When it comes to Identity we are truly spoilt for choice
With so many Identity solutions from SAP for on-premise and Cloud applications, it can be a daunting task to understand what goes where. Should you use SAP IDM, or SAP GRC (I just found out that SAP GRC not only provisions access but Users too!), or SAP IAS and SAP IPS, or perhaps a third-party app? Read on to find out.
This blog post is to be read in conjunction with the parent post SAP SuccessFactors Integrations – Bidirectional Identity Integration with Microsoft Azure Active Directory and the IDP SAP SuccessFactors Integration Patterns – Bidirectional Identity Integration with Microsoft Azure Active Directory, authored by a bunch of fun-loving SuccessFactors and integration minds. What made this an amazing endeavour is that all of us came from different consulting houses and worked selflessly for the greater good…of course virtually, over phone calls and conferences! The world needs more collaboration, and this is a great platform for collaborating.
A word of Thanks
To start things off, here is a word of thanks to all those who made it possible. A friend, philosopher and guide, Chris Paine, recommends introducing yourself and your partners in crime at the start of your presentation instead of waiting till the credits roll. That way the audience knows who you are, and they have your contact details from the outset. That is not an incentive to leave the hall early!
So thank you SAP and Microsoft for bringing your solutions to market and letting us express our thoughts. Thanks to Gerald Reinhard and Anoop Garg for facilitating this initiative, and to the rest of my co-authors Amit Taur, Chris Paine, Himadri Chakraborty and Rupesh Kumar for making this possible. It was my pleasure collaborating with you all for over 6 months, and I would really relish the opportunity to do it again!
Last but definitely not least – thank you Smitha Kondajji for promoting IDPs and motivating us.
The Big Picture
Think of an enterprise-level architecture where you have a few SAP on-premise applications like SAP ECC and SAP CRM, SAP Cloud applications such as SAP SuccessFactors and SAP Ariba, non-SAP third-party SaaS like Slack and Jira, and other non-SAP business systems. As the organisation has grown organically over time, so too have its Identity and Access Management applications. From raising a ticket with the IT Helpdesk to create a new User in multiple systems, we now have SAP IDM for on-premise SAP systems, potentially SAP GRC to manage access rights (roles and authorisations), and SAP IAS if you run SuccessFactors, since it is required for the Internal Career Site, and so on.
The IDP takes you on a historical journey of how the IDAM solution has evolved over time; to understand and appreciate how things are in today's cloud world, one should go back to see how they once worked. It provides a recommendations matrix on when to use which pattern based on an organisation's landscape, and covers complex topics such as Global Assignment and Concurrent Employment, and when the "right time" is to send your Employee data over to AD.
Microsoft's Active Directory is largely seen as the de facto (on-premise) Identity Provider for most clients, or at least those who run Microsoft, and there are a few of them. Most SAP SuccessFactors consultants are familiar with the Productized Integration that sends SAP SuccessFactors Employee data on Hire and Termination to Microsoft Active Directory. Click HERE for details.
It does the job well if your requirements are only to send Employee data on Hire, i.e. create the User in Microsoft AD, and to Disable the said User account on Termination. But most organisations want more than just a Create and Disable of the User. Clients want job changes to flow through, as that might mean varying privileges to downstream applications. And everybody wants a write-back of the User ID (the Windows login ID, which is the Username in SF), the email ID, perhaps a landline (remember those?) and other attributes such as building location, floor etc. (we will be out of COVID-19 one day, or won't we).
With the recent capabilities offered by Microsoft's Azure Active Directory, we have a solution that addresses most of these gaps.
With Azure AD Provisioning Service, the process can be split into two parts. The customer can continue to use Cloud Integration (referred to as SAP Integration Suite in the IDP) to query the Employee data from SAP SuccessFactors and write to MS Active Directory, thereby retaining the as-is flow of data from SuccessFactors to AD. They can use MS Azure AD Provisioning Service for the writeback of attributes from Active Directory to SAP SuccessFactors. Both flows can run independently of one another. Therefore, the end-to-end flow will be as follows –
- SIS will query SAP SuccessFactors for new hires / rehires / terminations, then send the data to MS Active Directory
- MS Active Directory will create the User and generate the Username, Email ID, Business Phone etc.
- MS Active Directory will write back these attributes to MS Azure AD
- MS Azure AD will then write back to Azure AD Provisioning Service
- MS Azure AD Provisioning Service will update the worker data in SAP SuccessFactors
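As an added illustration (not code from the post, the IDP, SAP or Microsoft), here is a Python model of the two independent flows above on constructed sample data: the forward flow handles hire, rehire and termination so that a rehire re-enables the existing account rather than creating a duplicate and a termination disables rather than deletes, while the writeback flow is restricted to the AD-owned attributes the post lists (Username, Email ID, Business Phone) so HR-owned fields in SuccessFactors are never overwritten. The worker records, identifier formats and function names are assumptions for the example.

```python
# Attributes AD owns and may write back to SuccessFactors (Username, Email ID,
# Business Phone, as listed in the post); everything else stays HR-owned.
WRITEBACK_ATTRS = ("username", "email", "business_phone")

def forward_flow(sf_events, ad_accounts):
    """Flow 1 (SIS -> AD): apply hire/rehire/termination events, return actions taken."""
    actions = []
    for ev in sf_events:
        pid, kind = ev["person_id"], ev["event"]
        if kind in ("hire", "rehire") and pid in ad_accounts:
            ad_accounts[pid]["enabled"] = True      # rehire: re-enable, never duplicate
            actions.append((pid, "enabled"))
        elif kind in ("hire", "rehire"):            # new hire: AD generates identifiers
            ad_accounts[pid] = {
                "username": (ev["first"][0] + ev["last"]).lower(),
                "email": f'{ev["first"]}.{ev["last"]}@example.com'.lower(),
                "business_phone": f"+1-555-01{len(ad_accounts):02d}",  # constructed format
                "enabled": True}
            actions.append((pid, "created"))
        elif kind == "termination" and pid in ad_accounts:
            ad_accounts[pid]["enabled"] = False     # disable, never delete
            actions.append((pid, "disabled"))
        else:
            actions.append((pid, "skipped"))        # unknown event or no account
    return actions

def writeback_flow(ad_accounts, sf_workers):
    """Flow 2 (Azure AD Provisioning Service -> SF): copy only AD-owned attributes."""
    updated = []
    for pid, acct in ad_accounts.items():
        worker = sf_workers.get(pid)
        if worker is None:                          # account with no SF worker: leave SF alone
            continue
        changes = {a: acct[a] for a in WRITEBACK_ATTRS if worker.get(a) != acct[a]}
        if changes:
            worker.update(changes)                  # job, manager etc. are never touched
            updated.append((pid, sorted(changes)))
    return updated

def run_demo():
    """Constructed sample: a new hire, then termination and rehire of an existing worker."""
    sf_workers = {"1001": {"first": "Ada", "last": "Lovelace", "job": "Analyst"},
                  "1002": {"first": "Bob", "last": "Stone", "job": "Engineer"}}
    ad_accounts = {"1002": {"username": "bstone", "email": "bob.stone@example.com",
                            "business_phone": "+1-555-0100", "enabled": True}}
    events = [{"person_id": "1001", "event": "hire", **sf_workers["1001"]},
              {"person_id": "1002", "event": "termination"},
              {"person_id": "1002", "event": "rehire"}]
    actions = forward_flow(events, ad_accounts)
    return actions, writeback_flow(ad_accounts, sf_workers), ad_accounts, sf_workers
```

Running the two flows in either order, or only one of them, leaves the other's data untouched, which is the independence the post describes.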
For an e2e narrative of the solution please refer to Automated user provisioning from SAP SuccessFactors is now GA – Microsoft Tech Community.
On that note I shall leave you with a reference architecture that showcases some of the moving bits. We have most, if not all, kinds of systems covered. Of course, at the centre of the piece are SAP SuccessFactors and Microsoft Azure Active Directory, ably supported by SAP and non-SAP systems, both on-premise and Cloud, and multiple IDAM technologies. This just goes to show that there can be a place for all (to borrow a line from @sufw).
Happy reading everybody. We look forward to welcoming your thoughts, questions etc.
Fig. 1 – Reference Architecture
I hope that this blog offers you a teaser of some of the features the IDP deep-dives into. Both Customers and Partners have been eagerly waiting for them for a long time. With time we are confident the functionality will only be further enriched to cater to other needs.
If you have any questions or comments please do not hesitate to reach out to any of the authors. We are more than happy to take your questions, comments and feedback. Remember, we have come a long way in Bidirectional Identity Integration with Microsoft Azure Active Directory as it stands today; this would not have been possible if it had not been for a vociferous community!
Finally, here are a couple of blogs in the SAP SuccessFactors Partner Delivery Community and the SAP SuccessFactors Community posted by Gerald Reinhard for your kind perusal –