Product Information
Author: Sonia Petrescu

SAP Cloud Identity Services – Identity Directory

Let’s recap what the SAP Cloud Identity Services are

The SAP Cloud Identity Services are the default SAP cloud services for authentication and user/group provisioning.

Several SAP integrations revolve around the SAP Cloud Identity Services, and their number is expected to increase. One of the biggest gains is that SAP can deliver ready-to-use, secure cloud solutions on top of them. This is not limited to the Recruit to Retire business process, although that is the most obvious case.

SAP Cloud Identity Services


As announced by my colleagues Marko Sommer and Matthias Kaempfer in earlier blog posts (links here and here), the Identity Authentication service (IAS) and the Identity Provisioning service (IPS) have evolved into the SAP Cloud Identity Services, which are now integrated through a common Identity Directory.

What exactly is the Identity Directory?

The Identity Directory is the central component for persisting users and groups inside the SAP Cloud Identity Services. Seen from outside the SAP landscape, it is the central point of truth for users that have, or will have, access to SAP cloud applications. Its SCIM 2.0 REST API lets you programmatically access the resources inside the directory (users, groups and custom schemas); more on this in the sections below.

The functionality of the Local Identity Directory that some of you used with standalone Identity Provisioning tenants has meanwhile been enhanced and moved into the Identity Directory of the SAP Cloud Identity Services.

Unlike the Local Identity Directory, the data stored in the Identity Directory is not only visible at API level but also in the UI of the Identity Authentication service itself. The data stored under User Management and User Groups is actually the Identity Directory data.

User persistency in the SAP Cloud Identity Services

For some new features, user persistency in the SAP Cloud Identity Services is mandatory, and an automated integration with SAP SuccessFactors is already in place. Other well-known SAP cloud applications that require user persistency are SAP Task Center and SAP Cloud Identity Access Governance.

SAP Task Center offers a single entry point for business users to access tasks coming from specific SAP solutions, called SAP task providers. The users must therefore be identified consistently across all these solutions, otherwise the tasks cannot be mapped to the right user. For this, SAP Task Center relies on the user UUID that is generated in the Identity Directory.

The User Unique Universal Identifier

One of the user attributes created when a user is persisted in the Identity Directory is the user’s Universally Unique Identifier (UUID), shown as User UUID in the application settings. For the time being its value is generated by the directory and cannot be set or changed by an administrator; SAP may allow supplying it in the future. Once assigned, the attribute is immutable, so it can serve as a federation identifier or as a correlation attribute in landscapes that otherwise lack an immutable, unique user attribute. SAP Task Center depends on this attribute to identify the tasks of a user correctly.

Here is the sequence of steps to follow in landscapes where the UUID is needed for user identification across the SAP landscape (the premise is that a corporate identity provider is used in this scenario):

1. Identity Federation – in the corporate identity provider settings, enable “Use Identity Authentication user store”, so that IAS is the leading source for the attributes sent to the application, with the option to amend them with corporate IdP attributes

Corporate Identity Providers settings

2. SAML Assertion Attributes – add the User UUID to the list

Applications settings

3. SAML Default Attributes – the assertion can additionally be enriched with default attributes from IAS and/or from the corporate IdP

Applications settings

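What the receiving side of this configuration looks like, as an added example in Python that is not part of the original post and not SAP’s code: a relying application (a task provider, say) extracts the attributes from the assertion IAS issues, fails closed if the User UUID attribute is missing or malformed instead of falling back to the e-mail NameID, and resolves the user by UUID even after the e-mail changed. The attribute name user_uuid (whatever you entered in step 2), the tenant host, the assertion content and the local user table are constructed assumptions, and signature and condition validation is assumed to have been done by your SAML library before this code runs.

```python
"""Correlate a SAML login to a local user via the immutable User UUID.

Added example, not SAP code.  Assumptions: the attribute is named
"user_uuid" (the name you chose in the application settings), and the
assertion has already been signature- and condition-validated.
"""
import uuid
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}
UUID_ATTRIBUTE = "user_uuid"  # assumed attribute name from step 2

# Constructed sample assertion (unsigned, illustration only).
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_a1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://example.accounts.ondemand.com</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="first_name"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="groups">
      <saml2:AttributeValue>Approvers</saml2:AttributeValue>
      <saml2:AttributeValue>Finance</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="{UUID_ATTRIBUTE}"><saml2:AttributeValue>3f2504e0-4f89-41d3-9a0c-0305e82c3301</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def assertion_attributes(xml_text):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def name_id(xml_text):
    """The subject NameID: an e-mail here, i.e. a mutable value."""
    el = ET.fromstring(xml_text).find("saml2:Subject/saml2:NameID", NS)
    return None if el is None else el.text


def correlation_key(attrs, attribute=UUID_ATTRIBUTE):
    """The immutable UUID; fail closed rather than fall back to NameID."""
    values = attrs.get(attribute, [])
    if len(values) != 1:
        raise ValueError(f"expected exactly one {attribute} attribute, got {len(values)}")
    try:
        return str(uuid.UUID(values[0]))  # normalises case, rejects junk
    except ValueError:
        raise ValueError(f"{attribute} is not a UUID: {values[0]!r}") from None


# Constructed local user table of a task provider, keyed by UUID.  Jane's
# e-mail changed after the record was created; the UUID did not.
TASK_PROVIDER_USERS = {
    "3f2504e0-4f89-41d3-9a0c-0305e82c3301": {"login": "jane.smith@example.com", "open_tasks": 3},
}


def resolve_user(xml_text, users=TASK_PROVIDER_USERS):
    """Map an assertion to the local user record through the UUID."""
    return users.get(correlation_key(assertion_attributes(xml_text)))


if __name__ == "__main__":
    print("NameID      :", name_id(SAMPLE_ASSERTION))
    print("resolved via:", correlation_key(assertion_attributes(SAMPLE_ASSERTION)))
    print("record      :", resolve_user(SAMPLE_ASSERTION))
```

The NameID in the sample (jane.doe@example.com) no longer matches the stored login (jane.smith@example.com); correlating on e-mail would either fail or, worse, match a recycled address, while the UUID still resolves the record. If the attribute is absent, the login is rejected rather than silently downgraded to a weaker key.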

How does one access and use the Identity Directory?

Besides the Identity Authentication user interface, the data inside the Identity Directory can be managed in two ways: programmatically, through the SCIM 2.0 REST API mentioned above, and through the Identity Provisioning service, which uses the directory as the source for provisioning (see the landscape integration section below).

Only tenant administrators with the corresponding authorizations can access the Identity Directory.

Regarding the data in the Identity Directory, it is important to know that you can not only view the predefined schemas but also define your own custom schemas with your own attributes. This allows, for example, extending the user resource with new attributes and values. A tenant can have up to 20 custom schemas, each with a maximum of 20 attributes; multivalued attributes (type complex) allow up to 20 sub-attributes.
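How those limits and the immutability of the UUID translate into SCIM 2.0 payloads, as an added example in Python that is not part of the original post and not SAP’s code: it validates a custom Schema resource against the limits stated above (20 attributes, 20 sub-attributes on complex attributes, 20 schemas per tenant), builds a User resource that carries the extension, and builds a PATCH body that refuses any operation touching the directory-generated identifiers. The SAP extension URN, the attribute name userUuid inside it and the example.com schema URN are assumptions; check the Identity Directory SCIM API reference for the real names.

```python
"""SCIM 2.0 custom schema, user and PATCH handling for the Identity Directory.

Added example, not SAP code.  SAP_USER_EXT and UUID_ATTR are assumed
names; the limits are the ones stated in the post.
"""
import re

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SAP_USER_EXT = "urn:ietf:params:scim:schemas:extension:sap:2.0:User"  # assumed
UUID_ATTR = "userUuid"  # assumed attribute name inside SAP_USER_EXT

MAX_CUSTOM_SCHEMAS = 20
MAX_ATTRIBUTES = 20
MAX_SUB_ATTRIBUTES = 20
# RFC 7643 section 2.1 attribute name: ALPHA *("$" / "-" / "_" / DIGIT / ALPHA)
ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9$_-]*$")
# Generated by the directory; a client must never try to write them.
IMMUTABLE = {"id", "meta", f"{SAP_USER_EXT}:{UUID_ATTR}"}

# Constructed custom schema with one simple and one complex multi-valued attribute.
COST_CENTER_SCHEMA = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
    "id": "urn:example:scim:schemas:extension:costcenter:1.0:User",  # assumed URN
    "name": "CostCenter",
    "attributes": [
        {"name": "costCenter", "type": "string", "multiValued": False},
        {"name": "assignments", "type": "complex", "multiValued": True,
         "subAttributes": [{"name": "code", "type": "string"},
                           {"name": "validTo", "type": "dateTime"}]},
    ],
}


def validate_custom_schema(schema):
    """Return the list of limit/format violations for one Schema resource."""
    problems = []
    sid = schema.get("id", "")
    if not sid.startswith("urn:"):
        problems.append(f"schema id {sid!r} is not a URN")
    attrs = schema.get("attributes", [])
    if len(attrs) > MAX_ATTRIBUTES:
        problems.append(f"{sid}: {len(attrs)} attributes > {MAX_ATTRIBUTES}")
    for a in attrs:
        name = a.get("name", "")
        if not ATTR_NAME.match(name):
            problems.append(f"{sid}: invalid attribute name {name!r}")
        if a.get("type") == "complex":
            subs = a.get("subAttributes", [])
            if len(subs) > MAX_SUB_ATTRIBUTES:
                problems.append(f"{sid}.{name}: {len(subs)} sub-attributes > {MAX_SUB_ATTRIBUTES}")
        elif "subAttributes" in a:
            problems.append(f"{sid}.{name}: subAttributes only allowed on type complex")
    return problems


def validate_schema_set(schemas):
    """Tenant-level check: at most 20 custom schemas, unique ids, each valid."""
    problems = []
    ids = [s.get("id") for s in schemas]
    if len(ids) > MAX_CUSTOM_SCHEMAS:
        problems.append(f"{len(ids)} custom schemas > {MAX_CUSTOM_SCHEMAS}")
    if len(set(ids)) != len(ids):
        problems.append("duplicate schema ids")
    for s in schemas:
        problems.extend(validate_custom_schema(s))
    return problems


def build_user(user_name, email, extensions):
    """SCIM User: core schema plus {extension URN: values} entries."""
    user = {"schemas": [CORE_USER, *extensions], "userName": user_name,
            "emails": [{"value": email, "primary": True}]}
    user.update(extensions)
    return user


def _targets(op):
    """Attribute paths an operation writes: 'attr', 'attr.sub' or 'urn:...:attr'."""
    if op.get("path"):
        return [op["path"]]
    value = op.get("value")
    if not isinstance(value, dict):
        return []
    paths = []
    for key, val in value.items():
        if key.startswith("urn:") and isinstance(val, dict):
            paths.extend(f"{key}:{sub}" for sub in val)
        else:
            paths.append(key)
    return paths


def build_patch(operations):
    """PATCH body; raises ValueError if any op touches an immutable attribute."""
    for op in operations:
        for target in _targets(op):
            # "name.givenName" and 'emails[type eq "work"].value' reduce to their base attribute;
            # extension paths are kept whole because the URN itself contains dots.
            base = target if target.startswith("urn:") else re.split(r"[.\[]", target, 1)[0]
            if base in IMMUTABLE:
                raise ValueError(f"refusing to modify immutable attribute {target!r}")
    return {"schemas": [PATCH_OP], "Operations": list(operations)}
```

The PATCH guard is client-side hygiene, not a substitute for the server’s own enforcement: the directory will reject writes to generated attributes anyway, but catching them before the call keeps provisioning jobs from failing half-way and makes the intent explicit in code review.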

The usage of the Identity Directory is meant to simplify how the customers are connecting to our SAP SaaS applications, by using it as a central point of truth for the SAP cloud environment.

Customer landscape integration with the SAP Cloud Identity Services

Once the users are in the Identity Directory, the Identity Provisioning service takes care of provisioning them to SAP applications that have their own user store. This saves you the effort of building point-to-point connections. Automatic scenario deployments already exist that distribute users correctly to SAP target systems with minimal administrative effort; one such scenario is the integration between SAP SuccessFactors and People Analytics. Furthermore, once the users are stored centrally, it is easier to enforce the end of the user lifecycle, i.e. deprovisioning.

What is the connection to the SAP ID Service?

The Identity Directory must not be confused with the SAP ID service, which is SAP’s own instance of the SAP Cloud Identity service.

The SAP ID service is:

  • SAP managed
  • designed for interactions with SAP, such as BTP entitlements, support tickets and community postings
  • not open to customer-specific configuration such as multi-factor authentication, which makes it unsuitable for scenarios that go beyond trial accounts

Key Takeaways

The Identity Directory is the central point of truth for users that have, or will have, access to SAP cloud applications. It offers flexibility through the possibility of defining your own custom schemas.

Storing users centrally in the Identity Directory not only simplifies the process of ensuring a proper user lifecycle, but also lays the foundation for integration with the SAP Cloud Identity Access Governance and SAP Task Center.

The integration with SAP’s Identity Management system is standard and brings many benefits as outlined in the Identity Lifecycle Blog Post series: Identity Lifecycle: SAP Reference Architecture for Identity Access Management – Part 1

For customers using a non-SAP identity management solution, storing the users in the Identity Directory and then leveraging automatic user provisioning with the Identity Provisioning service is an easy way to integrate with the SAP landscape, as only one connection point is necessary: the one to the SAP Cloud Identity Services.


Related Information sources

SAP Cloud Identity Services

CIO Guide: Identity Lifecycle in Hybrid Landscapes

System Integration Guide for SAP Cloud Identity Services and SAP Task Center

SAP Task Center

Manage Deleted Entities in the SAP Cloud Identity Services – Identity Provisioning

SAP Cloud Identity Access Governance – Setting Up User Authentication and Access

System for Cross-domain Identity Management: Core Schema


      4 Comments
      Todor Petrov

      Hi Sonia,

      wonderful blog as always. Thank you for it.

One question related to the Identity Directory remains though: why are not all attributes that are visible in the IAS User Management UI available in the respective API? One example: Company relationship.

Also, from the looks of it, the Business API Hub is not pointing to the latest API of the Identity Directory, where a new field was added recently for the P user attribute.

      BR,

      Todor

      Sonia Petrescu
      Blog Post Author

      Hello Todor,


      sorry for the late reply here. The documentation on the SAP Business Hub was meanwhile updated.

      We are working on harmonising the UI with the API for the rest of the attributes as well.


      Kind Regards,

      Sonia


      Carsten Olt

      Hello Sonja,

      thanks for providing this blog about the Identity Directory with some examples where the UUID and in general user persistence within IAS seems to be mandatory. Often this is a topic that needs to be discussed with the customer in IAS & Corp. IDP Proxy scenarios.

      Are there any further information where the UUID is currently (or will be) used in the SAP cloud ecosystem?

      Cheers Carsten

      Sonia Petrescu
      Blog Post Author

Hi Carsten,

      sorry for the late reply here. Please have a look at the Global User ID in Integration Scenarios documentation.

      Kind Regards,

      Sonia