Marko Sommer

Evolving Identity Authentication and Identity Provisioning into SAP Cloud Identity Services

My colleague Matthias explained in his recent blog that the SAP Cloud Platform Identity Authentication service (IAS) and the SAP Cloud Platform Identity Provisioning service (IPS) will be combined into SAP Cloud Identity Services. In this blog, I would like to shed some more light on this strategy and our future plans.

Combining the two existing cloud services – Identity Authentication and Identity Provisioning: is this just a new name or is it more?
It is indeed far more than just a new branding: holistic identity and access management is a core part of SAP’s efforts to deliver integrated solutions for the Intelligent Enterprise. Combining the two services in fact means re-platforming Identity Provisioning and delivering it on the same infrastructure as Identity Authentication. From a licensing perspective IAS and IPS will remain two independent products, but technically they will be a pair of services that are delivered jointly.

And we will even go beyond just re-platforming the Identity Provisioning service. We see a growing demand for easier integration of cloud solutions when it comes to system-to-system communication. Today, a variety of protocols and token formats are established to secure such communication, ranging from basic authentication and certificates to OAuth and SAML bearer tokens. Different secure stores and different authorities for issuing the respective tokens are in use, which makes it difficult to establish and protect such integration scenarios. We see significant potential to reduce the effort needed to establish secure communication.

For those reasons SAP Cloud Identity Services shall evolve into a one-stop shop for identity and access management and for securing system-to-system communication, by providing means for:

  • Authentication
  • Identity Federation and Single Sign-On
  • Central User Store
  • Identity provisioning
  • OAuth Token Service
  • Certificate Service

SAP Cloud Identity Services – future components & integration capabilities

The Identity Authentication service provides authentication, single sign-on and identity federation. It also supports advanced authentication mechanisms such as multi-factor authentication, as well as the SAML and OpenID Connect (OIDC) protocols. The current user store of IAS will be extended with the capabilities of the Identity Directory service (IdDS) to offer a combined, extendable user store and a new set of SCIM APIs.
The Identity Provisioning service will contribute identity lifecycle management as part of a single tenant instance.

Beyond that, we envision better support for protecting system-to-system communication. We are working on a concept that will allow the authentication token issued by IAS to be forwarded from one system to another. This will enable principal propagation without the need for point-to-point trust configuration between all systems involved in a given business process.

For integration scenarios that require principal propagation, we also plan to provide an OAuth token service as part of SAP Cloud Identity Services. As an alternative, for integration scenarios without the need for principal propagation, we plan to offer a certificate service that can issue X.509 certificates for secure authentication. Developers and administrators will then be able to select the security protocol of their choice for protecting service-based communication.

SAP Cloud Identity Services – protecting system-to-system communication (future capabilities)


Finally, I want to mention that the area of SAP Cloud Identity Access Governance (IAG), with access request processes, segregation-of-duties checks and firefighter functionality, will stay separate and will not be part of SAP Cloud Identity Services. We see this as a separate, valuable product for our business applications. IAG will continue to integrate with IPS for user provisioning to SAP Cloud solutions.

Conclusion

With SAP Cloud Identity Services, customers will benefit from a simpler system landscape with IAS and IPS running on the same platform. User management will be simplified with a unified IAS and IdDS user store. Finally, in the future we will provide extended capabilities to secure system-to-system communication.

Links

SAP Cloud Identity Services: https://community.sap.com/topics/cloud-identity-services

Comments
      Fabiano Rosa

      Hi Marko,

      Thanks for sharing this high-level overview about the future of SAP IAS and SAP IPS. Could you also share the roadmap with the new features and capabilities that SAP is planning to add in these products?

      Regards,

      Fabiano Rosa


      Marko Sommer
      Blog Post Author

      Hi Fabiano,
      fair question on the roadmaps for IAS and IPS. Due to internal reasons we did not provide roadmaps last year. But we are working on making our planning externally available via the SAP Roadmap Explorer https://roadmaps.sap.com/. Sometime in Q3 you should be able to see functions and feature planning for IAS & IPS there.
      Marko

      Florian Georg Furtmüller

      Dear Marko,

      It seems Q3/2020 could not be achieved by SAP for the roadmap(s) for SAP CIS, especially for IPS, or do you have news on this?

      It would be nice to get more information related to IPS as well as to CIS as a feature bundle, and on future prospects.

      Thank you, Florian Furtmüller

      Marko Sommer
      Blog Post Author

      Hi Florian
      indeed, but we're getting closer. I expect the first chunk of roadmap items to be released by next week. Hopefully by end of October we have the current IAS and IPS planning available in the Roadmap Explorer https://roadmaps.sap.com/

      Kind regards, Marko

      Christian Happel

      Great to see these two services merging again!

      Gaveesh D Prasad

      Hello Marko,

      Great read indeed.

      Just a question on SAP Cloud Platform - Identity Access Governance. Wouldn't this also belong to the Identity Access Management solution? Wouldn't this be covered by SAP Cloud Identity Services?

      Best regards,

      Gaveesh

      Dirk Olderdissen

      Hi Gaveesh,

      from a general concept level, I also feel that Identity Access services (Authentication & Authorization) clearly belong together with governing their usage (access governance).

      From the practical perspective, I found the Access Governance topic to be very demanding on customers in setup & maintenance – you kind of need to make the control system aware of the meaning of your roles – very work intensive.

      In the end, not every customer cares for or needs access governance – so combining this into one product looks, at least to me, more like a complication than an added value.

      Cheers,
      Dirk

      Andreas Hartmann

      Hi Marko,

      thanks for sharing the info.

      I have some questions regarding existing tenants and configurations.

      If we have Authentication and Provisioning tenants in place right now, what will the process be to merge these different tenants?

      From when will these one-box tenants be available?

      Thanks!

      Regards,

      Andreas

      Marko Sommer
      Blog Post Author

      Hi Andreas,

      existing IAS and IPS tenants will not be affected by the new tenant model; it applies only to new instances to be delivered.
      There is currently no migration planned for existing IPS tenants - at least for the initial phase.

      These new 'one box' tenants are planned to be available in Q3 (2020 🙂 )
      In fact we already have internal test versions, yet for general availability some minor topics (e.g. order fulfillment) are under investigation.

      Regards, Marko

      P.S.: although it all looks fine internally, please be aware that forward-looking statements are subject to various risks and uncertainties that might cause delays in final availability dates.

      Sumit Luis

      Hi Marko,

      We have just taken delivery of a new S/4HANA Cloud tenant but the bundle came with a separate instance/tenant each for the Identity Provisioning and Identity Authentication. Just reading the comment above it was meant to all be in the one box in Q3-2020, have plans changed here?

      Thank you

      Sumit

      Marko Sommer
      Blog Post Author

      Indeed, it happens that our planned timelines sometimes change. Unfortunately almost always towards a later shipment...
      The team is currently targeting end of Q1 (this year) as the time for availability of common IAS/IPS tenant on the same infrastructure for net new customers.

      Best regards, Marko

      Carsten Olt

      Cool, looking forward to it 👨‍💻:)

      Waldemar Brill

      Hi Marko,

      can you confirm that the new "one-box" tenant is delivered to customers now? Thanks.

      Regards

      Waldemar

      Manuel Xiccato

      Hi Marko,

      is (or would be in the future) the new SAP Cloud Identity Service also available as a trial environment?

      Thank you so much!

      Manuel

      Marko Sommer
      Blog Post Author

      Hi Manuel,

      indeed a trial environment would be appreciated so that one can easily get some hands-on experience. It was in fact just recently discussed whether we are going to offer trial instances, but we did not get a go for it. Will take it up again as a proposal at the beginning of next year.

      Thanks for the request, Marko

      Waldemar Brill

      Hello Marko,

      in the SAP Store "SAP Cloud Identity Services" can be purchased on its own. Does it behave like a "standalone" version in this case, without any target restrictions?

      So would it be possible to use it for user provisioning to S/4HANA on-premise (as target!), which is not possible for the bundled versions?

      Regards

      Waldemar

      Carsten Olt

      Hi Waldemar,

      excellent question that often comes up.

      Based on our latest state of knowledge, the Identity Services (here in particular the IPS) are only delivered as a bundled version. Customers who want to provision ABAP or S/4HANA as a target therefore need an old standalone tenant (which is no longer available from SAP).

      Alternatively, if customers purchase the SAP Cloud Identity Access Governance (IAG) they have access to the full list of Identity Provisioning connectors which is kind of equal to the standalone IPS. Also, they can use SAP IDM and provision S/4HANA via a proxy-system connector.

      Cheers Colt

      Waldemar Brill

      Hi Carsten,

      I see that I got a bundled "SAP Cloud Identity Services" version when I purchased an SAP SaaS application, e.g. S/4HANA Cloud.

      But why does SAP offer "SAP Cloud Identity Services" separately in the SAP Store? What exactly will we get here? Bundled (with restriction to something?) or standalone (no restrictions)? I do not find any information to this.


      Regards

      Waldemar

      Carsten Olt

      🤔hmm.. I see... hope that Marko can provide some information...

      Marko Sommer
      Blog Post Author

      Hi Waldemar,

      indeed the Identity Provisioning service is only offered as a bundled version anymore. The full version was removed from the price list, since Identity Provisioning is targeting identity lifecycle management for SAP cloud products. The only option to receive a full version is by licensing Identity Access Governance.

      Why do we still offer Identity Services in the SAP Store? Well, the default model is that we grant every customer one productive and one non-productive IAS tenant in order to establish single sign-on by default. For IPS it is similar: a central instance for identity lifecycle management. These two default tenants are offered free of charge. If a customer - for whatever reason - would like to have additional tenants, then these are subject to licensing via the SAP Store.
      What you will receive is an additional IAS tenant. IPS is not yet available as a common tenant with IAS; once this is the case, the plan is to offer the IPS bundle version as part of it.

      Regards, Marko

      Renzo Pluister

      Hi

      Is it possible to use other ID systems instead of IAS/IPS and still be able to use People Stories or later external Learning users?

      Marko Sommer
      Blog Post Author

      Hi Renzo,

      if this question is about SuccessFactors LMS, then IAS/IPS the SuccessFactors IdP and/or local user management and authentication in LMS is still the default. We just had a pilot phase for the integration with LMS. It is planned to introduce integration with IAS and IPS in the second half of this year. You may have a look at https://community.successfactors.com/t5/Learning-Resources-Blog/Learning-Native-Login-Deprecation-Begins-Within-First-Half-2021/ba-p/225723

      BR, Marko