Managing Identity Lifecycle in a hybrid landscape using SAP Cloud Platform services
We are beginning to see many business going through transformations and are rapidly adopting cloud solutions. In a multi-vendor hybrid landscape, managing the identity lifecycle for all the users is becoming more crucial. End users expect a seamless experience when navigating between systems and organizations also have to ensure that the right level of access is provided to each user.
SAP Cloud Platform offers several services related to Identity and Access Management (IAM).
- SAP Cloud Platform Identity Authentication service (IAS) supports authentication of users to Cloud solutions.
- SAP Cloud Platform Identity Provisioning service (IPS) supports the provisioning of users and roles in Cloud solutions
- SAP Cloud Identity and Access Governance offers access analysis and helps in performing segregation of Duties (SoD)
All these services are integrated and can be used together to help manage IAM requirements in SAP cloud solutions. Both Identity Authentication and Identity Provisioning service are the core IAM services of SAP Cloud Platform. Its important to note that these services can also support non-SAP solutions. This blog will focus on how to use these services to manage identity lifecycle in a hybrid landscape.
SAP has published a “CIO Guide: Identity Lifecycle in Hybrid Landscapes” on this topic and I would highly recommend to go through this guide to understand the role of each of these services and in particular how they can be used to manage identity lifecycle in a hybrid landscape.
In this blog, I wanted to share my experience with a customer example on how these services were used to help design an architecture. In the below architecture, you can see the usage of Cloud solutions like SuccessFactors, Concur, Analytics Cloud and SAP Cloud Platform Cloud Foundry. Azure Active Directory is the central store where employees are created, and they use Azure credentials to access all SAP solutions.
The authentication flow of the cloud solutions is represented by the green lines in the architecture diagram. IAS acts as a façade. In this architecture, it is used a proxy and delegates the authentication requests to Azure AD. In this setup, you configure each of the Cloud Solution as an application within IAS and do a one-off configuration between IAS and Azure AD (your Corporate Identity Provider). When an end user tries to access any of these solutions, they get challenged with the Azure AD credentials and get authenticated.
User & Role Provisioning
The On-premise SAP Identity Management (SAP IdM) is the leading system which will ensure that users and the corresponding business roles are replicated to all on-premise system and the cloud solutions. For cloud solutions, SAP IdM will leverage IPS to perform this task in the Cloud Solutions. This is represented by the blue lines in the architecture.
As an example, I am going to walk through some security settings in SAP Analytics Cloud. All the Cloud Solutions would have similar capabilities. Below is the Security screen in the Administration section of Analytics Cloud. SAML trust with IAS would need to be setup along with the attribute mapping. This part would take care of the user authentication flow.
Within SAC User Administration, you would need to maintain users and the necessary roles. You could either maintain them manually, import them, automatically create from your corporate IdP after the first login too. However, the approach I have depicted will use IPS to create user identities and assign the corresponding roles to these user identities.
Please note that they are few other ways to achieve this without using IPS. For example, in SAP Analytics Cloud, there is a concept of “Mapping Roles using SAML Attributes” and “Assigning Users to Teams using SAML Attributes”.
This approach is only possible if you have all your users assigned properly to security groups within Azure AD. In my scenario, I didn’t have proper security groups created which would reflect how the users would use SAP solutions and it was not going to be easy to get that fixed.
Similarly, for SAP Cloud Platform Cloud Foundry environment, you will need to use IPS to add user identities and assign the required role collections as shown below.
I hope you found this useful. If you have any questions, please raise a question in the Q&A Forums.