Skip to Content

AddOns for SAP NW IdM: Part I – Creating a java connection to the identity store via SPML

Developing Java-AddOns for SAP IdM is a mighty instrument to enhance the usability and the functionality of SAP NetWeaver Identity Management. In this blog series we will show how to connect to SAP IdM out of a java. There will be two parts in this series.

Part I: The first part provides a view on the java application and the connection to the SAP Virtual Directory Server (VDS) via SPML.

AddOns for SAP NW IdM: Part II – Realising Async Requests for Identity ServicesThe second part will provide a detailed view on the necessary configuration of the SAP Identity Center and Virtual Directory Server. (comming soon)



               The following systems / applications have been used in this blog                


  • Java 1.5 runtime / compiler

  • OpenSPML library [OpenSPML]

  • Further you need a SAP NetWeaver Identity Management 7.0 to connect to

               Knowledge / experience in the following area(s) is helpful:                


  • SAP NW Identity Management knowledge

  • Basic Java knowledge




The following example describes an additional workflow AddOn for SAP IdM, but the basic doing can also be used to create a management AddOn for batch processing or managing entries of the identity store another way.


We designed a java application with a web based user interface to run BPEL workflows on to of the identity store. You are able to use all java technologies like the spring framework [Spring] or the hibernate persistence layer [Hibernate] like we’ve done here. Our AddOn is running on a separate application server (Apache Tomcat 5.5) but can also be a console program or something else. After showing the surrounding use case in this blog we will focus on the doing to get a connection to the identity store.


Getting the use case


At the beginning Jessica Baker (personal number 00900044) has no roles other than a business role Employee (figure 1). In the first step Jessica gets a business role “Basic Audit” that contains two technical roles in a target system, name them SAP_TST_XI_DISPLAY_USER and SAP_TST_XI_MONITOR and call the system CX0CLNT100 (figure 2). Jessica does not have already a user for this system. Our application assigns Jessica the two technical roles in the SAP IdM identity store. After that the SAP IdM has to create a new user in the target system (CX0CLNT100) and the two technical roles will be assigned (figure 3).


               Figure 1: Information of Jessica Baker before assigning an additional business role

               Figure 2: User interface to request a business role          


               Figure 3: The “Basic Audit” business role groups two privileges           


Look at the figure 4 to get an overview of our java application. In the following we take a detailed view on the communication layer, the SPMLConnector.


               Figure 4: AddOn overview          


Build the SPMLConnector class


To communicate with the identity store we will use the OpenSPML library [OpenSPML] to connect to the SAP Virtual Directory Server. This library allows us to send a request to modify an entry in the identity store. First one has to create a java class like SPMLConnector.


As you can see in listing 1 the basic authorization method is used here. This has to be configured according in the SAP Virtual Directory Server, like the URL of the SPML [SPML] webservice interface. The configuration of the VDS will be explained in the second part of this blog series.


public SPMLConnector {

public SPMLConnector client;

public SPMLConnector (String url, String username, String password)
     throws EpeException {

     String urlWithPwd = "";
     try {
          urlWithPwd = "http://"+password+":"+username+"@"+url;
          client = new SpmlClient();
          log.debug("Connected to Server: " + url);
     } catch (Exception e) {
          log.error("Error while connecting to sap idm on url: "+url);
          log.debug("username "+username);
          log.debug("password "+password);
          EpeException.logStackTrace(e, log);
          throw new EpeException("Connection fails!",e);

} // class SPMLConnector


                 Listing 1: SPMLConector class          


In our use case we would like to modify Jessica by assigning two additional technical roles. The assignment is done by user interaction in a GUI. The modification now will be sent via the Virtual Directory Server to the identity store. This will be done in a modifyEntry(…) method.


In the identity store there is a special entry type to handle asynchrony requests on the identity store. How this entry types works and how one has to use it in detail will be part of the second part of this blog series.


The main steps in the modifyEntry(…) method are:                


  • Create a SPML AddRequest
                        We have to create a AddRequest to add a new entry of the type AsyncReqeust in the Identity Store. This AsyncRequest object contains the information about modify the target person, in this case Jessica Baker.

  • Set all required attributes
                        There are two parts of attributes to set: special attributes to control the AsyncRequest and data attributes to describe the modification. One of these special attributes is the mskey-value of the new AsyncRequest entry. This has to be a unique id (according to the policy of the identity center), for this

  • Send the SPML Request to VDS-host
                        Sending the request to the SPML-Interface of the VDS and handling the result.




The modifyEntry method is shown exemplarily in listing 2.


public boolean modifyEntry(Person person, String baseRepositoryName) {
     // create a unique mskey value for the async request
     String uid = createUniqueID(object);
     String mskeyValueAR = "MX-ASYNC-MSKEYVALUE:"+uid;

     // the VDS needs an identitfier in a LDAP syntax
     String identifier = "cn="+mskeyValueAR+","+baseRepositoryName;
     // create the open spml request
     AddRequest request = new AddRequest();

     // identify identifier
     // set special attributes to announce modification of a MX_PERSON
     request.setAttribute("MX-ASYNC-MSKEYVALUE", person.getMskeyValue());
     request.setAttribute"MX-ASYNC-OBJECTCLASS", "MX-PERSON");
     request.setAttribute("MX-ASYNC-ORIG-OPERATION", "MODIFY");
     request.setAttribute("MSKEYVALUE", mskeyValueAR);
     request.setAttribute("MX-ENTRYTYPE", "MX_ASYNC_REQUEST");
     // add attributes to modify (data attributes)
     // person.getPrivilegesMSKEYList() returns a java List object containing
     // string values representing MSKEYSs - each MSKEY refers a privilege
     // entry in the identity store
     request.setAttribute("MX_ASYNC_PRIVILEGE", person.getPrivilegesMSKEYList());
     // ... set additional attribues like name or a new telephone number

     SpmlResponse response;
     try {
          // send the request and handle the response
          response = client.request(request);
          if ((response.getError()==null) &&
                   (response.getErrorMessage()==null)) {
               return true;
          } else {
               // performe some advances error handling here
               return false;
     } catch (SpmlException e) {
          // handle errors
          return false;


                      Listing 2: Method modifyEntry() of SPMLConector class               


Showing the result


The underlying SAP NetWeaver Identity Center now has to create the user and assign the privileges to this new user. After that, our AddOn is able to to retrieve this information from the identity store (by using a SPML SearchRequest) and display it in the user interface (figure 5)


               Figure 5: Information of Jessica Baker after assigning a role and get back the created user (in system CX0CLNT100) from SAP NetWeaver Identity Center.          




At the end we created a java application that connects to the identity store and modifies data in there. The shown technique could also be used for other AddOns to the identity store as the core of the SAP NetWeaver Identity Management. In this way we use the entry types of the identity store and so we are able to use all benefits of this tool. A possible other way would be to access the database directly but this is very risky according to the hard database model and you are not able to use entry types, versioning, jobs and so on. Read the following second part of this blog series with information about configuring the necessary counterpart in the SAP NetWeaver Identity Management.

This blog series will be continued in AddOns for SAP NW IdM: Part II – Realising Async Requests for Identity Services (coming soon)


Software / Links


               Hibernate is a open source project that provides a data persistence layer for java and .net – you can find more information at


               The toolkit and additional information can be obtained here, the direct link to used library is


               Service Provisioning Markup Language (SPML) v1.0, [OASIS 200306] is a OASIS standard, additional Information can be obtained here .


               The spring framework is a open source, easy to use java application framework that allows you to build large scale java applications – you can find more information at

You must be Logged on to comment or reply to a post.
  • Hello Felix!

    In the method example (Figure 1) you use http in the urlWithPwd.

    I am not a programmer, so I might be out on deep water, but doesn't this mean you will transfer the username and password in clear text in the network?


    • Hi Lasse,

      the question of http or https will depend on the system landscape. Of course there should be no clear text password sending via open internet or even local intranet. In our setting we use a strong encryptet (Tripple DES) pwd and a local request via http only.