Skip to Content
Technical Articles
Author's profile photo Yogananda Muthaiah

SAP CPQ SCIM API’s – Sync Users from your Identity Management

Dear All


Automating user sync from active directory to application is an important and timesaving process. It is a process that allows users to easily access applications by securely logging in and providing authentication. Without automation, users would have to manually enter their credentials into each application they need access to.

Active Directory (AD) is the heart of user identity management. It is an important component of the Windowsbased network infrastructure, allowing users to authenticate and access resources of the network. By using AD, organizations can store user information in one location, allowing for easy access and management.

The process of automating user sync from active directory to application involves two major steps. First, the application must be configured to use the AD user credentials for authentication. This is done by setting up the appropriate user access policies and permissions. Second, the AD user accounts must be synchronized with the application. This is done by configuring the application to regularly pull the user information from AD.

SAP CPQ SCIM API enables you to manage users and their group assignments. If the SAP CPQ users are centrally managed in an external system, such as SAP Identity Authentication Service, this API can be used to integrate with the external system for user provisioning.

The System for Cross-domain Identity Management (SCIM) specifications are designed to make identity management in cloud-based applications and services easier. This API is based on the SCIM protocol (RFC7644) which makes integration easier when SAP CPQ is integrated with other SCIM-compliant systems.

According to the flow described below, when a new user is onboarded to the organisation, user details will be created in IDM first, and once the access policy is updated, the user will sync to the appropriate application right away. This eliminates the need to create each individual application manually.  Also if user is left the organisation, user details will sync right away, so user cannot access the application at all.. so this eliminates the manual process as well.

Step 1

Administrators can access SCIM APIs via basic authorization. However, if the Access Rights feature is enabled for the tenant (Enable Access Rights toggle switch is turned on in SetupUsersAccess Rights), the system performs additional authorization check:

Note :
If you don’t see this in your CPQ domain, Kindly raise a Support ticket to request to enable Access Rights option

Step 2 –  API Documentation

SAP CPQ SCIM v2 API for Users & Groups

List of available SCIM API endpoints for CRUD ( Create , Read, Update and Delete) operations to perform

Step 3 –  Play locally with all the endpoints to understand better

GET Users

GET Groups

Step 4 :  Through your Identity Directory Management solution, you may automatically schedule tasks to synchronize the users.


Watch out for the next blog – Automate User Sync from SAP IPS to SAP CPQ


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Wallace Henry
      Wallace Henry

      This is good for an AD integration... what if we have IAS/IPS, what differs.... I guess its IPS to push the users then?

      Thank you for the consideration.


      Author's profile photo Yogananda Muthaiah
      Yogananda Muthaiah
      Blog Post Author

      Wallace Henry

      Thanks for reading the blog and your valuable feedback:)

      I'm already writing another blog for IAS/IPS Integration steps for User Sync. I would be publishing the blog by next week and surely will send you the link.