Understanding the Application Lifecycle Management for Identity Provisioning Services

Objectives

After completing this lesson, you will be able to:

  • Migrate Identity Provisioning bundle tenant
  • Reset the Identity Provisioning system

Identity Provisioning Bundle Tenant Migration

Migrate your Identity Provisioning bundle tenant on SAP BTP, Neo Environment to the infrastructure of SAP Cloud Identity Services.

Prerequisites

  • Ensure you have a bundle tenant running on SAP BTP, Neo environment. Standalone tenants cannot be migrated through the wizard option described below.

    For more information on how to proceed with standalone tenants on the Neo environment, refer to SAP Note 3278189.

  • Ensure you have an admin user on the target Identity Authentication tenant.
  • Ensure that no provisioning jobs are running before you start the migration. Stop manually triggered jobs and pause the scheduled ones.
  • If you use connectivity destinations for any of your systems, do not modify them while the migration is running.

Context

Any administrator with Manage Identity Provisioning permission can trigger the migration of Identity Provisioning bundle tenants on SAP BTP, Neo Environment to the infrastructure of SAP Cloud Identity Services.

As a result of a successful migration, you will have a tenant that includes Identity Authentication and Identity Provisioning services. You will use the same <ias-tenant-host> to access the administration console of both services as follows:

  • Identity Provisioning URL: https://<ias-tenant-host>/ips
  • Identity Authentication URL: https://<ias-tenant-host>/admin

During migration, your Identity Provisioning tenant will be disabled. Other administrators of this tenant will not be able to perform any operation or system modification until it completes.

Note

The migration process might take considerable time to complete depending on the amount of data you want to migrate. You will be updated regularly about its progress in the Identity Provisioning UI.

A wizard guides you through the migration process. First, you choose the target Identity Authentication tenant to which you want to migrate your Identity Provisioning tenant. Then, you select the provisioning systems - source, target, and proxy, regardless of their status (enabled or disabled). The process moves the system configurations, such as properties, destinations, credentials, and transformations, to the tenant in the new infrastructure. Provisioning job logs are not migrated. They are retained in your Neo tenant according to the period of time (7, 14 or 30 days) you have configured. The migration job log is retained for 30 days.

Note

Following a successful migration, you will have access to your Identity Provisioning tenant on SAP BTP, Neo environment for 30 days. After that time, the tenant is offboarded and cannot be restored.

To Complete Tenant Migration

To successfully complete tenant migration, complete the following steps.

Steps

  1. Log on to your Identity Provisioning tenant and select Tenant Migration.

  2. Choose Migrate.

    This opens the tenant migration wizard.

    On this step, you start configuring the data you want to migrate. The migration itself is triggered when you choose Finish on the last step of the wizard.

    Note

    From now on, if you choose Cancel on any of the steps below, configurations already made through the wizard will not be saved. The next time you choose Migrate, you will start over with your configurations.
  3. Select the target Identity Authentication tenant to which you want to migrate your Identity Provisioning tenant.

    The dropdown displays the available Identity Authentication tenants for your Identity Provisioning tenant on the Neo Environment. If you want to select a different tenant, open an incident to BC-IAM-IPS component and request it.

    When you make your selection, the following tenant-specific information is displayed: name and ID, region and host, the date when the tenant was created, and its initial administrator. Depending on the value of the Identity Provisioning already exists field, you can expect the following:

    • If it is set to true, this means that the Identity Provisioning service is already enabled for the selected Identity Authentication tenant in the SAP Cloud Identity infrastructure and your data will be migrated there.
    • If it is set to false, this means that there is no Identity Provisioning service enabled for the selected Identity Authentication tenant in the SAP Cloud Identity infrastructure. The service will be enabled and your data will be migrated there.

    When you view the details, choose Next.

    Note

    You are allowed to migrate the Identity Provisioning tenant without migrating its provisioning systems (steps 4, 5, and 6 below). If the migration finishes with errors, you can start over. If the migration is successful, you cannot trigger the process again. You can only proceed by exporting the provisioning systems from your Neo tenant and importing them into the new tenant on the SAP Cloud Identity infrastructure.
  4. Select the source systems that you want to migrate and choose Next.

    Initially, up to 10 systems are displayed. Be careful when you choose the select all checkbox at this point, as it will only select the initially displayed systems. Keep expanding the list until all your source systems are displayed.

  5. Select the target systems that you want to migrate and choose Next.

    Initially, up to 10 systems are displayed. Be careful when you choose the select all checkbox at this point as it will only select the initially displayed systems. Keep expanding the list until all of your target systems are displayed.

  6. Select the proxy systems that you want to migrate and choose Next.

    Initially, up to 10 systems are displayed. Be careful when you choose the select all checkbox at this point as it will only select the initially displayed systems. Keep expanding the list until all your proxy systems are displayed.

  7. Manage duplicate system names.

    This step appears in the wizard if the Identity Provisioning service has already been enabled for the selected Identity Authentication tenant, and that tenant already contains provisioning systems with the same names as the ones you selected in steps 4, 5, and 6.

    You must provide new names for the duplicate systems.

  8. Review your configurations.

    On this step, you can go back and change the configurations you have made on the previous steps. You can change the target Identity Authentication tenant to which you want to migrate your Identity Provisioning tenant, revise the provisioning systems you have selected and the names you provided for the duplicate system names.

    Note

    Double-check the data you want to migrate before you choose Finish on the next step. When your migration is completed successfully, you cannot trigger it again. Any data that you have not selected for migration must be exported and manually imported into your tenant on the SAP Cloud Identity infrastructure within 30 days after the successful migration.

  9. Choose Finish.

    This triggers the migration process. It cannot be stopped and cannot be reverted.

Result

Completed successfully

If the migration is successfully completed, the Tenant Migration tile in the Identity Provisioning admin console displays the message: Tenant already migrated. In addition, on every screen you are notified of the following:

This tenant is already migrated to <ias-host>/ips on SAP Cloud Identity infrastructure and will be deleted on <date>.

  • Your Neo tenant is enabled again.
  • Your migrated tenant is also enabled; however, the provisioning systems are disabled. The scheduled jobs are paused. Modified transformations are migrated with status initial, which means that you cannot reset them to an earlier version.
  • Connectivity destinations are migrated as system properties. The only exception is SAP AS ABAP destination which needs to be created manually after the migration.
  • A technical user called PROXY is created in Identity Authentication for every migrated proxy system and for every migrated source system that is set up for real-time provisioning, but only if those systems were configured with inbound certificates in the Neo tenant.

    If those systems have been configured with authentication method other than inbound certificates (for example, OAuth or outgoing certificates), after migration, you need to create and configure the technical user (admin user of type System) manually in Identity Authentication.

Proceed with the post-migration tasks in the Next Steps section.

Finished with errors

If the migration finished with errors, check the logs for details. You are notified what has been migrated successfully and what has failed.

  • Your Neo tenant is enabled. You must start over with the migration. The next time you initiate it, only systems that failed to be migrated and systems that have not been previously selected for migration will be displayed in the wizard steps.

Next Steps

Hint

Start using your Identity Provisioning tenant on the SAP Cloud Identity infrastructure. Although your Neo tenant will remain available for 30 days following a successful migration, we recommend that you do not perform any operations on it, such as running jobs or adding provisioning systems.

If you continue working in your Neo tenant - for example, if you run jobs and provision users - they will be created or updated in the target systems. However, one possible implication is that you will not be able to delete the created users when you start using the tenant on SAP Cloud Identity infrastructure.

  1. Log on to the target Identity Authentication tenant with your admin user.

    The URL follows this pattern: https://<ias-host>/admin

  2. Get administrative access for your migrated Identity Provisioning tenant.
  3. Log on to the Identity Provisioning admin console.

    The URL follows the pattern: https://<ias-host>/ips

  4. Review your migrated provisioning systems and job schedules. Some of the provisioning systems require post-migration adjustments.

    i. Proxy systems

    Update the Identity Provisioning URLs in the external application with the URLs pointing to proxy systems in your migrated Identity Provisioning tenant on SAP Cloud Identity infrastructure.

    Example

    If you have configured a proxy system for provisioning user data to and from the on-premise SAP Identity Management, you need to update the value of the SCIM_HOST repository constant in SAP Identity Management Admin UI to point to the <ias-tenant-host> of your migrated Identity Provisioning tenant.

    Note

    Be aware that the OAuth authentication type is now changed to Basic; therefore, providing an OAuth URL for obtaining a token is no longer needed. The OAuth client ID and OAuth client secret must be replaced with the credentials of the technical user of type System created in Identity Authentication. For more information, see 3225329.

    ii. Real-time provisioning systems

    Update the Identity Provisioning SCIM URLs in the systems from which you want to sync users in real time. The SCIM URLs should point to the source systems (configured for real-time provisioning) in your migrated Identity Provisioning tenant on the SAP Cloud Identity infrastructure.

    Example

    If you have configured Identity Authentication for real-time provisioning to target systems in Identity Provisioning, in Identity Authentication admin console, you need to update the value of the SCIM URL field.

    iii. On-premise systems

    Adjust the connection to on-premise systems.

    Note

    For SAP AS ABAP, you must create a connectivity destination.
  5. If everything is correct with the migrated systems, go back to your Identity Provisioning tenant on the Neo Environment and disable the provisioning systems there.
  6. Return to your migrated tenant and enable the provisioning systems.

    If a source system that is connected to a target system has not been selected for migration, a warning message is displayed on the Details tab of the migrated target system, saying that the previously selected source system is invalid, deleted, or missing. You will need to select a migrated source system. Otherwise, this target system will read entities from all enabled source systems.

  7. Resume your provisioning jobs.

    Note

    The first provisioning job runs in Full Read mode, even if Delta Read has been configured. After a successful full read, jobs with ips.delta.read set to enabled run as expected, that is, only modified data is provisioned from source to target systems.

Identity Provisioning System Reset

Resetting an Identity Provisioning system (source or target) deletes all Identity Provisioning operational data.

Context

There might be times when you would like to delete the current Identity Provisioning operational data for a particular system. For example, you might want to clear entities that were read from the source system and then mapped to SCIM-specific attributes by the intermediate transformation logic.

This operation is called system reset. If you choose it, you only clear the Identity Provisioning operational data. The system configurations and all existing read and provisioned entities, along with their authorizations, will be preserved. To learn more, see Transformations.

If you want to reset your system, proceed as follows:

Procedure

  1. Access the Identity Provisioning User Interface (UI).
  2. Select the relevant source or target system.

    Note

    This reset operation is not applicable to proxy systems.
  3. Choose Edit from the top of the systems panel.
  4. From the following options, choose Reset.
  5. Confirm by selecting OK.

Next Steps

Regardless of the type of system you have reset (source or target), continue with the following steps:

  1. Start a provisioning job.
  2. Set ips.delete.existedbefore.entities to true on all affected target systems. This ensures that, if from now on you delete entities in the source system, those entities are recognized as previously existing entities in the target systems and are deleted there.
  3. Start a provisioning job again.

    Note

    Following a reset, scheduled jobs preserve their defined time period.
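The interaction between a system reset and ips.delete.existedbefore.entities is easier to see in a small model. The following is an added illustrative example, not SAP's code: after a reset, Identity Provisioning no longer knows which target entities it created, so the next job only matches them as entities that "existed before", and such entities are deleted on source deletion only when the property is enabled. The class, method names and the user names are constructed for the example.

```python
# Added illustrative model (not SAP's code) of a system reset and the
# ips.delete.existedbefore.entities property. All names are constructed samples.
CREATED, EXISTED_BEFORE = "created", "existed_before"


class TargetSystem:
    def __init__(self, existing_entities):
        self.entities = set(existing_entities)   # what the target application holds
        self.operational = {}                    # IPS operational data: entity -> origin
        self.delete_existed_before = False       # ips.delete.existedbefore.entities

    def reset(self):
        """System reset: clears operational data only; target entities and config stay."""
        self.operational.clear()

    def run_job(self, source_entities):
        """One provisioning job. Returns (created, matched, deleted) entity sets."""
        source = set(source_entities)
        created, matched, deleted = set(), set(), set()
        for e in source:
            if e in self.operational:
                continue                         # already tracked: plain update
            if e in self.entities:
                self.operational[e] = EXISTED_BEFORE   # found in target, not created by IPS
                matched.add(e)
            else:
                self.entities.add(e)
                self.operational[e] = CREATED
                created.add(e)
        for e in list(self.operational):
            if e in source:
                continue
            # Gone from the source: IPS deletes entities it created itself, and
            # entities that merely existed before only when the property is enabled.
            if self.operational[e] == CREATED or self.delete_existed_before:
                self.entities.discard(e)
                del self.operational[e]
                deleted.add(e)
        return created, matched, deleted


def reset_walkthrough():
    """The Next Steps above, with 'carol' deleted in the source after the reset."""
    target = TargetSystem(existing_entities=[])
    target.run_job(["alice", "bob", "carol"])         # before the reset: IPS created all three
    target.reset()                                    # operational data gone, users remain
    target.run_job(["alice", "bob", "carol"])         # step 1: re-tracked as EXISTED_BEFORE
    _, _, skipped = target.run_job(["alice", "bob"])  # property still false: carol is kept
    target.delete_existed_before = True               # step 2
    _, _, deleted = target.run_job(["alice", "bob"])  # step 3: carol is now deleted
    return skipped, deleted, sorted(target.entities)
```

The extra job between steps 1 and 2 is only there to show the contrast; without the property, the deleted source user survives in the target indefinitely.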

Identity Provisioning Transformations - Reset and Restoration

Resetting Identity Provisioning system transformations restores them to their initial state.

Context

An initial state is defined in the following way:

  • The default transformation when the system was created in the Identity Provisioning UI.
  • The transformation when the system was automatically created in an Identity Provisioning bundle tenant. This could be either the default transformation for the given system or a transformation provided specifically for it.

Resetting transformations is only available for modified transformations in source, target, and proxy systems created after November 1, 2021. Before doing that, it is always good practice to copy and save your transformations (or export the system), in case you need to get back to them later. When the reset is complete, your modified transformations are deleted.

Proceed in the following way.

Procedure

  1. Access the Identity Provisioning User Interface (UI).
  2. From the UI home page, choose a tile – Source Systems, Target Systems, or Proxy Systems.
  3. Select a system and choose the Transformations tab.

    If the transformations have been modified, a message informs you about that, and the Reset button is displayed on the right of the screen. The button is grayed out.

  4. Select the Edit button.

    This is needed because resetting transformations requires that you start working in edit mode.

  5. Select the Reset button and confirm your choice in the Approve dialog.
  6. Save your changes.

Next Steps

When the reset is complete, you can start afresh with your transformations. You can modify them again to meet the needs of your provisioning scenarios and run a provisioning job.

Note that starting fresh with your transformations does not mean you are starting fresh with your system. Even though you reset the transformations of a given system and run a provisioning job, Identity Provisioning still keeps the operational data for that system (for example, which entities have been provisioned and whether they exist, and therefore need to be updated or deleted).

If you want to delete the operational data and start afresh with your system, you need to reset the system.

Reset the IPS Tenant

Activate the following video and audio to learn about how to reset a tenant.
