In SAP Multichannel Foundation for Utilities and Public Sector (MCF), standard user management can be used. This user management relies on both SAP NetWeaver and SAP Gateway user management functionality. It ensures that common processes such as:
- user registration;
- user authentication;
- password reset;
- forgotten password and/or user name recovery
work properly.
Nevertheless, some customers would like to use an external Identity Management (IDM) system to manage their users. Many different Identity Management systems are offered on the market; we will use the SAP Identity Management product as the integration example. Several technical approaches for integrating with third-party IDMs or SAP IDM also exist.
In this blog post we show only one possible variant of integrating MCF with SAP IDM. This integration variant was fully set up and tested in our system landscape. The prerequisites for this integration variant are as follows:
- You have a complete installation of the add-ons on your SAP Gateway, SAP CRM for Utilities and SAP IS-U systems (UMCUI01, UMCERP01 and UMCRM01).
- You have a complete installation of SAP Identity Management on your SAP Java AS, together with the SAP NetWeaver SSO component.
- You have fully set up your identity database and identity store. The dispatcher setup needs to be completed as well.
IDM integration scenario
We will be using the SAP Identity Management system to manage the identities of the MCF users. To access the MCF application, users are authenticated in the IDM system. For user authentication we will be using the SAML protocol.
Users are first created in the Identity Store of the IDM system and then provisioned into all necessary backend systems. In our implementation we reused the SAP Gateway user management OData services. Also, for simplicity we will be using the same Public UI application as in standard MCF with slight adjustments (the user sign-up part of the UI is moved to a different view in the public UI compared to the standard).
Process flow for user authentication and provisioning in our integration scenario:
1. A non-authenticated user sends a request.
2. SAP NetWeaver redirects this authentication request to the IDM system using the SAML protocol.
3. The IDM system authenticates the user and sends a SAML response to the SAP NetWeaver system.
4. SAP NetWeaver sends back a response with SSO cookies.
As a result, the user is authenticated and subsequent requests do not require authentication, since the SSO cookies are used.
How to set up user authentication with SAML protocol is described in this document (coming soon).
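The four-step authentication flow above, simulated end to end as an added example (this is not code from the blog post or from SAP): an identity provider object stands in for SAP IDM and a service provider object for SAP NetWeaver. The entity ID, signing key, identity store and cookie format are constructed stand-ins, and an HMAC replaces the XML signature of a real SAML response; the checks the service provider applies (signature, audience, validity window, InResponseTo, one-time use of the assertion) are the ones a real SP must perform before issuing an SSO cookie.

```python
import hashlib, hmac, secrets, time

SP_ENTITY = "https://gw.example.internal/mcf"  # constructed SP entity ID
IDP_KEY = secrets.token_bytes(32)              # stand-in for the IdP signing key
COOKIE_KEY = secrets.token_bytes(32)           # SP secret protecting the SSO cookie
ASSERTION_TTL = 300                            # seconds an assertion stays valid

def _mac(key, *parts):
    return hmac.new(key, "|".join(map(str, parts)).encode(), hashlib.sha256).hexdigest()

class IdentityProvider:
    """Stands in for SAP IDM: checks credentials, signs an assertion (step 3)."""
    users = {"alice": "correct horse"}          # constructed identity store

    def authenticate(self, authn_request, user, password):
        if self.users.get(user) != password:
            return None                         # authentication fails, no response
        a = {"id": "_" + secrets.token_hex(8), "subject": user, "audience": SP_ENTITY,
             "in_response_to": authn_request["id"],
             "not_on_or_after": time.time() + ASSERTION_TTL}
        return {"assertion": a, "signature": _mac(IDP_KEY, *a.values())}

class ServiceProvider:
    """Stands in for SAP NetWeaver: redirects (step 2), validates, sets cookie (step 4)."""
    def __init__(self):
        self.pending = set()                    # outstanding AuthnRequest IDs
        self.seen = set()                       # consumed assertion IDs (replay guard)

    def handle(self, request):
        """Step 1: any request. A valid SSO cookie short-circuits the SAML round trip."""
        user, exp, mac = (request.get("cookie", "").split("|") + ["", "", ""])[:3]
        if mac and hmac.compare_digest(mac, _mac(COOKIE_KEY, user, exp)) and float(exp) > time.time():
            return {"status": 200, "user": user}
        rid = "_" + secrets.token_hex(8)
        self.pending.add(rid)
        return {"status": 302, "authn_request": {"id": rid, "issuer": SP_ENTITY}}

    def consume(self, response):
        """Validate the SAML response; only then issue the SSO cookie."""
        a = response["assertion"]
        ok = (hmac.compare_digest(response["signature"], _mac(IDP_KEY, *a.values()))
              and a["audience"] == SP_ENTITY
              and a["not_on_or_after"] > time.time()
              and a["in_response_to"] in self.pending   # must answer a request we sent
              and a["id"] not in self.seen)             # each assertion is usable once
        if not ok:
            return {"status": 403}
        self.pending.discard(a["in_response_to"]); self.seen.add(a["id"])
        exp = time.time() + 3600
        return {"status": 200, "cookie": f"{a['subject']}|{exp}|{_mac(COOKIE_KEY, a['subject'], exp)}"}
```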
For user provisioning (orange arrows):
a. The user sends a registration request (OData service).
b. This request is redirected to the leading user management system, which is SAP CRM for Utilities in this example. The request is verified there.
c. If verification of the request is successful, an e-mail is sent to the user with a URL to confirm the registration.
d. The user clicks on the registration URL and the registration confirmation is sent via the OData service.
e. This request is redirected to the leading user management system.
f. The leading user management system sends a request to the IDM system to create the user.
g. The IDM system creates this user in its own repository and provisions the user to all the necessary backend systems, where the user is created as well.
How to set up user provisioning with the SAP IDM system is described in this document.