Objectives
After completing this lesson, you will be able to:
Bundle tenants created before March 15, 2022, run on SAP BTP, Neo Environment.
Log on to the Identity Provisioning user interface (UI).
Set up the source, target, and proxy systems for your provisioning scenario.
In bundle tenants, some source and target systems are pre-configured. This means that the connection to the relevant source and target systems is automatically set up and you can run provisioning jobs. When adding a system, Identity Provisioning works as follows:
Identity Provisioning in default mode: Provision user data from source to target systems.
You add source and target systems only. This could be one source connected to one or multiple target systems, or one target connected to one or multiple source systems.
Identity Provisioning in proxy mode: Provision user data to and from а central identity management solution and a system with proxy configuration.
You add a proxy system and you have an external identity management system (such as SAP Identity Management) in place.
Configure the connection details for your systems if they are not automatically set in your bundle tenant. You have the following options:
Add properties in the Identity Provisioning UI and provide the required connection information.
Create a destination in your subaccount in SAP BTP cockpit and select it for the given provisioning system in the Identity Provisioning UI.
If your bundle tenant is running on the SAP BTP, Neo Environment, the Identity Provisioning admin user must have the Manage Destinations role assigned.
Note
Creating a destination is mandatory for configuring SAP Application Server ABAP provisioning systems and on-premise systems using the Cloud Connector for which a Location ID is configured.
You can also use it if you need to reuse one and the same configuration for multiple provisioning systems. In all other cases, we recommend that you use the Properties tab.
If your bundle tenant is running on the infrastructure of SAP Cloud Identity Services, connectivity destinations can only be created for SAP Application Server ABAP provisioning systems.
Define what data you want to provision. You have the following options:
Adapt the default transformation logic or use it as-is.
Configure filtering properties for users and groups.
Run a provisioning job manually or set a time interval for scheduled jobs.
When an SAP cloud solution bundles with SAP Cloud Identity Services, you are entitled to receive Identity Authentication and Identity Provisioning tenants without additional costs on the purchase of the corresponding SAP cloud solution's license. These Identity Authentication and Identity Provisioning tenants come pre-configured with the SAP cloud solution.
In the following, you can find detailed information about Identity Provisioning bundle tenant and all available bundle options. The documentation distinguishes between bundle tenant and bundle option as follows:
A bundle tenant is an instance of Identity Provisioning that comes with a set of pre-configured provisioning systems relevant to one or more bundled SAP cloud solutions.
A bundle option is an SAP cloud solution bundled with Identity Provisioning and Identity Authentication that comes with a set of provisioning systems relevant to this SAP cloud solution.
Access the Identity Provisioning UI (administration console) when the service is bundled as part of an SAP cloud solution's license.
You have purchased an SAP cloud solution that bundles Identity Provisioning and Identity Authentication.
This solution is automatically available in the Identity Provisioning admin console as a source and/or target system, that is, as a system to read entities from and/or a system to write entities to. User stores, such as Microsoft Azure Active Directory, are available as source (read-only) systems for integration purposes.
To access the Identity Provisioning UI, you need to open the URL link that you received when obtaining your bundle tenant. You get the URLs for your test and productive tenant in the onboarding e-mails from SAP. If you obtained it manually (by opening an incident), you get the URLs from the incident.
When you receive the onboarding e-mails from SAP and access the Identity Provisioning UI for the first time, your source and target systems will be pre-configured. That is, the connection to the relevant source and target systems will be set up and you can run provisioning jobs. For some bundle tenants, such as SAP Jam Collaboration, the first initial Read Job is scheduled and starts almost immediately.
Open the testing or productive URL you have received either from the contract emails or from the incident you have opened.
Depending on the infrastructure/environment your bundle tenant runs on, the URL follows the pattern:
Neo environment: https://ips-<consumer_account>.dispatcher.<region_host>/webapp/index.html
Log on to the Identity Provisioning UI with your administration credentials.
When the Identity Provisioning tenant is initially provisioned to your organization, only one user is added as a tenant administrator. After that, due to possible legal and security issues, SAP adds additional tenant administrators only in exceptional cases (for example, the existing administrator left the company, or for some reason there is no active administrator for this tenant).
To avoid access-related issues in such cases, it is always a good practice for you to assign more than one administrator. Adding additional ones is exclusively in the responsibility of the current tenant administrators.
The Identity Provisioning UI opens as an independent HTML5 application. The Home page displays the following tiles:
In both standalone and bundle cases, secure communication is provided between this HTML5 application and the SAP BTP cockpit, realized by principal propagation. Unlike the standalone case however, with your bundle account you obtain the Identity Provisioning as software as a service. That means that we provide you with a global SAP Business Technology Platform account, and you do not need to operate in the platform cockpit.
All source and target systems in your bundle tenant are available as proxy systems.
Provisioning systems (connectors) availability in bundle tenants depends on the infrastructure/environment on which your tenants are running.
Bundle tenants running on SAP Cloud Identity infrastructure and SAP BTP, Neo Environment, which are obtained after purchasing the following SAP cloud solutions, are the least restrictive in terms of connectors availability:
If your bundle tenant is running on the infrastructure of SAP Cloud Identity Services, most of the connectors are enabled by default.
If your bundle tenant is running on SAP BTP, Neo Environment, a limited number of connectors are enabled by default. The following table lists the enabled provisioning systems (connectors) and the SAP cloud solution bundle for which they are relevant:
| SAP Cloud Solution | Provisioning Systems | System Type |
|---|---|---|
| SAP Business Technology Platform Bundle | Identity Authentication | Source, Target, Proxy |
| SAP BTP ABAP Environment | Source, Target, Proxy | |
| SAP BTP Account Members (Neo) | Source, Target, Proxy | |
| SAP BTP Java/HTML5 apps (Neo) | Source, Target, Proxy | |
| SAP BTP XS Advanced UAA (Cloud Foundry) | Source, Target, Proxy | |
| SAP Application Server ABAP | Source, Target, Proxy | |
| SAP S/4HANA On-Premise | Source, Target, Proxy | |
| Microsoft Azure Active Directory | Source, Proxy | |
| Microsoft Active Directory | Source, Proxy | |
| Google G Suite | Source, Proxy | |
| SCIM System | Source, Proxy | |
| LDAP Server | Source, Proxy | |
| SAP Enterprise Portal | Source |
| SAP Cloud Solution | Provisioning Systems | System Type |
|---|---|---|
| SAP Build Work Zone, advanced edition Bundle | Identity Authentication | Source, Target, Proxy |
| SAP Build Work Zone, advanced edition | Source, Target, Proxy | |
| SAP Application Server ABAP | Source, Target, Proxy | |
| SAP S/4HANA On-Premise | Source, Target, Proxy | |
| Microsoft Azure Active Directory | Source, Proxy | |
| Microsoft Active Directory | Source, Proxy | |
| Google G Suite | Source, Proxy | |
| SAP BTP XS Advanced UAA (Cloud Foundry) | Target, Proxy | |
| SAP Build Work Zone, standard edition | Target, Proxy | |
| SCIM System | Source, Proxy | |
| LDAP Server | Source, Proxy | |
| SAP Enterprise Portal | Source |
| SAP Cloud Solution | Provisioning Systems | System Type |
|---|---|---|
| SAP Commissions Bundle | Identity Authentication | Source, Target, Proxy |
| SAP Commissions | Source, Target, Proxy | |
| SAP Application Server ABAP | Source, Target, Proxy | |
| SAP S/4HANA On-Premise | Source, Target, Proxy | |
| SAP Analytics Cloud | Target, Proxy | |
| Microsoft Azure Active Directory | Source, Proxy | |
| Microsoft Active Directory | Source, Proxy | |
| Google G Suite | Source, Proxy | |
| SCIM System | Source, Proxy | |
| LDAP Server | Source, Proxy | |
| SAP Enterprise Portal | Source |
| SAP Cloud Solution | Provisioning Systems | System Type |
|---|---|---|
| Source, Target, Proxy |
| SAP Cloud Solution | Provisioning Systems | System Type |
|---|---|---|
| SAP Integrated Business Planning for Supply Chain Bundle | Identity Authentication | Source, Target, Proxy |
| SAP Integrated Business Planning for Supply Chain | Source, Target, Proxy | |
| SAP Application Server ABAP | Source, Target, Proxy | |
| SAP S/4HANA On-Premise | Source, Target, Proxy | |
| Microsoft Azure Active Directory | Source, Proxy | |
| Microsoft Active Directory | Source, Proxy | |
| Google G Suite | Source, Proxy | |
| SCIM System | Source, Proxy | |
| LDAP Server | Source, Proxy | |
| SAP Enterprise Portal | Source |
| SAP Cloud Solution | Provisioning Systems | System Type |
|---|---|---|
| Identity Authentication | Source, Target, Proxy |
| SAP Cloud Solution | Provisioning Systems | System Type |
|---|---|---|
| SAP Jam Collaboration Bundle | Identity Authentication | Source, Target, Proxy |
| SAP Application Server ABAP | Source, Target, Proxy | |
| SAP S/4HANA On-Premise | Source, Target, Proxy | |
| All *source and **proxy system connectors Note *Link to source systems here: https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/58033bec92124ef2a7905b37d0f50704.html **Link to proxy system here: https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/b10d68a92d3a43f49e202ca0d6862493.html | Source, Proxy |
| SAP Cloud Solution | Provisioning Systems | System Type |
|---|---|---|
| SAP Marketing Cloud Bundle | Identity Authentication | Source, Target, Proxy |
| SAP Marketing Cloud | Source, Target, Proxy | |
| SAP Application Server ABAP | Source, Target, Proxy | |
| SAP S/4HANA On-Premise | Source, Target, Proxy | |
| SAP Analytics Cloud | Target, Proxy | |
| Microsoft Azure Active Directory | Source, Proxy | |
| Microsoft Active Directory | Source, Proxy | |
| Google G Suite | Source, Proxy | |
| SCIM System | Source, Proxy | |
| LDAP Server | Source, Proxy | |
| SAP Enterprise Portal | Source |
| SAP Cloud Solution | Provisioning Systems | System Type |
|---|---|---|
| SAP S/4HANA Cloud Bundle | Identity Authentication | Source, Target, Proxy |
| SAP S/4HANA Cloud | Source, Target, Proxy | |
| SAP Central Business Configuration | Source, Target, Proxy | |
SCIM System *SCIM System can be used as a target system only in provisioning scenarios with SAP Central Business Configuration. | Source, Target*, Proxy | |
| SAP Application Server ABAP | Source, Target, Proxy | |
| SAP S/4HANA On-Premise | Source, Target, Proxy | |
| SAP Analytics Cloud | Target, Proxy | |
| Microsoft Azure Active Directory | Source, Proxy | |
| Microsoft Active Directory | Source, Proxy | |
| Google G Suite | Source, Proxy | |
| LDAP Server | Source, Proxy | |
| SAP Enterprise Portal | Source |
| SAP Cloud Solution | Provisioning Systems | System Type |
|---|---|---|
| SAP SuccessFactors Bundle | Identity Authentication | Source, Target, Proxy |
| SAP SuccessFactors | Source, Proxy | |
| SAP Analytics Cloud | Target, Proxy | |
| SAP Application Server ABAP | Source, Target, Proxy | |
| SAP S/4HANA On-Premise | Source, Target, Proxy | |
| SCIM System | Source, Proxy | |
| LDAP Server | Source, Proxy | |
| SAP Enterprise Portal | Source |
| SAP Cloud Solution | Provisioning Systems | System Type |
|---|---|---|
| SAP SuccessFactors Learning Bundle | Identity Authentication | Target, Proxy |
| SAP SuccessFactors Learning | Source, Target, Proxy | |
| SAP Application Server ABAP | Source, Target, Proxy | |
| SAP S/4HANA On-Premise | Source, Target, Proxy | |
| SCIM System | Source, Proxy | |
| LDAP Server | Source, Proxy | |
| SAP Enterprise Portal | Source |
| SAP Cloud Solution | Provisioning Systems | System Type |
|---|---|---|
| Sales Cloud – Analytics and AI Bundle | Identity Authentication | Source, Proxy |
| Sales Cloud – Analytics and AI | Target, Proxy | |
| SAP Analytics Cloud | Target, Proxy | |
| Microsoft Azure Active Directory | Source, Proxy | |
| Microsoft Active Directory | Source, Proxy | |
| Google G Suite | Source, Proxy | |
| SAP Application Server ABAP | Source, Target, Proxy | |
| SAP S/4HANA On-Premise | Source, Target, Proxy | |
| SCIM System | Source, Proxy | |
| LDAP Server | Source, Proxy | |
| SAP Enterprise Portal | Source |
| SAP Cloud Solution | Provisioning Systems | System Type |
|---|---|---|
| Identity Authentication | Source, Target, Proxy |
| SAP Cloud Solution | Provisioning Systems | System Type |
|---|---|---|
| SAP Landscape Management Cloud Bundle | SAP Analytics Cloud | Target, Proxy |
| SAP Application Server ABAP | Source, Target, Proxy | |
| SAP S/4HANA On-Premise | Source, Target, Proxy | |
| Microsoft Azure Active Directory | Source, Proxy | |
| Microsoft Active Directory | Source, Proxy | |
| Google G Suite | Source, Proxy | |
| SCIM System | Source, Proxy | |
| LDAP Server | Source, Proxy | |
| SAP Enterprise Portal | Source |
| SAP Cloud Solution | Provisioning Systems | System Type |
|---|---|---|
| SAP Fieldglass Bundle | Identity Authentication | Source, Target, Proxy |
| SAP Fieldglass | Source, Target, Proxy | |
| SAP Application Server ABAP | Source, Target, Proxy | |
| SAP S/4HANA On-Premise | Source, Target, Proxy | |
| Microsoft Azure Active Directory | Source, Proxy | |
| Microsoft Active Directory | Source, Proxy | |
| Google G Suite | Source, Proxy | |
| SCIM System | Source, Proxy | |
| LDAP Server | Source, Proxy | |
| SAP Enterprise Portal | Source |
A bundle tenant is an instance of Identity Provisioning that comes with a set of pre-configured provisioning systems (connectors) relevant to one or more bundled SAP cloud solutions.
The communication between Identity Provisioning and the pre-configured systems is automatically set up, therefore administrators are ready to run or schedule provisioning jobs. Further usage of provisioning systems (connectors) and their availability depend on the infrastructure/environment on which your bundle tenant is running.
Note
Bundle tenants running on SAP Cloud Identity infrastructure and the SAP BTP, Neo Environment, which are obtained after purchasing the following SAP cloud solutions, are the least restrictive in terms of connectors availability:
SAP Jam Collaboration bundle tenant has all source and proxy connectors enabled, except for Local Identity Directory.
If your bundle tenant is running on the infrastructure of SAP Cloud Identity Services, most of the connectors are enabled by default, with few exceptions described in Connectors Availability in Bundle Tenants on SAP Cloud Identity Infrastructure section below.
As of March 15, 2022, Identity Provisioning bundle tenants are created on the infrastructure of SAP Cloud Identity Services only.
If your bundle tenant is running on SAP BTP, Neo Environment, a limited number of connectors are enabled by default. You can extend the number of connectors by migrating the tenant to the SAP Cloud Identity infrastructure or by purchasing more SAP cloud solutions that bundle Identity Provisioning. In the latter case, along with the enabled provisioning systems of your bundle tenant, you will also get the provisioning systems relevant for the newly purchased solutions.
The example in the following scenario explains the usage of Identity Provisioning bundle tenant that comes with a set of pre-configured systems relevant for a given SAP cloud solution. Although details vary from one bundle tenant to another, the overall process is the same.
The following figure illustrates the expected provisioning flow from source to target systems (the default provisioning mode).
<System_name> – source (Identity Authentication)
<System_name> – target (SAP Analytics Cloud)
ii. On the Properties tab, the communication between Identity Provisioning and those systems is automatically set up.Connection properties are populated. The authentication type is specified. You have the following options: use BasicAuthentication or ClientCertificateAuthentication.
You can modify properties to further control how user data is transferred, for example:
a) You can configure filtering on source systems to provision users and groups matching specific criteria or to test the provisioning with few users and groups before you replicate all of them.
b) You can enable bulk operations on the target system to speed up the provisioning.
iii. On the Transformations tab, the user and group resource mappings are displayed.Transformations of the pre-configured systems might be adapted for the scenarios relevant to your bundled SAP cloud solution.
For example, the read transformation of Identity Authentication source system in SAP Landscape Management Cloud bundle tenant contains a specific condition that is not available in the default read transformation of Identity Authentication. According to this condition, only users assigned to SAP Landscape Management Cloud specific groups in Identity Authentication are replicated to SAP Analytics Cloud and mapped to an embedded role there.
The following figure illustrates the expected provisioning flow between an external identity management solution and a system with proxy configuration (the proxy provisioning mode).
In this mode, Identity Provisioning is used for synchronizing user data to and from a central identity management solution (for example, the on-premise SAP Identity Management) and a provisioning system with proxy configuration (for example, SAP Analytics Cloud, embedded edition). Here, Identity Provisioning acts as a proxy between the identity management solution and the system with proxy configuration.
Almost all connectors are available. The following table lists only the few provisioning systems that are not supported for bundle tenants running on SAP Cloud Identity infrastructure:
| Availability | Provisioning Systems (Connectors) |
|---|---|
| Not supported as source, target, and proxy systems | Cloud Foundry UAA Server |
| Local Identity Directory | |
| Not supported as target systems | SCIM |
| LDAP Server | |
| Microsoft Active Directory | |
| Microsoft Azure Active Directory | |
| Google G suite |
The following table lists the provisioning systems available in all bundle tenants and their use case.
| Connector | Use Case |
|---|---|
| Identity Authentication | Identity Authentication is available as source, target, and proxy system in all bundle tenants, except for a target system in Sales Cloud – Analytics and AI Bundle bundle). Using Identity Authentication as a source system is relevant for new customers of SAP cloud solutions (green-field approach). Users are created in Identity Authentication (self-registered, uploaded from files or provisioned through Identity Provisioning from another source system) and afterward replicated to target systems. Using Identity Authentication as a target system is relevant for existing customers of SAP cloud solutions (brown-field approach). Users are already created in the SAP cloud solutions and afterward provisioned to Identity Authentication that becomes the leading system in user provisioning. |
| Microsoft Azure Active Directory | These systems are available as source systems in all bundle tenants. |
| Microsoft Active Directory | |
| Google G Suite | The reason is that they are normally used as corporate user stores and therefore can act as central place for user management in customers landscapes. The only exception is SAP SuccessFactors bundle, where Microsoft Azure AD, Microsoft AD and Google G Suite are not available as source systems. However, its scope can be extended, and those systems can be enabled for reading entities upon purchasing more bundled SAP cloud solutions. In addition to being available as source systems, SAP AS ABAP and SAP S/4HANA On-Premise are also available as target systems in all bundle tenants. The reason is that they are normally part of the customers landscapes and therefore can be used for both - reading and replicating entities, when implementing user management and provisioning. |
| SAP Application Server ABAP | |
| SAP S/4HANA On-Premise | |
| SCIM System | |
| LDAP Server |
SAP Business Technology Platform bundle allows you to use the Identity Provisioning service for synchronizing user data between source and target systems. The available source and target systems in this bundle can also be configured as proxy systems for indirect connection to external identity management systems.
Note
As of March 15, 2022, Identity Provisioning bundle tenants are created on the infrastructure of SAP Cloud Identity Services only. These tenants have most of the provisioning systems (connectors) enabled by default.
Identity Provisioning bundle tenants running on SAP BTP, Neo Environment have a limited number of connectors enabled by default. They are illustrated in the following figure.
After purchasing a global account for SAP Business Technology Platform (in short, SAP BTP), you can obtain Identity Provisioning tenant. To do this, your subaccount needs to be subscribed to the Cloud Identity Services application in SAP BTP cockpit.
To obtain the Identity Provisioning tenant, make sure your subaccount is subscribed to the application in the correct region. If you do this in multiple regions, the tenant you obtain in the first region will be reused in all other regions.
In addition, if you already have an existing Identity Provisioning, it will be reused for the relevant provisioning systems entitled to your SAP BTP product.
To activate your tenant, complete the following steps:
In the SAP BTP cockpit, choose your subaccount in the SAP BTP, Cloud Foundry environment.
Navigate to Services Service Marketplace and select Cloud Identity Services.
Note
If you do not see Cloud Identity Service, navigate to Entitlements and add the default plan.Under Application Plans, choose default and then Next.
In the Cloud Service Type dropdown, choose the tenant type. You have the following options:
The default application plan allows you to consume Identity Provisioning, Identity Authentication, and Identity Directory. The new test or productive tenant will be only created if there is not an existing one already that is bound to your customer ID, regardless of the region.
The default test and productive tenants will be created in the same region.
Choose Next and Create to make a subscription to this application, bound to your customer ID.
The default application plan allows you to consume Identity Provisioning, Identity Authentication, and Identity Directory. The new test or productive tenant will be only created if there is not an existing one already bound to your customer ID, regardless of the region.
The default test and productive tenants will be created in the same region.
In the side menu of the SAP BTP cockpit, go to Services Instances and Subscriptions.
Under the Subscriptions tab, in the table, you can find the Cloud Identity Services application.
Choose the icon (Actions) at the end of the subscription row and select Go to Application.
This opens the Identity Provisioning administration console. The URL of your Identity Provisioning bundle tenant follows the pattern:
This is valid for new Identity Provisioning bundle tenants created after March 15, 2022. They run on SAP Cloud Identity infrastructure.
This is valid for existing (reused) Identity Provisioning tenants created before March 15, 2022. They run on SAP BTP, Neo Environment.
Note
You can remove the subscription to the Cloud Identity Services application, that is to offboard your Identity Provisioning tenant, if you select the icon (Actions) and select Delete. Be aware of the following:
The Identity Provisioning service supports provisioning of users and groups between multiple supported cloud and on-premise systems, both SAP and non-SAP.
For more information about all provisioning systems (connectors) that you can use as source, target, and proxy system types for your provisioning scenarios, refer to the topics in this section.
A source system is the connector used for reading entities (users, groups, and roles).
Source systems can be on-premise or cloud-based, SAP or non-SAP, and usually represent the corporate user store where identities are currently maintained. The Identity Provisioning service reads the entities from the source system and creates or updates them in the relevant target ones. The provisioning is triggered from the Jobs tab of a source system.
You can connect one source system to one or multiple target systems. In the case of multiple (enabled) target systems, when you start a Read or a Resync job, this operation will trigger provisioning of entities from this source system to all relevant target ones.
By default, the maximum number of productive source systems you are allowed to add for your tenant is 20.
A target system is the connector used for writing entities.
Target systems are usually cloud systems, where the Identity Provisioning service creates or updates the entities read from the source system.
A target system can be connected to a single source system, or multiple source systems. In the case of multiple source systems, we recommend that you run the provisioning jobs successively for each system, not simultaneously. This way, you will avoid incorrect overwriting or merging of entity data, hence failed provisioning jobs.
Note
By default, the maximum number of productive target systems you are allowed to add for your tenant is 50.
A proxy system is a special connector type you can use for hybrid scenarios.
It exposes any Identity Provisioning-supported backend system as a SCIM 2.0 service provider, which can be consumed by any SCIM 2.0 compatible client application, without making a direct connection between them.
When the proxy connector is configured, a consumer application can start sending CRUD requests to the Identity Provisioning proxy connector (which will play the role of a target system). The proxy connector will then read the entities (playing the role of a source system) and provision them to the backend of the SCIM 2.0 system.
The Identity Provisioning service exposes a SCIM 2.0 based system (connector) as a proxy. Then, an external consumer system regards this proxy connector as its back-end system. Depending on the infrastructure/environment your Identity Provisioning tenant (bundle or standalone) runs on, you need to perform the following steps to start using a proxy system:
Your tenant type meets one of the following requirements:
Complete the following steps:
You are redirected to the Identity Authentication admin console, section Users and Authorizations Administrators.
Choose Certificate Configure certificate and Upload your certificate.
Client certificates are used by HTTP REST clients as a means for SSL certificate authentication.
Choose Secrets Add and provide the required information. After saving it, a Client ID and Client Secret are generated for the technical user. Make sure that you copy and save the client secret.
Note
The entities exposed by the backend system will be mapped to SCIM 2.0 entities, if possible. If this is not possible, the SCIM standard provides a mechanism to define a new resource type with the appropriate schema. You can use the custom resource type to map the back-end entities.Your tenant type meets one of the following requirements:
Log in to track your progress & complete quizzes