Introducing Bundle Tenants

Objectives

After completing this lesson, you will be able to:

  • Set up the systems for your provisioning scenario
  • Run the provisioning jobs
  • Provision systems for bundle tenants
  • Understand the availability of connectors in bundle tenants on SAP Cloud Identity Infrastructure
  • Use the Identity Provisioning Service to synchronize user data between source and target systems
  • Support provisioning between multiple supported cloud and on-premise systems
  • Work with proxy systems

Prerequisites

  • You have purchased an SAP cloud solution bundled with Identity Authentication and Identity Provisioning services.
  • Bundle tenants created after March 15, 2022, run on the infrastructure of SAP Cloud Identity Services.

Bundle tenants created before March 15, 2022, run on SAP BTP, Neo Environment.

Log On to the Identity Provisioning User Interface (UI)

Steps

  1. Log on to the Identity Provisioning user interface (UI).

  2. Set up the source, target, and proxy systems for your provisioning scenario.

    In bundle tenants, some source and target systems are pre-configured. This means that the connection to the relevant source and target systems is automatically set up and you can run provisioning jobs. When adding a system, Identity Provisioning works as follows:

    1. Identity Provisioning in default mode: Provision user data from source to target systems.

      You add source and target systems only. This could be one source connected to one or multiple target systems, or one target connected to one or multiple source systems.

    2. Identity Provisioning in proxy mode: Provision user data to and from а central identity management solution and a system with proxy configuration.

      You add a proxy system and you have an external identity management system (such as SAP Identity Management) in place.

  3. Configure the connection details for your systems if they are not automatically set in your bundle tenant. You have the following options:

    1. Add properties in the Identity Provisioning UI and provide the required connection information.

    2. Create a destination in your subaccount in SAP BTP cockpit and select it for the given provisioning system in the Identity Provisioning UI.

    If your bundle tenant is running on the SAP BTP, Neo Environment, the Identity Provisioning admin user must have the Manage Destinations role assigned.

    Note

    Creating a destination is mandatory for configuring SAP Application Server ABAP provisioning systems and on-premise systems using the Cloud Connector for which a Location ID is configured.

    You can also use it if you need to reuse one and the same configuration for multiple provisioning systems. In all other cases, we recommend that you use the Properties tab.

    If your bundle tenant is running on the infrastructure of SAP Cloud Identity Services, connectivity destinations can only be created for SAP Application Server ABAP provisioning systems.

  4. Define what data you want to provision. You have the following options:

    1. Adapt the default transformation logic or use it as-is.

    2. Configure filtering properties for users and groups.

  5. Run a provisioning job manually or set a time interval for scheduled jobs.

Obtain a Bundle Tenant

When an SAP cloud solution bundles with SAP Cloud Identity Services, you are entitled to receive Identity Authentication and Identity Provisioning tenants without additional costs on the purchase of the corresponding SAP cloud solution's license. These Identity Authentication and Identity Provisioning tenants come pre-configured with the SAP cloud solution.

Context

In the following, you can find detailed information about Identity Provisioning bundle tenant and all available bundle options. The documentation distinguishes between bundle tenant and bundle option as follows:

  • A bundle tenant is an instance of Identity Provisioning that comes with a set of pre-configured provisioning systems relevant to one or more bundled SAP cloud solutions.

  • A bundle option is an SAP cloud solution bundled with Identity Provisioning and Identity Authentication that comes with a set of provisioning systems relevant to this SAP cloud solution.

Access Identity Provisioning UI of Bundle Tenants

Access the Identity Provisioning UI (administration console) when the service is bundled as part of an SAP cloud solution's license.

Prerequisites

You have purchased an SAP cloud solution that bundles Identity Provisioning and Identity Authentication.

This solution is automatically available in the Identity Provisioning admin console as a source and/or target system, that is, as a system to read entities from and/or a system to write entities to. User stores, such as Microsoft Azure Active Directory, are available as source (read-only) systems for integration purposes.

Context

To access the Identity Provisioning UI, you need to open the URL link that you received when obtaining your bundle tenant. You get the URLs for your test and productive tenant in the onboarding e-mails from SAP. If you obtained it manually (by opening an incident), you get the URLs from the incident.

When you receive the onboarding e-mails from SAP and access the Identity Provisioning UI for the first time, your source and target systems will be pre-configured. That is, the connection to the relevant source and target systems will be set up and you can run provisioning jobs. For some bundle tenants, such as SAP Jam Collaboration, the first initial Read Job is scheduled and starts almost immediately.

Open the Testing or Productive URL from a Contract Email or Open Incident

Steps

  1. Open the testing or productive URL you have received either from the contract emails or from the incident you have opened.

    Depending on the infrastructure/environment your bundle tenant runs on, the URL follows the pattern:

    • SAP Cloud Identity infrastructure: https://<ias-host>/ips, where the Identity Provisioning tenant URL uses the host of the corresponding Identity Authentication tenant of the customer.
    • Neo environment: https://ips-<consumer_account>.dispatcher.<region_host>/webapp/index.html

  2. Log on to the Identity Provisioning UI with your administration credentials.

    • SAP Cloud Identity infrastructure: Identity Provisioning administrator authenticates to the corresponding Identity Authentication tenant of the customer with the admin user that has the Manage Identity Provisioning role enabled in the Identity Authentication admin console.
    • Neo environment: Identity Provisioning administrator authenticates to the admin console of the service with his or her S-user credentials provided in the welcoming onboarding email from SAP. The admin user has the Manage Identity Provisioning role enabled in the Identity Provisioning admin console.
  3. When the Identity Provisioning tenant is initially provisioned to your organization, only one user is added as a tenant administrator. After that, due to possible legal and security issues, SAP adds additional tenant administrators only in exceptional cases (for example, the existing administrator left the company, or for some reason there is no active administrator for this tenant).

  4. To avoid access-related issues in such cases, it is always a good practice for you to assign more than one administrator. Adding additional ones is exclusively in the responsibility of the current tenant administrators. 

  5. The Identity Provisioning UI opens as an independent HTML5 application. The Home page displays the following tiles:

    • SAP Cloud Identity infrastructure: Source Systems, Target Systems, Proxy Systems, Job Logs, and Authorizations
    • Neo environment: Source Systems, Target Systems, Proxy Systems, Job Logs, Authorizations, and OAuth

    In both standalone and bundle cases, secure communication is provided between this HTML5 application and the SAP BTP cockpit, realized by principal propagation. Unlike the standalone case however, with your bundle account you obtain the Identity Provisioning as software as a service. That means that we provide you with a global SAP Business Technology Platform account, and you do not need to operate in the platform cockpit.

    All source and target systems in your bundle tenant are available as proxy systems.

Provisioning Systems for Bundle Tenants

Provisioning systems (connectors) availability in bundle tenants depends on the infrastructure/environment on which your tenants are running.

Bundle tenants running on SAP Cloud Identity infrastructure and SAP BTP, Neo Environment, which are obtained after purchasing the following SAP cloud solutions, are the least restrictive in terms of connectors availability:

  • SAP Cloud Identity Access Governance bundle tenant has all connectors enabled, except for Local Identity Directory.
  • SAP Jam Collaboration bundle tenant has all source and proxy connectors enabled, except for Local Identity Directory.

SAP Cloud Identity Infrastructure

If your bundle tenant is running on the infrastructure of SAP Cloud Identity Services, most of the connectors are enabled by default.

SAP BTP, Neo Environment

If your bundle tenant is running on SAP BTP, Neo Environment, a limited number of connectors are enabled by default. The following table lists the enabled provisioning systems (connectors) and the SAP cloud solution bundle for which they are relevant:

SAP BTP, Neo Environment 1

SAP Cloud SolutionProvisioning SystemsSystem Type
SAP Business Technology Platform BundleIdentity AuthenticationSource, Target, Proxy
SAP BTP ABAP EnvironmentSource, Target, Proxy
SAP BTP Account Members (Neo)Source, Target, Proxy
SAP BTP Java/HTML5 apps (Neo)Source, Target, Proxy
SAP BTP XS Advanced UAA (Cloud Foundry)Source, Target, Proxy
SAP Application Server ABAPSource, Target, Proxy
SAP S/4HANA On-PremiseSource, Target, Proxy
Microsoft Azure Active DirectorySource, Proxy
Microsoft Active DirectorySource, Proxy
Google G SuiteSource, Proxy
SCIM SystemSource, Proxy
LDAP ServerSource, Proxy
SAP Enterprise PortalSource

SAP BTP, Neo Environment 2

SAP Cloud SolutionProvisioning SystemsSystem Type
SAP Build Work Zone, advanced edition BundleIdentity AuthenticationSource, Target, Proxy
SAP Build Work Zone, advanced editionSource, Target, Proxy
SAP Application Server ABAPSource, Target, Proxy
SAP S/4HANA On-PremiseSource, Target, Proxy
Microsoft Azure Active DirectorySource, Proxy
Microsoft Active DirectorySource, Proxy
Google G SuiteSource, Proxy
SAP BTP XS Advanced UAA (Cloud Foundry)Target, Proxy
SAP Build Work Zone, standard editionTarget, Proxy
SCIM SystemSource, Proxy
LDAP ServerSource, Proxy
SAP Enterprise PortalSource

SAP BTP, Neo Environment 3

SAP Cloud SolutionProvisioning SystemsSystem Type
SAP Commissions BundleIdentity AuthenticationSource, Target, Proxy
SAP CommissionsSource, Target, Proxy
SAP Application Server ABAPSource, Target, Proxy
SAP S/4HANA On-PremiseSource, Target, Proxy
SAP Analytics CloudTarget, Proxy
Microsoft Azure Active DirectorySource, Proxy
Microsoft Active DirectorySource, Proxy
Google G SuiteSource, Proxy
SCIM SystemSource, Proxy
LDAP ServerSource, Proxy
SAP Enterprise PortalSource

SAP BTP, Neo Environment 4

SAP Cloud SolutionProvisioning SystemsSystem Type
  Source, Target, Proxy

SAP BTP, Neo Environment 5

SAP Cloud SolutionProvisioning SystemsSystem Type
SAP Integrated Business Planning for Supply Chain BundleIdentity AuthenticationSource, Target, Proxy
SAP Integrated Business Planning for Supply ChainSource, Target, Proxy
SAP Application Server ABAPSource, Target, Proxy
SAP S/4HANA On-PremiseSource, Target, Proxy
Microsoft Azure Active DirectorySource, Proxy
Microsoft Active DirectorySource, Proxy
Google G SuiteSource, Proxy
SCIM SystemSource, Proxy
LDAP ServerSource, Proxy
SAP Enterprise PortalSource

SAP BTP, Neo Environment 6

SAP Cloud SolutionProvisioning SystemsSystem Type
 Identity AuthenticationSource, Target, Proxy

SAP BTP, Neo Environment 7

SAP Cloud SolutionProvisioning SystemsSystem Type
SAP Jam Collaboration BundleIdentity AuthenticationSource, Target, Proxy
SAP Application Server ABAPSource, Target, Proxy
SAP S/4HANA On-PremiseSource, Target, Proxy
All *source and **proxy system connectorsSource, Proxy

SAP BTP, Neo Environment 8

SAP Cloud SolutionProvisioning SystemsSystem Type
SAP Marketing Cloud BundleIdentity AuthenticationSource, Target, Proxy
SAP Marketing CloudSource, Target, Proxy
SAP Application Server ABAPSource, Target, Proxy
SAP S/4HANA On-PremiseSource, Target, Proxy
SAP Analytics CloudTarget, Proxy
Microsoft Azure Active DirectorySource, Proxy
Microsoft Active DirectorySource, Proxy
Google G SuiteSource, Proxy
SCIM SystemSource, Proxy
LDAP ServerSource, Proxy
SAP Enterprise PortalSource

SAP BTP, Neo Environment 9

SAP Cloud SolutionProvisioning SystemsSystem Type
SAP S/4HANA Cloud BundleIdentity AuthenticationSource, Target, Proxy
SAP S/4HANA CloudSource, Target, Proxy
SAP Central Business ConfigurationSource, Target, Proxy

SCIM System

*SCIM System can be used as a target system only in provisioning scenarios with SAP Central Business Configuration.

Source, Target*, Proxy
SAP Application Server ABAPSource, Target, Proxy
SAP S/4HANA On-PremiseSource, Target, Proxy
SAP Analytics CloudTarget, Proxy
Microsoft Azure Active DirectorySource, Proxy
Microsoft Active DirectorySource, Proxy
Google G SuiteSource, Proxy
LDAP ServerSource, Proxy
SAP Enterprise PortalSource

SAP BTP, Neo Environment 10

SAP Cloud SolutionProvisioning SystemsSystem Type
SAP SuccessFactors BundleIdentity AuthenticationSource, Target, Proxy
SAP SuccessFactorsSource, Proxy
SAP Analytics CloudTarget, Proxy
SAP Application Server ABAPSource, Target, Proxy
SAP S/4HANA On-PremiseSource, Target, Proxy
SCIM SystemSource, Proxy
LDAP ServerSource, Proxy
SAP Enterprise PortalSource

SAP BTP, Neo Environment 11

SAP Cloud SolutionProvisioning SystemsSystem Type
SAP SuccessFactors Learning BundleIdentity AuthenticationTarget, Proxy
SAP SuccessFactors LearningSource, Target, Proxy
SAP Application Server ABAPSource, Target, Proxy
SAP S/4HANA On-PremiseSource, Target, Proxy
SCIM SystemSource, Proxy
LDAP ServerSource, Proxy
SAP Enterprise PortalSource

SAP BTP, Neo Environment 12

SAP Cloud SolutionProvisioning SystemsSystem Type
Sales Cloud – Analytics and AI BundleIdentity AuthenticationSource, Proxy
Sales Cloud – Analytics and AITarget, Proxy
SAP Analytics CloudTarget, Proxy
Microsoft Azure Active DirectorySource, Proxy
Microsoft Active DirectorySource, Proxy
Google G SuiteSource, Proxy
SAP Application Server ABAPSource, Target, Proxy
SAP S/4HANA On-PremiseSource, Target, Proxy
SCIM SystemSource, Proxy
LDAP ServerSource, Proxy
SAP Enterprise PortalSource

SAP BTP, Neo Environment 13

SAP Cloud SolutionProvisioning SystemsSystem Type
 Identity AuthenticationSource, Target, Proxy

SAP BTP, Neo Environment 14

SAP Cloud SolutionProvisioning SystemsSystem Type
SAP Landscape Management Cloud BundleSAP Analytics CloudTarget, Proxy
SAP Application Server ABAPSource, Target, Proxy
SAP S/4HANA On-PremiseSource, Target, Proxy
Microsoft Azure Active DirectorySource, Proxy
Microsoft Active DirectorySource, Proxy
Google G SuiteSource, Proxy
SCIM SystemSource, Proxy
LDAP ServerSource, Proxy
SAP Enterprise PortalSource

SAP BTP, Neo Environment 15

SAP Cloud SolutionProvisioning SystemsSystem Type
SAP Fieldglass BundleIdentity AuthenticationSource, Target, Proxy
SAP FieldglassSource, Target, Proxy
SAP Application Server ABAPSource, Target, Proxy
SAP S/4HANA On-PremiseSource, Target, Proxy
Microsoft Azure Active DirectorySource, Proxy
Microsoft Active DirectorySource, Proxy
Google G SuiteSource, Proxy
SCIM SystemSource, Proxy
LDAP ServerSource, Proxy
SAP Enterprise PortalSource

Bundle Tenants and Connectors

A bundle tenant is an instance of Identity Provisioning that comes with a set of pre-configured provisioning systems (connectors) relevant to one or more bundled SAP cloud solutions.

The communication between Identity Provisioning and the pre-configured systems is automatically set up, therefore administrators are ready to run or schedule provisioning jobs. Further usage of provisioning systems (connectors) and their availability depend on the infrastructure/environment on which your bundle tenant is running.

Note

Bundle tenants running on SAP Cloud Identity infrastructure and the SAP BTP, Neo Environment, which are obtained after purchasing the following SAP cloud solutions, are the least restrictive in terms of connectors availability:

  • SAP Cloud Identity Access Governance bundle tenant has all connectors enabled, except for Local Identity Directory.
  • SAP Jam Collaboration bundle tenant has all source and proxy connectors enabled, except for Local Identity Directory.

Bundle Tenants on SAP Cloud Identity Infrastructure

If your bundle tenant is running on the infrastructure of SAP Cloud Identity Services, most of the connectors are enabled by default, with few exceptions described in Connectors Availability in Bundle Tenants on SAP Cloud Identity Infrastructure section below.

As of March 15, 2022, Identity Provisioning bundle tenants are created on the infrastructure of SAP Cloud Identity Services only.

Bundle Tenants on SAP BTP, Neo Environment

If your bundle tenant is running on SAP BTP, Neo Environment, a limited number of connectors are enabled by default. You can extend the number of connectors by migrating the tenant to the SAP Cloud Identity infrastructure or by purchasing more SAP cloud solutions that bundle Identity Provisioning. In the latter case, along with the enabled provisioning systems of your bundle tenant, you will also get the provisioning systems relevant for the newly purchased solutions.

How to Use Bundle Tenants

The example in the following scenario explains the usage of Identity Provisioning bundle tenant that comes with a set of pre-configured systems relevant for a given SAP cloud solution. Although details vary from one bundle tenant to another, the overall process is the same.

The following figure illustrates the expected provisioning flow from source to target systems (the default provisioning mode).

  1. After purchasing an SAP cloud solution that bundles Identity Provisioning, the technical contact person in your organization receives the welcome email from SAP. He or she is granted the Administrator permissions for the bundle tenant and performs the initial logon by accessing the tenant URL provided in the email. The initial administrator is assigned the Manage Identity Provisioning role. He or she can configure provisioning systems, run jobs, view job logs, and add other users as administrators of the tenant.
  2. When you open the Identity Provisioning admin console, the pre-configured systems are displayed in the respective Source Systems and Target Systems tile. i. On the Details tab, the pre-configured systems are populated with their specific system name - for example:

    <System_name> – source (Identity Authentication)

    <System_name> – target (SAP Analytics Cloud)

    ii. On the Properties tab, the communication between Identity Provisioning and those systems is automatically set up.

    Connection properties are populated. The authentication type is specified. You have the following options: use BasicAuthentication or ClientCertificateAuthentication.

    You can modify properties to further control how user data is transferred, for example:

    a) You can configure filtering on source systems to provision users and groups matching specific criteria or to test the provisioning with few users and groups before you replicate all of them.

    b) You can enable bulk operations on the target system to speed up the provisioning.

    iii. On the Transformations tab, the user and group resource mappings are displayed.

    Transformations of the pre-configured systems might be adapted for the scenarios relevant to your bundled SAP cloud solution.

    For example, the read transformation of Identity Authentication source system in SAP Landscape Management Cloud bundle tenant contains a specific condition that is not available in the default read transformation of Identity Authentication. According to this condition, only users assigned to SAP Landscape Management Cloud specific groups in Identity Authentication are replicated to SAP Analytics Cloud and mapped to an embedded role there.

  3. Administrators can run Read or Resync job for the pre-configured systems.
  4. Administrators can also manually add and configure source, target, and proxy systems of their choice. Those systems are created with default properties and default transformations.

    The following figure illustrates the expected provisioning flow between an external identity management solution and a system with proxy configuration (the proxy provisioning mode).

In this mode, Identity Provisioning is used for synchronizing user data to and from a central identity management solution (for example, the on-premise SAP Identity Management) and a provisioning system with proxy configuration (for example, SAP Analytics Cloud, embedded edition). Here, Identity Provisioning acts as a proxy between the identity management solution and the system with proxy configuration.

Connectors Available in Bundle Tenants on SAP Cloud Identity Infrastructure

Almost all connectors are available. The following table lists only the few provisioning systems that are not supported for bundle tenants running on SAP Cloud Identity infrastructure:

Availability of Provisioning Systems (Connectors)

AvailabilityProvisioning Systems (Connectors)
Not supported as source, target, and proxy systemsCloud Foundry UAA Server
Local Identity Directory
Not supported as target systemsSCIM
LDAP Server
Microsoft Active Directory
Microsoft Azure Active Directory
Google G suite

The following table lists the provisioning systems available in all bundle tenants and their use case.

Provisioning Systems Available

ConnectorUse Case
Identity Authentication

Identity Authentication is available as source, target, and proxy system in all bundle tenants, except for a target system in Sales Cloud – Analytics and AI Bundle bundle).

Using Identity Authentication as a source system is relevant for new customers of SAP cloud solutions (green-field approach). Users are created in Identity Authentication (self-registered, uploaded from files or provisioned through Identity Provisioning from another source system) and afterward replicated to target systems.

Using Identity Authentication as a target system is relevant for existing customers of SAP cloud solutions (brown-field approach). Users are already created in the SAP cloud solutions and afterward provisioned to Identity Authentication that becomes the leading system in user provisioning.

Microsoft Azure Active DirectoryThese systems are available as source systems in all bundle tenants.
Microsoft Active Directory
Google G Suite

The reason is that they are normally used as corporate user stores and therefore can act as central place for user management in customers landscapes.

The only exception is SAP SuccessFactors bundle, where Microsoft Azure AD, Microsoft AD and Google G Suite are not available as source systems. However, its scope can be extended, and those systems can be enabled for reading entities upon purchasing more bundled SAP cloud solutions.

In addition to being available as source systems, SAP AS ABAP and SAP S/4HANA On-Premise are also available as target systems in all bundle tenants.

The reason is that they are normally part of the customers landscapes and therefore can be used for both - reading and replicating entities, when implementing user management and provisioning.

SAP Application Server ABAP
SAP S/4HANA On-Premise
SCIM System
LDAP Server

SAP Business Technology Platform Bundle

SAP Business Technology Platform bundle allows you to use the Identity Provisioning service for synchronizing user data between source and target systems. The available source and target systems in this bundle can also be configured as proxy systems for indirect connection to external identity management systems.

Note

As of March 15, 2022, Identity Provisioning bundle tenants are created on the infrastructure of SAP Cloud Identity Services only. These tenants have most of the provisioning systems (connectors) enabled by default.

Identity Provisioning bundle tenants running on SAP BTP, Neo Environment have a limited number of connectors enabled by default. They are illustrated in the following figure.

To Obtain the Identity Provisioning Tenant

After purchasing a global account for SAP Business Technology Platform (in short, SAP BTP), you can obtain Identity Provisioning tenant. To do this, your subaccount needs to be subscribed to the Cloud Identity Services application in SAP BTP cockpit.

To obtain the Identity Provisioning tenant, make sure your subaccount is subscribed to the application in the correct region. If you do this in multiple regions, the tenant you obtain in the first region will be reused in all other regions.

In addition, if you already have an existing Identity Provisioning, it will be reused for the relevant provisioning systems entitled to your SAP BTP product.

To activate your tenant, complete the following steps:

Steps

  1. In the SAP BTP cockpit, choose your subaccount in the SAP BTP, Cloud Foundry environment.

  2. Navigate to Services Service Marketplace and select Cloud Identity Services.

    Note
    If you do not see Cloud Identity Service, navigate to Entitlements and add the default plan.
  3. Under Application Plans, choose default and then Next.

  4. In the Cloud Service Type dropdown, choose the tenant type. You have the following options:

    • Test
    • Productive - this is the default value

    The default application plan allows you to consume Identity Provisioning, Identity Authentication, and Identity Directory. The new test or productive tenant will be only created if there is not an existing one already that is bound to your customer ID, regardless of the region.

    The default test and productive tenants will be created in the same region.

  5. Choose Next and Create to make a subscription to this application, bound to your customer ID.

    The default application plan allows you to consume Identity Provisioning, Identity Authentication, and Identity Directory. The new test or productive tenant will be only created if there is not an existing one already bound to your customer ID, regardless of the region.

    The default test and productive tenants will be created in the same region.

  6. In the side menu of the SAP BTP cockpit, go to Services Instances and Subscriptions.

    Under the Subscriptions tab, in the table, you can find the Cloud Identity Services application.

  7. Choose the icon (Actions) at the end of the subscription row and select Go to Application.

    This opens the Identity Provisioning administration console. The URL of your Identity Provisioning bundle tenant follows the pattern:

    • https://<ias-host>/ips

      This is valid for new Identity Provisioning bundle tenants created after March 15, 2022. They run on SAP Cloud Identity infrastructure.

    • https://ips-<consumer_account>.dispatcher.<region_host>/webapp/index.html

      This is valid for existing (reused) Identity Provisioning tenants created before March 15, 2022. They run on SAP BTP, Neo Environment.

    Note

    You can remove the subscription to the Cloud Identity Services application, that is to offboard your Identity Provisioning tenant, if you select the icon (Actions) and select Delete. Be aware of the following:

    • If your Identity Provisioning tenant is obtained only for SAP BTP and no other SAP cloud solutions are reusing it, this tenant will be deleted immediately.
    • If your Identity Provisioning tenant is reused in other SAP cloud solutions that bundle the service, this tenant will not be deleted until all SAP cloud solutions offboard it.

Supported Systems

The Identity Provisioning service supports provisioning of users and groups between multiple supported cloud and on-premise systems, both SAP and non-SAP.

For more information about all provisioning systems (connectors) that you can use as source, target, and proxy system types for your provisioning scenarios, refer to the topics in this section.

Source Systems

A source system is the connector used for reading entities (users, groups, and roles).

Source systems can be on-premise or cloud-based, SAP or non-SAP, and usually represent the corporate user store where identities are currently maintained. The Identity Provisioning service reads the entities from the source system and creates or updates them in the relevant target ones. The provisioning is triggered from the Jobs tab of a source system.

You can connect one source system to one or multiple target systems. In the case of multiple (enabled) target systems, when you start a Read or a Resync job, this operation will trigger provisioning of entities from this source system to all relevant target ones.

By default, the maximum number of productive source systems you are allowed to add for your tenant is 20.

Target Systems

A target system is the connector used for writing entities.

Target systems are usually cloud systems, where the Identity Provisioning service creates or updates the entities read from the source system.

A target system can be connected to a single source system, or multiple source systems. In the case of multiple source systems, we recommend that you run the provisioning jobs successively for each system, not simultaneously. This way, you will avoid incorrect overwriting or merging of entity data, hence failed provisioning jobs.

Note

By default, the maximum number of productive target systems you are allowed to add for your tenant is 50.

Proxy Systems

A proxy system is a special connector type you can use for hybrid scenarios.

It exposes any Identity Provisioning-supported backend system as a SCIM 2.0 service provider, which can be consumed by any SCIM 2.0 compatible client application, without making a direct connection between them.

When the proxy connector is configured, a consumer application can start sending CRUD requests to the Identity Provisioning proxy connector (which will play the role of a target system). The proxy connector will then read the entities (playing the role of a source system) and provision them to the backend of the SCIM 2.0 system.

Proxy Systems - How They Work

The Identity Provisioning service exposes a SCIM 2.0 based system (connector) as a proxy. Then, an external consumer system regards this proxy connector as its back-end system. Depending on the infrastructure/environment your Identity Provisioning tenant (bundle or standalone) runs on, you need to perform the following steps to start using a proxy system:

Infrastructure of SAP Cloud Identity Services

Your tenant type meets one of the following requirements:

  • Your bundle tenant is created after March 15, 2022.
  • Your Identity Provisioning is purchased as a standalone product between September 1, 2020 and October 20, 2020.

Complete the following steps:

  1. Log on to the Identity Provisioning admin console and navigate to Security Authorizations Manage User Authorizations.

    You are redirected to the Identity Authentication admin console, section Users and Authorizations  Administrators.

  2. Choose your technical user (administrator user of type System). If you do not have a technical user yet, create one.
  3. Configure the technical user authentication.

    Certificate

    Choose Certificate Configure certificate and Upload your certificate.

    Client certificates are used by HTTP REST clients as a means for SSL certificate authentication.

    Secrets

    Choose Secrets Add and provide the required information. After saving it, a Client ID and Client Secret are generated for the technical user. Make sure that you copy and save the client secret.

  4. Enable the Access Proxy System API permission for the technical user.
  5. Open the Identity Provisioning admin console and create a proxy system.
  6. (Optional) Export this system as a .csv file. This will help an administrator of the external consumer application to import the proxy configuration as a SCIM repository in SAP Identity Management, for example.
    Note
    The entities exposed by the backend system will be mapped to SCIM 2.0 entities, if possible. If this is not possible, the SCIM standard provides a mechanism to define a new resource type with the appropriate schema. You can use the custom resource type to map the back-end entities.
  7. Finally, the external application can start sending REST web service requests to the proxy system in order to read identities from the back end of the SCIM 2.0 system. For the authentication, you need to use the user ID and password of the Identity Authentication technical user for which you have set permission Access Proxy System API.

SAP BTP, Neo Environment

Your tenant type meets one of the following requirements:

  • Your bundle tenant is created before March 15, 2022.
  • Your Identity Provisioning is purchased as a standalone product before September 1, 2020.
  1. Create a technical user that will be used to connect to the Identity Provisioning proxy system and assign the necessary authorizations to your technical user.
  2. Finally, the external application can start sending REST web service requests to the proxy system in order to read identities from the backend of the SCIM 2.0 system. For the authentication, you need to use the client ID and secret of the registered OAuth client for which you have assigned the IPS_PROXY_USER role.

System Types

Log in to track your progress & complete quizzes