Technical Articles
Integrate SAP Cloud Identity Provisioning Service with SAP Build Work Zone, standard edition for federation of business content
You may have seen an option in SAP Build Work Zone, standard edition to connect Work Zone to SAP Cloud Identity Provisioning Service (IPS). Did you ever wonder what this option was for and how it can be used when federating content from remote content providers into SAP Build Work Zone, standard edition?
When you click the Connect button it does couple things:
- It will provision an SAP Cloud Identity Provisioning tenant if you don’t already have one.
- Add target connectors in SAP Cloud Identity Provisioning Service to allow provisioning to SAP Build Work Zone standard edition.
If you see an error or are stuck in the connecting state, check to make sure prerequisites required for this integration are met. The prerequisites are documented in the help guide. Furthermore, it may still be possible to proceed even if the screen above shows an error message. The main thing we require is access to SAP Cloud Identity Provisioning tenant that has SAP Build Work Zone, standard edition available as a target system for provisioning. If either of these is not true for your case, log a support ticket under EP-WZ-PRV component.
To see how this integration can be used we need to setup a remote content provider for SAP Build Work Zone, standard edition. For this blog, I am using SAP BTP ABAP Environment as the content provider and setup the integration using the steps documented in this tutorial. When adding the content provider in Work Zone make sure “Use the Identity Provisioning service to provision user authorizations” option is enabled. This is not covered in the tutorial but is required for the scenario I am covering in this blog. Make note of the ID (eg. Tutorial) specified for your content provider as it’s also required later on when setting up SAP Build Work Zone as a target system in SAP Cloud Identity Provisioning Service.
In my SAP BTP ABAP environment, I’ve exposed a few business roles to the BTP environment. For eg, the TRAINWORKZONE role is marked Exposed to SAP BTP.
The TRAINWORKZONE roles has access to Communication Management application.
The exposed roles show up in SAP Build Work Zone standard edition and can be assigned to site to provide access to users. As you can see in the screenshot, besides the TRAINWORKZONE role I’ve exposed few additional roles as well. Each back-end role provides access to certain business apps to users that are assigned those roles in the back-end system.
What you will notice is that these roles will not be visible as role collections in your SAP BTP subaccount so there won’t be an option to assign them to users through the BTP Cockpit. This is expected since we enabled the “Use the Identity Provisioning service to provision user authorizations” option when adding SAP BTP ABAP environment as a content provider in SAP Build Work Zone. You may be wondering than how do I control what applications users can see SAP Build Work Zone site?
To accomplish this we will need to setup Identity Provisioning service to read users and their roles from SAP BTP ABAP environment and provision to SAP Build Work Zone Standard Edition. This process will ensure that users that access the Work Zone site can only see applications that they are authorized to use in the BTP ABAP environment.
Let’s look at the process to do just that.
Prepare SAP BTP ABAP Environment for use with SAP Cloud Identity Provisioning Service
- Log into your SAP BTP ABAP Environment and search for Maintain Communication Users and access the application.
- Click New and create a new communication user. Specify a User Name, Description, and Password. Click Create.
- Access Communication Systems.
- Click New and specify a System ID and System Name and click Create.
- Specify a value for Host Name to match your IAS tenant hostname. For eg. xxxxxxx.accounts.ondemand.com
- Click + under Users for Inbound Communication.
- Select the Communication user created earlier and click OK.
- Save your Communication System.
- Access Communication Arrangements.
- Click New and choose the value help icon to open up the list of available communication scenarios.
- Search for SAP_COM_0193 and select it from the list. This communication scenario is relevant for Identity Provisioning integration.
- Specify a name for the arrangement and click Create.
- Use the value help icon and select the Communication System created earlier. The User Name for inbound communication should automatically populate. Save your configuration.
- Make note of the API-URL as this is required to setup SAP BTP ABAP environment as the source system in SAP Cloud Identity Provisioning Service.
Add BTP ABAP Environment as Source System in SAP Cloud Identity Provisioning Service
- Access your SAP Cloud Identity Services – Identity Provisioning (IPS) tenant.
- Click on Source Systems.
- Click Add.
- Specify the following and click Save:
- Type: SAP BTP ABAP Environment
- System Name: <name of your choice>
- Click Properties. You will see a list of pre-created properties.
- Click Add to add new properties. Use the Standard option for non-sensitive properties and Credential option for password fields.
- Add the additional properties below and click Save. Take a look at the help guide for the complete list of properties that are possible with SAP BTP ABAP Environment as a source system.
- Type: HTTP
- ProxyType: Internet
- URL: <API-URL copied from Communication Arrangement>
- Authentication: BasicAuthentication
- User: <Communication User create in SAP BTP ABAP Environment>
- Password: <Communication User password>
- Log into your SAP BTP Subaccount where you have a subscription to SAP Build Work Zone Standard Edition.
- Click Instances and Subscriptions and create and click the Create button.
- Select SAP Build Work Zone, standard edition and choose standard instance plan.
- Choose your Space and specify an Instance Name.
- Click Next couple times and click Create.
- Select the newly created instance and click Create to create a new service key.
- Specify a Service Key Name and click Create.
- Click the key name.
- Make note of the following fields:
- endpoints.portal-service
- uaa.clientid
- uaa.clientsecret
- uaa.url
Setup SAP Build Work Zone as Target System in SAP Cloud Identity Provisioning Service
- Access your SAP Cloud Identity Services – Identity Provisioning (IPS) tenant.
- Click the Target System icon and click Add.
- Specify the following and click Save:
- Type: SAP Build Work Zone, standard edition
- System Name: <name of your choice>
- Source System: <your SAP BTP ABAP environment source system created earlier>
- Under Properties, add the additional properties below and click Save. Take a look at the help guide for the complete list of properties that are possible with SAP Build Work Zone, standard edition as a target system.
-
- Type: HTTP
- ProxyType: Internet
- URL: <endpoints.portal-service copied earlier>
- OAuth2TokenServiceURL: <uaa.url. Add /oauth/token at the end >
- Authentication: BasicAuthentication
- User: <uaa.clientid>.
- Password: <uaa.clientsecret>
- cflp.providerId: <ID of content provider in Work Zone>
-
Run the provisioning job
- Access your SAP Cloud Identity Services – Identity Provisioning (IPS) tenant.
- Click the Source System icon and click Add.
- Select the SAP BTP ABAP environment source system created earlier.
- Click the Run Now button.
- Click Identity Provisioning >> Job Logs and select the job. Confirm the job executes successfully and provision users and groups to SAP Build Work Zone.
Note that their is no user interface in SAP Build Work Zone, standard edition to visualize the users and groups that were provisioned by SAP Cloud Identity Provisioning Service.
Enjoy!
Hi Harjeet, great blog to follow along! Thank you.
Maybe you have a solution for the following case...
S/4OP - IPS - WorkZone standard (used for content federation. Now the transformation from S4OP target system does not contain the groups just the users. I wonder how I can achieve the retrieval of the groups in order to get the LP content shown. Any suggestions?
Best Regards,
Florian
It's likely because the Cloud Connector setup doesn't expose PRGN_ROLE_GETLIST resource. Check your RFC system in the Cloud connector and add the function to the allow list.
thx Harjeet, i missed that one
Hi Harjeet
I have set up S/4OP ->IPS ->BWZ Standard Edition user/role sync but when I logon build workzone site with test user, no catalogs/pages/spaces are presented.
When I initially set up it was working for about 1 week, after I made some backend changes to the role and user and rerun the provisioning job, it does not (skipped) update the user/group in BWZ, I took out the transformation script which skips the update and rerun the provisioning job, then the update failed - yes I know in your help page, it says update is not supported, only delete and create.
ok then I tried to work on how to delete the user in BWZ and recreat. I delete the user in S/4HANA OP, end dated it, rerun the read/re-sync job in IPS, nothing get reported in the job log.
With nothing else to try, I then went to delete the content provider in BWZ and recreated it back, I observed that each time I do this, the first read/re-sync job in IPS then goes successful. But even after that when I logon build workzone site with test user, no catalogs/pages/spaces are presented.
And as you said there is nowhere I can see user and roles assignment in Build Work Zone standard edition to troubleshoot any further myself.
I am basically stuck at the moment, please help if you can. Also keen to understand how should this whole solution work in reality when there will be frequent user->role assignment change and apps->role assignment change in the backend if "officially" the update function is not supported by IPS->BWZ integration.
Many Thanks GavinPlease contact me directly via email.