Describing the Identity Directory

Objective

After completing this lesson, you will be able to describe the Identity Directory in the context of the SAP Cloud Identity Services.

The Identity Directory

A user store is a system or database that stores information about users, such as their login credentials, personal information, and permissions. It is commonly used in software applications and websites to manage user accounts and access control. The user store allows the application to authenticate and authorize users and store and retrieve user-related data.

The SAP Cloud Identity Services are the default SAP Cloud services for authentication and user/group provisioning; hence, they are the default user store.

Several SAP integrations revolve around using SAP Cloud Identity Services, and their number is expected to increase over time. One of the most significant gains is the delivery of ready-to-use and secure cloud solutions from SAP. This makes it essential to have a single source of truth to manage user identities.

The Identity Authentication Service (IAS) and Identity Provisioning Service (IPS) have evolved into SAP Cloud Identity Services, now integrated through the common Identity Directory.

Diagram illustrating SAP Cloud Identity Services within the SAP Business Technology Platform. Features include Identity Directory, Provisioning, and Authentication. Labels: Intelligent Suite, Industry Cloud.

SAP Identity Directory is a central SAP Cloud Identity Services component that stores and manages users and groups. It's the source of truth for users who have or will have access to SAP Cloud applications.

The Identity Directory in SAP Cloud Identity Services is the persistence layer inside the services. It is a user store used to manage the identities and access rights of users within an organization. This component facilitates identity lifecycle flows and unlocks critical new features, such as a user store for newer SAP BTP applications.

Seen from outside the SAP landscape, it represents the central point of truth for users who have or will have access to SAP Cloud applications. Its SCIM 2.0 REST API allows you to programmatically access the directory's resources (users, groups, and custom schemas). It offers a central place for storing and managing users and groups. The Local Identity Directory connector of the Identity Provisioning service provisions these entities to and from the directory. APIs enable the customer to view predefined schemas and define custom schemas with the organization’s attributes.

You can use Identity Provisioning to read entities from user stores like Microsoft Active Directory or SAP Identity Management and replicate them in the directory. From there, you can provision them further to various cloud systems, like SAP S/4HANA Cloud.

Diagram showing SAP Cloud Identity Services with Identity Provisioning and Identity Directory connecting to both SAP Cloud Solutions and SAP On-Premise Solutions via SCIM. Third-party identity management is also supported.

For every newly created user, the directory generates a Global User ID—the unique user identifier across the landscape. This identifier can also be generated externally. Afterward, Identity Provisioning distributes the Global User ID to SAP Cloud applications, like SAP Task Center, which need the common user identifier in their integration scenarios.

For more information, see Global User ID in Integration Scenarios.
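As an added example (not SAP's code or part of this lesson), the following script validates a SCIM 2.0 ListResponse read from the directory's /Users endpoint before the users are handed to a provisioning job: it checks that every user carries a well-formed Global User ID and that no two users share one, since downstream applications rely on that identifier being unique across the landscape. The extension schema URN and attribute name used for the Global User ID, and the sample response, are assumptions constructed for the example.

```python
import json
import uuid

# Schema URNs from RFC 7644 (ListResponse) and RFC 7643 (core User).
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Assumption: the extension schema URN and attribute under which the directory
# exposes the Global User ID; adjust to what your tenant actually returns.
SAP_EXT = "urn:ietf:params:scim:schemas:extension:sap:2.0:User"
GLOBAL_ID_ATTR = "userUuid"

# Constructed sample ListResponse standing in for the output of GET /Users.
SAMPLE_RESPONSE = json.dumps({
    "schemas": [SCIM_LIST], "totalResults": 4,
    "Resources": [
        {"schemas": [SCIM_USER, SAP_EXT], "id": "1", "userName": "a.smith", "active": True,
         SAP_EXT: {GLOBAL_ID_ATTR: "7f3b2d1e-9c4a-4e8b-b0a1-5d6e7f8a9b0c"}},
        {"schemas": [SCIM_USER], "id": "2", "userName": "b.lee", "active": True},
        {"schemas": [SCIM_USER, SAP_EXT], "id": "3", "userName": "c.nguyen", "active": True,
         SAP_EXT: {GLOBAL_ID_ATTR: "7F3B2D1E-9C4A-4E8B-B0A1-5D6E7F8A9B0C"}},
        {"schemas": [SCIM_USER, SAP_EXT], "id": "4", "userName": "d.ortiz", "active": False,
         SAP_EXT: {GLOBAL_ID_ATTR: "not-a-uuid"}},
    ],
})

def is_valid_global_user_id(value):
    # Accept only a canonical hyphenated UUID (case-insensitive), the form distributed downstream.
    try:
        return str(uuid.UUID(str(value))) == str(value).lower()
    except ValueError:
        return False

def check_directory_users(raw_json):
    """Return (user, problem) pairs that should block onward provisioning."""
    doc = json.loads(raw_json)
    if SCIM_LIST not in doc.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    findings, seen = [], {}
    for res in doc.get("Resources", []):
        name = res.get("userName") or res.get("id")
        gid = res.get(SAP_EXT, {}).get(GLOBAL_ID_ATTR)
        if gid is None:
            findings.append((name, "missing Global User ID"))
        elif not is_valid_global_user_id(gid):
            findings.append((name, "malformed Global User ID"))
        elif gid.lower() in seen:  # the ID must be unique across the whole landscape
            findings.append((name, f"Global User ID duplicates {seen[gid.lower()]}"))
        else:
            seen[gid.lower()] = name
        if not res.get("active", True):
            findings.append((name, "inactive user; skip provisioning"))
    return findings
```

Run against a real tenant by replacing SAMPLE_RESPONSE with the JSON body of an authenticated GET on the directory's SCIM /Users endpoint; an empty findings list means the batch is consistent enough to provision.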

Identity Directory can be used in the following use cases:

For a hybrid landscape, SAP recommends SAP Identity Management (IDM) for compliant identity management of a customer’s on-premise systems; SAP Identity Management is optimized for on-premise systems. The SAP Cloud IPS is the recommended solution for identity lifecycle processes and provisioning to cloud systems. SAP customers with existing SAP IDM installations can easily integrate them with SAP Cloud IPS.

Diagram showing the integration of SAP Identity Management with SAP Cloud Platform. End user workflows connect to SAP NetWeaver, Business Suite, and third party apps via SCIM interface or API through the cloud.

Benefits of integrating SAP IDM and the SAP Cloud IPS include:

  • An existing SAP Identity Management installation is unaffected when enabling hybrid identity management.
  • Cloud-based business applications become available as supported systems in SAP IDM.
  • SAP IDM capabilities, such as self-service workflow, are available.
  • SAP IDM reporting and auditing capabilities are available to cover cloud applications.
  • SAP IDM and SAP Cloud IPS both support SCIM standards and interfaces for SCIM-based systems.

Note

Maintenance for SAP Identity Management (SAP IDM), our on-premises tool for managing the identity lifecycle, ends in 2027. Extended maintenance is available until 2030. This extension gives your organization ample time to plan and execute a well-considered migration strategy.

Further information can be found at https://launchpad.support.sap.com/#/notes/3268799.

Lesson Summary

You can now describe the Identity Directory in the context of the SAP Cloud Identity Services.
