
Evolving Identity Authentication and Identity Provisioning into SAP Cloud Identity Services

My colleague Matthias announced in his recent blog post that the SAP Cloud Platform Identity Authentication service (IAS) and the SAP Cloud Platform Provisioning service (IPS) will be combined into SAP Cloud Identity Services. In this blog, I would like to shed some more light on this strategy and our future plans.

Combining the two existing cloud services – Identity Authentication and Identity Provisioning: is this just a new name or is it more?
It is indeed far more than just new branding: holistic identity access management is a core part of SAP’s efforts to deliver integrated solutions for the Intelligent Enterprise. Combining the two services in fact means re-platforming Identity Provisioning and delivering it on the same infrastructure as Identity Authentication. From a licensing perspective, IAS and IPS will remain two independent products, but technically they will be a pair of services that are delivered jointly.

And we will go beyond just re-platforming the Identity Provisioning service. We see a growing demand for easier integration of cloud solutions when it comes to system-to-system communication. Today, a variety of protocols and token formats are established to secure such communication, ranging from basic authentication and certificates to OAuth and SAML bearer tokens. Different secure stores and authorities are used for issuing the respective tokens, which makes it difficult to establish and protect such integration scenarios. We see significant potential to reduce the effort of establishing secure communication.

For those reasons SAP Cloud Identity Services shall evolve into a one-stop-shop when it comes to identity access management and securing system-to-system communication by providing means for:

  • Authentication
  • Identity Federation and Single Sign-On
  • Central User Store
  • Identity provisioning
  • OAuth Token Service
  • Certificate Service

SAP Cloud Identity Services – future components & integration capabilities

The Identity Authentication service provides authentication, single sign-on and identity federation. It also supports advanced authentication mechanisms such as multi-factor authentication, as well as the SAML and OpenID Connect (OIDC) protocols. The current user store of IAS will be extended with the capabilities of the Identity Directory service (IdDS) to offer a combined, extendable user store and a new set of SCIM APIs.
The Identity Provisioning service will contribute identity lifecycle management as part of a single tenant instance.

Beyond that we envision better support for protection of system-to-system communication. We are working on a concept that will allow forwarding of the authentication token, that is issued by IAS, from one system to another. This will enable principal propagation without the need for point-to-point trust configuration for all systems that are involved in a certain business process.

For integration scenarios that require principal propagation, we also plan to provide an OAuth token service as part of the SAP Cloud Identity Services. As an alternative, for integration scenarios without the need for principal propagation, we plan to offer a certificate service that can issue X.509 tokens for secure authentication. Developers and administrators will then be able to select the security protocol of their choice for protecting service-based communication.

SAP Cloud Identity Services – protecting system-to-system communication (future capabilities)


Finally, I want to mention that the area of SAP Cloud Identity Access Governance (IAG) with access request processes, segregation of duty checks and firefighter functionality will stay separate and not be a part of the SAP Cloud Identity Services. We see this as a separate, valuable product for our business applications. IAG will continue to integrate with IPS for user provisioning to SAP Cloud solutions.


With SAP Cloud Identity Services, customers will benefit from a simpler system landscape with IAS & IPS running on the same platform. User management will be simplified with a unified IAS & IdDS user store. Finally, in the future we will provide extended capabilities to secure system-to-system communication.


SAP Cloud Identity Services:

  • Hi Marko,

    Thanks for sharing this high-level overview about the future of SAP IAS and SAP IPS. Could you also share the roadmap with the new features and capabilities that SAP is planning to add in these products?


    Fabiano Rosa


    • Hi Fabiano,
      fair question on the roadmaps for IAS and IPS. Due to internal reasons we did not provide roadmaps last year. But we are working on making our planning externally available via the SAP Roadmap Explorer. Sometime in Q3 you should be able to see functions and feature planning for IAS & IPS there.

      • Dear Marko,

        Seems Q3/2020 could not be achieved by SAP related to roadmap(s) for SAP CIS especially for IPS or do you have news on this?

        Would be nice to get more information related to IPS as well as CIS as feature bundle as well as future prospects.

        Thank you, Florian Furtmüller

        • Hi Florian
          indeed, but we're getting closer. I expect the first chunk of roadmap items to be released by next week. Hopefully by end of October we have the current IAS and IPS planning available in the Roadmap Explorer.

          Kind regards, Marko

  • Hello Marko,

    Great read indeed.

    Just a question on SAP Cloud Platform - Identity Access Governance. Would not this also belong to the Identity Access Management Solution? Would not this be covered by the SAP Cloud Identity Services?

    Best regards,


    • Hi Gaveesh,

      from a general concept level, I also feel that Identity Access services (Authentication&Authorization) clearly belongs to governing their usage (access governance).

      From the practical perspective, I found the Access Governance topic to be very demanding on customers in setup & maintenance – you kind of need to make the control system aware of the meaning of your roles – very work intensive.

      In the end, not every customer cares for or needs access governance – so combining this into one product looks at least to me more like a complication than an added value.


  • Hi Marko,

    thanks for sharing the info.

    I have some questions regarding existing tenants and configurations.

    If we have Authentication and Provisioning tenants in place right now, how will be the process to merge these different tenants?

    From which time on will these one-box tenants be available?




  • Hi Andreas,

    existing IAS and IPS tenants will not be affected with the new tenant model but it applies only for new instances to be delivered.
    There is currently no migration planned for existing IPS tenants - at least for the initial phase.

    These new 'one box' tenants are planned to be available in Q3 (2020 🙂 )
    In fact we already have internal test versions, yet for general availability some minor topics (e.g. order fulfillment) are under investigation.

    Regards, Marko

    P.S.: although it all looks fine internally, please be aware that forward-looking statements are subject to various risks and uncertainties that might cause delays in final availability dates.

    • Hi Marko,

      We have just taken delivery of a new S/4HANA Cloud tenant but the bundle came with a separate instance/tenant each for the Identity Provisioning and Identity Authentication. Just reading the comment above it was meant to all be in the one box in Q3-2020, have plans changed here?

      Thank you


      • Indeed, it happens that our planned timelines sometimes change. Unfortunately almost always towards a later shipment...
        The team is currently targeting end of Q1 (this year) as the time for availability of common IAS/IPS tenant on the same infrastructure for net new customers.

        Best regards, Marko

    • Hi Manuel,

      indeed a trial environment would be appreciated so that one can easily get some hands-on experience. It was in fact just recently discussed whether we are going to offer trial instances but we did not get a go for it. Will take it up again as a proposal beginning of next year.

      Thanks for the request, Marko

  • Hello Marko,

    in the SAP Store "SAP Cloud Identity Services" can be purchased solely. Does it behave like a "standalone" version in this case without any target restrictions?

    So would it be possible to use it for user provisioning to S/4 HANA OnPremise (target!), which is not possible for the bundled versions.



    • Hi Waldemar,

      excellent question that often comes up.

      Based on our latest state of knowledge, the Identity Services (here in particular the IPS) are only delivered as a bundled version. Customers who want to provision ABAP or S/4HANA as a target, therefore, need an old standalone tenant (which is no longer available from SAP).

      Alternatively, if customers purchase the SAP Cloud Identity Access Governance (IAG) they have access to the full list of Identity Provisioning connectors which is kind of equal to the standalone IPS. Also, they can use SAP IDM and provision S/4HANA via a proxy-system connector.

      Cheers Colt

      • Hi Carsten,

        I see that I got a bundled "SAP Cloud Identity Services" version when I purchase an SAP SaaS application, e.g. S/4 HANA Cloud.

        But why does SAP offer "SAP Cloud Identity Services" separately in the SAP Store? What exactly will we get here? Bundled (with restriction to something?) or standalone (no restrictions)? I do not find any information to this.