Skip to Content
Product Information
Author's profile photo Saumitra Deshmukh

Understanding the Initial Login and Identity Setup for S/4HANA Cloud (Public)

Hello Everyone,

Recently we have seen a lot of queries and posts regarding the Initial Logins and the Identity Setup for S/4HANA Cloud Essential Edition where Consultants/Partners and Customers are eager to know more about the Identity and initial login for the S/4HANA Cloud Essential systems. I will try to illustrate and simplify the concept in the most basic way and also provide a one-stop-shop for all the available resources like accelerators, blog posts and videos combined related to this topic.

Following you will see two approaches to understand this process:

1) Micro-Learning Video – For viewers wanting a quick glance or revise on the concept of Initial Login & Identity Setup for S/4HANA Cloud Essentials (9 mins watch)

2) Detailed Blog – For viewers wanting to go through the concept in detail and correlate the associated steps in detail for each item explained (15 mins read)

Micro-learning Video –

Detailed Blog-

Now to start with, it is of utmost importance to understand about the types of systems you will receive and its purpose as a part of your S/4HANA Cloud Implementation journey.

1) Starter System – This system is the first system in sequence you will receive after you decide to start with S/4HANA Cloud Essentials journey. This system is pre-configured with SAP Best Practices and Demo Data for evaluation purpose. The same system and it’s configurations is used extensively for the Fit-to-Standard workshops. The validity of the Starter System is only 30 days after you receive the Production System

2) Quality System – This system is the Quality Assurance System and will be requested from the the Starter system. The main objective of this system is to perform configurations and different types of testing which are required for business processes intended to operate one’s business. This system is utilized to preform configuration sprints and to transport required design to be moved into the upcoming Production System. The validity of this system remains as long as customer owns the Solution subscription along with Production system

3) Production System – This is the Customer’s productive environment where the intended business operations are performed. This system is requested from the Quality system over designated phases as per Activate Roadmap and contains configurations confirmed from the Quality Systems. The validity of this system remains as long as customer owns the Solution subscription.

The SAP Cloud Platform Identity Authentication Service

With an understanding of the types of systems and it’s usage, now we proceed to understand how the initial login works into these systems and how the identity is setup. Please make a note that for S/4HANA Cloud Essentials, the default authentication and identity service is provided by SAP Cloud Platform Identity Authentication Service (IAS). This is the central entry point (entry login page) for all the key business users to login into the S/4HANA Cloud Essential Systems (may it be Starter/Quality or Production System). What we understand as systems in S/4HANA Cloud essentials world are known as tenants in the SAP Cloud Platform Identity Authentication Service world, hence not to get confused if one says logging into Quality Tenant instead of Quality System.

Having said this, we need to note down that each type of system mentioned above is mapped with IAS tenant application. The starter and the Quality is mapped with one IAS tenant and Production is mapped to a separate IAS tenant. So every customer will have two IAS tenants upon receiving all types of systems. The SAP Cloud Platform Identity Authentication Service is provided in built for S/4HANA Cloud Essential contracts and holds no separate license/subscription.

Tip: In case the customer already owns another cloud solution whose identity and authentication is mapped with the SAP Cloud Platform Identity Authentication Service, the S/4HANA Cloud Essential systems will automatically check and map the S/4HANA Cloud Essential Systems with the already existing SAP Cloud Platform Identity Authentication Service tenants accordingly.

What is Initial Login?

As the customer/partner moves ahead with the S/4HANA Cloud Essentials implementation journey as per the Activate Roadmap, it is essential to understand the on-boarding procedure. Initial Login is the starting point for the further on-boarding journey. Every customer will have to maintain an IT Contact Person as a key and mandatory contact for the customer with a valid and working email ID. It is of prime importance to have an individual email ID valid, up to date and in working condition to receive emails on time or it might delay the overall project duration. This contact will be the front runner of receiving all the required confidential as well as general communications with respect to the S/4HANA Cloud implementation journey for initial logins. This contact will be receiving the initial login mails per system and is also responsible to initiate the on-boarding journey. For every system being provisioned, there are 3 emails this contact will receive ->

1) Initial Technical User Name and System URL Details -> This is a user who can login to the S/4HANA Cloud essentials directly with the URL provided in the same mail

2) Initial Password of the technical user -> This is strictly a confidential password only received by the IT contact person to login to the S/4HANA Cloud System directly using the provided technical user name

3) Admin Access to the SAP Cloud Platform Identity Authentication Service -> A mail with details about the identity provider setup over the SAP Cloud Platform with admin access is sent to the same IT contact person

Tip: The initial technical user is meant only for temporary use. It is highly recommended creating the employee and business user for the administrator. This business user can then create further employees and their respective business users, once the realize phase is reached. User name, e-mail address, and other available attributes related to the user have to be identical in the SAP S/4HANA Cloud system and in your corporate identity provider.

OBJECTIVE: The ultimate objective of the initial login and identity setup is to create admin business users and additional business users with relevant business roles in S/4HANA Cloud Essential Systems. Once this is done, the next step is to trigger those users for activation emails from SCP IAS in order for them to login into the S/4HANA Cloud Essential systems. Thing to note here is that default authentication identity for S/4HANA Cloud Essentials is setup on SCP IAS.

In the user onboarding and identity setup journey you will broadly come across below types of users depending on their functions:

  • Initial Technical User/IT Contact Person – Temporary user who receives the login mails and is responsible for creating the Business users with Administrator roles in S/4HANA Cloud Systems and create further SCP IAS admins
  • Administrator Business User – The administrator has very technical tasks related to setting up the system for all other users. For example, responsibility for creating users, assigning roles and authorizations to users, setting up connections between SAP S/4HANA Cloud and other software is part of the administrator’s tasks etc.
  • Configuration Expert User- The configuration expert is responsible for adjusting SAP S/4HANA Cloud to the company-specific requirements, for example, by using the Configure Your Solution app
  • Business Key & End User – The business key and end users are users in the company who fulfill the business processes, tasks of a particular department and may or may not be directly related to the implementation depending on their business roles and catalogs
  • Other Users – There are other users too like communication, developer, print users etc. who fulfill functions like integrations, extensions, output management etc. for the business solution depending on the requirement of the company’s business processes

WORKFLOW : Below illustrated is the workflow sequentially how user onboarding is performed across multiple systems:

A] Administrator User Creation in the Systems

Tip: The SCP IAS initial admin has an option to create multiple administrators after logging into the SCP IAS Admin Console. This is illustrated in the help.sap.com documentation – Add Administrators

Steps 1, 2, 3 and 4 are documented in the help.sap.com documentation in the below links:

Steps 5, 6 and 7 are documented in the help.sap.com documentation in the below link:

 

B] Additional Business User Creation in the Systems

Step 1, 2 and 3 are documented in the help.sap.com documentation in the below link:

Step 4 and 5 are documented in the help.sap.com documentation in the below link:

NOTE: There is an exception in the Q system during the Preset Phase where an additional step of creating Configuration Expert User and Role is required to start with the initial configurations. Here the The configuration expert will receive a registration e-mail to access your SAP S/4HANA Cloud system.

The configuration user has to complete the initial setup of the quality system. Once the initial setup is complete and the quality system is active, you can create the administrator business user.The steps are mentioned in the help.sap.com documentation -> Creating the Preset Configuration User (Quality System Only)

You can find all the details regarding the complete on-boarding process and setting up on identity in the below links:

 

Thanks,

Saumi

Assigned Tags

      16 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Varun Agarwal
      Varun Agarwal

      Thanks for sharing this information !

      Author's profile photo Cristian Amy
      Cristian Amy

      Hello Saumitra. Very valuable post!! However I cannot see the Micro Learning Video and I´m already logged in.

      Author's profile photo Saumitra Deshmukh
      Saumitra Deshmukh
      Blog Post Author

      Hi Cristian Amy : Can you try again... it usually takes a while for the video to load and start... or maybe it is buffering. I am able to see the video.

      Author's profile photo Cristian Amy
      Cristian Amy

      Not yet.. Look at the screen! There is a kind of permission stuff.

      Author's profile photo Saumitra Deshmukh
      Saumitra Deshmukh
      Blog Post Author

      Not sure why exactly this is happening. Can you please check if you are able to access the video in this link - https://s4hanacloud.community.sap/groups/yIaphhgIuqVwH1ZooyoZnf/documents/ebEWUWLYF3gLK8OpFgjVKf/video_viewer.

      Thanks,

      Saumi

      Author's profile photo Cristian Amy
      Cristian Amy

      Saumitra Deshmukh I could finally watch the video!! Thanks a lot!!

      Author's profile photo Lucian Marian
      Lucian Marian

      Hi Saumitra,

      the links to the help portal are broken now. Try to replace the release no (2002.500 ) with "latest" and they should be valid for future updates.

      Regards,

      Lucian

      Author's profile photo Saumitra Deshmukh
      Saumitra Deshmukh
      Blog Post Author

      Done! Thanks a lot for notifying this Lucian Marian 🙂

      Author's profile photo Marissa Ren
      Marissa Ren

      It's a very useful blog!!

      Author's profile photo Saumitra Deshmukh
      Saumitra Deshmukh
      Blog Post Author

      Thanks Marissa Ren

      Author's profile photo Shreyanka Shetty
      Shreyanka Shetty

      Great Blog! very informative.

      Author's profile photo Saumitra Deshmukh
      Saumitra Deshmukh
      Blog Post Author

      Thanks Shreyanka Shetty

      Author's profile photo Sunil Yadav
      Sunil Yadav

      Thanks for sharing an informative blog for Identity Access Management.

      Author's profile photo Saumitra Deshmukh
      Saumitra Deshmukh
      Blog Post Author

      Thanks Sunil Yadav

      Author's profile photo Johannes Bacher
      Johannes Bacher

      Dear Saumi,

      thank you for this blog - I have an urgent question related to this.

      We have a partner demo tenant for S4HC, and we have an IAS tenant. All worked fine when provisioned by SAP.

      Then our basis people tried to configure authentication using our locel ADFS, they added this corporate IDP etc... but it did not work.

      However, then they deleted the application (S/4HC demo tenant) in the IAS to see the effect.

      Then they added it again (using all same parameters) but still we cannot login to our S4HC tenant.

      So the question is: Where is the mapping (that you also mention in your blog) between the S4HC tenant and the IAS tenant defined?

      How does the S4HC tenant know where to forward the authentication request?

      We need to know this because obviously this is broken in our tenants currently.

      thank you,

      Johannes

       

       

       

      Author's profile photo Saumitra Deshmukh
      Saumitra Deshmukh
      Blog Post Author

      Hi Johannes Bacher : Thanks for the question, but I won't be able to help out with your case unless I understand the scenario fully and it is unlikely that we can discuss technical details here. Hence, I would request you to check out the documentation available in the Product help - https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US and if still you have doubts or errors which is prohibiting with the authentications or redirecting the user requests, I would request you to login a ticket to the SAP Support - BC-IAM-IDS.

       

      Thanks,

      Saumi