
Evolving Identity Authentication and Identity Provisioning into SAP Cloud Identity Services

My colleague Matthias announced in his recent blog that the SAP Cloud Platform Identity Authentication service (IAS) and the SAP Cloud Platform Identity Provisioning service (IPS) will be combined into SAP Cloud Identity Services. In this blog, I would like to shed some more light on this strategy and our future plans.

Combining the two existing cloud services – Identity Authentication and Identity Provisioning: is this just a new name or is it more?
It is indeed far more than just a new branding: holistic identity and access management is a core part of SAP’s efforts to deliver integrated solutions for the Intelligent Enterprise. Combining the two services in fact means re-platforming Identity Provisioning and delivering it on the same infrastructure as Identity Authentication. From a licensing perspective IAS and IPS will remain two independent products, but technically they will be a pair of services that are delivered jointly.

And we will even go beyond just re-platforming the Identity Provisioning service. We see a growing demand for easier integration of cloud solutions when it comes to system-to-system communication. As of today, a variety of protocols and token formats are established to secure such communication, ranging from basic authentication and certificates to OAuth and SAML bearer tokens. Different secure stores and different authorities for issuing the respective tokens are in use, which makes it difficult to establish and protect such integration scenarios. We see significant potential to reduce the effort needed to establish secure communication.

For those reasons SAP Cloud Identity Services shall evolve into a one-stop-shop when it comes to identity access management and securing system-to-system communication by providing means for:

  • Authentication
  • Identity Federation and Single Sign-On
  • Central User Store
  • Identity Provisioning
  • OAuth Token Service
  • Certificate Service

SAP Cloud Identity Services – future components & integration capabilities

The Identity Authentication service provides authentication, single sign-on and identity federation. It also supports advanced authentication mechanisms such as multi-factor authentication, and supports the SAML and OpenID Connect (OIDC) protocols. The current user store of IAS will be extended with the capabilities of the Identity Directory service (IdDS) to offer a combined, extendable user store and a new set of SCIM APIs.
The Identity Provisioning service will contribute identity lifecycle management as part of a single tenant instance.

Beyond that, we envision better support for protecting system-to-system communication. We are working on a concept that will allow the authentication token issued by IAS to be forwarded from one system to another. This will enable principal propagation without the need for point-to-point trust configuration between all systems involved in a given business process: each system only needs to trust the token issuer.

For integration scenarios that require principal propagation, we also plan to provide an OAuth token service as part of the SAP Cloud Identity Services. As an alternative, for integration scenarios without the need for principal propagation, we plan to offer a certificate service that can issue X.509 certificates for secure authentication. Developers and administrators will then be able to select the security protocol of their choice for protecting service-based communication.
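The two paragraphs above describe a hub-and-spoke trust model: one issuer signs the token, the token names every system it may be forwarded to, and each receiving system validates it against the issuer alone instead of trusting the caller that forwarded it. The following Python sketch is an added illustration of that model and is not SAP's code, nor a description of how Identity Authentication actually implements token forwarding. The compact HMAC-signed "claims.signature" format, the placeholder issuer URL and key, and the service names ("orders", "billing", "hr") are assumptions of this example; a real deployment would use SAML or JWT bearer tokens with asymmetric signatures and published issuer keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real deployment would use the identity service's
# published signing keys and issuer URL rather than these placeholders.
ISSUER = "https://issuer.example.invalid"        # placeholder issuer identifier
ISSUER_KEY = b"constructed-demo-signing-key"     # HMAC key standing in for the issuer's signing key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, audiences, ttl=300, now=None, key=ISSUER_KEY):
    """Issue a compact 'claims.signature' token naming the principal and every
    service it may be forwarded to (the audience list)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": subject, "aud": list(audiences),
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, expected_audience, trusted_key, now=None):
    """Validate signature, issuer, expiry and audience; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected_sig = hmac.new(trusted_key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if expected_audience not in claims.get("aud", []):
        raise ValueError("audience mismatch")
    return claims


class Service:
    """A relying system whose only trust configuration is the central issuer's key."""

    def __init__(self, name, trusted_key=ISSUER_KEY):
        self.name = name
        self.trusted_key = trusted_key

    def handle(self, token, now=None):
        # Each hop validates independently; it never has to trust the caller
        # that forwarded the token, only the issuer that signed it.
        return verify_token(token, self.name, self.trusted_key, now)["sub"]


def propagate(token, chain, now=None):
    """Forward one token through a call chain; return the principal each service saw."""
    return [(svc.name, svc.handle(token, now)) for svc in chain]


def rejection_reason(token, audience, now=None, trusted_key=ISSUER_KEY):
    """Return why a service would reject the token, or None if it is acceptable."""
    try:
        verify_token(token, audience, trusted_key, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    token = issue_token("alice", ["orders", "billing"], now=1000)
    print(propagate(token, [Service("orders"), Service("billing")], now=1100))
    print(rejection_reason(token, "hr", now=1100))
```

Two design points carry over to the real protocols: the audience list is the control that bounds where a forwarded token is honoured (a service not named in it rejects the token even though the signature is valid), and no relying system holds a key that could mint tokens, so a compromised hop cannot impersonate other principals, only replay the tokens it has seen for their remaining lifetime, which is why the expiry check is not optional.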

SAP Cloud Identity Services – protecting system-to-system communication (future capabilities)


Finally, I want to mention that the area of SAP Cloud Identity Access Governance (IAG), with its access request processes, segregation-of-duties checks and firefighter functionality, will stay separate and will not be part of the SAP Cloud Identity Services. We see this as a separate, valuable product for our business applications. IAG will continue to integrate with IPS for user provisioning to SAP Cloud solutions.

Conclusion

With SAP Cloud Identity Services, customers will benefit from a simpler system landscape, with IAS and IPS running on the same platform. User management will be simplified with a unified IAS and IdDS user store. Finally, in the future we will provide extended capabilities to secure system-to-system communication.

Links

SAP Cloud Identity Services: https://community.sap.com/topics/cloud-identity-services

7 Comments
  • Hi Marko,

    Thanks for sharing this high-level overview about the future of SAP IAS and SAP IPS. Could you also share the roadmap with the new features and capabilities that SAP is planning to add in these products?

    Regards,

    Fabiano Rosa


    • Hi Fabiano,
      fair question on the roadmaps for IAS and IPS. Due to internal reasons we did not provide roadmaps last year. But we are working on making our planning externally available via the SAP Roadmap Explorer https://roadmaps.sap.com/. Sometime in Q3 you should be able to see functions and feature planning for IAS & IPS there.
      Marko

  • Hello Marko,

    Great read indeed.

    Just a question on SAP Cloud Platform – Identity Access Governance. Would this not also belong to the Identity Access Management solution? Would this not be covered by the SAP Cloud Identity Services?

    Best regards,

    Gaveesh

    • Hi Gaveesh,

      from a general concept level, I also feel that Identity Access services (Authentication & Authorization) clearly belong together with governing their usage (access governance).

      From the practical perspective, I found the Access Governance topic to be very demanding on customers in setup & maintenance – you kind of need to make the control system aware of the meaning of your roles – very work intensive.

      In the end, not every customer cares for or needs access governance – so combining this into one product looks, at least to me, more like a complication than an added value.

      Cheers,
      Dirk

  • Hi Marko,

    thanks for sharing the info.

    I have some questions regarding existing tenants and configurations.

    If we have Authentication and Provisioning tenants in place right now, what will the process be to merge these different tenants?

    From which time on will these one-box tenants be available?

    Thanks!

    Regards,

    Andreas

  • Hi Andreas,

    existing IAS and IPS tenants will not be affected by the new tenant model; it applies only to new instances to be delivered.
    There is currently no migration planned for existing IPS tenants – at least for the initial phase.

    These new ‘one box’ tenants are planned to be available in Q3 (2020 🙂 )
    In fact we already have internal test versions, yet for general availability some minor topics (e.g. order fulfillment) are under investigation.

    Regards, Marko

    P.S.: although it all looks fine internally, please be aware that forward-looking statements are subject to various risks and uncertainties that might cause delays in final availability dates.