identity Access Governance Fiori Launchpad.
  2. Navigate to Administration → Applications.
  3. Add a new Application by using the + button.
  4. Provide the following information:
    • Application name: <Any application name>

      Note

      It is generally recommended to use the same name for the previously created destination in SAP Cloud Identity Access Governance and the new application.
    • Description: <Any description>
    • Application Type: SAP SuccessFactors
    • HCP Destination: <Name of the created SAP Cloud Identity Access Governance subaccount destination>

      Note

      This field is case sensitive.
  5. Choose Save.

Demo: Create Application Instance for SAP SuccessFactors in SAP Cloud Identity Access Governance Fiori Launchpad

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.

Integration Step 3: Sync Data from the SAP SuccessFactors System to SAP Cloud Identity Access Governance Using the Job Scheduler App in the SAP Cloud Identity Access Governance Fiori Launchpad

Screenshot showing steps to Create Application Instance for SAP SuccessFactors System in SAP Cloud Identity Access Governance Fiori Launchpad

Schedule the following 2 job categories:

  • Repository Sync: used to sync all relevant data from the SAP SuccessFactors target system to SAP Cloud Identity Access Governance, so that it can be used in the access request service
  • Provisioning: used to trigger the provisioning of SAP Cloud Identity Access Governance access request

    Note

    The provisioning job is not needed for the integration scenario (this applies to all integration scenarios). The integration completes with the repository sync job.

Perform the following steps:

  1. Open the SAP Cloud Identity Access Governance Fiori Launchpad.
  2. Navigate to Administration → Job Scheduler.
  3. Schedule the job and provide the following information:
    • Job name: <Any Job name>

      Note

      No spaces are allowed.
    • Job category: Repository Sync and/or Provisioning
    • Recurring Job: Yes or No, depending on your needs
    • Start immediately: Yes or No, depending on your needs
    • Application Type: SAP SuccessFactors

      Note

      This field is only visible and has to be filled out for Repository Sync.
    • Application: <Previously created instance in SAP Cloud Identity Access Governance Fiori Launchpad>

      Note

      This field is only visible and has to be filled out for Repository Sync.
  4. Choose Schedule Job.
  5. Check the job status in the Job History List.

For more information, see SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/123e2bfaabc24f5c98e51a81f2ed5728.html?locale=en-US.

Prerequisites for the Integration Setup Between SAP Cloud Identity Access Governance and SAP Analytics Cloud

General SAP Cloud Identity Access Governance Prerequisites

  1. Initial SAP Cloud Identity Access Governance setup is done.
    • SAP Cloud Identity Access Governance subaccount created
    • SAP Cloud Identity Access Governance service is subscribed in the subaccount
  2. Trust connection between Identity Authentication and SAP Cloud Identity Access Governance is established and Identity Authentication setup is done.
    • Establish trust configuration (on both ends: SAP Cloud Identity Access Governance and Identity Authentication)
    • Create an application for SAP Cloud Identity Access Governance in Identity Authentication
    • Create a system user in Identity Authentication (used for SCI user group sync in SAP Cloud Identity Access Governance)
  3. Identity Provisioning setup done and Identity Authentication user created with the proper authorization (Manage Identity Provisioning) to access Identity Provisioning.

Specific Integration Prerequisites

  1. Identity Authentication administrator user (type: SYSTEM) is created with the option Access Proxy System API enabled.

    This user is used for IPS_PROXY destination in SAP Cloud Identity Access Governance subaccount.

    Regarding the authorizations of the Identity Authentication administrator user (type: SYSTEM), refer to SAP Note 3233319 (https://launchpad.support.sap.com/#/notes/3233319).

    See the section "Case b) A bundle IPS on the SAP Cloud Identity (SCI) platform was created or updated for use with IAG", Step 2.

    For more information on Identity Authentication user / admin user authorizations, see the following pages on the SAP Help Portal:

  2. OAuth token service is configured in SAP Analytics Cloud.

    This is used for the creation of a proxy system in Identity Provisioning.

    Note

    Regarding the Identity Provisioning setup and the IPS_PROXY destination creation: in case Identity Provisioning is running on the SAP BTP Neo environment, you have to perform the steps described on the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/ae06bfacfbba43679b0ca802ca3b58d4.html?locale=en-US

Demo: Prerequisites for the integration setup between SAP Cloud Identity Access Governance and SAP Analytics Cloud

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.

Integration between SAP Cloud Identity Access Governance and SAP Analytics Cloud

Screenshot showing Steps for the Integration between SAP Cloud Identity Access Governance and SAP Analytics Cloud

Integration Step 1: Create proxy system of SAP Analytics Cloud in Identity Provisioning

Screenshot showing steps to Create proxy system of SAP Analytics Cloud in Identity Provisioning
  1. Open the Identity Authentication Admin console.

    Alternative option: You can call the Identity Provisioning directly by using https://<Identity Authentication-Host>/ips

  2. Navigate to Identity Provisioning.
  3. Select Proxy Systems.
  4. Create a new proxy system using the + Add button.
  5. Provide the following information:

    Details tab:

    • Type: SAP Analytics Cloud
    • System Name: <Any name>
    • Destination Name: <Cannot be filled out>
    • Description: <Any description>

    Read/Write Transformation:

    Exchange the default transformations by the transformations provided from the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/86a23ca5808048789d76b7e6699ddfa7.html?locale=en-US

    Note

    The mentioned transformation is only an example – you have to adjust the transformation content based on your requirements and specific needs.

    Properties:

    • Authentication: BasicAuthentication
    • csrf.token.path: /api/v1/scim/Users?count=1
    • ips.trace.failed.entity.content: true
    • OAuth2TokenServiceURL: <OAuth token service configured in SAP Analytics Cloud>

      Note

      In SAP Analytics Cloud, choose System → Administration → App Integration and select Add a new OAuth Client. Details are described in the section Prerequisites for the Integration Setup Between SAP Cloud Identity Access Governance and SAP Analytics Cloud.
    • ProxyType: Internet
    • scim.api.csrf.protection: enabled
    • TrustAll: true
    • Type: HTTP
    • URL: <SAP Analytics Cloud tenant URL>
    • User: <Created client ID to retrieve the OAuth access token>
    • Password: <Client secret in SAP Analytics Cloud>
  6. Choose Save.
  7. Copy the external system ID in the URL (see step 7 in the figure above).

    This external system ID is used to set up the SAP Analytics Cloud instance in the Applications app within the SAP Cloud Identity Access Governance Fiori Launchpad.
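As an added example (not part of this lesson and not SAP's own tooling), the following Python script turns the field rules from two steps into pre-flight checks: Integration Step 1 of the SAP SuccessFactors integration (destination name SuccessFactorsEC, trailing slash on the URL, UserID@CompanyID for BasicAuthentication, the Use default JDK truststore property) and the proxy system properties for SAP Analytics Cloud listed above (csrf.token.path, scim.api.csrf.protection, OAuth token service URL). It assumes the values are available as key=value lines, which is how the SAP BTP cockpit exports a destination; all hostnames, user names and secrets in it are constructed placeholders, and the helper names are hypothetical. TrustAll=true is reported as a warning rather than an error, because that property skips server certificate validation and a practitioner should know it is in effect.

```python
"""Pre-flight checks for the SAP SuccessFactors destination and the
SAP Analytics Cloud proxy system properties (added example, not SAP code)."""
import re
from urllib.parse import urlparse

# Constructed sample: a destination export with the values the lesson prescribes.
SF_DESTINATION_OK = """\
Name=SuccessFactorsEC
Type=HTTP
Description=SAP SuccessFactors API server
URL=https://api.example.successfactors.invalid/
ProxyType=Internet
Authentication=BasicAuthentication
User=sfapi_user@EXAMPLECOMPANY
Password=placeholder-not-a-real-secret
Use default JDK truststore=TRUE
"""

# Constructed sample: the properties of the SAP Analytics Cloud proxy system in IPS.
SAC_PROXY_OK = """\
Authentication=BasicAuthentication
csrf.token.path=/api/v1/scim/Users?count=1
ips.trace.failed.entity.content=true
OAuth2TokenServiceURL=https://sac.example.invalid/oauth/token
ProxyType=Internet
scim.api.csrf.protection=enabled
TrustAll=true
Type=HTTP
URL=https://sac.example.invalid
User=example-oauth-client-id
Password=placeholder-not-a-real-secret
"""


def parse_properties(text):
    """Parse key=value lines; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _check_https_url(props, key, errors, trailing_slash=False):
    """Require an absolute https URL; optionally require the trailing slash."""
    url = props.get(key, "")
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        errors.append(f"{key} must be an https URL, got {url!r}")
    elif trailing_slash and not url.endswith("/"):
        errors.append(f"{key} should end with the suffix /")


def check_sf_destination(props, used_as_source_system=True):
    """Return (errors, warnings) for the SAP SuccessFactors destination."""
    errors, warnings = [], []
    if used_as_source_system and props.get("Name") != "SuccessFactorsEC":
        errors.append("Name must be exactly SuccessFactorsEC when SAP SuccessFactors is a source system")
    if props.get("Type") != "HTTP":
        errors.append("Type must be HTTP")
    if props.get("ProxyType") != "Internet":
        errors.append("ProxyType must be Internet")
    _check_https_url(props, "URL", errors, trailing_slash=True)
    if props.get("Use default JDK truststore", "").upper() != "TRUE":
        errors.append("Additional property 'Use default JDK truststore' must be TRUE")
    if props.get("Authentication") == "BasicAuthentication":
        # The technical user must carry the company ID: <UserID@CompanyID>
        if not re.fullmatch(r"[^@\s]+@[^@\s]+", props.get("User", "")):
            errors.append("User must have the form UserID@CompanyID")
        if not props.get("Password"):
            errors.append("Password must not be empty for BasicAuthentication")
    return errors, warnings


def check_sac_proxy(props):
    """Return (errors, warnings) for the SAP Analytics Cloud proxy system properties."""
    errors, warnings = [], []
    expected = {
        "Authentication": "BasicAuthentication",
        "csrf.token.path": "/api/v1/scim/Users?count=1",
        "scim.api.csrf.protection": "enabled",
        "ProxyType": "Internet",
        "Type": "HTTP",
    }
    for key, value in expected.items():
        if props.get(key) != value:
            errors.append(f"{key} must be {value!r}, got {props.get(key)!r}")
    _check_https_url(props, "URL", errors)
    _check_https_url(props, "OAuth2TokenServiceURL", errors)
    for key in ("User", "Password"):
        if not props.get(key):
            errors.append(f"{key} (OAuth client ID / client secret) must be set")
    if props.get("TrustAll", "").lower() == "true":
        # Reported, not rejected: the lesson sets it, but it skips certificate validation.
        warnings.append("TrustAll=true skips server certificate validation")
    return errors, warnings


def check_job_name(name):
    """Job Scheduler job names must be non-empty and contain no spaces."""
    return bool(name) and " " not in name


if __name__ == "__main__":
    for label, text, check in (("SF destination", SF_DESTINATION_OK, check_sf_destination),
                               ("SAC proxy", SAC_PROXY_OK, check_sac_proxy)):
        errors, warnings = check(parse_properties(text))
        print(label, "errors:", errors, "warnings:", warnings)
```

Run it against the exported properties of your own destination before creating the application instance; an empty error list for both checks means the values follow the field rules of this lesson, and the warning list tells you which relaxed transport settings are in effect.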

Demo: Create Proxy System of SAP Analytics Cloud in Identity Provisioning

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/86a23ca5808048789d76b7e6699ddfa7.html?locale=en-US

Integration Step 2: Create IPS_PROXY destination in the SAP Cloud Identity Access Governance Subaccount

Screenshot showing steps to Create IPS_PROXY destination in the SAP Cloud Identity Access Governance Subaccount

Create an IPS_PROXY destination in the SAP Cloud Identity Access Governance Subaccount. Refer to the steps described in Unit 2: Initial Setup for SAP Cloud Identity Access Governance → Lesson 3: Setting Up SAP Cloud Identity Services → Identity Provisioning Setup.

For the specifics of creating the destination for the SAP Analytics Cloud proxy system, watch the demo.

Demo: Create IPS_PROXY Destination in the SAP Cloud Identity Access Governance Subaccount

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.

For more information, see the following SAP Note: https://launchpad.support.sap.com/#/notes/3233319 - especially "Case b) A bundle IPS on the SAP Cloud Identity (SCI) platform was created or updated for use with IAG".

Integration Step 3: Create Application Instance for SAP Analytics Cloud System in SAP Cloud Identity Access Governance Fiori Launchpad

Screenshot showing steps to Create Application Instance for SAP Analytics Cloud System in SAP Cloud Identity Access Governance Fiori Launchpad

Perform the following steps:

  1. Open the SAP Cloud Identity Access Governance Fiori Launchpad.
  2. Navigate to Administration → Applications.
  3. Add a new Application by using the + button.
  4. Provide the following information:
    • Application name: <Any system name>

      Note

      It is generally recommended to use the same name for the previously created destination in SAP Cloud Identity Access Governance and the new system.
    • Description: <Any description>
    • Application Type: SAP Analytics Cloud
    • External System ID: <System ID of the created proxy system destination of SAP Analytics Cloud in Identity Provisioning>

      Note

      The external system ID is published in the URL of the respective proxy system.
    • HCP Destination: filled in automatically after you save the system entry

      Note

      In this case, it is the IPS_PROXY destination of the SAP Cloud Identity Access Governance subaccount.
  5. Choose Save.

Demo: Create Application Instance for SAP Analytics Cloud in SAP Cloud Identity Access Governance Fiori Launchpad

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.

Integration Step 4: Sync Data from the SAP Analytics Cloud to SAP Cloud Identity Access Governance Using the Job Scheduler App in the SAP Cloud Identity Access Governance Fiori Launchpad

Screenshot showing steps to Sync Data from the SAP Analytics Cloud to SAP Cloud Identity Access Governance Using the Job Scheduler App in the SAP Cloud Identity Access Governance Fiori Launchpad

Schedule the following 2 job categories:

  • Repository Sync: used to sync all relevant data from the target system to SAP Cloud Identity Access Governance, so that it can be used in the access request service
  • Provisioning: used to trigger the provisioning of SAP Cloud Identity Access Governance access request

    Note

    The provisioning job is not needed for the integration scenario (this applies to all integration scenarios). The integration completes with the repository sync job.

Perform the following steps:

  1. Open the SAP Cloud Identity Access Governance Fiori Launchpad.
  2. Navigate to Administration → Job Scheduler.
  3. Schedule the job and provide the following information:
    • Job name: <Any Job name>

      Note

      No spaces are allowed.
    • Job category: Repository Sync
    • Recurring Job: Yes or No, depending on your needs
    • Start immediately: Yes or No, depending on your needs
    • Application Type: SAP Analytics Cloud

      Note

      This field is only visible and has to be filled out for Repository Sync.
    • Application: <Previously created instance in SAP Cloud Identity Access Governance Fiori Launchpad>

      Note

      This field is only visible and has to be filled out for Repository Sync.
  4. Choose Schedule Job.
  5. Check the job status in the Job History List.

For more information, see the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/4d0bacb6c3f0454cb88107ef806ddf43.html?locale=en-US