Identity Lifecycle: SAP Reference Architecture for Identity Access Management – Part 2
Hybrid integration with SAP Identity Management
What is it, what is the intention and what is in for you?
With the SAP’s Integration Plan in the Cloud distinct suite qualities were introduced. Those suite qualities are getting more important for the whole SAP portfolio. You as a customer get end-2-end automated solutions across different applications aligned with the business processes. Capabilities which belong to multiple applications are defined in those suite qualities centrally like the topic security and identity management.
In this blog post series we want to share the recommended architectures which offer you options to adapt the IES design for identity access management (IAM). Still this blog post will not be able to provide answers for all questions around how to setup IAM in a certain landscape. The intention is rather to provide food for thought for what to take into account.
We will concentrate on employee related integration scenarios (B2E).
How can you benefit from the integrated master data and identity flows?
Scenario 2 – Hybrid setup with SAP Identity Management
The SAP apps in this scope are:
- SAP Success Factors (Employee Central)
- SAP Master Data Integration and SAP Master Data Orchestration
- SAP Cloud Identity Services
- SAP Business Technology Platform (SAP BTP)
- SAP Identity Management (or a 3rd party identity management solution)
A very common setup for SAP SaaS/PaaS applications is the usage of an identity management system mainly for account/authorization management for SAP on premises and/or SaaS/PaaS solutions. In this blog post I will describe it with the SAP Identity Management.
Let’s assume in your case the SAP landscape grows and you want to benefit from automated Hire2Retire flows. How can you move (near) to the reference architecture?
For the identity lifecycle the way to the reference architecture contains mainly the setup of the SAP Cloud Identity Services in between the identity management (on-premises) and the SAP applications.
In this example you have already SAP Identity Management as your solution to provision access to your landscape and you want to benefit from the automation of the greenfield cloud architecture for Identity Access Management. The determination of the access and workflows to assign authorizations have been set up already in your SAP Identity Management. This blog post describes how you can make use of the more and more integrated SAP SaaS/PaaS solutions for the Intelligent Enterprise with your investments into SAP Identity Management.
First of all: SAP Identity Management can be the leading system in this flow. To benefit from workforce-person to identity conversions and in regard of the creation of the User UUID in the SAP Cloud Identity Services the flow contains a two-way integration between SAP Identity Management (since SP08 PL10) and the SAP Cloud Identity – Directory Service (IdDS).
SAP Identity Management can get via this interface the identity. The identity management then use your local rules to trigger your current user provisioning. This interface allows to amend attributes into the Directory Service for example: In case your SAP Identity Management creates a logon-name which is used in Non-SAP and SAP-ABAP based systems. The identity management should write it back as login name to the Directory Service too. This way it can be used especially in the authentication flows (please check Markos blog posts for this topic too).
How can you get there now?
The 1st step:
- Setup the SAP Cloud Identity Services (Identity Authentication Service, Identity Provisioning Service, Identity Directory Service). Request an instance e.g., via the SAP BTP in a subaccount or check first if you probably got the SAP Cloud Identity Services already via one of the SAP SaaS applications.
- Configure the SAP Cloud Identity Services – Identity Authentication to use the existing non-SAP identity management as a corporate identity provider for authentication.
- The recommendation is also to enable the identity federation within the Identity Authentication by using the Identity Directory service as store for the Identity Authentication service, allowing only stored users to login and to enable an application specific configuration – with those options you will have a very flexible setup from the start and new features might not work in a proxy setup without users in Identity Authentication.
- Setup the SAP Master Data Integration to distribute the master data from your source systems e.g., SAP Success Factors to the client applications like S/4HANA or the SAP Cloud Identity Services.
The 2nd step:
- Replicate the users. With SAP Identity Management you get connectors to read the identities from the Cloud Identity Services with the User UUID as immutable identifier. In case your SAP Identity Management creates the identities – it gets the UUID during creation from the Cloud Identity Services.
- Non-SAP identity management solutions typically send the e-mail address as an identifier. Please keep in mind that e-mail addresses are mutable, and this can create trace and audit issues over the identity lifecycle because they are mutable. You can use the User UUID instead.
- If you are using a self-defined identifier in your (non-)SAP identity management solution also for the SAP landscape, please make sure that it can be provisioned to the SAP Cloud Identity Services to the identities to allow a mapping for the existing applications.
- The SAP Cloud Identity Services – Identity Provisioning will replicate the workforce person from the Master Data Integration service into the SAP Cloud Identity Services to create the identity.
- For a proper integration to your existing (non-)SAP identity management solution, you should consider a synchronization of the identities which typically amend attributes like a custom identifier created by the (non-)SAP identity management solution. The offered protocol for the Identity Directory Service is SCIM.
The 3rd step:
- Configure your SAP Cloud Identity Services for authentication.
- The vision is that more SAP applications offer an automated way to onboard to the SAP Cloud Identity Services, but today those steps have to be done manually for many apps.
- For SAP BTP applications, the preferred way is OpenID Connect, which can be easily done by the “establish trust” button in each subaccount. For other applications please follow the guides how to onboard via SAML2 or OpenID Connect.
- New applications can benefit from the template approach for both identity replication via Identity Provisioning and the authentication flow via the Identity Authentication service.
- For applications which require a replication, the SAP Cloud Identity Services – Identity Provisioning needs to be setup with at least one source (the Identity Authentication service) and one or multiple target applications. For this, the Identity Provisioning service comes with configuration templates to make the setup easier.
- Depending on the SAP application, you might need the identity replication via the Identity Provisioning service. The replication might need adjustments in case of your self-defined identifier.
After configuring the SAP Cloud Identity Services your user flow automatically replicates from SAP SuccessFactors to the SAP Cloud Identity Services. Finally, the SAP Cloud Identity Services to the target applications. It is possible for (non-)SAP identity managements to synchronize (bi-directional) with the SAP Cloud Identity Services as integration-point.
This flow is a reference which offers variances for your landscape
For your particular landscape you might have a different integration of source-systems to your SAP Identity Management system which cannot, or only with high effort, be replaced by the flow with the Master Data Integration Service. In such cases the Cloud Identity Services could work as secondary systems behind your leading Identity Management system. It is planned that we will share a separate blog post for such scenarios. But please keep in mind that the Cloud Identity Services still own important features like the User UUID which have to be synchronised back as attribute to the leading solution. With SAP Identity Management 8 Service Pack 8 PL10 (SAP-Note 3047993) the internal schema offers the load of the attribute from the Cloud Identity Services and the distribution of the User UUID to your on-premises SAP S/4HANA.
Figure 5 IAM reference architecture: hybrid integration with SAP Identity Management (SAP cross architecture, technology & innovation)
- Seamless central master data distribution.
- Central identity flow.
- Additional applications can be easily amended.
- SAP SaaS user management by the Cloud Identity Services, leading system for identities is the SAP Identity Management.
- Benefit from the SAP specific templates and simple integrations between SAP SaaS/PaaS and the SAP Cloud Identity Services.
- Benefit from the extended features of the SAP Identity Management in an integrated scenario.
- Possible 3rd party app management with SAP Identity Management.
- More complex scenario compared to a “cloud driven” Identity Lifecycle but also more possibilities for customization with SAP Identity Management.
- This scenario is recommended for your landscape if you have existing (non-)SAP identity management which you want to still use as leading instance, but you also want to benefit from the One Domain Model integration.
- This scenario is also recommended for your landscape in case you need custom identity flows which SAP Identity Management offer as leading instance. SAP Identity Management offers also the management of 3rd party solutions.
- Manage SAP SaaS/PaaS applications with the SAP Cloud Identity Services.
What we will share next
We are planning to release multiple reference architectures based on this structure. The next one – how can you leverage your existing SAP Access Control landscape (on-premises) for a hybrid IAM landscape using the Intelligent Enterprise reference architectures and how to leverage your existing HCM (or 3rd party HR) integration with SAP Identity Management to get near to the reference architecture.
Please also read the corresponding blog posts:
- Identity Lifecycle – integrated master-mata and identity flows
- Single Sign-On: SAP Reference Architecture for Identity Access Management
- Identity Lifecycle – SAP HCM or 3rd-party-HCM as employee source (planned)