Gergana Tsakova

Hybrid Scenarios with Identity Provisioning Proxy

If your company has complex IT infrastructure and runs both cloud-based and on-premise applications, you might need a component to bring these two “worlds” together. You need a reliable identity and access management solution that can properly handle the relevant identities and their authorizations between all products.

If you use SAP Identity Management (IDM) as an on-premise system, you are at the right place.

The following step-by-step hybrid scenario demonstrates how you can load users from a non-SAP cloud system (Microsoft Azure Active Directory) into an SAP on-premise one (SAP Identity Management). You can then manually create new users in IDM, assign them privileges and groups, and provision them back to Azure AD. This way, you can manage your Azure AD users by working only within your IDM system.

Sounds interesting? Let’s go then!

The provider of this proxy solution is Identity Provisioning, a service belonging to SAP Cloud Identity Services.

 

Prerequisites

  • You have SAP Identity Management 8.0 SP05 or higher.
  • You have a standalone or bundle productive version of SAP Cloud Identity Services – Identity Provisioning, and have administration rights for your subaccount/tenant.
  • You have access to the proxy systems in the Identity Provisioning admin console. If you don’t see the Proxy Systems tile, create an incident for component BC-IAM-IPS to request it.
  • You have credentials for Microsoft Azure Portal, and your user has the directory role Global administrator.

Now, let’s dive into the hybrid scenario!

 

I. Register an OAuth client and subscribe for the IPS proxy application 

Go to the SAP BTP cockpit: https://account.hana.ondemand.com/cockpit

If your region is not in Europe, configure your URL accordingly. See: Regions and Hosts

  1. Navigate to Security → OAuth.
  2. Choose Clients → Register New Client.
  3. From the Subscription combo box, select <provider_subaccount>/ipsproxy. For example: a3a5c3a5c/ipsproxy
  4. From the Authorization Grant combo box, select Client Credentials.
  5. In the Secret field, enter a password (client secret). Note: Store this OAuth secret as you would any other credential (in a password manager or secrets store rather than a plain-text note). You’ll need it later, for the repository configuration in SAP Identity Management.
  6. Copy the generated Client ID and store it together with the secret. You’ll need it later, too.
  7. From the left-side navigation, choose Applications → Subscriptions.
  8. Under the Java Applications section, choose ipsproxy.
  9. From the left-side navigation, choose Roles.
  10. Assign the newly created OAuth client to the IPS_PROXY_USER role: choose Assign and enter oauth_client_<client_ID>, where <client_ID> is the one from step 6.
  11. Go back to your subaccount.
  12. Navigate to Services → Identity Provisioning.
  13. Choose Go to Service. This opens the Identity Provisioning user interface.

 

II. Configure the proxy system in the Identity Provisioning UI

  1. In the Identity Provisioning admin console, choose Proxy Systems, and then +Add.
  2. From the Type dropdown, select Microsoft Azure Active Directory.
  3. Enter a name for your Azure AD system. NOTE: If you want to export the system in CSV format and import it later in IDM as a SCIM repository, the system name must be no longer than 6 characters and may contain only capital letters and underscores (_). Our scenario uses this export/import functionality, so we name the system AZURE1.
  4. Open the Properties tab and configure the connection settings as follows:

     Type: HTTP
     URL: https://graph.microsoft.com
     ProxyType: Internet
     Authentication: BasicAuthentication
     User: the application (client) ID of the app registration in your Azure AD tenant that Identity Provisioning will use
     Password: the client secret associated with that app registration
     aad.domain.name: a verified domain name of the Azure AD tenant. The provisioning operations are performed on this domain. To learn more, see Microsoft: Manage domain names.
     OAuth2TokenServiceURL: https://login.microsoftonline.com/{your_domain}/oauth2/token, where {your_domain} is the value you set in aad.domain.name.
     oauth.resource.name: https://graph.microsoft.com
     ips.trace.failed.entity.content: false. Keep it false outside of active troubleshooting: when true, the content of entities that failed to provision (that is, user attributes) is written to the job log.
     aad.group.member.attributes: optional. Defines the attributes of a group member that Identity Provisioning reads. By default, it always reads the type and the id of a member. To read additional attributes, add them as a single value or as a comma-separated list. For example:

       • To read the e-mail too, enter:
         aad.group.member.attributes=mail
         This reads a member’s type, ID and e-mail.

       • To read multiple additional attributes, enter:
         aad.group.member.attributes=mail,mobilePhone,displayName
         This reads a member’s type, ID, e-mail, mobile phone and display name.

  5. Save your changes.
  6. Configure the transformations, if needed.
  7. Export your newly created proxy system: choose Export and select the CSV format.
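The properties above are what the connector uses at run time: a client-credentials token request to OAuth2TokenServiceURL naming oauth.resource.name as the resource, then Microsoft Graph reads in which group members are fetched with their type, id and whatever aad.group.member.attributes adds. The following Python script is an added example for this post, not SAP's connector code, that performs the same calls so you can confirm the app registration's credentials, its Graph permissions and your $select list before saving the proxy system. The transport hook, the helper names and the environment variable names are assumptions made for this example.

```python
# Added example (not from the post or SAP's connector): exercise the Azure AD
# proxy-system properties the way the connector uses them. The 'transport'
# hook, helper names and environment variable names are assumptions.
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"                                  # URL / oauth.resource.name
TOKEN_URL = "https://login.microsoftonline.com/{domain}/oauth2/token"  # OAuth2TokenServiceURL
ALWAYS_READ = ("id",)  # a member's type arrives as @odata.type, which cannot be $select-ed


def _decode(raw):
    """Decode a JSON body; keep non-JSON error pages readable instead of crashing."""
    text = raw.decode("utf-8", "replace")
    try:
        return json.loads(text) if text else {}
    except ValueError:
        return {"raw": text}


def urllib_transport(method, url, headers=None, body=None):
    """Real HTTP transport: returns (status, decoded body). 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, _decode(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, _decode(err.read())


def get_token(domain, client_id, client_secret, transport=urllib_transport):
    """Client-credentials grant on the v1 endpoint: 'resource' (not 'scope') names the API."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,          # User property
        "client_secret": client_secret,  # Password property
        "resource": GRAPH,               # oauth.resource.name
    }).encode("ascii")
    status, payload = transport("POST", TOKEN_URL.format(domain=domain),
                                {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200 or "access_token" not in payload:
        raise RuntimeError(f"token request failed ({status}): {payload.get('error_description', payload)}")
    return payload["access_token"]


def member_select(extra_attrs=""):
    """$select list as aad.group.member.attributes is documented: id always, plus the extras."""
    extras = [a.strip() for a in extra_attrs.split(",") if a.strip()]
    return ",".join(dict.fromkeys(list(ALWAYS_READ) + extras))


def graph_get(token, path, transport=urllib_transport):
    """GET a Graph collection and follow @odata.nextLink paging."""
    items, url = [], f"{GRAPH}/v1.0{path}"
    while url:
        status, payload = transport("GET", url, {"Authorization": f"Bearer {token}"})
        if status != 200:
            raise RuntimeError(f"{url} -> {status}: {payload.get('error', payload)}")
        items.extend(payload.get("value", []))
        url = payload.get("@odata.nextLink")
    return items


def group_members(token, group_id, extra_attrs="", transport=urllib_transport):
    """Members of one group, shaped like the connector reads them: type, id and the extras."""
    path = f"/groups/{group_id}/members?$select={member_select(extra_attrs)}"
    members = []
    for m in graph_get(token, path, transport):
        member = {"type": m.get("@odata.type", "").rsplit(".", 1)[-1]}  # '#microsoft.graph.user' -> 'user'
        member.update({k: v for k, v in m.items() if not k.startswith("@")})
        members.append(member)
    return members


if __name__ == "__main__":
    # Live check; credentials come from the environment, never from the source file.
    env = os.environ
    tok = get_token(env["AAD_DOMAIN"], env["AAD_CLIENT_ID"], env["AAD_CLIENT_SECRET"])
    users = graph_get(tok, "/users?$select=id,userPrincipalName&$top=5")
    print(f"token OK, {len(users)} user(s) readable:", [u.get("userPrincipalName") for u in users])
    if env.get("AAD_GROUP_ID"):
        for m in group_members(tok, env["AAD_GROUP_ID"], env.get("AAD_MEMBER_ATTRS", "mail")):
            print(m)
    sys.exit(0)
```

Run it with AAD_DOMAIN, AAD_CLIENT_ID and AAD_CLIENT_SECRET (optionally AAD_GROUP_ID and AAD_MEMBER_ATTRS) set in the environment. A 401 from the token endpoint means the User/Password pair is wrong; a 403 from /users or /members means the app registration lacks the Graph application permissions (or admin consent), which the proxy system would otherwise only surface later as a failed job.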

 

III. Import the proxy system in IDM as a SCIM repository and load the Azure AD users

  1. Log on to your SAP Identity Management system.
  2. Open the System Configuration tab in the Administration UI and choose Import.
  3. Import the AZURE1.csv file as a SCIM repository.
  4. Manually add your AUTH_USER and AUTH_PASSWORD. (These are your Client ID and secret, from procedure I, steps 5 and 6.)
  5. Save your changes.
  6. Open the Jobs tab and choose Run Now to start an initial load.

Once you run the SCIM – Initial Load job, the SCIM connector loads the Azure AD users into IDM according to the mapping between the two systems.

 

IV. Create a new user in IDM and provision it to Azure AD

  1. In the SAP Identity Management UI, select the Manage tab.
  2. The search filter Show: Person is selected by default. If you choose Go, the table displays all existing users, including the ones loaded from your Azure AD system.

If you want to view only the Azure AD users, change the filter to Show: Privilege, enter PRIV:AZURE1:ONLY and choose Go. This privilege is automatically assigned to all Azure AD users in IDM.

  3. To create a new Azure AD user in IDM, click Create.
    • Choose Identity → Create Identity → Choose Task.
    • In the Create Identity UI, enter the required data for the new Azure AD user.
    • Click Save.
  4. Go back to the Manage tab and search for your new user.
  5. Select the user and click Choose Task.
  6. Select Identity → Assign Privileges, Roles and Groups → Choose Task.
  7. In the Assigned Roles and Privileges tab, search for PRIV:AZURE1:ONLY.
  8. Select it and choose Add.
  9. Specify the validity of the direct assignment and choose Add again.
  10. In the Assigned Groups tab, search for an existing Azure AD group.
  11. Select it and choose Add.
  12. Save your changes.

The new user is successfully created, and a new job automatically starts. It will provision this user to your Azure AD. You can check the job status in SAP IDM Developer Studio → Job Log.

 

V. Check your User in Azure AD

  1. Log on to the Azure portal with your account.
  2. Go to Azure Active Directory → Users and Groups → All users.
  3. You should see the newly created user in the list.
  4. Select the user to check its details, as well as its group membership.

This way you can create, update or delete as many users as you need.

 

Future Identity Lifecycle

If you later make changes in Azure AD (for example, add new users or update or delete existing ones), run the SCIM – Initial Load job in IDM again for these changes to be reflected in IDM.

 

Now, you try it out! : )

 

16 Comments
      Shunji Yamada

      Hi Gergana,

       

      It is very good, can we also assign any "security group" to azure AD user from IDM?

      Gergana Tsakova
      Blog Post Author

      Hi Shunji,

      I apologize for the belated answer!

      Yes, you can assign security groups to Azure AD users. You just have to enable this functionality in the Identity Provisioning. To do this:

      1. Open the Identity Provisioning UI.
      2. Select your Azure AD proxy system -> Write Transformation.
      3. In the “group” section, modify the following attribute mapping (just change false to true):

                   {
                       "constant": true,
                       "targetPath": "$.securityEnabled",
                       "scope": "createEntity"
                   },

      FYI, the Identity Provisioning uses the following MS Graph API for group creation:

      https://docs.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0 

       

      Best regards,  Gergana
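To see what that one-line change does to the body the proxy sends to POST /groups, here is an added example (not SAP's transformation engine): a minimal interpreter for mappings of the shape quoted in the reply, with constant or sourcePath, targetPath and scope, applied to a constructed IDM group. Only the securityEnabled mapping comes from the reply; the other mappings, the sample group and the helper names are assumptions. It also encodes the rule the linked Graph API enforces, that a group can be created as a security group (mailEnabled false, securityEnabled true) or as a Microsoft 365 group (mailEnabled true, securityEnabled false, groupTypes ["Unified"]) but not as a mail-enabled security group, so whether flipping securityEnabled alone is enough depends on what your own transformation sets for mailEnabled and groupTypes.

```python
# Added example (not SAP's transformation engine): apply write-transformation
# mappings of the shape shown in the reply and check the resulting Graph body.
import copy

# Assumed "group" section. Only the securityEnabled mapping is from the reply;
# mailEnabled, groupTypes and the rest are assumptions made to complete the example.
GROUP_MAPPINGS = [
    {"sourcePath": "$.displayName", "targetPath": "$.displayName"},
    {"sourcePath": "$.displayName", "targetPath": "$.mailNickname"},
    {"sourcePath": "$.externalId", "targetPath": "$.description", "optional": True},
    {"constant": True, "targetPath": "$.mailEnabled", "scope": "createEntity"},
    {"constant": ["Unified"], "targetPath": "$.groupTypes", "scope": "createEntity"},
    {"constant": False, "targetPath": "$.securityEnabled", "scope": "createEntity"},
]

# Constructed IDM group, as the proxy would receive it over SCIM (assumption).
SAMPLE_IDM_GROUP = {"displayName": "IDM-Finance", "externalId": "PRIV:AZURE1:FIN"}


def _path_parts(path):
    """'$.a.b' -> ['a', 'b'] (only the simple dotted paths used above)."""
    return path.lstrip("$").strip(".").split(".")


def _read(obj, path):
    """Resolve a path against a dict; None when any segment is missing."""
    cur = obj
    for part in _path_parts(path):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _write(obj, path, value):
    parts = _path_parts(path)
    cur = obj
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def apply_mappings(entity, mappings, operation="createEntity"):
    """Build the target body. A mapping applies when it has no scope or its scope is the operation."""
    body = {}
    for m in mappings:
        if m.get("scope", operation) != operation:
            continue
        if "constant" in m:
            value = m["constant"]
        else:
            value = _read(entity, m["sourcePath"])
            if value is None:
                if m.get("optional"):
                    continue
                raise ValueError(f"required source attribute missing: {m['sourcePath']}")
        _write(body, m["targetPath"], value)
    return body


def set_constant(mappings, target_path, value):
    """Copy of the mappings with one constant changed (the edit the reply describes)."""
    new = copy.deepcopy(mappings)
    for m in new:
        if m.get("targetPath") == target_path and "constant" in m:
            m["constant"] = value
    return new


def graph_group_kind(body):
    """Classify a POST /groups body by the combinations Graph accepts:
    'security'     -> mailEnabled false, securityEnabled true
    'microsoft365' -> mailEnabled true, securityEnabled false, groupTypes ['Unified']
    anything else (mail-enabled security or distribution groups) is 'rejected' by the API."""
    mail, sec = body.get("mailEnabled"), body.get("securityEnabled")
    if mail is False and sec is True:
        return "security"
    if mail is True and sec is False and body.get("groupTypes") == ["Unified"]:
        return "microsoft365"
    return "rejected"


def security_group_mappings(mappings):
    """Flip securityEnabled as in the reply and, because a group cannot be both mail- and
    security-enabled, turn off the mail side of the assumed defaults as well."""
    new = set_constant(mappings, "$.securityEnabled", True)
    new = set_constant(new, "$.mailEnabled", False)
    return [m for m in new if m.get("targetPath") != "$.groupTypes"]


if __name__ == "__main__":
    for label, maps in (("default", GROUP_MAPPINGS),
                        ("securityEnabled only", set_constant(GROUP_MAPPINGS, "$.securityEnabled", True)),
                        ("security group", security_group_mappings(GROUP_MAPPINGS))):
        body = apply_mappings(SAMPLE_IDM_GROUP, maps)
        print(f"{label:22} -> {graph_group_kind(body):12} {body}")
```

Run graph_group_kind over the body produced by the whole group section of your write transformation before provisioning: a body that it reports as rejected fails at Azure AD at run time, not when you save the transformation in the Identity Provisioning UI.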

      Sandeep Veerareddy

      Hi Gergana,

      Thanks for this blog. Very informative. In addition to connectivity with SAP IDM can SAP Cloud Platform Identity Provisioning be connected to other identity management solutions e.g. CA? We use CA idM and looking for options to automate access provisioning onto SAP IBP.

      Alternatively, can the Cloud Platform Identity Provisioning be integrated with SAP GRC system to enable access provisioning? I have not seen much documentation or resources around this integration

       

      Thanks

      Sandeep Veerareddy

      Plaban Sahoo

      Hi Gergana,

      Could you please suggest if IPS alone can provision to on-premise systems, i.e without using IDM

      Regards

      Plaban

       

      Gergana Tsakova
      Blog Post Author

      Hi Plaban,

      I'm sorry for the late reply!

      Yes, IPS can provision from any of these Source Systems to the following Target Systems. The on-premise target systems are:

      NOTE: Bear in mind that there is a difference in the number and type of provided IPS systems, depending on your IPS tenant type (Standalone or Bundle).

      Best regards,

      Gergana

      Atul Pavade

      Thanks a lot Gergana,  this is very detailed blog. I'm trying to only read from MS Azure AD and provision in IDM which will in turn provision users in SAP On premise system. I'm stuck at place, where proxy system needs to be extracted as CSV. I'm getting only a JSON as output. Could you please advise ?

      Gergana Tsakova
      Blog Post Author

      Hi Atul,

      The IPS hybrid scenario involves 1 system plus IDM. This particular system (in your case - MS Azure AD)  should be used as a proxy system, and I believe you have added and configured it as a source in the IPS admin console. Thus - the only export format you see is JSON.

      So my advice is: Create a new MS Azure system in IPS - of type Proxy,  add all the configuration properties again, and then extract it as a CSV file. Basically  - just follow all the steps from sections I, II, and III.

      After these steps are complete, to which SAP on-premise system you want to provision all the MS Azure users (that you have loaded in IDM)?

      For your information, you can see all available SAP connectors supported by IDM under this section: Connecting SAP Systems, Setting up the Landscape

      Let me know if I can help you further!

      Best regards,

      Gergana

      Atul Pavade

      Hi Gergana,

       

      Yes, MS AZURE AD is my proxy and SAP IDM is Target which we have already connected to several on premise SAP ABAP systems.
      MS AZURE AD is added as proxy, but I have performed step 1. Register an OAuth client and subscribe for the IPS proxy application after step 2. Configure the proxy system in the Identity Provisioning UI. I thought that may have caused the issue, hence I have dropped Proxy system and added MS AZURE AD as Proxy again, but no luck.

       

      One Change I noticed between your instructions and what I see is,  in my case -  "Step1.3 From the Subscription combo box, select <provider_subaccount>/proxy. For example:  a3a5c3a5c/proxy."

      But this is what I see - "sapiam/ipsproxy" , and not the subaccount name.

      Gergana Tsakova
      Blog Post Author

      Hi Atul,

      You were right! It turns out that the CSV option has been temporarily removed from the Export function. But it will be returned with the new IPS release. This should happen by the end of this week or sometime next week, the latest. I hope this delay is not critical for you and your scenarios!

      Regarding the OAuth client - the Subscription step was outdated, so I corrected it. Yes, it should be <provider_subaccount>/ipsproxy. In your case -  sapiam/ipsproxy.

      Atul Pavade

      Thanks Gergana, that clarifies the issue.

      I had raised an OSS incident and reached out to Max Attention, as this is a little urgent for us. I hope the product team is already aware of the rollback of this functionality. Thanks again for taking the time to respond.

      Suhani Chamankar Deloitte IDAM

      Does this document illustrate MS Azure as a target or as a source? What steps to follow if I need to integrate MS Azure as a source system?

      Gergana Tsakova
      Blog Post Author

      Hi Suhani,

      This blog post illustrates MS Azure as a proxy system.

      If you want to use it as a source, see: Microsoft Azure Active Directory (Source System)

      Best regards,

      Gergana

      Manoj Amin

      Hi Gergana,

      Can I create user/change user/assign Group from custom script using API  in Cloud Identity Services? If yes, how ? I am not sure how to create Oauth 2 Client in IAS so I can test it with POSTMAN Client.

      Ivelina Kiryakova

      Hi Manoj,

      Can you add more details on the scenario you want to execute?

      On the Oauth client question - if your IPS is running on Neo environment, you create the OAuth client in SAP BTP cockpit. If your IPS is running on SAP Cloud Identity Infrastructure, you create a technical user (of type System) in IAS and configure authentication with certificate or client secret, see How Proxy Systems Work

      Best regards,

      Ivelina

      Manoj Amin

      Ivelina,

      I was able to make some progress on creating users by utilizing https://api.sap.com/api/IdDS_SCIM against IAS, but I still do not see any option to assign a group to a user using the same API. Any idea how I can assign a group to a user in IAS using the API?

      Ivelina Kiryakova

      Hi Manoj,

      You cannot assign a group to a user using API. You can assign a user to a group. Please, see API Reference | Identity Directory Service | SAP Business Accelerator Hub.

       

      Best regards,

      Ivelina