SAP Cloud Platform Identity Provisioning
We announced today, September 15th, 2016 the release of the SAP Cloud Platform Identity Provisioning – a new service in the SAP Cloud Platform family that will help companies to push their technology easier into the cloud
Most of the cloud-driven companies extend their existing IT infrastructure rather than starting from scratch. This is why they need a reliable identity and access management solution, capable to handle properly the identities and their authorizations across heterogeneous landscapes.
The new SAP Cloud Platform Identity Provisioning service (in short, Identity Provisioning) offers a comprehensive, low cost approach to identity lifecycle management in the cloud. This new service together with the already existing SAP Cloud Platform Identity Authentication service (formerly known as SAP Cloud Identity) offer an end-to-end solution for identity and access management as a service from SAP.
Now let us look into the supported scenarios and features with the first version of the Identity Provisioning service:
Provision on-premise users to cloud applications
Customers, who currently manage their identities using an on-premise user store, such as Microsoft Active Directory or the Central User Administration (CUA) of SAP Application Server ABAP, can use the Identity Provisioning service to provision their users into cloud applications, for example SAP Hybris Cloud for Customer.
Using policy-based authorization management
Once the identities are created into the cloud applications, the users will need also proper authorizations in order to use the business scenarios that are relevant for their role, department, location, etc. This is where the access policies feature of the Identity Provisioning service comes into play. It helps companies to define simple mappings between identity attributes and the authorization artifacts of the respective cloud business applications. A good example could be the mapping between Microsoft Active Directory groups and SAP Hybris Cloud for Customer roles. The access policies are considered during the provisioning process, and the authorizations of the individual user are determined and provisioned to the respective cloud applications.
Using a cloud user store
If the company is already using SAP SuccessFactors to manage employees, and if it is considered the central identity data store of the company, the SAP SuccessFactors system can be simply configured as a source system in the Identity Provisioning service. These settings will push the SAP SuccessFactors users into the relevant cloud application, along with their respective policy-based authorizations in case they have been configured accordingly.
There are two more scenarios supported when a cloud user store is used as a source and they are based on the integration between the Identity Provisioning service and the Identity Authentication service.
Easy consumer and partner provisioning
The first scenario concerns external users, for example, consumers and partners, that are easy to handle using the cloud user store of the Identity Authentication service. When the Identity Authentication service is configured as a source system in the Identity Provisioning service, it will be possible to provision existing or newly registered cloud users into the cloud applications relevant for them. For example, SAP JAM or even systems that simply support the System for Cross-domain Identity Management (SCIM) open standard.
Writing into the cloud user store
The other supported scenario that relates to the Identity Authentication service is the following: A company wants to integrate an existing on-premise authentication solution with a simple and low cost strong authentication service (two-factor authentication, risk-based authentication, etc.) or to introduce to the business users mobile single sign-on (SSO) as a service. This is necessary for companies in order to achieve better control over the authentication for the cloud business processes, and to keep the corporate security on a very high level while at the same time offering more flexibility to the business users to do their job. This scenario is possible because the integration with the Identity Authentication service allows also provisioning in the other direction, when the on-premise users are created into the cloud user store of the Identity Authentication service. This way companies will be able to manage an additional level of authentication security for cloud applications, such as SAP Hybris Cloud for Customer, and to offer to their business users simple and secure access to such cloud applications from anywhere and on any device, on a low and attractive service cost.
Flexible data transformations
Almost every system (SAP or non-SAP) comes with a unique data model design of its identity and authorization store. The mapping between the data models of a source and a target system is the key aspect of a provisioning solution. The new Identity Provisioning service offers flexible transformations management that allows companies to extend the default transformation settings provided by the service for every integrated source or target system. Using the transformation configurations, companies can configure different simple or complicated data transformation logic based on their business and security needs. For example, to filter the list with identities that have to be provisioned to SAP Hybris Cloud for Customer in the way that only users who have a certain group assigned as an attribute to get an identity created in the SAP Hybris Cloud for Customer.
Comprehensive job scheduler
The frequency of the provisioning processes, that have to be performed on a regular basis, can be configured using the comprehensive job scheduler of the service. The operations related to the job management include activities like scheduling jobs, starting and stopping jobs, jobs monitoring, etc. The status of the jobs can be monitored using a Job Execution Log.
Where to find more information
More details about the currently integrated source and target systems as well as information on how to configure different scenarios can be found in the documentation of the SAP Cloud Platform Identity Provisioning solution.
As part of the roadmap for the service, it is planned to integrate further with additional SAP solutions and also with non-SAP solutions important to our customers, for example, Microsoft Office 365, etc. The solution will also offer new features related to the identity management and provisioning processes.
Using the SAP Cloud Platform Identity Provisioning service, companies best leverage existing corporate infrastructure while also benefiting from the agility, flexibility, and simplicity provided by the cloud.
See also the SAP Insider Article: End-to-end identity and access management in the Cloud (October 2016)