
Hybrid Scenarios with Identity Provisioning Proxy

If your company has complex IT infrastructure and runs both cloud-based and on-premise applications, you might need a component to bring these two “worlds” together. You need a reliable identity and access management solution that can properly handle the relevant identities and their authorizations between all products.

If you use SAP Identity Management (IDM) as an on-premise system, you are at the right place.

The following step-by step hybrid scenario demonstrates how you can load users from a non-SAP cloud system (Microsoft Azure Active Directory) into an SAP on-premise one (SAP Identity Management). You can then manually create new users in IDM, assign them privileges and groups, and provision them back to Azure AD. This way, you can manage your Azure AD users by working only within your IDM system.

Sounds interesting? Let’s go then!

The provider of this proxy solution is called Identity Provisioning, which is an SAP Cloud Platform service.


Prerequisites

  • You have SAP Identity Management 8.0 SP05 or higher.
  • You have a productive standalone SAP Cloud Platform Identity Provisioning and have administration rights for your subaccount.
  • You have access to the proxy systems in the Identity Provisioning UI. If you don’t see the Proxy Systems tile, create an incident for component BC-IAM-IPS to request it.
  • You have credentials for Microsoft Azure Portal, and your user has the directory role Global administrator.

Now, let’s dive into the hybrid scenario!


I. Register an OAuth client and subscribe for the IPS proxy application 

Go to the SAP Cloud Platform cockpit: https://account.hana.ondemand.com/cockpit

If your region is not in Europe, configure your URL accordingly. See: Regions and Hosts

  1. Navigate to Security → OAuth.
  2. Choose Clients → Register New Client.
  3. From the Subscription combo box, select <provider_subaccount>/proxy. For example:  a3a5c3a5c/proxy
  4. From the Authorization Grant combo box, select Client Credentials.
  5. In the Secret field, enter a password (client secret). Note: Remember this OAuth secret as you’ll need it later, for the repository configuration in SAP Identity Management!
  6. Copy/paste and save (in a notepad) the generated Client ID. You’ll need that later, too.

  1. From the left-side navigation, choose Applications → Subscriptions.
  2. Under the Java Applications section, choose ipsproxy.

  1. From the left-side navigation, choose Roles.
  2. You have to assign the newly created OAuth client to your IPS_PROXY_USER role. Choose Assign and enter oauth_client_<client_ID>, where <client_ID> is the one from step 6.

  1. Go back to your subaccount.
  2. Navigate to Services → Identity Provisioning.
  3. Choose Go to Service. That opens the Identity Provisioning UI.


II. Configure the proxy system in the Identity Provisioning UI

  1. The Identity Provisioning UI is open.
  2. Choose Proxy Systems, and then +Add.
  3. From the Type dropdown, select Microsoft Azure Active Directory.

  1. Enter a name for your Azure AD system. NOTE: If you want to export the system in CSV format and import it later in IDM as a SCIM repository, the system name must be no longer than 6 characters and must contain only capital letters and underscores (_). For our scenario, we’ll use this export/import functionality, thus we’ll name the system AZURE1.
  2. Open the Properties tab and configure the connection settings the following way:

     Type: HTTP
     URL: https://graph.microsoft.com
     ProxyType: Internet
     Authentication: BasicAuthentication
     User: the application ID registered in your Azure AD subscription (see the Prerequisites section at the beginning of this blog post).
     Password: the secret key associated with your app registration.
     aad.domain.name: a verified domain name from the corresponding Azure AD tenant. On this domain, you will perform the provisioning operations. To learn more, see Microsoft: Manage domain names.
     OAuth2TokenServiceURL: https://login.microsoftonline.com/{your_domain}/oauth2/token, where {your_domain} is the one you have set in property aad.domain.name.
     oauth.resource.name: https://graph.microsoft.com
     ips.trace.failed.entity.content: false
     aad.group.member.attributes: (optional property) Defines the attributes of a group member to be read by the Identity Provisioning. By default, it always reads the type and the id of a member. If you prefer the Identity Provisioning to read additional attributes, you can add them as a single or a comma-separated value. For example:

       • If you want to read the e-mails too, enter aad.group.member.attributes=mail. This will read a member’s type, ID and e-mail.
       • If you want to read multiple additional attributes, enter aad.group.member.attributes=mail,mobilePhone,displayName. This will read a member’s type, ID, e-mail, phone and display name.

  1. Save your changes.
  2. Configure the transformations, if needed.
  3. Now, export your newly created proxy system. Choose Export → CSV format.


III. Import the proxy system in IDM as a SCIM repository and load the Azure AD users

  1. Log on to your SAP Identity Management system.
  2. Open the System Configuration tab in the Administration UI and choose Import.
  3. Import the AZURE1.csv file as a SCIM repository.
  4. Manually add your AUTH_USER and AUTH_PASSWORD. (These are your Client ID and secret, from procedure I, steps 5 and 6.)
  5. Save your changes.
  6. Open the Jobs tab and choose Run Now to start an initial load.

Once you run the “SCIM – Initial Load” job, the SCIM connector loads the Azure AD users to IDM, according to the mapping between the two systems.


IV. Create a new user in IDM and provision it to Azure AD

  1. In the SAP Identity Management UI, select the Manage tab.
  2. The search filter Show: Person is selected by default. If you choose Go, the table will display all existing users, including the ones loaded from your Azure AD system.

If you want to view only the Azure AD users, change the filter to Show: Privilege, enter PRIV:AZURE1:ONLY and choose Go. This privilege is automatically assigned to all Azure AD users in IDM.

  1. To create a new Azure AD user in IDM, click Create.
    • Choose Identity → Create Identity → Choose Task.
    • In the Create Identity UI, enter the required data for the new Azure AD user.
    • Click Save.

  1. Go back to the Manage tab and search for your new user.
  2. Select the user and click Choose Task.
  3. Select Identity → Assign Privileges, Roles and Groups → Choose Task.

  1. In the Assigned Roles and Privileges tab, search for PRIV:AZURE1:ONLY.
  2. Select it and choose Add.
  3. Specify the validity of the direct assignment and choose Add again.
  4. In the Assigned Groups tab, search for an existing Azure AD group.
  5. Select it and choose Add.
  6. Save your changes.

If the new user is successfully created, a new job will automatically start. It will provision this user to your Azure AD. You can check the job status in SAP IDM Developer Studio → Job Log.


V. Check your User in Azure AD

  1. Log on to Microsoft Azure Active Directory with your account.
  2. Go to Azure Active Directory → Users and Groups → All users.
  3. You should see the newly created user in the list.
  4. Select the user to check its details, as well as its group membership.

This way you can create, update or delete as many users as you want.


Future Identity Lifecycle

If you later make changes in Azure AD (e.g. add new users, update or delete existing ones), you need to run a new Initial Load job in IDM for these changes to be reflected in IDM.


Now you try it out! :)


3 Comments
    • Hi Shunji,

      I apologize for the belated answer!

      Yes, you can assign security groups to Azure AD users. You just have to enable this functionality in the Identity Provisioning. To do this:

      1. Open the Identity Provisioning UI.
      2. Select your Azure AD proxy system -> Write Transformation.
      3. In the “group” section, modify the following attribute mapping (just change false to true):

                    {
                        "constant": true,
                        "targetPath": "$.securityEnabled",
                        "scope": "createEntity"
                    },

      FYI, the Identity Provisioning uses the following MS Graph API for group creation:

      https://docs.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0 


      Best regards,
      Gergana
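As an added example (not part of the comment above and not SAP's transformation), a Python helper that applies the change Gergana describes to a write transformation document: it locates the $.securityEnabled mapping in the "group" section and sets its constant to true, failing loudly if the mapping is absent so the change is never silently skipped. The transformation fragment is constructed for the example and is not the default shipped with the Azure AD proxy system.

```python
import copy
import json

# Constructed fragment of an Azure AD proxy write transformation, shaped like the
# snippet in the comment above; it is not SAP's default transformation.
SAMPLE_WRITE_TRANSFORMATION = json.loads("""
{
  "user": {"mappings": [{"sourcePath": "$.userName", "targetPath": "$.userPrincipalName"}]},
  "group": {"mappings": [
    {"sourcePath": "$.displayName", "targetPath": "$.displayName"},
    {"constant": false, "targetPath": "$.securityEnabled", "scope": "createEntity"}
  ]}
}
""")

def enable_security_groups(transformation):
    """Return a copy of the transformation with the group section's $.securityEnabled
    constant set to true, so groups provisioned from IDM are created as security groups.
    Raises ValueError if the mapping is absent instead of leaving the groups unchanged."""
    result = copy.deepcopy(transformation)
    group_mappings = result.get("group", {}).get("mappings", [])
    hits = [m for m in group_mappings if m.get("targetPath") == "$.securityEnabled"]
    if not hits:
        raise ValueError("group section has no $.securityEnabled mapping")
    for mapping in hits:
        mapping["constant"] = True
    return result

def security_enabled_constant(transformation):
    """Read back the constant the group section sends for $.securityEnabled (None if absent)."""
    for mapping in transformation.get("group", {}).get("mappings", []):
        if mapping.get("targetPath") == "$.securityEnabled":
            return mapping.get("constant")
    return None
```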

  • Hi Gergana,

    Thanks for this blog. Very informative. In addition to connectivity with SAP IDM, can SAP Cloud Platform Identity Provisioning be connected to other identity management solutions, e.g. CA? We use CA IdM and are looking for options to automate access provisioning onto SAP IBP.

    Alternatively, can the Cloud Platform Identity Provisioning be integrated with an SAP GRC system to enable access provisioning? I have not seen much documentation or resources around this integration.


    Thanks

    Sandeep Veerareddy