Technical Articles
Know more about SAP IAS SCIM APIs – Latest
Dear All,
This article is mainly for partners and customers who wants to automate internal & external users sync (on-boarding) to SAP IAS by using the below SCIM APIs from your external system or applications. I have listed out all the examples for you to understand..
This below flow makes you understand to automate Users Sync from any of your 3rd party applications, so once user is on-boarded they would get appropriate access to SAP Applications
Note :SAP Cloud Identity Services offers standard user provisioning sync through SAP IPS for user sync process with SCIM 2.0 |
IAS SCIM REST API provides developers to Create & Manage users, groups and custom schemas in the cloud.
For more information, see the latest SCIM API Documentation: Identity Directory SCIM REST API
.
The identity directory provides a System for Cross-domain Identity Management (SCIM) 2.0 REST API for managing resources (users, groups and custom schema)
API Documentation for SAP IAS is available under SAP Cloud Identity Services
Get’s Started
Read Users
### https://api.sap.com/api/IdDS_SCIM/resource Identity Directory Service
GET https://<iastenant>.accounts.ondemand.com/scim/Users
Content-Type: application/scim+json
Authorization: Basic @{{token}}
This is how you compare 2 different results from Deprecated API endpoint vs latest API endpoint
Filter Method
#### Filter on userName
GET https://<iastenant>.accounts.ondemand.com/scim/Users?filter=userName eq "sapscaadmin@sap.com"
Authorization: Basic @{{token}}
Another example using sub filter on Json value
#### Filter on emails.value
GET https://<iastenant>.accounts.ondemand.com/scim/Users?filter=emails.value eq "sapscaadmin@sap.com"
Authorization: Basic @{{token}}
Another example to filter Users based on count and Index
### https://api.sap.com/api/IdDS_SCIM/resource Identity Directory Service
GET https://<iastenant>.accounts.ondemand.com/scim/Users?startIndex=2&count=5
Content-Type: application/scim+json
Authorization: Basic @{{token}}
Create User
###
POST https://<iastenant>.accounts.ondemand.com/scim/Users
Content-Type: application/scim+json
Authorization: Basic @{{token}}
{
"emails": [
{
"primary": true,
"value": "abc@domain.com"
}
],
"active":"True",
"name": {
"familyName": "Muthaiah",
"givenName": "Yogananda"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "yoga"
}
Delete a User
#### Delete the user
DELETE https://<iastenant>.accounts.ondemand.com/scim/Users/280b8446-7ce2-4a91-b6a0-18777d1ffea2
Authorization: Basic @{{token}}
id refers Users GUID
Read Groups
###
GET https://<iastenant>.accounts.ondemand.com/scim/Groups
Content-Type: application/scim+json
Authorization: Basic @{{token}}
Create Groups
###
POST https://<iastenant>.accounts.ondemand.com/scim/Groups
Content-Type: application/scim+json
Authorization: Basic @{{token}}
{
"displayName": "New group name",
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group",
"urn:sap:cloud:scim:schemas:extension:custom:2.0:Group"
]
}
Assign Group to a User
###
PATCH https://<iastenant>.accounts.ondemand.com/scim/Groups/e26f6138-c382-4be5-addb-459186030f6e
Content-Type: application/scim+json
Authorization: Basic @{{token}}
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [
{
"op": "add",
"path": "members",
"value": [
{
"display": "yoga",
"value": "280b8446-7ce2-4a91-b6a0-18777d1ffea2"
}
]
}
]
}
Hi Yogananda Muthaiah
I've been having difficulties configuring this API in a freestyle application. I am studying this part and I followed the following steps:
Create a destination:
Creation of destination.
Obs: In "URL" is tentant of IAS is red and client on "User".
Add on routes of xs-app.json:
Add route
For testing, I included on ui5-local.yaml in fiori-tools-proxy:
Local proxy
After those steps i try to make a call by ajax:
Ajax Call
Results:
Call
Can you help me understand where I'm going wrong?
Kefren Conceição
Did you try to test with your credentials - IAS SCIM API through postman ? Did it work ? I am assuming you don't have Administrator role for your userid.
Yogananda Muthaiah
Yes, I tried using the "Client ID" and the "Client Secret", in the postman works fine. And I have de Administrator role.
I see in your screenshot - you have updated with Basic Authentication but it must be OAuth if you're tested with Client ID and Client Secret
I tried this way, but I don't know where to find the Token url.
Yogananda Muthaiah I tried combine two more tutorials to consume IAS API by Destination Service.
Integrate the REST API via Destination Service:
https://help.sap.com/docs/CP_FORMS_BY_ADOBE/dcbea777ceb3411cb10500a1a392273e/051d651b628c496c86bd1d4f95d718fc.html
In this tutorial, he creates a credential key for the instance created through the API.
Then create the application and use a destination service for the application in the MTA.
It declares that it is needed in the HTML module, and puts a destination route that will be created below.
After the application is deployed, it goes inside the destination service and creates the destination using the credentials created in the first step, giving the same name as the one placed in the route above.
IAS Instance and Key:
IAS Destination Service:
Destination route on xs-app.json:
Destination created inside of Destination Service:
Declare the proxy inside of ui5-local.yaml to consume in the test locally.
Try to consume the service:
I create the IAS Instance Service watching the microlearning:
https://microlearning.opensap.com/media/Cloud+Identity+Services+Identity+Authentication+-+SAP+Business+Technology+Platform/1_59dk7598
I thank you in advance for your willingness to contribute to my technical growth and continuous improvement. In the scenario I mentioned above, I still can't consume the IAS API.
Hi Kefren Conceição
I am not sure on how you're integrating with using BTP Extensions.. Were you able to make a successful IAS SCIM API's through postman ?? If yes, then it works the same way in BTP Destinations as well
I've never seen destination make direct requests, the postman examples are just for testing the APIs. All tutorials and documentation configure the domain in destination and in the AJAX call specify which entity and filters.
Hi Yogananda,
Thanks for sharing this information.
Do you know if the SCIM API be used to read the employee's manager from source systems such as Okta or Workday and update them on iAS user management?
Regards,
Subbu Iyer
Subbu Iyer Yes, you can make use of it.
Hi Yogananda,
We are trying to integrate Identity Provisioning (IPS) with Okta using SCIM to read users from Okta using the OAuth Client Credentials flow. Apparently, Okta requires a private_key_jwt authentication method for this integration which is not supported by IPS. I raised an incident with SAP and they confirmed that this scenario is not supported. So does it mean that we cannot use SCIM APIs with Okta from IPS?
Regards,
Subbu Iyer
Hi Subbu Iyer ,
We are also looking to do provisioning with Okta. Were you able to get this to work?
Thanks,
Lalitha
Hello Lalitha,
We did not go ahead with the solution because the Okta server needed the private_jwt authentication method with OAuth. We went back to provisioning from Azure AD after SAP released a new functionality to retrieve managers in Azure.
Regards,
Subbu Iyer
Hi,
How does the automated email work with the above payload when trying to create a new user? I have set the active flag to true. But I do not receive any email from IAS to register my account. Could you please help me if I need to enter any other properties when passing the create payload?
thanks and Regards,
supreetha bhat
We are trying to incorporate this into some applications to perform inquiry, on-boarding, and maintenance on users for several applications and services we have developed.
Even using https://<tenant>.accounts.ondemand.com/service/scim/Users/{userid}
tenant and userid are well known to us.
What group rights are needed to use the API?
We are always getting 401 - Not Authorized.
Even though using a User credentials that has rights to use the Admin Console for Cloud Identity Services that can maintain / lookup users or groups for our tenant configuration we are being blocked with User Not authorized via Try Out.
Hi Yoga,
Thanks for the detailed blog. Earlier version of SAP IAS API, We are able to update the password for the user using put service and making the user password as productive password.
I am not able to see any replacement of the password field in new SCIM API services. So what could be the reason.
So I have 2 questions with respect mass password reset for few users.
As I mentioned in earlier version, We are able to set the password of the user while creation or updating the user. How we will achieve in new one? we use to do with the help of collection runner in Postman.
{
"userName": "",
"id": "{{PID}}",
"name": {
"givenName": "tcs",
"familyName": "performance.{{SID}}",
"middleName": "performance.{{SID}}",
"honorificPrefix": ""
},
"emails": [{
"value": "performance.{{SID}}@tcs.com"
}],
"department": "",
"password": "Welocme@1",
"passwordStatus": "enabled",
"mailVerified": "true",
}
What is the replacement of password in new IAS API.
https://help.sap.com/docs/identity-authentication/identity-authentication/migrating-identity-authentication-scim-rest-api-to-identity-directory-service-api?locale=en-USstate%3DPRODUCTIONversion%3DCloud
Password Attribute
Thanks and Regards
Zameer Ahamad