My colleague Matthias introduced in his recent blog that the SAP Cloud Platform Identity Authentication service (IAS) and the SAP Cloud Platform Provisioning service (IPS) will be combined to SAP Cloud Identity Services. In this blog, I would like to shed some more light into this strategy and future plans.
Combining the two existing cloud services - Identity Authentication and Identity Provisioning: is this just a new name or is it more?
It is indeed far more than just a new branding: a holistic identity access management is a core part of SAP’s efforts to deliver integrated solutions for the Intelligent Enterprise. Combining the two services in fact means a re-platforming of Identity Provisioning and delivering it in the same infrastructure as that of Identity Authentication. From license perspective IAS and IPS will remain two independent products, but technically they will be a pair of services that are delivered jointly.
And we will even go beyond just re-platforming the Identity Provisioning service. We see a growing demand for an easier integration of cloud solutions when it comes to system-to-system communication. As of today, a variety of protocols and token formats are established to secure such communication that range from basic authentication, certificates, oAuth- and SAML bearer tokens. Different secure stores and authorities for issuing the respective tokens are used which makes it difficult to establish and protect such integration scenarios. We see a significant potential to reduce efforts for establishing secure communications.
For those reasons SAP Cloud Identity Services shall evolve into a one-stop-shop when it comes to identity access management and securing system-to-system communication by providing means for:
The Identity Authentication service provides authentication, single sign-on and identity federation. It also supports advanced authentication mechanisms such as multi-factor authentication, and support for SAML and OpenID Connect (OIDC) protocol. The current user store of IAS will be extended with the capabilities of the Identity Directory service (IdDS) to offer a combined, extendable user store and a new set of SCIM APIs.
The Identity Provisioning service will contribute identity lifecycle management as part of a single tenant instance.
Beyond that we envision better support for protection of system-to-system communication. We are working on a concept that will allow forwarding of the authentication token, that is issued by IAS, from one system to another. This will enable principal propagation without the need for point-to-point trust configuration for all systems that are involved in a certain business process.
For integration scenarios that require principle propagation, we also plan to provide an oAuth token service as part of the SAP Cloud Identity Services. As an alternative - for integration scenarios without the need for principal propagation - we plan to offer a certificate service that can issue X.509 tokens for secure authentication. Developers and administrators will then be able to select the security protocol of their choice for protection of service-based communication. .
Finally, I want to mention that the area of SAP Cloud Identity Access Governance (IAG) with access request processes, segregation of duty checks and firefighter functionality will stay separate and not be a part of the SAP Cloud Identity Services. We see this as a separate, valuable product for our business applications. IAG will continue to integrate with IPS for user provisioning to SAP Cloud solutions.
Conclusion
With SAP Cloud Identity Services customers will benefit from a simpler system landscape with IAS & IPS running on the same platform. User management will be simplified with a unified IAS & IdDS user store. Finally in the future we will provide extended capabilities to secure system-to-system communication.
Links
SAP Cloud Identity Services: https://community.sap.com/topics/cloud-identity-services
Combining the two existing cloud services - Identity Authentication and Identity Provisioning: is this just a new name or is it more?
It is indeed far more than just a new branding: a holistic identity access management is a core part of SAP’s efforts to deliver integrated solutions for the Intelligent Enterprise. Combining the two services in fact means a re-platforming of Identity Provisioning and delivering it in the same infrastructure as that of Identity Authentication. From license perspective IAS and IPS will remain two independent products, but technically they will be a pair of services that are delivered jointly.
And we will even go beyond just re-platforming the Identity Provisioning service. We see a growing demand for an easier integration of cloud solutions when it comes to system-to-system communication. As of today, a variety of protocols and token formats are established to secure such communication that range from basic authentication, certificates, oAuth- and SAML bearer tokens. Different secure stores and authorities for issuing the respective tokens are used which makes it difficult to establish and protect such integration scenarios. We see a significant potential to reduce efforts for establishing secure communications.
For those reasons SAP Cloud Identity Services shall evolve into a one-stop-shop when it comes to identity access management and securing system-to-system communication by providing means for:
- Authentication
- Identity Federation and Single Sign-On
- Central User Store
- Identity provisioning
- oAuth Token Service
- Certificate Service
SAP Cloud Identity Services - future components & integration capabilities
The Identity Authentication service provides authentication, single sign-on and identity federation. It also supports advanced authentication mechanisms such as multi-factor authentication, and support for SAML and OpenID Connect (OIDC) protocol. The current user store of IAS will be extended with the capabilities of the Identity Directory service (IdDS) to offer a combined, extendable user store and a new set of SCIM APIs.
The Identity Provisioning service will contribute identity lifecycle management as part of a single tenant instance.
Beyond that we envision better support for protection of system-to-system communication. We are working on a concept that will allow forwarding of the authentication token, that is issued by IAS, from one system to another. This will enable principal propagation without the need for point-to-point trust configuration for all systems that are involved in a certain business process.
For integration scenarios that require principle propagation, we also plan to provide an oAuth token service as part of the SAP Cloud Identity Services. As an alternative - for integration scenarios without the need for principal propagation - we plan to offer a certificate service that can issue X.509 tokens for secure authentication. Developers and administrators will then be able to select the security protocol of their choice for protection of service-based communication. .
SAP Cloud Identity Services – protecting system-to-system communication (future capabilities)
Finally, I want to mention that the area of SAP Cloud Identity Access Governance (IAG) with access request processes, segregation of duty checks and firefighter functionality will stay separate and not be a part of the SAP Cloud Identity Services. We see this as a separate, valuable product for our business applications. IAG will continue to integrate with IPS for user provisioning to SAP Cloud solutions.
Conclusion
With SAP Cloud Identity Services customers will benefit from a simpler system landscape with IAS & IPS running on the same platform. User management will be simplified with a unified IAS & IdDS user store. Finally in the future we will provide extended capabilities to secure system-to-system communication.
Links
SAP Cloud Identity Services: https://community.sap.com/topics/cloud-identity-services
- SAP Managed Tags:
23 Comments
