The Role of SAP IAS/IPS in the context of RISE with SAP
IAS/IPS stands for “Identity Authentication Service” and “Identity Provisioning Service”.
In my daily customer engagement work, lots of customers ask “what is IAS/IPS, and what is its relationship to SAP Business Technology Platform (SAP BTP)?”. Usually the next question is “can you or SAP tell me how I find my IAS/IPS tenant?”. Finally, once those questions are clear, the question “how do I make use of IAS/IPS?” naturally comes to mind. These questions are pretty common if you are new to IAS/IPS and lost in SAP’s massive solution portfolio (I had the same learning journey before). So today I want to talk about the role of IAS/IPS, especially within the context of RISE with SAP, where it is free to use.
What is IAS/IPS?
Before we start, I suggest you read this nice blog post to get a bigger picture of the security topics within SAP. There you can see that SAP Cloud Identity Services has two parts, Identity Authentication Service and Identity Provisioning Service.
The Identity Authentication Service provides you with controlled cloud-based access to business processes, applications, and data. It simplifies your user experience through authentication mechanisms, single sign-on, on-premise integration, and convenient self-service options. Here are some features of IAS:
- Authentication and SSO – choose one of the supported authentication methods to control access to your application, like Form, SPNEGO, Social, or two-factor authentication. Use SAML 2.0 protocol to provide single sign-on. Integrate your application programmatically using authentication via API.
- Configure Risk-Based Authentication – help enforce two-factor authentication based on IP ranges, user groups, user type, or authentication method to manage access to a business application.
- Delegate Authentication – delegate authentication to a 3rd party or on-premise IdP, as default or based on a condition like IdP, e-mail domain, user type or user group, and thus enable SSO across on-premise and the cloud.
- Use API – use SCIM REST API to manage users and groups, invite users, customize end-user UI texts in any language.
So in general it provides a stand-alone, harmonized and central point of connection within SAP solutions, e.g. SAP SuccessFactors and SAP Business Technology Platform, and it can also act as a proxy for third-party corporate identity providers, e.g. Microsoft Azure Active Directory. You can also set up conditional rules for user logons, e.g. employees using Corporate Identity Provider A, customers using Corporate Identity Provider B and partners using Corporate Identity Provider C, depending on their e-mail address domains, user groups or even IP range.
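A simplified model of such conditional rules, as an added example that is not SAP’s code or IAS’s actual implementation: it assumes rules are evaluated in priority order, a rule applies only when all of its conditions match, and a logon matching no rule falls back to the default identity provider. The rule set, identity provider names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified model of IAS conditional authentication (not IAS code):
# rules are checked in priority order; the first rule whose conditions ALL match
# selects the identity provider; if no rule matches, the default IdP is used.

@dataclass
class Rule:
    idp: str
    email_domain: Optional[str] = None   # condition: e-mail address domain
    user_group: Optional[str] = None     # condition: membership in a user group
    ip_range: Optional[str] = None       # condition: client IP inside this CIDR

    def matches(self, email: str, groups: set, client_ip: str) -> bool:
        if self.email_domain is not None:
            domain = email.rsplit("@", 1)[-1].lower()
            if domain != self.email_domain.lower():
                return False
        if self.user_group is not None and self.user_group not in groups:
            return False
        if self.ip_range is not None:
            try:
                if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(self.ip_range):
                    return False
            except ValueError:          # unparseable client IP: treat as no match
                return False
        return True

DEFAULT_IDP = "IAS local user store"

# Constructed rule set for the blog's scenario: employees, customers and
# partners are each delegated to their own corporate identity provider.
# Employees are additionally required to come from the corporate network.
RULES = [
    Rule(idp="Corporate IdP A", email_domain="best-run.com", ip_range="10.0.0.0/8"),
    Rule(idp="Corporate IdP B", email_domain="customer.example"),
    Rule(idp="Corporate IdP C", user_group="Partners"),
]

def select_idp(email: str, groups: set, client_ip: str,
               rules=RULES, default: str = DEFAULT_IDP) -> str:
    """Return the IdP that handles this logon under the first matching rule."""
    for rule in rules:
        if rule.matches(email, groups, client_ip):
            return rule.idp
    return default
```

Note that an employee logging on from outside the corporate IP range is not delegated to IdP A but falls back to the default; when a rule combines several conditions, this is the kind of effect to verify before going productive.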
As a simple example where IAS serves as the corporate identity provider, I log on to SAP Integration Suite in my SAP BTP trial account, and you can see there are two “sign in with” options. The second one is the default, which you will usually use without even being aware of IAS after you get your SAP BTP account. The first one is an additional custom identity provider provided via my IAS tenant.
In the real world it is common for Microsoft Azure Active Directory to serve as the custom corporate identity provider. For that case there is a very nice video with a step-by-step tutorial. I successfully established the trust between Microsoft Azure Active Directory and my SAP BTP trial account using my IAS tenant as a proxy.
Usually the IAS tenant address follows a URL pattern like https://best-run.accounts.ondemand.com/admin. And here is what the homepage of a typical IAS tenant looks like when you log on to it:
The Identity Provisioning Service manages and automates identity lifecycle processes for cloud and on-premise systems. It helps you provision identities and their authorizations to various cloud and on-premise business applications.
Here are some features of IPS:
- User and Group Provisioning – Provision users and groups between multiple supported cloud and on-premise systems, both SAP and non-SAP.
- User and Group Filtering – Configure default transformations or filtering properties to control what data to be provisioned and what to be skipped.
- Full and Delta Read Mode – Run a provisioning job in full mode to read all entities from a source system, or in delta read mode – to read only the modified data.
- Job Logging – View and export job logs from the Identity Provisioning administration console. Logs display details about the job status and the provisioned entities.
- Notifications – Subscribe to a source system to receive notifications for the status of provisioning jobs.
There is a video illustrating how to provision users from Microsoft Azure Active Directory as the source system to SAP ABAP on premise as the target system, using IPS. Another example: if a company with an HR-driven identity policy uses SAP SuccessFactors, it would like every new employee created in SAP SuccessFactors to automatically get a user in Identity Authentication, so that they can access SAP S/4HANA Cloud.
Since IAS and IPS are bundled together as SAP Cloud Identity Services, you can simply add “/ips” to your IAS tenant URL, e.g. https://best-run.accounts.ondemand.com/ips. And here is what the homepage of a typical IPS tenant looks like when you log on to it:
As a summary, here is an overall picture of SAP Cloud Identity Services.
For a good real-world example, please refer to this fantastic blog post written by my colleague Murali, where IAS and IPS are both used to configure another SAP BTP service, SAP Work Zone. And if you want to dig into more details of IAS/IPS, I recommend this blog post for deeper insight.
Why will I use it?
I know there are already single sign-on options directly into the SAP S/4HANA private version within RISE with SAP, without IAS/IPS. Please check this blog post for more details. That is fine if your company only interacts with this single S/4HANA private version without IAS/IPS. However, SAP’s strategy is to deliver its cloud solutions pre-configured with Identity Authentication. This also means that you can authenticate against these SAP cloud solutions only via the Identity Authentication service. So, if you have other SAP cloud solutions such as SAP SuccessFactors, SAP S/4HANA public cloud, SAP Integrated Business Planning (IBP), etc., then IAS/IPS is essential for seamless and secure access to such SAP cloud applications.
But you can still use a 3rd-party identity provider via IAS as a proxy, and you can easily configure it centrally in IAS. The advantage is that SAP can deliver preconfigured applications, which most customers require, and you can still integrate your 3rd-party solution. Another benefit is that there is only one integration point into the SAP security cloud world.
OK, after talking so much about what IAS/IPS is, how can I get such a tenant?
Where is my IAS/IPS tenant?
We know that RISE with SAP contains the following essential components:
- SAP S/4 HANA with Deployment Model of Choice (Public or Private)
- SAP Business Network
- SAP Business Process Intelligence
- SAP Custom Code Migration App, SAP Readiness Check, SAP Learning Hub
- SAP Business Technology Platform
So where is IAS/IPS? The answer is that IAS/IPS is now a free service within SAP BTP, and you need to create one. But please note that you may have already purchased other SAP solutions, e.g. SAP SuccessFactors, which may also have triggered an IAS/IPS tenant, so you do not need to create one manually within SAP BTP. This is because Identity Authentication provides one productive tenant and one test tenant per customer, regardless of the number of contracts signed in which Identity Authentication is included or bundled. If customers want an “additional” tenant for whatever reason, e.g. legal compliance, they have to pay for it: additional productive or test tenants beyond the initial ones must be purchased separately. To purchase additional tenants, go to SAP Store and place your order. If you can’t place your order, submit a Request Support ticket. This official help document gives a very clear description of the tenant model, and there you can clearly see that the IAS/IPS tenant comes either from SAP BTP or from SAP cloud solutions as a bundled component. This “Is SAP Cloud Identity Services for free?” post also explains the topic well.
But how can I know whether I already have one? There is a magic link you can use: https://iamtenants.accounts.cloud.sap/. You need to authenticate with your S-user ID (using SAP ID Service), and after successful authentication it shows you the list of SAP Cloud Identity Services tenants belonging to your customer ID. There you can also find out which tenant is the productive one and who the administrator of the IAS/IPS tenant is. Please refer to this blog post for more details. If you cannot find any, then you have to create one within SAP BTP as mentioned in the beginning. The process is quite easy and you can follow this blog post; I suggest you start with the section “Assignments and Entitlements”.
You will finally get an IAS/IPS tenant that is free to use.
How do I make use of IAS/IPS?
As mentioned, there are lots of blog posts written by experts from the SAP security team. I have read through some of them and collected the information that I believe is useful for RISE with SAP customers. Now let’s recap the key takeaways.
- SAP’s strategy is to deliver its cloud solutions pre-configured with Identity Authentication, and IAS/IPS is the strategic central point of authentication for any SAP cloud application.
- You can easily embed a third-party identity provider, e.g. Azure ADFS, into IAS, which acts as a proxy.
- You get the free IAS/IPS tenants (one productive and one for test) either as a bundled component of an SAP cloud solution, e.g. SAP SuccessFactors, or from SAP BTP as a self-service.
Again, you can also find all other blog posts written by SAP experts under the tag “Identity Authentication” and under the tag “Identity Provision”. You are welcome to leave comments or ask questions as always.