GRC Integration with SAP Analytics Cloud Using IAG Bridge Concept
As explained in my previous blog, “IAG Integration with ARIBA”, the end-to-end integration of the GRC IAG Bridge with any target cloud application is a 5-step process. Steps 3 to 5 follow the same configuration, with minor tweaks depending on the cloud application.
The first step of any integration is to integrate SAP Cloud Identity Access Governance (IAG) with the target cloud application. Here I will talk about the integration of IAG with SAP Analytics Cloud (SAC).
Before going into the details, we have to understand that all IAG integrations fall broadly into two types:
- Using Identity Provisioning Service (IPS): Some cloud applications, like SAC, cannot connect directly to IAG. In these integration scenarios we also have to use IPS connectivity to perform provisioning.
- Direct IAG: Most IAG integration scenarios can integrate directly with IAG, without IPS.
To understand more about IPS, we need to understand what IAG Bundle Licensing is.
SAP Cloud Identity Access Governance is available as a cloud bundle solution. It includes two other services, Identity Provisioning and Identity Authentication, that are essential for successfully configuring the product.
Identity Authentication service: To manage access to applications belonging to SAP Cloud Identity Access Governance, it is important to authenticate users. The Identity Authentication service simplifies the access as you can choose from various authentication mechanisms, single sign-on, on-premise integration, and self-service options. For more details, see What is Identity Authentication?
Identity Provisioning service: You use this service to provision users and groups for connecting various target cloud applications to SAP Cloud Identity Access Governance.
Follow the steps listed below to build the URL:
- Go to the Identity Provisioning launchpad and log on with your S-user.
- Double-check that your user is an Admin by choosing any tile in your Identity Provisioning launchpad.
- Double-check that you have the tile Proxy Systems available in the Identity Provisioning launchpad.
Complete the integration process for SAP Cloud Identity Access Governance and SAP Analytics Cloud.
- Configure the SAP Analytics Cloud system – Add OAuth Client
In the SAP Analytics Cloud system, follow the path Administration -> App Integration -> OAuth Client
* Make a note of the OAuth Client ID; it will be used in later configuration.
** Make a note of the Secret; it will be used in later configuration.
- Set up the OAuth client in the IPS subaccount in SAP BTP cockpit
- Open your subaccount in SAP BTP cockpit. (The display name of the subaccount starts with SAP_BUNDLE.)
- Register a new OAuth client for the subscription to the ipsproxy application. Depending on your Identity Provisioning tenant, perform the steps below:
- Go to Security -> OAuth -> Clients.
- Choose Register New Client.
- From the Subscription combo box, select <provider_subaccount>/ipsproxy.
- From the Authorization Grant combo box, select Client Credentials.
- In the Secret field, enter a password (client secret) and remember it. You will need it later, for the repository configuration in the external system.
- Copy/paste and save (in a notepad) the generated Client ID. You will need it later, too.
Assign role IPS_PROXY_USER to the OAuth client. Depending on your Identity Provisioning tenant (Bundle), do the following:
- From the left-side navigation, choose Subscriptions.
- Under the Java Applications section, choose ipsproxy.
- From the left-side navigation, choose Roles.
- Choose Assign and enter oauth_client_<client_ID>.
- For <client_ID>, enter the one you saved in the previous main step; here it will be the UserID.
The second step of any integration is to sync the repository data from the target app to the IAG repository, in the SAP Cloud Identity Access Governance launchpad.
Configuring a Connection from SAP Cloud Identity Access Governance to Identity Provisioning (IPS_PROXY)
- Add Proxy system (SAC) in IPS
- Log in to IPS, select Proxy Systems, and add a new system.
- Maintain the properties. For the properties of the IPS proxy system (Bundle Licensing), follow the URL below, starting from Step 4: SAC System Proxy Properties
Add System (SAC) in IAG
- Create a system for SAP Analytics Cloud. For System Type, select SAP Analytics Cloud.
- In the SCP Destination field, enter the name of the IPS destination created in for the SAP IAG for Identity Provisioning.
- Add the External System ID: the last number in the URL that you get when you add the proxy system in IPS.
After completing the above steps, you will be able to bring data from the SAC system to IAG.