www.xiting.com
XITING | SAP SECURITY SIMPLIFIED
SAP Cloud Identity Services | Overview, best practices and typical use cases
Table of Contents
Introduction
Introduction
SAP Cloud Identity Services is a set of services within SAP Business Technology Platform
(SAP BTP) that allows for seamless integration of identity and access management (IAM)
between systems. The main goal is to provide a secure and seamless single sign-on (SSO)
experience across systems.
This eBook serves as a condensed overview of SAP Cloud Identity Services and is designed
for solution architects, project managers, SAP consultants, and IDM administrators who
want to gain a quick understanding of the essentials of the service. Additionally, it includes
Xiting best practices for the service and outlines the common use cases for the solution.
SAP Cloud Identity Services provides a standard for authentication and user administration
as core services of SAP BTP. It allows for the centralization of user identities to ensure
secure access to all applications within the SAP cloud universe and automate user
administration.
In a constantly growing hybrid SAP landscape, it is crucial to manage and consolidate all
identities in one place. SAP Cloud Identity Services supports industry standards like SCIM,
SAML 2.0, OAuth2, and OpenID Connect, which allows for flexible deployment scenarios
and integration options into existing IAM systems in a multi-vendor landscape.
Overall, SAP Cloud Identity Services provides a foundation for secure and efficient IAM
integration between systems, which is essential for every SAP organization today.
SAP Cloud Identity (SCI) services are public cloud services provided by SAP, available in
various regions globally. These services consist of two primary components: Identity
Authentication (IAS) and Identity Provisioning (IPS), which are essential building blocks
for IAM in hybrid SAP landscapes. Both components are built on the same technology
stack and are included in many SaaS solutions offered by SAP SE or available as a bundle.
[Figure: SAP Cloud Identity Services overview. End users authenticate against Identity Authentication (SAML 2.0, OpenID Connect), which can delegate authentication to a corporate identity provider (SAML 2.0, OpenID Connect). Identity Provisioning covers identity lifecycle management over SCIM, with the Identity Directory (IdDS) as the shared user store. Connected applications shown: SAP S/4HANA, SAP BTP, SAP Ariba, SAP Concur, SAP Enable Now, SAP C/4HANA, SAP Analytics Cloud, SAP SuccessFactors, ...]
Together they enable organizations to streamline IAM processes and improve the user
experience by providing a single sign-on experience across systems while ensuring
data security. Additionally, these services are built with the flexibility to integrate with
existing IAM systems, making them a valuable addition to any SAP organization looking
to enhance their IAM capabilities.
The SAP Cloud Identity Authentication Service (IAS) represents a central identity
provider. Here all SAP cloud applications are connected to consolidate trust management.
The aim of this approach is to standardize the onboarding of additional SAP cloud
applications. This simplifies the entire onboarding process for new SAP applications.
For user authentication, IAS uses common standards such as Security Assertion Markup
Language 2.0 (SAML 2.0) and OpenID Connect to provide identity federation.
The SAP Cloud Identity Provisioning Service (IPS) provisions user identities from a given
source system into the Identity Directory service, based on configured preferences and
filter rules. This component keeps the identity lifecycle in sync.
The Identity Directory Service (IdDS) is used by the two services IAS and IPS as a
user database in the SAP cloud environment. Using a group concept customers can
automate the provision of users and groups to SAP cloud applications. Changes such as
the creation of a new employee, adjustments to user data and group assignments or the
deactivation of an account are detected and automatically implemented based on jobs
running in scheduled intervals.
2. Improved efficiency: By using the Identity Directory (IdDS) as a central repository for
all SAP user identities, organizations can reduce administrative overhead and automate
processes. All users are stored in a central location without having to manage and update
user identities in each service.
3. Single sign-on: By storing user identities in the identity directory, you can enable single
sign-on (SSO) for users across different SAP applications and services. This provides a
seamless and secure user experience, as users only need to sign in once to access all the
SAP services they need.
4. Integration with other systems: By persisting user identities in the identity directory,
you can more easily integrate SAP services with other systems, such as authentication
providers, security information and event management (SIEM) tools, and identity
management solutions. This reduces the risk of errors or inconsistencies.
5. Improved user experience: The SAP Global User ID (UUID) makes it easier for users to
access multiple systems with a single sign-on, providing a more seamless and efficient
experience.
6. Improved governance: SAP Cloud Identity Services combined with other services such
as SAP Cloud Identity Access Governance (IAG), provide tools and capabilities for auditing
and reporting on user access, helping organizations to meet regulatory and compliance
requirements.
To ensure consistency across all systems (DEV, QAS, PRD), it is recommended to attach the
productive SAP IAS tenant to all of them, while operating a second IAS for sandboxes and
test systems. The SAML endpoint URLs, signature certificates, and SAML configuration
parameters are exchanged via metadata (XML file) generated on both sides between
service providers (SAP SaaS solution or SAP BTP or on-premises S/4HANA systems) and
the SAP IAS. In some cases, such as when using multi-cloud subaccounts in SAP BTP, the
SAML trust is automatically established. The SAP IAS is responsible for issuing the SAML
assertions or OpenID Connect ID tokens that carry the required NameID and the other
configured claims.
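The metadata exchange described above is where most trust misconfigurations creep in, so the following added example (not code from the eBook or from SAP) reads an IdP metadata document and pulls out exactly what has to be compared against the tenant before the trust is activated: the entityID, the SSO endpoints and their bindings, the supported NameID formats, and the SHA-256 fingerprint of each signing certificate. The metadata is constructed for the example and shaped like what an IAS tenant publishes; the certificate content is a placeholder blob, not a real X.509 certificate, and the `trust_findings` checks are this example's own list of things to verify.

```python
"""Extract the trust-relevant facts from SAML 2.0 IdP metadata and list findings."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed IdP metadata; the X509Certificate value is a placeholder, not a real cert.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example.accounts.ondemand.com">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>QUJDREVGR0hJSktMTU5PUA==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.accounts.ondemand.com/saml2/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.accounts.ondemand.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(b64_cert):
    """SHA-256 over the DER bytes, colon-separated, as tenant UIs usually display it."""
    der = base64.b64decode("".join(b64_cert.split()))   # metadata wraps the base64 over lines
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":     # a key without 'use' serves both purposes
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            fingerprints.append(cert_fingerprint(cert.text))
    return {
        "entity_id": root.get("entityID"),
        "sso_endpoints": {s.get("Binding"): s.get("Location")
                          for s in idp.findall("md:SingleSignOnService", NS)},
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        "signing_fingerprints": fingerprints,
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
    }


def trust_findings(meta):
    """Points to resolve before activating the trust; empty when nothing stands out."""
    findings = []
    if not meta["signing_fingerprints"]:
        findings.append("no signing certificate: assertions from this IdP cannot be verified")
    if len(meta["signing_fingerprints"]) > 1:
        findings.append("several signing certificates: rollover in progress, import all of them")
    if not meta["sso_endpoints"]:
        findings.append("no SingleSignOnService endpoint")
    for binding, url in meta["sso_endpoints"].items():
        if not url.startswith("https://"):
            findings.append("SSO endpoint for %s is not HTTPS: %s" % (binding.rsplit(":", 1)[-1], url))
    if not str(meta["entity_id"]).startswith("https://"):
        findings.append("entityID is not an https URL: %s" % meta["entity_id"])
    return findings
```

Compare `signing_fingerprints` with the fingerprint shown in the tenant before saving the trust; a mismatch after a certificate rotation on one side is the usual reason logins suddenly fail with signature errors.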
In most cases, SAP IAS is integrated with a customer's existing SAML identity provider
as an IdP proxy to provide a seamless single sign-on (SSO) experience. Simply put, by
using the "proxy mode" in SAP IAS, you can authenticate users for all SAP applications
against your company's existing SAML identity provider. SAP IAS acts as a mediator
between the SAP application and the corporate identity provider: it forwards the
authentication request, receives the authentication result as a SAML assertion, and
issues its own assertion to the application.
This approach gives users access to cloud-based applications without the need to create
new login credentials. Additionally, the "identity federation" option in SAP IAS lets the
assertion sent to the application carry attributes held in the Identity Directory (for
example group assignments), independent of what the corporate identity provider sends,
so that IAS's own authentication policies apply on top of the corporate login.
As a result, the customer only needs to integrate their IAS tenant with their existing IDP
one time. This integration is accomplished through identity federation between the two
IDPs, enabling all relevant user and identity information, including attributes from both
(Azure) Active Directory and SAP IAS, to be considered.
In a typical customer landscape, there are two user stores to distinguish between B2E
(Business-to-Employee) and B2B (Business-to-Business) scenarios:
■ IAS: Local Identities Directory (for External | Guests | Customers | Test users |
Developers)
■ Corporate User Store: For example, the Azure AD tenant (synchronized via AAD
Connect with users from the Active Directory Forest)
In this structure, the SAP IAS acts as the main identity provider for all SAP applications and
serves as a broker between the two user stores mentioned above. With the „Conditional
Authentication“ function, SAP IAS provides a rule set that can be used to control which
identity provider is used for certain applications, thereby enabling conditional access
based on various criteria.
This authentication concept ultimately enables SSO for all HTTP-based applications across
all devices. In the cloud, where partner and B2B scenarios are necessary in addition to
employee access, multi-factor authentication (MFA) is a critical requirement for IT security.
This approach allows not only employees but also external users, such as guest accounts,
to be integrated with MFA enforced.
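A rule set of the kind described above, as an added example (not code from the eBook or from SAP IAS) that models how conditional authentication selects the identity provider for a login. The criteria (email domain, user type, group, client IP range) are the ones the text names; the first-match evaluation order, the fallback to a default IdP, and all rule data, IdP names and users are assumptions constructed for the example.

```python
"""Pick the identity provider for a login from an ordered rule set (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class LoginContext:
    email: str
    user_type: str            # e.g. "employee", "partner", "customer"
    groups: FrozenSet[str]
    client_ip: str            # only trustworthy if the network path in front of IAS sets it honestly


@dataclass(frozen=True)
class Rule:
    idp: str                            # identity provider chosen when every set criterion matches
    email_domain: Optional[str] = None
    user_type: Optional[str] = None
    group: Optional[str] = None
    ip_range: Optional[str] = None      # CIDR notation

    def matches(self, ctx: LoginContext) -> bool:
        if self.email_domain is not None:
            domain = ctx.email.rpartition("@")[2] if "@" in ctx.email else ""
            if domain.lower() != self.email_domain.lower():
                return False
        if self.user_type is not None and ctx.user_type.lower() != self.user_type.lower():
            return False
        if self.group is not None and self.group not in ctx.groups:
            return False
        if self.ip_range is not None:
            try:
                inside = ipaddress.ip_address(ctx.client_ip) in ipaddress.ip_network(self.ip_range, strict=False)
            except ValueError:
                inside = False          # unparsable address: never treat it as inside the trusted range
            if not inside:
                return False
        return True


def select_idp(rules: List[Rule], ctx: LoginContext, default_idp: str) -> str:
    """First matching rule wins, so order the list from most to least specific."""
    for rule in rules:
        if rule.matches(ctx):
            return rule.idp
    return default_idp


CORPORATE_IDP = "Corporate SAML IdP (Azure AD)"                    # constructed names
LOCAL_IDP = "Identity Authentication (local Identity Directory)"

RULES = [
    Rule(idp=CORPORATE_IDP, email_domain="corp.example", user_type="employee"),
    Rule(idp=CORPORATE_IDP, group="ExternalContractors", ip_range="10.0.0.0/8"),
    Rule(idp=LOCAL_IDP, user_type="partner"),
    Rule(idp=LOCAL_IDP, user_type="customer"),
]


def route(email, user_type, groups=(), client_ip="203.0.113.10"):
    """Convenience wrapper: route one login through RULES with LOCAL_IDP as the default."""
    return select_idp(RULES, LoginContext(email, user_type, frozenset(groups), client_ip), LOCAL_IDP)
```

The default IdP is the fail-safe: a user who matches nothing, or whose client address cannot be parsed, never lands in the corporate IdP by accident, and the ordering of the rules is what decides in cases where several criteria apply.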
Note: To ensure a future-proof setup, the SAP IAS should be used as the central IDP for all
SAP applications and connected to the existing IDP.
Using its SCIM 2.0 REST API, the Identity Directory allows programmatic access to
resources such as users, groups, and custom schemas. Data is not only
visible through APIs, but also in the user interface of the Identity Authentication service
itself. Under User Management and User Groups, the data is sourced directly from the
Identity Directory.
The Identity Directory is essential for many new features and SAP cloud applications,
including SAP SuccessFactors, SAP Task Center, and SAP Identity Access Governance. For
instance, SAP Task Center relies on the user's Universally Unique Identifier (UUID), generated
when the user is created in the Identity Directory, to map tasks to specific SAP solutions. The
SCIM 2.0 API gives access to the Identity Directory and allows custom schemas and attributes
to be created. Users, groups, and group assignments can be read and modified
programmatically, with a maximum of 20 custom schemas with 20 custom attributes each.
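To make the SCIM 2.0 resource model concrete, here is an added example (not code from the eBook or from SAP) of a minimal in-memory directory that behaves the way a SCIM server does for the operations the paragraph lists: a user with a custom schema extension, a uniqueness check on userName, a filter query, and a PatchOp that adds and removes group members. The custom-schema limit (20 schemas with 20 attributes each) is the figure stated in the text; the HR extension URN, users and groups are constructed for the example.

```python
"""In-memory model of the SCIM 2.0 resources the Identity Directory exposes."""
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
HR_EXTENSION = "urn:example:scim:schemas:extension:hr:1.0:User"   # constructed URN
MAX_CUSTOM_SCHEMAS = 20       # limits stated in the text
MAX_CUSTOM_ATTRIBUTES = 20

_FILTER = re.compile(r'(\w+) (eq|co|sw) "([^"]*)"')           # attr op "value"
_MEMBER_PATH = re.compile(r'members\[value eq "([^"]+)"\]')   # remove-member path


class ScimError(Exception):
    """Carries the HTTP status a SCIM server would answer with."""
    def __init__(self, status, detail):
        super().__init__("%s %s" % (status, detail))
        self.status = status


class IdentityDirectory:
    def __init__(self):
        self.users, self.groups, self.custom_schemas = {}, {}, {}

    def add_custom_schema(self, urn, attributes):
        if len(self.custom_schemas) >= MAX_CUSTOM_SCHEMAS:
            raise ScimError(400, "custom schema limit reached")
        if len(attributes) > MAX_CUSTOM_ATTRIBUTES:
            raise ScimError(400, "at most %d attributes per custom schema" % MAX_CUSTOM_ATTRIBUTES)
        self.custom_schemas[urn] = set(attributes)

    def create_user(self, resource):
        schemas = resource.get("schemas", [])
        if USER_SCHEMA not in schemas or "userName" not in resource:
            raise ScimError(400, "core User schema and userName are required")
        if any(u["userName"].lower() == resource["userName"].lower() for u in self.users.values()):
            raise ScimError(409, "userName already exists")   # uniqueness is case-insensitive
        for urn in schemas:   # every extension must be declared and carry only defined attributes
            if urn == USER_SCHEMA:
                continue
            if urn not in self.custom_schemas:
                raise ScimError(400, "unknown schema %s" % urn)
            unknown = set(resource.get(urn, {})) - self.custom_schemas[urn]
            if unknown:
                raise ScimError(400, "attributes not defined in %s: %s" % (urn, sorted(unknown)))
        user = dict(resource, id=str(uuid.uuid4()), active=resource.get("active", True),
                    meta={"resourceType": "User"})   # the server assigns the immutable id
        self.users[user["id"]] = user
        return user

    def create_group(self, display_name):
        group = {"schemas": [GROUP_SCHEMA], "id": str(uuid.uuid4()),
                 "displayName": display_name, "members": []}
        self.groups[group["id"]] = group
        return group

    def patch_group(self, group_id, patch):
        """Apply a PatchOp: add members, or remove one via members[value eq "<id>"]."""
        if patch.get("schemas") != [PATCH_OP]:
            raise ScimError(400, "body must be a PatchOp message")
        group = self.groups.get(group_id)
        if group is None:
            raise ScimError(404, "group not found")
        for op in patch.get("Operations", []):
            kind = op.get("op", "").lower()
            removal = _MEMBER_PATH.fullmatch(op.get("path", ""))
            if kind == "add" and op.get("path", "members") == "members":
                present = {m["value"] for m in group["members"]}
                for member in op["value"]:
                    if member["value"] not in self.users:
                        raise ScimError(400, "member %s does not exist" % member["value"])
                    if member["value"] not in present:   # adding an existing member is not an error
                        group["members"].append({"value": member["value"]})
                        present.add(member["value"])
            elif kind == "remove" and removal:
                group["members"] = [m for m in group["members"] if m["value"] != removal.group(1)]
            else:
                raise ScimError(400, "unsupported operation %r" % (op,))
        return group

    def filter_users(self, expression):
        """GET /Users?filter=... with the eq / co / sw operators on one string attribute."""
        match = _FILTER.fullmatch(expression.strip())
        if not match:
            raise ScimError(400, "unsupported filter")
        attr, op, value = match.groups()
        tests = {"eq": lambda a: a.lower() == value.lower(),
                 "co": lambda a: value.lower() in a.lower(),
                 "sw": lambda a: a.lower().startswith(value.lower())}
        hits = [u for u in self.users.values() if isinstance(u.get(attr), str) and tests[op](u[attr])]
        return {"schemas": [LIST_RESPONSE], "totalResults": len(hits),
                "startIndex": 1, "itemsPerPage": len(hits), "Resources": hits}
```

The two rejections worth noticing are the 409 on a userName that differs only in case and the 400 on an attribute that the extension schema does not define; both are what a real SCIM endpoint returns, and provisioning jobs that ignore them silently drift out of sync.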
Once users are added to the Identity Directory, the Identity Provisioning service takes
over the task of provisioning these users to SAP applications with their own user stores.
By having all user information stored in a central location, the Identity Provisioning
service can efficiently manage the provisioning and de-provisioning of users across
multiple SAP applications.
Ultimately, the centralized storage of user data provided by the Identity Directory and
Identity Provisioning service greatly simplifies the management of user lifecycles, while
also enhancing security and compliance for SAP applications.
While manual identity management can be done, this is typically only used when a
limited number of SAP cloud applications have been introduced initially. IPS offers a
more efficient and reliable solution for managing identities in larger and more complex
SAP landscapes.
The SAP IPS provides a solution to automate the identity lifecycle process. It can bring
users from one or multiple user stores (source systems) to different target systems,
making it possible to provide and keep identities up to date in SAP cloud applications. To
achieve this, the IPS uses the System for Cross-Domain Identity Management (SCIM), an
industry-standard for provisioning.
[Figure: Identity Provisioning flows. (1) Source systems such as (Azure) Active Directory or SAP SuccessFactors (SFSF) are read, (2) IPS applies a read transformation and a write transformation, (3) the result is written to the target, the Identity Directory (IdDS) of IAS. In the second flow, (4) the Identity Directory is the source, (5) IPS transforms again and (6) writes to SAP BTP or SaaS applications as targets.]
The System for Cross-domain Identity Management (SCIM) specification is designed to
manage user identity in cloud-based applications and services in a standardized way
which enables interoperability, security, and scalability. The underlying concept of
SCIM 2.0 is based on a common user schema, group schema, and an extension model which
are exchanged via an HTTP-based protocol.
The hiring process typically commences by creating personnel master data records in
the HCM system. Based on this data, user accounts and employee-related information
are created and consolidated at a central location, usually the (Azure) Active Directory.
By employing a suitable group concept, the provisioning of users and groups from the
Identity Directory to the corresponding SAP cloud applications can be automated. Any
changes, such as new employee creation, user data or group assignments modifications,
or account deactivation, are handled through IPS and automatically executed at
scheduled intervals. This ensures that new identities are generated, or existing ones
are deactivated, with the changes reflected in connected cloud or on-premises SAP
applications as needed.
In essence, the Provisioning Service (IPS) streamlines the task of keeping identities
current across the SAP cloud application landscape. Ideally, it utilizes the IdDS as the
data foundation, with the SCIM standard playing a pivotal role in the process.
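A simplified model of one provisioning run, covering the read/write transformation shown in the figure and the scheduled change detection described in the paragraphs above, as an added example (not the eBook's or SAP's code): source records are read, mapped with a document shaped like an IPS read transformation, and compared with what was last written to the target to derive create, update and deactivate actions. The mapping keys used (sourcePath, targetPath, constant, optional) follow the shape of IPS transformation JSON, but the path evaluator is this example's own and handles only simple `$.a.b[0]` paths; the Active Directory-like source records, the choice to deactivate rather than delete users that vanish from the source, and the `plan_sync`/`apply_actions` helpers are assumptions of the example.

```python
"""Read transformation plus change detection for one provisioning run (added example)."""
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
MISSING = object()
_PATH = re.compile(r"\$((?:\.[A-Za-z_]\w*|\[\d+\])+)")
_TOKEN = re.compile(r"\.([A-Za-z_]\w*)|\[(\d+)\]")

# Shaped like an IPS read transformation for a constructed AD-like source system.
READ_TRANSFORMATION = {"user": {"mappings": [
    {"constant": USER_SCHEMA, "targetPath": "$.schemas[0]"},
    {"sourcePath": "$.sAMAccountName", "targetPath": "$.userName"},
    {"sourcePath": "$.mail", "targetPath": "$.emails[0].value"},
    {"sourcePath": "$.givenName", "targetPath": "$.name.givenName"},
    {"sourcePath": "$.sn", "targetPath": "$.name.familyName"},
    {"sourcePath": "$.enabled", "targetPath": "$.active"},
    {"sourcePath": "$.title", "targetPath": "$.title", "optional": True},
]}}


def _tokens(path):
    if not _PATH.fullmatch(path):
        raise ValueError("unsupported path %r" % path)
    return [name if name else int(index) for name, index in _TOKEN.findall(path)]


def get_path(obj, path):
    for t in _tokens(path):
        if isinstance(t, int):
            if not isinstance(obj, list) or t >= len(obj):
                return MISSING
        elif not isinstance(obj, dict) or t not in obj:
            return MISSING
        obj = obj[t]
    return obj


def set_path(obj, path, value):
    """Create intermediate dicts/lists as needed, then assign the final key or index."""
    toks = _tokens(path)
    cur = obj
    for t, nxt in zip(toks, toks[1:]):
        container = [] if isinstance(nxt, int) else {}
        if isinstance(t, int):
            while len(cur) <= t:
                cur.append(None)
            if cur[t] is None:
                cur[t] = container
            cur = cur[t]
        else:
            cur = cur.setdefault(t, container)
    last = toks[-1]
    if isinstance(last, int):
        while len(cur) <= last:
            cur.append(None)
    cur[last] = value


def transform(entity, transformation):
    """Apply the mappings; a missing non-optional source attribute rejects the entity."""
    target = {}
    for mapping in transformation["user"]["mappings"]:
        if "constant" in mapping:
            value = mapping["constant"]
        else:
            value = get_path(entity, mapping["sourcePath"])
            if value is MISSING:
                if mapping.get("optional"):
                    continue
                raise ValueError("required source attribute %s is missing" % mapping["sourcePath"])
        set_path(target, mapping["targetPath"], value)
    return target


def plan_sync(target_state, source_entities, transformation):
    """target_state maps lowercase userName to the user as last written; returns (actions, skipped)."""
    desired, skipped = {}, []
    for entity in source_entities:
        try:
            user = transform(entity, transformation)
        except ValueError as err:
            skipped.append(str(err))         # one broken record must not abort the whole job
            continue
        desired[user["userName"].lower()] = user
    actions = []
    for key, user in desired.items():
        if key not in target_state:
            actions.append(("create", user))
        elif target_state[key] != user:
            actions.append(("update", user))
    for key, user in target_state.items():   # gone from the source: deactivate, keep the record
        if key not in desired and user.get("active"):
            actions.append(("deactivate", dict(user, active=False)))
    return actions, skipped


def apply_actions(target_state, actions):
    for _, user in actions:
        target_state[user["userName"].lower()] = user
    return target_state


# Constructed source snapshots for two consecutive job runs.
SOURCE_RUN_1 = [
    {"sAMAccountName": "ALICE", "mail": "alice@corp.example", "givenName": "Alice",
     "sn": "Adams", "enabled": True, "title": "Engineer"},
    {"sAMAccountName": "bob", "mail": "bob@corp.example", "givenName": "Bob", "sn": "Brown", "enabled": True},
]
SOURCE_RUN_2 = [
    {"sAMAccountName": "ALICE", "mail": "alice.adams@corp.example", "givenName": "Alice",
     "sn": "Adams", "enabled": True, "title": "Engineer"},
    {"givenName": "Carol", "sn": "Clark", "enabled": True},   # no account name: skipped, reported
]
```

Running `plan_sync` over the two snapshots in turn yields two creates, then an update for Alice's changed mail address, a deactivation for Bob, and one skipped record; the skipped list is what an operator should be alerted on, since a silently dropped record is indistinguishable from a leaver.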
Note: To help SAP companies implement a future-proof foundation for managing access and
identities in the SAP cloud universe in a simple and standardized way, our new Xiting QuickStart
Implementation Service can be interesting. It includes a fixed scope that incorporates
common best practices and provides immediate benefits and basic user authentication and
provisioning capabilities in the SAP cloud universe.
QuickStart Implementation for SAP Cloud Identity Services (Xiting flyer, © 2022 Xiting. All rights reserved)

START YOUR JOURNEY TO THE SAP CLOUD WORLD
In a hybrid SAP landscape, the coordination of access to the different applications is a must and
requires smooth, efficient and centralized user and authentication management. Benefit from Xiting's
best practices and fixed-price quick implementation service.
Our Xiting QuickStart Implementation package is the fastest way to get your organization set up for
SAP Cloud Identity Services. It includes a fixed scope of services that provides immediate benefits
and basic capabilities for user authentication and provisioning. This is a core requirement for all
integration and/or extension scenarios when it comes to SAP BTP and SaaS applications.
Remote | Fixed price

TYPICAL CHALLENGES
■ You want to establish a future-proof foundation supporting the transition of your existing user
lifecycle processes toward the SAP-Cloud universe
■ You want to automate and optimize your user lifecycle process using standard tools
■ You have to onboard additional SaaS applications such as SAP Analytics Cloud, SAP Integrated
Business Planning, SAP Ariba, and more
■ You need more transparency in the complex hybrid architecture
■ You need integration with your Active Directory, Azure AD or third-party identity providers

QuickStart Implementation
SAP Cloud Identity Authentication (IAS)
■ Best practice configuration and determination of your IAS tenant model
■ Integration with your existing SAML Identity Provider (ADFS, Azure, Okta, …)
■ Creation of two cloud or on-prem SAP applications in your IAS (SAML trust)
SAP Cloud Identity Provisioning (IPS)
■ Best practice configuration and determination of your IPS tenant model
■ Connection of your central system such as AD, Azure or an HCM as a source system for user
distribution
■ Set-up of a lightweight user group concept to manage ID lifecycle and authentication
■ Job-triggered provisioning of users and groups for two SAP cloud applications

Further services:
■ Integrate your existing third-party or SAP IDM system to support business roles and
workflow-based provisioning
■ Integrate with additional source systems to enrich your user identities with additional
attributes like from HCM/SFSF
■ Develop custom authorization concepts for your SaaS and BTP applications

LONG-LASTING BENEFITS
■ QuickStart Implementation package gets you up and running fast
■ A configured solution that matches your business needs
■ Our experts answer your individual questions based on their extensive knowledge
■ A clear strategy and well-established foundation to integrate your further (SAP-Cloud) applications
■ The service comprises templated approaches including best practices and leverages the experience
from previous projects
■ A predetermined budget and scope allow you to plan accordingly
■ A well-established central hub responsible for trust, user authentication and provisioning covering
your SAP cloud application landscape
■ Integration with your SAML Identity Provider to leverage existing authentication processes and SSO
capabilities
■ Automation of your user lifecycle processes for your SAP cloud applications and reduction of errors
and manual efforts
■ Use of job-triggered SCIM-based provisioning of users, groups and authorization role assignments
■ Allows flexible SAML NameID format and claims configuration for your SAP applications (AuthN and
AuthZ)
■ Coverage of security recommendations such as conditional and risk-based authentication including
MFA and FIDO2 support
■ Usable in scenarios even without having an SAP IDM or 3rd Party IDM solution in place

For further information: cloud-services@xiting.com | www.xiting.com
This service is geared towards small and medium-sized businesses that do not yet have
an identity management system (IDM) in place and still want to automate their user
provisioning and ID lifecycle processes with simple jobs. For more details, take a look at our
flyer on the Xiting QuickStart Implementation Service.
Even with an existing IDM solution, SAP IPS is often still needed as part of SCI, because it
can act as the central SCIM interface for the various SAP cloud systems. Configured as a
proxy system in IPS, any SAP solution supported by an IPS connector is exposed through a
SCIM 2.0 API, even if the remote SAP cloud system has no SCIM API of its own. A customer
running a non-SAP identity management solution can therefore integrate the SAP landscape
by writing its users into the Identity Directory and leaving the automatic provisioning to
Identity Provisioning. This requires only one connection point, which makes the integration
considerably simpler.
By combining SAP Cloud Identity Services with existing identity management systems
(on-premises or cloud), SAP companies can achieve even more flexibility. For example,
in the scenario outlined here, SAP IDM 8.0 can bring users and groups into the Identity
Directory using SCIM. It’s responsible for initially loading all connected systems using
connectors and providing these identities to the SCI to use as a proxy for provisioning
users and permission assignments to cloud applications. SAP IDM 8.0 ensures the
accuracy and consistency of user data and allows for centralized, workflow-supported
administration of all identities in a hybrid SAP environment:
[Figure: Hybrid Identity & Access Management with Single Sign-On, integration with a central SAP Identity Management solution. The diagram shows the authentication flow and the provisioning flow between SAP HCM | SAP GRC, the SAP IDM solution, SAP Cloud Identity Services and the connected cloud applications. Check out this blog for other integration scenarios (link not preserved).]
Note: SAP Cloud Identity (SCI) is highly recommended for managing user identities and
access to SAP applications. Customers can opt for other Identity Management (IDM) solutions,
including on-premises or cloud-based ones, according to their needs. However, using SCI
alongside other IDMs is suggested for seamless integration, centralized identity management,
enhanced security and compliance, and lower administrative overhead.
■ Integrate your leading source systems via SAP IPS to read and enrich identity
information and persist all required user attributes (and group assignments) for all
SAP cloud applications in the Identity Directory
■ Automate SCIM-based provisioning and management of your identities for all SAP
cloud applications with SAP IPS
■ Integrate your existing IDM solution with the SCI to establish a workflow-driven hybrid
IAM scenario
■ Integrate all SAP SaaS applications and SAP BTP accounts with your IAS tenants to
centralize trust-management across the many SAML service providers
■ Simplify SAML NameID and claims management for all SAP applications
■ Delegate and centralize authentication for all SAP applications to your corporate
identity provider and use identity federation
■ Use existing security features and policies, authentication processes including single
sign-on and multi-factor authentication
The Xiting IAM team specializes in identity and access management in hybrid SAP
environments. This is becoming increasingly crucial in many SAP companies that are
adopting SAP‘s cloud applications strategy. The team‘s consultants focus on managing
identities, from onboarding to offboarding, and improving authentication processes
and access authorizations. Our holistic consulting approach helps customers automate
identity lifecycle management and maintain the convenience of single sign-on, while
also ensuring compliance with authorization policies.
Our team comprises seasoned SAP IDM consultants and in-house developers who can
provide extensive coverage of various SAP security topics using proprietary tools. Our
consulting teams are split into two subject areas, namely SAP Identity Management
that features SAP Identity Management 8.0, our Fiori-UIs (XIFI), our solution Xiting
Central Workflows (XCW), and secure authentication with MFA & SSO that encompasses
ID lifecycle management and cloud security using SAP Cloud Identity Services and
SAP Single Sign-On 3.0 or the new SAP Secure Login Service for SAP GUI.
Email: colt@xiting.com
LinkedIn: linkedin.com/in/carsten-olt-cisa-935a00b6
About Xiting
Xiting is a global leader in SAP Security and a highly specialized SAP solution provider for
Authorization Management, Access Governance, Identity Access Management, Security
Monitoring, and Cyber Security. The SAP-certified solution, the Xiting Authorizations
Management Suite (XAMS), enables SAP customers to automate and simplify time-
consuming tasks related to S/4HANA migrations, role design, maintenance and testing,
securing custom ABAP code, security monitoring, identity consolidation, single and
cross-system segregation of duties, and security audits.
Some of the most successful companies in the world use the XAMS to significantly
lower costs and improve the efficiency of processes that keep SAP systems secure and
operational. Xiting also offers nearshore SAP security support services for a variety of
authorizations and controls tasks.
XITING GmbH
Obere Ringstraße 17
79859 Schluchsee
Germany
Tel: +49 7656 8999 002
info@xiting.com
www.xiting.com