Introducing Identity Provisioning

Objectives
After completing this lesson, you will be able to:

  • Introduce identity provisioning

Identity Provisioning

Overview

The Identity Provisioning service automates identity lifecycle processes. It helps you provision identities and their authorizations to various cloud and on-premise business applications.

Environment

Identity Provisioning tenants run on the infrastructure of SAP Cloud Identity Services and the SAP BTP, Neo environment.

Features

User and Group Provisioning
Provision users and groups between multiple supported cloud and on-premise systems, both SAP and non-SAP.
User and Group Filtering
Configure default transformations or filtering properties to control which data is provisioned and which is skipped.
Full and Delta Read Mode
Run a provisioning job in full mode to read all entities from a source system, or in delta read mode to read only the data modified since the last run.
Job Logging
View and export job logs from the Identity Provisioning administration console. Logs display details about the job status and the provisioned entities.
Notifications
Subscribe to a source system to receive notifications for the status of provisioning jobs.

Use Cases

Identity Provisioning supports the following use cases:

  • Provisioning from Source to Target Systems

    The main use case of Identity Provisioning is to read users and groups from a source system and provision them to a target system. Filtering and/or mapping are applied during job execution.

  • Hybrid Integration with Identity Management Systems

    Identity Provisioning can be used for integrating cloud solutions with on-premise or cloud identity management systems that support SCIM 2.0 standard, such as SAP Identity Management and SAP Cloud Identity Access Governance.

    In a hybrid integration scenario, Identity Provisioning acts as a proxy between a cloud solution and an on-premise or cloud system. This means Identity Provisioning is used for configuring and exposing the cloud solution as a proxy system and connecting it to the external identity management system, without a direct connection between the two.

  • Real-Time Provisioning from Identity Authentication

    Identity Provisioning can be used for immediate, real-time provisioning of Identity Authentication users to any target system. Unlike the standard provisioning, where reading and writing of users is triggered by jobs, real-time provisioning is triggered by events (such as, user self-registration or user modification in Identity Authentication).

  • Storing Users and Groups in Local Identity Directory

    Identity Provisioning is mainly used for provisioning users and groups. However, it can also be used for storing users and groups when a specific type of system, the Local Identity Directory, is configured. In a typical use case, the Local Identity Directory is first configured as a target system, to which users and groups are provisioned, and then configured as a source system, from which users and groups are read and provisioned to further target systems.

    The identity directory provides a System for Cross-domain Identity Management (SCIM) 2.0 REST API for managing resources (users, groups, and custom schemas).

Restriction

Local Identity Directory is not available in bundle tenants.

Prerequisites

To use Identity Provisioning, you need to obtain a tenant. The service provides two types of tenants - bundle and standalone.

Tools

You can access Identity Provisioning administration console as an HTML5 application. Depending on your Identity Provisioning tenant type, you can do this as follows:

  • Access Identity Provisioning UI of Bundle Tenants
  • Access Identity Provisioning UI of Standalone Tenants

Caution

Effective October 20, 2020, Identity Provisioning is offered bundled with SAP cloud solutions. You can obtain and use it, along with Identity Authentication, as part of a bundled SAP cloud solution that you need to purchase. The service is no longer sold as a standalone product. Existing customers of standalone Identity Provisioning can use it as-is until the end of their contracts.

Regional Availability

You can access Identity Provisioning tenants on the infrastructure of SAP Cloud Identity Services and the SAP BTP, Neo environment.

Tenant Model

SAP Cloud Identity Services – Identity Provisioning provides two types of tenants - bundle and standalone.

Although bundle and standalone tenants differ in several aspects (pricing, since Identity Provisioning is free of charge in bundle tenants; connector availability; and the level of access to the SAP BTP cockpit), the provisioning functionality is the same.

Both types of tenants can run on the SAP Cloud Identity Services infrastructure and on SAP BTP, Neo environment.

Bundle Tenant

A bundle tenant is an instance of Identity Provisioning that comes with a set of pre-configured provisioning systems relevant to one or more bundled SAP cloud solutions.

Caution

Effective March 15, 2022, new Identity Provisioning bundle tenants are created on the infrastructure of SAP Cloud Identity Services only. Existing customers of bundle tenants on Neo environment can continue using them as-is.

When an SAP cloud solution bundles with SAP Cloud Identity Services, you are entitled to receive Identity Authentication and Identity Provisioning tenants without additional costs on the purchase of the corresponding SAP cloud solution's license. These Identity Authentication and Identity Provisioning tenants come pre-configured with the SAP cloud solution.

You obtain an Identity Provisioning bundle tenant with a set of provisioning systems (source, target and proxy) for which you have a license. Those systems are pre-configured in your tenant. For example, when SAP SuccessFactors is bundled with Identity Provisioning, the bundle tenant is pre-configured with SAP SuccessFactors (source system), SAP Analytics Cloud (target system), and Identity Authentication, SAP AS ABAP and SAP S/4HANA on-premise (source and target systems). All source and target systems are also available as proxy systems.

The set of provisioning systems in an Identity Provisioning bundle tenant is restricted. The only exception is the SAP Cloud Identity Access Governance bundle, which includes all provisioning systems supported by Identity Provisioning, except for Local Identity Directory.

A bundle tenant can be extended when you purchase more bundled SAP cloud solutions. In this case, you don't get additional tenants.

Regardless of how many SAP cloud solutions you have purchased, you are entitled to two Identity Provisioning bundle tenants – one for testing and one for productive purposes.

Depending on the infrastructure or the environment your bundle tenant runs on, you can access and operate it as follows:

SAP Cloud Identity Services Infrastructure
Bundle tenants created after March 15, 2022 run on SAP Cloud Identity Services infrastructure.
The Identity Provisioning admin access is fully controlled and configured in the administration console of Identity Authentication. This access is based on roles which are assigned to admin users in the Users and Authorizations screen of the Identity Authentication administration console.
SAP BTP, Neo Environment
Bundle tenants created before March 15, 2022 run on SAP BTP, Neo environment.
Administrators of bundle tenants can only access their Identity Provisioning subaccount in SAP BTP cockpit to register OAuth clients, create connectivity destinations and configure Cloud Connector connections. This access is based on roles which are assigned to admin users in the Authorization tile of the Identity Provisioning administration console.
Standalone Tenant

A standalone tenant allows you to use Identity Provisioning as a separate (standalone) product.

Note

Effective October 20, 2020, Identity Provisioning is offered bundled with SAP cloud solutions. You can obtain and use it, along with Identity Authentication, as part of a bundled SAP cloud solution that you need to purchase. The service is no longer sold as a standalone product. Existing customers of standalone Identity Provisioning can use it as-is until the end of their contracts.

To check the list of SAP cloud solutions that bundle Identity Provisioning.

The scope of the standalone tenant is not restricted. It can be used for provisioning users and groups to and from all systems supported by the Identity Provisioning service.

Depending on the infrastructure or the environment your standalone tenant runs on, you can access and operate it as follows:

SAP Cloud Identity Services Infrastructure
Identity Provisioning service purchased between September 1, 2020 and October 20, 2020 runs on the infrastructure of SAP Cloud Identity Services.
You use a tenant that provides you access to both Identity Provisioning and Identity Authentication. You can access Identity Provisioning in all regions and data centers where the Identity Authentication is running.
SAP BTP, Neo Environment
Identity Provisioning service purchased before September 1, 2020 runs on SAP BTP, Neo environment.
You access the Identity Provisioning admin console through SAP Business Technology Platform subaccounts in the SAP BTP cockpit. You can access Identity Provisioning in all regions available for SAP BTP, Neo environment.

Tenant Infrastructure

Identity Provisioning bundle tenants can run on the infrastructure of SAP Cloud Identity Services and the SAP BTP, Neo environment.

Delivering bundle tenants on the infrastructure of SAP Cloud Identity Services improves the integration between the group of services that provide cloud identity capabilities: Identity Authentication, Identity Provisioning, and Identity Directory. The Identity Provisioning admin access is fully controlled and configured in the administration console of Identity Authentication, where customers can easily benefit from its numerous features, such as setting up single sign-on for corporate identity providers, enabling two-factor authentication and others.

Sharing the same infrastructure paves the way for tighter integration and common features in the future.

SAP Cloud Identity Infrastructure

Bundle tenants on this infrastructure come with the following specifics:

  • The Identity Provisioning tenant URL uses the host of the corresponding Identity Authentication tenant of the customer. It follows the pattern: https://<ias-host>/ips.

    An example of this is: https://best-run.accounts.ondemand.com/ips.

  • The Identity Provisioning administrator authenticates to the corresponding Identity Authentication tenant of the customer with the admin user that has the Manage Identity Provisioning role enabled in the Identity Authentication admin console.

Further Identity Provisioning administration access, such as authorizations to access API for real-time provisioning and access API for provisioning identities using proxy systems, is granted in the Identity Authentication admin console.

SAP BTP, Neo Environment

Bundle tenants on this environment come with the following specifics:

  • The Identity Provisioning tenant URL uses the bundle tenant ID and the region host available for SAP BTP, Neo environment. It follows the pattern: https://ips-<consumer_account>.dispatcher.<region_host>/webapp/index.html, where <consumer_account> is the Identity Provisioning bundle tenant ID.

    An example of this is: https://ips-a12345sdf678.dispatcher.ca1.hana.ondemand.com/webapp/index.html
  • The Identity Provisioning administrator authenticates to the admin console of the service with his or her S-user credentials provided in the welcoming onboarding email from SAP. The admin user has the Manage Identity Provisioning role enabled in the Identity Provisioning admin console.

Further Identity Provisioning administration access, such as authorizations to register OAuth clients, create connectivity destinations and configure Cloud Connector connections, is granted on the Authorizations screen in the Identity Provisioning admin console.

Regional Availability

You can access Identity Provisioning in all regions available for SAP BTP, Neo environment. The only exception is standalone tenants purchased between September 1, 2020 and October 20, 2020, which you can access in all regions and data centers where Identity Authentication is running.

Regional Availability

Tenant Type | SAP BTP Neo Environment | Infrastructure of SAP Cloud Identity | Details
Bundle tenants (created before 15.03.2022) | Yes | No | Access: All Neo regions and data centers.
Bundle tenants (created after 15.03.2022) | No | Yes | Identity Provisioning and Identity Authentication are running on the same SAP Cloud Identity infrastructure. Access: All regions and data centers where Identity Authentication is running.
Standalone tenants (purchased before 01.09.2020) | Yes | No | Existing customers can use standalone tenants as-is until the end of their contracts. Access: All Neo regions and data centers.
Standalone tenants (purchased between 01.09.2020 and 20.10.2020) | No | Yes | Identity Provisioning and Identity Authentication are running on the same SAP Cloud Identity infrastructure. Access: All regions and data centers where Identity Authentication is running.
Standalone tenants (after 20.10.2020) | No | No | Identity Provisioning can no longer be purchased as a standalone product.

Disaster Recovery/High Availability

Disaster recovery (DR) and high availability (HA) are based on the capabilities of the underlying infrastructure.

SAP Cloud Identity Services – Identity Provisioning is a multi-tenant system where tenants share the hardware and software and use dedicated (and isolated) database instances for persistence.

Disaster

A disaster is only declared by SAP when there is a loss of utilities and services and uncertainty on whether utilities and services can be restored within a reasonable period of time. As long as the production site has power and is connected to the Internet, it will not be considered a disaster.

Emergency incidents are assessed by SAP Business Technology Platform and SAP Corporate Infrastructure Services. An SAP management member with proper authorization must officially declare a disaster in order to initiate a disaster recovery plan.

Operations from the "disaster recovery site" could last anywhere from a few weeks to many months. Initiation of the failback plan is at SAP’s sole discretion.

SAP BTP, Neo Environment

Your bundle or standalone tenant is running on SAP BTP, Neo environment if:

  • Your bundle tenant is created before March 15, 2022.
  • Your Identity Provisioning is purchased as a standalone product before September 1, 2020.

The Identity Provisioning service uses standard disaster recovery. Backups (complete data and log) are kept on a secondary location for the last 14 days, and are deleted afterward.

Note

High availability is not supported.

SAP Cloud Identity Infrastructure

Your bundle or standalone tenant is running on the infrastructure of SAP Cloud Identity Services if:

  • Your bundle tenant is created after March 15, 2022.
  • Your Identity Provisioning is purchased as a standalone product between September 1, 2020 and October 20, 2020.

Enhanced disaster recovery and high availability are fully supported for your tenants.

Disaster recovery and high availability are available only for the regions where Identity Authentication and Identity Provisioning share the same infrastructure and both services are enabled in a common tenant.

High Availability – Single Region Setup

All deployments which have one data center support replication of the data between two zones within the same region.

High Availability/Disaster Recovery – Multi-Region Setup

Country/regions with two data centers operate in high availability (HA) and disaster recovery (DR) mode among the respective data centers. Tenants located in these country/regions are distributed among the data centers there.

Identity Provisioning uses Akamai GTM to route the traffic to a failover data center in case of any issues in the primary data center. This principle covers both the HA and DR setup.
