IPS: Availability of system connectors
This is a quick informational post based on a recent conversation about SAP Identity Provisioning Service (IPS) and “unavailable” connector bundles. In short: if your IPS tenant is missing a connector, check out the available connectors on the new IPS tenant on the SAP Identity Service Infrastructure.
About me (disclaimer)
In my role at SAP, I help our customers to wrap their heads around the security of SAP Cloud Products. As I have been doing that in a presales capacity for many years, I have been part of many deals, discussions and architecture talks. But as I am NOT a consultant who tinkers with those SAP Systems every day, I cannot and will not provide any type of recommendations. All of my writings are purely my own opinion. So you need to read the respective sources and documents that I may have interpreted (wrongly) and come up with your own educated decisions.
Identity Provisioning Service (IPS)
The IPS is part of the SAP Identity Services (IAS+IPS). It transports user identities and their assigned roles from one system to another. To do that, IPS brings a number of so-called connectors, and it also exposes a SCIM interface.
IPS has a bit of a history, and as a consequence there are two flavors available. The main differentiating factor is the infrastructure they are deployed upon, which can be:
- BTP NEO
- SAP Identity Services Infrastructure
IPS tenant on BTP NEO
These IPS tenants are deployed as a BTP NEO service. That means handling them should be mostly like handling any other BTP NEO service, e.g. login via Cloud Cockpit, rights assignment etc.
The connectors of these tenants are tied to the so-called “Bundles”. You will most likely already have experienced what the documentation describes:
“… if your bundle tenant is running on SAP BTP, Neo environment, a limited number of connectors are enabled by default.”
So depending on what SAP Cloud Service your company has signed up for, this or that bundle will be applicable and with that the “bundle connectors” will be more or less available to you. As the various bundles have been created with different scenarios in mind and some intended bundles never got to see the light of day, there have been “a few” cases where customers might have gotten stuck with being unable to get a connector.
IPS on SAP Identity Services Infrastructure (new)
As part of evolving the IAS & IPS into the SAP Cloud Identity Services, any newly provisioned IPS tenant is deployed on the SAP Cloud Identity Services Infrastructure since March 15th 2022.
The (new) IPS tenants bring most of the available system connectors out of the box right away. Let's look at this particular part of the documentation (as of 02/26/2023) below. If you read carefully, it says all connectors are available, just not those listed in this table.
How do I find out if my IPS tenant is “New” or still on BTP NEO?
You might want to try the IAMTENANTS interface. That system should give you a list of all your available IAS & IPS tenants and when they were created. The creation date is a very good indicator of what IPS deployment type you are facing: anything deployed after March 15th 2022 should be an IPS tenant on SAP Cloud Identity Infrastructure, and thus should contain most of the connectors right away.
You can also check if you can access the IPS tenant like any other BTP NEO service. If yes, you obviously got a BTP NEO IPS tenant.
IPS tenants with this service URL syntax should be on the new infrastructure
How to get access to all those bundle connectors in my IPS?
You could consider migrating your existing IPS Neo tenant to the SAP Identity Service infrastructure. Please read the documentation carefully and do not trigger a migration lightly. Remember the good old mantra “never touch a running system”.
There are still connectors missing in my IPS?
Revisit the documentation to check that the connector you are missing is not officially excluded.
Then check in the connector documentation if this particular connector might only be available in an IPS Stand Alone Tenant. An IPS Stand Alone tenant is currently only commercially available as part of SAP Identity Access Governance.
And unfortunately, not all SAP Cloud Systems are yet integrated with IPS. You might want to check with the respective product sources and road maps about potential plans to support IPS.
Where can I find the IPS SCIM API? [New 2023-03-07]
This is a bit hidden in plain sight within the IPS docs. Check out the IPS Proxy functionality. This so-called IPS proxy exposes the SCIM API in the IPS service (here SCIM Endpoint). So if you have a system that can trigger outbound SCIM calls, you can use this IPS proxy to push and pull user data into the various supported SAP Systems.
Why is there no SCIM target connector? [New 2023-03-07]
First we have to keep in mind that IPS is a cloud service. That means whenever this service is used, it will incur costs on our SAP side. Then there is Dev/Ops, support and maintenance that need to be taken care of as well.
With the decision to include IPS with every SAP Cloud product (aka no extra license costs for IPS), the commercial IPS version (IPS stand alone tenant) has become unavailable. The operational costs for IPS are now covered by SAP. But that means, SAP has good reasons to control those costs and make sure the use case has a SAP product focus.
With this move, the focus of IPS shifted from a sellable “stand alone” product to an enabler of SAP Cloud Solutions. So this previous IPS capability to include 3rd party SCIM destinations has become obsolete as there is simply no one there to pay for that party any more.
And if you look into the market of cloud based identity provisioning systems, I guess there will be no free offering to integrate one 3rd party to another 3rd party for free, right? If there is, people are welcome to use it.
If you want to license SAP Identity Access Governance, that happens to bring a SCIM destination (via IPS Stand Alone tenant functionality), please reach out to your local SAP sales representative. I guess that explains who pays for that particular SCIM destination party 🙂
- BTP: SAP Business Technology Platform
- BTP NEO: SAP Business Technology Platform NEO
- IAS: SAP Cloud Identity Services – Identity Authentication
- IPS: SAP Cloud Identity Services – Identity Provisioning
- aka: Also known as
- SCIM: System for Cross-domain Identity Management
- SAP: Systemanalyse Programmentwicklung
Thanks for the above blog. I must admit understanding the nuances of SAP IPS and IAS licensing is difficult for customers.
In the above table for SAP Cloud Infrastructure tenants, it says SCIM as a target tenant is not supported. So, at this stage customers cannot do provisioning to a SCIM supported system using IPS unless they have an SAP IAG license which supports all target systems - Is that correct?
Hi Priyank, yes - the bundled IPS does not support SCIM destinations unless they are SAP Systems. The purpose of the bundled IPS is to enable SAP Cloud Services but not to provide a free tool for 3rd party integrations. I did add a Q&A topic to my blog that covers this aspect.
Thanks Dirk for your response. Much appreciated
It's just incomprehensible to me that I have to buy IGA to get the SCIM connector. SCIM is the standard par excellence for provisioning. That SAP demands extra money for this is just sad.
well, there is no free lunch. 🙂
I did add a Q&A topic to my blog that covers this aspect.