SAP CPQ SCIM APIs – Sync Users from your Identity Management
Automating user sync from Active Directory to an application is an important, time-saving process. It lets users access applications by logging in securely with their directory identity. Without automation, users would have to manually enter their credentials into each application they need access to.
Active Directory (AD) is the heart of user identity management. It is an important component of the Windows-based network infrastructure, allowing users to authenticate and access resources on the network. By using AD, organizations can store user information in one location, allowing for easy access and management.
The process of automating user sync from Active Directory to an application involves two major steps. First, the application must be configured to use the AD user credentials for authentication. This is done by setting up the appropriate user access policies and permissions. Second, the AD user accounts must be synchronized with the application. This is done by configuring the application to regularly pull the user information from AD.
SAP CPQ SCIM API enables you to manage users and their group assignments. If the SAP CPQ users are centrally managed in an external system, such as SAP Identity Authentication Service, this API can be used to integrate with the external system for user provisioning.
The System for Cross-domain Identity Management (SCIM) specifications are designed to make identity management in cloud-based applications and services easier. This API is based on the SCIM protocol (RFC 7644), which makes integration easier when SAP CPQ is integrated with other SCIM-compliant systems.
According to the flow described below, when a new user is onboarded to the organisation, the user details are created in IDM first, and once the access policy is updated, the user syncs to the appropriate application right away. This eliminates the need to create the user manually in each individual application. Likewise, if a user has left the organisation, the user details sync right away, so the user can no longer access the application at all. This eliminates that manual process as well.
Administrators can access SCIM APIs via basic authorization. However, if the Access Rights feature is enabled for the tenant (the Enable Access Rights toggle switch is turned on in ), the system performs an additional authorization check:
If you don't see this in your CPQ domain, raise a support ticket to request that the Access Rights option be enabled.
Step 2 – API Documentation
SAP CPQ SCIM v2 API for Users & Groups
List of available SCIM API endpoints for performing CRUD (Create, Read, Update and Delete) operations
Step 3 – Play locally with all the endpoints to understand better
Step 4 – Through your Identity Directory Management solution, you can automatically schedule tasks to synchronize the users.
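What one scheduled synchronization run has to compute, as an added example that is not from the original post or from SAP: it diffs the IdM against the application's user list and emits the SCIM calls for joiners and leavers. The `/Users` path, schema URNs and PatchOp body follow RFC 7643/7644; the IdM record fields, the `protected` list and the use of PATCH (rather than PUT or DELETE) for deactivation are assumptions to check against the API documentation from Step 2.

```python
import base64
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def basic_auth_headers(username, password):
    """Headers for the basic authorization the post mentions (HTTPS only)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/scim+json"}

def set_active(value):
    """RFC 7644 section 3.5.2 PatchOp that replaces the 'active' attribute."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": value}]}

def plan_sync(idm_users, app_users, protected=()):
    """Diff the IdM (source of truth) against the result of GET /Users.
    Returns (method, path, body) tuples; 'protected' userNames (assumed to be
    service or break-glass accounts) are never deactivated."""
    skip = {p.lower() for p in protected}
    existing = {u["userName"].lower(): u for u in app_users}
    wanted = {u["userName"].lower(): u for u in idm_users if u["active"]}
    ops = []
    for name, u in sorted(wanted.items()):
        if name not in existing:  # joiner: provision the account
            ops.append(("POST", "/Users", {
                "schemas": [USER_SCHEMA], "userName": u["userName"],
                "emails": [{"value": u["email"], "primary": True}], "active": True}))
        elif not existing[name].get("active", True):  # returning user: re-enable
            ops.append(("PATCH", f"/Users/{existing[name]['id']}", set_active(True)))
    for name, u in sorted(existing.items()):
        # leaver, or an account the IdM has never heard of: disable it
        if name not in wanted and name not in skip and u.get("active", True):
            ops.append(("PATCH", f"/Users/{u['id']}", set_active(False)))
    return ops

# Constructed sample data, not taken from a real tenant.
IDM = [{"userName": "alice", "email": "alice@example.com", "active": True},
       {"userName": "bob", "email": "bob@example.com", "active": False}]  # bob left
APP = [{"id": "101", "userName": "bob", "active": True},
       {"id": "102", "userName": "carol", "active": True},     # orphan account
       {"id": "1", "userName": "scim-svc", "active": True}]    # sync's own login

if __name__ == "__main__":
    for method, path, body in plan_sync(IDM, APP, protected={"scim-svc"}):
        print(method, path, json.dumps(body))
```

Without the `protected` list, the first run would disable the very account the sync authenticates with, because that account exists only in the application and not in the IdM.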
Watch out for the next blog – Automate User Sync from SAP IPS to SAP CPQ
This is good for an AD integration... what if we have IAS/IPS, what differs.... I guess it's IPS to push the users then?
Thank you for the consideration.
Thanks for reading the blog and your valuable feedback :)
I'm already writing another blog for IAS/IPS Integration steps for User Sync. I would be publishing the blog by next week and surely will send you the link.