Skip to Content
Technical Articles

Setup of User Provisioning from SAP Marketing Cloud to SAP Identity Authentication Service

This blog post will explain how to use the SAP Identity Provisioning Service (IPS) to automatically provision users from SAP Marketing Cloud (SMC) Standard, Professional and Enterprise Edition to SAP Identity Authentication Service (IAS).

Setup in SAP Marketing Cloud

The following steps show the setup in an SMC 1908 system with screenshots. You find the official documentation here.

  1. Logon to your SMC system with a user that has access to the communication management business catalog. Open the tile “Communication Arrangements”.
  2. Create a new communication arrangement. In the popup select Scenario SAP_COM_0193 for SAP Cloud Platform Identity Provisioning Integration and define an own arrangement name:
  3. Create a new Communication system. On the popup that occurs you can freely define a system ID, e.g. IPS_SYSTEM, and a system name.
  4. Enter the host name of your IPS services as host name. Afterwards press the + button on the Users for Inbound Communication section:
  5. On the upcoming popup choose New User. Enter IPS_USER as User Name and choose a description as well as a password. You can let the system propose a password. In this case keep the password for later configuration. Save the new user and accept the popup from before. Your new user is now shown in the Users for Inbound Communication section.

Setup SMC in IPS

The following steps show the setup in an IPS system 2019 with screenshots. You find the official documentation here. If you are missing the IPS, create a support ticket to component BC-IAM-IPS (Identity Provisioning). Explain that you have purchased an SAP Marketing Cloud Standard, Professional or Enterprise Edition and you require Identity Provisioning tenants.

  1. Logon to your IPS system. Open the tile “Source Systems”.
  2. Create a new source system. Save the following coding as json file and upload the file under Define from File. In the coding you will have to exchange <<SMC Host Name>> with your SAP Marketing Cloud Host Name. If you have named the communication user not IPS_USER in your SMC system, you also must exchange the user name.
    {
      "connectorType": "MARKETING_CLOUD",
      "accessMode": "READ",
      "name": "SAP Marketing Cloud",
      "state": "ENABLED",
      "properties": {
        "Type": "HTTP",
        "User": "IPS_USER",
        "Authentication": "BasicAuthentication",
        "ips.date.variable.format": "yyyy-MM-dd",
        "marketing.cloud.skip.read.archived": "true",
        "ProxyType": "Internet",
        "ips.trace.failed.entity.content": "false",
        "URL": "https://<<SMC Host Name>>-api.s4hana.ondemand.com"
      },
      "encryptedProperties": {
        "Password": null
      }
    }
    

    After the upload the Properties Tab shows a red mark:

    Switch to the properties tab and enter the password for the user IPS_USER which you have defined in the SMC system.

  3. Save your system.

Setup in SAP Identity Authentication Service

  1. Follow the steps in the SAP IAS documentation regarding adding a system as administrator. Choose Set Password as authentication method and keep the password you maintain for later configuration. When you save your system, you see the internal system user name next to the Set Password Authentication. Keep this user name also for later configuration:
  2. If you want to inform your users automatically via email that their user was activated in IAS system and that they can now logon to the application to setup a password, you need to set your SMC system as trusted domain as explained here. You can skip this, if you enabled your IAS system to use another logon mechanism like Kerberos Authentication.

Setup IAS in IPS

The following steps show the setup in an IPS system 2019 with screenshots. You find the official documentation here.

  1. Logon to your IPS system. Open the tile “Target Systems”.
  2. Create a new target system. Save the following coding as json file and upload the file under Define from File. In the coding you will have to exchange <<IAS Host Name>> with your SAP Identity Authentication Service Host Name.
    {
      "connectorType": "SAP_CLOUD_IDENTITY",
      "accessMode": "WRITE",
      "relatedSystems": [
        "SAP Marketing Cloud"
      ],
      "name": "SAP Identity Authentication Service",
      "state": "ENABLED",
      "properties": {
        "Type": "HTTP",
        "User": null,
        "Authentication": "BasicAuthentication",
        "ProxyType": "Internet",
        "ips.trace.failed.entity.content": "true",
        "URL": "<<IAS Host Name>>"
      },
      "encryptedProperties": {
        "Password": null
      }
    }
    

    After the upload the Properties Tab shows a red mark:

    Switch to the properties tab and enter the system user name for the IPS from your IAS system and the password which you have defined in the IAS system for IPS.

    Save your system.

  3. If you want your users to logon with password and be redirected from the password activation page to your SMC system instead of the IAS profile page, you must add the following code to your transformation:
    ,     
    {
      "constant": "https://<<SMC Host Name>>.s4hana.ondemand.com",
      "targetPath": "$.targetUrl",
      "scope": "createEntity"
    }
    

    After the following coding:

    {
       "sourcePath": "$.timezone",
       "optional": true,
       "targetPath": "$.timeZone"
    }
    

    Moreover, you need to change the constant for target path sendEmail from false to true in this coding part:

    {
       "constant": "true",
       "targetPath": "$.sendMail",
       "scope": "createEntity"
    }
    

Setup Job for User Provisioning

To start the user provisioning from SAP Marketing Cloud to SAP Identity Authentication Service you now need to setup a job for your source system as described here.

 

When you have setup the job, you can start creating business users in SMC. The users will be provisioned to IAS when your job is executed, and new business users will get an email notification about their activated user.

2 Comments
You must be Logged on to comment or reply to a post.
  • Hi Eileen,

    Thanks for the Blog, it was very usefull and informative . Can you pls help us with information on scenario where c4c,IDP and Marketing cloud are involved. User created in Marketing cloud will be replicated to IDP, can user created in IDP will be replicated to C4C also via provising service (IPS). Secondly, if we have license for IDP, will IPS comes with it or is IPS a new license.Pls suggest.

     

    Regards,

    Seshu

    • Hi Seshu,

      IPS for provisioning user from Marketing Cloud to IDP is included in Marketing Standard, Professional and Enterprise Edition. For all other scenarios you need an own IPS standalone license. IPS and IDP are separate products. With an IPS standalone license you can provision users to C4C. Documentation can be found here.

      Best regards,

      Eileen