Exploring and Using Tenant Infrastructure

Objectives

After completing this lesson, you will be able to:

  • Describe the infrastructure on which Identity Provisioning bundle tenants run
  • Describe bundle tenants on SAP Cloud Identity infrastructure
  • Describe bundle tenants on the SAP BTP, Neo Environment
  • Identify the disaster recovery (DR) and high availability (HA) options of each infrastructure

Overview

Identity Provisioning bundle tenants can run on the infrastructure of SAP Cloud Identity Services and the SAP BTP, Neo Environment.

Caution

Effective March 15, 2022, new Identity Provisioning bundle tenants are created on the infrastructure of SAP Cloud Identity Services only. Existing customers of bundle tenants on SAP BTP, Neo Environment can continue using them as-is.

Delivering bundle tenants on the infrastructure of SAP Cloud Identity Services improves the integration between the group of services that provide cloud identity capabilities: Identity Authentication, Identity Provisioning, and Identity Directory. Identity Provisioning admin access is fully controlled and configured in the administration console of Identity Authentication, so the same controls apply to provisioning administrators as to any other Identity Authentication user, such as single sign-on with a corporate identity provider and two-factor authentication.

Sharing the same infrastructure paves the way for tighter integration and common features in the future.

Caution

As of June 27, 2022, when the tenant migration from SAP BTP, Neo Environment to SAP Cloud Identity infrastructure was released, all new Identity Provisioning features are delivered only for tenants running on SAP Cloud Identity infrastructure.

SAP Cloud Identity Infrastructure

Bundle tenants on this infrastructure come with the following specifics:

  • The Identity Provisioning tenant URL uses the host of the corresponding Identity Authentication tenant of the customer. It follows the pattern: https://<ias-host>/ips.

    For example: https://best-run.accounts.ondemand.com/ips

  • The Identity Provisioning administrator authenticates to the corresponding Identity Authentication tenant of the customer with the admin user that has the Manage Identity Provisioning role enabled in the Identity Authentication admin console.

    Further Identity Provisioning administration access, such as authorization to access the API for real-time provisioning and the API for provisioning identities through proxy systems, is also granted in the Identity Authentication admin console.

  • Almost all the provisioning systems (connectors) supported by Identity Provisioning are enabled by default for bundle tenants on the infrastructure of SAP Cloud Identity Services. This means that, in addition to the automatically pre-configured systems relevant for a bundled SAP cloud solution, customers can manually configure the supported connectors as source, target and proxy systems in the Identity Provisioning admin console.

SAP BTP, Neo Environment

Bundle tenants on this environment come with the following specifics:

  • The Identity Provisioning tenant URL uses the bundle tenant ID and the region host of SAP BTP, Neo Environment. It follows the pattern: https://ips-<consumer_account>.dispatcher.<region_host>/webapp/index.html, where <consumer_account> is the Identity Provisioning bundle tenant ID.

    For example: https://ips-a12345sdf678.dispatcher.ca1.hana.ondemand.com/webapp/index.html

  • The Identity Provisioning administrator authenticates to the admin console of the service with the S-user credentials provided in the onboarding email from SAP. The admin user has the Manage Identity Provisioning role enabled in the Identity Provisioning admin console.

    Further Identity Provisioning administration access, such as authorization to register OAuth clients, create connectivity destinations, and configure Cloud Connector connections, is granted on the Authorizations screen in the Identity Provisioning admin console.

  • The set of provisioning systems enabled in bundle tenants on SAP BTP, Neo Environment is restricted. The only exception is the SAP Cloud Identity Access Governance bundle, which includes all provisioning systems supported by Identity Provisioning, except for Local Identity Directory.

Regional Availability

You can access Identity Provisioning in all regions available for SAP BTP, Neo Environment. The only exception is standalone tenants purchased between September 1, 2020 and October 20, 2020, which you can access in all regions and data centers where Identity Authentication is running.

Disaster Recovery / High Availability

Disaster recovery (DR) and high availability (HA) are based on the capabilities of the underlying infrastructure.

SAP Cloud Identity Services – Identity Provisioning is a multi-tenant system where tenants share the hardware and software and use dedicated (and isolated) database instances for persistence.

Disaster

A disaster is only declared by SAP when there is a loss of utilities and services and uncertainty on whether utilities and services can be restored within a reasonable period of time. As long as the production site has power and is connected to the internet, it will not be considered a disaster.

Emergency incidents are assessed by SAP Business Technology Platform and SAP Corporate Infrastructure Services. An SAP management member with proper authorization must officially declare a disaster in order to initiate a disaster recovery plan.

Operations from the "disaster recovery site" could last anywhere from a few weeks to many months. Initiation of the failback plan is at SAP’s sole discretion.

SAP BTP, Neo Environment

The following applies when your tenant is running on SAP BTP, Neo Environment:

  • The Identity Provisioning service uses standard disaster recovery. Backups (complete data and log) are kept at a secondary location for the last 14 days and are deleted afterward.

Note

High availability is not supported.

SAP Cloud Identity Infrastructure

The following applies when your tenant is running on SAP Cloud Identity Services infrastructure:

Enhanced disaster recovery and high availability are fully supported for your tenants.

Disaster recovery and high availability are available only for the regions where Identity Authentication and Identity Provisioning share the same infrastructure and both services are enabled in a common tenant.
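Because the DR/HA posture depends on which infrastructure a bundle tenant runs on, and the two infrastructures expose different admin URL patterns (https://<ias-host>/ips versus https://ips-<consumer_account>.dispatcher.<region_host>/webapp/index.html), a tenant inventory can be checked from the URLs alone. The following script is an added example written for this lesson, not SAP code. It assumes that the URL shape is sufficient to tell the two infrastructures apart; it cannot verify the region condition stated above (Identity Authentication and Identity Provisioning sharing infrastructure in a common tenant), so it reports that as a warning to confirm manually. The sample URLs are constructed placeholders following the patterns in this lesson.

```python
import re
from urllib.parse import urlsplit

# Host pattern of a bundle tenant on SAP BTP, Neo Environment:
#   ips-<consumer_account>.dispatcher.<region_host>
NEO_HOST_RE = re.compile(
    r"^ips-(?P<account>[a-z0-9]+)\.dispatcher\.(?P<region>[a-z0-9][a-z0-9.-]*)$"
)

# DR/HA posture per infrastructure, as stated in this lesson.
DR_HA = {
    "sci": {"dr": "enhanced", "ha": True},
    "neo": {"dr": "standard (backups kept 14 days at a secondary location)", "ha": False},
}


def classify_tenant_url(url: str) -> dict:
    """Map an Identity Provisioning admin URL to its infrastructure and DR/HA posture.

    Assumption (not from the lesson): the URL shape alone identifies the
    infrastructure. Anything that matches neither pattern is reported as "unknown".
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    result = {"url": url, "infrastructure": "unknown", "dr": None, "ha": None, "warnings": []}

    # Admin credentials and sessions travel over this URL: refuse plaintext outright.
    if parts.scheme != "https":
        result["warnings"].append("scheme is not https; admin access must use TLS")
        return result

    neo = NEO_HOST_RE.match(host)
    if neo and path == "/webapp/index.html":
        result.update(infrastructure="neo", tenant_id=neo.group("account"),
                      region_host=neo.group("region"), **DR_HA["neo"])
        result["warnings"].append("no high availability on Neo; plan maintenance windows accordingly")
        return result

    if path == "/ips" and not neo:
        result.update(infrastructure="sci", ias_host=host, **DR_HA["sci"])
        result["warnings"].append(
            "HA/DR applies only where Identity Authentication and Identity Provisioning "
            "share infrastructure in a common tenant; confirm the region")
        return result

    result["warnings"].append("URL matches neither documented bundle tenant pattern")
    return result


def inventory(urls) -> dict:
    """Count tenants per infrastructure and list every tenant without confirmed HA."""
    counts = {"sci": 0, "neo": 0, "unknown": 0}
    without_ha = []
    for url in urls:
        r = classify_tenant_url(url)
        counts[r["infrastructure"]] += 1
        if r["ha"] is not True:
            without_ha.append(url)
    return {"counts": counts, "without_ha": without_ha}


# Constructed sample URLs; the hosts are placeholders built from the lesson's patterns.
SAMPLE_URLS = [
    "https://best-run.accounts.ondemand.com/ips",
    "https://ips-a12345sdf678.dispatcher.ca1.hana.ondemand.com/webapp/index.html",
    "http://ips-a12345sdf678.dispatcher.ca1.hana.ondemand.com/webapp/index.html",
    "https://best-run.accounts.ondemand.com/admin",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify_tenant_url(u))
    print(inventory(SAMPLE_URLS))
```

Feed the script the admin URLs from your tenant records; every entry that lands in without_ha is either a Neo tenant (no HA by design), a non-HTTPS or malformed URL, or a tenant whose URL does not match either documented pattern and needs a manual look.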

High Availability / Disaster Recovery – Multi-Region Setup

Countries/regions with two data centers operate in HA and DR mode between those data centers. Tenants located in such a country/region are distributed across both data centers.

Identity Provisioning uses Akamai GTM to route traffic to the failover data center if the primary data center becomes unavailable. The same mechanism covers both the HA and the DR setup.

Disaster Recovery for IPS
