Murali Shanmugham

Managing Identity Lifecycle in a hybrid landscape using SAP Cloud Platform services

We are beginning to see many businesses going through transformations and rapidly adopting cloud solutions. In a multi-vendor hybrid landscape, managing the identity lifecycle for all users becomes more crucial. End users expect a seamless experience when navigating between systems, and organizations also have to ensure that the right level of access is provided to each user.

SAP Cloud Platform offers several services related to Identity and Access Management (IAM).

  • SAP Cloud Platform Identity Authentication service (IAS) supports authentication of users to cloud solutions.
  • SAP Cloud Platform Identity Provisioning service (IPS) supports the provisioning of users and roles in cloud solutions.
  • SAP Cloud Identity and Access Governance offers access analysis and helps in performing Segregation of Duties (SoD) checks.

All these services are integrated and can be used together to help manage IAM requirements in SAP cloud solutions. The Identity Authentication and Identity Provisioning services are the core IAM services of SAP Cloud Platform. It's important to note that these services can also support non-SAP solutions. This blog will focus on how to use these services to manage the identity lifecycle in a hybrid landscape.

SAP has published a “CIO Guide: Identity Lifecycle in Hybrid Landscapes” on this topic, and I would highly recommend going through this guide to understand the role of each of these services and, in particular, how they can be used to manage the identity lifecycle in a hybrid landscape.

In this blog, I wanted to share my experience with a customer example of how these services were used to help design an architecture. In the architecture diagram below, you can see the usage of cloud solutions like SuccessFactors, Concur, Analytics Cloud and SAP Cloud Platform Cloud Foundry. Azure Active Directory is the central store where employees are created, and they use their Azure credentials to access all SAP solutions.

Authentication Flow

The authentication flow of the cloud solutions is represented by the green lines in the architecture diagram. IAS acts as a façade: in this architecture it is used as a proxy and delegates the authentication requests to Azure AD. In this setup, you configure each cloud solution as an application within IAS and do a one-off configuration between IAS and Azure AD (your corporate identity provider). When an end user tries to access any of these solutions, they are challenged for their Azure AD credentials and get authenticated there.

User & Role Provisioning

The on-premise SAP Identity Management (SAP IdM) is the leading system, which ensures that users and the corresponding business roles are replicated to all on-premise systems and to the cloud solutions. For the cloud solutions, SAP IdM leverages IPS to perform this task. This is represented by the blue lines in the architecture.

As an example, I am going to walk through some security settings in SAP Analytics Cloud. All the cloud solutions would have similar capabilities. Below is the Security screen in the Administration section of Analytics Cloud. SAML trust with IAS would need to be set up along with the attribute mapping. This part takes care of the user authentication flow.

Within SAC User Administration, you would need to maintain users and the necessary roles. You could maintain them manually, import them, or have them created automatically from your corporate IdP after the first login. However, the approach I have depicted uses IPS to create the user identities and assign the corresponding roles to them.

Please note that there are a few other ways to achieve this without using IPS. For example, in SAP Analytics Cloud there is a concept of “Mapping Roles using SAML Attributes” and “Assigning Users to Teams using SAML Attributes”.


This approach is only possible if all your users are properly assigned to security groups within Azure AD. In my scenario, I didn't have proper security groups that reflected how the users would use the SAP solutions, and it was not going to be easy to get that fixed.
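To make the attribute-based alternative concrete, here is an added example (not code from the original post or from SAP) that maps the `groups` attribute of a SAML assertion to SAC roles and shows what happens to a user whose Azure AD groups are not maintained. The assertion, the group IDs and the role names are all constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed mapping of Azure AD group object IDs to SAC roles (hypothetical values).
GROUP_TO_ROLE = {
    "11111111-aaaa-4bbb-8ccc-000000000001": "BI Admin",
    "11111111-aaaa-4bbb-8ccc-000000000002": "BI Content Viewer",
}


def build_assertion(name_id, groups):
    """Build a minimal, unsigned test assertion carrying a 'groups' attribute.
    Constructed for this example only: a real assertion is signed by the IdP and
    the signature must be verified before any attribute in it is trusted."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    attr = f'<saml:Attribute Name="groups">{values}</saml:Attribute>' if groups else ""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attr}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def attribute_values(assertion_xml, name):
    """Return every value of the named SAML attribute, or [] if it is absent."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return values


def roles_for_assertion(assertion_xml):
    """Map the user's Azure AD groups to SAC roles. Unknown groups are ignored and
    a user with no mapped group receives no role at all (deny by default), which
    is the gap the post describes when Azure AD security groups do not reflect
    how people actually use the SAP solutions."""
    groups = attribute_values(assertion_xml, "groups")
    return sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})


if __name__ == "__main__":
    demo = build_assertion("jane.doe@example.com", ["11111111-aaaa-4bbb-8ccc-000000000002"])
    print(roles_for_assertion(demo))  # ['BI Content Viewer']
```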

Similarly, for SAP Cloud Platform Cloud Foundry environment, you will need to use IPS to add user identities and assign the required role collections as shown below.

I hope you found this useful. If you have any questions, please raise a question in the Q&A Forums.

      Binson Varikkasseril Abraham

      Hi Murali Shanmugham

      Do you know whether IPS now supports provisioning into CF to assign role collections? If this is supported, what's the type of "Target" system in IPS?

      Murali Shanmugham
      Blog Post Author

      Hi Binson,

      SAP HANA XS Advanced UAA Server would be the type of target system.

      Todor Petrov

      Hi Murali,

      In your diagram there is a line between IPS and Ariba.

      As far as I know there is no ready-to-run connector between IPS and Ariba. How did you connect those?
      Murali Shanmugham
      Blog Post Author

      Hi Todor,

      Thanks for pointing it out. That was an error on my side as I got mixed up with Concur and Ariba. I have corrected it now.

      Out of curiosity, I reached out to product experts to find out what options are available for Ariba, and I was told it's either a manual or a file-based API approach.

      Ravi Joseph

      Dear Murali,


      Thank you very much for this informative blog. Will it be possible to provide the sequence of the architecture?
      Chenyang Xiong

      Hi Murali,


      Thanks for sharing the knowledge. I have a few comments.

      1. Why is SAP Identity Authentication service required in the diagram, as Azure AD itself is an identity provider?
      2. Can you share more information on how SAP on premise IDM is integrated with Identity Provisioning Service?
      Plaban Sahoo

      Hi Chenyang,

      IDM 8 supports SAML2 connections. IPS needs to be configured as a SAML connector by getting the exported SAML config file from BTP/IAS.
      Per Hultgren

      The link to the document "CIO Guide: Identity Lifecycle in Hybrid Landscapes" is corrupt. Can you please update it with a working link?
      Murali Shanmugham

      Hi Per, The document is being reworked.

      Mateo Suite

      Murali Shanmugham, very good blog.

      Based on what you explained, I understand that for the authentication to applications running on SAP BTP something as follows could be implemented.

      - Create the users and roles in Identity Management and replicate those to Azure AD with the proper SAML groups.

      - Map SAP BTP role templates to Azure AD groups.

      - Configure IAS to proxy the authentication to Azure AD.

      With this, we wouldn't have the need to replicate users to SAP BTP or IAS, am I right?
      Murali Shanmugham

      Yes, that’s right.