
Using Identity Authentication and Provisioning service to provision users in SAP ABAP system – Part 2

This blog is a continuation of the first part, “Using Identity Authentication and Provisioning service to provision users in SAP ABAP system – Part 1”. In this section, we will focus on the configuration required for the Identity Authentication service and on testing the E2E flow.

Configuring Identity Authentication Service

 

We also need to configure the IAS service, as it needs to send a trigger to the IPS service whenever a user is created or updated in IAS.

Add a new target system as “Identity Provisioning” in the User Provisioning menu of IAS.

There are two sections which need to be maintained.

  1. The SCIM URL

https://ipstrialsaphcpips-XXXXtrial.hanatrial.ondemand.com/ips/api/v1/systems/<GUID ID>/entities/user

You can find the SCIM URL by navigating to the Subscriptions menu and selecting the Identity Provisioning service.

Select the first URL (which does not have .int. within the URL). Copy this URL and add /api/v1/systems/<GUID ID>/entities/user to form the required SCIM URL.

It should be in the following format:

https://ipstrialsaphcpips-XXXXtrial.hanatrial.ondemand.com/ips/api/v1/systems/<GUID ID>/entities/user

Now you must be wondering where to get this GUID ID in the SCIM URL. Navigate to the IAS Source system in IPS and copy it from the URL. Wish there was a better way of getting this GUID ID.

  2. Authentication Configuration

For the authentication details, navigate to the oAuth menu and create a new oAuth client. Ensure that the subscription selected is “saphcpips/ipstrial”. Select “Client Credentials” as the Authorization grant and provide a secret. You will need to provide the client ID and secret in the Authentication Configuration section.

For the oAuth URL, navigate to the Branding tab and use the Token Endpoint.
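
The following is an added example, not code from the original post or from SAP: a small Python helper that assembles the SCIM URL as described above and prepares (without sending) a client-credentials token request, rejecting values that contain whitespace, use plain http, or come from the .int. subscription URL. The function names, the 8-4-4-4-12 GUID pattern, the use of HTTP Basic authentication at the token endpoint, and all sample values are assumptions.

```python
import base64
import re
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Assumption: the system ID shown in the IPS admin URL is an 8-4-4-4-12 hex GUID.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
SCIM_SUFFIX = "/api/v1/systems/{guid}/entities/user"


def require_https(url, what):
    """Reject values that would expose the secret in transit or break on paste."""
    parts = urlsplit(url)
    if re.search(r"\s", url) or parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{what} must be an https URL without whitespace: {url!r}")


def build_scim_url(subscription_url, source_system_page_url):
    """Append the SCIM path and the source system GUID to the subscription URL."""
    base = subscription_url.strip().rstrip("/")
    require_https(base, "subscription URL")
    if ".int." in base:
        raise ValueError("use the subscription URL that does not contain .int.")
    guids = set(GUID_RE.findall(source_system_page_url))
    if len(guids) != 1:
        raise ValueError(f"expected one GUID in the page URL, found {len(guids)}")
    return base + SCIM_SUFFIX.format(guid=guids.pop())


def token_request(token_endpoint, client_id, client_secret):
    """Build (not send) an OAuth client-credentials request (RFC 6749, 4.4).

    Assumption: the token endpoint accepts the client ID and secret via Basic auth.
    """
    require_https(token_endpoint, "token endpoint")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return Request(
        token_endpoint,
        data=urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": "Basic " + basic},
        method="POST",
    )


if __name__ == "__main__":
    # Constructed sample values: the page path and the GUID are placeholders.
    sub = "https://ipstrialsaphcpips-XXXXtrial.hanatrial.ondemand.com/ips"
    print(build_scim_url(sub, sub + "/#/x/00000000-0000-4000-8000-000000000000"))
```

Passing the returned request to urllib.request.urlopen confirms the client ID and secret against the token endpoint before they are entered in IAS.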

Test the E2E Flow

 

Now it's time to test the flow. You can set up a registration form and create a user. However, for demonstration, I am going to select a particular user and trigger this user's creation in the SAP system (as I don’t want all the IAS users to go into my SAP system). The only thing to note when using a self-registration form is that you need to come up with a way of populating the “Logon User” attribute in the target system transformation (maybe last name followed by the first letter of the first name), as you need to provide this for the SAP system to create a user in SU01.

For demonstration, I have created a user called Jack Sparrow with Logon name “SPARROWJ”.

I can select the user and click on “Provision Users” to manually trigger the user creation.

You should get a message that “1 users provisioned”. It should be singular 🙂

I can now navigate to my SAP ABAP system to verify that the user SPARROWJ has been created in real-time.

All the attributes selected in the transformation will be populated in the SAP system.

 
