Identity and authentication management can be a little confusing for customers who are getting started with, or are currently deploying, SAP S/4HANA Cloud. Although several good resources already exist on this topic (blogs, how-to guides, accelerators, etc.), I thought I would write a blog post that quickly summarizes user management in SAP S/4HANA Cloud and the role of the SAP Cloud Platform, and then lays out some options for user authentication and provisioning. Links to the existing documentation and blogs are provided at the end of this post for further reading.
NOTE: The information in this blog is subject to change based on application functionality. I’ll try to keep this blog updated accordingly.
It is important to cover some basic terminology before discussing identity, access and authorizations, because these concepts sometimes get mixed up in conversation. There are several pieces to the "security equation" when it comes to users. For example, a user principal must exist in a system before it can be authenticated there, but creating that user is handled by a different process (provisioning), and what the user may do once signed in is handled by yet another (authorization).
Identity Provisioning & Authorization
Identity provisioning covers the process(es) by which the user principal is created in the appropriate systems, such as S/4HANA Cloud and SAP Cloud Platform. It is usually closely tied to authorization, which determines what the user can do in the system (i.e. roles/permissions).
For cloud-based identity provisioning, SAP offers SAP Cloud Platform Identity Provisioning. For on-premise applications, you may already be familiar with SAP Identity Management. The two products can be used together in hybrid landscapes; however, they are not the focus of this blog.
Authentication
Authentication is the process of verifying who the user is based on some credential (username and password, SAML assertion, X.509 certificate, etc.); it is how the user gains access to a system. Ideally, users authenticate once to a central location (for example, a SAML Identity Provider) with a username and password or some other token and are then signed in via single sign-on (SSO) to the other applications (in SAML terms, the "Service Providers") without presenting their credentials to each one.
SAP Cloud Platform and SAP S/4HANA Cloud
End users do not authenticate to the S/4HANA Cloud system directly. Instead, they authenticate to the SAP Cloud Platform Identity Authentication service. The Identity Authentication service has several key features, including serving as a SAML Identity Provider (IdP), integrating with on-premise user stores, acting as a proxy pass-through for on-premise IdPs, and many more. Links to the documentation for the Identity Authentication SaaS offering are at the end of this post.
What does all this mean for S/4HANA Cloud systems? In short, S/4HANA Cloud is a SAML Service Provider and uses SAP Cloud Platform Identity Authentication as its IdP. Users authenticate to the Identity Authentication service, which issues a SAML assertion, and that assertion signs them into the S/4HANA Cloud system via SSO. They never enter a username and password interactively in SAP S/4HANA Cloud itself.
Using the SAP Cloud Platform Identity Authentication service as the IdP provides a scalable approach for integrating multiple cloud applications. For example, a customer could also provide SSO to a SuccessFactors system and SAP S/4HANA Cloud as shown in Figure 1.
Figure 1: Default Authentication Architecture
As you may have already guessed, this means that a user principal needs to exist both in the SAP Cloud Platform user store and in the SAP S/4HANA Cloud system (more on this later).
S/4HANA Cloud Identity Provisioning
The place to start for an understanding of how users are provisioned and assigned roles in SAP S/4HANA Cloud and SAP Cloud Platform is the "User Onboarding Guide for SAP S/4HANA Cloud" (PDF). The document can be found in the Accelerator section of several deliverables in the SAP Activate Roadmap Viewer, and it is also linked from the main help page under "Additional Information": https://uacp2.hana.ondemand.com/viewer/product/SAP_S4HANA_CLOUD/
To grant a user access to the system, you need to perform three steps:
- Create the business user in the S/4HANA Cloud system
- Assign the user to business roles in the S/4HANA Cloud system
- Create the user in the SAP Cloud Identity system (the Identity Authentication service), with a login name that matches the S/4HANA Cloud user name
Of course, SAP provides tools to import users into both the S/4HANA Cloud system and the SAP Cloud Platform, so the users do not have to be created one at a time.
This process works well for the starter system, but you may want to leverage existing pieces of your infrastructure for the quality and/or production systems. For example, you may want to replicate employees from SuccessFactors Employee Central to S/4HANA Cloud instead of creating them manually, or use an existing corporate LDAP directory as the user store for SAP Cloud Identity instead of creating users there. These (and many more) are all options; some are already covered in existing blogs and others will be covered in future blogs.
As shown in Figure 2, the User Name in the S/4HANA Cloud system must match the Login Name in SAP Cloud Identity exactly; otherwise the user that Identity Authentication has signed in cannot be mapped to a business user. Furthermore, if the same users will access the Starter, Quality (Q) and/or Production (P) systems, then their S/4HANA user names must be identical in each of those systems. The user name can be changed manually after the upload in any of the systems if required, so a mismatch is easy to correct, but it is worth checking for before users are expected to sign in.
Figure 2: Users in SCI and S4HC
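Because the names have to agree exactly, it is worth reconciling the user exports before you hand the systems over to users. The following script is an added example (my own illustration, not code from SAP or from the onboarding guide): it reads constructed sample CSV exports from the Starter, Q and P systems and from Identity Authentication and reports S/4HANA users with no matching login name, names that differ only in case, IAS logins with no business user behind them, and users whose name is spelled differently across the three S/4HANA systems. The column names "User Name" and "Login Name" are assumptions taken from the labels in Figure 2; adjust them to match your actual exports.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports, not data from a real tenant. The column names are
# assumptions: the S/4HANA Cloud business-user export is assumed to carry a
# "User Name" column and the Identity Authentication (SAP Cloud Identity) user
# export a "Login Name" column; adjust them to whatever your exports contain.
S4HC_EXPORTS = {
    "Starter": "User Name,Business Partner\nJSMITH,1000001\nmbauer,1000002\nAKHAN,1000003\n",
    "Q":       "User Name,Business Partner\nJSMITH,2000001\nMBAUER,2000002\nAKHAN,2000003\nTLEE,2000004\n",
    "P":       "User Name,Business Partner\nJSMITH,3000001\nMBAUER,3000002\n",
}
IAS_EXPORT = (
    "Login Name,Email\n"
    "JSMITH,jsmith@example.com\n"
    "MBAUER,mbauer@example.com\n"
    "PJONES,pjones@example.com\n"
)


def load_column(csv_text, column):
    """Return the non-empty values of one column of a CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row[column].strip() for row in reader if row.get(column, "").strip()]


def reconcile(s4hc_exports, ias_export):
    """Compare S/4HANA Cloud user names (per system) against IAS login names.

    The comparison is exact (case-sensitive). A name that differs from an IAS
    login only in case is reported separately, because that is the most common
    mistake after a manual rename.
    """
    ias_logins = set(load_column(ias_export, "Login Name"))
    ias_by_fold = {login.casefold(): login for login in ias_logins}
    s4hc_users = {sysid: set(load_column(text, "User Name"))
                  for sysid, text in s4hc_exports.items()}
    all_s4hc = set().union(*s4hc_users.values())

    no_ias_login, case_only = [], []
    for name in sorted(all_s4hc - ias_logins):
        if name.casefold() in ias_by_fold:
            case_only.append((name, ias_by_fold[name.casefold()]))
        else:
            no_ias_login.append(name)

    # Same person spelled differently in Starter/Q/P: group by case-folded
    # name and flag any group that has more than one distinct spelling.
    spellings = defaultdict(dict)
    for sysid, names in s4hc_users.items():
        for name in names:
            spellings[name.casefold()][sysid] = name
    inconsistent = {key: per_sys for key, per_sys in spellings.items()
                    if len(set(per_sys.values())) > 1}

    return {
        "no_ias_login": no_ias_login,           # business user exists, but nobody can SSO into it
        "case_only_mismatch": case_only,        # (S4HC name, IAS login) pairs differing only in case
        "no_s4hc_user": sorted(ias_logins - all_s4hc),  # can authenticate, but no business user to land on
        "inconsistent_across_systems": inconsistent,    # {casefolded name: {system: spelling}}
    }


def is_consistent(report):
    """True when every finding list/dict in the report is empty."""
    return not any(report.values())


if __name__ == "__main__":
    result = reconcile(S4HC_EXPORTS, IAS_EXPORT)
    for finding, detail in result.items():
        print(f"{finding}: {detail}")
    print("consistent" if is_consistent(result) else "fix the mismatches before users sign in")
```

On the sample data the script flags AKHAN and TLEE (present in S/4HANA but absent from IAS), mbauer in the Starter system (differs from the IAS login MBAUER only in case, and from its own spelling in Q and P), and PJONES (an IAS login with no business user in any system). Run it against real exports the same way: replace the embedded strings with the file contents, keeping the column names in sync with your export format.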
The following links expand on the content covered in this blog:
SAP S/4HANA Cloud and Azure AD
- Microsoft tutorial (Azure AD integration with SuccessFactors): https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-successfactors-tutorial
- SAP Note: https://apps.support.sap.com/sap/support/knowledge/public/en/2348735
- SAP Cloud Platform Identity Authentication Service Integration with Azure AD https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/626b17331b4d4014b8790d3aea70b240.html
- Azure and CP tutorial: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-sap-hana-cloud-platform-identity-authentication-tutorial
SAP S/4HANA Cloud User Management
- Tutorials: https://cp.hana.ondemand.com/dps/d/preview/ec9f0755c754ef14e10000000a4450e5/1702%20500/en-US/5da6fc57ade5ed0ee10000000a4450e5/content.htm
SAP Cloud Identity Authentication Service
- SAP Cloud Identity Authentication Service: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=448474827
- User Management: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/228428f9f476449cafd841a68d75b234.html
- Delivered roles in SAP S/4HANA Cloud: https://roadmapviewer-supportportal.dispatcher.hana.ondemand.com/#/group//roadmap/IMPS4HANACLDENMGMT/phase/001999B7BD851ED68D97F853D2C742CE/node/001999B7BD851ED68D97F853D2DEE2CE
- Maintaining Business Users & Roles: https://cp.hana.ondemand.com/dps/d/preview/ec9f0755c754ef14e10000000a4450e5/1702%20500/en-US/5da6fc57ade5ed0ee10000000a4450e5/content.htm
SAP Cloud Platform Identity Service Onboarding Guide: https://www.sap.com/documents/2016/06/9a11bcb9-757c-0010-82c7-eda71af511fa.html