
Using Identity Authentication and Provisioning service to provision users in SAP ABAP system – Part 1

Managing user identities, especially in self-registration scenarios, can be a daunting task when you have both cloud and on-premise solutions. SAP Cloud Platform Identity Provisioning service helps here. I was discussing this topic with my colleague Stefan Moller when I discovered that SAP Cloud Platform Identity Authentication service can trigger a job in Identity Provisioning service in real time whenever a user is created or updated in Identity Authentication service.

For those who are new to this topic, Identity Authentication service (IAS) is an Identity Provider based on SAML 2.0 and can be used to store users or to connect with existing corporate Identity Providers. Identity Provisioning service (IPS) is a service on SAP Cloud Platform that helps manage and provision user identities and their roles in cloud solutions. I had earlier posted a blog “Provision users & roles using HCP Identity Provisioning service” on how to use the IPS service to provision users and roles to an on-premise SAP ABAP system.

The scenario I am working on involves users who self-register and create their identities in IAS. The registered users need to be made available immediately in the respective on-premise SAP ABAP system. I cannot schedule a job for this, as users who self-register obtain access immediately and start using apps on SAP Cloud Platform. Since these apps are connected to the backend SAP system, we need to ensure that a user record exists for these self-registered users.

IAS comes with built-in capabilities to set up registration forms which can be accessed by anyone. It's easy to turn on and set up the entire user registration flow. You can read more about it in SAP Help.

I have also posted a blog on how to gain more flexibility by building your own HTML5 form to act as a registration form, which routes the requests to workflow approvals before the user identity gets created in IAS – “Implementing a user self-registration scenario using Workflow and Business rules in SAP Cloud Platform”.


In this scenario, I have users who will self-register and gain access to apps on SAP Cloud Platform, which in turn connect to the respective backend SAP system. Hence, it's important that the user records exist in the backend SAP system by the time the self-registered users access the apps in a Portal site.

For demonstration, I am using an SAP Cloud Platform trial account, which comes with IPS. I already have an IAS tenant which I will use for the demonstration here. Below are the steps required to achieve this.

Configuring Identity Provisioning service


Launch the IPS service in your trial account.

Create a source system of type “SAP Cloud Platform Identity Authentication”.

In the transformation, I have just left the default settings. You can tweak them according to your requirements. I am pasting the whole JSON transformation for your reference.

{
    "user": {
        "mappings": [
            {
                "sourcePath": "$.id",
                "targetVariable": "entityIdSourceSystem"
            },
            {
                "sourcePath": "$.schemas",
                "preserveArrayWithSingleElement": true,
                "targetPath": "$.schemas"
            },
            {
                "sourcePath": "$.userName",
                "optional": true,
                "targetPath": "$.userName"
            },
            {
                "sourcePath": "$.name.givenName",
                "optional": true,
                "targetPath": "$.name.givenName"
            },
            {
                "sourcePath": "$.name.middleName",
                "optional": true,
                "targetPath": "$.name.middleName"
            },
            {
                "sourcePath": "$.name.familyName",
                "optional": true,
                "targetPath": "$.name.familyName"
            },
            {
                "sourcePath": "$.name.honorificPrefix",
                "optional": true,
                "targetPath": "$.name.honorificPrefix"
            },
            {
                "sourcePath": "$.emails[*].value",
                "preserveArrayWithSingleElement": true,
                "targetPath": "$.emails[?(@.value)]"
            },
            {
                "sourcePath": "$.active",
                "targetPath": "$.active"
            },
            {
                "sourcePath": "$.userType",
                "optional": true,
                "targetPath": "$.userType"
            },
            {
                "sourcePath": "$.addresses",
                "preserveArrayWithSingleElement": true,
                "optional": true,
                "targetPath": "$.addresses"
            },
            {
                "sourcePath": "$.locale",
                "optional": true,
                "targetPath": "$.locale"
            },
            {
                "sourcePath": "$.phoneNumbers",
                "preserveArrayWithSingleElement": true,
                "optional": true,
                "targetPath": "$.phoneNumbers"
            },
            {
                "sourcePath": "$.timeZone",
                "optional": true,
                "targetPath": "$.timezone"
            },
            {
                "sourcePath": "$.displayName",
                "optional": true,
                "targetPath": "$.displayName"
            },
            {
                "ignore": true,
                "sourcePath": "$.sourceSystemId",
                "targetPath": "$.sourceSystemId"
            },
            {
                "sourcePath": "$.groups",
                "preserveArrayWithSingleElement": true,
                "optional": true,
                "targetPath": "$.groups"
            },
            {
                "targetPath": "$.groups[*].display",
                "type": "remove"
            },
            {
                "condition": "$.displayName EMPTY true",
                "targetPath": "$.displayName",
                "type": "remove"
            },
            {
                "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']",
                "optional": true,
                "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']"
            },
            {
                "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']",
                "optional": true,
                "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']"
            },
            {
                "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']",
                "optional": true,
                "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']"
            },
            {
                "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']",
                "optional": true,
                "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']"
            },
            {
                "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']",
                "optional": true,
                "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']"
            },
            {
                "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
                "optional": true,
                "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']"
            },
            {
                "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']",
                "optional": true,
                "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']"
            },
            {
                "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']",
                "optional": true,
                "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']"
            },
            {
                "sourcePath": "$.company",
                "optional": true,
                "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']"
            }
        ]
    },
    "group": {
        "ignore": true,
        "mappings": [
            {
                "sourcePath": "$.id",
                "targetVariable": "entityIdSourceSystem"
            },
            {
                "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
                "targetPath": "$.schemas[0]"
            },
            {
                "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
                "targetPath": "$.displayName"
            },
            {
                "sourcePath": "$.members",
                "preserveArrayWithSingleElement": true,
                "optional": true,
                "targetPath": "$.members"
            },
            {
                "constant": "urn:sap:cloud:scim:schemas:extension:custom:2.0:Group",
                "targetPath": "$.schemas[1]"
            },
            {
                "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
                "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']"
            },
            {
                "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']",
                "optional": true,
                "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']"
            }
        ]
    }
}

In the Properties tab, provide the connection details to IAS. In my example below, the IAS tenant name is ias01. Notice that I have provided a SYSTEM user as T000032. You can create a system user in IAS under the Administrators menu.

Create a target system of type SAP Application Server ABAP. You will need to provide a destination name. I have provided S4H as an example.

I have used the sample transformation provided in SAP Help. You can copy and paste it into the transformation. Note that the sample transformation generates a random password for the user in the SAP ABAP system. If you would like to set a default password instead, add a mapping like the one below:

{
    "targetPath": "$.PASSWORD.BAPIPWD",
    "scope": "createEntity",
    "constant": "Pass1234"
}
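To make the mapping keys used in the source transformation above and in the password mapping concrete, here is an added example (my own code, not the blog's and not SAP's IPS engine): a simplified interpreter that applies a subset of the page's IAS source transformation to a constructed SCIM user, honours scope so the password mapping runs only on createEntity, and includes a small audit helper that lists mappings which hard-code the ABAP initial password as a constant. The exact behaviour of preserveArrayWithSingleElement, of conditions (evaluated here against the source entity) and of the $.emails[?(@.value)] target form is my reading of those keys, not SAP's documented semantics; the helper names and the sample user are invented for the demonstration.

```python
"""Added example, not the blog's or SAP's code: a simplified interpreter for the IPS
transformation keys used on this page, run over a constructed SCIM user shaped like
what IAS delivers, plus an audit helper that flags a constant-password mapping."""
import copy
import re

# Constructed sample user (values invented), as IAS would hand it to IPS.
SAMPLE_USER = {
    "id": "P000123",
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jane.doe@example.com"}],
    "displayName": "",  # empty on purpose: exercises the conditional remove
    "sourceSystemId": "ias01",
    "groups": [{"value": "G1", "display": "Portal Users"}],
}
# Subset of the page's source transformation (same keys, fewer rows).
SOURCE_MAPPINGS = [
    {"sourcePath": "$.id", "targetVariable": "entityIdSourceSystem"},
    {"sourcePath": "$.schemas", "preserveArrayWithSingleElement": True, "targetPath": "$.schemas"},
    {"sourcePath": "$.name.givenName", "optional": True, "targetPath": "$.name.givenName"},
    {"sourcePath": "$.emails[*].value", "preserveArrayWithSingleElement": True, "targetPath": "$.emails[?(@.value)]"},
    {"sourcePath": "$.timeZone", "optional": True, "targetPath": "$.timezone"},
    {"sourcePath": "$.displayName", "optional": True, "targetPath": "$.displayName"},
    {"ignore": True, "sourcePath": "$.sourceSystemId", "targetPath": "$.sourceSystemId"},
    {"sourcePath": "$.groups", "preserveArrayWithSingleElement": True, "targetPath": "$.groups"},
    {"targetPath": "$.groups[*].display", "type": "remove"},
    {"condition": "$.displayName EMPTY true", "targetPath": "$.displayName", "type": "remove"},
]
# The "default password" mapping from the page, as a target-side mapping.
PASSWORD_MAPPING = {"targetPath": "$.PASSWORD.BAPIPWD", "scope": "createEntity", "constant": "Pass1234"}

def _tokens(path):  # '$.a.b' -> ['a','b']; "$['u:x']['y']" -> ['u:x','y']; '$.a[*].b' -> ['a','*','b']
    parts = re.findall(r"\['([^']*)'\]|\.([A-Za-z_]\w*)|\[(\*)\]", path[1:])
    return ["*" if star else (br or name) for br, name, star in parts]

def _get(node, toks):  # every value under the path; '*' fans out over a list; [] if absent
    if not toks:
        return [node]
    head, rest = toks[0], toks[1:]
    if head == "*":
        return [v for item in (node if isinstance(node, list) else []) for v in _get(item, rest)]
    return _get(node[head], rest) if isinstance(node, dict) and head in node else []

def _set(doc, path, value):
    m = re.fullmatch(r"\$\.(\w+)\[\?\(@\.(\w+)\)\]", path)
    if m:  # '$.emails[?(@.value)]': wrap each scalar as {"value": ...} (my reading of that form)
        key, field = m.groups()
        doc[key] = [{field: v} for v in (value if isinstance(value, list) else [value])]
        return
    toks, node = _tokens(path), doc
    for t in toks[:-1]:
        node = node.setdefault(t, {})
    node[toks[-1]] = value

def _remove(node, toks):
    head, rest = toks[0], toks[1:]
    if head == "*":
        for item in (node if isinstance(node, list) else []):
            _remove(item, rest)
    elif isinstance(node, dict) and head in node:
        _remove(node[head], rest) if rest else node.pop(head)

def _condition(entity, cond):  # only 'PATH EMPTY true|false' (the form on the page), checked on the source
    path, op, expected = cond.split(" ", 2)
    hits = _get(entity, _tokens(path))
    return op == "EMPTY" and (not hits or hits[0] in (None, "", [])) == (expected == "true")

def transform(entity, mappings, scope="createEntity"):
    """Apply mappings to one entity; returns (target document, variables)."""
    target, variables = {}, {}
    for m in mappings:
        if m.get("ignore") or (m.get("scope") and m["scope"] != scope):
            continue  # 'scope' restricts a mapping to create or to update operations
        if m.get("type") == "remove":
            if "condition" not in m or _condition(entity, m["condition"]):
                _remove(target, _tokens(m["targetPath"]))
            continue
        if "constant" in m:
            value = m["constant"]
        else:
            toks = _tokens(m["sourcePath"])
            hits = _get(entity, toks)
            if not hits:
                if m.get("optional"):
                    continue
                raise ValueError(f"required source path missing: {m['sourcePath']}")
            value = hits if "*" in toks else hits[0]
            # a one-element array collapses to a scalar unless preserveArrayWithSingleElement is set
            if isinstance(value, list) and len(value) == 1 and not m.get("preserveArrayWithSingleElement"):
                value = value[0]
        if "targetVariable" in m:
            variables[m["targetVariable"]] = value
        else:
            _set(target, m["targetPath"], copy.deepcopy(value))
    return target, variables

def find_constant_passwords(mappings):  # audit: mappings hard-coding the ABAP initial password
    return [m for m in mappings if "constant" in m and m.get("targetPath") == "$.PASSWORD.BAPIPWD"]
```

Running transform(SAMPLE_USER, SOURCE_MAPPINGS) shows the effect of each key: the id lands in the entityIdSourceSystem variable rather than in the document, the single email is kept as an array and re-wrapped as {"value": ...}, the group's display attribute is stripped, the empty displayName is removed by the condition, the ignored sourceSystemId and the absent optional timeZone never appear, and the source user is left untouched. Running transform with [PASSWORD_MAPPING] under scope "updateEntity" yields an empty document, which is why the page's mapping uses "scope": "createEntity". find_constant_passwords is the check to run over a target transformation before it goes live: SAP's sample already generates a random password per user, so any hit is a place where that default was replaced by a shared constant.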

In the properties tab, I have just maintained the property ips.trace.failed.entity.content as false.

Maintaining Cloud Platform Destinations and Cloud Connector configuration


A destination of type RFC has been maintained in the SAP Cloud Platform cockpit. The properties need to be maintained as per the documentation in SAP Help.

I have also maintained the RFC connections to the respective backend SAP ABAP system in the Cloud Connector and added access to the required set of function modules. All of these are documented in SAP Help.


Jump to Part 2 to continue with the configuration of IAS service and testing the E2E flow.
