Technical Articles
Hybrid Scenarios with Identity Provisioning Proxy
If your company has complex IT infrastructure and runs both cloud-based and on-premise applications, you might need a component to bring these two “worlds” together. You need a reliable identity and access management solution that can properly handle the relevant identities and their authorizations between all products.
If you use SAP Identity Management (IDM) as an on-premise system, you are at the right place.
The following step-by step hybrid scenario demonstrates how you can load users from a non-SAP cloud system (Microsoft Azure Active Directory) into an SAP on-premise one (SAP Identity Management). You can then manually create new users in IDM, assign them privileges and groups, and provision them back to Azure AD. This way, you can manage your Azure AD users by working only within your IDM system.
Sounds interesting? Let’s go then!
The provider of this proxy solution is called Identity Provisioning, which is a service belonging to SAP Cloud Identity Services.
Prerequisites
- You have SAP Identity Management 8.0 SP05 or higher.
- You have a standalone or bundle productive version of SAP Cloud Identity Services – Identity Provisioning, and have administration rights for your subaccount/tenant.
- You have access to the proxy systems in the Identity Provisioning admin console. If you don’t see the Proxy Systems tile, create an incident for component BC-IAM-IPS to request it.
- You have credentials for Microsoft Azure Portal, and your user has the directory role Global administrator.
Now, let’s dive into the hybrid scenario!
I. Register an OAuth client and subscribe for the IPS proxy application
Go to the SAP BTP cockpit: https://account.hana.ondemand.com/cockpit
If your region is not in Europe, configure your URL accordingly. See: Regions and Hosts
- Navigate to Security → OAuth.
- Choose Clients → Register New Client.
- From the Subscription combo box, select <provider_subaccount>/ipsproxy. For example: a3a5c3a5c/ipsproxy
- From the Authorization Grant combo box, select Client Credentials.
- In the Secret field, enter a password (client secret). Note: Remember this OAuth secret as you’ll need it later, for the repository configuration in SAP Identity Management!
- Copy/paste and save (in a notepad) the generated Client ID. You’ll need that later, too.
- From the left-side navigation, choose Applications → Subscriptions.
- Under the Java Applications section, choose ipsproxy.
- From the left-side navigation, choose Roles.
- You have to assign the newly created OAuth client to your IPS_PROXY_USER role. Choose Assign and enter oauth_client_<client_ID>, where <client_ID> is the one from step 6.
- Go back to your subaccount.
- Navigate to Services → Identity Provisioning.
- Choose Go to Service. That opens the Identity Provisioning user interface.
II. Configure the proxy system in the Identity Provisioning UI
- The Identity Provisioning admin console is open.
- Choose Proxy Systems, and then +Add.
- From the Type dropdown, select Microsoft Azure Active Directory.
- Enter a name for your Azure AD system. NOTE: If you want to export the system in CSV format and import it later in IDM as a SCIM repository, the system name must be no longer than 6 symbols, and should contain only capital letters and dashes (_). For our scenario, we’ll use this export/import functionality, thus we’ll name the system AZURE1.
- Open the Properties tab to configure the connection settings the following way:
Type |
Enter: HTTP |
URL |
Enter: https://graph.microsoft.com |
ProxyType |
Enter: Internet |
Authentication |
Enter: BasicAuthentication |
User |
Enter the application ID registered in your Azure AD subscription (see the Prerequisites section at the beginning of this blog post). |
Password |
Enter the secret key associated to your app registration. |
aad.domain.name |
Enter a verified domain name from the corresponding Azure AD tenant. On this domain, you will perform the provisioning operations. To learn more, see Microsoft: Manage domain names. |
OAuth2TokenServiceURL |
Enter: https://login.microsoftonline.com/{your_domain}/oauth2/token where {your_domain} is the one you have set in property aad.domain.name. |
oauth.resource.name |
Enter: https://graph.microsoft.com |
ips.trace.failed.entity.content |
Enter: false |
aad.group.member.attributes |
(Optional property) It defines the attributes of a group member to be read by the Identity Provisioning. By default, it always reads the type and the id of a member. If you prefer the Identity Provisioning to read additional attributes, you can add them as a single or a comma-separated value. For example:
aad.group.member.attributes=mail This will read a member’s type, ID and e-mail.
aad.group.member.attributes=mail,mobilePhone,displayName This will read a member’s type, ID, e-mail, phone and display name. |
- Save your changes.
- Configure the transformations, if needed.
- Now, export your newly created proxy system. Choose Export → CSV format.
III. Import the proxy system in IDM as a SCIM repository and load the Azure AD users
- Log on to your SAP Identity Management system.
- Open the System Configuration tab in the Administration UI and choose Import.
- Import the AZURE1.csv file as a SCIM repository.
- Manually add your AUTH_USER and AUTH_PASSWORD. (These are your Client ID and secret, from procedure I, steps 5 and 6.)
- Save your changes.
- Open the Jobs tab and choose Run Now to start an initial load.
Once you run the SCIM – Initial Load job, the SCIM connector loads the Azure AD users to IDM, according to the mapping between the two systems.
IV. Create a new user in IDM and provision it to Azure AD
- In the SAP Identity Management UI, select the Manage tab.
- The search filter Show: Person is selected by default. If you choose Go, the table will display all existing users, including the ones loaded from your Azure AD system.
If you want to view only the Azure AD users, change the filter to Show: Privilege, enter PRIV:AZURE1:ONLY and choose Go. This privilege is automatically assigned to all Azure AD users in IDM.
- To create a new Azure AD user in IDM, click Create.
- Choose Identity → Create Identity → Choose Task.
- In the Create Identity UI, enter the required data for the new Azure AD user.
- Click Save.
- Go back to the Manage tab and search for your new user.
- Select the user and click Choose Task.
- Select Identity → Assign Privileges, Roles and Groups → Choose Task.
- In the Assigned Roles and Privileges tab, search for PRIV:AZURE1:ONLY.
- Select it and choose Add.
- Specify the direct validity assignment and choose again Add.
- In the Assigned Groups tab, search for an existing Azure AD group.
- Select it and choose Add.
- Save you changes.
The new user is successfully created, and a new job automatically starts. It will provision this user to your Azure AD. You can check the job status in SAP IDM Developer Studio → Job Log.
V. Check your User in Azure AD
- Log on to Microsoft Azure Active Directory with your account.
- Go to Azure Active Directory → Users and Groups → All users.
- You should see the newly created user in the list.
- Select the user to check its details, as well as its group membership.
This way you can create, update or delete as many users as you need.
Future Identity Lifecycle
If you later make changes in Azure AD (e.g. add new users, update or delete existing ones), you need to run a new Initial Load job in IDM for these changes to be reflected in IDM.
Now, you try it out! : )
Hi Gergana,
It is very good, can we also assign any "security group" to azure AD user from IDM?
Hi Shunji,
I apologize for the belated answer!
Yes, you can assign security groups to Azure AD users. You just have to enable this functionality in the Identity Provisioning. To do this:
{
“constant”: true,
“targetPath”: “$.securityEnabled”,
“scope”: “createEntity”
},
FYI, the Identity Provisioning uses the following MS Graph API for group creation:
https://docs.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0
Best regards, Gergana
Hi Gergana,
Thanks for this blog. Very informative. In addition to connectivity with SAP IDM can SAP Cloud Platform Identity Provisioning be connected to other identity management solutions e.g. CA? We use CA idM and looking for options to automate access provisioning onto SAP IBP.
Alternatively, can the Cloud Platform Identity Provisioning be integrated with SAP GRC system to enable access provisioning? I have not seen much documentation or resources around this integration
Thanks
Sandeep Veerareddy
Hi Gergana,
Could you please suggest if IPS alone can provision to on-premise systems, i.e without using IDM
Regards
Plaban
Hi Plaban,
I'm sorry for the late reply!
Yes, IPS can provision from any of these Source Systems to the following Target Systems. The on-premise target systems are:
NOTE: Bear in mind that there is a difference in the number and type of provided IPS systems - depending on your IPS tenant type (Standalone or Bundle).
Best regards,
Gergana
Thanks a lot Gergana, this is very detailed blog. I'm trying to only read from MS Azure AD and provision in IDM which will in turn provision users in SAP On premise system. I'm stuck at place, where proxy system needs to be extracted as CSV. I'm getting only a JSON as output. Could you please advise ?
Hi Atul,
The IPS hybrid scenario involves 1 system plus IDM. This particular system (in your case - MS Azure AD) should be used as a proxy system, and I believe you have added and configured it as a source in the IPS admin console. Thus - the only export format you see is JSON.
So my advice is: Create a new MS Azure system in IPS - of type Proxy, add all the configuration properties again, and then extract it as a CSV file. Basically - just follow all the steps from sections I, II, and III.
After these steps are complete, to which SAP on-premise system you want to provision all the MS Azure users (that you have loaded in IDM)?
For your information, you can see all available SAP connectors supported by IDM under this section: Connecting SAP Systems > Setting up the Landscape
Let me know if I can help you further!
Best regards,
Gergana
Hi Gergana,
Yes, MS AZURE AD is my proxy and SAP IDM is Target which we have already connected to several on premise SAP ABAP systems.
MS AZURE AD is added as proxy, but I have performed step 1. Register an OAuth client and subscribe for the IPS proxy application after step 2. Configure the proxy system in the Identity Provisioning UI. I thought that may have caused the issue, hence I have dropped Proxy system and added MS AZURE AD as Proxy again, but no luck.
One Change I noticed between your instructions and what I see is, in my case - "Step1.3 From the Subscription combo box, select <provider_subaccount>/proxy. For example: a3a5c3a5c/proxy."
But this is what I see - "sapiam/ipsproxy" , and not the subaccount name.
Hi Atul,
You were right! It turns out that the CSV option has been temporarily removed from the Export function. But it will be returned with the new IPS release. This should happen by the end of this week or sometime next week, the latest. I hope this delay is not critical for you and your scenarios!
Regarding the OAuth client - the Subscription step was outdated, so I corrected it. Yes, it should be <provider_subaccount>/ipsproxy. In your case - sapiam/ipsproxy.
Thanks Gergana, that clarifies the issue.
I had raised OSS and reached out to Max Attention, as this is little urgent for us. I hope to rollback the functionality is already made aware to the product team. Thanks again for taking time out to respond.
Does this document illustrate MS Azure as a target or as a source? What steps to follow if I need to integrate MS Azure as a source system?
Hi Suhani,
This blog post illustrates MS Azure as a proxy system.
If you want to use it as a source, see: Microsoft Azure Active Directory (Source System)
Best regards,
Gergana
Hi Gergana,
Can I create user/change user/assign Group from custom script using API in Cloud Identity Services? If yes, how ? I am not sure how to create Oauth 2 Client in IAS so I can test it with POSTMAN Client.
Hi Manoj,
Can you add more details on the scenario you want to execute?
On the Oauth client question - if your IPS is running on Neo environment, you create the OAuth client in SAP BTP cockpit. If your IPS is running on SAP Cloud Identity Infrastructure, you create a technical user (of type System) in IAS and configure authentication with certificate or client secret, see How Proxy Systems Work
Best regards,
Ivelina
Ivelina,
I was able to do some progress on creating user by utilizing https://api.sap.com/api/IdDS_SCIM to IAS but still I do not see any option to assign group to user using same API. Any idea on how can i assign group to user in IAS using API ?
Hi Manoj,
You cannot assign a group to a user using API. You can assign a user to a group. Please, see API Reference | Identity Directory Service | SAP Business Accelerator Hub.
Best regards,
Ivelina