Today, September 15th, 2016, we announced the release of SAP HANA Cloud Platform Identity Provisioning, a new service in the SAP HANA Cloud Platform family that helps companies move their identity management into the cloud more easily.

Most companies moving to the cloud extend their existing IT infrastructure rather than starting from scratch. This is why they need a reliable identity and access management solution that can handle identities and their authorizations correctly across heterogeneous landscapes.

The new SAP HANA Cloud Platform Identity Provisioning service (Identity Provisioning for short) offers a comprehensive, low-cost approach to identity lifecycle management in the cloud. Together with the already existing SAP HANA Cloud Platform Identity Authentication service (formerly known as SAP Cloud Identity), this new service offers an end-to-end identity and access management as a service solution from SAP.

IPS_Blog_15_9_2016.png

Now let us look at the scenarios and features supported in the first version of the Identity Provisioning service:

Provision on-premise users to cloud applications

Customers who currently manage their identities in an on-premise user store such as Microsoft Active Directory or the Central User Administration (CUA) of SAP Application Server ABAP can use the Identity Provisioning service to provision their users into cloud applications such as SAP Hybris Cloud for Customer.

Using policy-based authorization management

Once the identities have been created in the cloud applications, the users also need the proper authorizations to use the business scenarios relevant to their role, department, location, etc. This is where the access policies feature of the Identity Provisioning service comes into play. It lets companies define simple mappings between identity attributes and the authorization artifacts of the respective cloud business applications; a typical example is a mapping between Microsoft Active Directory groups and SAP Hybris Cloud for Customer roles. The access policies are evaluated during the provisioning process, and the resulting authorizations of each user are provisioned to the respective cloud applications. Note that with such a mapping, group membership in the source system effectively becomes the source of truth for authorizations in the target, so changes to those groups should be governed as carefully as role assignments in the target application itself.

Policy.png

Using a cloud user store

If a company already uses SAP SuccessFactors to manage its employees and considers it the central identity data store, the SAP SuccessFactors system can simply be configured as a source system in Identity Provisioning. With this configuration, the SAP SuccessFactors users are pushed into the relevant cloud applications together with their policy-based authorizations, where such policies are configured.

Two more scenarios are supported when a cloud user store is used as a source, and both are based on the integration between the Identity Provisioning service and the Identity Authentication service.

Easy consumer and partner provisioning

The first scenario concerns users external to the company, such as consumers and partners, who are easy to handle using the cloud user store of the Identity Authentication service. When the Identity Authentication service is configured as a source system in Identity Provisioning, existing or newly registered cloud users can be provisioned into the cloud applications relevant to them, such as SAP Jam, or into any system that supports the System for Cross-domain Identity Management (SCIM) open standard.

Untitled.png

Writing into the cloud user store

The other scenario related to the Identity Authentication service is the following: a company wants to integrate an existing on-premise authentication solution with a simple, low-cost strong authentication service (two-factor authentication, risk-based authentication, etc.), or to introduce Mobile SSO as a service to its business users. Companies need this to gain better control over authentication for their cloud business processes and to keep corporate security at a high level while giving business users more flexibility to do their job. The scenario is possible because the integration with Identity Authentication also allows provisioning in the other direction: on-premise users are created in the cloud user store of the Identity Authentication service. This way companies can add a further level of authentication security for cloud applications like SAP Hybris Cloud for Customer and offer their business users simple and secure access to such applications from anywhere and on any device, at a low service cost.

Flexible data transformations

Almost every system (SAP or non-SAP) comes with its own data model for its identity and authorization store. The mapping between the data models of a source and a target system is the key aspect of any provisioning solution. The new Identity Provisioning service offers flexible transformation management that lets companies extend the default transformations the service provides for every integrated source or target system. Using the transformation configurations, companies can implement simple or complex data transformation logic based on their business and security needs; for example, filtering the list of identities to be provisioned to SAP Hybris Cloud for Customer so that only users who have a certain group assigned as an attribute get an identity created there. Because the filters and mappings decide who receives an account and with which roles, changes to a transformation deserve the same review as changes to authorizations.
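The policy mapping (Active Directory groups to application roles), the transformation filter (only members of a certain group get an identity) and the SCIM-based target described in the sections above, worked through as one added Python example. This is not SAP's transformation or access-policy format and not code from the service; the directory records, group DNs, role names and function names are all constructed for illustration. Beyond the prose, it shows two checks a practitioner would want: the filter also rejects disabled accounts and records missing an attribute the target needs, and a group with no policy entry yields no role, so an unmapped group cannot grant access by accident.

```python
"""Illustrative provisioning transform: on-premise directory records -> SCIM 2.0 users.

Added example, not SAP's transformation or access-policy format. The source record
layout, group DNs, role names and helper names below are assumptions.
"""
from __future__ import annotations

import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User schema
AD_ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks a disabled AD account

# Constructed sample source records, shaped like Active Directory attributes (assumption).
SOURCE_USERS = [
    {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
     "mail": "jane.doe@example.com", "userAccountControl": 512,
     "memberOf": ["CN=C4C-Users,OU=Groups,DC=example,DC=com",
                  "CN=Sales-EMEA,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "bsmith", "givenName": "Bob", "sn": "Smith",
     "mail": "bob.smith@example.com", "userAccountControl": 512,
     "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]},   # not in the scope group
    {"sAMAccountName": "svc-backup", "givenName": "Backup", "sn": "Service",
     "mail": "", "userAccountControl": 514,                       # 512 + ACCOUNTDISABLE
     "memberOf": ["CN=C4C-Users,OU=Groups,DC=example,DC=com",
                  "CN=Sales-Admins,OU=Groups,DC=example,DC=com"]},
]

# Access policy: source group -> target role (hypothetical role names).
ACCESS_POLICY = {
    "CN=Sales-EMEA,OU=Groups,DC=example,DC=com": "SALES_REPRESENTATIVE",
    "CN=Sales-Admins,OU=Groups,DC=example,DC=com": "SALES_ADMINISTRATOR",
}

# Transformation filter: only members of this group get an identity in the target.
REQUIRED_GROUP = "CN=C4C-Users,OU=Groups,DC=example,DC=com"


def should_provision(user: dict) -> bool:
    """Filter step: skip users outside the scope group, disabled accounts, and
    records that lack an attribute the target requires (here: a mail address)."""
    if REQUIRED_GROUP not in user.get("memberOf", []):
        return False
    if user.get("userAccountControl", 0) & AD_ACCOUNTDISABLE:
        return False
    if not user.get("mail"):
        return False
    return True


def resolve_roles(user: dict) -> list[str]:
    """Policy step: derive target roles from source group membership.
    Groups without a policy entry deliberately map to nothing (least privilege)."""
    return sorted({ACCESS_POLICY[g] for g in user.get("memberOf", []) if g in ACCESS_POLICY})


def to_scim_user(user: dict) -> dict:
    """Mapping step: build a SCIM 2.0 core User resource from the source record."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user["sAMAccountName"],
        "externalId": user["sAMAccountName"],  # lets the target correlate later updates
        "name": {"givenName": user["givenName"], "familyName": user["sn"]},
        "emails": [{"value": user["mail"], "type": "work", "primary": True}],
        "active": True,
        "roles": [{"value": r, "primary": False} for r in resolve_roles(user)],
    }


def run_provisioning(source_users: list[dict]) -> tuple[list[dict], list[str]]:
    """One provisioning run: the SCIM payloads to send, and the skipped user names."""
    payloads, skipped = [], []
    for user in source_users:
        if should_provision(user):
            payloads.append(to_scim_user(user))
        else:
            skipped.append(user["sAMAccountName"])
    return payloads, skipped


if __name__ == "__main__":
    payloads, skipped = run_provisioning(SOURCE_USERS)
    for p in payloads:
        print(json.dumps(p, indent=2))  # body of a POST to the target's /Users endpoint
    print("skipped:", skipped)
```

Running it prints the SCIM User resource for jdoe with the single role SALES_REPRESENTATIVE and reports bsmith (outside the scope group) and svc-backup (disabled, no mail) as skipped; the disabled account is rejected even though its Sales-Admins group would have mapped to an administrator role, which is the ordering you want: the filter runs before the policy.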

Comprehensive job scheduler

The frequency of the provisioning processes that have to run on a regular basis can be configured using the service's job scheduler. Job management covers scheduling jobs, starting and stopping jobs, monitoring jobs, etc. The status of the jobs can be monitored in the Job Execution Log.

Figure1_Identity_Provisioning.png

Where to find more data

More details about the currently integrated source and target systems, and information on how to configure the different scenarios, can be found in the SAP documentation of the Identity Provisioning solution.

Future direction

As part of the roadmap for the service, it is planned to integrate with more and more SAP solutions, and also with the non-SAP solutions that are important to our customers, such as Microsoft Office 365. The solution will also offer new features related to identity management and provisioning processes.

Integrations_ALL.png

Using SAP HANA Cloud Platform Identity Provisioning, companies can leverage their existing corporate infrastructure while also benefiting from the agility, flexibility, and simplicity of the cloud.

See also the SAP Insider Article: End-to-end identity and access management in the Cloud (October 2016)


10 Comments


  1. Ian Daniel

    Hi,

    This is very exciting news – the link within “Where to find more data” points back to this blog. Is there anywhere that tells us what connectors are available?

    Thanks,

    Ian

    (1) 
  2. Lambert Boskamp

    Donka,

    thanks for this very useful post. Are there any interfaces that could be used to extend the product by customer-specific connectors? If so, could you provide links to relevant technical documentation?

    Cheers, Lambert

    (0) 
    1. Donka Dimitrova Post author

      Dear Lambert,

      With the very first release of the service you can configure as a target system a SCIM-enabled solution.
      You simply configure such target system and there will be a default transformation (SCIM) available out-of-the-box. You will be able to extend it with some additional conditions to fit your corporate scenarios.
      Very soon I will post a step-by-step guide on how to do this end-to-end, including the destination configurations necessary in the SAP HANA Cloud Platform account.
      In the meantime you can check the solution documentation here https://uacp2.hana.ondemand.com/viewer/#/f48e822d6d484fa5ade7dda78b64d9f5/Cloud/en-US/f2b2df8a273642a1bf801e99ecc4a043.html
      Regards,
      Donka

      (0) 
    1. Donka Dimitrova Post author

      Hello Sachin,

      We are currently working on the trial concept for the solution and we will post a note in this blog or in a new blog to inform the community for the options.

      Regards,
      Donka

      (1) 
  3. Milan Sadil

    A little bit off topic, but would you be able to recommend the most recent on-premise IDP alternative for Single Sign-on for SAP Fiori on mobile devices? We are currently implementing such a solution and need to prepare a system for IDP. From what I have learnt until today, I suppose it is needed to install SAP NetWeaver AS Java and the federation software component archive (IDMFEDERATION<release>.sca). What is not clear for me is the SAP NetWeaver version needed for the newest IDMFEDERATION<release>.sca from SAP Single Sign-on 3.0. In the Implementation Guide named Identity Provider for SAP Single Sign-On and SAP Identity Management it is possible to get info that the host SAP NetWeaver Application Server (AS) Java must be of the following releases – AS Java 7.3 SPS 13 or later, AS Java 7.31 SPS 15 or later, AS Java 7.4 SPS 10 or later. Isn’t there really support for AS Java 7.5 yet?

    (0) 
  4. Parag Jain

    Hello Donka,

    Great blog and a very useful service.

    In the section “Easy consumer and partner provisioning“, we have another use case. All partners will be created in the Cloud Identity store and will need to be provisioned with the right roles in an on-prem SAP Gateway and ERP. Is this also supported?

    Regards,

    Parag.

    (0) 
