Connecting SAP Identity Management (IdM) to the Cloud

Objectives

After completing this lesson, you will be able to:

  • Connect SAP Identity Management (IdM) to the Cloud

SAP Identity Management (IdM)


SAP IdM maintains user data securely and consistently. It supports customers by implementing integrated identity lifecycle scenarios with SAP's Cloud or on-premise HR solutions: SAP SuccessFactors solutions (Cloud) and SAP ERP Human Capital Management (on-premise).

SAP IdM provides the following functionality:

  • Integrated business processes
    • Integration with SAP SuccessFactors solutions and SAP ERP automates user access provisioning based on current business roles
    • Built-in compliance: the process integrates with SAP Access Control for segregation-of-duties conflict analysis
  • Improved productivity
    • Self-service for end-user password reset
    • Self-service for end-user access request
  • Improved security
    • Reduces risk with centralized user identity management across SAP and non-SAP solutions
    • Automatically revokes or adapts access when a person leaves a company or in case of an internal move

Hybrid Scenario with SAP IdM and SAP IPS

SAP IdM is recommended for on-premise landscapes, as it is optimized for on-premise applications in terms of customization, performance, and similar criteria.

Identity provisioning is recommended for Cloud systems as it:

  • Offers a deployment model and simplicity suitable for Cloud-based business applications.
  • Allows customers to efficiently on-board new applications.

Recommendations for hybrid scenarios:

  • Customers of SAP IdM can extend their identity lifecycle management to the Cloud using identity provisioning.
  • Integration of SAP IdM with identity provisioning allows customers to benefit from the advantages of both methods.

The benefits provided are as follows:

  • An existing SAP IdM installation is not affected when enabling hybrid identity management.
  • Cloud-based business applications become available as supported systems in SAP IdM.
  • SAP IdM capabilities such as self-service, workflows, or business role management are still available in the hybrid scenarios.
  • SAP IdM capabilities for reporting and auditing purposes are reused to cover the Cloud.

Cloud Connectivity Service


Cloud connectivity provides the following services:

  • It establishes a secure VPN connection between the SAP Business Transformation Platform and on-premise systems
  • No changes to the existing corporate firewall configuration are required
  • It initiates encrypted connections to the Cloud application from inside the on-premise network
  • It secures access to on-premise systems, including:
    • Fine-grained access control lists of allowed on-premise resources
    • Fine-grained audit logging for traceability
    • Trust relationship with on-premise systems based on X.509 certificates
    • Principal propagation from the Cloud to on-premise
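The two controls that matter most to a defender in that list are the allow-list of on-premise resources and the audit trail of every decision. The following is an added illustration of how such a check works in principle; it is not SAP's or the Cloud Connector's code, and the virtual host name, internal host, paths and HTTP methods are constructed for the example. A request from the Cloud names a virtual host and a path; the check resolves the virtual host to the real internal host, normalizes the path so traversal cannot slip past a prefix rule, matches it against the allowed resources and methods, and writes an audit record whether it allows or denies.

```python
"""Illustrative allow-list check for on-premise resources with audit logging.
Added example, not SAP code: hosts, paths and rules below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatchcase
import posixpath


@dataclass(frozen=True)
class Resource:
    """One allowed path (or glob pattern) under a virtual host."""
    path: str                                   # e.g. "/sap/bc/srt/scim/*"
    methods: frozenset = frozenset({"GET"})     # HTTP methods permitted
    exact: bool = False                         # True: path must match exactly


@dataclass
class SystemMapping:
    """Virtual host exposed to the Cloud -> real internal host, plus its ACL."""
    virtual_host: str
    internal_host: str
    resources: list = field(default_factory=list)


# Constructed sample ACL (hypothetical virtual host, internal host and paths).
ACL = {
    "idm-backend.virtual": SystemMapping(
        "idm-backend.virtual",
        "idm01.corp.internal:50000",
        [
            Resource("/sap/bc/srt/scim/*",
                     frozenset({"GET", "POST", "PUT", "PATCH"})),
            Resource("/sap/public/ping", frozenset({"GET"}), exact=True),
        ],
    ),
}

# In-memory audit trail for the example; a real deployment would write
# append-only records and forward them to a SIEM.
AUDIT_LOG = []


def _audit(decision, virtual_host, method, path, principal, reason):
    """Record every decision, allow or deny, with the propagated principal."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "decision": decision,
        "principal": principal,
        "virtual_host": virtual_host,
        "method": method,
        "path": path,
        "reason": reason,
    }
    AUDIT_LOG.append(entry)
    return entry


def authorize(virtual_host, method, path, principal):
    """Return (allowed, internal_host). internal_host is None when denied."""
    mapping = ACL.get(virtual_host)
    if mapping is None:
        _audit("DENY", virtual_host, method, path, principal,
               "unknown virtual host")
        return False, None

    # Normalize before matching so "/sap/bc/srt/scim/../../x" is evaluated
    # as "/sap/bc/x" and cannot ride a prefix rule into an unlisted path.
    norm = posixpath.normpath(path)
    for rule in mapping.resources:
        matched = (norm == rule.path) if rule.exact else fnmatchcase(norm, rule.path)
        if matched and method in rule.methods:
            _audit("ALLOW", virtual_host, method, path, principal,
                   f"rule {rule.path}")
            return True, mapping.internal_host

    _audit("DENY", virtual_host, method, path, principal,
           "no matching resource rule")
    return False, None


if __name__ == "__main__":
    # Constructed requests: one legitimate, one wrong method, one traversal.
    for req in [
        ("idm-backend.virtual", "GET", "/sap/bc/srt/scim/Users", "alice"),
        ("idm-backend.virtual", "DELETE", "/sap/bc/srt/scim/Users/1", "alice"),
        ("idm-backend.virtual", "GET", "/sap/bc/srt/scim/../../private", "alice"),
    ]:
        print(req[1], req[2], "->", authorize(*req))
    for entry in AUDIT_LOG:
        print(entry["decision"], entry["principal"], entry["reason"])
```

Note that `fnmatchcase`'s `*` matches across `/` separators, so a glob rule like `/sap/bc/srt/scim/*` covers the whole subtree; use `exact=True` for single endpoints such as a health check. The example logs the raw request path, not the normalized one, so the audit trail preserves what the client actually sent.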

The Cloud connector supports the following communication protocols:

  • HTTP(s)
  • RFC
  • LDAP
  • TCP

Hybrid Scenario Communication Flow

Configuration Packages

The configuration package concept was introduced with SAP Identity Management 8.0. A configuration package is a collection of configuration information including constants, scripts, repository types, processes, forms, and jobs.

Users are granted access to different packages, which allows multiple users to work on the configuration and transport separately. These configuration packages are delivered as part of the SAP Identity Management core component and imported into the SAP Identity Management database to provide a starting point for the configuration of the solution.

Generally, these fall into two categories: provisioning frameworks and connectors. A provisioning framework is a set of reusable jobs, tasks, and functions that are needed when provisioning various system types, for example, the SAP Provisioning Framework or the GRC Provisioning Framework. Connectors are sets of reusable IdM artifacts used to connect to the target repositories within IdM, for example, AS ABAP, AS Java, or SAP SuccessFactors.
