Author: Yogananda Muthaiah

Know more about SAP IAS SCIM APIs – Latest

Dear All,

This article is mainly for partners and customers who want to automate the sync (on-boarding) of internal and external users to SAP IAS by calling the SCIM APIs below from an external system or application. I have listed examples for each operation.

The flow below shows how to automate user sync from any of your third-party applications, so that once a user is on-boarded they get the appropriate access to SAP applications.

Note:

SAP Cloud Identity Services offers standard user provisioning through SAP IPS, which runs the user sync process with SCIM 2.0.

The IAS SCIM REST API lets developers create and manage users, groups and custom schemas in the cloud.

For more information, see the latest SCIM API documentation: Identity Directory SCIM REST API, published on the SAP site.

The identity directory provides a System for Cross-domain Identity Management (SCIM) 2.0 REST API for managing resources (users, groups and custom schemas).

API documentation for SAP IAS is available under SAP Cloud Identity Services.

Getting Started


Read Users

###  https://api.sap.com/api/IdDS_SCIM/resource Identity Directory Service
GET https://<iastenant>.accounts.ondemand.com/scim/Users
Content-Type: application/scim+json
Authorization: Basic @{{token}}

This is how you compare the results from the deprecated API endpoint with those from the latest API endpoint.


Filter Method

#### Filter on userName 
GET https://<iastenant>.accounts.ondemand.com/scim/Users?filter=userName eq "sapscaadmin@sap.com"
Authorization: Basic @{{token}}

Another example, filtering on a sub-attribute of a JSON value:

#### Filter on emails.value
GET https://<iastenant>.accounts.ondemand.com/scim/Users?filter=emails.value eq "sapscaadmin@sap.com"
Authorization: Basic @{{token}}

Another example, paging through users with startIndex and count:

###  https://api.sap.com/api/IdDS_SCIM/resource Identity Directory Service
GET https://<iastenant>.accounts.ondemand.com/scim/Users?startIndex=2&count=5
Content-Type: application/scim+json
Authorization: Basic @{{token}}
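
The filter and paging requests above, combined into one client-side helper (an added example, not code from the original article or from SAP): it JSON-escapes and percent-encodes the filter value, then follows startIndex/count until totalResults is reached. The `fetch` transport, the function names and the 12-user sample data are assumptions constructed for illustration, and the response is assumed to be a standard SCIM 2.0 ListResponse.

```python
import json
from urllib.parse import parse_qs, quote, urlencode

BASE = "https://<iastenant>.accounts.ondemand.com/scim"  # placeholder from the article

def users_url(attr=None, value=None, start_index=1, count=100):
    """Build a /Users query URL with an optional `attr eq "value"` filter."""
    params = {"startIndex": start_index, "count": count}
    if attr is not None:
        # attr must come from a fixed allow-list in your code, never from input.
        # SCIM filter values are JSON strings: json.dumps escapes " and \ so an
        # untrusted value cannot close the quote and extend the filter.
        params["filter"] = f"{attr} eq {json.dumps(value)}"
    # quote_via=quote percent-encodes spaces and quotes (%20, %22)
    return f"{BASE}/Users?" + urlencode(params, quote_via=quote)

def iter_users(fetch, count=5, **flt):
    """Yield every user, following startIndex/count until totalResults.

    `fetch(url) -> dict` is a hypothetical transport returning the parsed
    ListResponse; in real use it sends the GET with the Authorization header.
    """
    start = 1  # SCIM startIndex is 1-based
    while True:
        page = fetch(users_url(start_index=start, count=count, **flt))
        resources = page.get("Resources", [])
        yield from resources
        start += len(resources)
        if not resources or start > page.get("totalResults", 0):
            return

# Constructed stand-in for a tenant with 12 users, so the block runs offline.
_USERS = [{"id": f"id-{n}", "userName": f"user{n}"} for n in range(1, 13)]

def fake_fetch(url):
    q = parse_qs(url.split("?", 1)[1])
    start, count = int(q["startIndex"][0]), int(q["count"][0])
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
            "totalResults": len(_USERS), "startIndex": start,
            "Resources": _USERS[start - 1:start - 1 + count]}

if __name__ == "__main__":
    print(users_url("userName", 'ann"smith@example.com'))
    print(len(list(iter_users(fake_fetch, count=5))), "users read in pages of 5")
```
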


Create User

###
POST https://<iastenant>.accounts.ondemand.com/scim/Users
Content-Type: application/scim+json
Authorization: Basic @{{token}}

{
  "emails": [
    {
      "primary": true,
      "value": "abc@domain.com"
    }
  ],
  "active": true,
  "name": {
    "familyName": "Muthaiah",
    "givenName": "Yogananda"
  },
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "userName": "yoga"
}


Delete a User

#### Delete the user
DELETE https://<iastenant>.accounts.ondemand.com/scim/Users/280b8446-7ce2-4a91-b6a0-18777d1ffea2
Authorization: Basic @{{token}}

The id in the URL is the user's GUID.


Read Groups

###
GET https://<iastenant>.accounts.ondemand.com/scim/Groups
Content-Type: application/scim+json
Authorization: Basic @{{token}}


Create Groups

###
POST https://<iastenant>.accounts.ondemand.com/scim/Groups
Content-Type: application/scim+json
Authorization: Basic @{{token}}

{
  "displayName": "New group name",
  "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group",
        "urn:sap:cloud:scim:schemas:extension:custom:2.0:Group"
      ]
}


Assign Group to a User

###
PATCH https://<iastenant>.accounts.ondemand.com/scim/Groups/e26f6138-c382-4be5-addb-459186030f6e
Content-Type: application/scim+json
Authorization: Basic @{{token}}

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "add",
      "path": "members",
      "value": [
        {
          "display": "yoga",
          "value": "280b8446-7ce2-4a91-b6a0-18777d1ffea2"
        }
      ]
    }
  ]
}


      17 Comments
      Kéfren Cezar Conceição

      Hi Yogananda Muthaiah

      I've been having difficulties configuring this API in a freestyle application. I am studying this part and I followed the following steps:

      Create a destination:
      [Screenshot: Creation of destination]

      Note: in "URL" is the IAS tenant (in red), and the client is in "User".

      Add on routes of xs-app.json:
      [Screenshot: Add route]

      For testing, I included on ui5-local.yaml in fiori-tools-proxy:
      [Screenshot: Local proxy]

      After those steps I try to make a call by ajax:
      [Screenshot: Ajax Call]

      Results:
      [Screenshot: Call]

      Can you help me understand where I'm going wrong?

      Yogananda Muthaiah
      Blog Post Author

      Kefren Conceição

      Did you try to test with your credentials - IAS SCIM API through Postman? Did it work? I am assuming you don't have the Administrator role for your user ID.

      Kéfren Cezar Conceição

      Yogananda Muthaiah

      Yes, I tried using the "Client ID" and the "Client Secret"; in Postman it works fine. And I have the Administrator role.

      Yogananda Muthaiah
      Blog Post Author

      I see in your screenshot - you have updated with Basic Authentication but it must be OAuth if you tested with Client ID and Client Secret.

      Kéfren Cezar Conceição

      I tried this way, but I don't know where to find the token URL.

      Kéfren Cezar Conceição

      Yogananda Muthaiah, I tried to combine two more tutorials to consume the IAS API by Destination Service.

      Integrate the REST API via Destination Service:

      https://help.sap.com/docs/CP_FORMS_BY_ADOBE/dcbea777ceb3411cb10500a1a392273e/051d651b628c496c86bd1d4f95d718fc.html

      In this tutorial, he creates a credential key for the instance created through the API.
      Then create the application and use a destination service for the application in the MTA.

      It declares that it is needed in the HTML module, and puts a destination route that will be created below.

      After the application is deployed, it goes inside the destination service and creates the destination using the credentials created in the first step, giving the same name as the one placed in the route above.

      IAS Instance and Key:

      IAS Destination Service:

      Destination route on xs-app.json:

      Destination created inside of Destination Service:


      Declare the proxy inside of  ui5-local.yaml to consume in the test locally.

      Try to consume the service:

      I create the IAS Instance Service watching the microlearning:

      https://microlearning.opensap.com/media/Cloud+Identity+Services+Identity+Authentication+-+SAP+Business+Technology+Platform/1_59dk7598

      I thank you in advance for your willingness to contribute to my technical growth and continuous improvement. In the scenario I mentioned above, I still can't consume the IAS API.

      Yogananda Muthaiah
      Blog Post Author

      Hi Kefren Conceição

      I am not sure how you're integrating using BTP Extensions. Were you able to make successful IAS SCIM API calls through Postman? If yes, then it works the same way in BTP Destinations as well.

      Kéfren Cezar Conceição

      I've never seen destination make direct requests, the postman examples are just for testing the APIs. All tutorials and documentation configure the domain in destination and in the AJAX call specify which entity and filters.

      Subbu Iyer

      Hi Yogananda,

      Thanks for sharing this information.

      Do you know if the SCIM API can be used to read the employee's manager from source systems such as Okta or Workday and update them in IAS user management?

      Regards,

      Subbu Iyer

      Yogananda Muthaiah
      Blog Post Author

      Subbu Iyer Yes, you can make use of it.

      Subbu Iyer

      Hi Yogananda,

      We are trying to integrate Identity Provisioning (IPS) with Okta using SCIM to read users from Okta using the OAuth Client Credentials flow. Apparently, Okta requires a private_key_jwt authentication method for this integration which is not supported by IPS. I raised an incident with SAP and they confirmed that this scenario is not supported. So does it mean that we cannot use SCIM APIs with Okta from IPS?

       

      Regards,

      Subbu Iyer

      Lalitha Lakshmi Janakiram

      Hi Subbu Iyer ,

       

      We are also looking to do provisioning with Okta. Were you able to get this to work?

       

      Thanks,

      Lalitha

      Subbu Iyer

      Hello Lalitha,

      We did not go ahead with the solution because the Okta server needed the private_jwt authentication method with OAuth. We went back to provisioning from Azure AD after SAP released a new functionality to retrieve managers in Azure.

      Regards,

      Subbu Iyer

      supreetha Bhat

      Hi,

      How does the automated email work with the above payload when trying to create a new user? I have set the active flag to true. But I do not receive any email from IAS to register my account. Could you please help me if I need to enter any other properties when passing the create payload?

       

      thanks and Regards,

      supreetha bhat

      Yogananda Muthaiah
      Blog Post Author
      This is related to SCIM APIs. You will have to trigger it from another API (IDS - Identity Directory Service) to send the email to the user.
      Mike Colegrove

      We are trying to incorporate this into some applications to perform inquiry, on-boarding, and  maintenance on users for several applications and services we have developed.

       

      Even using https://<tenant>.accounts.ondemand.com/service/scim/Users/{userid}

      tenant and userid are well known to us.

       

      What group rights are needed to use the API?

       

      We are always getting 401 - Not Authorized.

      Even though using a User credentials that has rights to use the Admin Console for Cloud Identity Services that can maintain / lookup users or groups for our tenant configuration we are being blocked with User Not authorized via Try Out.

       

      Zameer Ahamad

      Hi Yoga,

      Thanks for the detailed blog. In the earlier version of the SAP IAS API, we were able to update the password for the user using the PUT service and make the user password a productive password.

      I am not able to see any replacement for the password field in the new SCIM API services. What could be the reason?

      So I have 2 questions with respect to mass password reset for a few users.

      As I mentioned, in the earlier version we were able to set the password of the user while creating or updating the user. How will we achieve this in the new one? We used to do it with the help of the collection runner in Postman.


      {
          "userName": "",
          "id": "{{PID}}",
          "name": {
              "givenName": "tcs",
              "familyName": "performance.{{SID}}",
              "middleName": "performance.{{SID}}",
              "honorificPrefix": ""
          },
          "emails": [{
              "value": "performance.{{SID}}@tcs.com"
          }],
          "department": "",
          "password": "Welocme@1",
          "passwordStatus": "enabled",
          "mailVerified": "true"
      }

      What is the replacement for password in the new IAS API?

      https://help.sap.com/docs/identity-authentication/identity-authentication/migrating-identity-authentication-scim-rest-api-to-identity-directory-service-api?locale=en-USstate%3DPRODUCTIONversion%3DCloud

      [Screenshot: Password Attribute]

      Thanks and Regards

      Zameer Ahamad