
Xiting E-Book
SAP Cloud Identity Services | Overview, best practices and typical use cases

www.xiting.com
XITING | SAP SECURITY SIMPLIFIED

Table of Contents

Introduction ..... 1
SAP Cloud Identity Authentication Service (IAS) ..... 4
SAP Identity Directory Service (IdDS) ..... 6
SAP Cloud Identity Provisioning Service (IPS) ..... 7
Integration with existing IDM solutions ..... 9
Our recommendations (Key Takeaways) ..... 10
About the Author ..... 11
About Xiting ..... 12


Introduction
SAP Cloud Identity Services is a set of services within SAP Business Technology Platform
(SAP BTP) that allows for seamless integration of identity and access management (IAM)
between systems. The main goal is to provide a secure and seamless single sign-on (SSO)
experience across systems.

This eBook serves as a condensed overview of SAP Cloud Identity Services and is designed
for solution architects, project managers, SAP consultants, and IDM administrators who
want to gain a quick understanding of the essentials of the service. Additionally, it includes
Xiting best practices for the service and outlines the common use cases for the solution.

SAP Cloud Identity Services provides a standard for authentication and user administration
as core services of SAP BTP. It allows for the centralization of user identities to ensure
secure access to all applications within the SAP cloud universe and automate user
administration.

In a constantly growing hybrid SAP landscape, it is crucial to manage and consolidate all
identities in one place. SAP Cloud Identity Services supports industry standards like SCIM,
SAML 2.0, OAuth2, and OpenID Connect, which allows for flexible deployment scenarios
and integration options into existing IAM systems in a multi-vendor landscape.

Overall, SAP Cloud Identity Services provides a foundation for secure and efficient IAM
integration between systems, which is essential for every SAP organization today.

SAP Cloud Identity (SCI) services are public cloud services provided by SAP, available in
various regions globally. These services consist of two primary components: Identity
Authentication (IAS) and Identity Provisioning (IPS), which are essential building blocks
for IAM in hybrid SAP landscapes. Both components are built on the same technology
stack and are included in many SaaS solutions offered by SAP SE or available as a bundle.

Figure: SAP Cloud Identity Services (BTP & SaaS) in the SAP landscape. End users
authenticate against Identity Authentication (IAS), which provides authentication and
single sign-on via SAML 2.0 and OpenID Connect to the SAP cloud business applications
(SAP S/4HANA, SAP BTP, SAP Ariba, SAP Concur, SAP Enable Now, SAP C/4HANA, SAP Analytics
Cloud, SAP SuccessFactors, ...) and delegates authentication via SAML 2.0 / OpenID Connect
to the corporate identity provider (AD/Azure/LDAP...). Identity Provisioning performs
identity lifecycle management over SCIM against the IdDS, fed via SCIM from SAP IDM 8.0 or
an existing user store.


IAS provides authentication services, including secure single sign-on, multi-factor
authentication, and social media authentication. IPS, on the other hand, is responsible
for provisioning user identities to the various SAP applications that have their own user store.

Together they enable organizations to streamline IAM processes and improve the user
experience by providing a single sign-on experience across systems while ensuring
data security. Additionally, these services are built with the flexibility to integrate with
existing IAM systems, making them a valuable addition to any SAP organization looking
to enhance their IAM capabilities.

The SAP Cloud Identity Authentication Service (IAS) represents a central identity
provider. Here all SAP cloud applications are connected to consolidate trust management.
The aim of this approach is to standardize the onboarding of additional SAP cloud
applications. This simplifies the entire onboarding process for new SAP applications.
For user authentication IAS uses common standards such as Security Assertion Markup
Language 2.0 (SAML 2.0) and OpenID Connect to provide ID-Federation.

The SAP Cloud Identity Provisioning Service (IPS) is used to provision user identities
from a specific source system to the Identity Directory service based on preferences and
filter rules. This component ensures the ID lifecycle.

The Identity Directory Service (IdDS) is used by the two services IAS and IPS as a
user database in the SAP cloud environment. Using a group concept customers can
automate the provision of users and groups to SAP cloud applications. Changes such as
the creation of a new employee, adjustments to user data and group assignments or the
deactivation of an account are detected and automatically implemented based on jobs
running in scheduled intervals.

Identity Authentication (IAS)
■ Serves as the main identity provider for SAP cloud and on-premises applications.
■ Consolidates and automates trust management.
■ Standardizes the onboarding process of new SAP cloud applications.
■ Supports common standards like SAML 2.0 and OpenID Connect.
■ Can be easily connected to the existing identity provider supporting proxy-mode and
identity federation scenarios.

Identity Directory (IdDS)
■ Central user database used by the SAP cloud services IAS and IPS.
■ Foundation for identity lifecycle.
■ SCIM 2.0 REST API to support programmable access.
■ Supports 20 custom schemas with 20 custom attributes each.
■ User persistency essential for many features and SAP cloud applications, including
SAP SuccessFactors and SAP Task Center.
■ Owns attributes like the SAP Global User ID and can be enriched with attributes from
other source systems.

Identity Provisioning (IPS)
■ ID lifecycle for cloud-based SAP applications.
■ Integrates with SAP Identity Management for hybrid landscapes and non-SAP IDM
solutions.
■ Supports the industry-standard protocol SCIM.
■ Dedicated connectors for most important applications - normalizes system interfaces
to the SCIM standard.
■ Provides a powerful JSON transformation framework.
■ Has no feature parity and does not aim to replace IDM solutions.


Benefits of using SAP Cloud Identity Services include:

1. Centralized identity management: SAP Cloud Identity Services provide a central
repository for managing user identities, which makes it easier to manage access rights
and privileges across multiple systems.

2. Improved efficiency: By using the Identity Directory (IdDS) as a central repository for
all SAP user identities, organizations can reduce administrative overhead and automate
processes. All users are stored in a central location without having to manage and update
user identities in each service.

3. Single sign-on: By storing user identities in the identity directory, you can enable single
sign-on (SSO) for users across different SAP applications and services. This provides a
seamless and secure user experience, as users only need to sign in once to access all the
SAP services they need.

4. Integration with other systems: By persisting user identities in the identity directory,
you can more easily integrate SAP services with other systems, such as authentication
providers, security information and event management (SIEM) tools, and identity
management solutions. This reduces the risk of errors or inconsistencies.

5. Improved user experience: The SAP Global User ID (UUID) makes it easier for users to
access multiple systems with a single sign-on, providing a more seamless and efficient
experience.

6. Improved governance: SAP Cloud Identity Services combined with other services such
as SAP Cloud Identity Access Governance (IAG), provide tools and capabilities for auditing
and reporting on user access, helping organizations to meet regulatory and compliance
requirements.


SAP Cloud Identity Authentication Service (IAS)
The Identity Authentication service is a crucial component of the SAP cloud, serving
as the central identity provider for all SAP applications. It primarily uses the Security
Assertion Markup Language 2.0 and OpenID Connect standards. When implementing
single sign-on (SSO) and multi-factor authentication (MFA), the existing SAML identity
provider of a company is important. For SAP BTP and all SAP SaaS applications in the
cloud, as well as for on-premises applications like SAP Fiori, the SAP Cloud Identity
Authentication Service (SAP IAS) is used as the central SAML identity provider.

To ensure consistency across all systems (DEV, QAS, PRD), it is recommended to attach the
productive SAP IAS tenant to all of them, while operating a second IAS for sandboxes and
test systems. The SAML endpoint URLs, signature certificates, and SAML configuration
parameters are exchanged via metadata (XML file) generated on both sides between
service providers (SAP SaaS solution or SAP BTP or on-premises S/4HANA systems) and
the SAP IAS. In some cases, such as when using multi-cloud subaccounts in SAP BTP, the
SAML trust is automatically established. The SAP IAS is responsible for issuing the SAML
or ID tokens with the necessary NameID attributes and other claims.

In most cases, SAP IAS is integrated with a customer’s existing SAML identity provider
as an IDP proxy to provide a seamless user experience with single sign-on (SSO). Simply
put, by using the "proxy mode" in SAP IAS, you can authenticate users for all SAP
applications using your company’s existing SAML identity provider. SAP IAS acts as a
mediator between the SAP application and the company’s identity provider, forwarding
authentication requests and receiving authorization through a SAML assertion.

This approach provides users with access to cloud-based applications without the need
to create new login credentials. Additionally, SAP IAS offers an "identity federation"
feature that adds extra layers of security and provides supplementary user data, which
is independent of the customer’s identity provider.

As a result, the customer only needs to integrate their IAS tenant with their existing IDP
one time. This integration is accomplished through identity federation between the two
IDPs, enabling all relevant user and identity information, including attributes from both
(Azure) Active Directory and SAP IAS, to be considered.


In a typical customer landscape, there are two user stores to distinguish between B2E
(Business-to-Employee) and B2B (Business-to-Business) scenarios:

■ IAS: Local Identities Directory (for External | Guests | Customers | Test users |
Developers)

■ Corporate User Store: For example, the Azure AD tenant (synchronized via AAD
Connect with users from the Active Directory Forest)

In this structure, the SAP IAS acts as the main identity provider for all SAP applications and
serves as a broker between the two user stores mentioned above. With the "Conditional
Authentication" function, SAP IAS provides a rule set that can be used to control which
identity provider is used for certain applications, thereby enabling conditional access
based on various criteria.
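The broker logic described above, as an added example that is not IAS code: an ordered, first-match rule set decides which identity provider authenticates a request based on the application, the e-mail domain, the user type and the client IP range, falling back to the IAS-local directory. Rule fields and all sample values are constructed.

```python
"""Ordered, first-match rule evaluation in the spirit of the "Conditional
Authentication" concept: each rule names the identity provider to use and
optional conditions (application, e-mail domain, user type, client IP range);
the default is the IAS-local directory.  Added example, not IAS code; rule
fields and sample values are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    idp: str                            # identity provider to authenticate against
    application: Optional[str] = None   # None = any SAP application
    email_domain: Optional[str] = None  # matched only as the part after '@'
    user_type: Optional[str] = None     # e.g. "employee", "partner", "guest"
    ip_range: Optional[str] = None      # CIDR notation

    def matches(self, ctx):
        """All set conditions must hold; unset conditions are wildcards."""
        if self.application and ctx.get("application") != self.application:
            return False
        if self.email_domain:
            # Anchor on '@' so 'x@evil-example.com' never matches 'example.com'.
            _, _, domain = ctx.get("email", "").rpartition("@")
            if domain.lower() != self.email_domain.lower():
                return False
        if self.user_type and ctx.get("user_type") != self.user_type:
            return False
        if self.ip_range:
            ip = ctx.get("client_ip")
            if not ip or ipaddress.ip_address(ip) not in ipaddress.ip_network(self.ip_range):
                return False
        return True


DEFAULT_IDP = "IAS local identity directory"

# Constructed rule set: B2E employees and the corporate network go to the
# corporate IdP, Ariba partners to their federation IdP, everyone else stays local.
RULES = (
    Rule(idp="Corporate IdP (Azure AD)", email_domain="example.com", user_type="employee"),
    Rule(idp="Corporate IdP (Azure AD)", ip_range="10.0.0.0/8"),
    Rule(idp="Partner IdP", application="SAP Ariba", user_type="partner"),
)


def select_idp(ctx, rules=RULES, default=DEFAULT_IDP):
    """Return (idp, index of the first matching rule) or (default, None)."""
    for index, rule in enumerate(rules):
        if rule.matches(ctx):
            return rule.idp, index
    return default, None


if __name__ == "__main__":
    print(select_idp({"application": "SAP Analytics Cloud", "email": "jane.doe@example.com",
                      "user_type": "employee", "client_ip": "203.0.113.5"}))
```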

This authentication concept ultimately enables SSO for all (http) applications across all
devices. In the cloud, where partner and B2B scenarios are necessary in addition to
employee access, multi-factor authentication (MFA) is a critical requirement for IT security.
This approach allows for not only employees but also the integration of external users,
such as guest accounts, to have access with MFA capabilities.

Note: To ensure a future-proof setup, the SAP IAS should be used as the central IDP for all
SAP applications and connected to the existing IDP.

For more information, please have a look at this blog.


Further details can also be found in our eBook.


SAP Identity Directory Service (IdDS)


The Identity Directory is a critical component of the SAP cloud services IAS and IPS,
serving as the central user database. By storing all user and group information, it
streamlines the user lifecycle process and forms the foundation for integrating SAP cloud
applications. Acting as the single source of truth, it generates crucial attributes like the
SAP Global User ID for accessing SAP (cloud) applications. Moreover, it can be enriched
with attributes from other source systems, resulting in a centralized user identity that
can be used to access the entire SAP cloud ecosystem.

Using its SCIM 2.0 REST API, the Identity Directory allows for the programmable access
of various resources such as users, groups, and customer schemas. Data is not only
visible through APIs, but also in the user interface of the Identity Authentication service
itself. Under User Management and User Groups, the data is sourced directly from the
Identity Directory.

The Identity Directory is essential for many new features and SAP cloud applications,
including SAP SuccessFactors, SAP Task Center, and SAP Identity Access Governance. For
instance, SAP Task Center relies on the user’s Universally Unique Identifier (UUID) generated
during creation in the Identity Directory to accurately map tasks to specific SAP solutions. The
SCIM 2.0 API allows for access to the Identity Directory and the creation of custom schemas
and attributes. Users, groups, and group assignments can be programmatically accessed
and modified, with a maximum of 20 custom schemas with 20 custom attributes each.
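As an added example (not SAP code) of what a SCIM 2.0 client of such a directory prepares: a User resource carrying a custom schema extension, a pre-flight check of the stated limits (20 custom schemas with 20 attributes each) and of undeclared extension attributes, and the RFC 7644 PatchOp that adds the user to a group. The HR extension URN and all sample values are constructed.

```python
"""SCIM 2.0 client-side helpers for a directory like the Identity Directory:
build a User with a custom schema extension, enforce the stated limits
(20 custom schemas with 20 attributes each) before sending, and build the
PatchOp that adds the user to a group.  Added example, not SAP code; the HR
extension URN and all sample values are constructed."""
import json
import uuid

# Standard SCIM 2.0 URNs (RFC 7643 / RFC 7644).
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Limits for custom schemas as stated in the eBook for the Identity Directory.
MAX_CUSTOM_SCHEMAS = 20
MAX_ATTRIBUTES_PER_SCHEMA = 20

# Constructed custom schema URN (hypothetical HR extension, not SAP-defined).
HR_EXT = "urn:example:scim:schemas:extension:hr:2.0:User"


class SchemaRegistry:
    """Tracks the custom schemas a tenant has created and their attributes."""

    def __init__(self):
        self.schemas = {}  # urn -> set of declared attribute names

    def can_register(self, urn, attributes):
        """True if one more schema with these attributes still fits the limits."""
        return (urn not in self.schemas
                and len(self.schemas) < MAX_CUSTOM_SCHEMAS
                and len(attributes) <= MAX_ATTRIBUTES_PER_SCHEMA)

    def register(self, urn, attributes):
        if not self.can_register(urn, attributes):
            raise ValueError(f"cannot register schema {urn}: duplicate or limit reached")
        self.schemas[urn] = set(attributes)

    def validate(self, resource):
        """Return a list of problems (empty means acceptable): every extension
        schema must be registered and every extension attribute declared."""
        problems = []
        for urn in resource["schemas"]:
            if urn == CORE_USER:
                continue
            declared = self.schemas.get(urn)
            if declared is None:
                problems.append(f"unknown schema {urn}")
                continue
            for attr in sorted(set(resource.get(urn, {})) - declared):
                problems.append(f"undeclared attribute {attr} in {urn}")
        return problems


def build_user(user_name, given, family, email, extensions=None):
    """SCIM User resource; extensions is {schema_urn: {attribute: value}}."""
    user = {
        "schemas": [CORE_USER],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }
    for urn, attrs in (extensions or {}).items():
        user["schemas"].append(urn)
        user[urn] = dict(attrs)
    return user


def add_member_patch(user_id):
    """Body for PATCH /Groups/{groupId} adding one member (RFC 7644, 3.5.2)."""
    return {
        "schemas": [PATCH_OP],
        "Operations": [{"op": "add", "path": "members",
                        "value": [{"value": user_id}]}],
    }


def demo():
    """Register the constructed HR schema, build and validate a user, patch a group."""
    registry = SchemaRegistry()
    registry.register(HR_EXT, ["costCenter", "employeeType"])
    user = build_user("jdoe", "Jane", "Doe", "jane.doe@example.com",
                      {HR_EXT: {"costCenter": "CC-4711", "employeeType": "B2E"}})
    problems = registry.validate(user)
    # The directory assigns the id on POST /Users; a constructed UUID stands in here.
    patch = add_member_patch(str(uuid.uuid4()))
    return user, problems, patch


if __name__ == "__main__":
    u, p, patch = demo()
    print(json.dumps(u, indent=2), p, json.dumps(patch, indent=2), sep="\n")
```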

Once users are added to the Identity Directory, the Identity Provisioning service takes
over the task of provisioning these users to SAP applications with their own user stores.
By having all user information stored in a central location, the Identity Provisioning
service can efficiently manage the provisioning and de-provisioning of users across
multiple SAP applications.

Ultimately, the centralized storage of user data provided by the Identity Directory and
Identity Provisioning service greatly simplifies the management of user lifecycles, while
also enhancing security and compliance for SAP applications.


SAP Cloud Identity Provisioning Service (IPS)


The Identity Provisioning Service (IPS) offers automated provisioning of users,
groups, and permissions for various SAP cloud solutions. It comes equipped with
multiple connectors that are regularly updated by SAP, and its basic configuration makes
integration a breeze. IPS normalizes system interfaces to the SCIM standard, with JSON
transformation frameworks allowing for customization of data fields to be transferred.

While manual identity management can be done, this is typically only used when a
limited number of SAP cloud applications have been introduced initially. IPS offers a
more efficient and reliable solution for managing identities in larger and more complex
SAP landscapes.

The complexity and importance of identity lifecycle management increases as more
processes and applications are outsourced to the cloud. In a mature SAP landscape, it is
crucial to manage all identities in a single aggregated user-provisioning endpoint. Without
automation, manual administration of user accounts in multiple applications becomes
a time-consuming task. Therefore, automating at least some of the processes becomes
necessary, especially if no workflow-supported identity management processes need to
be implemented in the first step.

The SAP IPS provides a solution to automate the identity lifecycle process. It can bring
users from one or multiple user stores (source systems) to different target systems,
making it possible to provide and keep identities up to date in SAP cloud applications. To
achieve this, the IPS uses the System for Cross-Domain Identity Management (SCIM), an
industry-standard for provisioning.

Figure: Identity Provisioning flows. Steps 1-3: a source system ((Azure) Active Directory |
SFSF | ...) is read by IPS through a read transformation and written through a write
transformation into the target, the IAS Identity Directory (IdDS). Steps 4-6: the IAS
IdDS in turn acts as source, and IPS provisions, again via read and write transformations,
to the targets (BTP | SaaS | ...).

The System for Cross-domain Identity Management (SCIM) specification is designed to
manage user identity in cloud-based applications and services in a standardized way,
which enables interoperability, security, and scalability. The underlying concept of
SCIM 2.0 is based on a common user schema, group schema, and an extension model, which
are exchanged via an HTTP-based protocol.


The hiring process typically commences by creating personnel master data records in
the HCM system. Based on this data, user accounts and employee-related information
are created and consolidated at a central location, usually the (Azure) Active Directory.

In a straightforward scenario (without other IDM solutions involved), SAP IPS is
responsible for bringing the relevant user identities from the source system(s) such as
(Azure) Active Directory or SuccessFactors into the Identity Directory, which serves as a
foundation for both IPS and IAS.

By employing a suitable group concept, the provisioning of users and groups from the
Identity Directory to the corresponding SAP cloud applications can be automated. Any
changes, such as new employee creation, user data or group assignments modifications,
or account deactivation, are handled through IPS and automatically executed at
scheduled intervals. This ensures that new identities are generated, or existing ones
are deactivated, with the changes reflected in connected cloud or on-premises SAP
applications as needed.

In essence, the Provisioning Service (IPS) streamlines the task of keeping identities
current across the SAP cloud application landscape. Ideally, it utilizes the IdDS as the
data foundation, with the SCIM standard playing a pivotal role in the process.
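To make the read-transformation step concrete, here is an added example (not IPS code) of a small mapping engine in the style of the IPS JSON transformation rules (sourcePath / targetPath / constant / optional / condition): it turns a constructed directory record into a SCIM 2.0 User, skipping optional attributes that are absent and deriving the SCIM active flag from the account-control value. The engine, the mapping and the sample record are this example's own assumptions.

```python
"""Minimal read-transformation engine in the style of the IPS mapping rules
(sourcePath / targetPath / constant / optional / condition).  Added example: the
engine, mapping and source record are constructed, not IPS code; only the
JSONPath subset $.a.b[0].c is supported."""
import re

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed source record as a directory connector might read it.
SOURCE_USER = {
    "sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
    "mail": "jane.doe@example.com",
    "userAccountControl": 512,  # 512 = enabled, 514 = disabled (AD semantics)
}

# Constructed mapping from directory attributes to a SCIM 2.0 User resource.
READ_TRANSFORMATION = {"user": {"mappings": [
    {"constant": SCIM_USER, "targetPath": "$.schemas[0]"},
    {"sourcePath": "$.sAMAccountName", "targetPath": "$.userName"},
    {"sourcePath": "$.givenName", "targetPath": "$.name.givenName"},
    {"sourcePath": "$.sn", "targetPath": "$.name.familyName"},
    {"sourcePath": "$.mail", "targetPath": "$.emails[0].value"},
    {"constant": True, "targetPath": "$.emails[0].primary"},
    # optional: silently skipped when the source attribute is absent
    {"sourcePath": "$.mobile", "targetPath": "$.phoneNumbers[0].value", "optional": True},
    # conditional constants: map the AD account flag to the SCIM active flag
    {"constant": True, "targetPath": "$.active", "condition": "$.userAccountControl == 512"},
    {"constant": False, "targetPath": "$.active", "condition": "$.userAccountControl == 514"},
]}}

_TOKEN = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]")
_COND = re.compile(r"^\s*(\$[^\s=]+)\s*==\s*(.+?)\s*$")

def parse_path(path):
    """'$.emails[0].value' -> ['emails', 0, 'value']."""
    if not path.startswith("$"):
        raise ValueError(f"path must start with $: {path}")
    keys, pos = [], 1
    while pos < len(path):
        m = _TOKEN.match(path, pos)
        if not m:
            raise ValueError(f"unsupported path segment in {path!r} at {pos}")
        keys.append(m.group(1) if m.group(1) is not None else int(m.group(2)))
        pos = m.end()
    return keys

def _get(container, key):
    """Child at key, or None when the key/index does not exist."""
    if isinstance(container, list):
        return container[key] if isinstance(key, int) and key < len(container) else None
    return container.get(key) if isinstance(container, dict) else None

def _set(container, key, value):
    if isinstance(container, list):  # pad the list so the index exists
        container.extend([None] * (key + 1 - len(container)))
    container[key] = value

def read_path(obj, path):
    """Value at path, or None when any segment is missing."""
    cur = obj
    for key in parse_path(path):
        cur = _get(cur, key)
        if cur is None:
            return None
    return cur

def write_path(obj, path, value):
    """Set value at path, creating intermediate dicts and lists as needed."""
    keys, cur = parse_path(path), obj
    for i, key in enumerate(keys[:-1]):
        child = _get(cur, key)
        if child is None:
            child = [] if isinstance(keys[i + 1], int) else {}
            _set(cur, key, child)
        cur = child
    _set(cur, keys[-1], value)

def condition_holds(source, condition):
    """Only the form '$.path == literal' is supported (quotes optional)."""
    m = _COND.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition}")
    actual = read_path(source, m.group(1))
    return actual is not None and str(actual) == m.group(2).strip("'\"")

def transform(source, transformation):
    """Apply the mapping rules in order and return the target SCIM resource."""
    target = {}
    for rule in transformation["user"]["mappings"]:
        if "condition" in rule and not condition_holds(source, rule["condition"]):
            continue
        if "constant" in rule:
            value = rule["constant"]
        else:
            value = read_path(source, rule["sourcePath"])
            if value is None:
                if rule.get("optional"):
                    continue
                raise ValueError(f"required source attribute missing: {rule['sourcePath']}")
        write_path(target, rule["targetPath"], value)
    return target
```

A required attribute that is missing in the source raises instead of producing a half-built user, which is the failure mode a provisioning job should surface rather than silently skip.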

Note: To help SAP companies implement a future-proof foundation for managing access and
identities in the SAP cloud universe in a simple and standardized way, our new Xiting QuickStart
Implementation Service can be interesting. It includes a fixed scope that incorporates
common best practices and provides immediate benefits and basic user authentication and
provisioning capabilities in the SAP cloud universe.

Flyer: QuickStart Implementation for SAP Cloud Identity Services (Xiting; 5 days, fixed
price; customized packages on request via cloud-services@xiting.com, www.xiting.com).

The SAP Cloud Identity Services consist of two main components, and the package covers both:

SAP Cloud Identity Authentication (IAS)
■ Best practice configuration and determination of your IAS tenant model
■ Integration with your existing SAML Identity Provider (ADFS, Azure, Okta, …)
■ Creation of two cloud or on-prem SAP applications in your IAS (SAML trust)

SAP Cloud Identity Provisioning (IPS)
■ Best practice configuration and determination of your IPS tenant model
■ Connection of your central system such as AD, Azure or an HCM as a source system for
user distribution
■ Set-up of a lightweight user group concept to manage ID lifecycle and authentication
■ Job-triggered provisioning of users and groups for two SAP cloud applications (SAP BTP
& SaaS)

Long-lasting benefits
■ Integration with your SAML Identity Provider to leverage existing authentication
processes and SSO capabilities
■ Automation of your user lifecycle processes for your SAP cloud applications and
reduction of errors and manual efforts
■ Use of job-triggered SCIM-based provisioning of users, groups and authorization role
assignments
■ Flexible SAML NameID format and claims configuration for your SAP applications (AuthN
and AuthZ)
■ Coverage of security recommendations such as conditional and risk-based authentication
including MFA and FIDO2 support
■ Usable in scenarios even without an SAP IDM or third-party IDM solution in place

Typical challenges addressed: establishing a future-proof foundation for the transition of
existing user lifecycle processes toward the SAP cloud universe; automating and optimizing
the user lifecycle with standard tools; onboarding additional SaaS applications such as SAP
Analytics Cloud, SAP Integrated Business Planning and SAP Ariba; more transparency in a
complex hybrid architecture; integration with Active Directory, Azure AD or third-party
identity providers. Optional extensions: integrating an existing third-party or SAP IDM
system for business roles and workflow-based provisioning, additional source systems
(HCM/SFSF) to enrich identities with further attributes, and custom authorization concepts
for SaaS and BTP applications.

This service is geared towards small and medium-sized businesses that do not yet have
an identity management system (IDM) in place and still want to automate their user
provisioning and ID lifecycle processes with simple jobs. For more details, take a look at our
flyer on the Xiting QuickStart Implementation Service.


Integration with existing IDM solutions


The simplified approach mentioned earlier is just one of several options for managing
identities. With an Identity Management System (IDM) from SAP or another vendor,
numerous integration scenarios can be implemented.

Even with an existing IDM solution, SAP IPS is often necessary as part of the SCI. It
can serve as a centralized SCIM interface for various SAP cloud systems. Using an IPS
connector, any SAP solution supported via IPS can be operated as a SCIM proxy system,
even if the remote SAP cloud systems do not have a SCIM API. If a customer is using a non-
SAP identity management solution, they can easily integrate with the SAP landscape by
storing their users in the Identity Directory and utilizing automatic user provisioning with
Identity Provisioning. This requires only one connection point, making the integration
process much simpler.

By combining SAP Cloud Identity Services with existing identity management systems
(on-premises or cloud), SAP companies can achieve even more flexibility. For example,
in the scenario outlined here, SAP IDM 8.0 can bring users and groups into the Identity
Directory using SCIM. It’s responsible for initially loading all connected systems using
connectors and providing these identities to the SCI to use as a proxy for provisioning
users and permission assignments to cloud applications. SAP IDM 8.0 ensures the
accuracy and consistency of user data and allows for centralized, workflow-supported
administration of all identities in a hybrid SAP environment:

Figure: Hybrid Identity & Access Management with Single Sign-On, integration with a central
SAP Identity Management solution (check out this blog for other integration scenarios).

Authentication flow: the authentication request is sent via SAML 2.0 / OpenID Connect to
the corporate identity provider (Azure | ADFS | Okta | ...) with IAS as service provider in
between. After successful login at the corporate IdP, the end user receives the token for
SSO log-in to all SAP applications (SAP BTP global account/subaccounts, SAP SaaS
applications, SAP on-premise customer systems) from any client (iOS, Android, Windows,
desktop).

Provisioning flow: identity provisioning into the SCI persistency layer (the Identity
Directory, shared by IAS and IPS) is performed from the (SAP) IDM, which is in charge of the
correctness and consistency of user data and centrally triggers the creation, modification
and deletion of identities. Event- or job-driven user and role provisioning runs via the
IDM / IPS proxy system definition over SCIM 2.0 and HTTP, while the SAP IDM 8.0 connectors
reach the SAP on-premise systems via RFC and the third-party (non-SAP) systems; SAP HCM |
SAP GRC are connected on premise (CIRM).

Recommendation: Replicate the users and groups of the SCI (via IPS) from (SAP) IDM. Utilize
the IPS for provisioning between (SAP) IDM and the SAP Cloud applications and use SAP
Identity Management 8 and GRC Access Control for the on-premise flows (CIRM).

Note: SAP Cloud Identity (SCI) is highly recommended for managing user identities and
access to SAP applications. Customers can opt for other Identity Management (IDM) solutions,
including on-premises or cloud-based ones, according to their needs. However, using SCI
alongside other IDMs is suggested for seamless integration, centralized identity management,
enhanced security and compliance, and lower administrative overhead.


Our recommendations (Key Takeaways)


In summary, we would like to share some Xiting best practices with you:

■ Consolidate your identities to central SAP Cloud Identity Services tenants

■ Integrate your leading source systems via SAP IPS to read and enrich identity
information and persist all required user attributes (and group assignments) for all
SAP cloud applications in the Identity Directory

■ Automate SCIM-based provisioning and management of your identities for all SAP
cloud applications with SAP IPS

■ Integrate your existing IDM solution with the SCI to establish a workflow-driven hybrid
IAM scenario

■ Integrate all SAP SaaS applications and SAP BTP accounts with your IAS tenants to
centralize trust-management across the many SAML service providers

■ Simplify SAML Name ID and claims management for all SAP applications

■ Delegate and centralize authentication for all SAP applications to your corporate
identity provider and use identity federation

■ Use existing security features and policies, authentication processes including single
sign-on and multi-factor authentication

The Xiting IAM team specializes in identity and access management in hybrid SAP
environments. This is becoming increasingly crucial in many SAP companies that are
adopting SAP’s cloud applications strategy. The team’s consultants focus on managing
identities, from onboarding to offboarding, and improving authentication processes
and access authorizations. Our holistic consulting approach helps customers automate
identity lifecycle management and maintain the convenience of single sign-on, while
also ensuring compliance with authorization policies.

Our team comprises seasoned SAP IDM consultants and in-house developers who can
provide extensive coverage of various SAP security topics using proprietary tools. Our
consulting teams are split into two subject areas, namely SAP Identity Management
that features SAP Identity Management 8.0, our Fiori-UIs (XIFI), our solution Xiting
Central Workflows (XCW), and secure authentication with MFA & SSO that encompasses
ID lifecycle management and cloud security using SAP Cloud Identity Services and
SAP Single Sign-On 3.0 or the new SAP Secure Login Service for SAP GUI.


About the Author


Carsten Olt
Managing SAP Security Consultant | SAP Trainer
Secure Authentication | SSO | Cloud Security Services

Carsten Olt has been working as a Managing SAP Security Consultant since 2016,
responsible for Secure Authentication & SSO and SAP Cloud Security Services at Xiting in
Germany. As a member of the IAM team, he is also a team leader who conveys the company’s
goals and strategies to employees and has organizational responsibility.

With a security-minded approach, Carsten has international project and IT security
experience in many industries. He has been working in IT security since 2001, specializing
in SAP security since 2010. He is a subject matter expert for SAP Single Sign-On 3.0 and a
trainer for the WDESSO course. His current focus is on supporting customers in solving
authentication and security challenges within hybrid SAP landscapes, as well as designing
and implementing holistic authentication concepts. Carsten is an ISACA CISA and a former
MCP and RHCE with an ISP background, and he looks at security from different angles. He
also translates between SAP and IT security vocabulary.

Carsten has in-depth experience in multi-vendor architectures and MSFT/Azure components,
dealing with all the requirements concerning SAML 2.0, OAuth, OpenID Connect, SCIM, X.509
CBA & PKI, MFA, SAP SSO, and Secure Network Communications, Kerberos/SPNEGO, data security
and encryption, as well as digital signatures.

Carsten is experienced in SAP on-premises components such as S/4HANA, ABAP, and Java, as
well as security solutions like SSO 3.0. Since 2019, he has focused on SAP-cloudified
environments, specifically the SAP Cloud Identity Services and SAP BTP, as well as SaaS
integrations concerning IAM. He deals with hybrid SAP security in conjunction with Azure
Active Directory, ADDS, ADFS, ADCS, Reverse Proxies/WAF, SAP Web Dispatcher, SAP Cloud
Connector, third-party products, and infrastructure components.

Email: colt@xiting.com
LinkedIn: linkedin.com/in/carsten-olt-cisa-935a00b6


About Xiting
Xiting is a global leader in SAP Security and a highly specialized SAP solution provider for
Authorization Management, Access Governance, Identity Access Management, Security
Monitoring, and Cyber Security. The SAP-certified solution, the Xiting Authorizations
Management Suite (XAMS), enables SAP customers to automate and simplify time-
consuming tasks related to S/4HANA migrations, role design, maintenance and testing,
securing custom ABAP code, security monitoring, identity consolidation, single and
cross-system segregation of duties, and security audits.

Some of the most successful companies in the world use the XAMS to significantly
lower costs and improve the efficiency of processes that keep SAP systems secure and
operational. Xiting also offers nearshore SAP security support services for a variety of
authorizations and controls tasks.

XITING GmbH
Obere Ringstraße 17
79859 Schluchsee
Germany
Tel: +49 7656 8999 002

info@xiting.com
www.xiting.com

© 2023 Xiting. All rights reserved.
