PUBLIC
2018-06-19
SAP Cloud Platform Identity Provisioning Service
Content
1 SAP Cloud Platform Identity Provisioning Service [page 3]
1.1 What's New for Identity Provisioning [page 4]
    Release Notes – 2017 [page 6]
    Release Notes – 2016 [page 17]
1.2 Overview [page 20]
1.3 Getting Started [page 22]
    Access the Identity Provisioning (Trial) [page 23]
    Purchase the Identity Provisioning (Standalone) [page 25]
    Purchase the Identity Provisioning (Bundles) [page 29]
1.4 Operations [page 32]
    Transformations [page 33]
    Systems [page 56]
    Properties [page 65]
    Manage Jobs and Job Logs [page 98]
    Manage Job Notifications [page 102]
    Access Audit Logs (Bundles) [page 103]
    Manage Authorizations (Bundles) [page 104]
    Reset Identity Provisioning Configuration [page 105]
1.5 Scenarios [page 106]
    Source Systems [page 107]
    Target Systems [page 153]
    Proxy Systems [page 209]
    Local Identity Directory [page 243]
    Hybrid Scenario: SAP Identity Management [page 246]
1.6 Identity Directory (Beta) [page 248]
    Enabling Identity Directory [page 250]
    Managing Resources [page 251]
    Requesting Audit Logs [page 278]
    Security [page 279]
1.7 Security [page 280]
    Communication Security [page 281]
    Customer Data [page 281]
    Authentication and Roles [page 283]
    Job Logs [page 283]
    Data Protection and Privacy [page 284]
1.8 Support [page 288]
1 SAP Cloud Platform Identity Provisioning Service
Get Started
Overview [page 20]
Getting Started [page 22]

What's New
Release Notes – 2018 [page 4]
Release Notes – 2017 [page 6]
Release Notes – 2016 [page 17]

Scenarios
Local Identity Directory [page 243]
SAP Analytics Cloud (Beta) [page 163]
SAP Application Server ABAP [page 114]
SAP Cloud Platform Identity Authentication [page 156]
SAP Cloud Platform Java/HTML5 Apps [page 154]
SAP Document Center [page 179]
SAP HANA Database (Beta) [page 172]
SAP Hybris Cloud for Customer [page 165]
Hybrid Scenario: SAP Identity Management [page 246]
SAP Jam [page 181]
SAP SuccessFactors [page 120]
Concur [page 193]
CloudFoundry UAA Server [page 201]
Microsoft Active Directory [page 145]
Microsoft Azure Active Directory [page 204]
Google G Suite [page 185]
SSH Server (Beta) [page 197]
SCIM System [page 190]
LDAP Server [page 133]

Resources
Identity Directory (Beta) [page 248]
Operations [page 32]
Security [page 280]
Support [page 288]
Video
Disclaimer
Legal Disclosure
Copyright and Trademarks
1.1 What's New for Identity Provisioning
Archive [page 6]
25 May 2018 – Identity Provisioning
New
Audit logs (bundle accounts)
You can now access audit logs to track changes made in your Identity Provisioning account. See: Access Audit Logs (Bundles) [page 103]
New
Bundle scenarios (documentation)
As you know, Identity Provisioning can be consumed either as a standalone service or as part of another product – SAP Jam and SAP SuccessFactors. Now you can learn more about these "bundle" cases. See:
Purchase the Identity Provisioning (Bundles) [page 29]
Access the Identity Provisioning (Bundles) [page 30]
Manage Authorizations (Bundles) [page 104]
5 March 2018 – Identity Provisioning
New
Subaccounts
You can enable the Identity Provisioning service on a certain number of subaccounts for your global account. This information is now available in the Support section of the service user interface.
To learn more, see: Support [page 288]
Change
JSON functions
The manipulateDate function can now convert a Unix time stamp date format (an integer number) into standard Java ones (like YYYY-MM-DD). That means that if the source system stores a date as a number of milliseconds, after the transformations this number is converted and written to the target system as a date in a human-readable format.
See: JSON Functions [page 47] → manipulateDate
14 February 2018 – Identity Provisioning
New
Properties
Two new properties help you control the notification e-mails sent when a provisioning job fails:
● ips.job.notification.ignored.consecutive.failures
● ips.job.notification.repeat.on.failure
Find them on page: List of Properties [page 67]
See also: Manage Job Notifications [page 102]
Archived Release Notes
● 2017 [page 6]
● 2016 [page 17]
1.1.1 Release Notes – 2017
Entries are listed as date – function – type of change, followed by a description.
2017-12-28 – SAP Analytics Cloud (beta) – New
A new provisioning system is available for both reading and writing entities.
See: SAP Analytics Cloud (Beta) [page 163]
2017-12-28 – Properties – New
Four new properties have been created, as follows:
● SSH properties for reading users and groups in SSH Server (Beta) source systems: ssh.read.groups.command and ssh.read.users.command
● SCIM properties, currently applicable only to SAP Analytics Cloud (Beta) source systems: scim.api.csrf.protection and csrf.token.path
See: List of Properties [page 67]
2017-12-28 – SSH Server (beta) – Enhancement
You can now use the SSH Server (Beta) connector for both reading and writing entities.
See: SSH Server (Beta) [page 197]
2017-12-28 – SAP Hybris Cloud for Customer – Enhancement
The SAP Hybris C4C connector has a new API, which requires a new transformation in the Identity Provisioning UI. You can either use the old transformation (which is the default), or replace it with the new one by configuring two additional properties.
See: SAP Hybris Cloud for Customer [page 165]
2017-11-24 – Job logs – New
You can now export job execution logs.
See: Manage Jobs and Job Logs [page 98]
2017-11-09 – Properties – New
A new SCIM property, scim.group.members.additional.attributes, allows you to request additional attributes while reading groups from an Identity Authentication source system.
Find this property on page: List of Properties [page 67]
2017-11-09 – Job logs – New
You can set a retention period (7, 14 or 30 days) for your provisioning job logs. By default, your logs are kept for 7 days.
See: Manage Jobs and Job Logs [page 98]
2017-11-09 – Identity Authentication (system) – Enhancement
You can now read and write groups in the Identity Authentication system using the SCIM API. Previously, you could provision users and groups only through the Identity Authentication UI.
See: SAP Cloud Platform Identity Authentication [page 156]
2017-10-18 – Target systems (beta) – New
The following new target systems (connectors) are available in the Identity Provisioning UI:
● SSH Server (Beta) [page 197] – It helps you execute bash scripts through an SSH connection. The configuration allows you to attach separate scripts per entity lifecycle callback (such as user create, group update, and so on).
● SAP HANA Database (Beta) [page 172] – It helps you connect to an SAP HANA Database that is installed on a remote system (cloud or on-premise). You can reach its JDBC SQL port either directly or via an SSH tunnel. Once you access this port, you can provision entities (users and user assignments). You have to configure this target connector according to the location where SAP HANA Database is installed. Cases:
○ Installed on-premise – you need to configure an SSH tunnel and the Cloud Connector control access.
○ Installed on SAP Cloud Platform (Neo) – you can make a direct connection.
○ Installed on SAP Cloud Platform (Cloud Foundry) – you have to open an SSH tunnel to a running application container. You also need the Space Developer role, and have to configure a security group that allows the applications in this space to access the JDBC SQL port.
Remember: As these connectors are still in beta state, we recommend that you do not use them in enterprise accounts.
2017-10-18 – Job notifications – Enhancement
You can now receive e-mail notifications for successful provisioning jobs that have previously failed.
See: Manage Job Notifications [page 102]
2017-09-25 – Identity Directory (beta service) – New
Identity Directory is a beta service in the SAP Cloud Platform cockpit and depends on the Identity Provisioning service. It provides organizations with a directory for securely storing and managing users and groups in SAP Cloud Platform.
See: Identity Directory (Beta) [page 248]
2017-09-25 – Local Identity Directory (system) – New
You can use the Identity Directory as your local source or target system.
See: Local Identity Directory [page 243]
2017-09-25 – Value mappings – New
A new JSON expression, valueMapping, allows multiple entity attributes from a source system to be mapped to a single custom attribute in the target. For example, you can take the user attributes country + city and map them to a target attribute timezone.
See: JSON Expressions [page 38] → valueMapping
2017-09-25 – Target SCIM systems – Enhancement
In a target system you can disable (deactivate) entities if they are deleted in the source system, or if a condition stops them from being read. For this purpose, you use the deleteEntity scope in the default target system transformations.
Now you can disable such entities also in generic SCIM systems which don't support PATCH operations. To do this, use the new system property scim.support.patch.operation, setting it to false.
Find this property on page: List of Properties [page 67]
See also: JSON Expressions [page 38] → deleteEntity
2017-09-07 – SAP Document Center – New
You can now use SAP Document Center as a target system to provision users from other systems.
See: SAP Document Center [page 179]
2017-08-10 – Properties – New
Use the following new properties to retry entity operations (create, update, delete) that have failed due to a timeout or rate limit:
● ips.failed.request.retry.attempts
● ips.failed.request.retry.attempts.interval
Find these properties on page: List of Properties [page 67]
2017-08-10 – Target systems – Enhancement
Google G Suite and Microsoft Azure AD now support writing both users and groups. See:
● Google G Suite [page 185]
● Microsoft Azure Active Directory [page 204]
2017-07-26 – Hybrid scenario – Enhancement
You can now export a created proxy system and then import it as a SCIM repository in SAP Identity Management. See:
● Hybrid Scenario: SAP Identity Management [page 246]
● Export and Import Systems [page 63]
2017-07-26 – Concur system – Enhancement
Concur offers three types of edition sites. The Identity Provisioning service supports the Standard one, which allows you to provision users without grouping them into organization units.
If your Concur site requires grouping of users, you need to add some extra JSON code lines to your target transformation. To learn how, see: Concur [page 193]
2017-07-07 – Hybrid scenario – New
You can now provision entities from a cloud to an on-premise system (and the other way around) without making a direct connection between them. For this purpose, you can use a proxy system. See: Hybrid Scenario: SAP Identity Management [page 246]
Note: Currently, this hybrid scenario is only applicable to SAP Identity Management, used as the on-premise system.
2017-07-07 – Source systems – Enhancement
Concur and Google G Suite, which you could previously use only as target systems, are now available also as sources. Available operations:
● Concur supports reading and writing users.
● Google G Suite supports reading and writing users, as well as reading groups.
2017-06-19 – Custom HTTP headers – New
You can pass additional information with the HTTP requests.
See: List of Properties [page 67] → ips.http.header.<header_name>
2017-05-31 – Skip operations – New
If you want the provisioning job to not execute create or delete operations on entities of a certain type, use the skipOperations scope.
See: JSON Expressions [page 38] → skipOperations
2017-05-31 – Log personal content – New
Choose whether to enable or disable logging of personal data for provisioned entities.
See: List of Properties [page 67] → ips.trace.failed.entity.content
2017-05-05 – deleteEntity – New
If an entity no longer exists in, or is no longer read from, the source system, and you want to change its status in the target system rather than delete it, set the deleteEntity scope.
See: JSON Expressions [page 38] → deleteEntity
2017-05-05 – Job notifications – New
You can now subscribe to receive e-mail notifications about provisioning jobs that finish with an error.
See: Manage Job Notifications [page 102]
2017-05-05 – SCIM properties – Enhancement
You can use the following SCIM properties to search for particular entities:
● scim.user.filter (source systems) – the service reads only the users matching the configured filter expression.
● scim.user.unique.attribute (target systems) – if the service tries to recreate an existing user, this property lets it find the user by a specific attribute and only update it.
● scim.group.unique.attribute (target systems) – if the service tries to recreate an existing group, this property lets it find the group by a specific attribute and only update it.
See: SCIM System [page 190]
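The following is an added illustration, not code from SAP or the Identity Provisioning service, of the behaviour the notes above describe for scim.user.filter, scim.user.unique.attribute, and the deleteEntity scope on targets with scim.support.patch.operation set to false: a simulated SCIM target receives a create-or-update run, and users no longer read from the source are deactivated with PATCH or, when PATCH is unsupported, with a full PUT. All class and function names, the in-memory target, and the sample users are constructed for this example.

```python
import re
from typing import Optional

# Illustration only: names, the in-memory target and the sample data are
# constructed for this example and are not part of the Identity Provisioning service.

# Tiny SCIM filter evaluator covering eq / sw / co on one attribute, i.e. the
# kind of expression scim.user.filter restricts a source read to.
_FILTER_RE = re.compile(r'^(\w+)\s+(eq|sw|co)\s+"([^"]*)"$')


def matches(user: dict, filter_expr: str) -> bool:
    m = _FILTER_RE.match(filter_expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {filter_expr}")
    attr, op, value = m.groups()
    actual = str(user.get(attr, ""))
    if op == "eq":
        return actual == value
    if op == "sw":
        return actual.startswith(value)
    return value in actual  # co


def read_users(source: list, filter_expr: Optional[str]) -> list:
    """Source read honouring scim.user.filter (None means read everything)."""
    return [u for u in source if filter_expr is None or matches(u, filter_expr)]


class ScimTarget:
    """In-memory stand-in for a generic SCIM target; logs the HTTP-style calls made."""

    def __init__(self, supports_patch: bool):
        self.supports_patch = supports_patch  # mirrors scim.support.patch.operation
        self.users: dict = {}                  # id -> stored resource
        self.log: list = []
        self._next_id = 1

    def search(self, attr: str, value: str) -> Optional[dict]:
        self.log.append(f'GET /Users?filter={attr} eq "{value}"')
        return next((u for u in self.users.values() if u.get(attr) == value), None)

    def create(self, user: dict) -> dict:
        uid = f"u{self._next_id}"
        self._next_id += 1
        self.users[uid] = dict(user, id=uid)
        self.log.append(f"POST /Users {user['userName']}")
        return self.users[uid]

    def put(self, uid: str, user: dict) -> dict:
        self.users[uid] = dict(user, id=uid)
        self.log.append(f"PUT /Users/{uid}")
        return self.users[uid]

    def patch(self, uid: str, changes: dict) -> dict:
        if not self.supports_patch:
            raise RuntimeError("PATCH not supported by this target")
        self.users[uid].update(changes)
        self.log.append(f"PATCH /Users/{uid} {changes}")
        return self.users[uid]


def provision_user(target: ScimTarget, user: dict, unique_attr: str) -> str:
    """Create-or-update keyed on scim.user.unique.attribute: an existing user is
    looked up by that attribute and updated instead of being created twice."""
    existing = target.search(unique_attr, user[unique_attr])
    if existing is None:
        target.create(user)
        return "created"
    target.put(existing["id"], dict(existing, **user))
    return "updated"


def deactivate_user(target: ScimTarget, existing: dict) -> str:
    """deleteEntity scope: set active=false instead of deleting. PATCH when the
    target supports it, otherwise a full PUT (scim.support.patch.operation=false)."""
    if target.supports_patch:
        target.patch(existing["id"], {"active": False})
        return "patched"
    target.put(existing["id"], dict(existing, active=False))
    return "replaced"


def run_job(source: list, target: ScimTarget, filter_expr: Optional[str] = None,
            unique_attr: str = "userName") -> dict:
    """One provisioning run: read the (filtered) source, create-or-update each user
    in the target, then deactivate active target users this run did not read.
    Simplification: the constructed target only holds users earlier runs wrote."""
    results, seen = {}, set()
    for user in read_users(source, filter_expr):
        seen.add(user[unique_attr])
        results[user[unique_attr]] = provision_user(target, user, unique_attr)
    for existing in list(target.users.values()):
        if existing[unique_attr] not in seen and existing.get("active", True):
            results[existing[unique_attr]] = deactivate_user(target, existing)
    return results


# Constructed sample source data.
SOURCE = [
    {"userName": "alice", "displayName": "Alice", "emails": "alice@example.com"},
    {"userName": "bob", "displayName": "Bob", "emails": "bob@example.com"},
    {"userName": "carol", "displayName": "Carol", "emails": "carol@example.com"},
]

if __name__ == "__main__":
    target = ScimTarget(supports_patch=False)
    print(run_job(SOURCE, target))                    # all three created
    print(run_job(SOURCE[:1] + SOURCE[2:], target))   # bob deactivated via PUT
    print("\n".join(target.log))
```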
2017-04-03 – Source/Target system – New
A new system, Microsoft Azure Active Directory, has been added to the Identity Provisioning user interface. You can use Azure AD as both a source and a target system for provisioning users.
See: Microsoft Azure Active Directory [page 204]
2017-04-03 – Delta read – Enhancement
You can now optimize the amount of data retrieved from SCIM and Identity Authentication source systems during a provisioning job.
See: Full and Delta Read [page 96]
2017-02-23 – Entity deletion – New
For previously existing and provisioned entities that have recently been deleted from the source system, you can now decide whether to delete them from the target system or not.
See: Manage Deleted Entities [page 95]
2017-02-09 – Combo box controls – New
● When adding or editing a system, you no longer need to enter the destination manually; you can select it from a combo box.
● When adding or editing a target system, you no longer need to enter a string of source systems manually. You can now select the relevant one(s) from a combo box.
See: Systems [page 56]
2017-02-09 – Delta read – New
You can now optimize the amount of data retrieved from Microsoft AD and SAP SuccessFactors source systems during a provisioning job.
See: Full and Delta Read [page 96]
2017-01-19 – Import and export – New
You can now import and export source and target systems.
See: Systems [page 56]
2017-01-19 – Trial use – Announcement
You can now test the trial version of the Identity Provisioning service. To open the user interface, go to the Services section in the SAP Cloud Platform cockpit.
See: Access the Identity Provisioning (Trial) [page 23]
Related Information
Release Notes – 2016 [page 17]
1.1.2 Release Notes – 2016
Entries are listed as date – function – type of change, followed by a description.
2016-12-21 – User interface – New
You can now access the Identity Provisioning service as a separate HTML5 application. To open the user interface, go to the Services section in the SAP Cloud Platform cockpit.
See: Access the Identity Provisioning (Standalone) [page 26]
2016-12-21 – Source system – New
A new source system, LDAP Server, has been added to the Identity Provisioning user interface.
See: LDAP Server [page 133]
2016-11-23 – Target system – New
A new target system, CloudFoundry UAA Server, has been added to the Identity Provisioning user interface. You can use this system to write identity and authorization data, such as user accounts and groups.
See: CloudFoundry UAA Server [page 201]
2016-11-23 – Transformations – Enhancement
Three additional features are now available:
● ignore – this expression allows you to disable parts of the transformation mapping during provisioning.
● createEntity – you can set this scope on an entity's attribute to ensure that it is only processed during creation.
● randomPassword – a function for generating random passwords, using standard and special characters.
See: Manage Transformations [page 37]
2016-11-23 – Entities – Enhancement
You can now provision ABAP roles and transform them into SCIM groups in a target system.
See: SAP Application Server ABAP [page 114]
2016-11-09 – Source system – New
A new source system, SCIM System, has been added to the Identity Provisioning user interface. You can use this system to provision identity and authorization data.
See: SCIM System [page 190]
2016-10-26 – Transformations – New
New functions are available for the transformations of all source and target systems.
See: Manage Transformations [page 37]
2016-10-26 – Target systems – New
You can use the following target systems to read provisioned identity data:
● Google G Suite [page 185]
● Concur [page 193]
2016-10-12 – Job Execution Details – Enhancement
The function Job Execution Details has been enhanced to help you investigate any failed entities.
See: Manage Jobs and Job Logs [page 98]
2016-10-12 – Target system – New
A new target system, SAP Cloud Platform Java/HTML5 Apps, has been added to the Identity Provisioning user interface. You can use this system to read identity data.
See: SAP Cloud Platform Java/HTML5 Apps [page 154]
2016-09-15 – Identity Provisioning (service) – New
The SAP Cloud Platform Identity Provisioning service allows customers to provision centrally managed identities and their access across the enterprise.
See: Overview [page 20]
2016-09-15 – Identity Provisioning (UI) – New
In the SAP Cloud Identity Administration Console, there is a new section – Identity Provisioning. Its purpose is to provide easy provisioning of users, groups and other entities between heterogeneous systems.
2016-09-15 – Source systems – New
You can use the following source systems to provision identity and authorization data:
● SAP Application Server ABAP [page 114]
● Microsoft Active Directory [page 145]
● SAP SuccessFactors [page 120]
● SAP Cloud Platform Identity Authentication [page 156]
2016-09-15 – Target systems – New
You can use the following target systems to write identity data:
● SAP Cloud Platform Identity Authentication [page 156]
● SAP Hybris Cloud for Customer [page 165]
● SCIM System [page 190]
● SAP Jam [page 181]
1.2 Overview
SAP Cloud Platform Identity Provisioning service (in short, Identity Provisioning service) offers a comprehensive approach to identity lifecycle management in the cloud, enabling a high level of security. This cloud service allows customers to provision centrally managed identities and their access across the enterprise. It delivers an intuitive cloud environment for identity lifecycle management that is convenient to use and maintain.
Software Capabilities
● The Identity Provisioning is delivered as a service on SAP Cloud Platform (in short, the platform) and offers a simple identity lifecycle management for heterogeneous system landscapes.
● The automation of identity lifecycle management enables the instant roll-out of updates for user accounts, groups and business roles, and dynamically updated authorizations, based on your business needs.
● The Identity Provisioning service offers a quick setup of new business applications with user accounts and authorizations. It can provision users to the Identity Authentication service, helping companies to easily enable strong authentication for their business solutions.
Technical System Landscape
As it's delivered on the platform, the Identity Provisioning service requires some settings (properties) to be configured – either in the SAP Cloud Platform cockpit or in the Identity Provisioning service user interface.
You can use the following system categories for identity provisioning goals:
● Source – this is usually the existing corporate user store of the company (like the central user administration (CUA) of AS ABAP or Microsoft Active Directory), which can be a cloud or an on-premise system.
● Target – this is the cloud system that you want to populate with entities from your source system.
● Proxy – this is a special connector used for "hybrid" scenarios. You can provision entities from a cloud to an on-premise system (and the other way around) without making a direct connection between them. First, you need to run an initial load of entities from the cloud to the on-premise system, and then the proxy connector executes provisioning operations (read, create, update, etc.) requested by the on-premise system.
When setting up these systems in the Identity Provisioning service user interface, you can choose from the available system types. You also have the option to extend the transformation logic, defined for your source, target, or proxy system, and adjust it to your business needs. Besides running the initial provisioning of entities (users, groups, roles), you can also schedule jobs to run the provisioning on a regular basis, in order to automate the provisioning process and keep the target system up to date.
Supported Systems
The Identity Provisioning service supports the following system types:
Source Systems:
● SAP Jam
● SAP Cloud Platform Identity Authentication
● SAP Analytics Cloud (Beta)
● Microsoft Azure Active Directory
● Local Identity Directory
● Google G Suite
● Concur
● SCIM
● SAP SuccessFactors
● SAP Application Server ABAP
● Microsoft Active Directory
● LDAP Server
Target Systems:
● SAP Jam
● SAP Cloud Platform Identity Authentication
● SAP Analytics Cloud (Beta)
● Microsoft Azure Active Directory
● Local Identity Directory
● Google G Suite
● Concur
● SCIM
● SAP Cloud Platform Java/HTML5 Apps
● SAP Hybris Cloud for Customer
● SAP HANA Database (Beta)
● SAP Document Center
● CloudFoundry UAA Server
● SSH Server (Beta)
Proxy Systems:
● SAP Jam
● SAP Cloud Platform Identity Authentication
● SAP Analytics Cloud (Beta)
● Microsoft Azure Active Directory
● Local Identity Directory
● Google G Suite
● Concur
● SCIM
Tip: Proxy systems support both reading and writing entities.
For every supported system, there is a specific default transformation logic, which you can adapt to your company business rules.
To find the systems you need for your provisioning scenarios and learn how to configure them, see: Scenarios [page 106]
How to use the service?
To configure the Identity Provisioning service and start provisioning entities from a source to a target system, you have to:
1. (Optional) Create a destination in the SAP Cloud Platform cockpit.
2. Set up a source, target or proxy system in the Identity Provisioning user interface.
3. Add the necessary properties to configure the connection between the systems.
4. Define your transformation logic (or leave the default one as is).
5. Run a provisioning job.
6. (Optional) View the job logs.
Related Information
Video: SAP Cloud Platform Identity Provisioning
1.3 Getting Started
Before you start using the Identity Provisioning service, you need to complete the steps below. You can choose whether to only try it out for testing purposes, or purchase it to use it productively.
Trial Use
To try out the Identity Provisioning service for testing purposes, you need to have a SAP Cloud Platform trial account. Then, you can access the Identity Provisioning service from the platform cockpit.
See: Access the Identity Provisioning (Trial) [page 23]
Productive Use
You can purchase the Identity Provisioning service as a standalone product, or obtain it as part of a bundle solution (SAP Jam or SAP SuccessFactors). To learn how to do it, see:
● Purchase the Identity Provisioning (Standalone) [page 25]
● Purchase the Identity Provisioning (Bundles) [page 29]
1.3.1 Access the Identity Provisioning (Trial)
This page helps you to obtain a trial version of the Identity Provisioning service to test its features and resources.
Prerequisites
You have a trial account for SAP Cloud Platform. For more information, see Get a Free Trial Account.
Context
The trial subscription of the Identity Provisioning service is limited to non-productive testing, evaluation, and provisioning of identities. Bear in mind the following restrictions:
● You are granted a trial period of 30 days.
● You can add only one source system for reading identities.
● You can add only one target system for writing identities.
● You can read a maximum of 50 identities from the source system.
● The maximum job execution time is 2 minutes.
● You cannot schedule jobs.
Procedure
1. Log on to the SAP Cloud Platform cockpit: https://account.hanatrial.ondemand.com. For more information, see Cloud Cockpit.
2. Choose Neo Trial. The Overview section is displayed by default.
3. If you go to the navigation area and open Applications → Subscriptions, your trial account should be subscribed to the following provider applications:
○ Java application (ipstrial), with URL: https://ipstrialsaphcpips-<your_trial_account>.hanatrial.ondemand.com/ips
○ HTML5 application (ipstrial), with URL: https://ipstrial-<your_trial_account>.dispatcher.hanatrial.ondemand.com
4. Go again to the navigation area and choose Services.
5. From the Security section, choose the Identity Provisioning tile.
6. The default status of the service is Not enabled. Choose Enable to make it available for work.
7. (Optional) You can also select additional users from your company and assign them administrator permissions. To do this, proceed as follows:
   1. Choose Configure Service.
   2. On the left-side menu, choose Roles. The first table shows that the IPS_ADMIN role is assigned to you by default.
   3. Go to the second table and choose the Assign tab.
   4. Enter the user ID of the additional corporate user. For example, p123456789 (case insensitive). You can add as many additional users as you need.
   5. Choose Assign. The relevant user ID is added to the second table. The IPS_ADMIN role is now assigned to this user.
8. From the breadcrumbs path, choose Identity Provisioning and then click Go to Service.
9. The Identity Provisioning UI opens as an independent HTML5 application. The Home section should display the following tiles: Source Systems, Target Systems, and Job Logs.
The user interface looks like this:
Note: Secure communication is provided between this HTML5 application and the SAP Cloud Platform cockpit, realized by principal propagation. This process is automatically enabled by a back-end script. For more information, see Principal Propagation.
Next Steps
You can ask questions or share feedback about your experience with the trial version of the Identity Provisioning service. For more information, see Support [page 288].
Related Information
System Types and Configurations [page 57]
Add System [page 59]
1.3.2 Purchase the Identity Provisioning (Standalone)
Context
You can purchase the Identity Provisioning service as a standalone product. If you don't have an SAP Cloud Platform global account, you will obtain one when you get the Identity Provisioning service. If you already have a global account, purchase the Identity Provisioning service and consume it with your existing account.
Procedure
1. Order a monthly subscription to the Identity Provisioning service.
   1. Choose your commercial model. See: SAP Cloud Platform Pricing Options
   2. Choose your package, according to your region(s) and number of users. See: SAP Cloud Platform Identity Provisioning: Pricing Overview
   If you need help and more availability details, check with your SAP sales representative.
2. After you purchase a subscription for the Identity Provisioning tenant, you'll receive an e-mail. It contains a link to your Identity Provisioning global account in the SAP Cloud Platform cockpit.
3. Confirm the registration of your first user. This user receives administration rights for the tenant.
4. (Optional) Install and configure Cloud Connector. You will need it later to create system mappings for your source systems. For more information, see SAP Cloud Connector.
Note
You only need this if you want to provision entities from LDAP-based systems and AS ABAP.
5. (Optional) In the platform cockpit, enable Beta Features for your subaccount. For more information, see Using Beta Features in Subaccounts.
Note
You only need this if you want to use the local identity directory for provisioning and managing users. See: Identity Directory (Beta) [page 248]
Next Steps
You can now open the Identity Provisioning user interface to start working with the service. See: Access the Identity Provisioning (Standalone) [page 26]
1.3.2.1 Access the Identity Provisioning (Standalone)
This page helps you to obtain a productive Identity Provisioning service as a standalone product.
Prerequisites
Order a monthly subscription for the Identity Provisioning service. See: Purchase the Identity Provisioning (Standalone) [page 25]
Context
You can access the Identity Provisioning service as an HTML5 application and perform the system provisioning tasks you need.
Procedure
1. Open the SAP Cloud Platform cockpit. The Overview section is displayed by default. For more information, see Cloud Cockpit and Regions and Hosts.
2. Select your region and then your global account.
Note
For the next steps, we recommend that you create two subaccounts. Here is why:
○ This prevents configuration conflicts and lets you work with the Identity Provisioning service independently in each subaccount.
○ Use the first subaccount for test purposes only, to see how the service works. For example, you can configure internal systems and run jobs to provision fake entities. If a job fails, this does not affect your real entities and productive systems.
○ When your systems are correctly configured and jobs run successfully, open the Identity Provisioning UI in your second subaccount to execute productive scenarios. To avoid double work, export the configured systems from your test subaccount and import them into your productive one.
For more information, see Creating Subaccounts and Export and Import Systems [page 63].
3. Create and save your subaccounts. They appear in the Subaccounts list.
4. Select a subaccount to open it.
5. In the navigation area, open Applications > Subscriptions. Your subaccount should be subscribed to the following provider applications:
○ Java application (ips), with URL: https://ips<provider_account>-<consumer_subaccount>.<region_host>/ips
○ Java application (ipsproxy), with URL: https://ipsproxy<provider_account>-<consumer_account>.<region_host>/ipsproxy
○ HTML5 application (ips), with URL: https://ips-<consumer_account>.<region_host>
6. In the navigation area, choose Services, and then go to the Security section.
7. Open the Identity Provisioning Service tile.
8. The default status of the service is Not enabled. Choose Enable to make it available for work.
9. (Optional) You can assign administrator permissions to additional users from your company. To do this, proceed as follows:
   1. Choose Configure Service.
   2. On the left-side menu, choose Roles. The first table shows that the IPS_ADMIN role is assigned to you by default.
   3. Go to the second table and choose the Assign tab.
   4. Enter the user ID of the additional corporate user, for example P123456789 (case insensitive). You can add as many additional users as you need.
   5. Choose Assign. The relevant user ID is added to the second table, and the IPS_ADMIN role is now assigned to this user.
10. From the breadcrumbs path, choose Identity Provisioning and then click Go to Service.
11. The Identity Provisioning UI opens as an independent HTML5 application. The Home section should display the following tiles: Source Systems, Target Systems, and Job Logs.
The user interface looks like this:
Note
Secure communication between this HTML5 application and the SAP Cloud Platform cockpit is realized by principal propagation. This is enabled automatically by a back-end script. For more information, see Principal Propagation.
12. You can also use proxy systems. To enable them for your account, create an incident to component BC-IAM-IPS.
When we enable this feature for you, an extra tile Proxy Systems will appear in your user interface.
Next Steps
In case of issues during your work with the Identity Provisioning service, you can create an incident. You can also ask a question in the SAP Community. For more information, see Support [page 288].
Related Information
Add System [page 59]
System Types and Configurations [page 57]
1.3.3 Purchase the Identity Provisioning (Bundles)
When you purchase an SAP Jam or SAP SuccessFactors license, you also get Identity Authentication and Identity Provisioning along with it. In some cases, you may not obtain them initially and need to explicitly request them by raising a ticket (incident). Find your case on this page.
Your license contains Identity Provisioning
Note
Relevant only to SAP Jam.
After the successful SAP Jam purchase, you'll receive an e-mail from SAP. According to your contract with SAP, a technical contact person has been chosen as the first user of the Identity Provisioning service and is granted Administrator permissions. In the e-mail from SAP you will find the ID of this administrator (their P- or S-user) and their e-mail address. He or she can then access the Identity Provisioning UI with their administrator user credentials.
The e-mail from SAP also contains two URL links you can use to directly access the Identity Provisioning UI. These URLs are related to two different SAP Cloud Platform Identity Provisioning tenants – one of them you can use for testing purposes, and the other one – for productive provisioning configurations and jobs.
Your license does not contain Identity Provisioning
After the successful purchase, if your license includes only the main product, you can request a tenant for the Identity Provisioning service.
Note
You will not be charged any extra fee, as the Identity Provisioning service has been officially integrated in the SAP Jam and SAP SuccessFactors licenses.
For more information, see blog post: SAP Jam now comes with the SAP Cloud Platform Identity Provisioning service
You need to create an incident. Read the section relevant to the product your Identity Provisioning belongs to.
SAP Jam
Create an incident to component AP-LM-PRV-RES (Provisioning Restore Point). Explain that you have purchased an SAP Jam product and you require Identity Provisioning tenants. You will receive two URLs, which are related to two different tenants. One of them you can use for testing purposes, and the other one – for productive provisioning configurations and jobs.
You already have Identity Authentication (a mandatory service), which enables you to log in and authenticate in the Identity Provisioning UI and within SAP Cloud Platform.
SAP SuccessFactors
Create an incident to component BC-IAM-IPS (Identity Provisioning).
Explain that you have purchased an SAP SuccessFactors product and you require Identity Provisioning tenants. Again, you will receive two URLs, which are related to two different tenants. One of them you can use for testing purposes, and the other one – for productive provisioning configurations and jobs.
You will also obtain Identity Authentication (a mandatory service), which enables you to log in and authenticate in the Identity Provisioning UI and within SAP Cloud Platform.
Related Information
Access the Identity Provisioning (Bundles) [page 30]
1.3.3.1 Access the Identity Provisioning (Bundles)
This page helps you to access the user interface of the Identity Provisioning service when it's "bundled" as part of an SAP Jam or SAP SuccessFactors license.
Prerequisites
Purchase an SAP Jam license, which includes the Identity Provisioning service. See: Purchase the Identity Provisioning (Bundles) [page 29]
Context
You access the Identity Provisioning service as an HTML5 application and can then perform the provisioning tasks you need.
Bundle accounts can only use a restricted list of source and target systems. The system types available to you are:
● SAP Jam
○ Source systems: Microsoft Active Directory and Identity Authentication
○ Target systems: SAP Jam and Identity Authentication
● SAP SuccessFactors
○ Source systems: SAP SuccessFactors
○ Target systems: Identity Authentication
Procedure
1. Open the testing or productive URL you have received (either from the contract e-mail or from the incident you have created). The URL has the following pattern:
https://ips-<consumer_account>.dispatcher.<region_host>/webapp/index.html
2. Log into the Identity Provisioning UI with your administration credentials.
Note
If you are not the first user of the Identity Provisioning but the administrator has granted you permissions, you can log into the UI with your corporate credentials. To learn how to grant permissions, see: Manage Authorizations (Bundles) [page 104]
3. The Identity Provisioning UI opens as an independent HTML5 application. The Home section should display the following tiles: Source Systems, Target Systems, Job Logs, Authorizations, and OAuth.
The user interface looks like this:
Note
In both the standalone and the bundle case, secure communication between this HTML5 application and the SAP Cloud Platform cockpit is realized by principal propagation. Unlike the standalone case, however, with your bundle account you obtain the Identity Provisioning service as software as a service: we provide you with a global SAP Cloud Platform account, and you don't need to operate in the platform cockpit.
Next Steps
In case of issues during your work with the Identity Provisioning service, you can create an incident. You can also ask a question in the SAP Community. For more information, see Support [page 288].
Related Information
Manage Authorizations (Bundles) [page 104]
Access Audit Logs (Bundles) [page 103]
Add System [page 59]
1.4 Operations
Learn how you, as an administrator, can set up the Identity Provisioning service so that entities from a source system are easily transferred to a target system.
The Identity Provisioning service ensures the synchronization of the entities between two systems:
● Source – the system where the company is currently managing the corporate identities;
● Target – the system that needs to be populated with corporate users and other entities.
Before triggering provisioning, make sure that you have performed the required setup. For more information, see Getting Started [page 22].
This section describes how you can configure the required provisioning entities in order to ensure proper synchronization between source and target systems. You can also use proxy systems.
You can perform the following operations:
● Set up source, target and proxy systems.
● Define mapping rules between the data models of sources and targets.
● Provision entities from the source to the target.
● Configure the frequency of the provisioning processes.
● Run and schedule provisioning jobs.
● View, maintain and delete job logs.
● Provide other users with admin rights for your tenant in order to let them operate the Identity Provisioning service from their subaccounts.
Related Information
Systems [page 56]
Manage Properties [page 94]
Manage Transformations [page 37]
Manage Job Notifications [page 102]
Manage Jobs and Job Logs [page 98]
Reset Identity Provisioning Configuration [page 105]
1.4.1 Transformations
Maintain the transformation logic, which corresponds to the structure and logic of your systems.
What is a JSON transformation?
For every system supported by the Identity Provisioning service, there is an initial (default) transformation logic. You can see it on the Transformations tab when you create a new system, after saving it. You can adjust the transformation mapping rules to reflect the current setup of entities from the source or target system.
How it works
The default transformation reads everything from the source system and returns a JSON structure, similar to the one of the source system. The administrator of the Identity Provisioning service can change this by adapting the transformation logic to read only the entities that should be provisioned to the target system. This filter can speed up the processing of the entities and their provisioning to the target system.
Related Information
Transformation Types [page 34]
Transformation Examples [page 35]
Manage Transformations [page 37]
1.4.1.1 Transformation Types
Learn about the types of JSON transformations needed for the provisioning jobs.
Context
Two types of transformations occur before the provisioning of entities:
● Read Transformation – from the source system to the provisioning framework. It reads the data in the source system and transfers it into intermediate JSON data in the provisioning framework. The reading of entities from the source system can be complete (full read) or partial (delta read). For more information, see Full and Delta Read [page 96].
● Write Transformation – from the provisioning framework to the target system. It prepares the data to be written to the target system.
Both transformations result in JSON data.
Every supported system holds and requires specific JSON data. To convert the source JSON data to an intermediate JSON version (which can be used for transformation to a supported target system), the Identity Provisioning administrator can use the suggested JSON transformation logic on the Transformations tab, and adapt it to the required transformation.
Note
All transformations from the source systems transform their specific JSON data to intermediate JSON data according to the System for Cross-domain Identity Management (SCIM) specifications.
Example
If the source JSON data contains the attribute name, the read transformation converts this attribute to name23 in the intermediate JSON data. Then, the write transformation should use the attribute name23 (instead of name) as the sourcePath attribute.
Related Information
Manage Transformations [page 37]
JSON Expressions [page 38]
JSON Functions [page 47]
1.4.1.2 Transformation Examples
Below are a few examples of JSON data from the source system, after the intermediate transformation, and after the transformation to a chosen target system.
Example
Source JSON data (from Microsoft Active Directory)
{
  "sAMAccountName": ["jsmith"],
  "mail": ["[email protected]"],
  "givenName": ["John"],
  "sn": ["Smith"],
  "memberOf": ["group1"],
  "memberOf_2": ["group21", "group22"],
  "memberOf_3": ["group31", "group32", "group33"]
}
Example
Read Transformation (for the intermediate JSON data)
{
  "mappings": [
    { "targetPath": "$.id", "sourceVariable": "entityIdTargetSystem" },
    { "targetVariable": "entityIdSourceSystem", "targetPath": "$.userName", "sourcePath": "$.sAMAccountName[0]" },
    { "targetPath": "$.schemas[0]", "constant": "urn:ietf:params:scim:api:messages:2.0:User" },
    { "targetPath": "$.emails[0].value", "sourcePath": "$.mail[0]" },
    { "targetPath": "$.emails[0].primary", "constant": "true" },
    { "targetPath": "$.emails[0].type", "constant": "work" },
    { "targetPath": "$.name.givenName", "sourcePath": "$.givenName[0]" },
    { "targetPath": "$.name.familyName", "sourcePath": "$.sn[0]" },
    { "targetPath": "$.groups[?(@.value)]", "sourcePath": "$.memberOf", "preserveArrayWithSingleElement": true },
    { "targetPath": "$.groups_2[?(@.value)]", "sourcePath": "$.memberOf_2[?(@ != 'group21')]", "preserveArrayWithSingleElement": true },
    { "targetPath": "$.groups_3[?(@.value)]", "sourcePath": "$.memberOf_3", "preserveArrayWithSingleElement": true },
    { "targetPath": "$.groups_4[?(@.value)]", "sourcePath": "$.memberOf_4", "optional": true, "preserveArrayWithSingleElement": true }
  ]
}
Example
Write Transformation input for target system Identity Authentication: the intermediate JSON data produced by the read transformation above
{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:User" ],
  "id": "P000100",
  "userName": "jsmith",
  "name": { "familyName": "Smith", "givenName": "John" },
  "emails": [ { "value": "[email protected]", "primary": "true", "type": "work" } ],
  "groups": [ { "value": "group1" } ],
  "groups_2": [ { "value": "group22" } ],
  "groups_3": [ { "value": "group31" }, { "value": "group32" }, { "value": "group33" } ]
}
Every write transformation has to consider the source system details delivered with the read transformation.
For example, if the source JSON data contains the name attribute, the read transformation converts this attribute to name23 in the intermediate JSON data. Then, the write transformation will use the name23 attribute as sourcePath instead of name.
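To make the read transformation above concrete, here is an added example (not code from SAP or from this documentation) that re-implements in Python the subset of mapping semantics the example uses and applies the mappings to the Active Directory record. It is the editor's illustration, with its own function names, and it assumes a constructed e-mail address, that a one-element array collapses to a scalar unless preserveArrayWithSingleElement is set, that a missing non-optional attribute is an error rather than a silent gap, and that "P000100" is the ID already stored for this user in the target system. Conditions, functions and the write side are not covered here.

```python
"""Added example, not SAP code: a stand-alone re-implementation of the read
transformation semantics described above, limited to the constructs the example
mapping uses. Behaviour the page does not state is marked as an assumption."""
import re

# Constructed Active Directory record in the shape of the source example above.
AD_USER = {
    "sAMAccountName": ["jsmith"],
    "mail": ["jsmith@example.com"],  # constructed address
    "givenName": ["John"],
    "sn": ["Smith"],
    "memberOf": ["group1"],
    "memberOf_2": ["group21", "group22"],
    "memberOf_3": ["group31", "group32", "group33"],
}

# The read transformation mappings from the example above.
READ_MAPPINGS = [
    {"targetPath": "$.id", "sourceVariable": "entityIdTargetSystem"},
    {"targetVariable": "entityIdSourceSystem", "targetPath": "$.userName", "sourcePath": "$.sAMAccountName[0]"},
    {"targetPath": "$.schemas[0]", "constant": "urn:ietf:params:scim:api:messages:2.0:User"},
    {"targetPath": "$.emails[0].value", "sourcePath": "$.mail[0]"},
    {"targetPath": "$.emails[0].primary", "constant": "true"},
    {"targetPath": "$.emails[0].type", "constant": "work"},
    {"targetPath": "$.name.givenName", "sourcePath": "$.givenName[0]"},
    {"targetPath": "$.name.familyName", "sourcePath": "$.sn[0]"},
    {"targetPath": "$.groups[?(@.value)]", "sourcePath": "$.memberOf", "preserveArrayWithSingleElement": True},
    {"targetPath": "$.groups_2[?(@.value)]", "sourcePath": "$.memberOf_2[?(@ != 'group21')]", "preserveArrayWithSingleElement": True},
    {"targetPath": "$.groups_3[?(@.value)]", "sourcePath": "$.memberOf_3", "preserveArrayWithSingleElement": True},
    {"targetPath": "$.groups_4[?(@.value)]", "sourcePath": "$.memberOf_4", "optional": True, "preserveArrayWithSingleElement": True},
]

STEP = re.compile(r"\.(\w+)|\[(\d+)\]|\[\?\(@ != '([^']*)'\)\]")  # .key | [n] | [?(@ != 'x')]
WRAP = re.compile(r"\[\?\(@\.(\w+)\)\]$")                         # trailing [?(@.value)]


def steps(path):
    """Split a "$..." path into (kind, arg) steps; unsupported syntax raises."""
    pos, out = 1, []
    while pos < len(path):
        m = STEP.match(path, pos)
        if not m:
            raise ValueError(f"unsupported path syntax in {path!r}")
        name, idx, ne = m.groups()
        out.append(("key", name) if name else ("index", int(idx)) if idx else ("filter_ne", ne))
        pos = m.end()
    return out


def read(data, path):
    """Resolve a sourcePath; None means the attribute is absent."""
    cur = data
    for kind, arg in steps(path):
        if kind == "key":
            cur = cur.get(arg) if isinstance(cur, dict) else None
        elif kind == "index":
            cur = cur[arg] if isinstance(cur, list) and arg < len(cur) else None
        else:  # [?(@ != 'x')] keeps every array element that differs from x
            cur = [v for v in cur if v != arg] if isinstance(cur, list) else None
        if cur is None:
            return None
    return cur


def write(target, path, value):
    """Store value at a targetPath, creating intermediate objects and arrays."""
    parts = steps(path)
    cur = target
    for i, (kind, arg) in enumerate(parts[:-1]):
        container = [] if parts[i + 1][0] == "index" else {}
        if kind == "key":
            cur = cur.setdefault(arg, container)
        else:
            cur.extend([None] * (arg + 1 - len(cur)))
            cur[arg] = container if cur[arg] is None else cur[arg]
            cur = cur[arg]
    kind, arg = parts[-1]
    if kind == "index":
        cur.extend([None] * (arg + 1 - len(cur)))
    cur[arg] = value


def apply_read_transformation(mappings, source, variables=None):
    """Run the mappings for one entity; returns (intermediate_json, variables)."""
    variables, target = dict(variables or {}), {}
    for m in mappings:
        if m.get("ignore"):
            continue
        value = (m["constant"] if "constant" in m
                 else variables.get(m["sourceVariable"]) if "sourceVariable" in m
                 else read(source, m["sourcePath"]))
        if value is None:
            if m.get("optional"):
                continue
            raise KeyError(f"required attribute missing for mapping {m}")  # assumption
        # Assumption: a one-element array collapses to a scalar unless preserved.
        if isinstance(value, list) and len(value) == 1 and not m.get("preserveArrayWithSingleElement"):
            value = value[0]
        if "targetVariable" in m:
            variables[m["targetVariable"]] = value
        if "targetPath" in m:
            path, wrap = m["targetPath"], WRAP.search(m["targetPath"])
            if wrap:  # "$.groups[?(@.value)]" emits [{"value": element}, ...]
                value = [{wrap.group(1): v} for v in (value if isinstance(value, list) else [value])]
                path = path[: wrap.start()]
            write(target, path, value)
    return target, variables
```

Calling apply_read_transformation(READ_MAPPINGS, AD_USER, {"entityIdTargetSystem": "P000100"}) reproduces the intermediate JSON shown above: group21 is filtered out of groups_2, the missing memberOf_4 is skipped because its mapping is optional, and the variable entityIdSourceSystem ends up as "jsmith" for the write side to use.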
Related Information
Manage Transformations [page 37]
1.4.1.3 Manage Transformations
You can edit the default JSON transformation logic. It appears when you create a new system in the Identity Provisioning UI and save it for the first time.
Prerequisites
You have added a system (source, target, or proxy) in the Identity Provisioning user interface. To learn how, see Add System [page 59].
Context
The transformation logic for every supported system is specific. You can find the default one in the Identity Provisioning user interface. To modify a transformation, follow the steps below:
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. From the UI home page, choose a tile: Source Systems, Target Systems, or Proxy Systems.
3. Select a system from the left panel and go to the Transformations tab. The default transformation logic is displayed.
4. To modify it, choose Edit in the bottom right corner.
5. Make your changes and save the configuration.
Related Information
Transformation Types [page 34]
JSON Expressions [page 38]
1.4.1.4 JSON Expressions
The transformation logic is based on JSON path expressions. The order of the expressions in the file is decisive: the mappings are executed in the sequence defined in the transformation logic, so each mapping operates on the result of the ones before it.
There is a different transformation logic for every entity (users, groups, roles).
Below are some of the expressions you can use:
Basic Transformation
Takes the attributes as defined in the source system and transfers them unchanged in the resulting JSON data. No changes are made.
Example
{ "sourcePath": "$", "targetPath": "$" },
sourcePath and targetPath
● Expression sourcePath denotes the path to an attribute in the source JSON data (could be the source system JSON data or the intermediate JSON data).
● Expression targetPath denotes the path where the attribute should be stored in the target JSON data (could be the intermediate JSON data or the target system JSON data).
Example
{ "targetPath": "$.name.familyName", "sourcePath": "$.sn[0]" },
type
The type of action to be performed in the mapping. Its values can be set or remove.
● The set type maps an attribute from the source system to an attribute in the target JSON data. If no type is defined, "type": "set" is used by default.
Example
{ "type": "set", "targetPath": "$.groups" }
● The remove type deletes an attribute during transformation. This attribute is not present in the target JSON data.
Example
{ "type": "remove", "targetPath": "$.groups" }
condition
A condition can be set on various levels, for example for the whole entry type or for a mapping entry.
Example
{
  "condition": "($.emails.length() > 0) && ($.name.familyName EMPTY false)",
  "mappings": [
    { "sourcePath": "$", "targetPath": "$" },
    …
  ]
}
Example
{
  "mappings": [
    …
    { "condition": "$.memberOf contains 'group1'", "constant": "NewDisplayName", "targetPath": "$.displayName" }
  ]
}
ignore
Use the ignore expression if you prefer parts of the transformation to not be taken into consideration (during provisioning). Similar to condition, you can set ignore on various levels - for a whole entry type (user, role) or for a particular mapping entry. This is applicable for both source and target systems.
Example
"group": {
  "ignore": true,
  "mappings": [
    { "sourcePath": "$.sAMAccountName[0]", "targetVariable": "entityIdSourceSystem" },
    { "sourcePath": "$.sAMAccountName[0]", "targetPath": "$.displayName" },
    ...

Example
"user": {
  "mappings": [
    { "ignore": true, "sourcePath": "$.sAMAccountName[0]", "targetVariable": "entityIdSourceSystem" },
    { "sourcePath": "$.sAMAccountName[0]", "targetPath": "$.userName" },
    ...
constant
Set a constant if the target system requires attributes that are not defined in the source system.
You can also use schemas to organize and combine multiple constants.
Example
{ "targetPath": "$.emails[0].type", "constant": "work" },
createEntity
You can set a scope for an entity attribute – based on its lifecycle – so that it is only processed during creation. To do this, tag the entity attribute with the createEntity scope in the system transformation. Transformation mappings without scope are always processed.
Note
Currently, the createEntity scope is only applicable for entities created in target systems.
Example
The following mapping provides an initial password when a user is created. The constant is the same for every user the job creates, so treat it as a temporary placeholder, not as a secret.
{
  "user": {
    "mappings": [
      { "scope": "createEntity", "targetPath": "$.Password", "constant": "Initial1" }
    ]
  },
  ...
deleteEntity
If an entity has been deleted from the source system, or a condition now excludes it from being read, the entity can "stay" in the target system for the following reasons:
1. The target system does not support deletion of entities.
2. You do not want to delete it but only temporarily disable/deactivate it.
3. You want to neither delete nor deactivate it, but only remove its permissions or exclude it from some corporate groups.
If you have to fulfill one of these scenarios for an entity, use the deleteEntity scope. It prevents the entity from being deleted in the target system; instead, only the attributes set by the deleteEntity mappings are updated. Also, bear in mind the following:
● For the affected entity, all transformation mappings that do not contain this scope are ignored.
● If a condition exists on entity type level, it is ignored as well.
● Use this scope for SCIM systems, as well as Concur, Microsoft Azure AD, Identity Authentication, and SAP Jam.
Examples:
Example
Concur: The following mapping disables the user account:
{
  "user": {
    "mappings": [
      { "scope": "deleteEntity", "constant": "US", "targetPath": "$.Custom21" },
      { "scope": "deleteEntity", "constant": "", "targetPath": "$.Password" },
      { "scope": "deleteEntity", "constant": "DEFAULT", "targetPath": "$.LedgerCode" },
      { "constant": "N", "targetPath": "$.Active", "scope": "deleteEntity" },
      ...
Example
Microsoft Azure AD: The following mapping disables the user account:
{
  "user": {
    "mappings": [
      { "constant": false, "targetPath": "$.accountEnabled", "scope": "deleteEntity" },
      ...
Example
Identity Authentication: The following mapping disables the user account and unassigns it from all groups it used to belong to:
{
  "user": {
    "mappings": [
      { "constant": false, "targetPath": "$.active", "scope": "deleteEntity" },
      { "constant": [], "targetPath": "$.corporateGroups", "scope": "deleteEntity" },
      { "constant": [], "targetPath": "$.groups", "scope": "deleteEntity" },
      ...
Example
SAP Jam: The following mapping disables the user account:
"user": {
  "mappings": [
    { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id", "scope": "deleteEntity" },
    { "constant": false, "targetPath": "$.active", "scope": "deleteEntity" },
    ...
skipOperations
If you want the provisioning job to not execute operations on entities of a certain type, use the skipOperations expression. You can apply it when you need to avoid creating or deleting entities. You can use skipOperations only in target system transformations.
Sample Code
The following transformation does not allow creating and deleting users in the target system:
{
  "user": {
    "skipOperations": [ "create", "delete" ],
    "mappings": [
      {
      ...
Even if it is set to skip the create operation, the Identity Provisioning service still tries to update new entities by their IDs. To resolve these IDs, add the following JSON code to your target system transformation. If an entity with a resolved ID does not exist in the target system, it is neither created nor updated.
Sample Code
JSON code for resolving user IDs (here from the userName attribute):
"user": {
  "mappings": [
    { "sourcePath": "$.userName", "targetVariable": "entityIdTargetSystem" },
    { "sourcePath": "$.userName", "targetPath": "$.id" },
    ...
valueMapping
The valueMapping plays the role of a special condition that allows multiple entity attributes (read from the source system) to be mapped to a single target attribute.
For example, you can set a mapping condition for the user attributes country and locality. After the provisioning job, their values are mapped to a new attribute, timezone. The example below demonstrates this case with country=BG (Bulgaria) and locality=Sofia, whose combination corresponds to timezone=Europe/Sofia.
Sample Code
JSON code for mapping user timezone:
"user": {
  "mappings": [
    { "sourcePath": "$", "targetPath": "$" },
    {
      "targetPath": "$.timezone",
      "type": "valueMapping",
      "sourcePaths": [ "$.addresses[0].country", "$.addresses[0].locality" ],
      "valueMappings": [ { "key": [ "BG", "Sofia" ], "mappedValue": "Europe/Sofia" } ]
    }
  ]
},
...
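As an added example (not code from SAP or from this documentation), the following Python models how the expressions above decide what a target-system transformation emits for the create, update and delete operations: skipOperations suppresses the operation entirely, createEntity mappings run only on creation, on deletion only deleteEntity mappings run, type remove drops an attribute that the basic $-to-$ transformation copied, and valueMapping combines two source attributes into one target value. The transformation, the intermediate user record and the HTTP verbs returned are constructed for illustration; the code handles only simple $.a.b[0] paths and does not evaluate conditions.

```python
"""Added example, not SAP code: how the lifecycle scopes, skipOperations, the
remove type and valueMapping described above decide what a target (write)
transformation emits for a create, update or delete. Paths are the simple
"$.a.b[0]" form; the HTTP verbs returned are this example's own illustration."""
import copy
import re

# Constructed target transformation for an Identity Authentication user,
# combining the page's snippets with a constructed initial password.
TARGET_USER = {
    "user": {
        "skipOperations": [],
        "mappings": [
            {"sourcePath": "$", "targetPath": "$"},                # basic transformation
            {"type": "remove", "targetPath": "$.groups_2"},        # never forwarded to the target
            {"scope": "createEntity", "targetPath": "$.password", "constant": "Initial1"},
            {"targetPath": "$.timezone", "type": "valueMapping",
             "sourcePaths": ["$.addresses[0].country", "$.addresses[0].locality"],
             "valueMappings": [{"key": ["BG", "Sofia"], "mappedValue": "Europe/Sofia"}]},
            {"scope": "deleteEntity", "constant": False, "targetPath": "$.active"},
            {"scope": "deleteEntity", "constant": [], "targetPath": "$.groups"},
        ],
    }
}

# Constructed intermediate (SCIM-shaped) entity, as a read transformation produces it.
INTERMEDIATE_USER = {
    "userName": "jsmith",
    "active": True,
    "groups": [{"value": "group1"}],
    "groups_2": [{"value": "group22"}],
    "addresses": [{"country": "BG", "locality": "Sofia"}],
}


def get_path(obj, path):
    """Resolve "$.a.b[0]" against obj; None when any step is missing."""
    for part in re.findall(r"\w+", path):
        if isinstance(obj, list) and part.isdigit() and int(part) < len(obj):
            obj = obj[int(part)]
        elif isinstance(obj, dict):
            obj = obj.get(part)
        else:
            return None
    return obj


def set_path(obj, path, value):
    """Store value under "$.a.b"; a bare "$" merges a deep copy of the whole entity."""
    parts = re.findall(r"\w+", path)
    if not parts:
        obj.update(copy.deepcopy(value))
        return
    for part in parts[:-1]:
        obj = obj.setdefault(part, {})
    obj[parts[-1]] = value


def mapping_applies(mapping, operation):
    """Scope rules from the page: unscoped mappings always run, createEntity only on
    create, and on delete only deleteEntity mappings run (everything else is ignored)."""
    if mapping.get("ignore"):
        return False
    scope = mapping.get("scope")
    if operation == "delete":
        return scope == "deleteEntity"
    if scope == "deleteEntity":
        return False
    return scope != "createEntity" or operation == "create"


def build_request(transformation, entity_type, operation, entity, variables=None):
    """Return (verb, body) for one entity, or None when the operation is skipped."""
    spec = transformation[entity_type]
    if operation in spec.get("skipOperations", []):
        return None
    active = [m for m in spec["mappings"] if mapping_applies(m, operation)]
    if operation == "delete" and not active:
        return "DELETE", None                  # no deleteEntity scope: really delete
    body = {}
    for m in active:
        if m.get("type") == "remove":
            parts = re.findall(r"\w+", m["targetPath"])
            parent = get_path(body, "$." + ".".join(parts[:-1])) if len(parts) > 1 else body
            if isinstance(parent, dict):
                parent.pop(parts[-1], None)
        elif m.get("type") == "valueMapping":
            key = [get_path(entity, p) for p in m["sourcePaths"]]
            for vm in m["valueMappings"]:
                if vm["key"] == key:
                    set_path(body, m["targetPath"], vm["mappedValue"])
        else:
            value = (m["constant"] if "constant" in m
                     else (variables or {}).get(m["sourceVariable"]) if "sourceVariable" in m
                     else get_path(entity, m["sourcePath"]))
            if value is not None:
                set_path(body, m["targetPath"], value)
    return ("POST" if operation == "create" else "PUT"), body
```

For the constructed user, the create body carries the copied attributes minus groups_2, plus the initial password and timezone; the update body is the same without the password; the delete body is only {"active": false, "groups": []}, which is the deactivate-instead-of-delete behaviour the deleteEntity scope is for. Removing the deleteEntity mappings turns the delete into a real deletion, and listing "create" under skipOperations suppresses the create entirely.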
1.4.1.5 System Variables
System variables specify particular attributes of the read and written entities. They help you map attributes between source and target transformations so that the entities are provisioned correctly to the target systems.
For each variable, the definition, an example, and the systems in which it is mandatory are listed below.

entityIdSourceSystem
Mandatory in: source systems, proxy systems
Mandatory for every read transformation (in source and proxy systems). It specifies which attribute of a read entity is considered the unique ID in the source system.
Sample Code
{
  "targetVariable": "entityIdSourceSystem",
  "sourcePath": "$.name"
}

entityIdTargetSystem
Mandatory in: target systems, proxy systems
Mandatory for every write transformation (in target and proxy systems). It specifies which attribute of a written entity is considered the unique ID in the target system. This variable is set from the target system's response during entity creation, or is read from the Identity Provisioning database during entity modification or deletion.
Sample Code
{
  "scope": "deleteEntity",
  "sourceVariable": "entityIdTargetSystem",
  "targetVariable": "entityIdTargetSystem",
  "functions": [
    { "type": "decode", "algorithm": "base32", "skipPadding": true },
    { "type": "toString" }
  ]
}

entityBaseLocation
Mandatory in: proxy systems
Mandatory only for read transformations in proxy systems. It contains the proxy application URL featuring the entity type endpoint:
https://ipsproxy<proxy_provider_account>-<consumer_account>.<neo_landscape>:443/ipsproxy/api/v1/scim/<system_ID>/Users
Sample Code
{
  "sourceVariable": "entityBaseLocation",
  "targetVariable": "entityLocationSourceSystem",
  "targetPath": "$.meta.location",
  "functions": [
    { "type": "concatString", "suffix": "${entityIdSourceSystem}" }
  ]
}

entityLocationSourceSystem
Mandatory in: proxy systems
Mandatory only for read transformations in proxy systems. It contains the proxy application URL featuring the SCIM 2.0 resource endpoint for an entity:
https://ipsproxy<proxy_provider_account>-<consumer_account>.<neo_landscape>:443/ipsproxy/api/v1/scim/<system_ID>/Users/<user_ID>
Sample Code (the same mapping as for entityBaseLocation: the base location is concatenated with the source entity ID and stored both in this variable and in $.meta.location)
{
  "sourceVariable": "entityBaseLocation",
  "targetVariable": "entityLocationSourceSystem",
  "targetPath": "$.meta.location",
  "functions": [
    { "type": "concatString", "suffix": "${entityIdSourceSystem}" }
  ]
}

currentDate (Optional)
Available in: all systems
An optional variable that contains the current date, in the format yyyy-MM-dd HH:mm:ss.SSS
Sample Code
{
  "targetPath": "$.PersonalDetails.ValidityPeriod.StartDate",
  "sourceVariable": "currentDate",
  "functions": [
    { "type": "manipulateDate", "targetDateFormat": "yyyy-MM-dd" }
  ]
}
1.4.1.6 JSON Functions
The JSON functions are used in entity transformations, and are included as mappings. A transformation function uses the value provided in sourcePath to generate the value for targetPath. The type of parameters can be String, Integer, Boolean, Null, or an attribute.
concatString
This function concatenates a string with a prefix or a suffix.
Parameters
Required: type
Optional: prefix, suffix
Example
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.sAMAccountName[0]",
        "targetPath": "$.userName",
        "functions": [
          { "type": "concatString", "prefix": "ips_", "suffix": 123 }
        ]
      }
      ...
    ]
  }
}
manipulateDate
This function converts one date format into another after JSON transformations. Use cases:
● A Java date format can be converted into another Java date format. Example: "2018-02-28 11:00:00.000" to "02/28/2018"
● A date format based on Unix Time Stamp can be converted into a Java one. That is, if the source system stores a date as a number of milliseconds, after the transformations this number is converted and written in the target system as a human-readable date. Example: "Date(1519809649123-0240)" to "2018-02-28 UTC+1"
Note
Bear in mind the following restrictions about the Unix Time Stamp format:
○ It is mainly applicable to SAP SuccessFactors connectors.
○ If the source date format contains a timezone (GMT, EST, ACT, etc.), after converting from Unix Time Stamp, the date is displayed as a UTC offset.
○ During calculation, the timezone is ignored: the milliseconds are converted to a "pure" date. The timezone is displayed (as UTC offset) but not taken into account.
The manipulateDate function supports the following operations:
● (Java) Incrementing the date with the "+" sign, or with no sign
● (Java) Decrementing the date with the "-" sign
● (Unix Time Stamp) Converting a number of milliseconds into a human-readable date
Parameters
Required: type
Optional: sourceDateFormat, targetDateFormat, years, months, days, hours, minutes, seconds
Example
Reads the current date and writes it in another Java date format, shifted forward by 3 days and 2 hours. sourceDateFormat must be a Java date pattern that matches the input value; here it is the format of the currentDate variable. (A slash-separated date would use "MM/dd/yyyy": in Java patterns "DD" is the day of the year and "YYYY" the week year, so "MM/DD/YYYY" does not parse a calendar date.) years, months, minutes and seconds take the same signed string values and are omitted here; JSON does not allow comments, so every key must carry a value.
{
  "targetPath": "$.EmployeeType.ValidityPeriod.StartDate",
  "sourceVariable": "currentDate",
  "functions": [
    {
      "type": "manipulateDate",
      "sourceDateFormat": "yyyy-MM-dd HH:mm:ss.SSS",
      "targetDateFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'",
      "days": "3",
      "hours": "+2"
    }
  ]
}
Example
Reads a given date in Unix Time Stamp format (in milliseconds) and writes the converted value in the target system in a standard Java date format
{
  "targetPath": "$.EmployeeType.ValidityPeriod.StartDate",
  "sourcePath": "$date",
  "functions": [
    {
      "type": "manipulateDate",
      "sourceDateFormat": "Date(milliseconds)",
      "targetDateFormat": "yyyy-MM-dd"
    }
  ]
}
randomPassword
This function generates a random password. It picks characters from four character sets: digits, lowercase letters, uppercase letters, and special symbols. The default set of special symbols contains the following characters: {~ ! @ # $ % ^ & * ( ) _ +
Bear in mind the following tips:
● The password length must be supplied along with the minimum number of characters from each set. If a value "0" is supplied for a given parameter, no characters are picked from the corresponding character set.
● If the summed-up number of characters (from all sets) exceeds the total password length, the function execution results in an error.
● If the summed-up number of characters (from all sets) is less than the total password length, the remaining characters are randomly picked from all character sets.
● A custom character set is supplied by the specialSymbols parameter.
● If a custom set of special symbols is supplied, the parameter minimumNumberOfSpecialSymbols cannot have a value of "0".
Note
The randomPassword function does not require sourcePath, sourceVariable, or constant to be specified in the mapping.
The generated value is sent to the target system as part of the entity request. If ips.trace.failed.entity.content is enabled for troubleshooting, the content of failed requests, including this attribute, is written to the job log, so keep that property disabled in normal operation.
Parameters
Required: type, passwordLength, minimumNumberOfLowercaseLetters, minimumNumberOfUppercaseLetters, minimumNumberOfDigits, minimumNumberOfSpecialSymbols
Optional: specialSymbols
Example
{
  "user": {
    "mappings": [
      {
        "targetPath": "$.password",
        "functions": [
          {
            "type": "randomPassword",
            "passwordLength": 16,
            "minimumNumberOfLowercaseLetters": 4,
            "minimumNumberOfUppercaseLetters": 4,
            "minimumNumberOfDigits": 4,
            "minimumNumberOfSpecialSymbols": 4,
            "specialSymbols": ",.<>/?~`!@#"
          }
        ]
      }
      ...
    ]
  }
}
replaceString
This function replaces each substring of the given string that matches the provided target string with the string in replacement.
Parameters
Required: type, target, replacement
Example
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.sAMAccountName[0]",
        "targetPath": "$.userName",
        "functions": [
          { "type": "replaceString", "target": "iag", "replacement": "ips" }
        ]
      }
      ...
    ]
  }
}
replaceFirstString
This function replaces the first substring of a given string that matches the provided regex with the string in replacement.
Parameters
Required: type, regex, replacement
Example
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.sAMAccountName[0]",
        "targetPath": "$.userName",
        "functions": [
          { "type": "replaceFirstString", "regex": "14\\d{1}", "replacement": 123 }
        ]
      }
      ...
    ]
  }
}
replaceLastString
This function replaces the last substring of a given string that matches the provided regex with the string in replacement.
Parameters
Required: type, regex, replacement
Example
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.sAMAccountName[0]",
        "targetPath": "$.userName",
        "functions": [
          { "type": "replaceLastString", "regex": "14\\d{1}", "replacement": 123 }
        ]
      }
      ...
    ]
  }
}
replaceAllString
This function replaces each substring of the given string that matches the provided regex with the string in replacement.
Parameters
Required: type, regex, replacement
Example
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.sAMAccountName[0]",
        "targetPath": "$.userName",
        "functions": [
          { "type": "replaceAllString", "regex": "14\\d{1}", "replacement": 123 }
        ]
      }
      ...
    ]
  }
}
resolveEntityIds
This function resolves the value of a source system attribute to an existing back-end key in the target system. For example, it can resolve the value of a source system member attribute to the ID of an existing SCIM resource that represents this member in a SCIM target system.
Parameters
Required: type
Optional: entityType (default value: user)
Example
{
  "sourcePath": "$.member",
  "preserveArrayWithSingleElement": true,
  "optional": true,
  "targetPath": "$.members[?(@.value)]",
  "functions": [
    { "entityType": "group", "type": "resolveEntityIds" }
  ]
}
...
substring
This function returns a substring of the given string. The substring begins at the specified beginIndex and extends either to the character at index endIndex - 1 or, if endIndex is not provided, to the end of the string.
Parameters
Required: type, beginIndex
Optional: endIndex
Example
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.sAMAccountName[0]",
        "targetPath": "$.userName",
        "functions": [
          { "type": "substring", "beginIndex": 3, "endIndex": "5" }
        ]
      }
      ...
    ]
  }
}
toUpperCaseString
This function converts all the characters in the given string to upper case, using the provided locale or, if none is defined, English.
Parameters
Required: type
Optional: locale
Example
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.sAMAccountName[0]",
        "targetPath": "$.userName",
        "functions": [
          { "type": "toUpperCaseString", "locale": "en_EN" }
        ]
      }
      ...
    ]
  }
}
toLowerCaseString
This function converts all the characters in the given string to lower case, using the provided locale or, if none is defined, English.
Parameters
Required: type
Optional: locale
Example
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.sAMAccountName[0]",
        "targetPath": "$.userName",
        "functions": [
          { "type": "toLowerCaseString", "locale": "en_EN" }
        ]
      }
      ...
    ]
  }
}
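To see how the string functions in this section combine, here is an added Python model of a mapping's "functions" array being applied, in order, to the value found at sourcePath. It is example code, not the service's implementation: the "$.a.b[0]" path resolver, the string coercion of non-string parameters (the page's examples use 123 as a suffix and as a replacement), and the ignoring of the locale parameter are assumptions of this example, and the sample entity is constructed.

```python
import re
from typing import Any

# Constructed sample entity in the shape the examples above read from ($.sAMAccountName[0]).
SAMPLE_ENTITY = {"sAMAccountName": ["iag.user142"], "name": {"givenName": "Ada"}}


def resolve_path(entity: Any, path: str) -> Any:
    """Resolve the '$.a.b[0]' subset of JSONPath used in the mappings on this page."""
    if not path.startswith("$"):
        raise ValueError("path must start with $")
    current = entity
    for key, index in re.findall(r"\.([A-Za-z0-9_]+)(?:\[(\d+)\])?", path):
        current = current[key]
        if index != "":
            current = current[int(index)]
    return current


def _replace_last(text: str, regex: str, replacement: str) -> str:
    """Replace only the last (non-overlapping) match of regex."""
    matches = list(re.finditer(regex, text))
    if not matches:
        return text
    m = matches[-1]
    return text[:m.start()] + m.expand(replacement) + text[m.end():]


def apply_function(value: str, fn: dict) -> str:
    """Apply one entry of a mapping's "functions" array to a string value."""
    kind = fn["type"]
    if kind == "concatString":
        return str(fn.get("prefix", "")) + value + str(fn.get("suffix", ""))
    if kind == "replaceString":                       # literal target, every occurrence
        return value.replace(str(fn["target"]), str(fn["replacement"]))
    if kind == "replaceFirstString":
        return re.sub(fn["regex"], str(fn["replacement"]), value, count=1)
    if kind == "replaceAllString":
        return re.sub(fn["regex"], str(fn["replacement"]), value)
    if kind == "replaceLastString":
        return _replace_last(value, fn["regex"], str(fn["replacement"]))
    if kind == "substring":                           # endIndex is exclusive and optional
        begin, end = int(fn["beginIndex"]), fn.get("endIndex")
        return value[begin:] if end is None else value[begin:int(end)]
    if kind == "toUpperCaseString":                   # locale ignored in this model
        return value.upper()
    if kind == "toLowerCaseString":
        return value.lower()
    raise ValueError(f"unsupported function type {kind!r}")


def apply_mapping(entity: Any, mapping: dict) -> str:
    """Read sourcePath (or constant), then run the functions in the order listed."""
    value = resolve_path(entity, mapping["sourcePath"]) if "sourcePath" in mapping else mapping["constant"]
    for fn in mapping.get("functions", []):
        value = apply_function(str(value), fn)
    return value
```

Order matters: a replaceString from "iag" to "ips" followed by toUpperCaseString yields "IPS.USER142" for the sample entity, whereas the reverse order would leave "IAG" untouched because the literal target no longer matches.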
1.4.2 Systems
This section describes how to operate with source, target, and proxy systems from the user interface of the Identity Provisioning service.
Prerequisites
● (Optional) You have configured destinations in SAP Cloud Platform cockpit for the source and target systems that you want to use for the provisioning of entities. For more information, see Creating HTTP Destinations.
● You have accessed the user interface of the service. For more information, see: Access the Identity Provisioning (Standalone) [page 26], Access the Identity Provisioning (Trial) [page 23]
Context
From the user interface of the Identity Provisioning service, you can perform the following operations:
● Add, edit and delete systems – you can add new and configure existing source and target systems.
● Enable and disable systems – to use a system for provisioning purposes, its status has to be Enabled. When you add a new system, it is enabled by default. If one of your added systems is configured and you currently do not need it, but would like to use it later, you can disable it.
● Export and import systems – if you have added and configured a system and you need to add another one of the same type without manually entering all data again, you can export the existing one. Then just import it back, giving it a different name. The new system will appear in the list and all configurations and transformations will be kept.
For more information about each system type and the configuration steps required for the operations below, see System Types and Configurations [page 57].
Related Information
Add System [page 59]
Edit System [page 62]
Delete System [page 62]
Enable and Disable Systems [page 63]
Export and Import Systems [page 63]
1.4.2.1 System Types and Configurations
This section defines the three types of systems you can use for provisioning identities – source, target, and proxy.
Source Systems
A source system is the connector used for reading entities (users, groups, roles). Source systems can be on-premise or cloud-based, SAP or non-SAP, and usually represent the corporate user store where identities are currently maintained. The Identity Provisioning service reads the entities from the source system and creates or updates them in the relevant target ones. The provisioning is triggered from the Jobs tab of a source system.
Target Systems
A target system is the connector used for writing (provisioning) entities. Target systems are usually clouds, where the Identity Provisioning service creates or updates the entities taken from the source system.
Proxy Systems
A proxy system is a special connector used for "hybrid" scenarios. That means, you can provision entities from a cloud to an on-premise system (and the other way around) without making a direct connection between them. To achieve this, the Identity Provisioning service uses a proxy system that executes provisioning operations (create, update, delete, etc.) requested by the on-premise system.
Restriction
● Currently, this scenario is only applicable to SAP Identity Management, used as the on-premise system. See: Hybrid Scenario: SAP Identity Management [page 246]
● The Proxy Systems tile is not available for bundle accounts but only for the productive, standalone Identity Provisioning service.
● This tile is not displayed by default in the user interface. If you need it for hybrid scenarios, create an incident to component BC-IAM-IPS to request the Proxy Systems tile.
To provide communication between SAP Identity Management and the back-end system, the proxy application uses the SCIM 2.0 protocol. A system can act as a proxy if it supports both read and write operations. To check the list of system types that support this role, see: Proxy Systems [page 209]
How a proxy system works:
1. The Identity Provisioning service exposes the back-end system as a "proxy".
2. SAP Identity Management regards the proxy system as its back-end system.
3. The entities (users) exposed by the back-end system are mapped to SCIM 2.0 entities, if possible. If not possible, the SCIM standard provides a mechanism to define a new resource type with the appropriate schema. You can use the custom resource type to map the back-end entities. See: SCIM Resources
System Configuration Details
The system types have a similar Identity Provisioning user interface. Below are the details you need to provide when setting up a source, target, or proxy system:
Tab / Field: Description
Details / Type: (Mandatory) The type of the source or target system. You can select a particular system from the drop-down list.
Details / System Name: (Mandatory) The name of the source or target system configuration. This name will be displayed in the job log and other reports.
Details / Destination Name: (Optional) The name of the destination configuration for the system. You define it in the Destinations editor in SAP Cloud Platform cockpit. For more information, see Creating HTTP Destinations.
Note: This field is only mandatory for ABAP systems.
Details / Description: (Optional) Enter a meaningful description. It will help you easily distinguish your systems in the list later.
Details / Source Systems: (Optional) The name or list of names of the source systems that the entities should be read from and transferred to this target system. The list can contain one or more source system names, separated by comma (,). If no source system is specified in this field, the target system receives entities from all source systems configured in the Source Systems tile for the customer tenant.
Note: This field is only available for target systems.
Transformations: The initial transformation logic is created when saving the source or target system. Every system has specific JSON requirements – these are data models for the entities that have to be synchronized using the Identity Provisioning service. Transformations are settings that represent the logic used to convert or filter the entities data taken from the source before sending it to the target system. Transformations also define how the different attributes of the entities should be mapped. The Identity Provisioning service offers default transformation settings per system, which can be additionally configured. For more information, see: Manage Transformations [page 37]
Properties: (Optional) You can set properties for the source or target systems. This helps you filter the data taken from the source system, or apply a filter to the data before writing it into the target system. These properties overwrite the properties set in the Additional Properties section of the destination in SAP Cloud Platform cockpit (Destinations). For more information, see: Creating HTTP Destinations
Jobs: From the Jobs tab, you can start or schedule the provisioning job, or resynchronize the data in the target system if changes are made in the source system. For more information, see: Manage Jobs and Job Logs [page 98]
Note: This tab is only available for source systems. It appears once you have successfully configured the source system.
Related Information
Scenarios [page 106]
1.4.2.2 Add System
This topic explains how to add source, target and proxy systems to the Identity Provisioning UI.
Context
In order to provision entities (users, groups, roles) from one system to another across your enterprise, you first need to add and configure these systems as source and target connectors in the Identity Provisioning user interface.
Follow the procedure below.
Procedure
1. From the UI home page, choose a tile – Source Systems, Target Systems, or Proxy Systems.
2. Choose the Add button situated at the bottom of the left-hand panel.
3. From the Type combo box, select the system type you want to use.
4. Add a name for your system. Make sure it does not duplicate another system's name in the UI.
5. (Optional) If you have previously created a destination in SAP Cloud Platform cockpit, select it from the Destination Name combo box. This destination should specify the URL and all the connection settings needed for your identity provisioning jobs. The combo-box list contains only destinations relevant to the chosen system type.
Restriction
Destinations are mandatory for SAP Application Server ABAP source systems.
6. If you have skipped the Destination Name field, you can open the Properties tab to enter all the properties needed for your provisioning scenario. For more information, see Manage Properties [page 94].
Note
If you leave both the Destination Name field and the Properties tab empty, no actual identity provisioning will be performed.
7. (Optional) Enter a description. It will help you to easily distinguish your systems in the list later on.
8. (Target systems only) When you create a target system, you can add the source systems whose data you want to read and provision. To do this, select the ones you need from the Source Systems combo box.
Note
If you had previously added a string of source systems manually (before the new combo box control was introduced), and some of these source systems had incorrect names, the UI will show you an error message. To correct this inconsistency, edit and save the new target system configuration.
9. You can modify your default system transformation, if needed.
10. Save your changes. The new system appears in the panel.
Next Steps
After you have added your systems and run some jobs, the Identity Provisioning UI should look like the screenshots referenced below (but with different numbers):
● Trial Identity Provisioning (screenshot not reproduced here)
● Standalone Identity Provisioning (screenshot not reproduced here)
● Bundled Identity Provisioning (screenshot not reproduced here)
Related Information
Manage Properties [page 94]
Manage Transformations [page 37]
1.4.2.3 Edit System
This topic explains how you can edit source and target systems in the Identity Provisioning UI.
Procedure
1. From the UI home page, choose a tile – Source Systems, Target Systems, or Proxy Systems.
2. From the list on the left, select a system.
3. Choose the tab you want to edit (Details, Transformations, Properties).
4. Choose the Edit button and make the relevant configurations.
5. Save your changes.
Related Information
Manage Properties [page 94]
Manage Transformations [page 37]
1.4.2.4 Delete System
This topic explains how you can delete source and target systems in the Identity Provisioning UI.
Procedure
1. From the UI home page, choose a tile – Source Systems, Target Systems, or Proxy Systems.
2. From the list on the left, select a system.
3. Choose the icon at the top of the left-hand panel.
4. At the bottom of the left-hand panel, choose the Delete button.
5. In the dialog box, confirm with OK.
6. Save your changes. The system disappears from the panel.
1.4.2.5 Enable and Disable Systems
This topic explains how you can enable and disable source and target systems in the Identity Provisioning UI.
Context
To use a system for provisioning purposes, its status has to be Enabled. When you add a new system, it is enabled by default. If one of your added systems is configured and you currently do not need it, but would like to use it later, you can disable it.
Procedure
1. From the UI home page, choose a tile – Source Systems, Target Systems, or Proxy Systems.
2. From the list on the left, select a system.
3. Choose the icon at the top of the left-hand panel.
○ If the system is currently disabled, choose the Enable button and confirm with OK.
○ If the system is currently enabled, choose the Disable button and confirm with OK.
4. Save your changes.
1.4.2.6 Export and Import Systems
This topic explains how you can export and import source, target and proxy systems in the Identity Provisioning UI.
Context
If you have added and configured a system, you can export it for further use. The export function comes in handy in the following use cases:
● You need another system of the same type but with a slightly different setup, and you don't want to manually enter all data and configuration properties all over again.
● You need to reuse an existing system in the Identity Provisioning UI but for another subaccount.
Procedure
Export a System
1. From the UI home page, choose a section: Source Systems, Target Systems, or Proxy Systems.
2. From the list on the left, select the system you want to export.
3. Choose the Export button.
4. The exported system configuration depends on your scenario. If your system is a source or a target one, it will be exported as a JSON file. If it's a proxy one, you have two options:
○ Select JSON format – the system configuration will be exported as a .json file, which you can later import back in the Identity Provisioning UI.
○ Select CSV format – the system configuration will be exported as a .csv file, which you can later import in the SAP Identity Management UI as a SCIM repository.
5. Save the file on your local file system.
Import a System
1. From the UI home page, choose a section: Source Systems, Target Systems, or Proxy Systems.
2. Choose the Add button.
3. In section Define from File, choose the Browse button.
4. Browse and select the file with the system configuration you need on your local file system. You can import files with extension .json as well as files with no extension.
Note
To ensure your import is successful, check that the preconfigured system has mapping transformations in the compatible JSON format, and that the system information corresponds to the fields of the Details editor.
5. The system configuration is displayed in the Details editor. You can also see the imported transformations and properties of this system in the respective UI tabs.
6. Change the System Name, otherwise an error message will appear warning you that a system with this name already exists.
7. If needed, make additional configurations. For example, enter password(s) for authentication.
8. Save your changes. The new system appears in the list on the left.
Caution
You cannot export a target system and import it back as a source, or the other way around.
1.4.3 Properties
You need to set mandatory properties to configure the connection between your source and target systems.
For your system provisioning goals, you can set properties in two places:
● SAP Cloud Platform cockpit: Destinations
● Identity Provisioning UI: Source Systems or Target Systems → Properties
Note
If the same properties exist in both the Destinations editor (in the cockpit) and in the Properties tab (in the Identity Provisioning UI), the values set in the Properties tab are taken with higher priority.
Properties can help you filter which entities and entity attributes are read from the source system or written to the target system. According to their usability, properties can be categorized as follows:
Standard System Properties
Each source or target system supports specific types of properties. Example:
AS ABAP System (source):
jco.client.r3name=PSE
jco.destination.peak_limit=10
jco.destination.pool_capacity=5
Concur System (target):
sf.page.size=100
sf.user.filter=firstName John
sf.user.attributes=email
Default System Properties
These properties depend on the particular connector type. They exist in the transformations by default. It is possible to delete some of them, but this may cause a loss of provisioned data. Example:
LDAP Server (source):
ldap.group.object.class=groupOfNames
ldap.user.object.class=inetOrgPerson
ldap.attribute.user.mobile=mobile
ldap.group.filter=<empty>
ldap.user.filter=<empty>
Parameterized System Transformations
They use parameters taken from the system property sets. The parameters consist of a unique key and a value. Like the standard properties, they can be configured in the system's Properties tab, and/or in the system's destination properties (in the platform cockpit). When one parameter exists in both property sets, the system's properties have priority over the system's destination properties. In the JSON data, the unique key of one of these parameters is surrounded by the percent symbol (%). During the transformation evaluation, each occurrence of %<...>% is replaced by the corresponding parameter's value. Parameter references without a value are left unchanged. For example:
LDAP parameters – list:
ldap.attribute.user.mail=mail
ldap.attribute.user.givenName=givenName
ldap.attribute.user.groups=memberOf
LDAP parameters – mapping transformation:
Sample Code
/* LDAP Server (source) system: */
{
  "sourcePath": "$.%ldap.attribute.user.mail%[0]",
  "targetPath": "$.emails[0].value",
  "optional": true
},
{
  "sourcePath": "$.%ldap.attribute.user.givenName%[0]",
  "targetPath": "$.name.givenName",
  "optional": true
},
NOTE: Nested parameters are not supported.
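The three rules just stated (Properties tab beats destination properties, a reference without a value is left unchanged, nested parameters are not supported) are shown here in an added Python model of the parameter evaluation. This is example code, not the service's implementation; the single-pass substitution is how this example realizes "nested parameters are not supported", and the property sets and mapping are constructed from the LDAP sample above.

```python
import re
from typing import Any, Dict

# %key% references as they appear in the transformation JSON.
_PARAM_RE = re.compile(r"%([A-Za-z0-9_.]+)%")

# Constructed property sets: the destination in the cockpit and the system's Properties tab.
DESTINATION_PROPERTIES = {
    "ldap.attribute.user.mail": "mail",
    "ldap.attribute.user.givenName": "gn",          # overridden by the Properties tab below
}
SYSTEM_PROPERTIES = {
    "ldap.attribute.user.givenName": "givenName",
    "ldap.attribute.user.groups": "memberOf",
}

# Constructed mapping fragment, as in the LDAP sample above plus one unresolved reference.
SAMPLE_MAPPINGS = [
    {"sourcePath": "$.%ldap.attribute.user.mail%[0]", "targetPath": "$.emails[0].value", "optional": True},
    {"sourcePath": "$.%ldap.attribute.user.givenName%[0]", "targetPath": "$.name.givenName", "optional": True},
    {"sourcePath": "$.%ldap.attribute.user.sn%[0]", "targetPath": "$.name.familyName", "optional": True},
]


def effective_properties(destination_props: Dict[str, str], system_props: Dict[str, str]) -> Dict[str, str]:
    """Merge the two property sets; the system's Properties tab has priority."""
    merged = dict(destination_props)
    merged.update(system_props)
    return merged


def resolve_parameters(text: str, params: Dict[str, str]) -> str:
    """Replace every %key% that has a value, in a single pass.

    A key without a value is left exactly as written. Because the value is inserted
    verbatim and the text is scanned only once, a value that itself contains %other%
    is not expanded again (nested parameters are not supported).
    """
    return _PARAM_RE.sub(lambda m: params.get(m.group(1), m.group(0)), text)


def resolve_transformation(node: Any, params: Dict[str, str]) -> Any:
    """Walk parsed transformation JSON and substitute parameters in every string value."""
    if isinstance(node, str):
        return resolve_parameters(node, params)
    if isinstance(node, list):
        return [resolve_transformation(item, params) for item in node]
    if isinstance(node, dict):
        return {key: resolve_transformation(value, params) for key, value in node.items()}
    return node


def unresolved_references(node: Any) -> list:
    """List the %key% references still present after substitution; a non-empty
    result usually means a property is missing from both property sets."""
    found = []
    if isinstance(node, str):
        found.extend(_PARAM_RE.findall(node))
    elif isinstance(node, (list, dict)):
        for item in (node if isinstance(node, list) else node.values()):
            found.extend(unresolved_references(item))
    return found
```

Running unresolved_references over the resolved mappings is a cheap check to add before saving a system: a path such as "$.%ldap.attribute.user.sn%[0]" that survives substitution will never match an attribute at runtime.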
Related Information
List of Properties [page 67]Manage Properties [page 94]
1.4.3.1 List of Properties
On this page you can find all the available properties to use in the Identity Provisioning service. You can filter them by system type name, "All Systems", by a word or only part of it.
Each property is listed with its name, description, values, system type relevance, and system role.

Type
Description: Protocol type for making a connection.
Values: HTTP, LDAP, RFC
System type relevance: All systems
System role: All

URL
Description: URL needed to make an HTTP(S) connection to an on-premise system or a cloud service.
Values: http(s)://<host><port>
System type relevance: All HTTP systems
System role: All

ProxyType
Description: Proxy type required for an HTTP connection.
Values: Internet, OnPremise
System type relevance: All HTTP systems
System role: All

Authentication
Description: Authentication type required for an HTTP connection.
Values: NoAuthentication, BasicAuthentication, ClientCertificateAuthentication
System type relevance: All HTTP systems
System role: All

User
Description: Represents the user name (used in standard destinations) or the client ID (used for access token retrieval in OAuth HTTP destinations).
Values: <text_string>
System type relevance: All HTTP systems
System role: All
Password
Description: Represents the password (used in standard destinations) or the client secret key (used for access token retrieval in OAuth HTTP destinations).
Values: <encrypted_string>
System type relevance: All HTTP systems
System role: All

abap.user.filter
Description: Filter that selects any user name that starts with a given letter. Case sensitive. Example: abap.user.filter = ^A.* returns all user names that start with a capital A.
System type relevance: AS ABAP
System role: Source

abap.role.filter
Description: Filter that provisions any role that starts with a given word/string. Case insensitive. Example: abap.role.filter = (?i)^order.* provisions all roles that start with order.
System type relevance: AS ABAP
System role: Source

c4c.api.version
Description: The version of the SAP Hybris C4C API you use.
Values: 1, 2. By default, the Identity Provisioning service uses version 1.
System type relevance: SAP Hybris Cloud for Customer
System role: Target
c4c.custom.namespace.<prefix>
Note: Only relevant to API v.2.
Description: The Identity Provisioning service uses a single predefined namespace for all attributes. However, you can provision entities by defining your own (custom) namespaces for some attributes. For this purpose, you have to:
1. Specify a namespace using this property.
2. Set the custom namespace in the JSON transformation.
For more information, see: SAP Hybris Cloud for Customer [page 165]
Values: The value of this property is the namespace URI. For <prefix>, enter the prefix of the custom XML namespace (for example, a123). Example for setting the whole property:
c4c.custom.namespace.a123=http://sap.com/xi/AP/CustomerExtension/ABC/A123XX
System type relevance: SAP Hybris Cloud for Customer
System role: Target

ips.delete.existedbefore.entities
Description: If some of the previously provisioned entities are later deleted from the source system, you can control whether to also delete them from the target or not. To allow entity deletion in the target system, set this property to true. For more information, see Manage Deleted Entities [page 95].
Values: true, false. Default value: false
System type relevance: All systems
System role: Target, Proxy
ips.failed.request.retry.attempts
Description: If an entity operation (create, update, delete) fails due to a timeout or rate limit, you can specify a number of retries for this operation. Use this property to set the number of retries.
Tip: Rate limit is the controlled rate of requests sent to a system. Some systems implement a rate limit to avoid overloading and performance issues.
Values: Default value: 2
System type relevance: All systems
System role: All

ips.failed.request.retry.attempts.interval
Description: Specify a time interval (in seconds) between the retries, in case an operation fails due to timeout or rate limit. This property is related to ips.failed.request.retry.attempts.
Values: Default value: 30
System type relevance: All systems
System role: All
ips.job.notification.repeat.on.failure
Description: If you set this property to true, you will receive notification e-mails every time a job fails. To stop and control the notifications, set it to false (default value). This property has priority over ips.job.notification.ignored.consecutive.failures. For more information, see: Manage Job Notifications [page 102]
Values: true, false. Default value: false. That means, when a job fails, you receive only one notification e-mail, with subject Provisioning Running (or Finished) with Error...
System type relevance: All systems
System role: Source
ips.job.notification.ignored.consecutive.failures
If you have activated notifications for your source system and a provisioning job fails, you receive a notification e-mail with subject Provisioning Running (or Finished) with Error. With this property, you can control the consecutive notifications.
Note: You receive consecutive notifications only if you set ips.job.notification.repeat.on.failure to true.
Example: If you set ips.job.notification.ignored.consecutive.failures = 3 and the job fails constantly, you receive no notification for the first three failures. On the fourth failure, you receive one notification e-mail. The service sends no further e-mails until the first successful run of the job.
For more information, see: Manage Job Notifications [page 102]
Default value: 0. That means that a notification e-mail is sent after the first job failure.
System type relevance: All systems. System role: Source.
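The interplay of the two ips.job.notification.* properties is easier to see as a small simulation. The following is an added example, not SAP code: it replays a sequence of job outcomes and reports which runs would produce an e-mail, following the worked example above (the first N consecutive failures are ignored, the next one notifies, and a successful run resets the streak). The streak reset on success and the class and function names are this example's own assumptions.

```python
"""Simulate job-failure notifications for the two ips.job.notification.* properties.

Added example, not SAP code. It models the behaviour documented on this page:
- ips.job.notification.repeat.on.failure = false (default): one e-mail per failing
  streak, sent on the first failure.
- ips.job.notification.repeat.on.failure = true: the first N consecutive failures are
  ignored (N = ips.job.notification.ignored.consecutive.failures), one e-mail is sent on
  failure N+1, then nothing more until a successful run resets the streak.
The streak reset on success is this example's reading of "until the first successful run".
"""
from dataclasses import dataclass, field
from typing import List

REPEAT_KEY = "ips.job.notification.repeat.on.failure"
IGNORED_KEY = "ips.job.notification.ignored.consecutive.failures"


@dataclass
class NotificationPolicy:
    properties: dict
    consecutive_failures: int = 0
    notified_this_streak: bool = False
    sent: List[str] = field(default_factory=list)  # subjects of e-mails that would be sent

    def _repeat(self) -> bool:
        # Property values arrive as strings from the UI; "true" (any case) enables repeats.
        return str(self.properties.get(REPEAT_KEY, "false")).lower() == "true"

    def _ignored(self) -> int:
        try:
            return max(0, int(self.properties.get(IGNORED_KEY, 0)))
        except ValueError:
            return 0  # a non-numeric value behaves like the default 0

    def on_job_finished(self, succeeded: bool, run_no: int) -> bool:
        """Record one job run; return True if an e-mail would be sent for it."""
        if succeeded:
            self.consecutive_failures = 0
            self.notified_this_streak = False
            return False
        self.consecutive_failures += 1
        if self.notified_this_streak:
            return False  # no subsequent e-mails until the next successful run
        # repeat.on.failure has priority: when false, the ignored count is not applied.
        threshold = self._ignored() + 1 if self._repeat() else 1
        if self.consecutive_failures >= threshold:
            self.notified_this_streak = True
            self.sent.append(f"Provisioning Finished with Error (run {run_no})")
            return True
        return False


def simulate(properties: dict, outcomes: List[bool]) -> List[int]:
    """Return the 1-based run numbers that trigger an e-mail for a sequence of outcomes."""
    policy = NotificationPolicy(properties)
    return [i for i, ok in enumerate(outcomes, start=1) if policy.on_job_finished(ok, i)]


if __name__ == "__main__":
    # Constructed sequence: five failures, one success, four failures.
    runs = [False] * 5 + [True] + [False] * 4
    print("default properties      ->", simulate({}, runs))
    print("repeat=true, ignored=3  ->", simulate({REPEAT_KEY: "true", IGNORED_KEY: "3"}, runs))
```

With the defaults the first failure of each streak produces exactly one e-mail; with repeat.on.failure=true and ignored.consecutive.failures=3 the e-mail moves to the fourth consecutive failure of each streak.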
ips.trace.failed.entity.content
If a provisioning job repeatedly fails and you need to investigate the problem, you can enable logging and tracing of the personal data of your provisioned entities. To do this, set this property to true.
If the property is not set, the logs show: content = <hidden content>
Possible values:
● true
● false
Default value: false
System type relevance: All systems. System role: Source.
ips.http.header.<header_name>
Use this property to pass additional information with the HTTP requests.
The provisioning system may override your custom HTTP headers if specific header settings are implemented in the system.
Example for an authorization header:
ips.http.header.authorization = Basic VDAwdfhjgHGSzmfnNA==
Note: If you provide credentials for the provisioning system, this property does not take effect. Its value (token) is overridden by the token generated by the system implementation.
System type relevance: All HTTP systems. System role: Source.
ips.delta.read
If this property is enabled, a provisioning job does not retrieve the entire source system data set every time it starts, but only the most recently changed entities.
For more information, see Full and Delta Read [page 96].
Possible values:
● enabled
● disabled
Use it in the following systems:
● SCIM
● Microsoft AD
● SAP SuccessFactors
● Identity Authentication
System role: All.
ips.full.read.force.count
If your system (connector) works in delta read mode, it is recommended to enforce full reads from time to time. To achieve this, set this property to an integer number.
For more information, see Full and Delta Read [page 96].
Example: 10
This value results in a full read after every 10 delta reads.
Use it in the following systems:
● SCIM
● Microsoft AD
● SAP SuccessFactors
● Identity Authentication
System role: All.
OAuth2TokenServiceURL
If you need OAuth authentication to the system, enter the URL of the access token provider service.
Values: <access_token_URL>
System type relevance:
● CloudFoundry UAA Server
● SAP Cloud Platform
● Microsoft Azure AD
● Google G Suite
● SAP Jam
● SCIM
System role: Target, Proxy.
jco.client.user
Enter the user for AS ABAP.
System type relevance: AS ABAP. System role: Source.
jco.client.passwd
Enter the password for the AS ABAP user.
System type relevance: AS ABAP. System role: Source.
jco.client.ashost
Enter the virtual host entry that you have configured in the Cloud Connector → Access Control configuration.
Example: abapserver.hana.cloud
System type relevance: AS ABAP. System role: Source.
jco.client.client
Enter the client to be used in the ABAP system. The valid format is a three-digit number.
Example: 001
System type relevance: AS ABAP. System role: Source.
jco.client.r3name
Enter the three-character system ID of the ABAP system to be addressed.
Example: WPE
System type relevance: AS ABAP. System role: Source.
jco.client.sysnr
Enter the "system number" of the ABAP system.
Example: 42
System type relevance: AS ABAP. System role: Source.
jco.destination.peak_limit
The maximum number of active connections that can be created simultaneously for a destination.
Example: 10
System type relevance: AS ABAP. System role: Source.
jco.destination.pool_capacity
The maximum number of idle connections kept open by the destination.
Example: 5
System type relevance: AS ABAP. System role: Source.
jco.client.mshost
The message server host to be used.
System type relevance: AS ABAP. System role: Source.
X-ConsumerKey
Enter the Concur access token needed for the connection.
System type relevance: Concur. System role: Target, Proxy.
jwt.subject
Enter the Google G Suite user on behalf of which the Google Directory API is called.
System type relevance: Google G Suite. System role: Target, Proxy.
jwt.scope
Enter space-separated Google Directory API authorization scopes.
System type relevance: Google G Suite. System role: Target, Proxy.
ldap.url
The URL needed to make an LDAP connection to an on-premise system or a cloud service.
Values: ldap://<host>:<port>
System type relevance: LDAP Server, Microsoft AD. System role: Source.
ldap.proxyType
Proxy type for the LDAP connection.
Values: OnPremise
System type relevance: LDAP Server, Microsoft AD. System role: Source.
ldap.authentication
Authentication type for the LDAP connection.
Values: BasicAuthentication
System type relevance: LDAP Server, Microsoft AD. System role: Source.
ldap.user
User name for the LDAP Server.
Values: <text_string>
System type relevance: LDAP Server, Microsoft AD. System role: Source.
ldap.password
Password for the LDAP Server user.
Values: <encrypted_string>
System type relevance: LDAP Server, Microsoft AD. System role: Source.
ldap.group.path
Enter the complete path to a group or groups in the LDAP Server.
System type relevance: LDAP Server, Microsoft AD. System role: Source.
ldap.user.path
Enter the complete path to the users in the LDAP Server.
System type relevance: LDAP Server, Microsoft AD. System role: Source.
ldap.user.attributes
Specifies which user attributes from the source system are included in the LDAP search result (and, respectively, in the intermediate JSON data). Separate the attributes by comma (,).
If nothing is set, all attributes are included.
System type relevance: LDAP Server, Microsoft AD. System role: Source.
ldap.group.attributes
Specifies which group attributes from the source system are included in the LDAP search result (and, respectively, in the intermediate JSON data).
If nothing is set, all attributes are included.
System type relevance: LDAP Server, Microsoft AD. System role: Source.
ldap.user.object.class
Criteria for users. In the intermediate JSON data, the following LDAP filter is used: (objectClass=user)
Default value: user
System type relevance: LDAP Server, Microsoft AD. System role: Source.
ldap.group.object.class
Criteria for groups. In the intermediate JSON data, the following LDAP filter is used: (objectClass=group)
Default value: group
System type relevance: LDAP Server, Microsoft AD. System role: Source.
ldap.group.uniquename.attribute
By default, the memberOf array in the source JSON data contains the CN part of the complete distinguished name of each group to which the entity belongs. The administrator can change this default behavior and specify an attribute name to be used instead of CN.
Note:
● Any group that does not have the specified attribute is not part of the resulting memberOf JSON array.
● Any group that does not match the ldap.group.path property is not part of the resulting memberOf JSON array.
Example: ldap.group.uniquename.attribute=displayName
This produces a memberOf array that contains the displayName attribute value of the groups to which the entity belongs.
System type relevance: LDAP Server, Microsoft AD. System role: Source.
ldap.member.uniquename.attribute
Determines the value of the member attribute of groups in the intermediate JSON data.
Possible values:
● cn
● distinguishedName
Default value: cn
System type relevance: LDAP Server, Microsoft AD. System role: Source.
ldap.user.filter
You can optimize the search by excluding certain users. For example, (cn=1234*) returns only users with a CN starting with 1234.
This filter is empty by default. That means: "If the property is not specified, search for everything."
System type relevance: LDAP Server, Microsoft AD. System role: Source.
ldap.group.filter
You can optimize the search by excluding certain groups.
This filter is empty by default. That means: "If the property is not specified, search for everything."
System type relevance: LDAP Server, Microsoft AD. System role: Source.
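The rules for ldap.group.uniquename.attribute, ldap.group.path and ldap.member.uniquename.attribute above, together with the object-class and custom filters, are easier to verify on concrete directory entries. The following is an added example, not SAP code: it derives the memberOf array and the member values from constructed group entries and composes the effective search filter. The directory data, the helper names, and the assumption that the service ANDs the objectClass criterion with ldap.user.filter / ldap.group.filter are this example's own.

```python
"""Derive memberOf, member values and the effective LDAP search filter from ldap.* properties.

Added example, not SAP code. The constructed directory entries below and the way the
objectClass criterion is combined with the custom filter are this example's assumptions.
"""
from typing import Dict, Iterable, List, Optional

# Constructed sample directory: group DN -> selected attributes of that group.
GROUPS: Dict[str, Dict[str, str]] = {
    "CN=Admins,OU=Groups,DC=example,DC=com": {"displayName": "Administrators"},
    "CN=Devs,OU=Groups,DC=example,DC=com": {},  # has no displayName attribute
    "CN=Legacy,OU=Old,DC=example,DC=com": {"displayName": "Legacy Team"},
}
# The groups a constructed user entry belongs to (its memberOf values in the directory).
USER_GROUP_DNS: List[str] = list(GROUPS)


def rdn_value(dn: str, attr: str = "cn") -> Optional[str]:
    """Return the value of the first RDN of `dn` whose attribute type is `attr` (case-insensitive)."""
    for rdn in dn.split(","):
        name, _, value = rdn.strip().partition("=")
        if name.strip().lower() == attr.lower():
            return value.strip()
    return None


def _norm(dn: str) -> str:
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(dn: str, base: str) -> bool:
    """True if `dn` is the base itself or lies below it (used for ldap.group.path)."""
    ndn, nbase = _norm(dn), _norm(base)
    return ndn == nbase or ndn.endswith("," + nbase)


def member_of(entity_group_dns: Iterable[str], groups: Dict[str, Dict[str, str]], props: dict) -> List[str]:
    """Build the memberOf JSON array for an entity.

    Default: the CN of each group DN. If ldap.group.uniquename.attribute is set, that
    attribute's value is used instead; groups lacking the attribute or outside
    ldap.group.path are omitted, as the property description states.
    """
    path = props.get("ldap.group.path", "").strip()
    unique_attr = props.get("ldap.group.uniquename.attribute")
    result: List[str] = []
    for dn in entity_group_dns:
        if path and not is_under(dn, path):
            continue
        value = rdn_value(dn, "cn") if unique_attr is None else groups.get(dn, {}).get(unique_attr)
        if value is not None:
            result.append(value)
    return result


def group_member_values(member_dns: Iterable[str], props: dict) -> List[Optional[str]]:
    """Value of a group's member attribute: cn (default) or the full distinguishedName."""
    if props.get("ldap.member.uniquename.attribute", "cn") == "distinguishedName":
        return list(member_dns)
    return [rdn_value(dn, "cn") for dn in member_dns]


def effective_filter(kind: str, props: dict) -> str:
    """Combine ldap.<kind>.object.class with the optional ldap.<kind>.filter.

    Assumption of this example: the two are ANDed; with no custom filter the plain
    objectClass filter from the property description is used.
    """
    object_class = props.get(f"ldap.{kind}.object.class", kind)
    custom = props.get(f"ldap.{kind}.filter", "").strip()
    base = f"(objectClass={object_class})"
    return f"(&{base}{custom})" if custom else base


if __name__ == "__main__":
    scoped = {"ldap.group.path": "OU=Groups,DC=example,DC=com"}
    print(member_of(USER_GROUP_DNS, GROUPS, {}))
    print(member_of(USER_GROUP_DNS, GROUPS, scoped))
    print(member_of(USER_GROUP_DNS, GROUPS, {**scoped, "ldap.group.uniquename.attribute": "displayName"}))
    print(effective_filter("user", {"ldap.user.filter": "(cn=1234*)"}))
```

Note how switching to displayName silently drops the Devs group, which has no such attribute: when a group disappears from memberOf after such a change, check the attribute before suspecting the directory.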
ldap.page.size
Use this property to configure paging, that is, the number of entities to be read from the LDAP server at once.
Default value: 100
Note: It is not recommended to exceed 1000.
System type relevance: LDAP Server, Microsoft AD. System role: Source.
concur.page.size
Use this property to configure paging, that is, the number of entities to be read from Concur at once.
Default value: 100
Note: The maximum allowed number is 100.
System type relevance: Concur. System role: Source.
gsuite.page.size
Use this property to configure paging, that is, the number of entities to be read from Google G Suite at once.
Default value: 100
Note: The maximum allowed number is 500.
System type relevance: Google G Suite. System role: Source.
gsuite.get.deleted
This property determines whether recently deleted entities should be read.
Note: You can apply this property only to users. For groups it is ignored.
Possible values:
● true
● false
Default value: false
System type relevance: Google G Suite. System role: Source.
gsuite.domain
This property determines whether entities from a particular domain should be read.
Example: myaccount.ondemand.com
System type relevance: Google G Suite. System role: Source.
gsuite.customer.id
This property determines whether entities for a particular customer ID are read. It takes precedence over gsuite.domain.
Values: <customer_ID_number>
For more information, see Google G Suite API: User Accounts.
System type relevance: Google G Suite. System role: Source.
com.sun.jndi.ldap.read.timeout
Use this property to specify the read timeout (in milliseconds) for an LDAP connection.
Example: 5000
This value causes the LDAP service provider to abort the read attempt if the server does not respond within 5 seconds.
System type relevance: LDAP Server, Microsoft AD. System role: Source.
com.sun.jndi.ldap.connect.timeout
Use this property to set the timeout (in milliseconds) for connecting to the LDAP server.
Example: 500
This value causes the LDAP service provider to abort the connection attempt if a connection cannot be established within half a second.
System type relevance: LDAP Server, Microsoft AD. System role: Source.
oauth.resource.name
Enter the URL of the Microsoft Graph.
Values: https://graph.microsoft.com
System type relevance: Microsoft Azure AD. System role: All.
aad.domain.name
Enter one of the verified domain names from the corresponding Azure AD tenant.
System type relevance: Microsoft Azure AD. System role: All.
csrf.token.path
Path appended to the URL to retrieve the CSRF token. The property is added automatically in the system with its default value.
Default value: /api/v1/scim/Users?count=1
System type relevance: SAP Analytics Cloud (Beta). System role: All.
scim.api.csrf.protection
Specifies whether to fetch a CSRF token when sending requests to the system. The property is added automatically in the system with its default value.
Possible values:
● enabled
● disabled
Default value: enabled
System type relevance: SAP Analytics Cloud (Beta). System role: All.
scim.user.filter
When specified, only the users matching the filter expression are read.
Example:
name.familyName eq "Smith" and addresses.country eq "US"
System type relevance: SCIM. System role: Source.
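To check which users a scim.user.filter expression selects before pointing the connector at a live system, the filter can be evaluated locally against a few SCIM user resources. The following is an added example, not SAP code and not the service's own filter engine: it handles the subset used on this page (dotted attribute paths such as name.familyName or addresses.country, where a multi-valued attribute matches if any element matches, the eq and gt operators, and terms joined by and). The user records are constructed.

```python
"""Evaluate a scim.user.filter expression against SCIM user resources.

Added example, not SAP code. Supports: attribute paths (name.familyName,
addresses.country, meta.lastModified), the operators eq and gt, and 'and'.
Values containing the word ' and ' are not supported by this simple splitter.
"""
import re
from typing import Any, Iterable, List

# attrPath, operator, then either a "quoted value" or a bare word.
_TERM = re.compile(r'^\s*([\w.:]+)\s+(eq|gt)\s+("([^"]*)"|\S+)\s*$', re.IGNORECASE)

# Constructed sample resources, not real data.
USERS: List[dict] = [
    {"userName": "jsmith", "name": {"familyName": "Smith"},
     "addresses": [{"country": "US"}], "meta": {"lastModified": "2018-06-01T10:00:00Z"}},
    {"userName": "asmith", "name": {"familyName": "Smith"},
     "addresses": [{"country": "DE"}], "meta": {"lastModified": "2018-05-01T10:00:00Z"}},
    {"userName": "bjones", "name": {"familyName": "Jones"},
     "addresses": [{"country": "US"}, {"country": "CA"}],
     "meta": {"lastModified": "2018-06-10T10:00:00Z"}},
]


def _values(resource: Any, path: List[str]) -> Iterable[Any]:
    """Yield every value reachable through `path`, descending into multi-valued attributes."""
    if not path:
        yield resource
        return
    if isinstance(resource, list):
        for item in resource:
            yield from _values(item, path)
    elif isinstance(resource, dict) and path[0] in resource:
        yield from _values(resource[path[0]], path[1:])


def _match_term(user: dict, term: str) -> bool:
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"unsupported filter term: {term!r}")
    attr, op = m.group(1), m.group(2).lower()
    wanted = m.group(4) if m.group(4) is not None else m.group(3)
    for value in _values(user, attr.split(".")):
        # SCIM string comparison with eq is case-insensitive unless the attribute is caseExact.
        if op == "eq" and str(value).lower() == wanted.lower():
            return True
        # Lexicographic gt is sufficient for ISO-8601 timestamps such as meta.lastModified.
        if op == "gt" and str(value) > wanted:
            return True
    return False


def matches(user: dict, filter_expr: str) -> bool:
    """True if `user` satisfies every 'and'-joined term of the filter."""
    terms = re.split(r"\s+and\s+", filter_expr.strip(), flags=re.IGNORECASE)
    return all(_match_term(user, t) for t in terms)


def select_users(users: List[dict], filter_expr: str) -> List[str]:
    """Return the userName of every resource that the filter would read."""
    return [u["userName"] for u in users if matches(u, filter_expr)]


if __name__ == "__main__":
    print(select_users(USERS, 'name.familyName eq "Smith" and addresses.country eq "US"'))
    print(select_users(USERS, 'meta.lastModified gt "2018-05-15T00:00:00Z"'))
```

The second call shows the shape of the filter that delta read relies on for SCIM sources (see Full and Delta Read): the system API must support gt on meta.lastModified for that mode to work.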
scim.content.type
Makes the connector send the specified value in the Content-Type HTTP header. This is needed because a SCIM system might not implement the protocol as specified; the specification states that a system must accept application/scim+json as the value of the Content-Type header.
Example: application/json
If the property is not specified, the default value is used: application/scim+json
System type relevance: SCIM. System role: Target, Proxy.
scim.user.unique.attribute
If the service tries to create a user that already exists in the target system, the creation fails. In this case, the existing user only needs to be updated. This user can be found via a search based on an attribute (default or specific).
To make the search filter by a specific attribute, specify this attribute as the value of the scim.user.unique.attribute property.
If the property is not specified, the search is done by the default attribute: userName
System type relevance: SCIM. System role: Target, Proxy.
scim.group.unique.attribute
If the service tries to create a group that already exists in the target system, the creation fails. In this case, the existing group only needs to be updated. This group can be found via a search based on an attribute (default or specific).
To make the search filter by a specific attribute, specify this attribute as the value of the scim.group.unique.attribute property.
If the property is not specified, the search is done by the default attribute: displayName
System type relevance: SCIM. System role: Target, Proxy.
scim.group.members.additional.attributes
Defines additional attributes you can request from an Identity Authentication source system when reading groups.
If you read groups through the REST API, use the GET request. Add the additional attributes (comma-separated) as the value of the URL parameter membersAdditionalAttributes.
Values: a comma-separated list of attribute names. You can add the following attributes:
● emails
● userName
● displayName
● urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber
System type relevance: Identity Authentication. System role: Source.
scim.include.if.match.wildcard.header
Makes the connector send the If-Match HTTP header with a value of "*" for every request to the target system. A SCIM system can use this header for entity versioning.
Possible values:
● true
● false
Default value: false
System type relevance: SCIM. System role: Target, Proxy.
scim.support.patch.operation
If an entity has been deleted from the source system, or there is a condition for it not to be read anymore, it can still "stay" in the target system (it is only disabled). For this purpose, you need to use the deleteEntity scope. For more information, see JSON Expressions [page 38].
If your target system is SCIM-based and it does not support PATCH operations, you also need to use the scim.support.patch.operation property, setting it to false.
Note: If your SCIM system supports the PATCH operation, you do not need this property, or you can set it to true.
Possible values:
● true
● false
Default value: true
System type relevance: SCIM. System role: Target, Proxy.
AuthType
Enter the type of authentication used for access token retrieval for OAuth HTTP destinations.
Possible values:
● Basic
● Form
Default value: Basic
System type relevance: SCIM. System role: Both.
CloudConnectorLocationId
Relevant when the ProxyType property is set to OnPremise. Use it only if your SAP Cloud Platform account uses more than one Cloud Connector.
Values: Integer number
System type relevance: SSH Server (Beta), SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.db.user
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.db.password
(Credential)
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.db.host
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.db.port
Values: 30015
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.access.type
There are three types of SAP HANA access:
● direct – requires only the hana.jdbc.db.* properties.
● ssh.tunnel – requires the hana.jdbc.db.* and hana.jdbc.ssh.tunnel.* properties.
● cf.app.ssh.tunnel – requires the hana.jdbc.ssh.tunnel.cf.* properties to establish an SSH tunnel to the Cloud Foundry application, from which the JDBC SQL port of SAP HANA is accessed.
Possible values:
● direct
● ssh.tunnel
● cf.app.ssh.tunnel
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.ssh.tunnel.username
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.ssh.tunnel.host
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.ssh.tunnel.port
Values: 22
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.ssh.tunnel.auth.type
Supported SSH authentication types:
● key
● pwd
● otp
● key+otp
● key+pwd
● pwd+otp
● key+pwd+otp
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.ssh.tunnel.cf.api.url
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.ssh.tunnel.cf.oauth.token.url
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.ssh.tunnel.cf.org
The Cloud Foundry organization.
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.ssh.tunnel.cf.space
The Cloud Foundry space.
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.ssh.tunnel.cf.app
The Cloud Foundry application to which the SAP HANA Database (Beta) system opens an SSH tunnel. For more information, see: Cloud Foundry: Accessing Apps with SSH
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.ssh.tunnel.cf.app.instance
The instance number of the Cloud Foundry application.
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.ssh.tunnel.cf.username
The Cloud Foundry user. It has the Developer role for the space where the application is deployed.
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.ssh.tunnel.cf.password
(Credential) The password for the user in property hana.jdbc.ssh.tunnel.cf.username.
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.ssh.tunnel.password
(Credential) Taken into account only if the authentication type includes pwd. That means any of the following:
● hana.jdbc.ssh.tunnel.auth.type = pwd
● hana.jdbc.ssh.tunnel.auth.type = pwd+otp
● hana.jdbc.ssh.tunnel.auth.type = key+pwd
● hana.jdbc.ssh.tunnel.auth.type = key+pwd+otp
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.ssh.tunnel.totp.secret.key
(Credential) Taken into account only if the authentication type includes otp. That means any of the following:
● hana.jdbc.ssh.tunnel.auth.type = otp
● hana.jdbc.ssh.tunnel.auth.type = key+otp
● hana.jdbc.ssh.tunnel.auth.type = pwd+otp
● hana.jdbc.ssh.tunnel.auth.type = key+pwd+otp
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
hana.jdbc.ssh.tunnel.private.key
(Credential) Taken into account only if the authentication type includes key. That means any of the following:
● hana.jdbc.ssh.tunnel.auth.type = key
● hana.jdbc.ssh.tunnel.auth.type = key+pwd
● hana.jdbc.ssh.tunnel.auth.type = key+otp
● hana.jdbc.ssh.tunnel.auth.type = key+pwd+otp
System type relevance: SAP HANA Database (Beta). System role: Target, Proxy.
ssh.read.users.command
Path to the bash command you need to execute to read users.
System type relevance: SSH Server (Beta). System role: Source.
ssh.create.user.command
Path to the bash command you need to execute to create a user.
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.update.user.command
Path to the bash command you need to execute to update a user.
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.delete.user.command
Path to the bash command you need to execute to delete a user.
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.read.groups.command
Path to the bash command you need to execute to read groups.
System type relevance: SSH Server (Beta). System role: Source.
ssh.create.group.command
Path to the bash command you need to execute to create a group.
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.update.group.command
Path to the bash command you need to execute to update a group.
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.delete.group.command
Path to the bash command you need to execute to delete a group.
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.create.user.command.exit.code.already.exists
Values: An exit code number
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.update.user.command.exit.code.not.found
Values: An exit code number
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.delete.user.command.exit.code.not.found
Values: An exit code number
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.create.group.command.exit.code.already.exists
Values: An exit code number
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.update.group.command.exit.code.not.found
Values: An exit code number
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.delete.group.command.exit.code.not.found
Values: An exit code number
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.auth.type
Supported SSH authentication types:
● key
● pwd
● otp
● key+otp
● key+pwd
● pwd+otp
● key+pwd+otp
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.host
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.port
Values: 22
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.username
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.password
(Credential) Taken into account only if the authentication type includes pwd. That means any of the following:
● hana.jdbc.ssh.tunnel.auth.type = pwd
● hana.jdbc.ssh.tunnel.auth.type = pwd+otp
● hana.jdbc.ssh.tunnel.auth.type = key+pwd
● hana.jdbc.ssh.tunnel.auth.type = key+pwd+otp
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.totp.secret.key
(Credential) Taken into account only if the authentication type includes otp. That means any of the following:
● hana.jdbc.ssh.tunnel.auth.type = otp
● hana.jdbc.ssh.tunnel.auth.type = key+otp
● hana.jdbc.ssh.tunnel.auth.type = pwd+otp
● hana.jdbc.ssh.tunnel.auth.type = key+pwd+otp
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.private.key
(Credential) Taken into account only if the authentication type includes key. That means any of the following:
● hana.jdbc.ssh.tunnel.auth.type = key
● hana.jdbc.ssh.tunnel.auth.type = key+pwd
● hana.jdbc.ssh.tunnel.auth.type = key+otp
● hana.jdbc.ssh.tunnel.auth.type = key+pwd+otp
System type relevance: SSH Server (Beta). System role: Target, Proxy.
ssh.private.key.type
The format of the SSH private key.
Possible values:
● ssh-rsa
● ssh-dsa
Default value: ssh-rsa
System type relevance: SSH Server (Beta). System role: Target, Proxy.
scim.users.search.filter
Use this property to specify a search filter for retrieving users from the target system. A user is retrieved if creating a new user fails (because it already exists in the target system).
System type relevance: SAP Jam. System role: All.
sf.page.size
Defines the page size.
Default value: 100
System type relevance: SAP SuccessFactors. System role: Source.
sf.user.filter
This property takes values as described in the OData version 2 syntax, except any statements with the attribute lastModifiedDateTime.
Caution: The attribute lastModifiedDateTime is used internally by the Identity Provisioning service for calculating the delta load from the SAP SuccessFactors system. You must not use it in custom filter statements.
Example value: division eq 'Manufacturing (MANU)'
Restriction: You can only use attributes that the SAP SuccessFactors HCM Suite OData API supports as filterable. Some of these filterable attributes are: firstName, lastName, department, division, jobCode, location, status, userId, username.
System type relevance: SAP SuccessFactors. System role: Source.
sf.user.attributes
A string representing the comma-separated list of user attributes that have to be loaded from the SAP SuccessFactors system.
Default value: all
Example: username, firstName, lastName, email, lastModifiedDateTime
Caution: If you set this property to read only some of the user attributes, make sure that the attribute lastModifiedDateTime is always read; otherwise, the provisioning from SuccessFactors fails.
System type relevance: SAP SuccessFactors. System role: Source.
sf.user.attributes.expand
This property is related to sf.user.attributes.
Default value: all
Example: If you need the manager's username attribute to be read as well, enter the following configuration in the Properties tab:
sf.user.attributes = username,firstName,lastName,manager/username
sf.user.attributes.expand = manager
System type relevance: SAP SuccessFactors. System role: Source.
RemoteSystemID
Note: Only relevant to API v.1.
Enter the system instance ID configured for the communication system setting in the SAP Hybris C4C system.
Example: IPS
System type relevance: SAP Hybris Cloud for Customer. System role: Target.
RecipientPartyID
Note: Only relevant to API v.2.
Enter the recipient system name.
Example: 0011SAP
System type relevance: SAP Hybris Cloud for Customer. System role: Target.
SenderPartyID
Note: Only relevant to API v.2.
Enter the name of the sender system. It is equal to the value of the property RemoteSystemID from API v.1.
Example: IPS
System type relevance: SAP Hybris Cloud for Customer. System role: Target.
TrustAll
If this property is set to true, the server certificate is not checked for SSL connections.
Caution: Use TrustAll only for testing purposes (not in productive scenarios), as the SSL server certificate is not verified and thus the server is not authenticated.
Possible values:
● true
● false
Default value: false
System type relevance: All systems. System role: All.
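Several rows of this table state limits or cautions that are easy to violate when a property set is assembled by hand: the page-size maximums, the TrustAll caution, the lastModifiedDateTime requirements for SAP SuccessFactors, the credential each SSH authentication type part needs, and the property groups each hana.jdbc.access.type requires. The following is an added example, not SAP code and not a check the service performs: a small linter that reports those conditions on a property dictionary, with a weak and a corrected property set constructed for illustration. Check names, messages and the treatment of the ldap.page.size recommendation as a hard limit are this example's own choices.

```python
"""Lint an Identity Provisioning property set against the limits and cautions in this table.

Added example, not SAP code. Property values are strings, as entered in the UI.
"""
from typing import Dict, List, Tuple

PAGE_SIZE_LIMITS = {  # documented maximum (ldap: "not recommended to exceed")
    "ldap.page.size": 1000,
    "concur.page.size": 100,
    "gsuite.page.size": 500,
}
# Each part of an auth type (key+pwd+otp) requires the matching credential property.
SSH_CREDENTIAL_FOR = {"pwd": "password", "otp": "totp.secret.key", "key": "private.key"}
SSH_AUTH_PROPERTIES = (("ssh.", "ssh.auth.type"),
                       ("hana.jdbc.ssh.tunnel.", "hana.jdbc.ssh.tunnel.auth.type"))

# Constructed property sets, not taken from a real tenant.
WEAK_PROPERTIES: Dict[str, str] = {
    "ldap.page.size": "5000",
    "TrustAll": "true",
    "sf.user.attributes": "username,firstName",
    "ssh.auth.type": "key+pwd",
    "ssh.private.key": "<private key placeholder>",
}
FIXED_PROPERTIES: Dict[str, str] = {
    "ldap.page.size": "500",
    "TrustAll": "false",
    "sf.user.attributes": "username,firstName,lastModifiedDateTime",
    "ssh.auth.type": "key+pwd",
    "ssh.private.key": "<private key placeholder>",
    "ssh.password": "<password placeholder>",
}


def lint_properties(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing to report."""
    findings: List[Tuple[str, str]] = []

    for key, limit in PAGE_SIZE_LIMITS.items():
        if key in props and int(props[key]) > limit:
            findings.append(("error", f"{key}={props[key]} exceeds the documented maximum of {limit}"))

    if str(props.get("TrustAll", "false")).lower() == "true":
        findings.append(("warning", "TrustAll=true: the SSL server certificate is not verified; "
                                    "use only for testing, never in productive scenarios"))

    attrs = props.get("sf.user.attributes", "")
    if attrs and attrs.strip().lower() != "all":
        if "lastModifiedDateTime" not in {a.strip() for a in attrs.split(",")}:
            findings.append(("error", "sf.user.attributes must include lastModifiedDateTime, "
                                      "otherwise provisioning from SuccessFactors fails"))
    if "lastModifiedDateTime" in props.get("sf.user.filter", ""):
        findings.append(("error", "sf.user.filter must not use lastModifiedDateTime "
                                  "(reserved for the delta load calculation)"))

    for prefix, auth_key in SSH_AUTH_PROPERTIES:
        if auth_key not in props:
            continue
        for part in (p.strip() for p in props[auth_key].split("+") if p.strip()):
            cred = SSH_CREDENTIAL_FOR.get(part)
            if cred is None:
                findings.append(("error", f"{auth_key}: unknown authentication type '{part}'"))
            elif prefix + cred not in props:
                findings.append(("error", f"{auth_key} includes {part} but {prefix + cred} is not set"))

    access = props.get("hana.jdbc.access.type")
    if access in ("ssh.tunnel", "cf.app.ssh.tunnel"):
        needed = "hana.jdbc.ssh.tunnel.cf." if access == "cf.app.ssh.tunnel" else "hana.jdbc.ssh.tunnel."
        if not any(k.startswith(needed) for k in props):
            findings.append(("error", f"hana.jdbc.access.type={access} requires {needed}* properties"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_properties(WEAK_PROPERTIES):
        print(f"{severity}: {message}")
    print("fixed set:", lint_properties(FIXED_PROPERTIES) or "no findings")
```

The weak set yields four findings (page size, TrustAll, the missing lastModifiedDateTime, and the missing ssh.password for the pwd part of key+pwd); the corrected set yields none.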
1.4.3.2 Manage Properties
You can add, delete and modify properties for a system in the Identity Provisioning UI.
Prerequisites
You have added a system (source, target, or proxy) in the Identity Provisioning user interface. To learn how, see Add System [page 59].
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. From the UI home page, choose a tile – Source Systems, Target Systems, or Proxy Systems.
3. Select a system from the left panel and go to the Properties tab.
4. To modify the current properties, choose Edit in the bottom right corner.
5. Make your changes and save the configuration.
Related Information
List of Properties [page 67]
Scenarios [page 106]
1.4.3.3 Manage Deleted Entities
This topic describes the behavior (logic) of provisioning jobs regarding deleted entities, before and after the update of the Identity Provisioning service.
Behavior, before the update on 23.02.2017
When full-read mode is set, a provisioning job provisions all entities from the source system to the target one and updates their status. If a source system entity that has been already provisioned to the target system is later deleted from the source, it will be deleted from the target as well.
Behavior, after the update on 23.02.2017
When full-read mode is set, a provisioning job provisions and updates the entities according to the following use cases:
● Entities provisioned before the update of Identity Provisioning
If an entity existed in both the source and the target system, and you now delete it from the source, the new provisioning job deletes it from the target as well.
Note: In this case, you cannot control the deletion of entities in the target system.
● Entities provisioned after the update of Identity Provisioning
If an entity existed in both the source and the target system, and you now delete it from the source, the new provisioning job recognizes it as "previously existed" and does not delete it from the target system. However, if you want these entities to be deleted, open the relevant target system and, on the Properties tab, enter the following property: ips.delete.existedbefore.entities = true
Note: The default value is false, which means that none of the "recognized" entities are deleted from the target system.
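The two cases above decide, for a full-read job, which target entities are removed when they disappear from the source. The following is an added example, not SAP code: it applies the rule to a constructed target inventory in which each entity records whether the service created it or found it already existing ("previously existed"), and honours ips.delete.existedbefore.entities. That per-entity flag, and the use of None for entities provisioned before the update, are this example's assumptions about how the service tracks its history.

```python
"""Decide which target entities a full-read job deletes after the 23.02.2017 update.

Added example, not SAP code. Assumptions: the service knows, per target entity, whether it
created the entity itself (existed_before=False) or found it already present in the target
(existed_before=True); entities provisioned before the update carry no flag (None) and are
always deleted when they vanish from the source, as the first case above states.
"""
from typing import Dict, Iterable, List, Optional

DELETE_KEY = "ips.delete.existedbefore.entities"

# Constructed inventory: target entity ID -> provisioning history.
TARGET_ENTITIES: Dict[str, Dict[str, Optional[bool]]] = {
    "u1": {"existed_before": False},  # created by the service, still in the source
    "u2": {"existed_before": True},   # found in the target, still in the source
    "u3": {"existed_before": None},   # provisioned before the update, gone from the source
    "u4": {"existed_before": True},   # pre-existing in the target, gone from the source
    "u5": {"existed_before": False},  # created by the service, gone from the source
}
SOURCE_IDS = {"u1", "u2"}  # what the full read returns from the source system


def entities_to_delete(source_ids: Iterable[str],
                       target_entities: Dict[str, Dict[str, Optional[bool]]],
                       props: dict) -> List[str]:
    """Return the sorted IDs that the job would delete from the target."""
    present = set(source_ids)
    delete_existed_before = str(props.get(DELETE_KEY, "false")).lower() == "true"
    doomed: List[str] = []
    for ident, info in target_entities.items():
        if ident in present:
            continue  # still in the source: the job updates it, never deletes it
        flag = info.get("existed_before")
        if flag is None:            # provisioned before the update: deletion not controllable
            doomed.append(ident)
        elif not flag:              # created by the service: normal source-driven deletion
            doomed.append(ident)
        elif delete_existed_before:  # "previously existed" and the property allows deletion
            doomed.append(ident)
    return sorted(doomed)


if __name__ == "__main__":
    print("default   :", entities_to_delete(SOURCE_IDS, TARGET_ENTITIES, {}))
    print("flag=true :", entities_to_delete(SOURCE_IDS, TARGET_ENTITIES, {DELETE_KEY: "true"}))
```

With the default, u4 survives because the service did not create it; only setting the property to true makes the job remove pre-existing entities that the source no longer returns.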
Related Information
Full and Delta Read [page 96]
Scenarios [page 106]
1.4.3.4 Full and Delta Read
Context
When you set up your systems and start a scheduled provisioning task, the standard behavior of the process reads all the entities from the source system. This mode prevents data loss and always keeps your target system synchronized with the source. However, it may take a long time for every job to be executed.
Delta read is a concept for optimizing the amount of data retrieved from the source system. Delta read is much faster, but sometimes might have limitations. In order for a source system to support delta read mode, its API should allow the implementation of this feature. There must be an attribute associated with each entity, properly maintained by the system when the entity is changed (created, updated or deleted) and exposed for query operations. For example, the Microsoft Active Directory source system uses the uSNChanged attribute. For more information, see Microsoft: Polling for Changes Using USNChanged .
The main difference between delta and full read is:
● Delta read – only modified data is read from the source system.
● Full read – all entities are read and checked every time for provisioning to the target system(s).
To keep source and target systems completely synchronized, you can use the Resync type of provisioning job.
Tip: We recommend that you enforce full reads from time to time if the connector is in delta read mode. To achieve this, you need to set up the following source system property: ips.full.read.force.count. For example, ips.full.read.force.count=10 will result in alternating full reads after every 10 delta reads are performed. This property only impacts scheduled runs; manually triggered runs are ignored.
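The cadence produced by ips.delta.read and ips.full.read.force.count is shown below in a small scheduler model. It is an added example, not SAP code: the service does not document how it keeps its counter, so the counter, the assumption that a manually triggered run reads in delta mode without advancing it, and the per-connector default passed as a parameter are this example's own.

```python
"""Model the read mode of successive provisioning runs from ips.delta.read and
ips.full.read.force.count, following the rules on this page. Added example, not SAP code."""
from typing import List


class ReadModeScheduler:
    def __init__(self, props: dict, default_delta: bool = False):
        # Connector defaults differ: Microsoft AD, SCIM and Identity Authentication default to
        # full read, SAP SuccessFactors to delta read; the caller passes the right default.
        setting = props.get("ips.delta.read")
        if setting is None:
            self.delta_enabled = default_delta
        else:
            self.delta_enabled = setting.strip().lower() == "enabled"
        raw = props.get("ips.full.read.force.count")
        self.force_count = int(raw) if raw not in (None, "") else 0  # 0: never force
        self.delta_runs_since_full = 0

    def mode_for_run(self, scheduled: bool) -> str:
        """Return 'full' or 'delta' for the next run; only scheduled runs advance the counter."""
        if not self.delta_enabled:
            return "full"
        if not scheduled:
            return "delta"  # assumption: manual runs neither count nor trigger the forced full read
        if self.force_count > 0 and self.delta_runs_since_full >= self.force_count:
            self.delta_runs_since_full = 0
            return "full"
        self.delta_runs_since_full += 1
        return "delta"


def plan(props: dict, runs: List[str], default_delta: bool = False) -> List[str]:
    """Map run kinds ('scheduled' or 'manual') to the read mode each run would use."""
    scheduler = ReadModeScheduler(props, default_delta)
    return [scheduler.mode_for_run(kind == "scheduled") for kind in runs]


if __name__ == "__main__":
    ad_props = {"ips.delta.read": "enabled", "ips.full.read.force.count": "3"}
    print(plan(ad_props, ["scheduled"] * 7))
    print(plan(ad_props, ["scheduled", "scheduled", "manual", "scheduled", "scheduled"]))
    print(plan({}, ["scheduled"] * 2, default_delta=True))  # SuccessFactors-style default
```

With force.count=3 every fourth scheduled run is a full read; a manual run in between does not shorten or lengthen that cycle.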
Below are listed all source systems that currently support delta read mode.
Microsoft Active Directory
The default mode is full read. You can switch to delta read, if you set up the relevant property: ips.delta.read=enabled. Bear in mind the following specifics and limitations:
● In order to have a notion for any deleted objects in delta read mode, the Active Directory Recycle Bin optional feature must be enabled. For more information, see Microsoft: Enable Active Directory Recycle Bin .
● Make sure that the service user, which is used in the AD destination, has a Domain Admin role, otherwise the connector will not be able to extract any data from the recycle bin.
● Due to the linked attributes concept of AD, there is a limitation in the Microsoft Active Directory read connector, when performing in delta read mode. We recommend that you enforce full reads periodically in order to avoid data loss. For more information, see Microsoft: Linked Attributes .
● You need to restrict which particular attributes are read. For this purpose, set the properties ldap.user.attributes and ldap.group.attributes and add uSNChanged to the attributes list. Otherwise, the provisioning job runs in full read mode.
● If an entity is moved outside the base path (another directory context), the connector will not recognize this change during delta read.
SAP SuccessFactors
The default mode is delta read mode. You can switch to full read, if you set up the relevant property: ips.delta.read=disabled
SCIM and Identity Authentication Systems
The default mode for these systems is full read. You can switch to delta read, if you set up the relevant property: ips.delta.read=enabled.
For delta read of resources (users and groups), bear in mind the following API requirements:
● The system API must return lastModified, a sub-attribute of the meta attribute, for every resource. The lastModified sub-attribute denotes the most recent date and time when the resource details were updated at the service provider. For more information, see SCIM: Common Attributes .
● The system API must also support filtering by the meta.lastModified attribute with the gt operator in filter expressions. A provider that silently ignores filters it does not support, instead of rejecting them, returns all resources, which turns the delta read into a full read. For more information, see SCIM: Filtering .
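What those two requirements look like from the client side, as an added example that is not the Identity Provisioning service's own code: the delta filter is built from a watermark, sent to a SCIM /Users endpoint, and every returned resource is checked for a lastModified newer than the watermark, so that a provider which ignores the filter or omits lastModified is detected rather than silently producing a full read. The FakeScimServer class and its user records are constructed for the example; the filter syntax follows RFC 7644 section 3.4.2.2.

```python
"""Added example, not part of the SAP documentation: what a delta read needs
from a SCIM service provider (meta.lastModified on every resource, and filter
support with the gt operator), shown against a constructed in-memory /Users
endpoint. The user records below are made up for the example."""
from datetime import datetime, timezone


def parse_ts(value):
    """Parse a SCIM dateTime (RFC 3339, e.g. 2018-06-15T08:30:00Z) as aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def build_delta_filter(since):
    """The filter a delta read sends: only resources modified after the watermark."""
    return 'meta.lastModified gt "%s"' % since.strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample: carol has no meta.lastModified, so a delta read can
# never pick her up; she would only ever appear in a full read.
SAMPLE_USERS = [
    {"id": "u1", "userName": "alice", "meta": {"lastModified": "2018-06-01T10:00:00Z"}},
    {"id": "u2", "userName": "bob", "meta": {"lastModified": "2018-06-15T08:30:00Z"}},
    {"id": "u3", "userName": "carol", "meta": {}},
]


class FakeScimServer:
    """Minimal /Users endpoint that understands only 'meta.lastModified gt "<ts>"'."""

    def __init__(self, users, honours_filter=True):
        self.users = users
        self.honours_filter = honours_filter

    def list_users(self, filter_expr=None):
        if filter_expr is None or not self.honours_filter:
            # A provider that ignores the filter answers with everything; the
            # client then performs a full read while believing it did a delta.
            return list(self.users)
        attr, op, raw = filter_expr.split(" ", 2)
        if attr != "meta.lastModified" or op != "gt":
            raise ValueError("unsupported filter: " + filter_expr)
        since = parse_ts(raw.strip('"'))
        return [u for u in self.users
                if "lastModified" in u["meta"] and parse_ts(u["meta"]["lastModified"]) > since]


def delta_read(server, since):
    """Read the resources changed after 'since' and verify the provider honoured
    the filter. Returns (resources, new watermark). Raises if a resource lacks
    lastModified or is not newer than the watermark: the signal to switch that
    system back to full read instead of trusting the delta."""
    resources = server.list_users(build_delta_filter(since))
    watermark = since
    for r in resources:
        stamp = r.get("meta", {}).get("lastModified")
        if stamp is None:
            raise RuntimeError("%s has no meta.lastModified; delta read is unsafe" % r["id"])
        modified = parse_ts(stamp)
        if modified <= since:
            raise RuntimeError("provider ignored the lastModified filter; use full read")
        watermark = max(watermark, modified)
    return resources, watermark


if __name__ == "__main__":
    changed, mark = delta_read(FakeScimServer(SAMPLE_USERS), parse_ts("2018-06-10T00:00:00Z"))
    print([u["userName"] for u in changed], mark.isoformat())
```

The watermark returned by delta_read should be persisted only after the run has completed successfully; persisting it earlier loses the entities of a run that failed half-way, which is the same data-loss mode the periodic full read is meant to cover.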
SAP Cloud Platform Identity Provisioning ServiceSAP Cloud Platform Identity Provisioning Service P U B L I C 97
Related Information
SAP SuccessFactors [page 120]
SCIM System [page 190]
Microsoft Active Directory [page 145]
SAP Cloud Platform Identity Authentication [page 156]
1.4.4 Manage Jobs and Job Logs
You can start and stop the provisioning of entities, and then view and maintain the logs of the provisioning jobs.
Prerequisites
● You have opened the user interface of the Identity Provisioning service. For more information, see:
Access the Identity Provisioning (Standalone) [page 26]
Access the Identity Provisioning (Trial) [page 23]
● You have enabled and set up a source system. For more information, see: Enable and Disable Systems [page 63]
Run a Provisioning Job
1. Open the enabled source system and choose the Jobs tab.
2. There are two job types:
○ Read Job – run a provisioning job (start, schedule or resume it)
○ Resync Job – resynchronize the data in the target system if the source one has been changed.
The following table shows the operations you can perform on the Jobs tab:
Job Operations
Read Job – Run Now
Starts a read job immediately. The job reads all entities from the source system and provisions them to the target one.
If there have been changes in the target system, they are not affected by the read job. A read job checks only for changes in the source system.
Read Job – Schedule
Schedules how often a read job is run. The number must be larger than 30 (minutes). This option only sets the period: the first run then starts automatically after 1 minute, and when a run is finished, the next one starts after the number of minutes you have set.
Remember: Before scheduling a job, make sure it has not been paused. Otherwise, the job will not be executed. (See the Resume/Pause row below.)
Read Job – Resume/Pause
To pause a manually started or a scheduled job, press Pause.
To continue a paused job, press Resume. Always resume a job before starting it again manually or by a schedule!
Resync Job – Run Now
Starts a resynchronization job immediately. This job reads all users in the source system and overwrites all entities in the target system.
If there have been changes in the target system, they are overwritten with the information from the source system. After running a resynchronization job, the entity data in the source and the target system becomes the same.
Stop a Provisioning Job
1. From the main menu, choose section Job Logs.
2. To stop a running provisioning job, choose the Stop Job button in the Action column.
View Job Logs
1. From the main menu, choose section Job Logs.
2. You see the list of all executed jobs and details about them.
Job Execution Logs
● Source System – The source system that the job was triggered for.
● Job Type – The job type can be READ or RESYNC.
● Trigger Type – The triggering type for the job. It can be immediate (if triggered with Run Now) or repeat (for a scheduled job).
● Status – The status of the job. It can be Success, Finished with Error, Running, or Running with Error.
● Start Time – The date, time, and timezone (UTC) when the job started.
● End Time – The date, time, and timezone (UTC) when the job finished.
● Action – From this column, you can stop a running provisioning job.
3. To see more details about a specific job, click the relevant table row. The following information appears in a new screen:
○ <System_name> – Shows the system name and the details from the previous screen.
○ Error Message – If the job finishes with errors, you can see the error message in this field.
○ Statistics – Shows details about the entities handled.
○ Failed Entities – In case of failed entities, in this section you can find additional information about the first few failed entities.
Job Statistics
● Entity – Type of the handled entity
● System – Name of the source, target, or proxy system
● Action – Action executed on the system. It can be Read or Write.
● Read – Number of read entities
● Created – Number of created entities
● Updated – Number of updated entities
● Deleted – Number of deleted entities
● Skipped – Number of skipped entities. For example, an entity can be skipped if it could not be provisioned due to missing transformation logic for its entity type, or if a condition in the transformation logic is not fulfilled.
● Failed – Number of entities not handled
Export Job Logs
1. From the main menu, choose section Job Logs.
2. From the upper right corner, choose Export Logs. If the number of logs is too large, the execution logs will be exported in parts. Each part (a ZIP archive) contains 3000 logs, by default.
3. Save all ZIP files on your local file system.
Delete Job Logs
If you don't need your job logs anymore, you can delete them. You can do this manually or automatically (by setting a retention period).
1. From the main menu, choose section Job Logs.
2. From the bottom right corner, choose Delete Logs.
Caution: Choosing this button, you will delete the logs for all finished jobs.
If a job is still running though, it will stay along with its logs.
3. You can set a duration of time for which the job logs are available for monitoring.
1. From the upper right corner, choose Configure job logs settings.
2. Set a period (7, 14 or 30 days). Logs which are older than this period will be automatically deleted. By default, job logs are kept for 7 days.
3. If you want to keep the logs longer, you can export them (see the previous section).
Related Information
Systems [page 56]
Manage Job Notifications [page 102]
1.4.5 Manage Job Notifications
You can subscribe to receive notification e-mails about the status of your provisioning jobs.
Context
When you subscribe to a source system, you can receive notification e-mails in the following cases:
● You start or schedule a provisioning job and it fails. You'll receive an e-mail with subject Provisioning Running with Error. Source System: <name>. You receive one e-mail per job, after the first failed entity. If more entities fail during this job, no additional e-mails will be sent.
● The failed job has finished. You'll receive an e-mail with subject Provisioning Finished with Error. Source System: <name>. By default, if the same job runs again and keeps failing, no further notifications will be sent to your e-mail. However, you can control the notifications via properties ips.job.notification.ignored.consecutive.failures and ips.job.notification.repeat.on.failure. For more information, see: List of Properties [page 67]
● The job is back to normal (the problem with the failed entities has been resolved). After a new run, the job has successfully finished. You'll receive only one e-mail with subject Provisioning Success. Source System: <name>.
NoteIf you subscribe to a source system, and then run a successful provisioning job, no notification e-mails will be sent.
Procedure
1. From the Identity Provisioning UI home page, choose the Source Systems tile.
2. Select the system you need to watch and choose Jobs.
3. From the bottom right corner, choose Subscribe.
○ To subscribe yourself, choose Subscribe me.
○ To subscribe another user or a group (distribution list), choose Subscribe others. Fill in the required fields and choose Add.
Note: From the Recipients list, you can remove existing subscribers. To do that, go to the Action column and choose the icon.
4. You can now run or schedule a provisioning job.
5. If you no longer need to be subscribed to a source system, choose Subscribe → Unsubscribe me.
Related Information
Manage Jobs and Job Logs [page 98]
1.4.6 Access Audit Logs (Bundles)
You can access audit logs to track changes made in your Identity Provisioning account.
Context
Restriction: This operation is applicable only for bundle accounts. Currently, the Identity Provisioning is included in the following products:
● SAP Jam
● SAP SuccessFactors
To view the audit logs, you first have to generate a Client ID and Client Secret in the Identity Provisioning user interface. Use these credentials to obtain an access token, and then call the audit log retrieval API. Follow the procedure below.
Procedure
1. From the Identity Provisioning UI home page, go to the Security section and choose the OAuth tile.
2. Choose the Create Credentials button.
3. Enter a description for your OAuth client or leave the field empty.
4. Choose Save. A pop-up with generated credentials appears.
Remember: Copy and save the Client Secret as you won't be able to retrieve it later. Keep it in a secrets store rather than in a ticket, chat or script; anyone holding it can read your audit logs.
5. The Client ID appears in the OAuth table.
Note: You are only allowed to use a single set of OAuth client credentials. If you want to use other credentials, delete the old ones and generate a new set.
6. Now, use the generated credentials to obtain an access token. To learn how, see Using Platform APIs → 2. Get an OAuth Access Token.
7. Call the audit log retrieval API. To learn how, see Audit Log Retrieval API.
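Steps 6 and 7 together are an OAuth 2.0 client-credentials exchange followed by a bearer-authenticated API call. The following is an added example of that exchange, not SAP's own code: the token endpoint URL, the audit log API URL and the shape of the returned records are placeholders (marked as assumptions in the code) that you must replace with the values from "Using Platform APIs" and "Audit Log Retrieval API". A constructed fake transport stands in for the real endpoints so the block runs offline.

```python
"""Added example (not SAP's code): client-credentials token request followed by
a bearer-authenticated audit log call, with an offline fake transport.
Assumptions: TOKEN_URL, AUDIT_LOG_URL and the record format of the audit log
response are placeholders, to be replaced with the documented values."""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://token.example.invalid/oauth/token"   # assumption
AUDIT_LOG_URL = "https://api.example.invalid/auditlog"    # assumption


def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication for the token request (RFC 6749 section 2.3.1)."""
    raw = ("%s:%s" % (client_id, client_secret)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def http_post(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


def http_get(url, headers):
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


def get_access_token(client_id, client_secret, token_url=TOKEN_URL, post=http_post):
    """Client-credentials grant (RFC 6749 section 4.4). The secret travels only in
    the Authorization header, never in the URL, so it stays out of access logs;
    this function does not log it either."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode("ascii")
    status, payload = post(token_url, headers, body)
    if status != 200:
        raise RuntimeError("token request failed with HTTP %d" % status)
    data = json.loads(payload.decode("utf-8"))
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise RuntimeError("token response is not a bearer token")
    return data["access_token"]


def fetch_audit_logs(token, api_url=AUDIT_LOG_URL, get=http_get):
    """Call the retrieval API with the bearer token and return the parsed body."""
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    status, payload = get(api_url, headers)
    if status != 200:
        raise RuntimeError("audit log request failed with HTTP %d" % status)
    return json.loads(payload.decode("utf-8"))


# Constructed offline transport standing in for the real endpoints.
def fake_post(url, headers, body):
    if headers.get("Authorization") != basic_auth_header("my-client-id", "my-client-secret"):
        return 401, b'{"error": "invalid_client"}'
    if body != b"grant_type=client_credentials":
        return 400, b'{"error": "unsupported_grant_type"}'
    return 200, b'{"access_token": "tok-123", "token_type": "Bearer", "expires_in": 3600}'


def fake_get(url, headers):
    if headers.get("Authorization") != "Bearer tok-123":
        return 401, b""
    # Constructed sample entries; the real API defines its own record format.
    return 200, json.dumps([
        {"time": "2018-06-19T08:15:00Z", "message": "Source system SuccessFactors added"},
        {"time": "2018-06-19T08:20:00Z", "message": "Job started for source system SuccessFactors"},
    ]).encode("utf-8")


def demo(client_id="my-client-id", client_secret="my-client-secret"):
    """Run the whole flow against the fake transport; returns the audit entries."""
    token = get_access_token(client_id, client_secret, post=fake_post)
    return fetch_audit_logs(token, get=fake_get)


if __name__ == "__main__":
    for entry in demo():
        print(entry["time"], entry["message"])
```

Against the real endpoints, pass the documented URLs and drop the post/get overrides so the urllib transport is used; read the client secret from an environment variable or secrets store rather than hard-coding it as the demo does.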
1.4.7 Manage Authorizations (Bundles)
Provide additional users with administration rights for your Identity Provisioning subaccount.
Context
Restriction: This operation is applicable only for bundle accounts. Currently, the Identity Provisioning is included in the following products:
● SAP Jam
● SAP SuccessFactors
You can provide additional users with administration rights that allow them to access the Identity Provisioning application on your tenant. You can perform this operation directly within the Identity Provisioning user interface. Follow the procedure below.
Procedure
1. From the Identity Provisioning UI home page, go to the Security section and choose the Authorizations tile.
2. Choose Add.
3. In the User ID field, enter the ID of a user you want to authorize (for example, p1234567890).
4. (Optional) To distinguish it better in the list of users, enter a human-readable name in the Display Name field.
5. Now, go to the CONFIGURE AUTHORIZATIONS panel and choose which of the roles to assign to the new user:
Manage Identity Provisioning
If you set this option to ON, the new user will access the Identity Provisioning from your subaccount (the URL you use) – they will be allowed to add and configure systems, run provisioning jobs and view job logs.
Manage On-Premise Connections
If you set this option to ON, the new user will be able to configure Cloud Connector connections to this account. Such connections require credentials, which must have this role.
You can see your currently configured Cloud Connector connections in SAP Cloud Platform cockpit. From the left-side panel, choose Connections → Cloud Connectors.
For more information, see:
SAP Cloud Platform Cockpit
Cloud Connector: Initial Configuration
Manage OAuth Clients
If you set this option to ON, the new user will be allowed to register OAuth clients (needed for scenarios that require OAuth credentials).
For more information, see: Register an OAuth Client
Assign only the roles a user actually needs. Manage OAuth Clients in particular lets the user mint the credentials used to read the audit logs (see Access Audit Logs (Bundles) [page 103]).
6. When you set the relevant roles, choose Save.
Next Steps
Repeat this procedure for every user you want to authorize. You cannot execute the steps for multiple users simultaneously but have to do it "user by user".
Related Information
SAP Jam: IPS and IAS
1.4.8 Reset Identity Provisioning Configuration
Resetting the Identity Provisioning service deletes all systems you have set up, along with the job execution logs.
Context
Be careful with this option. If you reset the Identity Provisioning, you will lose all systems, configurations, subscriptions and scheduled jobs, along with all job execution logs. If you want to use the service again afterward, you will have to set up new systems.
Note: If you have a bundle account, your created OAuth clients will be deleted too. The same applies to the additional users you have authorized for your Identity Provisioning account.
If you still want to clean up everything, proceed as follows:
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. From the left-side menu, choose the Support section.
3. Click the Reset link and confirm with OK.
1.5 Scenarios
The Identity Provisioning service supports various on-premise and cloud systems, which can be implemented as source or target for the provisioned identities. There are technical specifics for every supported system, which you need to consider and implement when setting up the provisioning process and integrating these systems.
The common requirements for all implementation scenarios are:
● (Optional) Create a destination for your source, target, or proxy system in the SAP Cloud Platform cockpit.
Note: Destinations are only mandatory for SAP ABAP systems.
● Add configuration properties to make the connection between the source and the target system.
● Use the default transformation logic suggested by the Identity Provisioning service, or modify it according to your business needs.
Apart from the common steps relevant to all systems, there are further details described in each scenario. See below the list of scenarios categorized by system type.
Implementation Scenarios (Systems)
Source Systems:
● SAP Jam
● SAP Cloud Platform Identity Authentication
● SAP Analytics Cloud (Beta)
● Microsoft Azure Active Directory
● Local Identity Directory
● Google G Suite
● Concur
● SCIM
● SAP SuccessFactors
● SAP Application Server ABAP
● Microsoft Active Directory
● LDAP Server
Target Systems:
● SAP Jam
● SAP Cloud Platform Identity Authentication
● SAP Analytics Cloud (Beta)
● Microsoft Azure Active Directory
● Local Identity Directory
● Google G Suite
● Concur
● SCIM
● SAP Cloud Platform Java/HTML5 Apps
● SAP Hybris Cloud for Customer
● SAP HANA Database (Beta)
● SAP Document Center
● CloudFoundry UAA Server
Proxy Systems:
● SAP Jam
● SAP Cloud Platform Identity Authentication
● SAP Analytics Cloud (Beta)
● Microsoft Azure Active Directory
● Local Identity Directory
● Google G Suite
● SSH Server (Beta)
● SCIM
1.5.1 Source Systems
Below this section are all source systems supported by the Identity Provisioning user interface.
A source system is the connector used for reading entities (users, groups, roles). Source systems can be on-premise or cloud-based, SAP or non-SAP, and usually represent the corporate user store where identities are currently maintained. The Identity Provisioning service reads the entities from the source system and creates or updates them in the relevant target ones. The provisioning is triggered from the Jobs tab of a source system.
Source Systems
Concur
Google G Suite
Microsoft Azure Active Directory
SAP Analytics Cloud (Beta)
SAP Cloud Platform Identity Authentication
SAP Jam
SCIM System
SSH Server (Beta)
LDAP Server
Microsoft Active Directory
SAP Application Server ABAP
SAP SuccessFactors
Local Identity Directory
1.5.1.1 SAP Cloud Platform Identity Authentication
Follow this procedure to set up SAP Cloud Platform Identity Authentication as a source system.
Prerequisites
You have created a technical user in the Identity Authentication service. For more information, see Add System as Administrator.
Note: On the Identity Authentication service side, the technical users are known as systems.
Details:
● The technical user will call the SCIM REST API of the service.
● You must configure the technical user with a password and assign to it the authorization roles Manage Users and Manage Groups. This way you can create, edit and delete users and groups in the Identity Authentication user store. Note that these roles permit writes to the user store, so protect the technical user's password accordingly.
Context
The Identity Authentication service offers a user store in the cloud platform, which can be used as a source system for the Identity Provisioning service.
The user store of the Identity Authentication service can manage different types of users (employees, partners, consumers), as well as groups. The service offers self-services to help companies easily onboard all types of users, especially ones external to the company. Once the users are available (self-registered, imported, or manually created) in the Identity Authentication user store, the Identity Provisioning service offers provisioning and policy-based authorization management for them to different target systems.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add SAP Cloud Platform Identity Authentication as a source system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note: If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
Mandatory Properties
● Type – Enter: HTTP
● URL – Specify the URL of the Identity Authentication service tenant of your company. For example: https://mytenant.accounts.ondemand.com
● ProxyType – Enter: Internet (the Identity Authentication service is a cloud solution and is outside of your company's on-premise infrastructure)
● Authentication – Enter: BasicAuthentication
● User – Enter the technical user name configured for the Identity Authentication service.
● Password – Enter the password for the Identity Authentication service technical user.
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. (Optional) Configure the transformations.
Transformations are used to map the user attributes from the data model of a source system to the data model of the target system, and the other way around. The Identity Provisioning service offers default transformations when Identity Authentication is used as a source system. The default transformation settings can be displayed under the Transformations tab after saving the initial source or target system configuration.
When Identity Authentication is configured as a source system, the default transformation logic reads all the user attributes from the Identity Authentication user store. The logic is provided by the Identity Authentication SCIM REST API, which then maps the attributes to the internal SCIM representation. For more information, see Identity Authentication service SCIM REST API.
Note: When a user is deleted from the Identity Authentication service, the Identity Provisioning service takes the deletion status into account during the read process. Depending on the offboarding handling configured for the target system, the user is either deleted there or set to inactive.
Default transformation:
Code Syntax
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        /* The entityIdSourceSystem is used to store the unique ID of the identity. You should not delete this statement. You can exchange the default attribute ID that is used as source with another one, but make sure the new source attribute is unique. */
        "sourcePath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        /* The id is removed because, by default, it's not necessary for the target systems' API. */
        "targetPath": "$.id",
        "type": "remove"
      },
      {
        "targetPath": "$.companyRelationship",
        "type": "remove"
      },
      {
        "targetPath": "$.passwordStatus",
        "type": "remove"
      },
      {
        "targetPath": "$.sourceSystem",
        "type": "remove"
      },
      {
        "targetPath": "$.meta",
        "type": "remove"
      },
      {
        "targetPath": "$.mailVerified",
        "type": "remove"
      },
      /* The groups[*].display (this is the display name of the corporate groups) is removed because, by default, it's not necessary for the target systems' API. */
      {
        "targetPath": "$.groups[*].display",
        "type": "remove"
      },
      {
        "condition": "$.displayName EMPTY true",
        "targetPath": "$.displayName",
        "type": "remove"
      }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      {
        "sourcePath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.members",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members"
      },
      {
        "constant": "urn:sap:cloud:scim:schemas:extension:custom:2.0:Group",
        "targetPath": "$.schemas[1]"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['decription']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['decription']"
      }
    ]
  }
}
You can change the default transformation mapping rules depending on your setup of entities in the Identity Authentication. For more information, see Manage Transformations [page 37].
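To see what the default user mappings above actually do to a record, here is an added example of a small interpreter for the statement types they use (sourcePath/targetPath copy, targetVariable, constant, optional, type "remove", and the "<path> EMPTY true" condition), run over a constructed Identity Authentication user. This is not the service's own transformation engine and supports only the JSONPath subset those statements need ($, .name, ['name'], [*]); that conditions are evaluated against the source entity is an assumption. The sample user is made up for the example.

```python
"""Added example, not the Identity Provisioning service's own engine: a small
interpreter for the mapping statements of the default transformation above.
Assumptions: conditions are evaluated against the source entity; only the
"<path> EMPTY true|false" condition form and a JSONPath subset are supported."""
import copy
import re

TOKEN = re.compile(r"\.([A-Za-z0-9_]+)|\['([^']+)'\]|\[\*\]")


def path_tokens(path):
    """'$.groups[*].display' -> ['groups', '*', 'display']; '$' -> []."""
    if not path.startswith("$"):
        raise ValueError("path must start with $: " + path)
    return ["*" if m.group(0) == "[*]" else (m.group(1) or m.group(2))
            for m in TOKEN.finditer(path[1:])]


def get_path(doc, path):
    node = doc
    for tok in path_tokens(path):
        if tok == "*" or not isinstance(node, dict) or tok not in node:
            return None
        node = node[tok]
    return node


def set_path(doc, path, value):
    toks = path_tokens(path)
    if not toks:                      # "$": replace the whole document
        doc.clear()
        doc.update(copy.deepcopy(value))
        return
    node = doc
    for tok in toks[:-1]:
        node = node.setdefault(tok, {})
    node[toks[-1]] = copy.deepcopy(value)


def remove_path(node, toks):
    """Delete the addressed attribute; [*] applies the rest to every array element."""
    if not toks or node is None:
        return
    head, rest = toks[0], toks[1:]
    if head == "*":
        for item in (node if isinstance(node, list) else []):
            remove_path(item, rest)
    elif isinstance(node, dict) and head in node:
        if rest:
            remove_path(node[head], rest)
        else:
            del node[head]


def condition_holds(source, cond):
    path, op, expected = cond.split()
    if op != "EMPTY":
        raise ValueError("unsupported condition: " + cond)
    is_empty = get_path(source, path) in (None, "", [], {})
    return is_empty == (expected == "true")


def apply_mappings(mappings, source):
    """Apply the statements in order; returns (target entity, variables)."""
    target, variables = {}, {}
    for m in mappings:
        if "condition" in m and not condition_holds(source, m["condition"]):
            continue
        if m.get("type") == "remove":
            remove_path(target, path_tokens(m["targetPath"]))
            continue
        value = m["constant"] if "constant" in m else get_path(source, m["sourcePath"])
        if value is None:
            if m.get("optional"):
                continue
            raise KeyError("required source attribute missing: " + m["sourcePath"])
        if "targetVariable" in m:
            variables[m["targetVariable"]] = value
        if "targetPath" in m:
            set_path(target, m["targetPath"], value)
    return target, variables


# The user mappings of the default transformation above, without the comments.
DEFAULT_USER_MAPPINGS = [
    {"sourcePath": "$", "targetPath": "$"},
    {"sourcePath": "$.id", "targetVariable": "entityIdSourceSystem"},
    {"targetPath": "$.id", "type": "remove"},
    {"targetPath": "$.companyRelationship", "type": "remove"},
    {"targetPath": "$.passwordStatus", "type": "remove"},
    {"targetPath": "$.sourceSystem", "type": "remove"},
    {"targetPath": "$.meta", "type": "remove"},
    {"targetPath": "$.mailVerified", "type": "remove"},
    {"targetPath": "$.groups[*].display", "type": "remove"},
    {"condition": "$.displayName EMPTY true", "targetPath": "$.displayName", "type": "remove"},
]

# Constructed sample user in the shape the Identity Authentication SCIM API returns.
SAMPLE_IAS_USER = {
    "id": "P000001", "userName": "alice", "displayName": "",
    "emails": [{"value": "alice@example.com"}], "passwordStatus": "enabled",
    "mailVerified": True, "sourceSystem": 0, "meta": {"created": "2018-06-01T10:00:00Z"},
    "groups": [{"value": "G1", "display": "Finance"}],
}


def transform_sample():
    return apply_mappings(DEFAULT_USER_MAPPINGS, SAMPLE_IAS_USER)


if __name__ == "__main__":
    print(transform_sample())
```

Running it shows the effect of the defaults: the source id survives only as the entityIdSourceSystem variable, the bookkeeping attributes (meta, passwordStatus, mailVerified, sourceSystem) never reach the target system, group display names are stripped while the group references stay, and an empty displayName is dropped rather than written as an empty string.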
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
Related Information
Identity Authentication: DocumentationIdentity Authentication: SCIM REST API
1.5.1.2 SAP Analytics Cloud (Beta)
Follow this procedure to set up SAP Analytics Cloud (Beta) as a source system.
Prerequisites
1. In SAP Analytics Cloud, you have enabled a custom SAML Identity Provider, for which User Attribute is set to Custom SAML User Mapping. To learn how, see: Enabling a Custom SAML Identity Provider
2. Add an OAuth client with authorization grant Client Credentials. To learn how, see: Managing OAuth Clients and Trusted Identity Providers
3. Create a user representing the OAuth client. Set its SAML USER MAPPING to oauth_client_<CLIENT_ID>, where <CLIENT_ID> (case sensitive) matches the OAuth client ID from the previous step. To learn how, see: Creating New Users
Note: If you don't see a column SAML USER MAPPING, go back to step 1 and make sure you set the attribute right.
4. Assign this user to a role that grants permissions to manage users and teams. Prefer the least-privileged role that covers user and team management over a general administrator role. To learn how, see: Assigning Roles to Users
List of all standard application roles in SAP Analytics Cloud: Standard Application Roles
Context
After fulfilling the prerequisites, follow the procedure below to add SAP Analytics Cloud (Beta) as a source system to read users and groups.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add SAP Analytics Cloud (Beta) as a source system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note: If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
Mandatory Properties
● Type – Enter: HTTP
● URL – Enter the URL to your SAP Analytics Cloud system.
● ProxyType – Enter: Internet
● Authentication – Enter: BasicAuthentication
● User – Enter the client ID used to retrieve the OAuth access token for SAP Analytics Cloud.
● Password – Enter the client secret used to retrieve the OAuth access token for SAP Analytics Cloud.
● OAuth2TokenServiceURL – Enter the URL of the access token provider service for your SAP Analytics Cloud instance, in the format: https://oauthasservices-<subaccount>.hana.ondemand.com/oauth2/api/v1/token
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your SAP Analytics Cloud system. For more information, see Manage Transformations [page 37].
Default transformation:
Code Syntax
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourcePath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "targetPath": "$.id",
        "type": "remove"
      },
      {
        "targetPath": "$.meta",
        "type": "remove"
      }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourcePath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "targetPath": "$.id",
        "type": "remove"
      },
      {
        "targetPath": "$.meta",
        "type": "remove"
      }
    ]
  }
}
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.1.3 SAP Application Server ABAP
Follow this procedure to set up SAP Application Server ABAP (AS ABAP) as a source system.
Prerequisites
● You have installed the Cloud Connector in your corporate environment and have done the initial configuration. For more information, see SAP Cloud Platform Connector.
● You have credentials of a technical user with read permissions in the AS ABAP client that plays the role of the user data source. The Identity Provisioning service will use this user to call the ABAP public (business) API: BAPI_USER_GET_DETAIL
● The technical user has the following read-only role, which provides all authorizations for read access to user data: SAP_BC_JSF_COMMUNICATION_RO
Context
SAP Application Server ABAP (AS ABAP) offers a user store and user administration capabilities for maintaining users and their authorizations for AS ABAP applications. You can configure AS ABAP as a source system for your identity provisioning process, in the following cases:
● Use AS ABAP as a central store for the identity data of your business users.
● Reuse the permission model implemented in your AS ABAP client as a permission model for cloud applications. For example, you can provision roles and permission assignments to SAP Cloud Platform.
Procedure
1. Add an access control system mapping for AS ABAP in Cloud Connector. This is needed to allow the Identity Provisioning service to access AS ABAP as a back-end system on the intranet. For more information, see Configuring Access Control (RFC).
Go to the Cloud To On-Premise → Access Control tab and select protocol RFC SNC. Then, expose the following prefixes as accessible resources (and only these, so that the RFC surface reachable from the cloud stays limited to what the connector needs):
○ PRNG
○ BAPI_USER
○ PRGN_ROLE_GETLIST
○ BAPI_USER_GETLIST
○ BAPI_USER_GET_DETAIL
2. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
3. Add SAP Application Server ABAP as a source system. For more information, see Add System [page 59].
4. Create a destination for the ABAP system in SAP Cloud Platform cockpit. For more information, see Create RFC Destinations.
The destination configuration is required by the Identity Provisioning service to find the back-end system to be used for reading data. It also provides the credentials of the technical user, needed for the connection to the ABAP public API. You have to configure the new destination in your SAP Cloud Platform company account.
Below are the fields you have to fill in the cockpit destination before using an AS ABAP client as a source system (the technical property name is given in parentheses where it differs from the field name):
● Name (Name) – Enter a destination name.
● Type (Type) – Select RFC.
● User (jco.client.user) – Enter the user for AS ABAP.
● Password (jco.client.passwd) – Enter the password for the AS ABAP user.
● jco.client.ashost – Provide the virtual host entry that you have configured in the Cloud Connector → Access Control configuration.
● jco.client.client – Provide the client to be used in the ABAP system. Valid format is a three-digit number.
● jco.client.r3name – Provide the three-character system ID of the ABAP system to be addressed.
● jco.client.sysnr – Provide the "system number" of the ABAP system.
Optional Properties
● jco.destination.peak_limit – The value represents the maximum number of active connections that can simultaneously be created for a destination. For example: 10
● jco.destination.pool_capacity – The value represents the maximum number of idle connections kept open by the destination. For example: 5
● jco.client.mshost – Represents the message server host to be used.
● abap.user.filter – Filters user names with a regular expression; matching is case sensitive. For example, abap.user.filter = ^A.* reads all users whose names start with a capital A.
● abap.role.filter – Filters roles with a regular expression. For example, abap.role.filter = (?i)^order.* provisions all roles that start with order in any letter case (the (?i) flag makes the match case-insensitive).
5. (Optional) Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in AS ABAP. For more information, see Manage Transformations [page 37].
When AS ABAP is configured as a source system for the Identity Provisioning service, the ABAP public API (BAPI_USER_GET_DETAIL) is used to retrieve the identity data from the AS ABAP system. During the reading process, the JSON data generated by the Identity Provisioning service, is following the structure of the BAPI_USER_GET_DETAIL export parameters list and tables. Every BAPI table is represented as a JSON array and every BAPI structure is represented as a child JSON object.
Below are some of the statements in the default transformation described in short:
Code Syntax
    /* The value of entityIdSourceSystem stores the unique ID of the identity. Do not delete this statement!
       You could exchange the default attribute USERNAME that is used as source with another one, but make
       sure the new source attribute is unique. */
    {
      "user": {
        "mappings": [
          { "sourcePath": "$.USERNAME", "targetVariable": "entityIdSourceSystem" },
          /* The USERNAME attribute is used also as userName value for the internal JSON representation. */
          { "sourcePath": "$.USERNAME", "targetPath": "$.userName" },
          /* The constant urn:ietf:params:scim:api:messages:2.0:User is required as a value for the schemas
             definition in the Identity Authentication SCIM REST API. */
          { "constant": "urn:ietf:params:scim:api:messages:2.0:User", "targetPath": "$.schemas[0]" },
          /* The ADDRESS.E_MAIL attribute is used also as a first array value in the emails JSON array. */
          { "sourcePath": "$.ADDRESS.E_MAIL", "optional": true, "targetPath": "$.emails[0].value" },
          /* The ADDRESS.FIRSTNAME attribute is used for the name.givenName value in internal JSON representation. */
          { "sourcePath": "$.ADDRESS.FIRSTNAME", "optional": true, "targetPath": "$.name.givenName" },
          /* The ADDRESS.LASTNAME attribute is used for the name.familyName value in internal JSON representation. */
          { "sourcePath": "$.ADDRESS.LASTNAME", "optional": true, "targetPath": "$.name.familyName" },
          /* active defaults to false and is set to true only when none of the ISLOCKED flags is 'L',
             so a user locked for any reason is provisioned as inactive. */
          { "constant": false, "targetPath": "$.active" },
          { "condition": "($.ISLOCKED.LOCAL_LOCK != 'L') && ($.ISLOCKED.NO_USER_PW != 'L') && ($.ISLOCKED.GLOB_LOCK != 'L') && ($.ISLOCKED.WRNG_LOGON != 'L')", "constant": true, "targetPath": "$.active" },
          /* ACTIVITYGROUPS (SAP ABAP roles) are transformed by default into the groups attribute of the SCIM internal representation: */
          { "sourcePath": "$.ACTIVITYGROUPS[*].AGR_NAME", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.groups[?(@.value)]" }
        ]
      },
      "group": {
        "ignore": true,
        "mappings": [
          { "sourcePath": "$.ROLE_NAME", "targetVariable": "entityIdSourceSystem" },
          { "sourcePath": "$.ROLE_NAME", "targetPath": "$.displayName" },
          { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
          { "sourcePath": "$.USERLIST[*].USERNAME", "preserveArrayWithSingleElement": true, "targetPath": "$.members[?(@.value)]", "optional": true }
        ]
      }
    }
How to transform ABAP roles, assigned to the users in AS ABAP, into corporate groups in Identity Authentication?
When you configure AS ABAP as a source and Identity Authentication as a target system in the Identity Provisioning service, the default transformations help you to use the ABAP role assignments of the users as source data and to create corporate group assignments for those users in Identity Authentication automatically. When a user is assigned to one or several AS ABAP roles, the technical names of these roles (the attribute is called AGR_NAME in AS ABAP) become corporate group values in Identity Authentication.
When a user's account is created in Identity Authentication, it is also assigned to one or more corporate groups whose names are the names of the AS ABAP roles the user holds in the AS ABAP source system.
1. Transforming source data into the intermediate JSON representation.
The following is an example of how the sample roles, read from the AS ABAP system, will become groups in the intermediate JSON data, as a result from the transformation statement:
Data read from AS ABAP user store (Sample Code):
    …
    "ACTIVITYGROUPS": [
      { "AGR_TEXT": "FICO 03", "AGR_NAME": "ZFICO_03", "FROM_DAT": "27.04.2016", "TO_DAT": "31.12.9999" },
      { "AGR_TEXT": "CASH 01", "AGR_NAME": "ZCASH_01", "FROM_DAT": "16.05.2016", "TO_DAT": "31.12.9999" }
    ]
    …
Intermediate JSON data (Sample Code):
    …
    "groups": [
      { "value": "ZFICO_03" },
      { "value": "ZCASH_01" }
    ]
    …
2. The mapping statement in the default transformation, available when the Identity Authentication service is configured as a target system:
Sample Code { "sourcePath": "$.groups", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.corporateGroups" }
3. The following is an example of how the groups from the intermediate JSON are transformed into corporate groups, using the transformation statement:
Intermediate JSON data (Sample Code):
    …
    "groups": [
      { "value": "ZFICO_03" },
      { "value": "ZCASH_01" }
    ]
    …
Transformation output result (Sample Code):
    …
    "corporateGroups": [
      { "value": "ZFICO_03" },
      { "value": "ZCASH_01" }
    ]
    …
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about any entities that fail during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.1.4 SAP SuccessFactors
Follow this procedure to set up SAP SuccessFactors as a source system.
Prerequisites
You have created a technical user with permissions to call the SAP SuccessFactors HCM Suite OData API and to export employee data from the SAP SuccessFactors system. You will need the credentials for this user later, when you create a destination for the SAP SuccessFactors system in the SAP Cloud Platform cockpit. For more information, see the Related Information section.
Caution: The Identity Provisioning service does not support the whole OData API but only the User entity.
Context
Companies that manage their employees using SAP SuccessFactors HCM Suite can use SAP Cloud Platform Identity Provisioning service to automatically create accounts for these employees and manage their permissions for the cloud applications. When the hiring process of a new employee is completed in the SAP SuccessFactors HCM solution, a user record with the employee identity data is created in the SAP SuccessFactors system and the Identity Provisioning service can use this data for the identity and authorization provisioning processes.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add SAP SuccessFactors as a source system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note: If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab is considered with higher priority.
Mandatory Properties
Property Name Description & Value
Type Enter: HTTP
URL Specify the URL to your SAP SuccessFactors API.
For example: https://apitest.successfactors.com/odata/v2
ProxyType Enter: Internet
Authentication Enter: BasicAuthentication
User Enter the user ID of your SAP SuccessFactors technical user in the following format: <user_ID>@<company_ID>
Password Enter the password for your SAP SuccessFactors technical user.
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. (Optional) Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in the source system. The initial transformation logic contains the minimum of required properties for the successful provisioning of the users. If you want to extend the default transformation, use SAP SuccessFactors HCM Suite OData API. For more information about default transformation rules and the transformation process, see Manage Transformations [page 37].
When the SAP SuccessFactors system is configured as a source, the Identity Provisioning service will read all the attributes of the user records supported by the SAP SuccessFactors API.
Below are some of the statements in the default transformation, described in short:
Code Syntax
    /* The value of entityIdSourceSystem is used to store the unique ID of the identity. You should not delete
       this statement! You can change the attribute username, configured by default as a source for this target
       variable, but make sure the new source attribute is also unique. */
    { "sourcePath": "$.username", "targetPath": "$.userName", "targetVariable": "entityIdSourceSystem" },
    /* The firstName value of the employee is used as name.givenName in the intermediate JSON data. */
    { "sourcePath": "$.firstName", "targetPath": "$.name.givenName" },
    /* The lastName value of the employee is used as name.familyName in the intermediate JSON data. */
    { "sourcePath": "$.lastName", "targetPath": "$.name.familyName" },
    /* The email attribute is used as the first value of the emails array of the intermediate JSON data. */
    { "sourcePath": "$.email", "targetPath": "$.emails[0].value" },
    /* The value urn:ietf:params:scim:schemas:core:2.0:User is configured as the schema of the intermediate JSON data. */
    { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" }
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about any entities that fail during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
Related Information
URI Conventions (OData Version 2.0)
SAP SuccessFactors HCM Suite OData API
1.5.1.5 SAP Jam
Follow this procedure to set up SAP Jam as a source system.
Prerequisites
You have OAuth credentials for SAP Jam. If your SAP Jam tenant is of the "SCIM provisioning" type, an OAuth client named SCIM API Client is created for it automatically. To find this client:
1. Go to the SAP Jam admin panel.
2. Choose Integrations > OAuth Clients.
3. For SCIM API Client, choose View.
4. Save the Key and Secret values. You need them later when configuring your SAP Jam provisioning system.
Context
After fulfilling the prerequisites, follow the procedure below to create a source SAP Jam system to read users and groups.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add SAP Jam as a source system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note: If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab is considered with higher priority.
Mandatory Properties
Property Name Description & Value
Type Enter: HTTP
URL Enter the URL of your SAP Jam instance, in the format: https://<SAP_Jam_landscape>.sapjam.com
Example: https://jam4.sapjam.com
ProxyType Enter: Internet
Authentication Enter: BasicAuthentication
User Enter the OAuth client key, created for your SAP Jam tenant (see Prerequisites).
Password Enter the OAuth client secret, created for your SAP Jam tenant (see Prerequisites).
OAuth2TokenServiceURL Enter the URL of the access token provider service for your SAP Jam instance, in format: https://<SAP_Jam_instance>/api/v1/auth/token
Example: https://jam4.sapjam.com/api/v1/auth/token
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your SAP Jam system. For more information, see Manage Transformations [page 37].
Default transformation:
○ Code Syntax
    {
      "user": {
        "mappings": [
          { "sourcePath": "$", "targetPath": "$" },
          { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
          { "targetPath": "$.id", "type": "remove" },
          { "targetPath": "$.meta", "type": "remove" },
          { "targetPath": "$.schemas", "type": "remove" },
          { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" },
          /* The SCIM 1.0 enterprise extension returned by SAP Jam is moved under its SCIM 2.0 URN. */
          { "condition": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'] EMPTY false", "sourcePath": "$['urn:scim:schemas:extension:enterprise:1.0']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']" },
          { "condition": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'] EMPTY false", "targetPath": "$['urn:scim:schemas:extension:enterprise:1.0']", "type": "remove" }
        ]
      },
      "group": {
        "ignore": true,
        "mappings": [
          { "sourcePath": "$", "targetPath": "$" },
          { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
          { "targetPath": "$.id", "type": "remove" },
          { "targetPath": "$.meta", "type": "remove" },
          { "targetPath": "$.schemas", "type": "remove" },
          { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" }
        ]
      }
    }
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about any entities that fail during your jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
Restriction: Bear in mind the following limits on the number of requests sent during a provisioning job:
● The SAP Jam SCIM API allows up to 13,000 requests per hour and up to 200 requests per minute.
● The Identity Provisioning service honors the 200 requests per minute limit: if more requests are due within a minute, it waits until it can execute them.
1.5.1.6 Google G Suite
Follow this procedure to set up Google G Suite as a source system.
Prerequisites
1. Log on to the Google API console (https://console.developers.google.com ) and create a project.
2. Enable the Admin SDK. To do this, go to Dashboard > ENABLE API > Admin SDK > ENABLE.
3. Create a service account for your project. We recommend that you select Enable G Suite Domain-wide Delegation during the creation. If you skip this option, you can set it later. For more information, see Creating a service account .
4. Then, in the Google admin console (https://admin.google.com ), a user with Super Admin role can delegate domain-wide authority to your service account. This way, it will have access to the Google Admin SDK on behalf of your user. For more information, see Delegating domain-wide authority .
Note: When specifying the scopes, the administrator has to enter the following:
https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group
Context
A Google service account with delegated domain-wide authority is required to authenticate and authorize the Identity Provisioning service against your G Suite domain. Authentication is based on OAuth 2.0 with a JSON Web Token (JWT): the service signs a JWT with the service account's private key and exchanges it for an access token. Google distributes that private key once, as a downloadable JSON file accessible to the domain administrator; the key is PKCS8-encoded and is in the private_key field of the JSON data. Treat the file as a credential: whoever holds the key can obtain tokens for any user in the domain within the delegated scopes. For more information, see JSON Web Token (JWT).
● When using it as a source system, you can read both users and groups from Google G Suite and provision them to any target system you have added in the Identity Provisioning user interface.
● When using it as a target system, you can write both users and groups, read from any source system you have added in the Identity Provisioning user interface, into your Google G Suite domain, where the accounts are created automatically.
The Identity Provisioning service supports the following user and group operations of the Google Directory API:
User Operations Group Operations
Create a user Create a group
Retrieve a user Retrieve a group's properties
Update a user Update a group's properties
Delete a user Delete a group
Caution: You can only provision users whose e-mail addresses belong to verified domains.
If you have successfully finished with the initial setup (described in the Prerequisites section), continue with the procedure below.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add Google G Suite as a source system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note: If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab is considered with higher priority.
Mandatory Properties
Property Name Description & Value
Type Enter: HTTP
URL Specify the service URL:
https://www.googleapis.com/admin/directory
ProxyType Enter: Internet
Authentication Enter: BasicAuthentication
The authentication actually used is OAuth with JWT. For every provisioning system based on OAuth, however, BasicAuthentication is entered here, combined with the additional OAuth2TokenServiceURL property; the User and Password values then carry the OAuth client credentials rather than a user login.
User Enter the service account’s ID. You can take it from the "client_email" field in the JSON data, downloaded during the setup of Google service account.
Password Enter the service account's private key, a long string in PKCS8 format. Take it from the "private_key" field of the JSON data downloaded during the setup of the Google service account.
OAuth2TokenServiceURL To make OAuth authentication to the Google G Suite system, enter the URL to the access token provider service. For more information, see Using OAuth 2.0 to Access Google APIs .
jwt.subject Enter the Google G Suite user on whose behalf the Google Directory API is called. This user must hold the User Management Admin role.
This property corresponds to the "sub" (Subject) claim of the JWT generated during the access token request. For more information, see JWT: "sub" (Subject) Claim.
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
Exemplary configuration (the mandatory User and jwt.subject properties from the table above are not shown in this excerpt):
Name=MyGGSDestination
URL=https://www.googleapis.com/admin/directory
ProxyType=Internet
Type=HTTP
Authentication=BasicAuthentication
Password=-----BEGIN PRIVATE KEY-----\n123ABCDEFG123456789...
… /123456789ABCDEFG123=\n-----END PRIVATE KEY-----\n
OAuth2TokenServiceURL=https://www.googleapis.com/oauth2/v4/token
# jwt.scope=https://www.googleapis.com/auth/admin.directory.user
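The OAuth 2.0 JWT flow described in the Context section and configured above, worked through in code. This Go program is an added example written for this page; it is not code from the Identity Provisioning service or from Google. It parses the private_key value as it is stored in the Password property (one line with literal \n sequences), builds the jwt-bearer assertion with iss = client_email, sub = jwt.subject, scope = jwt.scope and aud = OAuth2TokenServiceURL, signs it with RS256, and checks the signature the way the token endpoint does. The token URL and the two scopes are the values from this page; the service account address and the admin address used as jwt.subject are assumptions, and the RSA key is generated on the fly so the program runs offline (for a real tenant the only key is the one Google lets you download). POSTing the assertion and calling the Directory API are not performed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"strings"
	"time"
)

// tokenURL and jwtScope are the values from the configuration above; both addresses are assumed for this example.
const (
	tokenURL    = "https://www.googleapis.com/oauth2/v4/token"
	jwtScope    = "https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.group"
	clientEmail = "ips-sa@example-project.iam.gserviceaccount.com" // User property (client_email)
	jwtSubject  = "admin@example.com"                                // jwt.subject property
)

// claims is the jwt-bearer claim set: iss = client_email, sub = jwt.subject (the delegated
// admin), scope = jwt.scope, aud = OAuth2TokenServiceURL, exp at most one hour after iat.
type claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Scope string `json:"scope"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func newClaims(now time.Time) claims {
	return claims{Iss: clientEmail, Sub: jwtSubject, Scope: jwtScope, Aud: tokenURL, Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()}
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// parsePrivateKey decodes the private_key value. A destination properties file keeps it on
// one line with literal "\n" (see Password above): restore the newlines, then parse PKCS#8.
func parsePrivateKey(s string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode([]byte(strings.ReplaceAll(s, `\n`, "\n")))
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, errors.New("no PKCS#8 PRIVATE KEY block in private_key")
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	if rsaKey, ok := k.(*rsa.PrivateKey); ok {
		return rsaKey, nil
	}
	return nil, errors.New("private_key is not an RSA key")
}

// signAssertion builds the RS256 JWT that is POSTed to the token URL as the "assertion"
// parameter with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer.
func signAssertion(key *rsa.PrivateKey, c claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifySignature does what the token endpoint does first: check the RS256 signature with
// the service account's public key. A tampered, unsigned or foreign-key token is rejected.
func verifySignature(pub *rsa.PublicKey, token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // undecodable input fails verification below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// newTestKey generates a throwaway RSA key and returns it the way the Password property
// stores it (PKCS#8 PEM on one line with literal "\n"). Constructed for this example only.
func newTestKey() (string, *rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	pemText := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	return strings.ReplaceAll(string(pemText), "\n", `\n`), &key.PublicKey, nil
}
```

If parsePrivateKey rejects a key pasted from the JSON file, the usual cause is that the \n escapes were lost or doubled while the value was copied into the destination; the function accepts both real newlines and literal \n, but nothing else.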
4. (Optional) Configure the transformations.
The source transformation converts the JSON that the Google Directory API returns for users and groups into the intermediate SCIM representation, so the source-side attribute names are those of the Directory API. See Directory API (Reference): Users.
Transformation principles for the source system integration:
○ Mapping logic – The provisioning framework reads all attributes from the Google G Suite source system and transfers them to the intermediate JSON data, which then tries to create consistent records in the target system, using all the available attributes accepted by the target system API. When a required attribute is missing, the default transformation is designed with a condition that will exclude the inconsistent records.
○ User offboarding – Identity Provisioning service is handling the deletion status of the users. When a user is deleted from Google G Suite, this deletion will be enforced into the target system as well.
Default transformation:
Code Syntax
    {
      "user": {
        "mappings": [
          { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
          { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" },
          { "sourcePath": "$.primaryEmail", "targetPath": "$.emails[0].value" },
          { "sourcePath": "$.primaryEmail", "targetPath": "$.userName" },
          { "sourcePath": "$.name", "targetPath": "$.name" },
          /* A suspended G Suite account is provisioned as inactive. */
          { "constant": true, "targetPath": "$.active" },
          { "condition": "$.suspended == true", "constant": false, "targetPath": "$.active" }
        ]
      },
      "group": {
        "ignore": true,
        "mappings": [
          { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
          { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
          { "sourcePath": "$.name", "targetPath": "$.displayName" },
          /* Only members of type USER with status ACTIVE are kept; other member types and non-active members are dropped. */
          { "sourcePath": "$.members[?((@.type == 'USER') && (@.status == 'ACTIVE'))]", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members" },
          { "targetPath": "$.members[*].status", "type": "remove" },
          /* Directory API member fields are renamed to the SCIM member attributes value and display. */
          { "constant": "value", "targetPath": "$.members[*].id", "type": "rename" },
          { "constant": "display", "targetPath": "$.members[*].email", "type": "rename" },
          { "targetPath": "$.members[*].kind", "type": "remove" },
          { "targetPath": "$.members[*].etag", "type": "remove" },
          { "targetPath": "$.members[*].role", "type": "remove" }
        ]
      }
    }
If the group records of your source system do not provide a group e-mail address (the Google Directory API requires one to create a group) and displayName alone is not an e-mail address, you can adapt the transformation in one of the following ways:
○ Map email to another attribute that contains a unique group e-mail address.
○ Concatenate the displayName attribute with your domain. For example:
Sample Code
    {
      "sourcePath": "$.displayName",
      "targetPath": "$.email",
      "scope": "createEntity",
      "functions": [ { "type": "concatString", "suffix": "@test.myaccount.ondemand.com" } ]
    }
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about any entities that fail during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.1.7 SCIM System
Follow this procedure to set up a SCIM system as a source system.
Prerequisites
● You have installed the Cloud Connector in your corporate environment and have done the initial configuration. You need this only if the SCIM system is exposed in a private corporate network. For more information, see SAP Cloud Platform Connector.
● You have technical user credentials for a SCIM system, with read/write access permissions, depending on the scenario you want to implement. In case OAuth is used for authentication, client ID and secret are required when creating a destination for access token retrieval.
Context
Procedure
1. (Optional) If the SCIM system is exposed in a private corporate network, add an access control system mapping in Cloud Connector. For more information, see Configuring Access Control (HTTP).
2. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
3. Add SCIM as a source system. For more information, see Add System [page 59].
4. Choose the Properties tab to configure the connection settings for your system.
Note: If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab is considered with higher priority.
Mandatory Properties
Property Name Value
Type Enter: HTTP
URL Specify the service URL. Use https wherever the system offers it: with BasicAuthentication the credentials travel with every request. For example:
http://<cloudfoundry_server>.com/api/uaa/
ProxyType Enter Internet or OnPremise.
Authentication Enter: BasicAuthentication
User You can specify one of the following:
○ Technical user ID
○ Client ID for OAuth HTTP destinations. It is used for retrieving the access token.
Password You can enter one of the following:
○ Technical user password
○ Client secret for OAuth HTTP destinations. It is used for retrieving the access token.
OAuth2TokenServiceURL If you need to make OAuth authentication to the system, enter the URL to the access token provider service for OAuth HTTP destinations.
For example:
https://token-provider.com/api/auth/token
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
5. (Optional) Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your SCIM system. For more information, see Manage Transformations [page 37].
○ Mapping logic – the behavior of the default transformation logic is to read all user attributes from the source SCIM system, and then map them to the internal SCIM representation. It uses entityIdSourceSystem to store the unique ID of the identity. The ID is removed by default, because it is specific for the source system.
○ User offboarding – it depends on the target system API. When a user is deleted from the SCIM system, the deletion status is considered and depends on the user status handling of the target system. The user will be either deleted or set as inactive.
Default transformation:
Code Syntax
    {
      "user": {
        "mappings": [
          { "sourcePath": "$", "targetPath": "$" },
          { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
          { "targetPath": "$.id", "type": "remove" },
          { "targetPath": "$.meta", "type": "remove" }
        ]
      },
      "group": {
        "ignore": true,
        "mappings": [
          { "sourcePath": "$", "targetPath": "$" },
          { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
          { "targetPath": "$.id", "type": "remove" },
          { "targetPath": "$.meta", "type": "remove" }
        ]
      }
    }
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about any entities that fail during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.1.8 LDAP Server
Follow this procedure to set up LDAP Server as a source system.
Prerequisites
● You have installed the Cloud Connector in your corporate environment and have done the initial configuration. For more information, see SAP Cloud Platform Connector.
● You have the credentials of a technical user in the LDAP Server, which is used to call the LDAP Server API to read the users and their attributes.
Procedure
1. Add an access control system mapping for the LDAP Server in the Cloud Connector. This is needed to allow the Identity Provisioning service to access the LDAP server as a back-end system on the intranet. For more information, see Configuring Access Control (LDAP).
2. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
3. Add LDAP Server as a source system. For more information, see Add System [page 59].
4. Choose the Properties tab to configure the connection settings for your system.
Note: If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab is considered with higher priority.
Mandatory Properties
Property Name Description & Value
Type Enter: LDAP
ldap.url Specify the destination URL. It must be in the following format:
ldap://<external_host>:<external_port>
ldap.proxyType Enter: OnPremise
ldap.authentication Enter: BasicAuthentication
The service binds to the LDAP Server with the user name and password given in ldap.user and ldap.password; no OAuth token service is involved.
ldap.user Enter the service user name for LDAP Server. This is the user you need to establish the connection and to perform all queries.
ldap.password Enter the password for the LDAP Server user name.
ldap.group.path Enter the complete path to the node containing the groups in the LDAP tree.
ldap.user.path Enter the complete path to the users in LDAP Server.
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
The LDAP Server source system is created by default with the properties listed below:
Default LDAP Properties
ldap.user.attributes=
ldap.group.attributes=
ldap.user.object.class= inetOrgPerson
ldap.group.object.class= groupOfNames
ldap.group.uniquename.attribute= cn
ldap.member.uniquename.attribute= uid
ldap.user.filter=
ldap.group.filter=
ldap.page.size= 100
ldap.attribute.user.id= uid
ldap.attribute.user.mail= mail
ldap.attribute.user.givenName= givenName
ldap.attribute.user.surname= sn
ldap.attribute.user.groups= memberOf
ldap.attribute.user.mobile= mobile
ldap.attribute.user.telephoneNumber= telephoneNumber
ldap.attribute.group.id= cn
ldap.attribute.group.member= member
Note: The ldap.attribute.* properties are used in the parameterized default LDAP read transformation.
5. (Optional) Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in LDAP Server. For more information, see Manage Transformations [page 37].
Before the read transformation, the LDAP Server attributes are represented as arrays (single-element arrays, or multi-value arrays separated by comma (,)). After read transformation (in the intermediate JSON data), the attributes are in SCIM format. For more information, see the official documentation for LDAP Server schema attributes in the Related Information section.
Note: When a user is deleted from LDAP Server, the Identity Provisioning service takes the deletion into account during the read process. Depending on how offboarding is handled in the target system, the user is either deleted there or set to inactive.
Below are some of the statements in the default transformation, described in short:
Code Syntax
{
  "user": {
    "mappings": [
      /* The entityIdSourceSystem variable stores the unique ID of the identity. Do not delete this statement. You can exchange the default source attribute (resolved from the ldap.attribute.user.id system property) with another one, but make sure the new source attribute is unique as well. */
      { "sourcePath": "$.%ldap.attribute.user.id%[0]", "targetVariable": "entityIdSourceSystem" },
      /* The value of the attribute resolved from ldap.attribute.user.id is also used as the userName in the internal JSON representation. */
      { "sourcePath": "$.%ldap.attribute.user.id%[0]", "targetPath": "$.userName" },
      /* The constant urn:ietf:params:scim:schemas:core:2.0:User is the required value of the schemas attribute in the Identity Authentication service SCIM REST API. */
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" },
      /* The value of the attribute resolved from ldap.attribute.user.mail becomes the first element of the emails array. */
      { "sourcePath": "$.%ldap.attribute.user.mail%[0]", "targetPath": "$.emails[0].value", "optional": true },
      /* The attribute resolved from ldap.attribute.user.givenName maps to name.givenName. */
      { "sourcePath": "$.%ldap.attribute.user.givenName%[0]", "targetPath": "$.name.givenName", "optional": true },
      /* The attribute resolved from ldap.attribute.user.surname maps to name.familyName. */
      { "sourcePath": "$.%ldap.attribute.user.surname%[0]", "targetPath": "$.name.familyName", "optional": true },
      /* The attribute resolved from ldap.attribute.user.groups is transformed by default into the groups attribute of the SCIM internal representation. */
      { "sourcePath": "$.%ldap.attribute.user.groups%[0]", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.groups[?(@.value)]" },
      { "sourcePath": "$.%ldap.attribute.user.mobile%[0]", "optional": true, "targetPath": "$.phoneNumbers[0].value" },
      { "condition": "$.%ldap.attribute.user.mobile%.length() > 0", "constant": "mobile", "targetPath": "$.phoneNumbers[0].type" },
      { "sourcePath": "$.%ldap.attribute.user.telephoneNumber%[0]", "optional": true, "targetPath": "$.phoneNumbers[1].value" },
      { "condition": "$.%ldap.attribute.user.telephoneNumber%.length() > 0", "constant": "work", "targetPath": "$.phoneNumbers[1].type" }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$.%ldap.attribute.group.id%[0]", "targetVariable": "entityIdSourceSystem" },
      { "sourcePath": "$.%ldap.attribute.group.id%[0]", "targetPath": "$.displayName" },
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
      { "sourcePath": "$.%ldap.attribute.group.member%", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members[?(@.value)]" }
    ]
  }
}
As a result of this mapping, this is how the data from LDAP Server looks before and after the read transformation:
Source JSON Data (as read from LDAP Server):
... "memberOf": ["SALES_US", "SALES_EU"] ...
Intermediate JSON Data (as a result of the transformation):
... "groups": [ { "value": "SALES_US" }, { "value": "SALES_EU" } ] ...
Note: By default, the cn attribute is returned for every group. The administrator can change this by setting the property ldap.group.uniquename.attribute, either in the LDAP Server read system or in the corresponding destination, to the name of the attribute to be used instead. For example: ldap.group.uniquename.attribute=displayName
Next Steps
1. Before starting a provisioning job, you can subscribe to e-mail notifications from the source system you use in your scenario. This way, you are notified by e-mail about any entities that fail during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
Related Information
Technical Documents
Setting Timeout for Ldap Operations
Connection Pooling Configuration
1.5.1.9 Concur
Follow this procedure to set up Concur as a source system.
Prerequisites
● You have created a technical user with administrator permissions that will be used to call the Concur API for creating or updating user account information. For more information, see Concur API: User Account Information.
● You have registered a partner application in your Concur system. You need administrator permissions to register the application. For more information, see Concur: Registering a Partner Application in Sandbox.
Context
Companies that use Concur to manage and control travel expenses, invoices and other spend can use the Identity Provisioning service to automate identity and access management for the Concur solution. Customers can reuse the identity data from their existing corporate identity stores, such as the SAP AS ABAP user store, Microsoft Active Directory, and others. They can also reuse data from SAP cloud user stores, such as the employee data available in SAP SuccessFactors, or the internal and external users available in the user store of the Identity Authentication service.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add Concur as a source system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note: If you have already created a connectivity destination for this system in the SAP Cloud Platform cockpit, select it from the Destination dropdown box. If the same property is set both in the cockpit destination and in the Identity Provisioning UI, the value in the Properties tab takes precedence.
Mandatory Properties
Property Name Description & Value
Type Enter: HTTP
URL Enter: https://www.concursolutions.com
ProxyType Enter: Internet
Authentication Enter: BasicAuthentication
User Enter the user ID of the Concur technical user.
Password Enter the password of the Concur technical user.
X-ConsumerKey Enter the Concur Consumer Key here. For more information, see Concur: Generate an Access Token.
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your Concur source system. For more information, see Manage Transformations [page 37].
Default transformation:
Code Syntax
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.LoginID",
        "targetPath": "$.id",
        "targetVariable": "entityIdSourceSystem",
        "functions": [
          { "type": "concatString", "prefix": ":" },
          { "type": "concatString", "prefix": "$.EmployeeID" }
        ]
      },
      { "sourcePath": "$.EmployeeID", "targetPath": "$.userName" },
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" },
      { "sourcePath": "$.PrimaryEmail", "targetPath": "$.emails[0].value" },
      { "sourcePath": "$.FirstName", "optional": true, "targetPath": "$.name.givenName" },
      { "sourcePath": "$.LastName", "optional": true, "targetPath": "$.name.familyName" },
      { "sourcePath": "$.CellPhoneNumber", "optional": true, "targetPath": "$.phoneNumbers[0].value" }
    ]
  }
}
Next Steps
1. Before starting a provisioning job, you can subscribe to e-mail notifications from the source system you use in your scenario. This way, you are notified by e-mail about any entities that fail during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
Related Information
Concur: Registering a Partner Application in Sandbox
Concur: Generate an Access Token
Concur API: User Account Information
1.5.1.10 SSH Server (Beta)
Follow this procedure to set up an SSH server (Beta) as a source system.
Prerequisites
● You have credentials for a tenant in SAP Cloud Platform. For more information, see Accounts.
● (Optional) You have installed the Cloud Connector in your corporate environment and have done the initial configuration. You need this only when your SSH server resides in a remote system, outside your Neo environment. For more information, see Cloud Connector.
Note: This is a beta feature available on SAP Cloud Platform. For more information, see Using Beta Features in Subaccounts.
Context
SSH Server is a system (connector) in beta state. It executes bash scripts over an SSH connection. The configuration allows you to attach a separate script to each entity lifecycle callback (such as user create, group create/update, and so on). The connector reaches the remote machine through an SSH tunnel, with or without the Cloud Connector, depending on whether the SSH port is directly reachable.
The bash scripts can take as parameters fields that come from the entity JSON data. For example: sudo su - vcap /home/myscript.sh $.userName $.email
Because the field values are substituted into the command line, the script should quote its parameters and validate them before use: a user name or e-mail address taken from the identity store is still external input on the remote host.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add SSH Server (Beta) as a source system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note: If you have already created a connectivity destination for this system in the SAP Cloud Platform cockpit, select it from the Destination dropdown box. If the same property is set both in the cockpit destination and in the Identity Provisioning UI, the value in the Properties tab takes precedence.
Below are listed all available SSH Server properties. Some of them can be mandatory and others – optional, depending on your scenario.
Mandatory Properties
Property Name Description & Value
ProxyType Possible values:
○ Internet – if the SSH port is reachable from your Neo environment
○ OnPremise – if the SSH port is not directly reachable and you have to use the Cloud Connector. In that case, configure a TCP access control entry in the Cloud Connector for the SSH host and port (the values of the ssh.host and ssh.port properties).
CloudConnectorLocationId Relevant when the proxy type is OnPremise. Use it only if your SAP Cloud Platform account uses more than one Cloud Connector.
ssh.create.user.command Path to the bash command you need to execute to create a user.
ssh.update.user.command Path to the bash command you need to execute to update a user.
ssh.delete.user.command Path to the bash command you need to execute to delete a user.
ssh.create.group.command Path to the bash command you need to execute to create a group.
ssh.update.group.command Path to the bash command you need to execute to update a group.
ssh.delete.group.command Path to the bash command you need to execute to delete a group.
ssh.create.user.command.exit.code.already.exists An exit code number: the code your create user command returns when the user already exists, so that the service can tell this case from a failure.
ssh.update.user.command.exit.code.not.found An exit code number: the code your update user command returns when the user does not exist.
ssh.delete.user.command.exit.code.not.found An exit code number: the code your delete user command returns when the user does not exist.
ssh.create.group.command.exit.code.already.exists An exit code number: the code your create group command returns when the group already exists.
ssh.update.group.command.exit.code.not.found An exit code number: the code your update group command returns when the group does not exist.
ssh.delete.group.command.exit.code.not.found An exit code number: the code your delete group command returns when the group does not exist.
ssh.auth.type Supported SSH authentication types:
○ key
○ pwd
○ otp
○ key+otp
○ key+pwd
○ pwd+otp
○ key+pwd+otp
ssh.host Host name or IP address of the SSH server.
ssh.port Port of the SSH server. Default value: 22
ssh.username User name used for the SSH logon.
ssh.password (Credential) Taken into account only if the authentication type includes pwd, that is, when ssh.auth.type is one of:
○ pwd
○ pwd+otp
○ key+pwd
○ key+pwd+otp
ssh.totp.secret.key (Credential) Taken into account only if the authentication type includes otp, that is, when ssh.auth.type is one of:
○ otp
○ key+otp
○ pwd+otp
○ key+pwd+otp
ssh.private.key.type The type of the SSH private key. Possible values:
○ ssh-rsa
○ ssh-dsa
Default value: ssh-rsa
Note: If you choose ssh-rsa, the key must be in PKCS #8 format and unencrypted.
ssh.private.key (Credential) Taken into account only if the authentication type includes key, that is, when ssh.auth.type is one of:
○ key
○ key+pwd
○ key+otp
○ key+pwd+otp
ssh.read.groups.command Path to the bash command you need to execute to read groups.
ssh.read.users.command Path to the bash command you need to execute to read users.
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. (Optional) Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your SSH Server (Beta) source system. For more information, see Manage Transformations [page 37].
Default transformation:
Code Syntax
{
  "user": {
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" }
    ]
  }
}
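The connector contract described above (a command at a path, entity fields passed as arguments, a dedicated exit code for "already exists") is easier to see in a concrete create-user command. The following script is an added example and not part of the Identity Provisioning service or of SAP's documentation; it is written in Python rather than bash so it can be exercised like the other example on this page, but a bash script must honour the same contract. Its exit codes (2 for rejected input, 3 for an existing user), the path it is installed at and the useradd options are this example's own assumptions; the value 3 must be entered as ssh.create.user.command.exit.code.already.exists in the system properties. The run and exists parameters exist only so the script can be tested without root.

```python
import pwd
import re
import subprocess
import sys

# Exit codes are this example's own choice; EXIT_ALREADY_EXISTS must be entered as
# ssh.create.user.command.exit.code.already.exists in the system properties.
EXIT_OK, EXIT_FAILED, EXIT_INVALID, EXIT_ALREADY_EXISTS = 0, 1, 2, 3

# Strict allow-lists rather than escaping: the values come from the identity store, so
# an unchecked user name could be read as a useradd option ("-o") or, in a bash script
# that does not quote "$1", as shell syntax.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate(username, email):
    """True only when both arguments match the allow-lists."""
    return bool(USERNAME_RE.match(username) and EMAIL_RE.match(email))


def user_exists(username):
    """Check the local account database (the real check used when run on the host)."""
    try:
        pwd.getpwnam(username)
        return True
    except KeyError:
        return False


def useradd_argv(username, email):
    """argv list, never a shell string; "--" ends option parsing so the name cannot become an option."""
    return ["useradd", "--comment", email, "--create-home", "--shell", "/bin/bash", "--", username]


def create_user(username, email, run=subprocess.run, exists=user_exists):
    """Returns the exit code the connector sees. run/exists are injectable for testing."""
    if not validate(username, email):
        return EXIT_INVALID
    if exists(username):
        return EXIT_ALREADY_EXISTS  # the connector maps this code to "already exists", not to a failure
    result = run(useradd_argv(username, email), check=False)
    return EXIT_OK if result.returncode == 0 else EXIT_FAILED


if __name__ == "__main__":
    # Assumed command template in ssh.create.user.command: /usr/local/bin/ips-create-user $.userName $.email
    sys.exit(create_user(*sys.argv[1:3]) if len(sys.argv) == 3 else EXIT_INVALID)
```

The same pattern applies to the update and delete commands: validate first, return the configured not-found code when the account is absent, and build argv lists instead of interpolating values into a shell string.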
Next Steps
1. Before starting a provisioning job, you can subscribe to e-mail notifications from the source system you use in your scenario. This way, you are notified by e-mail about any entities that fail during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.1.11 Microsoft Active Directory
Follow this procedure to set up Microsoft Active Directory as a source system.
Prerequisites
● You have installed the Cloud Connector in your corporate environment and have done the initial configuration. For more information, see SAP Cloud Platform Connector.
● You have the credentials of a technical user in Microsoft Active Directory. The service connects with this user to Microsoft Active Directory to read the users and their attributes.
Context
You can configure Microsoft Active Directory as a source system to provision groups and permission assignments to cloud systems, such as SAP Cloud Platform.
Procedure
1. Add an access control system mapping for the Microsoft Active Directory in the Cloud Connector. This is needed to allow the Identity Provisioning service to access Microsoft AD as a back-end system on the intranet. For more information, see Configuring Access Control (LDAP).
2. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
3. Add Microsoft Active Directory as a source system. For more information, see Add System [page 59].
4. Choose the Properties tab to configure the connection settings for your system.
Note: If you have already created a connectivity destination for this system in the SAP Cloud Platform cockpit, select it from the Destination dropdown box. If the same property is set both in the cockpit destination and in the Identity Provisioning UI, the value in the Properties tab takes precedence.
Mandatory Properties
Property Name Description & Value
Type Enter: LDAP
ldap.url Specify a destination URL. It must be in the following format:
ldap://<ext_host>:<ext_port>
ldap.proxyType Enter: OnPremise
ldap.authentication Enter: BasicAuthentication
ldap.user Enter the service user name for Microsoft Active Directory. This is the user you need to establish the connection and to perform all queries.
ldap.password Enter the password for the Microsoft Active Directory user name.
ldap.group.path Enter the complete path to the node containing the groups in the LDAP tree.
ldap.user.path Enter the complete path to the users in Microsoft Active Directory.
Example for a destination or a set of properties:
Type= LDAP
Name= MyADDestination
ldap.user= myaduser
ldap.password= *******
ldap.url= ldap://abcd:123
ldap.proxyType= OnPremise
ldap.authentication= BasicAuthentication
ldap.group.path= OU=Groups,OU=IAS,DC=global,DC=corp,DC=mycompany
ldap.user.path= OU=Users,OU=IAS,DC=global,DC=corp,DC=mycompany
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
5. (Optional) Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in Microsoft Active Directory. For more information, see Manage Transformations [page 37].
Before the read transformation, the Microsoft Active Directory attributes are represented as arrays (single-element arrays, or multi-value arrays separated by comma (,)). After read transformation (in the intermediate JSON data), the attributes are in SCIM format. For more information, see the official documentation for Active Directory schema attributes in the Related Information section.
Note: When a user is deleted from Microsoft Active Directory, the Identity Provisioning service takes the deletion into account during the read process. Depending on how offboarding is handled in the target system, the user is either deleted there or set to inactive.
Below are some of the statements in the default transformation, described in short:
Code Syntax
/* The entityIdSourceSystem variable stores the unique ID of the identity. Do not delete this statement. You can exchange the default source attribute sAMAccountName[0] with another one, but make sure the new source attribute is unique as well. sAMAccountName[0] is also used as the userName in the intermediate JSON data. */
{
  "user": {
    "mappings": [
      { "sourcePath": "$.sAMAccountName[0]", "targetVariable": "entityIdSourceSystem" },
      { "sourcePath": "$.sAMAccountName[0]", "targetPath": "$.userName" },
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" },
      { "sourcePath": "$.mail[0]", "optional": true, "targetPath": "$.emails[0].value" },
      { "sourcePath": "$.givenName[0]", "optional": true, "targetPath": "$.name.givenName" },
      { "sourcePath": "$.sn[0]", "optional": true, "targetPath": "$.name.familyName" },
      { "sourcePath": "$.memberOf", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.groups[?(@.value)]" },
      { "sourcePath": "$.mobile[0]", "optional": true, "targetPath": "$.phoneNumbers[0].value" },
      { "condition": "$.mobile.length() > 0", "constant": "mobile", "targetPath": "$.phoneNumbers[0].type" },
      { "sourcePath": "$.telephoneNumber[0]", "optional": true, "targetPath": "$.phoneNumbers[1].value" },
      { "condition": "$.telephoneNumber.length() > 0", "constant": "work", "targetPath": "$.phoneNumbers[1].type" }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$.sAMAccountName[0]", "targetVariable": "entityIdSourceSystem" },
      { "sourcePath": "$.sAMAccountName[0]", "targetPath": "$.displayName" },
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
      { "sourcePath": "$.member", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members[?(@.value)]" }
    ]
  }
}
As a result of this mapping, this is how the data from Microsoft Active Directory looks before and after the read transformation:
Source JSON Data (as read from Microsoft Active Directory):
... "memberOf": ["SALES_US", "SALES_EU"] ...
Intermediate JSON Data (as a result of the transformation):
... "groups": [ { "value": "SALES_US" }, { "value": "SALES_EU" } ] ...
Note: By default, the cn attribute is returned for every group. The administrator can change this behavior by setting the property ldap.group.uniquename.attribute, either in the Microsoft Active Directory read system or in the corresponding destination, to the name of the attribute to be used instead. For example: ldap.group.uniquename.attribute=displayName
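The LDAP Server and Microsoft Active Directory sections above both describe the same read-transformation mechanics: array-valued source attributes, the [0] index for single values, optional statements, preserveArrayWithSingleElement for group lists, conditions on length(), and the $.groups[?(@.value)] target that wraps each member in a {"value": …} object. The following interpreter is an added example, not code from SAP or the Identity Provisioning service; it models only the subset of the syntax used in the two default transformations, and its handling of edge cases (a single-element array is unwrapped unless preserveArrayWithSingleElement is set; an absent attribute counts as length 0 in a condition; unfilled array positions stay as empty objects) is this example's assumption about the engine, not documented behaviour. The sample directory entry is constructed; the mappings are the user mappings of the default Microsoft Active Directory transformation shown above.

```python
import re

# Constructed sample entry, shaped the way the LDAP connector delivers it: every attribute is an
# array, even a single-valued one. telephoneNumber is left out to exercise "optional" and length().
AD_USER = {
    "sAMAccountName": ["jdoe"],
    "mail": ["jane.doe@example.com"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "memberOf": ["SALES_US", "SALES_EU"],
    "mobile": ["+1 555 0100"],
}

# The "user" mappings of the default Microsoft Active Directory read transformation.
AD_USER_MAPPINGS = [
    {"sourcePath": "$.sAMAccountName[0]", "targetVariable": "entityIdSourceSystem"},
    {"sourcePath": "$.sAMAccountName[0]", "targetPath": "$.userName"},
    {"constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]"},
    {"sourcePath": "$.mail[0]", "optional": True, "targetPath": "$.emails[0].value"},
    {"sourcePath": "$.givenName[0]", "optional": True, "targetPath": "$.name.givenName"},
    {"sourcePath": "$.sn[0]", "optional": True, "targetPath": "$.name.familyName"},
    {"sourcePath": "$.memberOf", "preserveArrayWithSingleElement": True, "optional": True,
     "targetPath": "$.groups[?(@.value)]"},
    {"sourcePath": "$.mobile[0]", "optional": True, "targetPath": "$.phoneNumbers[0].value"},
    {"condition": "$.mobile.length() > 0", "constant": "mobile", "targetPath": "$.phoneNumbers[0].type"},
    {"sourcePath": "$.telephoneNumber[0]", "optional": True, "targetPath": "$.phoneNumbers[1].value"},
    {"condition": "$.telephoneNumber.length() > 0", "constant": "work", "targetPath": "$.phoneNumbers[1].type"},
]

_SEGMENT = re.compile(r"^(\w+)(?:\[(\d+)\])?$")
_LENGTH_COND = re.compile(r"^(\$(?:\.\w+)+)\.length\(\) > (\d+)$")
_FILTER = "[?(@.value)]"


def _segments(path):
    """Split "$.a.b[0]" into [("a", None), ("b", 0)]; only this dotted form is supported."""
    out = []
    for seg in path[2:].split("."):
        m = _SEGMENT.match(seg)
        if not m:
            raise ValueError("unsupported path: " + path)
        out.append((m.group(1), int(m.group(2)) if m.group(2) else None))
    return out


def read_path(entry, path):
    """Resolve a source path; KeyError/IndexError means the attribute is absent."""
    cur = entry
    for name, idx in _segments(path):
        cur = cur[name] if idx is None else cur[name][idx]
    return cur


def evaluate_condition(entry, cond):
    """Only "$.attr.length() > N" is modelled; an absent attribute counts as length 0 (assumption)."""
    m = _LENGTH_COND.match(cond)
    if not m:
        raise ValueError("unsupported condition: " + cond)
    try:
        return len(read_path(entry, m.group(1))) > int(m.group(2))
    except (KeyError, IndexError):
        return False


def write_path(doc, path, value):
    """Set value at a target path, creating intermediate objects and arrays on the way."""
    if path.endswith(_FILTER):  # "$.x[?(@.value)]": every element becomes {"value": element}
        items = value if isinstance(value, list) else [value]
        return write_path(doc, path[: -len(_FILTER)], [{"value": v} for v in items])
    segs, cur = _segments(path), doc
    for i, (name, idx) in enumerate(segs):
        if idx is not None:  # array element: grow the array with {} placeholders if needed
            lst = cur.setdefault(name, [])
            lst.extend({} for _ in range(idx + 1 - len(lst)))
            cur, name = lst, idx
        if i == len(segs) - 1:
            cur[name] = value
        else:
            cur = cur[name] if idx is not None else cur.setdefault(name, {})


def transform(entry, mappings=AD_USER_MAPPINGS):
    """Apply the mappings in order; returns (intermediate SCIM document, target variables)."""
    doc, variables = {}, {}
    for m in mappings:
        if "condition" in m and not evaluate_condition(entry, m["condition"]):
            continue
        if "constant" in m:
            value = m["constant"]
        else:
            try:
                value = read_path(entry, m["sourcePath"])
            except (KeyError, IndexError):
                if m.get("optional"):
                    continue
                raise ValueError("mandatory source attribute missing: " + m["sourcePath"])
            # Assumed engine rule: a single-element array is unwrapped unless
            # preserveArrayWithSingleElement is set, so a user with one group still gets an array.
            if isinstance(value, list) and len(value) == 1 and not m.get("preserveArrayWithSingleElement"):
                value = value[0]
        if "targetVariable" in m:
            variables[m["targetVariable"]] = value
        if "targetPath" in m:
            write_path(doc, m["targetPath"], value)
    return doc, variables
```

Running transform(AD_USER) produces the groups array shown in the table above, fills phoneNumbers[0] with its mobile type, skips the absent telephoneNumber together with its work-type condition, and records "jdoe" as entityIdSourceSystem. Removing sAMAccountName from the entry raises, which is the behaviour to expect from a non-optional statement: an identity without a unique ID fails rather than being provisioned with a blank one.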
Next Steps
1. Before starting a provisioning job, you can subscribe to e-mail notifications from the source system you use in your scenario. This way, you are notified by e-mail about any entities that fail during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
Related Information
Technical Documents
Setting Timeout for Ldap Operations
Connection Pooling Configuration
1.5.1.12 Microsoft Azure Active Directory
Follow this procedure to set up Microsoft Azure Active Directory (in short, Azure AD) as a source system.
Prerequisites
● You have logged on to the Microsoft Azure Portal with the credentials of a user that has the directory role Global administrator. For more information, see Microsoft: Assigning administrator roles in Azure Active Directory.
● In Azure Active Directory > App registrations, you have registered an application with a secret key and the permissions (see below) for the Microsoft Graph API. An administrator must consent to these permissions. For more information, see Microsoft Graph permissions reference.
● (Relevant to target systems) Your registered application is assigned the User Account Administrator role. This role is required to deprovision users. For more information, see MS Azure PowerShell: Add-MsolRoleMember.
Note: If this role is not assigned, you can only disable users. To do that, set the accountEnabled property to false. For more information, see MS Graph: user resource type.
Permissions
Assign the following permissions to your application, according to your scenario:
● Users – User.ReadWrite.All, Directory.AccessAsUser.All
● Groups – Group.ReadWrite.All
For more information, see MS Graph: Users and MS Graph: Groups.
Context
When you use Azure AD as a source system, you can read both users and groups from it and provision them to any target system you have added in the Identity Provisioning user interface (provided that the target system supports groups).
If you have successfully finished with the initial setup (described in the Prerequisites section), continue with the procedure below.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add Microsoft Azure Active Directory as a source system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note: If you have already created a connectivity destination for this system in the SAP Cloud Platform cockpit, select it from the Destination dropdown box. If the same property is set both in the cockpit destination and in the Identity Provisioning UI, the value in the Properties tab takes precedence.
Mandatory Properties
Property Name Description & Value
Type Enter: HTTP
URL Enter: https://graph.microsoft.com
ProxyType Enter: Internet
Authentication Enter: BasicAuthentication
User Enter the application ID registered in your Azure AD subscription (see the Prerequisites section).
Password Enter the secret key associated with your app registration.
aad.domain.name Enter one of the verified domain names of the corresponding Azure AD tenant. The provisioning operations are performed on this domain. For more information, see Microsoft: Manage domain names.
oauth.resource.name Enter: https://graph.microsoft.com
OAuth2TokenServiceURL Enter: https://login.microsoftonline.com/{your_domain}/oauth2/token, where {your_domain} is the domain name you have set in the aad.domain.name property.
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. (Optional) Configure the transformations.
Default transformation:
Code Syntax
{
  "user": {
    "condition": "$.userPrincipalName EMPTY false",
    "mappings": [
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "sourcePath": "$.mailNickname", "optional": true, "targetPath": "$.externalId" },
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" },
      { "sourcePath": "$.mail", "targetPath": "$.emails[0].value" },
      { "sourcePath": "$.userPrincipalName", "targetPath": "$.userName" },
      { "sourcePath": "$.displayName", "optional": true, "targetPath": "$.displayName" },
      { "sourcePath": "$.givenName", "optional": true, "targetPath": "$.name.givenName" },
      { "sourcePath": "$.surname", "optional": true, "targetPath": "$.name.familyName" },
      { "sourcePath": "$.mobilePhone", "optional": true, "targetPath": "$.phoneNumbers[0].value" },
      { "condition": "$.businessPhones.length() > 0", "constant": "mobile", "targetPath": "$.phoneNumbers[0].type" },
      { "sourcePath": "$.businessPhones[0]", "optional": true, "targetPath": "$.phoneNumbers[1].value" },
      { "condition": "$.businessPhones.length() > 0", "constant": "work", "targetPath": "$.phoneNumbers[1].type" }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "sourcePath": "$.mailNickname", "optional": true, "targetPath": "$.externalId" },
      { "sourcePath": "$.displayName", "targetPath": "$.displayName" },
      { "sourcePath": "$.members", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members[?(@.value)]" }
    ]
  }
}
Next Steps
1. Before starting a provisioning job, you can subscribe to e-mail notifications from the source system you use in your scenario. This way, you are notified by e-mail about any entities that fail during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.2 Target Systems
This section lists all target systems supported by the Identity Provisioning user interface.
A target system is the connector used for writing (provisioning) entities. Target systems are usually clouds, where the Identity Provisioning service creates or updates the entities taken from the source system.
Target Systems
Concur
Google G Suite
Microsoft Azure Active Directory
SAP Analytics Cloud (Beta)
SAP Cloud Platform Identity Authentication
SAP Jam
SCIM System
SSH Server (Beta)
CloudFoundry UAA Server
SAP Document Center
SAP HANA Database (Beta)
SAP Hybris Cloud for Customer
SAP Cloud Platform Java/HTML5 Apps
Local Identity Directory
1.5.2.1 SAP Cloud Platform Java/HTML5 Apps
Follow this procedure to set up SAP Cloud Platform as a target system.
Prerequisites
You have created a platform API OAuth client for the Authorization Management REST API and securely saved its Client ID and Client Secret. You need them to configure the target system. Save the client secret when you create the client, because you cannot retrieve it later.
For more information, see Create an OAuth Client.
Context
The Identity Provisioning service helps companies automatically manage user-to-group assignments for Java/HTML5 applications running on SAP Cloud Platform. For this purpose, the service reuses data from the company's existing user store. In this scenario, SAP Cloud Platform is the target system; the source system can be any solution supported by the Identity Provisioning service that provides read access to group artifacts.
This provisioning scenario is based on the Authorization Management REST API of the cloud platform. For more information, see Using the Authorization Management REST API.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add SAP Cloud Platform Java/HTML5 Apps as a target system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note: If you have already created a connectivity destination for this system in the SAP Cloud Platform cockpit, select it from the Destination dropdown box. If the same property is set both in the cockpit destination and in the Identity Provisioning UI, the value in the Properties tab takes precedence.
Mandatory Properties
Property Name Description & Value
Type Enter: HTTP
URL Enter: https://api.<SAP_CP_host>/authorization/v1/accounts/<SAP_CP_account>
ProxyType Enter: Internet
Authentication Enter: BasicAuthentication
User Enter the Client ID of the new OAuth client created for the Authorization Management API (see the prerequisites).
Password Enter the Client Secret of the new OAuth client created for the Authorization Management API (see the prerequisites).
OAuth2TokenServiceURL Enter: https://api.<SAP_CP_host>/oauth2/apitoken/v1
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. Configure the transformations.
You can change the default transformation mapping rules to reflect the data that is read from the source system. For more information, see Manage Transformations [page 37].
With the default transformation, every group available in the source system (for Microsoft Active Directory, also consider the value of the ldap.group.path parameter) is created as a group in the cloud platform account configured as the target system, together with its members (as identifiers). Each created group is assigned the same list of users (as identities) that are members of that group in the source system.
Below are some of the statements in the default transformation, described in short:
Code Syntax
{
  "group": {
    "mappings": [
      /* Attribute entityIdTargetSystem stores the displayName attribute as a unique value of the group. Do not delete this statement! */
      {
        "sourcePath": "$.displayName",
        "targetVariable": "entityIdTargetSystem"
      },
      /* All members of a source group will be transformed, by default, into users for a new group. It will be created in the cloud platform account (the target system) when the JSON data is prepared to be sent to the target system. */
      {
        "sourcePath": "$.members[*].value",
        "optional": true,
        "targetPath": "$.users"
      }
    ]
  }
}
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about any failed entities during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.2.2 SAP Cloud Platform Identity Authentication
Follow this procedure to set up SAP Cloud Platform Identity Authentication as a target system.
Prerequisites
You have created a technical user in the Identity Authentication service. For more information, see Add System as Administrator.
Note: On the Identity Authentication service side, the technical users are known as systems.
Details:
● The technical user will call the SCIM REST API of the service.
● You must configure the technical user with a password and assign to it the authorization roles Manage Users and Manage Groups. This way you can create, edit and delete users and groups in the Identity Authentication user store.
Context
The Identity Authentication service offers a user store in the cloud platform, which can be used as a source or a target system for the Identity Provisioning service.
Using the Identity Provisioning service you can read corporate users from on-premise systems or from cloud systems, and provision these users to the Identity Authentication user store. This way, you can implement secure authentication, single sign-on (SSO) or strong authentication, and mobile SSO as a service for the Web and cloud applications of your company.
For example, you can implement two-factor authentication and mobile SSO for SAP SuccessFactors users.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add SAP Cloud Platform Identity Authentication as a target system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note: If you have already created a connectivity destination for this system in the SAP Cloud Platform cockpit, select it from the Destination dropdown box. If the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab takes priority.
Mandatory Properties
Property Name Description & Value
Type Enter: HTTP
URL Specify the URL of the Identity Authentication service tenant of your company. For example:
https://mytenant.accounts.ondemand.com
ProxyType Enter: Internet
The Identity Authentication service is a cloud solution and is outside your company's on-premise infrastructure.
Authentication Enter: BasicAuthentication
User Enter the technical user name configured for the Identity Authentication service.
Password Enter the password for the Identity Authentication service technical user.
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. (Optional) Configure the transformations.
Transformations are used to map the user attributes from the data model of a source system to the data model of the target system, and the other way around. The Identity Provisioning service offers default transformations when Identity Authentication is used as a source or target system. The default transformation settings can be displayed under the Transformations tab after saving the initial source or target system configuration.
When Identity Authentication is configured as a target system, the default transformation logic writes all the user attributes in the Identity Authentication user store. The logic is provided by the Identity Authentication SCIM REST API, which then maps the attributes to the internal SCIM representation. For more information, see Identity Authentication service SCIM REST API.
When Identity Authentication is configured as a target system, the default transformation logic:
○ reads all user attributes from the intermediate SCIM representation;
○ excludes some of the identity records;
○ skips some of the attributes from the identity records.
This way, the transformation logic ensures that the identity data, sent to the Identity Authentication service SCIM REST API, is consistent.
Default transformation:
Code Syntax
{
  "user": {
    /* Skip the identity records where name.familyName is empty because this data is mandatory for the SCIM REST API of the Identity Authentication service. */
    "condition": "($.emails.length() > 0) && ($.name.familyName EMPTY false)",
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        /* The intermediate JSON data for groups is mapped to corporateGroups in the JSON sent to the Identity Authentication, because the corporateGroups attribute is the specific representation of corporate groups in the Identity Authentication. */
        "sourcePath": "$.groups",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.corporateGroups"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      /* By default, the user is created as active. */
      {
        "constant": true,
        "targetPath": "$.active"
      },
      /* By default, an activation e-mail will not be sent to the user, and thus the user can log on to the application directly. */
      {
        "constant": "false",
        "targetPath": "$.sendMail",
        "scope": "createEntity"
      },
      {
        "constant": "true",
        "targetPath": "$.mailVerified",
        "scope": "createEntity"
      },
      /* There will be no initial password provided by default. That's why passwordStatus is disabled. */
      {
        "constant": "disabled",
        "targetPath": "$.passwordStatus",
        "scope": "createEntity"
      },
      /* The userType attribute accepts different values. The default one is employee. If you set it to public, that means Identity Authentication is the default password store. See the Remember box below for details. */
      {
        "constant": "employee",
        "targetPath": "$.userType"
      },
      /* The sourceSystem attribute shows the provisioning source of the users. The supported value is 39. That means, a corporate user is provisioned via the SCIM REST API of the Identity Authentication service. See the Remember box below for details. */
      {
        "constant": "39",
        "targetPath": "$.sourceSystem",
        "scope": "createEntity"
      },
      {
        "targetPath": "$.groups",
        "type": "remove"
      },
      /* The default transformation removes schemas:extension:enterprise because it contains values that are source system dependent and could be invalid for the target system (for example, the manager ID). */
      {
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']",
        "type": "remove"
      }
    ]
  },
  /* By default, group is inactive (ignored) but groups are supported. To start provisioning groups, either delete the statement "ignore": true, or set its value to false. */
  "group": {
    "ignore": true,
    "mappings": [
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "scope": "createEntity",
        "functions": [
          {
            "type": "replaceAllString",
            "regex": "[\\s\\p{Punct}]",
            "replacement": "_"
          }
        ]
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']"
      },
      {
        "sourcePath": "$.members[*].value",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members[?(@.value)]",
        "functions": [
          {
            "type": "resolveEntityIds"
          }
        ]
      }
    ]
  }
}
You can change the default transformation mapping rules depending on your setup of entities in the Identity Authentication. For more information, see Manage Transformations [page 37].
Remember: If you set $.userType to "public", all passwords will by default be written in Identity Authentication. Thus, all provisioned users will successfully log in to the Identity Authentication target system.
When $.userType is set to "employee", the log-in behavior of the provisioned users depends on whether the users have been created with or without a password, and on where these passwords are stored. Thus, you need to modify the target transformation accordingly in order for the users to successfully log in to the Identity Authentication console. See the four cases below.
Case 1: Passwords are stored in the Corporate User Store (Cloud Connector scenarios)
In this case, users will authenticate against the Corporate User Store. This is relevant to scenarios that require integration with the Cloud Connector. The source system can be AS ABAP, Microsoft Active Directory, or LDAP.
{
  "constant": "enabled",
  "targetPath": "$.passwordStatus",
  "scope": "createEntity"
},
{
  "constant": "employee",
  "targetPath": "$.userType"
},
{
  "constant": "39",
  "targetPath": "$.sourceSystem",
  "scope": "createEntity"
},

Case 2: Users are created without a password (SAML proxy scenario)
In this case, user authentication will be delegated to the Corporate Identity Provider.
In the transformation, change "enabled" to "disabled". Thus, you have:
{
  "constant": "disabled",
  "targetPath": "$.passwordStatus",
  "scope": "createEntity"
},
{
  "constant": "employee",
  "targetPath": "$.userType"
},
/* Remove this part:
{
  "constant": "39",
  "targetPath": "$.sourceSystem",
  "scope": "createEntity"
},
*/

Case 3: Passwords are stored in Identity Authentication (initial password is required)
In the transformation, change "enabled" to "initial". Thus, you have:
{
  "constant": "initial",
  "targetPath": "$.passwordStatus",
  "scope": "createEntity"
},
{
  "constant": "initial password defined by customer",
  "targetPath": "$.password",
  "scope": "createEntity"
},
{
  "constant": "false",
  "targetPath": "$.sendMail",
  "scope": "createEntity"
},
{
  "constant": "true",
  "targetPath": "$.mailVerified",
  "scope": "createEntity"
},
{
  "constant": "employee",
  "targetPath": "$.userType"
},
/* Remove this part:
{
  "constant": "39",
  "targetPath": "$.sourceSystem",
  "scope": "createEntity"
},
*/

Case 4: Passwords are stored in Identity Authentication (activation e-mail is required)
In the transformation, change the following lines:
{
  "constant": "true",
  "targetPath": "$.sendMail",
  "scope": "createEntity"
},
{
  "constant": "false",
  "targetPath": "$.mailVerified",
  "scope": "createEntity"
},
/* Remove this part:
{
  "constant": true,
  "targetPath": "$.active"
},
{
  "constant": "enabled",
  "targetPath": "$.passwordStatus",
  "scope": "createEntity"
},
{
  "constant": "39",
  "targetPath": "$.sourceSystem",
  "scope": "createEntity"
},
*/
Tip: If you don't want to delete the "constant": "39" statement from the transformation, you can configure the Corporate User Store in the Identity Authentication admin console so as to reuse the corporate passwords. To learn how, see: Corporate User Store
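To make the four cases above mechanical, the following Python script (an added example, not SAP code; it does not reimplement the transformation engine) rewrites the constant statements of the default target transformation for a chosen case and lints the result for the combinations the cases say would leave users unable to log in. The excerpt of mappings and the initial-password placeholder are constructed for the example.

```python
import copy
import json

# Constructed excerpt of the default Identity Authentication target transformation:
# only the "user" statements that the four password cases touch.
DEFAULT_USER_MAPPINGS = [
    {"constant": True, "targetPath": "$.active"},
    {"constant": "false", "targetPath": "$.sendMail", "scope": "createEntity"},
    {"constant": "true", "targetPath": "$.mailVerified", "scope": "createEntity"},
    {"constant": "disabled", "targetPath": "$.passwordStatus", "scope": "createEntity"},
    {"constant": "employee", "targetPath": "$.userType"},
    {"constant": "39", "targetPath": "$.sourceSystem", "scope": "createEntity"},
]

# Placeholder only: the real initial password is defined by the customer.
INITIAL_PASSWORD_PLACEHOLDER = "<initial password defined by customer>"


def constant_for(mappings, target_path):
    """Return the constant written to target_path, or None if no statement sets it."""
    for statement in mappings:
        if statement.get("targetPath") == target_path:
            return statement.get("constant")
    return None


def set_constant(mappings, target_path, value, scope=None):
    """Replace (or add) the constant statement that writes target_path."""
    kept = [s for s in mappings if s.get("targetPath") != target_path]
    statement = {"constant": value, "targetPath": target_path}
    if scope:
        statement["scope"] = scope
    return kept + [statement]


def remove_statement(mappings, target_path):
    """Drop the statement for target_path (the page's "Remove this part")."""
    return [s for s in mappings if s.get("targetPath") != target_path]


def apply_password_case(mappings, case):
    """Return a copy of the mappings edited as case 1..4 above prescribes."""
    m = copy.deepcopy(mappings)
    if case == 1:  # corporate user store keeps the passwords (Cloud Connector)
        return set_constant(m, "$.passwordStatus", "enabled", "createEntity")
    if case == 2:  # SAML proxy: no password, logon delegated to the corporate IdP
        m = set_constant(m, "$.passwordStatus", "disabled", "createEntity")
        return remove_statement(m, "$.sourceSystem")
    if case == 3:  # initial password stored in Identity Authentication
        m = set_constant(m, "$.passwordStatus", "initial", "createEntity")
        m = set_constant(m, "$.password", INITIAL_PASSWORD_PLACEHOLDER, "createEntity")
        m = set_constant(m, "$.sendMail", "false", "createEntity")
        m = set_constant(m, "$.mailVerified", "true", "createEntity")
        return remove_statement(m, "$.sourceSystem")
    if case == 4:  # activation e-mail: the user sets the password, drop the rest
        m = set_constant(m, "$.sendMail", "true", "createEntity")
        m = set_constant(m, "$.mailVerified", "false", "createEntity")
        for path in ("$.active", "$.passwordStatus", "$.sourceSystem"):
            m = remove_statement(m, path)
        return m
    raise ValueError("case must be 1, 2, 3 or 4")


def lint_password_statements(mappings):
    """Flag combinations that, according to the cases above, block the logon."""
    findings = []
    status = constant_for(mappings, "$.passwordStatus")
    send_mail = constant_for(mappings, "$.sendMail")
    verified = constant_for(mappings, "$.mailVerified")
    if status == "initial" and constant_for(mappings, "$.password") is None:
        findings.append("passwordStatus is 'initial' but no $.password constant is set")
    if send_mail == "true" and verified == "true":
        findings.append("sendMail 'true' together with mailVerified 'true'")
    if send_mail == "true" and status is not None:
        findings.append("activation e-mail case: remove the passwordStatus statement")
    if constant_for(mappings, "$.sourceSystem") == "39" and status != "enabled":
        findings.append("sourceSystem 39 kept although passwords are not in the corporate "
                        "user store: configure the Corporate User Store or remove it")
    return findings


if __name__ == "__main__":
    for case in (1, 2, 3, 4):
        edited = apply_password_case(DEFAULT_USER_MAPPINGS, case)
        print(f"case {case}: {lint_password_statements(edited) or 'ok'}")
        print(json.dumps(edited, indent=2))
```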
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about any failed entities during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
Related Information
Identity Authentication: Documentation
Identity Authentication: SCIM REST API
1.5.2.3 SAP Analytics Cloud (Beta)
Follow this procedure to set up SAP Analytics Cloud (Beta) as a target system.
Prerequisites
1. In SAP Analytics Cloud, you have enabled a custom SAML Identity Provider, for which User Attribute is set to Custom SAML User Mapping. To learn how, see: Enabling a Custom SAML Identity Provider
2. Add an OAuth client with authorization grant Client Credentials. To learn how, see: Managing OAuth Clients and Trusted Identity Providers
3. Create a user representing the OAuth client. Set its SAML USER MAPPING to be oauth_client_<CLIENT_ID>, where <CLIENT_ID> (case sensitive) matches the OAuth client ID from the previous step. To learn how, see: Creating New Users
Note: If you don't see a column SAML USER MAPPING, go back to step 1 and make sure you set the attribute right.
4. Assign this user to a role that grants permissions to manage users and teams. To learn how, see: Assigning Roles to Users
List of all standard application roles in SAP Analytics Cloud: Standard Application Roles
Context
After fulfilling the prerequisites, follow the procedure below to add SAP Analytics Cloud (Beta) as a target system to provision users and groups.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add SAP Analytics Cloud (Beta) as a target system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note: If you have already created a connectivity destination for this system in the SAP Cloud Platform cockpit, select it from the Destination dropdown box. If the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab takes priority.
Mandatory Properties
Property Name Description & Value
Type Enter: HTTP
URL Enter the URL to your SAP Analytics Cloud system.
ProxyType Enter: Internet
Authentication Enter: BasicAuthentication
User Enter the client ID to retrieve the OAuth access token for SAP Analytics Cloud.
Password Enter the secret key to retrieve the OAuth access token for SAP Analytics Cloud.
OAuth2TokenServiceURL Enter the URL of the access token provider service for your SAP Analytics Cloud instance, in format: https://oauthasservices-<subaccount>.hana.ondemand.com/oauth2/api/v1/token
scim.api.csrf.protection Specifies whether to fetch a CSRF token when sending requests to the system.
This property is automatically added to the system, with default value: enabled
csrf.token.path Path which is appended to the URL to retrieve the CSRF token.
This property is automatically added in the system, with default value: /api/v1/scim/Users?count=1
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your SAP Analytics Cloud system. For more information, see Manage Transformations [page 37].
Default transformation:
Code Syntax
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "condition": "$.emails[0].length() > 0",
        "constant": true,
        "targetPath": "$.emails[0].primary"
      }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "sourcePath": "$.members[*].value",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members[?(@.value)]",
        "functions": [
          {
            "type": "resolveEntityIds"
          }
        ]
      }
    ]
  }
}
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about any failed entities during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.2.4 SAP Hybris Cloud for Customer
Follow this procedure to set up SAP Hybris Cloud for Customer as a target system.
Prerequisites
You have a technical user with admin rights for SAP Hybris Cloud for Customer.
Context
If you use SAP Hybris Cloud for Customer (C4C), you can automatically create, update and maintain the lifecycle of the required business users and employee accounts, by using the Identity Provisioning service. Keep in mind that once you have provisioned the entities to SAP Hybris C4C, a business user and an employee are created for every provisioned user. The business user is required for the user to log into the SAP Hybris C4C system. The Identity Provisioning service uses the SAP Hybris C4C Web Service API for the provisioning process.
SAP Hybris C4C provides two types of Web Service APIs. They differ in behavior and require configuration of specific sets of properties (see step 3 of the main Procedure).
● Version 1: When created via API v.1, users are initially transferred to a staging area, and then can be replicated to the SAP Hybris C4C system manually or via a job, depending on your tenant setup.
● Version 2: When using API v.2, users are created immediately – there is no need to transfer them to a staging area.
To learn how to replicate users (using API v.1), see: Employee Master Data Replication
To check the whole C4C API, see: Web Service APIs in SAP Hybris Cloud for Customer
If you run into trouble with the replication, see the following blog: Employee Replication (FAQ)
Configure the Communication System and Arrangement
First of all, you have to configure the communication and information exchange for your SAP Hybris C4C system. Details:
1. In a web browser, open your SAP Hybris C4C system with your admin credentials: https://<C4C_account>.crm.ondemand.com
2. Create and activate a communication system. See: Configure Connections → Create Communication Systems
Note: The SAP client needs to be different than 000 (for example, 001).
3. Configure the communication and information exchange:
   1. Go to the Business Configuration tab of your SAP Hybris C4C system.
   2. Select the relevant implementation project from the list and choose Edit Project Scope.
   3. Go to step Scoping and expand Communication and Information Exchange → Integration with External Applications and Solutions.
   4. Select the checkbox next to Integration of Master Data.
   5. On the right-hand side, select the checkboxes next to the questions:
      ○ Group: Employees → Do you want to replicate employees from an external application or solution to your cloud solution?
      ○ Group: Attributes and Attribute Sets → Do you want to replicate business attributes from an external application to your cloud solution?
4. Create a communication arrangement. See: Configure Connections → Maintain Communication Arrangements
   1. Communication scenario: Select Employee Replication from SAP Business Suite.
   2. Business data: Enter the system instance ID defined in the communication system.
   3. Technical data: Select Web Service as the application protocol, and then UserID and Password for the authentication method.
   4. Define the user ID and password for the technical user.
   5. Save the communication arrangement and review the data – the service URL will be displayed.
Note: To set up the SAP Hybris Cloud for Customer system in the Identity Provisioning UI, you need the service URL, user ID and password defined during the setup of the arrangement.
Now, continue with the main procedure.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add SAP Hybris Cloud for Customer as a target system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note: If you have already created a connectivity destination for this system in the SAP Cloud Platform cockpit, select it from the Destination dropdown box. If the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab takes priority.
Mandatory Properties
Property Name Description & Value
Type Enter: HTTP
URL Specify the service URL of the set communication arrangement.
ProxyType Enter: Internet
Authentication Enter: BasicAuthentication
User Enter the user ID of the technical user, configured for the communication arrangement in the SAP Hybris Cloud for Customer system.
Password Enter the password of the technical user, set in the communication arrangement for the SAP Hybris Cloud for Customer user.
c4c.api.version The version of the SAP Hybris C4C API you use. Possible values – 1 or 2. By default, the Identity Provisioning service uses version 1.
Note: After you set up the communication arrangement, you can determine the API version used by your SAP Hybris C4C system. It is represented by the ID at the end of your generated URL – the name of API v.1 is humancapitalmanagementmasterd6, and for API v.2 it is employeereplicationin2.
Relevant only to API v.1
RemoteSystemID Enter the system instance ID, configured for the communication system setting in the SAP Hybris C4C system.
Relevant only to API v.2
RecipientPartyID Enter the recipient system name.
Example: 0011SAP
SenderPartyID Enter the name of the sender system. It is equal to the value of property RemoteSystemID from API v.1.
For example: IPS
c4c.custom.namespace.<prefix> The Identity Provisioning service uses a single predefined namespace for all attributes. However, you can provision entities by defining your own (custom) namespaces for some attributes. For this purpose, you have to:
1. Specify a namespace using this property.
2. Set the custom namespace in the JSON transformation (see the code block in step 4, API version 2).
The value of this property is the namespace URI. For <prefix>, enter the prefix of the custom XML namespace (for example, a123).
Example for setting the whole property:
c4c.custom.namespace.a123=http://sap.com/xi/AP/CustomerExtension/ABC/A123XX
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities before sending them to the target system. The initial transformation logic contains the minimum required properties for successful provisioning of the users. If you want to extend the default transformation, see the Web Service APIs for Employee Master Data Replication supported by SAP Hybris C4C. For more information, see the Related Information section.
For more information about the default transformation rules and the transformation process, see Manage Transformations [page 37].
Using the old API (version 1)
By default, the Identity Provisioning UI uses the old SAP Hybris C4C API (humancapitalmanagementmasterd6). Accordingly, systems are created with c4c.api.version=1. You need to use the transformation below and specify the mandatory attribute RemoteSystemID. The following interface is used for replicating employee master data to SAP Hybris C4C: HumanCapitalManagementMasterDataReplicationEmployeeMasterDataReplicationIn.
Besides replicated employees in SAP Hybris C4C, a business user is created for every user.
Code Syntax
/* Attribute RemoteObjectID stores the user name from the source system in the SAP Hybris C4C system. */
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.userName",
        "targetPath": "$.RemoteObjectID"
      },
      /* Statements that start with PersonalDetails are related to the employee created in SAP Hybris C4C. */
      {
        "sourceVariable": "currentDate",
        "targetPath": "$.PersonalDetails.ValidityPeriod.StartDate",
        "functions": [
          {
            "type": "manipulateDate",
            "targetDateFormat": "yyyy-MM-dd"
          }
        ]
      },
      {
        "constant": "9999-12-31",
        "targetPath": "$.PersonalDetails.ValidityPeriod.EndDate"
      },
      {
        "sourcePath": "$.name.givenName",
        "optional": true,
        "targetPath": "$.PersonalDetails.GivenName"
      },
      {
        "sourcePath": "$.name.familyName",
        "targetPath": "$.PersonalDetails.FamilyName"
      },
      /* Statements that start with EmployeeType are supported by the SAP Hybris C4C system only for internal employees. (Service agents are not supported as EmployeeType. The supported employee types are mandatory and relevant only to lean employees). The value of the currentDate variable (the date when the provisioning is executed) is set as validity start date of the employee. In the default transformation statement, it's converted to the format required by SAP Hybris C4C via a transformation function. */
      {
        "sourceVariable": "currentDate",
        "targetPath": "$.EmployeeType.ValidityPeriod.StartDate",
        "functions": [
          {
            "type": "manipulateDate",
            "targetDateFormat": "yyyy-MM-dd"
          }
        ]
      },
      {
        "constant": "9999-12-31",
        "targetPath": "$.EmployeeType.ValidityPeriod.EndDate"
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.Identity.ID"
      },
      {
        "constant": "false",
        "targetPath": "$.Identity.UserAccountsInactiveIndicator"
      },
      {
        "sourcePath": "$.phoneNumbers[?(@.type == 'mobile')].value",
        "optional": true,
        "targetPath": "$.WorkplaceAddress.MobilePhoneNumberDescription"
      },
      {
        "sourcePath": "$.phoneNumbers[?(@.type == 'work')].value",
        "optional": true,
        "targetPath": "$.WorkplaceAddress.PhoneNumberDescription"
      },
      {
        "sourcePath": "$.emails[0].value",
        "optional": true,
        "targetPath": "$.WorkplaceAddress.EmailURI"
      }
    ]
  }
}
Using the new API (version 2)
If you want to use the new SAP Hybris C4C API (employeereplicationin2), you have to set c4c.api.version=2, change the transformation with the one below, and specify the two mandatory attributes – RecipientPartyID and SenderPartyID.
Code Syntax
{
  "user": {
    "condition": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].employeeNumber EMPTY false",
    "mappings": [
      {
        "targetPath": "$.ReceiverEmployeeID",
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].employeeNumber"
      },
      {
        "targetPath": "$.BusinessPartnerID",
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].employeeNumber"
      },
      {
        "targetPath": "$.EmployeeType.ValidityPeriod.StartDate",
        "sourceVariable": "currentDate",
        "functions": [
          {
            "type": "manipulateDate",
            "targetDateFormat": "yyyy-MM-dd"
          }
        ]
      },
      {
        "targetPath": "$.EmployeeType.ValidityPeriod.EndDate",
        "constant": "9999-12-31"
      },
      {
        "targetPath": "$.Common.Name.GivenName",
        "sourcePath": "$.name.givenName",
        "optional": true
      },
      {
        "targetPath": "$.Common.Name.FamilyName",
        "sourcePath": "$.name.familyName"
      },
      /* You can set a custom namespace for an attribute. For example, if your namespace prefix is called a123, enter the following lines in your transformation:
         { "targetPath": "$['a123:PersonalDetails']['a123:FamilyName']", "sourcePath": "$.name.familyName" }
         When sending the request to SAP Hybris C4C, the Identity Provisioning service will transform this data into XML elements, as follows:
         <a123:PersonalDetails><a123:FamilyName>...</a123:FamilyName></a123:PersonalDetails> */
      {
        "targetPath": "$.Identity.IdentityID",
        "sourcePath": "$.userName"
      },
      {
        "targetPath": "$.Identity.UserAccountsInactiveIndicator",
        "constant": "false"
      },
      {
        "condition": "$.active == false",
        "targetPath": "$.Identity.UserAccountsInactiveIndicator",
        "constant": "true"
      },
      {
        "targetPath": "$.WorkplaceAddress.MobilePhoneNumberDescription",
        "sourcePath": "$.phoneNumbers[?(@.type == 'mobile')].value",
        "optional": true
      },
      {
        "targetPath": "$.WorkplaceAddress.PhoneNumberDescription",
        "sourcePath": "$.phoneNumbers[?(@.type == 'work')].value",
        "optional": true
      },
      {
        "targetPath": "$.WorkplaceAddress.EmailURI",
        "sourcePath": "$.emails[0].value",
        "optional": true
      },
      {
        "constant": "SALES_REP",
        "targetPath": "$.Identity.BusinessRole[0].ID"
      },
      {
        "constant": "SALES_MANAGER",
        "targetPath": "$.Identity.BusinessRole[1].ID"
      }
    ]
  }
}
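The custom-namespace mechanism described in the c4c.custom.namespace.<prefix> property and in the comment of the API v.2 transformation, as an added Python example (not SAP's implementation): it reads the prefix-to-URI properties, renders a transformed payload as nested XML elements, and refuses a prefixed element whose prefix has no namespace property, which is the check that catches a typo in the transformation before the request is sent. The sample payload, the root element name and the placement of the xmlns declarations on the root are assumptions of this example.

```python
import re
from xml.sax.saxutils import escape, quoteattr

# Constructed system properties in the page's c4c.custom.namespace.<prefix> form.
PROPERTIES = {
    "c4c.api.version": "2",
    "c4c.custom.namespace.a123": "http://sap.com/xi/AP/CustomerExtension/ABC/A123XX",
}

# Constructed payload, shaped like the output of the API v.2 transformation above,
# with one attribute placed in the custom a123 namespace.
TRANSFORMED_USER = {
    "Common": {"Name": {"GivenName": "Ada", "FamilyName": "Lovelace"}},
    "a123:PersonalDetails": {"a123:FamilyName": "Lovelace"},
    "Identity": {
        "IdentityID": "alovelace",
        "UserAccountsInactiveIndicator": "false",
        "BusinessRole": [{"ID": "SALES_REP"}, {"ID": "SALES_MANAGER"}],
    },
}

NAMESPACE_PROPERTY = "c4c.custom.namespace."
PREFIXED = re.compile(r"^([A-Za-z_][\w.-]*):([A-Za-z_][\w.-]*)$")


def custom_namespaces(properties):
    """Map each configured prefix to its namespace URI."""
    return {key[len(NAMESPACE_PROPERTY):]: uri
            for key, uri in properties.items() if key.startswith(NAMESPACE_PROPERTY)}


def _render(name, value, namespaces, out, depth):
    """Append the XML lines for one element; a list becomes repeated elements."""
    match = PREFIXED.match(name)
    if match and match.group(1) not in namespaces:
        raise ValueError(
            f"element '{name}' uses prefix '{match.group(1)}' but no "
            f"{NAMESPACE_PROPERTY}{match.group(1)} property is configured")
    pad = "  " * depth
    if isinstance(value, dict):
        out.append(f"{pad}<{name}>")
        for child_name, child_value in value.items():
            _render(child_name, child_value, namespaces, out, depth + 1)
        out.append(f"{pad}</{name}>")
    elif isinstance(value, list):
        for item in value:
            _render(name, item, namespaces, out, depth)
    else:
        # Text content is escaped so attribute values cannot break the markup.
        out.append(f"{pad}<{name}>{escape(str(value))}</{name}>")


def to_xml(payload, properties, root="EmployeeReplicationRequest"):
    """Render the payload as XML. The root element name (hypothetical) and the
    xmlns declarations on the root are assumptions of this example."""
    namespaces = custom_namespaces(properties)
    decls = "".join(f" xmlns:{prefix}={quoteattr(uri)}"
                    for prefix, uri in sorted(namespaces.items()))
    out = [f"<{root}{decls}>"]
    for name, value in payload.items():
        _render(name, value, namespaces, out, 1)
    out.append(f"</{root}>")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_xml(TRANSFORMED_USER, PROPERTIES))
```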
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about any failed entities during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
Related Information
Employee Master Data Replication
Working in the Employee Staging Area
Web Service APIs in SAP Hybris Cloud for Customer
Blog: Employee Replication (FAQ)
1.5.2.5 SAP HANA Database (Beta)
Follow this procedure to set up SAP HANA Database (Beta) as a target system.
Prerequisites
● You have credentials for a tenant in SAP Cloud Platform. For more information, see: Accounts
● You have the necessary connection settings to reach an SAP HANA database.
● (Optional) You have installed the Cloud Connector in your corporate environment and have done the initial configuration. You need this only when your SAP HANA DB resides in a remote on-premise system, outside your Neo environment. For more information, see Cloud Connector.
Note
This is a beta feature available on SAP Cloud Platform. For more information, see: Using Beta Features in Subaccounts
Context
SAP HANA Database is a system (connector) in beta state, which allows you to log into remote systems that have SAP HANA installed. Only provisioning of entity type user is currently supported by this connector. That includes user assignments to roles and all types of catalog and repository privileges (schema, analytic, application). For more information about SAP HANA privileges, see:
SAP HANA: GRANT Statement (Access Control)
SAP HANA: Stored Procedures Used to Grant/Revoke Privileges on Activated Repository Objects
This connector needs to reach the JDBC SQL port of SAP HANA. Depending on whether this port is visible to the Identity Provisioning service or hidden from it, you have the following use cases:
Case 1 – The JDBC port is directly accessible by the enabled Identity Provisioning NEO account. That mostly happens when it resides in the same Neo environment as your Identity Provisioning service.
Case 2 – The JDBC port is not directly accessible by your Neo environment. There are two subcases:
● JDBC port of SAP HANA DB is accessible by a system, which is publicly reachable through SSH protocol. You have to configure your SAP HANA Database (Beta) connector so as to open an SSH tunnel to this system. Set the proxy type to Internet.
● JDBC port of SAP HANA DB is accessible by a system, which is reachable through SSH protocol only from an internal network. You need to have the Cloud Connector installed in that network and configure it to allow SSH connections from the Identity Provisioning service account. You have to create an SSH tunnel by using TCP protocol connection configuration from the Cloud Connector. When configuring the access control, specify the SSH host and port to reach the system that has access to the JDBC port. Set the proxy type to OnPremise.
Case 3 – SAP HANA DB is installed in the Cloud Foundry environment. You need to enable SSH access on both space and application level. To do this, execute the relevant console commands in the Cloud Foundry command line tool (see: Cloud Foundry: Accessing Apps with SSH ). The SAP HANA Database (Beta) connector will open an SSH tunnel to a running application container on the Cloud Foundry space. The space configuration of the security groups allows access to the JDBC port of SAP HANA MDC. You need to have the Space Developer role. Again, there are two subcases:
● Cloud Foundry landscape is publicly accessible through SSH protocol. Set the proxy type to Internet.
● Cloud Foundry landscape is accessible through SSH protocol, which is allowed only from a particular network. You need to have the Cloud Connector installed in that network and configure it to allow SSH connections from the Identity Provisioning service account. Set the proxy type to OnPremise.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add SAP HANA Database (Beta) as a target system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
All available SAP HANA properties are listed below. Depending on your scenario, some of them are mandatory and others optional.
Mandatory Properties
Property Name – Description & Value
ProxyType – This property is applicable if you use an SSH tunnel (hana.jdbc.access.type=ssh.tunnel|cf.app.ssh.tunnel). Possible values:
○ Internet – if the SSH port is visible in your Neo environment
○ OnPremise – if the SSH port is not directly accessible, and you have to use the Cloud Connector. You have to configure a TCP protocol connection to the SSH host and port (specify the configuration properties hana.jdbc.ssh.tunnel.host and hana.jdbc.ssh.tunnel.port).
CloudConnectorLocationId – Relevant when the proxy type is OnPremise. Use it only if your SAP Cloud Platform account uses more than one Cloud Connector.
hana.jdbc.db.user
hana.jdbc.db.password (Credential)
hana.jdbc.db.host
hana.jdbc.db.port – 30015
hana.jdbc.access.type – There are three types of SAP HANA access:
○ direct – requires only the hana.jdbc.db.* properties
○ ssh.tunnel – requires the hana.jdbc.db.* and hana.jdbc.ssh.tunnel.* properties
○ cf.app.ssh.tunnel – requires the hana.jdbc.ssh.tunnel.cf.* properties to establish an SSH tunnel to the Cloud Foundry application, from which to access the JDBC SQL port of SAP HANA
hana.jdbc.ssh.tunnel.username
hana.jdbc.ssh.tunnel.host
hana.jdbc.ssh.tunnel.port – 22
hana.jdbc.ssh.tunnel.auth.type – Supported SSH authentication types:
○ key
○ pwd
○ otp
○ key+otp
○ key+pwd
○ pwd+otp
○ key+pwd+otp
hana.jdbc.ssh.tunnel.cf.api.url
hana.jdbc.ssh.tunnel.cf.oauth.token.url
hana.jdbc.ssh.tunnel.cf.org – This is the Cloud Foundry organization.
hana.jdbc.ssh.tunnel.cf.space – This is the Cloud Foundry space.
hana.jdbc.ssh.tunnel.cf.app – This is the Cloud Foundry application to which the SAP HANA Database (Beta) system opens an SSH tunnel. For more information, see: Cloud Foundry: Accessing Apps with SSH
hana.jdbc.ssh.tunnel.cf.app.instance – This is the instance number of the Cloud Foundry application.
hana.jdbc.ssh.tunnel.cf.username – This is the Cloud Foundry user. It has the role Developer for the space where the application is deployed.
hana.jdbc.ssh.tunnel.cf.password (Credential) – The password for property hana.jdbc.ssh.tunnel.cf.username
hana.jdbc.ssh.tunnel.password (Credential) – Taken into account only if the authentication type includes pwd. That means any of the following:
○ hana.jdbc.ssh.tunnel.auth.type = pwd
○ hana.jdbc.ssh.tunnel.auth.type = pwd+otp
○ hana.jdbc.ssh.tunnel.auth.type = key+pwd
○ hana.jdbc.ssh.tunnel.auth.type = key+pwd+otp
hana.jdbc.ssh.tunnel.totp.secret.key (Credential) – Taken into account only if the authentication type includes otp. That means any of the following:
○ hana.jdbc.ssh.tunnel.auth.type = otp
○ hana.jdbc.ssh.tunnel.auth.type = key+otp
○ hana.jdbc.ssh.tunnel.auth.type = pwd+otp
○ hana.jdbc.ssh.tunnel.auth.type = key+pwd+otp
hana.jdbc.ssh.tunnel.private.key (Credential) – Taken into account only if the authentication type includes key. That means any of the following:
○ hana.jdbc.ssh.tunnel.auth.type = key
○ hana.jdbc.ssh.tunnel.auth.type = key+pwd
○ hana.jdbc.ssh.tunnel.auth.type = key+otp
○ hana.jdbc.ssh.tunnel.auth.type = key+pwd+otp
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
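As an added example (not SAP code), the following Python check encodes the property rules from the table above so that a connector configuration can be validated before a job is started: it reports properties missing for the chosen hana.jdbc.access.type and credentials that are configured but never read by the chosen hana.jdbc.ssh.tunnel.auth.type. The property names are the documented ones; the sample property sets are constructed.

```python
"""Validate SAP HANA Database (Beta) connector properties against the documented rules.
Added example, not SAP code. Property names follow the table; sample values are constructed."""

ACCESS_TYPES = ("direct", "ssh.tunnel", "cf.app.ssh.tunnel")
AUTH_TYPES = ("key", "pwd", "otp", "key+otp", "key+pwd", "pwd+otp", "key+pwd+otp")

DB_PROPS = ["hana.jdbc.db.user", "hana.jdbc.db.password", "hana.jdbc.db.host", "hana.jdbc.db.port"]
SSH_PROPS = ["hana.jdbc.ssh.tunnel.username", "hana.jdbc.ssh.tunnel.host",
             "hana.jdbc.ssh.tunnel.port", "hana.jdbc.ssh.tunnel.auth.type"]
CF_PROPS = ["hana.jdbc.ssh.tunnel.cf." + s for s in
            ("api.url", "oauth.token.url", "org", "space", "app", "app.instance", "username", "password")]

# Which credential each part of hana.jdbc.ssh.tunnel.auth.type makes relevant.
CREDENTIAL_FOR = {
    "pwd": "hana.jdbc.ssh.tunnel.password",
    "otp": "hana.jdbc.ssh.tunnel.totp.secret.key",
    "key": "hana.jdbc.ssh.tunnel.private.key",
}


def validate_hana_properties(props: dict) -> list:
    """Return a list of problems; an empty list means the property set is consistent."""
    problems = []

    def require(keys):
        problems.extend(f"missing {k}" for k in keys if not str(props.get(k, "")).strip())

    access = props.get("hana.jdbc.access.type")
    if access not in ACCESS_TYPES:
        return [f"hana.jdbc.access.type must be one of {', '.join(ACCESS_TYPES)}"]

    # Required property groups per access type, as the table describes them.
    if access == "direct":
        require(DB_PROPS)
    elif access == "ssh.tunnel":
        require(DB_PROPS + SSH_PROPS)
    else:  # cf.app.ssh.tunnel
        require(CF_PROPS)

    # ProxyType only matters when an SSH tunnel is opened.
    if access != "direct" and props.get("ProxyType") not in ("Internet", "OnPremise"):
        problems.append("ProxyType must be Internet or OnPremise when an SSH tunnel is used")

    if access == "ssh.tunnel":
        auth = props.get("hana.jdbc.ssh.tunnel.auth.type", "")
        if auth in AUTH_TYPES:
            parts = auth.split("+")
            require([CREDENTIAL_FOR[p] for p in parts])
            # A credential the chosen auth type never reads is a stale secret worth removing.
            for part, key in CREDENTIAL_FOR.items():
                if part not in parts and props.get(key):
                    problems.append(f"{key} is set but ignored by auth type {auth}")
        elif auth:
            problems.append(f"hana.jdbc.ssh.tunnel.auth.type must be one of {', '.join(AUTH_TYPES)}")
    return problems


# Constructed sample: an SSH tunnel through the Cloud Connector with key+otp authentication,
# but the TOTP secret is missing and a password is left over from an earlier pwd setup.
SAMPLE_SSH = {
    "hana.jdbc.access.type": "ssh.tunnel",
    "ProxyType": "OnPremise",
    "CloudConnectorLocationId": "cc-main",
    "hana.jdbc.db.user": "IPS_PROV",
    "hana.jdbc.db.password": "<db-password>",
    "hana.jdbc.db.host": "hana.internal.example",
    "hana.jdbc.db.port": "30015",
    "hana.jdbc.ssh.tunnel.username": "jump",
    "hana.jdbc.ssh.tunnel.host": "jump.internal.example",
    "hana.jdbc.ssh.tunnel.port": "22",
    "hana.jdbc.ssh.tunnel.auth.type": "key+otp",
    "hana.jdbc.ssh.tunnel.private.key": "<pem>",
    "hana.jdbc.ssh.tunnel.password": "<unused>",
}

if __name__ == "__main__":
    for problem in validate_hana_properties(SAMPLE_SSH):
        print(problem)
```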
4. (Optional) Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your SAP HANA Database (Beta) target system. For more information, see Manage Transformations [page 37].
Code Syntax

{
  "user": {
    "condition": "$.userName EMPTY false",
    "mappings": [
      {
        "sourcePath": "$.userName",
        "targetPath": "$.username"
      },
      {
        "targetPath": "$.password_option.password",
        "scope": "createEntity",
        "functions": [
          {
            "type": "randomPassword",
            "passwordLength": 24,
            "minimumNumberOfLowercaseLetters": 1,
            "minimumNumberOfUppercaseLetters": 1,
            "minimumNumberOfDigits": 1,
            "minimumNumberOfSpecialSymbols": 0
          }
        ]
      },
      {
        "ignore": true,
        "constant": true,
        "targetPath": "$.password_option.no_force_first_password_change",
        "scope": "createEntity"
      },
      {
        "constant": true,
        "targetPath": "$.deactivate",
        "scope": "deleteEntity"
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.username",
        "scope": "deleteEntity"
      },
      {
        "constant": false,
        "targetPath": "$.deactivate"
      },
      {
        "constant": true,
        "targetPath": "$.reset_connect_attempts"
      },
      {
        "ignore": true,
        "constant": true,
        "targetPath": "$.force_password_change"
      },
      {
        "ignore": true,
        "constant": true,
        "targetPath": "$.enable_password_lifetime"
      },
      {
        "ignore": true,
        "constant": true,
        "targetPath": "$.disable_client_connect"
      },
      {
        "constant": "NOW",
        "targetPath": "$.valid_from"
      },
      {
        "constant": "FOREVER",
        "targetPath": "$.valid_to"
      },
      {
        "ignore": true,
        "constant": "1970-01-01 00:00:00.0",
        "targetPath": "$.valid_from"
      },
      {
        "ignore": true,
        "constant": "1970-01-01 00:00:00.0",
        "targetPath": "$.valid_to"
      },
      {
        "ignore": true,
        "constant": "role",
        "targetPath": "$.catalog_permissions[0].type"
      },
      {
        "ignore": true,
        "constant": "MONITORING",
        "targetPath": "$.catalog_permissions[0].name"
      },
      {
        "ignore": true,
        "constant": "ADMIN",
        "targetPath": "$.catalog_permissions[0].option"
      },
      {
        "ignore": true,
        "constant": "object_privilege",
        "targetPath": "$.catalog_permissions[1].type"
      },
      {
        "ignore": true,
        "constant": "SELECT CDS METADATA",
        "targetPath": "$.catalog_permissions[1].name"
      },
      {
        "ignore": true,
        "constant": "SYS.USERS",
        "targetPath": "$.catalog_permissions[1].on"
      },
      {
        "ignore": true,
        "constant": "role",
        "targetPath": "$.repository_permissions[0].type"
      },
      {
        "ignore": true,
        "constant": "sap.appcore.auth.p::select_ACCESS_VIEWS_BY_USER",
        "targetPath": "$.repository_permissions[0].name"
      },
      {
        "ignore": true,
        "constant": "application_privilege",
        "targetPath": "$.repository_permissions[1].type"
      },
      {
        "ignore": true,
        "constant": "sap.hana.ide::Catalog",
        "targetPath": "$.repository_permissions[1].name"
      },
      {
        "ignore": true,
        "constant": true,
        "targetPath": "$.repository_permissions[2].revoke"
      },
      {
        "ignore": true,
        "constant": "analytic_privilege",
        "targetPath": "$.repository_permissions[2].type"
      },
      {
        "ignore": true,
        "constant": "_SYS_BI_CP_ALL",
        "targetPath": "$.repository_permissions[2].name"
      }
    ]
  }
}
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.2.6 SAP Document Center
Follow this procedure to set up SAP Document Center as a target system.
Prerequisites
● You have an SAP Cloud Platform user with administration rights for the tenant.
● You have enabled the SAP Document Center service in the cockpit.
Context
SAP Document Center offers programs (apps) that can be downloaded and run on multiple independent devices. For more information, see SAP Document Center.
It plays the role of a content service for your SAP Cloud Platform subaccount. To use it as a target system for writing users, follow the procedure below.
Procedure
1. Assign your SAP Cloud Platform user admin rights for SAP Document Center. To do this, open the SAP Document Center service tile (in the cockpit), open link Assign Roles & Set Destinations, choose Administrator, and then – Assign.
2. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
3. Add SAP Document Center as a target system. For more information, see Add System [page 59].
4. Choose the Properties tab to configure the connection settings for your system.
Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
Mandatory Properties
Property Name Description & Value
Type Enter: HTTP
URL Enter the URL, generated in the cockpit for your subaccount in the SAP Document Center tile. You can take this URL from the Configure SAP Document Center link.
Remove the last slash after ".../admin".
ProxyType Enter: Internet
Authentication Enter: BasicAuthentication
User Enter your SAP Cloud Platform user (with administrator rights).
Password Enter the password for your SAP Cloud Platform user.
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
5. (Optional) Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your SAP Document Store target system. For more information, see Manage Transformations [page 37].
Code Syntax

{
  "user": {
    "condition": "$.userName EMPTY false",
    "mappings": [
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "sourcePath": "$.name.givenName",
        "optional": true,
        "targetPath": "$.firstName"
      },
      {
        "sourcePath": "$.name.familyName",
        "optional": true,
        "targetPath": "$.lastName"
      },
      {
        "sourcePath": "$.emails[0].value",
        "optional": true,
        "targetPath": "$.email"
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.logonId"
      }
    ]
  }
}
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.2.7 SAP Jam
Follow this procedure to set up SAP Jam as a target system.
Prerequisites
You need OAuth credentials for SAP Jam. If your SAP Jam tenant is of "SCIM provisioning" type, an OAuth client is automatically created for it, with the name SCIM API Client. To find this client:
1. Go to the SAP Jam admin panel.
2. Choose Integrations > OAuth Clients.
3. For SCIM API Client, choose View.
4. Save the Key and Secret values – you'll need them later while configuring your SAP Jam provisioning system.
Context
After fulfilling the prerequisites, follow the procedure below to create a target SAP Jam system to provision users and groups.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add SAP Jam as a target system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
Mandatory Properties
Property Name Description & Value
Type Enter: HTTP
URL Enter the URL related to your SAP Jam database, in format: https://<SAP_Jam_landscape>.sapjam.com
Example: https://jam4.sapjam.com
ProxyType Enter: Internet
Authentication Enter: BasicAuthentication
User Enter the OAuth client key, created for your SAP Jam tenant (see Prerequisites).
Password Enter the OAuth client secret, created for your SAP Jam tenant (see Prerequisites).
OAuth2TokenServiceURL Enter the URL of the access token provider service for your SAP Jam instance, in format: https://<SAP_Jam_instance>/api/v1/auth/token
Example: https://jam4.sapjam.com/api/v1/auth/token
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your SAP Jam system. For more information, see Manage Transformations [page 37].
○ Mapping logic – The behavior of the default transformation logic is to map all attributes from the internal SCIM representation to the target entity. If the entity has e-mail addresses, the first entry will be marked as primary.
○ User offboarding:
  ○ Users can be deleted from the SAP Jam system via the SCIM REST API. For more information, see SCIM: Deleting Resources.
  ○ Users can be deactivated by setting the value of their active attribute to false. For more information, see SCIM: Singular Attributes.
Default transformation:
Sample Code

{
  "user": {
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id",
        "scope": "deleteEntity"
      },
      {
        "condition": "$.emails[0].length() > 0",
        "constant": true,
        "targetPath": "$.emails[0].primary"
      },
      {
        "constant": false,
        "targetPath": "$.active",
        "scope": "deleteEntity"
      },
      /* To get the language and country, the transformation will read the locale attribute of the user and the country attribute of the user's work address. The value, written in the SAP Jam target system, will be of type "aa_BB", where "aa" is the code for language, and "BB" is the code for country. For example: en_US, fr_CA, ja_JP */
      {
        "targetPath": "$.locale",
        "type": "remove"
      },
      {
        "condition": "($.locale EMPTY false) && ($.addresses[?(@.type == 'work')].country EMPTY false)",
        "sourcePath": "$.locale",
        "targetPath": "$.locale",
        "functions": [
          {
            "function": "toLowerCaseString"
          },
          {
            "function": "concatString",
            "suffix": "_"
          },
          {
            "function": "concatString",
            "suffix": "$.addresses[?(@.type == 'work')].country"
          }
        ]
      },
      /* If the enterprise user schema extension is present and its version is 2.0, set version 1.0, which is supported by SAP Jam. */
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']",
        "optional": true,
        "targetPath": "$['urn:scim:schemas:extension:enterprise:1.0']"
      },
      /* Remove the enterprise user schema extension with version 2.0. */
      {
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']",
        "type": "remove"
      },
      {
        "targetPath": "$['urn:scim:schemas:extension:enterprise:1.0']['manager']",
        "type": "remove"
      },
      /* The value of the manager attribute in the source system is resolved to the ID of the SCIM resource which represents the user's manager in the target system. This ID is stored as managerId. */
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
        "optional": true,
        "targetPath": "$['urn:scim:schemas:extension:enterprise:1.0']['manager']['managerId']",
        "functions": [
          {
            "function": "resolveEntityIds"
          }
        ]
      }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "targetPath": "$.schemas",
        "type": "remove"
      },
      {
        "constant": "urn:scim:schemas:core:1.0",
        "targetPath": "$.schemas[0]"
      },
      {
        "targetPath": "$.members",
        "type": "remove"
      },
      {
        "sourcePath": "$.members[*].value",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members[?(@.value)]",
        "functions": [
          {
            "type": "resolveEntityIds"
          }
        ]
      }
    ]
  }
}
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during your jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
Restriction
Bear in mind the following limitations for the number of sent requests during a provisioning job:
● The SAP Jam SCIM API allows up to 13,000 requests per hour and up to 200 requests per minute.
● The Identity Provisioning service can handle the 200 requests per minute limit. If more requests are sent during the minute, the service will "wait" until it can execute them.
1.5.2.8 Google G Suite
Follow this procedure to set up Google G Suite as a target system.
Prerequisites
1. Log on to the Google API console (https://console.developers.google.com ) and create a project.
2. Enable the Admin SDK. To do this, go to Dashboard > ENABLE API > Admin SDK > ENABLE.
3. Create a service account for your project. We recommend that you select Enable G Suite Domain-wide Delegation during the creation. If you skip this option, you can set it later. For more information, see Creating a service account.
4. Then, in the Google admin console (https://admin.google.com ), a user with Super Admin role can delegate domain-wide authority to your service account. This way, it will have access to the Google Admin SDK on behalf of your user. For more information, see Delegating domain-wide authority .
Note
When specifying the scopes, the administrator has to enter the following:
https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group
Context
A Google service account with delegated domain-wide authority is required for authentication and authorization of the Identity Provisioning service to G Suite domain. The authentication is based on OAuth 2.0 protocol with JSON Web Token (JWT). The private key for the signature is distributed by Google via one-time downloadable JSON data, which is accessible by the domain administrator. The private key is encoded in PKCS8 format and is in the private_key field of the JSON data. For more information, see JSON Web Token (JWT) .
● When using it as a source system, you can read both users and groups from Google G Suite and provision them to any target system you have added in the Identity Provisioning user interface.
● When using it as a target system, you can write both users and groups, read from any source system you have added in the Identity Provisioning user interface. Google G Suite can automatically create accounts for your users in the Google Cloud Datastore.
The Identity Provisioning service supports user and group operations based on the following Google Directory API. See the table below.
User Operations:
● Create a user
● Retrieve a user
● Update a user
● Delete a user
Group Operations:
● Create a group
● Retrieve a group's properties
● Update a group's properties
● Delete a group
Caution
You can only provision users whose e-mails are from verified domains.
If you have successfully finished with the initial setup (described in the Prerequisites section), continue with the procedure below.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add Google G Suite as a target system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
Mandatory Properties
Property Name Description & Value
Type Enter: HTTP
URL Specify the service URL:
https://www.googleapis.com/admin/directory
ProxyType Enter: Internet
Authentication Enter: BasicAuthentication
The authentication type in use is actually OAuth with JWT. But for any provisioning system based on OAuth, BasicAuthentication is used along with the OAuth2TokenServiceURL additional property.
User Enter the service account’s ID. You can take it from the "client_email" field in the JSON data, downloaded during the setup of Google service account.
Password Enter the service account's private key, which is a long string in PKCS8 format. You can take it from the "private_key" field in the JSON data, downloaded during the setup of the Google service account.
OAuth2TokenServiceURL To make OAuth authentication to the Google G Suite system, enter the URL to the access token provider service. For more information, see Using OAuth 2.0 to Access Google APIs .
jwt.subject Enter the Google G Suite user on behalf of which the Google Directory API is called. This user has been assigned the role User Management Admin.
This property corresponds to “sub” claim in JWT being generated during access token request: JWT: "sub" (Subject) Claim
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
Exemplary Configuration:
Name=MyGGSDestination
URL=https://www.googleapis.com/admin/directory
ProxyType=Internet
Type=HTTP
Authentication=BasicAuthentication
Password=-----BEGIN PRIVATE KEY-----\n123ABCDEFG123456789...
… /123456789ABCDEFG123=\n-----END PRIVATE KEY-----\n
OAuth2TokenServiceURL=https://www.googleapis.com/oauth2/v4/token
# jwt.scope=https://www.googleapis.com/auth/admin.directory.user
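As an added example (not SAP or Google code), the following Python shows what the properties above turn into on the wire: the client_email and private_key fields of the downloaded JSON become User and Password, jwt.subject becomes the JWT "sub" claim, jwt.scope the "scope" claim and OAuth2TokenServiceURL the "aud" claim, and the signed assertion is POSTed as a jwt-bearer grant. The service-account JSON, the admin user and the placeholder signer are constructed; real RS256 signing needs the third-party cryptography package.

```python
"""Build the OAuth 2.0 JWT bearer assertion described by the Google G Suite connector properties.
Added example, not SAP or Google code; the service-account data below is constructed."""
import base64
import json
import urllib.parse

TOKEN_URL = "https://www.googleapis.com/oauth2/v4/token"           # OAuth2TokenServiceURL
SCOPES = ("https://www.googleapis.com/auth/admin.directory.user "
          "https://www.googleapis.com/auth/admin.directory.group")  # jwt.scope (space separated)

# Constructed stand-in for the one-time downloadable JSON; only the two fields the connector
# needs (User = client_email, Password = private_key) are filled in.
SERVICE_ACCOUNT_JSON = json.dumps({
    "type": "service_account",
    "client_email": "ips-provisioning@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\n<pkcs8-base64-placeholder>\n-----END PRIVATE KEY-----\n",
})


def connector_credentials(service_account_json: str) -> tuple:
    """Return (User, Password) as entered in the Properties tab, checking the key is PKCS8 PEM."""
    data = json.loads(service_account_json)
    key = data["private_key"]
    if not key.startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not an unencrypted PKCS8 PEM block")
    return data["client_email"], key


def b64url(raw: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_claims(client_email: str, subject: str, scope: str, token_url: str, now: int) -> dict:
    """iss = service account, sub = jwt.subject (the delegated admin), aud = token endpoint.
    Google accepts at most one hour of validity, so exp is iat + 3600."""
    return {"iss": client_email, "sub": subject, "scope": scope,
            "aud": token_url, "iat": now, "exp": now + 3600}


def build_assertion(claims: dict, sign) -> str:
    """Encode header.payload and append the signature from sign(signing_input) -> bytes."""
    def compact(obj) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact({'alg': 'RS256', 'typ': 'JWT'})}.{compact(claims)}"
    return f"{signing_input}.{b64url(sign(signing_input.encode()))}"


def token_request_body(assertion: str) -> str:
    """Form body POSTed to OAuth2TokenServiceURL to exchange the assertion for an access token."""
    return urllib.parse.urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                                   "assertion": assertion})


def decode_segment(assertion: str, index: int) -> dict:
    """Read back the header (0) or claim set (1) without verifying; handy when a 401 needs checking."""
    seg = assertion.split(".")[index]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def rs256_signer(private_key_pem: str):
    """RS256 (RSASSA-PKCS1-v1_5 over SHA-256) signer for a real key; needs the cryptography package."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem.encode(), password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


if __name__ == "__main__":
    user, password = connector_credentials(SERVICE_ACCOUNT_JSON)
    claims = build_claims(user, "admin@example.com", SCOPES, TOKEN_URL, now=1700000000)
    # Placeholder signer so the example runs without a real key; use rs256_signer(password) for real.
    assertion = build_assertion(claims, lambda data: b"<signature>")
    print(token_request_body(assertion)[:80] + "...")
    print(decode_segment(assertion, 1))
```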
4. (Optional) Configure the transformations.
Any target transformation should produce JSON data, which is required by the Google Directory API. See Directory API (Reference): Users .
Transformation principles for the target system integration:
○ Mapping logic – The provisioning framework reads all attributes from the intermediate JSON data and tries to create consistent records in the Google G Suite target system, using all the available attributes accepted by the Google Directory API. When a required attribute is missing, the default transformation is designed with a condition that will exclude the inconsistent records. Bear in mind the following:
  ○ Make sure that the JSON data sent by the source system is consistent with the configuration template of the target. For example, if the source system contains mandatory fields and the target one does not support such kind of data, then the target system skips these fields. This may cause crucial data loss.
○ There is a special user status type called suspended (temporarily blocks a user without deleting any account data) for the Google directory accounts. When the status of the user account is changed to suspended, the Google Directory API will not accept any changes on the user attributes. Once the suspended user is restored by the administrator, all attribute changes pending for the account will be successfully provisioned with the next provisioning job.
Caution
An initial password setup is mandatory for all newly provisioned users. This is required by the Google G Suite API and must be provided when new accounts are created. The constant value that you see as configuration for the password attribute in the default transformation is generated by SAP. You have to change the constant value with another one, known only by the representatives of your company, before starting to use the Identity Provisioning service for creating users in your corporate Google G Suite system automatically.
○ User offboarding – Identity Provisioning service is handling the deletion status of the users. When a user is deleted from the source system, this deletion will be enforced into the Google G Suite system as well.
Default transformation:
Code Syntax

{
  "user": {
    "condition": "($.emails.length() > 0) && ($.name.familyName EMPTY false)",
    "mappings": [
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "sourcePath": "$.name",
        "targetPath": "$.name"
      },
      {
        "sourcePath": "$.emails[0].value",
        "targetPath": "$.primaryEmail"
      },
      {
        "sourcePath": "$.phoneNumbers",
        "optional": true,
        "targetPath": "$.phones"
      },
      {
        "targetPath": "$.password",
        "scope": "createEntity",
        "functions": [
          {
            "type": "randomPassword",
            "passwordLength": 16,
            "minimumNumberOfLowercaseLetters": 1,
            "minimumNumberOfUppercaseLetters": 1,
            "minimumNumberOfDigits": 1,
            "minimumNumberOfSpecialSymbols": 0
          }
        ]
      },
      {
        "constant": "false",
        "targetPath": "$.suspended"
      },
      {
        "condition": "$.active == false",
        "constant": true,
        "targetPath": "$.suspended"
      },
      {
        "constant": "true",
        "targetPath": "$.changePasswordAtNextLogin"
      }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.name"
      },
      /* Google G Suite requires a group e-mail. By default, the email attribute is mapped to displayName. If group's Display Name does not contain an e-mail, you can either map email to another attribute, or concatenate displayName with your domain. To learn how, see the Note below. */
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.email",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.members[?(@.type == 'User')].value",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members[?(@.id)]",
        "functions": [
          {
            "entityType": "user",
            "type": "resolveEntityIds"
          }
        ]
      }
    ]
  }
}
If the displayName attribute in the source system transformation does not provide group e-mails, you can modify the transformation the following ways:
○ Map email to another attribute that contains a unique group e-mail.
○ Concatenate the displayName attribute with your domain. For example:

Sample Code

{
  "sourcePath": "$.displayName",
  "targetPath": "$.email",
  "scope": "createEntity",
  "functions": [
    {
      "type": "concatString",
      "suffix": "@test.myaccount.ondemand.com"
    }
  ]
}
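To make the mapping rules concrete, here is an added Python example (not the Identity Provisioning engine) that interprets the subset of the transformation syntax used by two rules on this page: the SAP Jam locale rule (condition with EMPTY clauses, toLowerCaseString, concatString with a literal and with a path suffix) and the G Suite group e-mail concatenation above. The SCIM-style source entities are constructed; the interpreter resolves a [?(@.key == 'v')] filter to its first match, which is an assumption of this example.

```python
"""Minimal interpreter for the mapping rules quoted on this page. Added example, not SAP code.
Supports sourcePath/constant, optional, conditions ('<path> EMPTY true|false', '<path> == <literal>',
joined by &&), and the functions toLowerCaseString and concatString."""
import re

FILTER = re.compile(r"^\[\?\(@\.(\w+) == '([^']*)'\)\]$")


def tokens(path: str) -> list:
    """'$.a[0].b[?(@.type == 'work')].c' -> ['a', '[0]', 'b', "[?(@.type == 'work')]", 'c']."""
    if not path.startswith("$"):
        raise ValueError(f"path must start with $: {path}")
    return [a or b for a, b in re.findall(r"(\[[^\]]*\])|\.?(\w+)", path[1:])]


def get_path(node, path: str):
    """Resolve a path against the source entity; None when any step is missing."""
    for tok in tokens(path):
        m = FILTER.match(tok)
        if m:  # filter: first list element whose key equals the literal (assumption of this example)
            key, val = m.groups()
            hits = [e for e in node if isinstance(e, dict) and e.get(key) == val] if isinstance(node, list) else []
            node = hits[0] if hits else None
        elif tok.startswith("["):  # numeric index
            idx = int(tok[1:-1])
            node = node[idx] if isinstance(node, list) and idx < len(node) else None
        else:
            node = node.get(tok) if isinstance(node, dict) else None
        if node is None:
            return None
    return node


def set_path(target: dict, path: str, value) -> None:
    keys = tokens(path)
    for k in keys[:-1]:
        target = target.setdefault(k, {})
    target[keys[-1]] = value


def is_empty(value) -> bool:
    return value is None or value in ("", [], {})


def eval_condition(entity: dict, cond: str) -> bool:
    for clause in cond.split("&&"):
        clause = clause.strip().strip("()").strip()
        m = re.match(r"^(\$.+?)\s+EMPTY\s+(true|false)$", clause)
        if m:
            ok = is_empty(get_path(entity, m.group(1))) == (m.group(2) == "true")
        else:
            path, literal = (s.strip() for s in clause.rsplit("==", 1))
            ok = str(get_path(entity, path)).lower() == literal.strip("'").lower()
        if not ok:
            return False
    return True


def apply_functions(entity: dict, value, functions: list):
    for fn in functions:
        name = fn.get("function") or fn.get("type")  # the page writes the key both ways
        if name == "toLowerCaseString":
            value = str(value).lower()
        elif name == "concatString":
            suffix = fn.get("suffix", "")
            if suffix.startswith("$"):  # a path suffix is read from the source entity
                suffix = get_path(entity, suffix)
            value = f"{value}{suffix}"
        else:
            raise ValueError(f"function not supported by this example: {name}")
    return value


def apply_mapping(entity: dict, mapping: dict, target: dict) -> dict:
    """Apply one rule: skip on a false condition or a missing optional source attribute."""
    if "condition" in mapping and not eval_condition(entity, mapping["condition"]):
        return target
    if "constant" in mapping:
        value = mapping["constant"]
    else:
        value = get_path(entity, mapping["sourcePath"])
        if value is None:
            if mapping.get("optional"):
                return target
            raise ValueError(f"required attribute missing: {mapping['sourcePath']}")
    set_path(target, mapping["targetPath"], apply_functions(entity, value, mapping.get("functions", [])))
    return target


def run(entity: dict, mappings: list) -> dict:
    target = {}
    for mapping in mappings:
        apply_mapping(entity, mapping, target)
    return target


JAM_LOCALE = {  # the locale rule from the SAP Jam default transformation
    "condition": "($.locale EMPTY false) && ($.addresses[?(@.type == 'work')].country EMPTY false)",
    "sourcePath": "$.locale", "targetPath": "$.locale",
    "functions": [{"function": "toLowerCaseString"}, {"function": "concatString", "suffix": "_"},
                  {"function": "concatString", "suffix": "$.addresses[?(@.type == 'work')].country"}],
}
GSUITE_GROUP_EMAIL = {  # the group e-mail rule from the G Suite sample above
    "sourcePath": "$.displayName", "targetPath": "$.email", "scope": "createEntity",
    "functions": [{"type": "concatString", "suffix": "@test.myaccount.ondemand.com"}],
}
# Constructed source entities.
USER_WITH_WORK_ADDRESS = {"userName": "jdoe", "locale": "EN",
                          "addresses": [{"type": "home", "country": "GB"}, {"type": "work", "country": "US"}]}
USER_WITHOUT_WORK_ADDRESS = {"userName": "asmith", "locale": "FR", "addresses": [{"type": "home", "country": "CA"}]}
GROUP = {"displayName": "sales-team"}

if __name__ == "__main__":
    print(run(USER_WITH_WORK_ADDRESS, [JAM_LOCALE]))     # {'locale': 'en_US'}
    print(run(USER_WITHOUT_WORK_ADDRESS, [JAM_LOCALE]))  # {}  (condition not met, attribute left out)
    print(run(GROUP, [GSUITE_GROUP_EMAIL]))             # {'email': 'sales-team@test.myaccount.ondemand.com'}
```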
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about any failed entities during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.2.9 SCIM System
Follow this procedure to set up a SCIM system as a target system.
Prerequisites
● You have installed the Cloud Connector in your corporate environment and have done the initial configuration. You need this only if the SCIM system is exposed in a private corporate network. For more information, see SAP Cloud Platform Connector.
● You have technical user credentials for a SCIM system, with read/write access permissions, depending on the scenario you want to implement. In case OAuth is used for authentication, client ID and secret are required when creating a destination for access token retrieval.
Procedure
1. (Optional) If the SCIM system is exposed in a private corporate network, add an access control system mapping in Cloud Connector. For more information, see Configuring Access Control (HTTP).
2. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
3. Add SCIM System as a target system. For more information, see Add System [page 59].
4. Choose the Properties tab to configure the connection settings for your system.
Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
Mandatory Properties
Property Name | Value
Type | Enter: HTTP
URL | Specify the service URL. For example: http://<cloudfoundry_server>.com/api/uaa/
ProxyType | Enter Internet or OnPremise.
Authentication | Enter: BasicAuthentication
User | You can specify one of the following:
  ○ Technical user ID
  ○ Client ID for OAuth HTTP destinations. It is used for retrieving the access token.
Password | You can enter one of the following:
  ○ Technical user password
  ○ Client secret for OAuth HTTP destinations. It is used for retrieving the access token.
OAuth2TokenServiceURL | If you need to authenticate to the system with OAuth, enter the URL of the access token provider service for OAuth HTTP destinations. For example: https://token-provider.com/api/auth/token
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
5. (Optional) Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your SCIM system. For more information, see Manage Transformations [page 37].
○ Mapping logic – The behavior of the default transformation logic is to map all attributes from the internal SCIM representation to the target entity. If the entity has e-mail addresses, the first entry will be marked as primary.
○ User offboarding – Users can be deleted from the target system. Depending on the implementation, this could be done through a user interface (if such exists) or the SCIM REST API. Users could be deactivated, depending on the SCIM system implementation. The SCIM core schema defines an attribute “active”, whose definition depends on the service provider. For more information, see SCIM: Singular Attributes
Default transformation:
Code Syntax
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "condition": "$.emails[0].length() > 0",
        "constant": true,
        "targetPath": "$.emails[0].primary"
      },
      {
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']",
        "type": "remove"
      }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "sourcePath": "$.members[*].value",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members[?(@.value)]",
        "functions": [
          {
            "type": "resolveEntityIds"
          }
        ]
      }
    ]
  }
}
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about any failed entities during your jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.2.10 Concur
Follow this procedure to set up Concur as a target system.
Prerequisites
● You have created a technical user with administrator permissions that will be used to call the Concur API for creating or updating user account information. For more information, see Concur API: User Account Information .
● You have registered a partner application in your Concur system. You need the administrator permissions to register the application. For more information, see Concur: Registering a Partner Application in Sandbox .
Context
Companies that use Concur for managing and controlling travel expenses, invoices and more can use the Identity Provisioning service to automate identity and access management for the Concur solution. Customers can reuse the identity data from their existing corporate identity stores, such as the SAP AS ABAP user store, Microsoft Active Directory, and others. Customers can also reuse data from different SAP cloud user stores, such as the user data available for their employees in SAP SuccessFactors, or the user data for internal or external users available in the user store of the Identity Authentication service.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add Concur as a target system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
Mandatory Properties
Property Name | Description & Value
Type | Enter: HTTP
URL | Enter: https://www.concursolutions.com
ProxyType | Enter: Internet
Authentication | Enter: BasicAuthentication
User | Enter the user ID of the Concur technical user.
Password | Enter the password of the Concur technical user.
X-ConsumerKey | Enter the Concur Consumer Key here. For more information, see Concur: Generate an Access Token.
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your Concur target system. For more information, see Manage Transformations [page 37].
○ Mapping logic – When the Concur system is configured as a target, the default transformation logic offered by the Identity Provisioning service contains the minimum set of properties required for successful provisioning of users. You can change the default transformation mapping rules to reflect your current setup of entities in the source system. Before you start extending the default transformation, familiarize yourself with the requirements of the Concur API to avoid inconsistencies. For more information, see Concur API: User Account Information.
○ User offboarding – The Identity Provisioning service handles the end-to-end lifecycle of users, including their offboarding. For some source systems, the deletion of a user or an inactive user status is the final step of this lifecycle process. The Concur solution, however, does not allow user accounts to be deleted. Offboarding of Concur user accounts is always performed by setting them to disabled. When a user is deleted or set to inactive status in a system configured as a source for user data provisioning to Concur, the user account in Concur is disabled (the attribute "targetPath": "$.Active" gets the value “N”).
Caution
The Concur API requires an initial password setup for all newly provisioned user accounts. The default transformation contains a statement with an empty string as the value for the password attribute. However, that statement is ignored, to prevent a wrong default initial password from being set in your systems. While the password statement is ignored, provisioning will not work. To enable provisioning to Concur, you need to perform the following operations:
1. Enable the password statement. To do this, either delete "ignore": true, or set it as "ignore": false.
2. Set a proper statement for the password attribute value ("targetPath": "$.Password").
(Optional) You can leave the default empty string, or you can use the randomPassword function to calculate a random value for the initial password of the newly created Concur accounts. If you choose one of these two options and you are not using a single sign-on solution for Concur, you also have to arrange a password reset support process in your company. This will securely offer an initial password to your corporate users for their newly created Concur accounts. For more information, see JSON Expressions [page 38] → Transformation Functions.
Default transformation:
Code Syntax
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.userName",
        "targetPath": "$.EmpId"
      },
      /* The first array value of the SCIM attribute emails will be used as an e-mail address (EmailAddress) for the user record in Concur. */
      {
        "sourcePath": "$.emails[0].value",
        "targetPath": "$.EmailAddress"
      },
      {
        "sourcePath": "$.emails[0].value",
        "targetPath": "$.LoginId"
      },
      {
        "sourcePath": "$.name.givenName",
        "targetPath": "$.FirstName"
      },
      {
        "sourcePath": "$.name.familyName",
        "targetPath": "$.LastName"
      },
      {
        "constant": "N",
        "targetPath": "$.Active"
      },
      {
        "condition": "$.active == true",
        "constant": "Y",
        "targetPath": "$.Active"
      },
      {
        "constant": "N",
        "targetPath": "$.ExpenseApprover"
      },
      {
        "constant": "N",
        "targetPath": "$.ExpenseUser"
      },
      {
        "constant": "N",
        "targetPath": "$.InvoiceApprover"
      },
      {
        "constant": "N",
        "targetPath": "$.InvoiceUser"
      },
      {
        "constant": "N",
        "targetPath": "$.IsTestEmp"
      },
      {
        "constant": "N",
        "targetPath": "$.TripUser"
      },
      /* An initial password setup is mandatory for all newly provisioned user accounts.
         To enable the provisioning to Concur, enable the statement for the Password attribute
         and make sure its value is not empty. For more information, see the Caution box above. */
      {
        "ignore": true,
        "constant": "",
        "targetPath": "$.Password"
      },
      {
        "constant": "USD",
        "targetPath": "$.CrnKey"
      },
      {
        "sourcePath": "$.addresses[?(@.type == 'home')].country",
        "targetPath": "$.CtryCode"
      },
      {
        "constant": "US",
        "targetPath": "$.Custom21"
      },
      {
        "constant": "DEFAULT",
        "targetPath": "$.LedgerName"
      },
      {
        "constant": "DEFAULT",
        "targetPath": "$.LedgerCode"
      },
      {
        "constant": "en_US",
        "targetPath": "$.LocaleName"
      }
    ]
  }
}
Concur offers three types of edition sites: Standard, Professional and Standard-to-Professional Upgrade. The Identity Provisioning service supports the Standard one, which allows you to provision users without grouping them into organizational units.
If your Concur site requires grouping of users, you'll need to enhance your target transformation. The missing JSON code lines you have to add depend on your Concur edition site. For more information, see Concur: How To Provision A Basic User Record .
Below is an example of additional JSON code lines you can add if using the Professional edition:
Sample Code
...
{
  "constant": "<provided by Concur>",
  "targetPath": "$.LedgerCode"
},
{
  "constant": "<obtain from Concur API>",
  "targetPath": "$.Custom21"
},
{
  "constant": "<obtain from Concur API>",
  "targetPath": "$.OrgUnit1"
},
{
  "constant": "<obtain from Concur API>",
  "targetPath": "$.OrgUnit2"
},
{
  "constant": "DEFAULT" or "<obtain from Concur API>",
  "targetPath": "$.LedgerKey"
},
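The following Python is an added illustration, not code from the Identity Provisioning service, of what the Caution box above means in practice: it applies the Concur default user mapping to a constructed SCIM user once with the shipped password statement (ignored, empty) and once with the statement enabled and fed by randomPassword, and checks whether the resulting record carries an initial password. The sample user, the SPECIAL_SYMBOLS set and the local random_password generator are assumptions; the service's own generator is not published on the page.

```python
import secrets
import string

# Constructed sample SCIM user as Identity Provisioning holds it internally
# (illustrative values, not taken from the page).
SAMPLE_USER = {
    "userName": "jdoe",
    "active": False,
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jane.doe@example.com"}],
}

# The shipped default password statement (ignored, empty value) ...
DEFAULT_PASSWORD_STATEMENT = {"ignore": True, "constant": "", "targetPath": "$.Password"}
# ... and the corrected one: "ignore" removed, value produced by randomPassword.
RANDOM_PASSWORD_STATEMENT = {
    "targetPath": "$.Password",
    "functions": [{
        "type": "randomPassword",
        "passwordLength": 16,
        "minimumNumberOfLowercaseLetters": 1,
        "minimumNumberOfUppercaseLetters": 1,
        "minimumNumberOfDigits": 1,
        "minimumNumberOfSpecialSymbols": 0,
    }],
}

SPECIAL_SYMBOLS = "!#$%&*+-=?@_"  # assumed symbol set for the local generator


def random_password(spec):
    """Local stand-in for the randomPassword function: honours passwordLength
    and the minimum count per character class. This is an assumption about the
    service's behaviour; its own generator is not shown on the page."""
    rng = secrets.SystemRandom()
    classes = [
        (string.ascii_lowercase, spec.get("minimumNumberOfLowercaseLetters", 0)),
        (string.ascii_uppercase, spec.get("minimumNumberOfUppercaseLetters", 0)),
        (string.digits, spec.get("minimumNumberOfDigits", 0)),
        (SPECIAL_SYMBOLS, spec.get("minimumNumberOfSpecialSymbols", 0)),
    ]
    length = spec["passwordLength"]
    if sum(n for _, n in classes) > length:
        raise ValueError("minimum counts exceed passwordLength")
    # Satisfy every required class first, then fill the rest from the pool.
    chars = [rng.choice(alphabet) for alphabet, n in classes for _ in range(n)]
    pool = string.ascii_letters + string.digits
    if spec.get("minimumNumberOfSpecialSymbols", 0) > 0:
        pool += SPECIAL_SYMBOLS
    chars += [rng.choice(pool) for _ in range(length - len(chars))]
    rng.shuffle(chars)  # required characters must not always sit at the front
    return "".join(chars)


def build_concur_user(user, password_statement):
    """Apply the Concur default user mapping to one SCIM user. The password
    statement is a parameter so the default and the corrected one can be compared."""
    email = user["emails"][0]["value"]
    record = {
        "EmpId": user["userName"],
        "EmailAddress": email,
        "LoginId": email,
        "FirstName": user["name"]["givenName"],
        "LastName": user["name"]["familyName"],
        # "constant": "N" is written first; the conditional "Y" overrides it
        # only when $.active == true.
        "Active": "Y" if user.get("active") is True else "N",
    }
    # A statement with "ignore": true contributes nothing to the target record.
    if not password_statement.get("ignore", False):
        value = password_statement.get("constant")
        for fn in password_statement.get("functions", []):
            if fn["type"] == "randomPassword":
                value = random_password(fn)
        record["Password"] = value
    return record


def concur_accepts(record):
    """Mirror the API rule from the Caution box: a new account without a
    non-empty initial password is rejected."""
    return bool(record.get("Password"))
```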
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about any failed entities during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
Related Information
Concur: Registering a Partner Application in Sandbox
Concur: Generate an Access Token
Concur API: User Account Information
1.5.2.11 SSH Server (Beta)
Follow this procedure to set up an SSH server (Beta) as a target system.
Prerequisites
● You have credentials for a tenant in SAP Cloud Platform. For more information, see: Accounts
● (Optional) You have installed the Cloud Connector in your corporate environment and have done the initial configuration. You need this only when your SSH server resides in a remote system, outside your Neo environment. For more information, see Cloud Connector.
Note
This is a beta feature available on SAP Cloud Platform. For more information, see: Using Beta Features in Subaccounts
Context
SSH Server is a system (connector) in beta state. It helps you execute bash scripts through an SSH connection. The configuration allows you to attach separate scripts per entity lifecycle callback (such as user create, group create/update, and so on). This system helps you connect to remote machines via an SSH tunnel, with or without the Cloud Connector, depending on whether the SSH port is visible or not.
The bash scripts can take as parameters fields that come from the entity JSON data. For example:
sudo su - vcap /home/myscript.sh $.userName $.email
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add SSH Server (Beta) as a target system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
All available SSH Server properties are listed below. Some of them are mandatory and others optional, depending on your scenario.
Mandatory Properties
Property Name | Description & Value
ProxyType | Possible values:
  ○ Internet – if the SSH port is visible in your Neo environment
  ○ OnPremise – if the SSH port is not directly accessible and you have to use the Cloud Connector. You have to configure a TCP protocol connection to the SSH host and port (specify the configuration properties ssh.host and ssh.port).
CloudConnectorLocationId | Relevant when the proxy type is OnPremise. Use it only if your SAP Cloud Platform account uses more than one Cloud Connector.
ssh.create.user.command | Path to the bash command you need to execute to create a user.
ssh.update.user.command | Path to the bash command you need to execute to update a user.
ssh.delete.user.command | Path to the bash command you need to execute to delete a user.
ssh.create.group.command | Path to the bash command you need to execute to create a group.
ssh.update.group.command | Path to the bash command you need to execute to update a group.
ssh.delete.group.command | Path to the bash command you need to execute to delete a group.
ssh.create.user.command.exit.code.already.exists | An exit code number
ssh.update.user.command.exit.code.not.found | An exit code number
ssh.delete.user.command.exit.code.not.found | An exit code number
ssh.create.group.command.exit.code.already.exists | An exit code number
ssh.update.group.command.exit.code.not.found | An exit code number
ssh.delete.group.command.exit.code.not.found | An exit code number
ssh.auth.type | Supported SSH authentication types:
  ○ key
  ○ pwd
  ○ otp
  ○ key+otp
  ○ key+pwd
  ○ pwd+otp
  ○ key+pwd+otp
ssh.host |
ssh.port | 22
ssh.username |
ssh.password | (Credential) Taken into account only if the authentication type includes pwd. That means any of the following:
  ○ hana.jdbc.ssh.tunnel.auth.type = pwd
  ○ hana.jdbc.ssh.tunnel.auth.type = pwd+otp
  ○ hana.jdbc.ssh.tunnel.auth.type = key+pwd
  ○ hana.jdbc.ssh.tunnel.auth.type = key+pwd+otp
ssh.totp.secret.key | (Credential) Taken into account only if the authentication type includes otp. That means any of the following:
  ○ hana.jdbc.ssh.tunnel.auth.type = otp
  ○ hana.jdbc.ssh.tunnel.auth.type = key+otp
  ○ hana.jdbc.ssh.tunnel.auth.type = pwd+otp
  ○ hana.jdbc.ssh.tunnel.auth.type = key+pwd+otp
ssh.private.key.type | The type of SSH private key. Possible values:
  ○ ssh-rsa
  ○ ssh-dsa
  Default value: ssh-rsa
  Note
  If you choose ssh-rsa, the key should be in PKCS #8 format, non-encrypted.
ssh.private.key | (Credential) Taken into account only if the authentication type includes key. That means any of the following:
  ○ hana.jdbc.ssh.tunnel.auth.type = key
  ○ hana.jdbc.ssh.tunnel.auth.type = key+pwd
  ○ hana.jdbc.ssh.tunnel.auth.type = key+otp
  ○ hana.jdbc.ssh.tunnel.auth.type = key+pwd+otp
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. (Optional) Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your SSH Server (Beta) target system. For more information, see Manage Transformations [page 37].
Default transformation:
Code Syntax
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.userName",
        "targetPath": "$.userName"
      }
    ]
  }
}
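As an added illustration (not the connector's code), the following Python models how the command template from the Context section and the exit-code properties from the table above fit together: entity fields replace the $.field placeholders as separate argv elements rather than being pasted into a shell string, and the configured exit codes distinguish a benign "already exists" or "not found" result from a real failure. The property values, the sample entity and the classification rules are assumptions.

```python
import shlex
import subprocess

# Constructed SSH Server properties (illustrative values). The create command
# template is the one quoted in the Context section.
SSH_PROPERTIES = {
    "ssh.create.user.command": "sudo su - vcap /home/myscript.sh $.userName $.email",
    "ssh.create.user.command.exit.code.already.exists": "3",
    "ssh.delete.user.command": "/home/deluser.sh $.userName",
    "ssh.delete.user.command.exit.code.not.found": "4",
}

# Constructed entity JSON as the transformation would hand it to the connector.
SAMPLE_ENTITY = {"userName": "jdoe", "email": "jdoe@example.com"}


def build_argv(template, entity):
    """Expand $.field placeholders from the entity JSON into discrete argv
    elements. Passing attribute values as separate arguments (never re-parsed
    by a shell) keeps a value containing spaces or shell metacharacters a
    single argument on the remote side."""
    argv = []
    for token in shlex.split(template):
        if token.startswith("$."):
            argv.append(str(entity[token[2:]]))
        else:
            argv.append(token)
    return argv


def classify_exit(operation, entity_type, exit_code, properties):
    """Map a command exit code to a provisioning outcome. Assumed semantics of
    the exit-code properties: 0 is success, the configured code is the benign
    'already.exists' (create) or 'not.found' (update/delete) case, anything
    else is a failure that the job log should report."""
    special = "already.exists" if operation == "create" else "not.found"
    key = f"ssh.{operation}.{entity_type}.command.exit.code.{special}"
    if exit_code == 0:
        return "ok"
    if key in properties and exit_code == int(properties[key]):
        return special
    return "failed"


def run_lifecycle_command(operation, entity_type, entity, properties,
                          runner=subprocess.run):
    """Build argv for the configured lifecycle command, run it and classify the
    result. `runner` is injectable so the logic can be exercised without a host."""
    template = properties[f"ssh.{operation}.{entity_type}.command"]
    argv = build_argv(template, entity)
    completed = runner(argv)
    return argv, classify_exit(operation, entity_type, completed.returncode, properties)


def fake_runner(exit_code):
    """Stand-in for subprocess.run that reports a fixed exit code (for tests)."""
    return lambda argv: subprocess.CompletedProcess(argv, exit_code)
```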
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about any failed entities during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.2.12 CloudFoundry UAA Server
Follow this procedure to set up a CloudFoundry UAA Server as a target system.
Prerequisites
● You have installed the Cloud Connector in your corporate environment and have done the initial configuration. You need this only if the CloudFoundry UAA server is exposed in a private corporate network. For more information, see SAP Cloud Platform Connector.
● You have technical user credentials for a CloudFoundry system with write access permissions. In case OAuth is used for authentication, client ID and secret are required when creating a destination for access token retrieval.
Context
Procedure
1. (Optional) If the CloudFoundry UAA server is exposed in a private corporate network, add an access control system mapping in Cloud Connector. For more information, see Configuring Access Control (HTTP).
2. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
3. Add CloudFoundry UAA Server as a target system. For more information, see Add System [page 59].
4. Choose the Properties tab to configure the connection settings for your system.
Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
Mandatory Properties
Property Name | Description & Value
Type | Enter: HTTP
URL | Specify the service URL. For example: http://<cloudfoundry_server>.com/uaa/
ProxyType | Depending on your scenario, enter Internet or OnPremise.
Authentication | Enter: BasicAuthentication
User | Enter the client ID for OAuth HTTP destinations. It is used for access token retrieval.
Password | Enter the client secret for OAuth HTTP destinations. It is used for retrieving the access token.
OAuth2TokenServiceURL | If you need to authenticate to the system with OAuth, enter the URL of the access token provider service for OAuth HTTP destinations. For example: https://token-provider.com/uaa/auth/token
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
5. (Optional) Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your CloudFoundry UAA server. For more information, see Manage Transformations [page 37].
○ Mapping logic - The behavior of the default transformation logic is to map all attributes from the internal CloudFoundry UAA representation to the target entity.
○ User offboarding - If a user has been deleted from the source system, this change is recognized and the user is deleted from the CloudFoundry UAA target system too.
Below is an example of the default transformation:
Code Syntax
{
  "user": {
    "condition": "$.emails.length() > 0",
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "targetPath": "$.schemas",
        "type": "remove"
      },
      {
        "constant": "urn:scim:schemas:core:1.0",
        "targetPath": "$.schemas[0]"
      },
      /* If the entity has e-mail addresses, the first entry will be marked as primary. */
      {
        "condition": "$.emails[0].length() > 0",
        "targetPath": "$.emails[0].primary",
        "constant": true
      }
    ]
  },
  /* By default, group is inactive (ignored) but groups are supported.
     To start provisioning groups, either delete the statement "ignore": true, or set its value to false. */
  "group": {
    "ignore": true,
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "targetPath": "$.schemas",
        "type": "remove"
      },
      {
        "constant": "urn:scim:schemas:core:1.0",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$.member",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members[?(@.value)]",
        "functions": [
          {
            "type": "resolveEntityIds"
          }
        ]
      }
    ]
  }
}
Note
If you want to apply group assignments, you have to execute the transformation in this exact order (users first, then groups). Otherwise, the resolveEntityIds function will not work during a single provisioning job, and a second job will be needed. This behavior occurs because the external IDs are not known in advance: the CloudFoundry UAA system provides them only after it has written the relevant user/group entities.
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about any failed entities during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
Related Information
CloudFoundry: Users
CloudFoundry: Groups
1.5.2.13 Microsoft Azure Active Directory
Follow this procedure to set up Microsoft Azure Active Directory (in short, Azure AD) as a target system.
Prerequisites
● You have logged on to Microsoft Azure Portal, with credentials for a user with directory role Global administrator. For more information, see Microsoft: Assigning administrator roles in Azure Active Directory.
● In Azure Active Directory App registrations, you have registered an application with a secret key and permissions (see below) for Microsoft Graph API. An administrator must grant consent for these permissions. For more information, see Microsoft Graph permissions reference.
● (Relevant to target systems) Your registered application is assigned the User Account Administrator role. This role allows you to deprovision users. For more information, see MS Azure PowerShell: Add-MsolRoleMember.
Note
If this role is not assigned, you can only disable users. To do that, set the accountEnabled property to false. For more information, see MS Graph: user resource type
Permissions
Assign the following permissions to your application, according to your scenario:
● Users – User.ReadWrite.All, Directory.AccessAsUser.All
● Groups – Group.ReadWrite.All
For more information, see MS Graph: Users and MS Graph: Groups
Context
When using it as a target system, you can write both users and groups, read from any source system you have added in the Identity Provisioning user interface. The Azure AD target systems use Microsoft Graph API. For more information, see Microsoft Graph .
If you have successfully finished with the initial setup (described in the Prerequisites section), continue with the procedure below.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add Microsoft Azure Active Directory as a target system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
Mandatory Properties
Property Name | Description & Value
Type | Enter: HTTP
URL | Enter: https://graph.microsoft.com
ProxyType | Enter: Internet
Authentication | Enter: BasicAuthentication
User | Enter the application ID registered in your Azure AD subscription (see the Prerequisites section).
Password | Enter the secret key associated with your app registration.
aad.domain.name | Enter one of the verified domain names from the corresponding Azure AD tenant. On this domain, you will perform the provisioning operations. For more information, see Microsoft: Manage domain names.
oauth.resource.name | Enter: https://graph.microsoft.com
OAuth2TokenServiceURL | Enter: https://login.microsoftonline.com/{your_domain}/oauth2/token, where {your_domain} is the domain name you have set in the aad.domain.name property.
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. (Optional) Configure the transformations.
Default transformation:
Code Syntax
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.onPremisesImmutableId",
        "optional": true,
        "targetPath": "$.onPremisesImmutableId"
      },
      {
        "sourcePath": "$.active",
        "optional": true,
        "targetPath": "$.accountEnabled"
      },
      {
        "sourcePath": "$.name.givenName",
        "optional": true,
        "targetPath": "$.mailNickname"
      },
      {
        "sourcePath": "$.displayName",
        "optional": true,
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.name.givenName",
        "optional": true,
        "targetPath": "$.givenName"
      },
      {
        "sourcePath": "$.name.familyName",
        "optional": true,
        "targetPath": "$.surname"
      },
      {
        "sourcePath": "$.addresses[0].locality",
        "optional": true,
        "targetPath": "$.city"
      },
      {
        "sourcePath": "$.addresses[0].country",
        "optional": true,
        "targetPath": "$.country"
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.userPrincipalName",
        "scope": "createEntity",
        "functions": [
          {
            "type": "concatString",
            "suffix": "@%aad.domain.name%"
          }
        ]
      },
      {
        "sourcePath": "$.active",
        "targetPath": "$.accountEnabled",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.name.givenName",
        "targetPath": "$.mailNickname",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.displayName",
        "scope": "createEntity"
      },
      {
        "targetPath": "$.passwordProfile.password",
        "scope": "createEntity",
        "functions": [
          {
            "type": "randomPassword",
            "passwordLength": 16,
            "minimumNumberOfLowercaseLetters": 1,
            "minimumNumberOfUppercaseLetters": 1,
            "minimumNumberOfDigits": 1,
            "minimumNumberOfSpecialSymbols": 0
          }
        ]
      },
      {
        "constant": false,
        "targetPath": "$.passwordProfile.forceChangePasswordNextSignIn",
        "scope": "createEntity"
      }
    ]
  },
  "group": {
    "mappings": [
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "sourcePath": "$.displayName",
        "optional": true,
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.description",
        "optional": true,
        "targetPath": "$.description"
      },
      {
        "sourcePath": "$.allowExternalSenders",
        "optional": true,
        "targetPath": "$.allowExternalSenders"
      },
      {
        "sourcePath": "$.autoSubscribeNewMembers",
        "optional": true,
        "targetPath": "$.autoSubscribeNewMembers"
      },
      {
        "sourcePath": "$.isSubscribedByMail",
        "optional": true,
        "targetPath": "$.isSubscribedByMail"
      },
      {
        "sourcePath": "$.visibility",
        "optional": true,
        "targetPath": "$.visibility"
      },
      {
        "sourcePath": "$.securityEnabled",
        "optional": true,
        "targetPath": "$.securityEnabled"
      },
      {
        "sourcePath": "$.mailEnabled",
        "optional": true,
        "targetPath": "$.mailEnabled"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.displayName",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.externalId",
        "targetPath": "$.mailNickname",
        "scope": "createEntity"
      },
      {
        "constant": true,
        "targetPath": "$.mailEnabled",
        "scope": "createEntity"
      },
      {
        "constant": false,
        "targetPath": "$.securityEnabled",
        "scope": "createEntity"
      },
      {
        "constant": "Unified",
        "targetPath": "$.groupTypes[0]",
        "scope": "createEntity"
      }
    ]
  }
}
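The Python below is an added example, not code from the Identity Provisioning service, that evaluates a subset of the Azure AD user mapping above and the G Suite group e-mail statement from the Google section, to show how "scope": "createEntity", "optional": true and the concatString suffix with a %aad.domain.name% placeholder behave on a create versus an update. The sample user, the domain value and the exact semantics implemented in apply_mappings are assumptions drawn from how the page uses these keys.

```python
import re

# Constructed connection property as set in the Properties tab (illustrative).
AAD_PROPERTIES = {"aad.domain.name": "contoso.example"}

# Constructed SCIM user read from a source system (illustrative values).
SAMPLE_USER = {
    "userName": "jdoe",
    "active": True,
    "displayName": "Jane Doe",
    "addresses": [{"locality": "Berlin"}],
}

# Subset of the Azure AD default user mapping quoted above.
AZURE_USER_MAPPINGS = [
    {"sourcePath": "$.onPremisesImmutableId", "optional": True,
     "targetPath": "$.onPremisesImmutableId"},
    {"sourcePath": "$.active", "optional": True, "targetPath": "$.accountEnabled"},
    {"sourcePath": "$.displayName", "optional": True, "targetPath": "$.displayName"},
    {"sourcePath": "$.addresses[0].locality", "optional": True, "targetPath": "$.city"},
    {"sourcePath": "$.userName", "targetPath": "$.userPrincipalName",
     "scope": "createEntity",
     "functions": [{"type": "concatString", "suffix": "@%aad.domain.name%"}]},
    {"sourcePath": "$.displayName", "targetPath": "$.displayName",
     "scope": "createEntity"},
    {"constant": False, "targetPath": "$.passwordProfile.forceChangePasswordNextSignIn",
     "scope": "createEntity"},
]

# The group e-mail statement from the Google G Suite section.
GSUITE_GROUP_EMAIL_MAPPINGS = [
    {"sourcePath": "$.displayName", "targetPath": "$.email", "scope": "createEntity",
     "functions": [{"type": "concatString", "suffix": "@test.myaccount.ondemand.com"}]},
]

MISSING = object()  # sentinel: the source attribute is absent


def read_path(obj, path):
    """Resolve a simple JSONPath such as $.addresses[0].locality (no filters)."""
    cur = obj
    for key, idx in re.findall(r"\.([A-Za-z_]\w*)|\[(\d+)\]", path):
        if key:
            if not isinstance(cur, dict) or key not in cur:
                return MISSING
            cur = cur[key]
        else:
            if not isinstance(cur, list) or int(idx) >= len(cur):
                return MISSING
            cur = cur[int(idx)]
    return cur


def write_path(obj, path, value):
    """Set a dotted target path, creating intermediate objects as needed."""
    keys = path[2:].split(".")  # drop the leading "$."
    for key in keys[:-1]:
        obj = obj.setdefault(key, {})
    obj[keys[-1]] = value


def expand_placeholders(text, properties):
    """Replace %property.name% with the value of that connection property."""
    return re.sub(r"%([\w.]+)%", lambda m: properties[m.group(1)], text)


def apply_mappings(source, mappings, operation, properties):
    """Evaluate mappings for one operation ("createEntity" or "updateEntity").
    Assumed semantics, matching how the page uses the keys: a statement with a
    scope runs only for that operation; an optional statement is skipped when
    the source attribute is absent; a non-optional one makes the entity fail."""
    target = {}
    for m in mappings:
        if m.get("scope") and m["scope"] != operation:
            continue
        if "constant" in m:
            value = m["constant"]
        else:
            value = read_path(source, m["sourcePath"])
            if value is MISSING:
                if m.get("optional"):
                    continue
                raise ValueError("required attribute missing: " + m["sourcePath"])
        for fn in m.get("functions", []):
            if fn["type"] == "concatString":
                value = str(value) + expand_placeholders(fn.get("suffix", ""), properties)
        write_path(target, m["targetPath"], value)
    return target
```

On a create the userPrincipalName is built from userName plus the domain property, while an update carries only the unscoped attributes; a missing non-optional attribute fails the entity instead of silently writing an incomplete record.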
Next Steps
1. Before starting a provisioning job, you can subscribe to e-mail notifications for the source system used in your scenario. You are then notified by e-mail about any entities that fail during a job. For more information, see Manage Job Notifications [page 102].
2. Start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.3 Proxy Systems
This section lists all proxy systems supported by the Identity Provisioning user interface.
A proxy system is a special connector used for "hybrid" scenarios: you can provision entities from a cloud system to an on-premise system (and the other way around) without a direct connection between them. To achieve this, the Identity Provisioning service exposes the cloud system as a proxy that executes the provisioning operations (create, update, delete, and so on) requested by the on-premise system.
Restriction
● Currently, this scenario is only applicable to SAP Identity Management, used as the on-premise system. See: Hybrid Scenario: SAP Identity Management [page 246]
● The Proxy Systems tile is not available for bundle accounts, only for the productive, standalone Identity Provisioning service.
● This tile is not displayed by default in the user interface. If you need it for hybrid scenarios, create an incident on component BC-IAM-IPS to request the Proxy Systems tile.
To provide communication between SAP Identity Management and the back-end system, the proxy application uses the SCIM 2.0 protocol. A system can act as a proxy only if it supports both read and write operations.
How a proxy system works:
1. The Identity Provisioning service exposes the back-end system as a "proxy".
2. SAP Identity Management regards the proxy system as its back-end system.
3. The entities (users) exposed by the back-end system are mapped to SCIM 2.0 entities where possible. If that is not possible, the SCIM standard provides a mechanism to define a new resource type with an appropriate schema; you can use such a custom resource type to map the back-end entities. See: SCIM Resources
Proxy Systems
Concur
Google G Suite
Microsoft Azure Active Directory
SAP Analytics Cloud (Beta)
SAP Cloud Platform Identity Authentication
SAP Jam
SCIM
1.5.3.1 SAP Cloud Platform Identity Authentication
Follow this procedure to set up SAP Cloud Platform Identity Authentication as a proxy system.
Prerequisites
You have created a technical user in the Identity Authentication service. For more information, see Add System as Administrator.
Note
On the Identity Authentication service side, technical users are known as systems.
Details:
● The technical user calls the SCIM REST API of the service.
● You must configure the technical user with a password and assign it the authorization roles Manage Users and Manage Groups. This lets the Identity Provisioning service create, edit, and delete users and groups in the Identity Authentication user store.
Context
The Identity Authentication service offers a user store in the cloud, which can be used as a source or a target system for the Identity Provisioning service.
Using the Identity Provisioning service, you can read corporate users from an on-premise system and provision them to the Identity Authentication user store (and the other way around) without a direct connection between these systems. This way, you can implement secure authentication, single sign-on (SSO), strong authentication, and mobile SSO as a service for your company's web and cloud applications.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add SAP Cloud Platform Identity Authentication as a proxy system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note
If you have already created a connectivity destination for this system in the SAP Cloud Platform cockpit, select it from the Destination dropdown box. If the same property is set both in the cockpit destination and in the Identity Provisioning UI, the value in the Properties tab takes precedence.
Mandatory Properties
Type: HTTP
URL: The URL of your company's Identity Authentication service tenant. For example: https://mytenant.accounts.ondemand.com
ProxyType: Internet. The Identity Authentication service is a cloud solution outside your company's on-premise infrastructure.
Authentication: BasicAuthentication
User: The name of the technical user configured in the Identity Authentication service.
Password: The password of that technical user.
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. (Optional) Configure the transformations.
Transformations map user attributes from the data model of a source system to the data model of the target system, and the other way around. The Identity Provisioning service provides default transformations for Identity Authentication; they are displayed under the Transformations tab after you save the initial system configuration.
When Identity Authentication is configured as a proxy system, the default read transformation reads all user attributes from the Identity Authentication user store. The attributes are delivered by the Identity Authentication SCIM REST API and mapped to the internal SCIM representation. For more information, see Identity Authentication service SCIM REST API.
The default write transformation:
○ reads all user attributes from the intermediate SCIM representation;
○ excludes some identity records (by default, users without an e-mail address or without a family name; see the condition in the write transformation below);
○ skips some attributes of the identity records (by default, the groups attribute and the enterprise user extension).
This way, the transformation logic ensures that the identity data sent to the Identity Authentication SCIM REST API is consistent.
You can change the default transformation mapping rules depending on your setup of entities in the Identity Authentication service. For more information, see Manage Transformations [page 37].
Default read and write transformations:
Read Transformation
{
  "user": {
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location", "targetVariable": "entityLocationSourceSystem", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] },
      { "targetPath": "$.groups[*].display", "type": "remove" },
      { "condition": "$.displayName EMPTY true", "targetPath": "$.displayName", "type": "remove" },
      { "sourcePath": "$.timeZone", "optional": true, "targetPath": "$.timezone" }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$.id", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location", "targetVariable": "entityLocationSourceSystem", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] },
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
      { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']", "targetPath": "$.displayName" },
      { "sourcePath": "$.members", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members" },
      { "constant": "urn:sap:cloud:scim:schemas:extension:custom:2.0:Group", "targetPath": "$.schemas[1]" },
      { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']", "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']" },
      { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']", "optional": true, "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']" }
    ],
    "scimEntityEndpoint": "Groups"
  }
}
Write Transformation
{
  "user": {
    "condition": "($.emails.length() > 0) && ($.name.familyName EMPTY false)",
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.groups", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.corporateGroups" },
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "constant": true, "targetPath": "$.active" },
      { "constant": "false", "targetPath": "$.sendMail", "scope": "createEntity" },
      { "constant": "true", "targetPath": "$.mailVerified", "scope": "createEntity" },
      { "constant": "disabled", "targetPath": "$.passwordStatus", "scope": "createEntity" },
      { "constant": "39", "targetPath": "$.sourceSystem", "scope": "createEntity" },
      { "constant": "employee", "targetPath": "$.userType" },
      { "targetPath": "$.groups", "type": "remove" },
      { "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']", "type": "remove" },
      { "sourcePath": "$.timezone", "optional": true, "targetPath": "$.timeZone" }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "sourcePath": "$.displayName", "targetPath": "$.displayName" },
      { "sourcePath": "$.displayName", "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']", "scope": "createEntity", "functions": [ { "type": "replaceAllString", "regex": "[\\s\\p{Punct}]", "replacement": "_" } ] },
      { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']", "optional": true, "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']", "scope": "createEntity" },
      { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']", "optional": true, "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']" },
      { "sourcePath": "$.members", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members" }
    ],
    "scimEntityEndpoint": "Groups"
  }
}
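The following script is an added example and is not part of the SAP documentation or of the service itself. It is a small interpreter for the rule shapes used by the default transformations above (sourcePath/targetPath, constant, sourceVariable, condition, scope, "type": "remove", functions), so that a mapping can be dry-run offline before it is saved against a tenant. It shows three things the JSON alone does not: the entity-level condition drops users that have no e-mail address or no family name, createEntity-only rules are not applied on update, and the replaceAllString rule turns a group display name such as "Sales & Marketing (EMEA)" into a name with no whitespace or punctuation. Only the JSONPath and condition forms that occur in these defaults are supported (dotted paths, bracketed schema URNs, EMPTY and length() > 0 clauses joined with &&); SAMPLE_USER, the cut-down mappings and the entityIdTargetSystem value are constructed for the example, and expanding Java's \p{Punct} into string.punctuation is an approximation of the service's regex engine.

```python
"""Offline dry run of Identity Provisioning transformation rules (added example, not SAP code)."""
import copy
import re
import string

# Constructed source record in the intermediate SCIM representation, plus cut-down copies of the
# default Identity Authentication write transformation shown above.
SAMPLE_USER = {
    "id": "P000123", "userName": "jdoe", "timezone": "Europe/Berlin",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jane.doe@example.com", "primary": True}],
    "groups": [{"value": "g1", "display": "Finance"}],
}
WRITE_USER = {
    "condition": "($.emails.length() > 0) && ($.name.familyName EMPTY false)",
    "mappings": [
        {"sourcePath": "$", "targetPath": "$"},
        {"sourceVariable": "entityIdTargetSystem", "targetPath": "$.id"},
        {"constant": "disabled", "targetPath": "$.passwordStatus", "scope": "createEntity"},
        {"targetPath": "$.groups", "type": "remove"},
    ],
}
WRITE_GROUP = {"mappings": [{
    "sourcePath": "$.displayName", "scope": "createEntity",
    "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
    "functions": [{"type": "replaceAllString", "regex": "[\\s\\p{Punct}]", "replacement": "_"}]}]}

def _keys(path):
    """Split $.a.b[0] or $['urn:x']['name'] into a key list; [*] wildcards are not supported."""
    return [int(i) if i else q or p for q, i, p in re.findall(r"\['([^']*)'\]|\[(\d+)\]|\.([^.\[]+)", path[1:])]

def _walk(obj, keys):
    try:
        for key in keys:
            obj = obj[key]
    except (KeyError, IndexError, TypeError):
        return None
    return obj

def get_path(obj, path):
    return _walk(obj, _keys(path))

def set_path(obj, path, value):
    *parents, last = _keys(path)
    for key in parents:
        obj = obj.setdefault(key, {})
    obj[last] = value

def remove_path(obj, path):
    *parents, last = _keys(path)
    parent = _walk(obj, parents)
    if isinstance(parent, dict):
        parent.pop(last, None)

def evaluate(condition, record):
    """Supports '<path> EMPTY true|false' and '<path>.length() > 0', joined with &&."""
    for clause in condition.split("&&"):
        m = re.fullmatch(r"\(?(\$\S*?)(?: EMPTY (true|false)|\.length\(\) > 0)\)?", clause.strip())
        if not m:
            raise ValueError("unsupported condition: " + clause)
        is_empty = get_path(record, m[1]) in (None, "", [], {})
        if is_empty != (m[2] == "true"):   # for length() > 0, m[2] is None: value must be non-empty
            return False
    return True

def apply_function(fn, value):
    if fn["type"] == "replaceAllString":   # Java's \p{Punct} has no Python equivalent; expand it
        pattern = fn["regex"].replace(r"\p{Punct}", re.escape(string.punctuation))
        return re.sub(pattern, fn["replacement"], str(value))
    raise ValueError("unsupported function: " + fn["type"])

def apply(transformation, record, scope="createEntity", variables=None):
    """Return the target entity, or None when the entity-level condition excludes the record."""
    variables = variables or {}
    if "condition" in transformation and not evaluate(transformation["condition"], record):
        return None
    out = {}
    for rule in transformation["mappings"]:
        if rule.get("scope") not in (None, scope):   # e.g. createEntity-only rules skip updates
            continue
        if "condition" in rule and not evaluate(rule["condition"], record):
            continue
        if rule.get("type") == "remove":
            remove_path(out, rule["targetPath"])
            continue
        if "constant" in rule:
            value = rule["constant"]
        elif "sourceVariable" in rule:
            value = variables[rule["sourceVariable"]]
        else:
            value = get_path(record, rule["sourcePath"])
            if value is None and rule.get("optional"):
                continue
            if value is None:
                raise ValueError("mandatory attribute missing: " + rule["sourcePath"])
        for fn in rule.get("functions", []):
            value = apply_function(fn, value)
        if rule.get("targetPath") == "$":
            out = copy.deepcopy(value)                 # "$" to "$" copies the whole record first
        elif "targetPath" in rule:
            set_path(out, rule["targetPath"], copy.deepcopy(value))
    return out
```

Call apply(WRITE_USER, SAMPLE_USER, variables={"entityIdTargetSystem": "ias-42"}) to see the createEntity result, pass scope="updateEntity" to see passwordStatus disappear, and remove the familyName from the record to see the whole entity rejected; the unsupported-condition and missing-mandatory-attribute errors are deliberately loud, because a dry run that silently skips rules would hide exactly the mistakes it is meant to catch.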
Next Steps
1. Before starting a provisioning job, you can subscribe to e-mail notifications for the source system used in your scenario. You are then notified by e-mail about any entities that fail during a job. For more information, see Manage Job Notifications [page 102].
2. Start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
Related Information
Identity Authentication: Documentation
Identity Authentication: SCIM REST API
Hybrid Scenario: SAP Identity Management [page 246]
1.5.3.2 SAP Analytics Cloud (Beta)
Follow this procedure to set up SAP Analytics Cloud (Beta) as a proxy system.
Prerequisites
1. In SAP Analytics Cloud, you have enabled a custom SAML identity provider for which User Attribute is set to Custom SAML User Mapping. To learn how, see: Enabling a Custom SAML Identity Provider
2. You have added an OAuth client with the authorization grant Client Credentials. To learn how, see: Managing OAuth Clients and Trusted Identity Providers
3. You have created a user representing the OAuth client and set its SAML USER MAPPING to oauth_client_<CLIENT_ID>, where <CLIENT_ID> (case sensitive) matches the OAuth client ID from the previous step. To learn how, see: Creating New Users
Note
If you don't see a SAML USER MAPPING column, go back to step 1 and make sure the user attribute is set correctly.
4. You have assigned this user a role that grants permissions to manage users and teams. To learn how, see: Assigning Roles to Users. For a list of all standard application roles in SAP Analytics Cloud, see: Standard Application Roles
Context
After fulfilling the prerequisites, follow the procedure below to add SAP Analytics Cloud as a beta proxy system to load its users into an on-premise system and provision groups and new users back to SAP Analytics Cloud.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add SAP Analytics Cloud (Beta) as a proxy system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note
If you have already created a connectivity destination for this system in the SAP Cloud Platform cockpit, select it from the Destination dropdown box. If the same property is set both in the cockpit destination and in the Identity Provisioning UI, the value in the Properties tab takes precedence.
Mandatory Properties
Type: HTTP
URL: The URL of your SAP Analytics Cloud system.
ProxyType: Internet
Authentication: BasicAuthentication
User: The client ID used to retrieve the OAuth access token for SAP Analytics Cloud.
Password: The client secret used to retrieve the OAuth access token for SAP Analytics Cloud.
OAuth2TokenServiceURL: The URL of the access token service for your SAP Analytics Cloud instance, in the format: https://oauthasservices-<subaccount>.hana.ondemand.com/oauth2/api/v1/token
scim.api.csrf.protection: Specifies whether to fetch a CSRF token before sending requests to the system. This property is added to the system automatically, with the default value: enabled
csrf.token.path: Path appended to the URL to retrieve the CSRF token. This property is added to the system automatically, with the default value: /api/v1/scim/Users?count=1
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your SAP Analytics Cloud system. For more information, see Manage Transformations [page 37].
Default read and write transformations:
Read Transformation
{
  "user": {
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location", "targetVariable": "entityLocationSourceSystem", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location", "targetVariable": "entityLocationSourceSystem", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] }
    ],
    "scimEntityEndpoint": "Groups"
  }
}
Write Transformation
{
  "user": {
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "condition": "$.emails[0].length() > 0", "constant": true, "targetPath": "$.emails[0].primary" }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" }
    ],
    "scimEntityEndpoint": "Groups"
  }
}
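The following script is an added example and is not SAP code; it shows the two round trips that the property table above configures for a write to SAP Analytics Cloud. First, the User and Password values are sent as HTTP Basic credentials to OAuth2TokenServiceURL with grant_type=client_credentials to obtain a bearer token. Second, because scim.api.csrf.protection is enabled, csrf.token.path is requested with the header X-CSRF-Token: Fetch, and the token and session cookie returned are replayed on the modifying request. The transport is injected, so the script runs offline against a fake server that enforces each of those checks. The header names follow the convention SAP services generally use, and the host names, the users endpoint path, the client credentials and the FakeSacServer are assumptions made for this example.

```python
"""Token retrieval and CSRF pre-flight for a SCIM write, as configured by the properties above.
Added example, not SAP code: the transport is injected so it runs offline against a fake server."""
import base64
import json
import secrets
from urllib.parse import urlencode

TOKEN_URL = "https://oauthasservices-example.hana.ondemand.com/oauth2/api/v1/token"  # assumed value
BASE_URL = "https://example.sapanalytics.cloud"      # assumed tenant URL
CSRF_PATH = "/api/v1/scim/Users?count=1"            # csrf.token.path default from the table above
USERS_PATH = "/api/v1/scim/Users"                   # assumed SCIM users endpoint


class ScimWriter:
    """transport(method, url, headers, body) -> (status, headers, body); e.g. a requests wrapper."""
    def __init__(self, transport, client_id, client_secret):
        self.transport, self.client_id, self.client_secret = transport, client_id, client_secret
        self.access_token = self.csrf_token = self.cookie = None

    def fetch_access_token(self):
        # Client-credentials grant: User/Password from the table become the HTTP Basic credentials.
        basic = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        status, _, body = self.transport("POST", TOKEN_URL,
            {"Authorization": f"Basic {basic}", "Content-Type": "application/x-www-form-urlencoded"},
            urlencode({"grant_type": "client_credentials"}))
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}")
        self.access_token = json.loads(body)["access_token"]
        return self.access_token

    def fetch_csrf_token(self):
        # scim.api.csrf.protection=enabled: GET csrf.token.path with X-CSRF-Token: Fetch and keep
        # the token and the session cookie the server hands back; both are needed on the write.
        status, headers, _ = self.transport("GET", BASE_URL + CSRF_PATH,
            {"Authorization": f"Bearer {self.access_token}", "X-CSRF-Token": "Fetch"}, None)
        if status != 200 or "x-csrf-token" not in headers:
            raise RuntimeError("CSRF pre-flight failed")
        self.csrf_token, self.cookie = headers["x-csrf-token"], headers.get("set-cookie", "")
        return self.csrf_token

    def create_user(self, user):
        if self.access_token is None:
            self.fetch_access_token()
        if self.csrf_token is None:
            self.fetch_csrf_token()
        status, _, body = self.transport("POST", BASE_URL + USERS_PATH,
            {"Authorization": f"Bearer {self.access_token}", "X-CSRF-Token": self.csrf_token,
             "Cookie": self.cookie, "Content-Type": "application/scim+json"}, json.dumps(user))
        if status != 201:
            raise RuntimeError(f"create failed: {status} {body}")
        return json.loads(body)


class FakeSacServer:
    """Offline stand-in for the token service and the SCIM endpoint (constructed for this example)."""
    def __init__(self, client_id, client_secret):
        self.expected_basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self.token, self.csrf = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.session = "JSESSIONID=" + secrets.token_hex(8)
        self.users = {}

    def __call__(self, method, url, headers, body):
        if url == TOKEN_URL:
            if method != "POST" or headers.get("Authorization") != f"Basic {self.expected_basic}":
                return 401, {}, '{"error": "invalid_client"}'
            if "grant_type=client_credentials" not in (body or ""):
                return 400, {}, '{"error": "unsupported_grant_type"}'
            return 200, {}, json.dumps({"access_token": self.token, "token_type": "Bearer"})
        if headers.get("Authorization") != f"Bearer {self.token}":
            return 401, {}, ""
        if method == "GET" and headers.get("X-CSRF-Token") == "Fetch":
            return 200, {"x-csrf-token": self.csrf, "set-cookie": self.session}, "{}"
        if method == "POST":   # a modifying call must carry the fetched token and the same session
            if headers.get("X-CSRF-Token") != self.csrf or self.session not in headers.get("Cookie", ""):
                return 403, {}, "CSRF token validation failed"
            user = json.loads(body)
            user_id = str(len(self.users) + 1)
            self.users[user_id] = user
            return 201, {}, json.dumps({**user, "id": user_id})
        return 405, {}, ""
```

ScimWriter(FakeSacServer("sac-client", "s3cret"), "sac-client", "s3cret").create_user({...}) walks through both exchanges; to run it against a real tenant, replace the fake with a transport that performs the HTTP call and returns the status, the response headers and the body, and keep the CSRF token and cookie together, since the server binds the token to the session that fetched it.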
Next Steps
1. Before starting a provisioning job, you can subscribe to e-mail notifications for the source system used in your scenario. You are then notified by e-mail about any entities that fail during a job. For more information, see Manage Job Notifications [page 102].
2. Start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.3.3 SAP Jam
Follow this procedure to set up SAP Jam as a proxy system.
Prerequisites
You have OAuth credentials for SAP Jam. If your SAP Jam tenant is of the "SCIM provisioning" type, an OAuth client named SCIM API Client is created for it automatically. To find this client:
1. Go to the SAP Jam admin panel.
2. Choose Integrations > OAuth Clients.
3. For SCIM API Client, choose View.
4. Save the Key and Secret values; you need them later when configuring your SAP Jam proxy system.
Context
After fulfilling the prerequisites, follow the procedure below to create a proxy SAP Jam system to load its users into an on-premise system and provision groups and new users back to SAP Jam.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add SAP Jam as a proxy system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note
If you have already created a connectivity destination for this system in the SAP Cloud Platform cockpit, select it from the Destination dropdown box. If the same property is set both in the cockpit destination and in the Identity Provisioning UI, the value in the Properties tab takes precedence.
Mandatory Properties
Type: HTTP
URL: The URL of your SAP Jam instance, in the format: https://<SAP_Jam_landscape>.sapjam.com. Example: https://jam4.sapjam.com
ProxyType: Internet
Authentication: BasicAuthentication
User: The OAuth client key created for your SAP Jam tenant (see Prerequisites).
Password: The OAuth client secret created for your SAP Jam tenant (see Prerequisites).
OAuth2TokenServiceURL: The URL of the access token service for your SAP Jam instance, in the format: https://<SAP_Jam_instance>/api/v1/auth/token. Example: https://jam4.sapjam.com/api/v1/auth/token
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your SAP Jam system. For more information, see Manage Transformations [page 37].
○ Mapping logic: the default transformation maps all attributes from the internal SCIM representation to the target entity. If the entity has e-mail addresses, the first entry is marked as primary.
○ User offboarding:
○ Users can be deleted from an SAP Jam system via the SCIM REST API. For more information, see SCIM: Deleting Resources.
○ Users can be deactivated by setting their active attribute to false. For more information, see SCIM: Singular Attributes. The default write transformation below takes this approach: in the deleteEntity scope it sets active to false instead of deleting the user.
Default transformation:
Read Transformation
{
  "user": {
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location", "targetVariable": "entityLocationSourceSystem", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location", "targetVariable": "entityLocationSourceSystem", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] }
    ],
    "scimEntityEndpoint": "Groups"
  }
}
Write Transformation
{
  "user": {
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id", "scope": "deleteEntity" },
      { "condition": "$.emails[0].length() > 0", "constant": true, "targetPath": "$.emails[0].primary" },
      { "constant": false, "targetPath": "$.active", "scope": "deleteEntity" },
      { "targetPath": "$.locale", "type": "remove" },
      { "condition": "($.locale EMPTY false) && ($.addresses[?(@.type == 'work')].country EMPTY false)", "sourcePath": "$.locale", "targetPath": "$.locale", "functions": [ { "function": "toLowerCaseString" }, { "function": "concatString", "suffix": "_" }, { "function": "concatString", "suffix": "$.addresses[?(@.type == 'work')].country" } ] }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" }
    ],
    "scimEntityEndpoint": "Groups"
  }
}
Next Steps
1. Before starting a provisioning job, you can subscribe to e-mail notifications for the source system used in your scenario. You are then notified by e-mail about any entities that fail during a job. For more information, see Manage Job Notifications [page 102].
2. Start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
Restriction
Bear in mind the following limits on the number of requests sent during a provisioning job:
● The SAP Jam SCIM API allows up to 13,000 requests per hour and up to 200 requests per minute.
● The Identity Provisioning service honors the 200 requests per minute limit: if more requests are due within a minute, the service waits until it can send them.
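The Identity Provisioning service does this pacing itself. The following added example (not SAP code) shows the same sliding-window behaviour for a script that calls the SAP Jam SCIM API directly, with both limits from the restriction above: a request that would exceed a window is delayed until the oldest request in that window ages out, and the delay is returned so it can be logged. The clock and sleep function are injected, so the behaviour can be checked deterministically; FakeClock and simulate() are constructed for the example.

```python
"""Client-side throttle for the SAP Jam SCIM API limits quoted above: 200 requests per minute and
13,000 per hour. Added example, not SAP code; the service applies its own pacing."""
import time
from collections import deque

LIMITS = ((200, 60.0), (13_000, 3_600.0))   # (max requests, window length in seconds)


class SlidingWindowLimiter:
    """Delays a request until every window has room; clock and sleep are injectable for tests."""
    def __init__(self, limits=LIMITS, clock=time.monotonic, sleep=time.sleep):
        self.limits, self.clock, self.sleep = limits, clock, sleep
        self.windows = [deque() for _ in limits]   # send times still inside each window, oldest first

    def _wait_needed(self, now):
        wait = 0.0
        for (max_requests, span), window in zip(self.limits, self.windows):
            while window and now - window[0] >= span:   # forget sends that left the window
                window.popleft()
            if len(window) >= max_requests:              # full: wait for the oldest send to age out
                wait = max(wait, span - (now - window[0]))
        return wait

    def acquire(self):
        """Block until a request may be sent; return the total delay imposed in seconds."""
        delayed = 0.0
        while (wait := self._wait_needed(self.clock())) > 0:
            self.sleep(wait)
            delayed += wait
        now = self.clock()
        for window in self.windows:
            window.append(now)
        return delayed


class FakeClock:
    """Simulated time for testing: sleep() advances the clock instead of blocking."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def simulate(n_requests, spacing=0.0, limits=LIMITS):
    """Push n requests `spacing` seconds apart through a limiter; return (total delay, end time)."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limits, clock=clock, sleep=clock.sleep)
    total = 0.0
    for _ in range(n_requests):
        total += limiter.acquire()
        clock.now += spacing
    return total, clock.now
```

simulate(201) shows the 201st back-to-back request being held for the full 60 seconds, and simulate(300, spacing=0.5) shows that a steady 120 requests per minute never waits. Note that 200 per minute sustained is 12,000 per hour, so the hourly window only matters for callers that burst faster than the per-minute limit allows; the limiter keeps both windows anyway so that a change to either figure is a one-line edit.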
1.5.3.4 Concur
Follow this procedure to set up Concur as a proxy system.
Prerequisites
● You have created a technical user with administrator permissions that will be used to call the Concur API for creating or updating user account information. For more information, see Concur API: User Account Information.
● You have registered a partner application in your Concur system. Administrator permissions are required to register the application. For more information, see Concur: Registering a Partner Application in Sandbox.
Context
Companies that use Concur for managing and controlling travel expenses, invoices, and similar spend can use the Identity Provisioning service to automate identity and access management for the Concur solution. Customers can reuse the identity data from their existing corporate identity stores, such as the AS ABAP user store, Microsoft Active Directory, and others. Customers can also reuse data from SAP cloud user stores, such as the employee data available in SAP SuccessFactors, or the internal and external users available in the user store of the Identity Authentication service.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add Concur as a proxy system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note
If you have already created a connectivity destination for this system in the SAP Cloud Platform cockpit, select it from the Destination dropdown box. If the same property is set both in the cockpit destination and in the Identity Provisioning UI, the value in the Properties tab takes precedence.
Mandatory Properties
Type: HTTP
URL: https://www.concursolutions.com
ProxyType: Internet
Authentication: BasicAuthentication
User: The user ID of the Concur technical user.
Password: The password of the Concur technical user.
X-ConsumerKey: The Concur consumer key. For more information, see Concur: Generate an Access Token.
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
4. Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your Concur target system. For more information, see Manage Transformations [page 37].
○ Mapping logic: when Concur is configured as a target, the default transformation offered by the Identity Provisioning service contains the minimum set of properties required to provision users successfully. You can change the default mapping rules to reflect your current setup of entities in the source system. Before you extend the default transformation, get familiar with the requirements of the Concur API to avoid inconsistencies. For more information, see Concur API: User Account Information.
○ User offboarding: the Identity Provisioning service handles the end-to-end lifecycle of users, including their offboarding. For some source systems, the final step of this lifecycle is the deletion of the user, or the user being set to inactive. The Concur solution, however, does not allow user accounts to be deleted, so Concur user accounts are always offboarded by disabling them. When a user is deleted or set to inactive in a system configured as a source for provisioning to Concur, the corresponding Concur account is disabled (the attribute at "targetPath": "$.Active" gets the value "N").
Caution
The Concur API requires an initial password for every newly provisioned user account. The default transformation contains a password statement with an empty string as its value, but the statement is marked "ignore": true so that a wrong default initial password is never pushed to your systems. While the password statement is ignored, provisioning to Concur does not work. To enable provisioning to Concur:
1. Enable the password statement: either delete "ignore": true, or set it to "ignore": false.
2. Set a proper statement for the password attribute value ("targetPath": "$.Password").
(Optional) You can leave the default empty string, or use the randomPassword function to generate a random initial password for each newly created Concur account. With either option, if you do not use a single sign-on solution for Concur, you must also set up a password reset process in your company so that corporate users receive the initial password for their new Concur accounts securely. For more information, see JSON Expressions [page 38] → Transformation Functions.
Default transformation:
Read Transformation
{
  "user": {
    "mappings": [
      { "sourcePath": "$.EmployeeID", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem", "functions": [ { "type": "compositeId", "subId": "$.LoginID" } ] },
      { "sourcePath": "$.EmployeeID", "targetPath": "$.userName" },
      { "sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location", "targetVariable": "entityLocationSourceSystem", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] },
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" },
      { "sourcePath": "$.PrimaryEmail", "targetPath": "$.emails[0].value" },
      { "constant": true, "targetPath": "$.emails[0].primary" },
      { "sourcePath": "$.FirstName", "optional": true, "targetPath": "$.name.givenName" },
      { "sourcePath": "$.LastName", "optional": true, "targetPath": "$.name.familyName" },
      { "sourcePath": "$.CellPhoneNumber", "optional": true, "targetPath": "$.phoneNumbers[0].value" }
    ],
    "scimEntityEndpoint": "Users"
  }
}
Write Transformation
{
  "user": {
    "mappings": [
      { "sourcePath": "$.userName", "targetPath": "$.EmpId" },
      { "sourcePath": "$.emails[0].value", "targetPath": "$.EmailAddress" },
      { "sourcePath": "$.emails[0].value", "targetPath": "$.LoginId" },
      { "sourcePath": "$.name.givenName", "targetPath": "$.FirstName" },
      { "sourcePath": "$.name.familyName", "targetPath": "$.LastName" },
      { "constant": "N", "targetPath": "$.Active" },
      { "condition": "$.active == true", "constant": "Y", "targetPath": "$.Active" },
      { "constant": "N", "targetPath": "$.ExpenseApprover" },
      { "constant": "N", "targetPath": "$.ExpenseUser" },
      { "constant": "N", "targetPath": "$.InvoiceApprover" },
      { "constant": "N", "targetPath": "$.InvoiceUser" },
      { "constant": "N", "targetPath": "$.IsTestEmp" },
      { "constant": "N", "targetPath": "$.TripUser" },
      { "ignore": true, "constant": "", "targetPath": "$.Password" },
      { "constant": "USD", "targetPath": "$.CrnKey" },
      { "constant": "US", "targetPath": "$.CtryCode" },
      { "sourcePath": "$.locale", "optional": true, "targetPath": "$.CtryCode", "functions": [ { "type": "substring", "beginIndex": 3 } ] },
      { "constant": "en_US", "targetPath": "$.LocaleName" },
      { "constant": "US", "targetPath": "$.Custom21" },
      { "constant": "DEFAULT", "targetPath": "$.LedgerName" },
      { "constant": "DEFAULT", "targetPath": "$.LedgerCode" }
    ],
    "scimEntityEndpoint": "Users"
  }
}
Concur offers three types of edition sites: Standard, Professional and Standard-to-Professional Upgrade. The Identity Provisioning service supports the Standard one, which allows you to provision users without grouping them into organizational units. For more information, see: Concur (Target System) [page 193]
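The following script is an added example and is not SAP code. It carries out the two steps from the caution above on the default Concur write mapping: it removes "ignore": true from the $.Password statement and attaches a randomPassword function, using the parameter names that the Microsoft Azure Active Directory mapping earlier on this page passes to that function. Because the page does not document how the service draws its randomness, the script also implements those parameters as a checkable contract with the secrets module, so that the password reset process mentioned in the caution can verify what it hands out. The policy values, the special-symbol alphabet and the test mapping are choices made for this example, not documented Concur requirements.

```python
"""Turn on the Concur password statement with a policy-compliant random initial password.
Added example, not SAP code: how the service itself draws randomness is not documented on this
page, so the generator below implements the randomPassword parameters as a checkable contract."""
import copy
import secrets
import string

DEFAULT_PASSWORD_RULE = {"ignore": True, "constant": "", "targetPath": "$.Password"}

# Parameter names as in the randomPassword statement of the Azure AD mapping earlier on this page;
# requiring one special symbol is this example's choice, not a documented Concur requirement.
POLICY = {"type": "randomPassword", "passwordLength": 16, "minimumNumberOfLowercaseLetters": 1,
          "minimumNumberOfUppercaseLetters": 1, "minimumNumberOfDigits": 1,
          "minimumNumberOfSpecialSymbols": 1}

CLASSES = {
    "minimumNumberOfLowercaseLetters": string.ascii_lowercase,
    "minimumNumberOfUppercaseLetters": string.ascii_uppercase,
    "minimumNumberOfDigits": string.digits,
    "minimumNumberOfSpecialSymbols": "!#$%&*+-=?@_",   # conservative set; assumed to be accepted
}


def enable_password_statement(mappings, policy=POLICY):
    """Return a copy of the write mapping with the $.Password rule active and randomPassword attached."""
    result = copy.deepcopy(mappings)
    for rule in result:
        if rule.get("targetPath") == "$.Password":
            rule.pop("ignore", None)        # step 1 of the caution: stop ignoring the statement
            rule.pop("constant", None)      # step 2: the generated value replaces the empty string
            rule["functions"] = [dict(policy)]
            return result
    raise ValueError("mapping has no $.Password statement")


def random_password(policy):
    """Draw a password that meets the minimum class counts; raise if they cannot fit the length."""
    length = policy["passwordLength"]
    chars = [secrets.choice(alphabet) for key, alphabet in CLASSES.items()
             for _ in range(policy.get(key, 0))]
    if len(chars) > length:
        raise ValueError("minimum class counts exceed passwordLength")
    pool = "".join(a for k, a in CLASSES.items() if policy.get(k, 0) > 0) or string.ascii_letters
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)   # required classes must not sit at fixed positions
    return "".join(chars)


def satisfies(password, policy):
    """Check a password against the same policy (useful on the receiving side of a reset process)."""
    return len(password) == policy["passwordLength"] and all(
        sum(c in alphabet for c in password) >= policy.get(key, 0) for key, alphabet in CLASSES.items())
```

enable_password_statement(write_mapping["user"]["mappings"]) returns the edited rule list to paste back into the Transformations tab; the original list is left untouched so the default can be kept for comparison. The generated password never reaches the mapping itself, which is the point: the service computes it at provisioning time, and the only copy your organisation holds is the one the reset process delivers to the user.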
Next Steps
1. Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
Related Information
Concur: Registering a Partner Application in Sandbox
Concur: Generate an Access Token
Concur API: User Account Information
1.5.3.5 SCIM System
Follow this procedure to set up SCIM as a proxy system.
Prerequisites
● You have installed the Cloud Connector in your corporate environment and have done the initial configuration. You need this only if the SCIM system is exposed in a private corporate network. For more information, see SAP Cloud Platform Connector.
● You have technical user credentials for a SCIM system, with read/write access permissions, depending on the scenario you want to implement. In case OAuth is used for authentication, client ID and secret are required when creating a destination for access token retrieval.
Context
Procedure
1. (Optional) If the SCIM system is exposed in a private corporate network, add an access control system mapping in Cloud Connector. For more information, see Configuring Access Control (HTTP).
2. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
3. Add SCIM System as a proxy system. For more information, see Add System [page 59].
4. Choose the Properties tab to configure the connection settings for your system.
Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
Mandatory Properties

Property Name: Value

Type
Enter: HTTP

URL
Specify the service URL. For example:
http://<cloudfoundry_server>.com/api/uaa/
Use an https URL for any productive SCIM system: the technical user password or the OAuth access token is sent with every request and must not cross the network in clear text.

ProxyType
Enter Internet or OnPremise.

Authentication
Enter: BasicAuthentication

User
You can specify one of the following:
○ Technical user ID
○ Client ID for OAuth HTTP destinations. It is used for retrieving the access token.

Password
You can enter one of the following:
○ Technical user password
○ Client secret for OAuth HTTP destinations. It is used for retrieving the access token.

OAuth2TokenServiceURL
If you need to make OAuth authentication to the system, enter the URL to the access token provider service for OAuth HTTP destinations. For example:
https://token-provider.com/api/auth/token
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
5. Configure the transformations.
You can change the default transformation mapping rules to reflect your current setup of entities in your SCIM system. For more information, see Manage Transformations [page 37].
○ Mapping logic – The behavior of the default transformation logic is to map all attributes from the internal SCIM representation to the target entity. If the entity has e-mail addresses, the first entry will be marked as primary.
○ User offboarding – Users can be deleted from the target system. Depending on the implementation, this could be done through a user interface (if such exists) or the SCIM REST API. Users could be deactivated, depending on the SCIM system implementation. The SCIM core schema defines an attribute “active”, whose definition depends on the service provider. For more information, see SCIM: Singular Attributes
Default transformation:
Read Transformation
{ "user": { "mappings": [
    { "sourcePath": "$", "targetPath": "$" },
    { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
    { "sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location", "targetVariable": "entityLocationSourceSystem", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] }
  ], "scimEntityEndpoint": "Users" },
  "group": { "ignore": true, "mappings": [
    { "sourcePath": "$", "targetPath": "$" },
    { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
    { "sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location", "targetVariable": "entityLocationSourceSystem", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] }
  ], "scimEntityEndpoint": "Groups" }
}

Write Transformation
{ "user": { "mappings": [
    { "sourcePath": "$", "targetPath": "$" },
    { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
    { "condition": "$.emails[0].length() > 0", "constant": true, "targetPath": "$.emails[0].primary" }
  ], "scimEntityEndpoint": "Users" },
  "group": { "ignore": true, "mappings": [
    { "sourcePath": "$", "targetPath": "$" },
    { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" }
  ], "scimEntityEndpoint": "Groups" }
}
Next Steps
1. Before starting a provisioning job, you can first subscribe to e-mail notifications for the source system you use in your scenario. This way, you will be notified by e-mail about any entities that fail during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.3.6 Google G Suite
Follow this procedure to set up Google G Suite as a proxy system.
Prerequisites
1. Log on to the Google API console (https://console.developers.google.com) and create a project.
2. Enable the Admin SDK. To do this, go to Dashboard → ENABLE API → Admin SDK → ENABLE.
3. Create a service account for your project. We recommend that you select Enable G Suite Domain-wide Delegation during the creation. If you skip this option, you can set it later. For more information, see Creating a service account.
4. Then, in the Google admin console (https://admin.google.com), a user with the Super Admin role can delegate domain-wide authority to your service account. This way, it will have access to the Google Admin SDK on behalf of your user. For more information, see Delegating domain-wide authority.
Note
When specifying the scopes, the administrator has to enter the following:
https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group
Context
A Google service account with delegated domain-wide authority is required for authentication and authorization of the Identity Provisioning service to the G Suite domain. The authentication is based on the OAuth 2.0 protocol with a JSON Web Token (JWT). The private key for the signature is distributed by Google via one-time downloadable JSON data, which is accessible by the domain administrator. The private key is PKCS8-encoded and is in the private_key field of the JSON data. For more information, see JSON Web Token (JWT).
Treat that JSON file as an administrator credential: with the delegated scopes, whoever holds the key can read and change every user and group in the domain on behalf of the jwt.subject user. Keep it out of version control and shared drives, and delete local copies once the key has been entered in the Password property.
● When using it as a source system, you can read both users and groups from Google G Suite and provision them to any target system you have added in the Identity Provisioning user interface.
● When using it as a target system, you can write both users and groups, read from any source system you have added in the Identity Provisioning user interface. Google G Suite can automatically create accounts for your users in the Google Cloud Datastore.
The Identity Provisioning service supports user and group operations based on the following Google Directory API operations:

User Operations: create a user, retrieve a user, update a user, delete a user
Group Operations: create a group, retrieve a group's properties, update a group's properties, delete a group

Caution
You can only provision users whose e-mails are from verified domains.
If you have successfully finished with the initial setup (described in the Prerequisites section), continue with the procedure below.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add Google G Suite as a proxy system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
Mandatory Properties

Property Name: Description & Value

Type
Enter: HTTP

URL
Specify the service URL:
https://www.googleapis.com/admin/directory

ProxyType
Enter: Internet

Authentication
Enter: BasicAuthentication
The authentication type in use is actually OAuth with JWT. But for any provisioning system based on OAuth, BasicAuthentication is used along with the OAuth2TokenServiceURL additional property.

User
Enter the service account's ID. You can take it from the "client_email" field in the JSON data, downloaded during the setup of the Google service account.

Password
Enter the service account's private key, which is a long string in PKCS8 format. You can take it from the "private_key" field in the JSON data, downloaded during the setup of the Google service account.

OAuth2TokenServiceURL
To make OAuth authentication to the Google G Suite system, enter the URL to the access token provider service. For more information, see Using OAuth 2.0 to Access Google APIs.

jwt.subject
Enter the Google G Suite user on behalf of which the Google Directory API is called. This user has been assigned the role User Management Admin.
This property corresponds to the "sub" claim in the JWT generated during the access token request: JWT: "sub" (Subject) Claim
To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
Exemplary Configuration:
Name=MyGGSDestination
URL=https://www.googleapis.com/admin/directory
ProxyType=Internet
Type=HTTP
Authentication=BasicAuthentication
User=<client_email from the service account JSON>
Password=-----BEGIN PRIVATE KEY-----\n123ABCDEFG123456789...
… /123456789ABCDEFG123=\n-----END PRIVATE KEY-----\n
OAuth2TokenServiceURL=https://www.googleapis.com/oauth2/v4/token
jwt.subject=<G Suite user with the User Management Admin role>
# jwt.scope=https://www.googleapis.com/auth/admin.directory.user
The Password line holds the complete private key on one line, with every line break of the PEM block written as \n; a key pasted without those breaks or cut short is rejected at token retrieval.
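The JWT exchange that the Context section and the jwt.subject property describe, as an added example in Go; it is not part of the SAP documentation and not the service's own code. It generates a throwaway RSA key in place of Google's one-time downloadable key (so it runs offline), parses the PEM text the way the Password property has to be parsed, signs the assertion with iss = client_email, sub = jwt.subject, scope = the two delegated scopes and aud = OAuth2TokenServiceURL, and then verifies it as the token endpoint would. The service-account and admin e-mail addresses used by callers are assumed placeholders; the real assertion is posted to the token URL as grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<jwt>.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"strings"
	"time"
)

// Property values from the table above; the e-mail addresses used by callers are assumed.
const (
	tokenURL   = "https://www.googleapis.com/oauth2/v4/token" // OAuth2TokenServiceURL, also the JWT "aud"
	scopeUser  = "https://www.googleapis.com/auth/admin.directory.user"
	scopeGroup = "https://www.googleapis.com/auth/admin.directory.group"
)

// newDemoKey generates a throwaway RSA key as a stand-in for Google's one-time
// downloadable key and renders it exactly as it is pasted into the Password
// property: a PKCS8 "-----BEGIN PRIVATE KEY-----" PEM block.
func newDemoKey() (*rsa.PrivateKey, string) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKCS8PrivateKey(key) // cannot fail for a valid RSA key
	return key, string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
}

// parsePKCS8 is what a consumer of the Password property has to do with it.
func parsePKCS8(pemText string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, errors.New("Password is not a PKCS8 PEM block")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	if key, ok := parsed.(*rsa.PrivateKey); ok {
		return key, nil
	}
	return nil, errors.New("not an RSA private key")
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signAssertion builds the RS256 JWT that is posted to the token endpoint as
// grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer. iss is the service
// account (User property); sub is jwt.subject, the admin being impersonated.
func signAssertion(key *rsa.PrivateKey, clientEmail, subject string, scopes []string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientEmail, "sub": subject, "aud": tokenURL, "scope": strings.Join(scopes, " "),
		"iat": now.Unix(), "exp": now.Add(time.Hour).Unix(), // Google allows at most one hour
	})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifyAssertion checks what the token endpoint checks: the signature against
// the service account's public key, then audience and expiry of the claims.
func verifyAssertion(token string, pub *rsa.PublicKey, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, errSig := base64.RawURLEncoding.DecodeString(parts[2])
	payload, errPayload := base64.RawURLEncoding.DecodeString(parts[1])
	if errSig != nil || errPayload != nil {
		return nil, errors.New("bad base64url encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature check failed") // reject before reading any claim
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	if claims["aud"] != tokenURL {
		return nil, errors.New("audience is not the token endpoint")
	}
	if exp, _ := claims["exp"].(float64); int64(exp) <= now.Unix() {
		return nil, errors.New("assertion expired")
	}
	return claims, nil
}
```

Two details in verifyAssertion matter beyond this example: the algorithm is fixed to RS256 rather than read from the token header, and the signature is checked before any claim is trusted. The parse step also tells you at configuration time whether the value pasted into Password is the complete key: a missing \n or a truncated line fails in pem.Decode instead of at the first provisioning job.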
4. (Optional) Configure the transformations.
Any target transformation should produce JSON data, which is required by the Google Directory API. See Directory API (Reference): Users .
Transformation principles for the target system integration:
○ Mapping logic – The provisioning framework reads all attributes from the intermediate JSON data and tries to create consistent records in the Google G Suite target system, using all the available attributes accepted by the Google Directory API. When a required attribute is missing, the default transformation is designed with a condition that excludes the inconsistent records. Bear in mind the following:
  ○ Make sure that the JSON data sent by the source system is consistent with the configuration template of the target. For example, if the source system contains mandatory fields and the target one does not support such kind of data, then the target system skips these fields. This may cause crucial data loss.
  ○ There is a special user status type called suspended (temporarily blocks a user without deleting any account data) for the Google directory accounts. When the status of the user account is changed to suspended, the Google Directory API will not accept any changes on the user attributes. Once the suspended user is restored by the administrator, all attribute changes pending for the account will be successfully provisioned with the next provisioning job.
Caution
An initial password is mandatory for all newly provisioned users. This is required by the Google G Suite API and must be provided when new accounts are created. In the default transformation the password attribute is scoped to createEntity and filled by the randomPassword function (16 characters, at least one lowercase letter, one uppercase letter and one digit), and changePasswordAtNextLogin is set to true, so every new account gets a different, unrecorded initial password that the user must replace at first login. If you replace this with a constant, every account you create shares one password known to whoever can read the transformation; do not use such a constant in a productive Google G Suite system.
○ User offboarding – The Identity Provisioning service handles the deletion status of users. When a user is deleted from the source system, this deletion is enforced in the Google G Suite system as well.
Default transformation:
Read Transformation
{ "user": { "mappings": [
    { "sourcePath": "$.id", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem" },
    { "sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location", "targetVariable": "entityLocationSourceSystem", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] },
    { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" },
    { "sourcePath": "$.primaryEmail", "targetPath": "$.emails[0].value" },
    { "sourcePath": "$.primaryEmail", "targetPath": "$.userName" },
    { "constant": true, "targetPath": "$.emails[0].primary" },
    { "sourcePath": "$.name", "targetPath": "$.name" },
    { "constant": true, "targetPath": "$.active" },
    { "condition": "$.suspended == true", "constant": false, "targetPath": "$.active" }
  ], "scimEntityEndpoint": "Users" },
  "group": { "mappings": [
    { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
    { "sourcePath": "$.id", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem" },
    { "sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location", "targetVariable": "entityLocationSourceSystem", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] },
    { "sourcePath": "$.name", "targetPath": "$.displayName" },
    { "sourcePath": "$.members[?((@.type == 'USER') && (@.status == 'ACTIVE'))]", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members" },
    { "targetPath": "$.members[*].status", "type": "remove" },
    { "constant": "value", "targetPath": "$.members[*].id", "type": "rename" },
    { "targetPath": "$.members[*].kind", "type": "remove" },
    { "targetPath": "$.members[*].etag", "type": "remove" },
    { "targetPath": "$.members[*].role", "type": "remove" },
    { "constant": "display", "targetPath": "$.members[*].email", "type": "rename" }
  ], "scimEntityEndpoint": "Groups" }
}

Write Transformation
{ "user": { "condition": "($.emails.length() > 0) && ($.name.familyName EMPTY false)", "mappings": [
    { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
    { "sourcePath": "$.name", "targetPath": "$.name" },
    { "sourcePath": "$.emails[0].value", "targetPath": "$.primaryEmail" },
    { "sourcePath": "$.phoneNumbers", "optional": true, "targetPath": "$.phones" },
    { "targetPath": "$.password", "scope": "createEntity", "functions": [ { "type": "randomPassword", "passwordLength": 16, "minimumNumberOfLowercaseLetters": 1, "minimumNumberOfUppercaseLetters": 1, "minimumNumberOfDigits": 1, "minimumNumberOfSpecialSymbols": 0 } ] },
    { "constant": "false", "targetPath": "$.suspended" },
    { "condition": "$.active == false", "constant": true, "targetPath": "$.suspended" },
    { "constant": "true", "targetPath": "$.changePasswordAtNextLogin" }
  ], "scimEntityEndpoint": "Users" },
  "group": { "mappings": [
    { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
    { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
    { "sourcePath": "$.displayName", "targetPath": "$.email", "scope": "createEntity" },
    { "sourcePath": "$.displayName", "targetPath": "$.name" },
    { "sourcePath": "$.members", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members" },
    { "constant": "id", "targetPath": "$.members[*].value", "type": "rename" },
    { "targetPath": "$.members[*].display", "type": "remove" }
  ], "scimEntityEndpoint": "Groups" }
}
If the displayName attribute in the source system transformation does not provide group e-mails, you can modify the transformation in the following ways:
○ Map email to another attribute that contains a unique group e-mail.
○ Concatenate the displayName attribute with your domain. For example:
Sample Code
{ "sourcePath": "$.displayName", "targetPath": "$.email", "scope": "createEntity", "functions": [ { "type": "concatString", "suffix": "@test.myaccount.ondemand.com" } ] }
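The write mapping described under the transformation principles (consistency condition, suspended derived from active, createEntity-scoped random password with forced change at next login) and the group e-mail derivation just above, as an added Go example; it is neither SAP's transformation engine nor code from the documentation. It hard-codes the default transformation's rules for a reduced SCIM record instead of interpreting the JSON, and its groupEmail goes beyond the page's concatString by normalising the display name into a valid local part. The sample users are constructed.

```go
package main

import (
	"crypto/rand"
	"errors"
	"math/big"
	"regexp"
	"strings"
)

// scimUser: the intermediate SCIM record (only what the Google mapping uses).
type scimUser struct {
	ID     string
	Active bool
	Name   struct{ GivenName, FamilyName string }
	Emails []string
}

// newSCIMUser builds a constructed sample record; an empty email yields no entry.
func newSCIMUser(id, given, family, email string, active bool) scimUser {
	u := scimUser{ID: id, Active: active}
	u.Name.GivenName, u.Name.FamilyName = given, family
	if email != "" {
		u.Emails = append(u.Emails, email)
	}
	return u
}

// gsuiteUser is the body sent to the Directory API users resource.
type gsuiteUser struct {
	PrimaryEmail              string            `json:"primaryEmail"`
	Name                      map[string]string `json:"name"`
	Suspended                 bool              `json:"suspended"`
	Password                  string            `json:"password,omitempty"`
	ChangePasswordAtNextLogin bool              `json:"changePasswordAtNextLogin,omitempty"`
}

// errInconsistent is the transformation's top-level condition as an error:
// a record without e-mail or family name is skipped, not sent half-formed.
var errInconsistent = errors.New("record has no e-mail or no family name; skipped")

// toGSuiteUser applies the write mapping; create selects the createEntity-scoped
// rules (random initial password, forced change at next login).
func toGSuiteUser(u scimUser, create bool) (gsuiteUser, error) {
	if len(u.Emails) == 0 || u.Name.FamilyName == "" {
		return gsuiteUser{}, errInconsistent
	}
	g := gsuiteUser{
		PrimaryEmail: u.Emails[0],
		Name:         map[string]string{"givenName": u.Name.GivenName, "familyName": u.Name.FamilyName},
		Suspended:    !u.Active, // "$.active == false" -> suspended
	}
	if create {
		pw, err := randomPassword()
		if err != nil {
			return gsuiteUser{}, err
		}
		g.Password, g.ChangePasswordAtNextLogin = pw, true
	}
	return g, nil
}

const passwordLength = 16
const lower, upper, digits = "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "0123456789"

// randomPassword stands in for the randomPassword transformation function with
// the default policy. crypto/rand because the value is a credential; it resamples
// until the policy holds rather than forcing classes into fixed positions.
func randomPassword() (string, error) {
	alphabet := lower + upper + digits
	for {
		b := make([]byte, passwordLength)
		for i := range b {
			n, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
			if err != nil {
				return "", err
			}
			b[i] = alphabet[n.Int64()]
		}
		if passwordMeetsPolicy(string(b)) {
			return string(b), nil
		}
	}
}

func passwordMeetsPolicy(p string) bool {
	return len(p) == passwordLength && strings.ContainsAny(p, lower) &&
		strings.ContainsAny(p, upper) && strings.ContainsAny(p, digits)
}

// groupEmail derives a group address from displayName as the page's concatString
// suffix does, after normalising it into a valid local part.
func groupEmail(displayName, domain string) (string, error) {
	local := regexp.MustCompile(`[^a-z0-9._-]+`).ReplaceAllString(strings.ToLower(strings.TrimSpace(displayName)), "-")
	if local = strings.Trim(local, "-."); local == "" {
		return "", errors.New("displayName yields an empty local part")
	}
	return local + "@" + domain, nil
}
```

The generated password is stored nowhere and shown to no one, which is why it only makes sense together with changePasswordAtNextLogin: the account becomes usable after a reset or through federated sign-in. A constant in its place would give every provisioned account the same known password.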
Next Steps
1. Before starting a provisioning job, you can first subscribe to e-mail notifications for the source system you use in your scenario. This way, you will be notified by e-mail about any entities that fail during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.3.7 Microsoft Azure Active Directory
Follow this procedure to set up Microsoft Azure Active Directory as a proxy system.
Prerequisites
● You have logged on to Microsoft Azure Portal with credentials for a user with the directory role Global administrator. For more information, see Microsoft: Assigning administrator roles in Azure Active Directory.
● In Azure Active Directory App registrations , you have registered an application with a secret key and permissions (see below) for Microsoft Graph API. These permissions must be consented by an administrator. For more information, see Microsoft Graph permissions reference .
● (Relevant to target systems) Your registered application is assigned the User Account Administrator role. This role allows you to deprovision users. For more information, see MS Azure PowerShell: Add-MsolRoleMember .
Note
If this role is not assigned, you can only disable users. To do that, set the accountEnabled property to false. For more information, see MS Graph: user resource type
Permissions
Assign the following permissions to your application, according to your scenario:
● Users – User.ReadWrite.All, Directory.AccessAsUser.All
● Groups – Group.ReadWrite.All
For more information, see MS Graph: Users and MS Graph: Groups
Context
When using it as a proxy system, you can write both users and groups, read from any source system you have added in the Identity Provisioning user interface. The Azure AD target systems use Microsoft Graph API. For more information, see Microsoft Graph .
If you have successfully finished with the initial setup (described in the Prerequisites section), continue with the procedure below.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add Microsoft Azure Active Directory as a proxy system. For more information, see Add System [page 59].
3. Choose the Properties tab to configure the connection settings for your system.
Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
Mandatory Properties

Property Name: Description & Value

Type
Enter: HTTP

URL
Enter: https://graph.microsoft.com

ProxyType
Enter: Internet

Authentication
Enter: BasicAuthentication

User
Enter the application ID registered in your Azure AD subscription (see the Prerequisites section).

Password
Enter the secret key associated to your app registration.

aad.domain.name
Enter one of the verified domain names from the corresponding Azure AD tenant. On this domain, you will perform the provisioning operations. For more information, see Microsoft: Manage domain names.

oauth.resource.name
Enter: https://graph.microsoft.com

OAuth2TokenServiceURL
Enter: https://login.microsoftonline.com/{your_domain}/oauth2/token, where {your_domain} is the domain name you have set in the aad.domain.name property.

To learn what additional properties are relevant to your scenario, see List of Properties [page 67]. You can search or filter the table by your system type name, as well as by "All Systems".
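How the BasicAuthentication plus OAuth2TokenServiceURL combination works, for the SCIM System section above as well as for Azure AD here, as an added Go example that is not code from SAP or from Microsoft: the User/Password pair is sent as client ID and secret in a client_credentials grant, resource carries oauth.resource.name when set, and the resulting bearer token is then used on a SCIM Users call. A constructed TLS test server plays both the token endpoint and the SCIM endpoint so the exchange runs offline. Sending the credentials in the HTTP Basic header rather than the form body, refusing plain-http token URLs and the expiry bookkeeping are this example's choices, not documented behaviour of the service; the client ID, secret and user names are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

type tokenResponse struct {
	AccessToken string    `json:"access_token"`
	ExpiresIn   int64     `json:"expires_in"`
	obtained    time.Time // receipt time, so the caller knows when to refresh
}

func (t *tokenResponse) expired(now time.Time) bool {
	return !now.Before(t.obtained.Add(time.Duration(t.ExpiresIn) * time.Second))
}

// fetchToken is the client_credentials grant behind "BasicAuthentication +
// OAuth2TokenServiceURL": User/Password (client ID/secret) travel in the Basic
// header; resource (Azure AD's oauth.resource.name) is added to the form if set.
func fetchToken(c *http.Client, tokenURL, clientID, clientSecret, resource string, now time.Time) (*tokenResponse, error) {
	if !strings.HasPrefix(tokenURL, "https://") {
		return nil, errors.New("OAuth2TokenServiceURL must be https: the client secret is sent in this request")
	}
	form := url.Values{"grant_type": {"client_credentials"}}
	if resource != "" {
		form.Set("resource", resource)
	}
	req, _ := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	req.SetBasicAuth(clientID, clientSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	tok := &tokenResponse{obtained: now}
	if err := json.NewDecoder(resp.Body).Decode(tok); err != nil || tok.AccessToken == "" {
		return nil, errors.New("token endpoint returned no usable access_token")
	}
	return tok, nil
}

// listUsers reads the SCIM Users endpoint with the bearer token and returns the
// userName of each resource.
func listUsers(c *http.Client, scimBaseURL string, tok *tokenResponse) ([]string, error) {
	req, _ := http.NewRequest(http.MethodGet, strings.TrimRight(scimBaseURL, "/")+"/Users", nil)
	req.Header.Set("Authorization", "Bearer "+tok.AccessToken)
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("SCIM Users returned HTTP %d", resp.StatusCode)
	}
	var page struct{ Resources []struct{ UserName string `json:"userName"` } `json:"Resources"` }
	if err := json.NewDecoder(resp.Body).Decode(&page); err != nil {
		return nil, err
	}
	names := make([]string, 0, len(page.Resources))
	for _, r := range page.Resources {
		names = append(names, r.UserName)
	}
	return names, nil
}

// newFakeProvider is a constructed stand-in for both endpoints so the exchange
// runs offline: /token checks client credentials and resource, /Users checks
// the bearer token and returns two constructed SCIM users.
func newFakeProvider(clientID, clientSecret, resource string) *httptest.Server {
	const issued = "constructed-access-token"
	mux := http.NewServeMux()
	mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		badClient := r.Method != http.MethodPost || !ok || id != clientID || secret != clientSecret
		badForm := r.ParseForm() != nil || r.PostForm.Get("grant_type") != "client_credentials" || r.PostForm.Get("resource") != resource
		if badClient || badForm {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, `{"access_token":%q,"token_type":"Bearer","expires_in":3600}`, issued)
	})
	mux.HandleFunc("/Users", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+issued {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"totalResults":2,"Resources":[{"userName":"alice@example.com"},{"userName":"bob@example.com"}]}`)
	})
	return httptest.NewTLSServer(mux) // TLS, so the https check in fetchToken holds
}
```

The https check is the one line to keep when adapting this: both the client secret and every bearer token it yields pass through the token URL and the service URL, so neither may be plain http outside a loopback test.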
4. (Optional) Configure the transformations.
Default transformation:

Read Transformation
{ "user": { "condition": "$.userPrincipalName EMPTY false", "mappings": [
    { "sourcePath": "$.id", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem" },
    { "sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location", "targetVariable": "entityLocationSourceSystem", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] },
    { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" },
    { "sourcePath": "$.mail", "targetPath": "$.emails[0].value" },
    { "sourcePath": "$.userPrincipalName", "targetPath": "$.userName" },
    { "sourcePath": "$.displayName", "optional": true, "targetPath": "$.displayName" },
    { "sourcePath": "$.givenName", "optional": true, "targetPath": "$.name.givenName" },
    { "sourcePath": "$.surname", "optional": true, "targetPath": "$.name.familyName" },
    { "sourcePath": "$.mobilePhone", "optional": true, "targetPath": "$.phoneNumbers[0].value" },
    { "condition": "$.businessPhones.length() > 0", "constant": "mobile", "targetPath": "$.phoneNumbers[0].type" },
    { "sourcePath": "$.businessPhones[0]", "optional": true, "targetPath": "$.phoneNumbers[1].value" },
    { "condition": "$.businessPhones.length() > 0", "constant": "work", "targetPath": "$.phoneNumbers[1].type" }
  ], "scimEntityEndpoint": "Users" },
  "group": { "mappings": [
    { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
    { "sourcePath": "$.id", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem" },
    { "sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location", "targetVariable": "entityLocationSourceSystem", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] },
    { "sourcePath": "$.displayName", "targetPath": "$.displayName" },
    { "sourcePath": "$.members", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members[?(@.value)]" }
  ], "scimEntityEndpoint": "Groups" }
}

Write Transformation
{ "user": { "mappings": [
    { "sourcePath": "$.onPremisesImmutableId", "optional": true, "targetPath": "$.onPremisesImmutableId" },
    { "sourcePath": "$.active", "optional": true, "targetPath": "$.accountEnabled" },
    { "sourcePath": "$.name.givenName", "optional": true, "targetPath": "$.mailNickname" },
    { "sourcePath": "$.displayName", "optional": true, "targetPath": "$.displayName" },
    { "sourcePath": "$.name.givenName", "optional": true, "targetPath": "$.givenName" },
    { "sourcePath": "$.name.familyName", "optional": true, "targetPath": "$.surname" },
    { "sourcePath": "$.addresses[0].locality", "optional": true, "targetPath": "$.city" },
    { "sourcePath": "$.addresses[0].country", "optional": true, "targetPath": "$.country" },
    { "sourcePath": "$.userName", "targetPath": "$.userPrincipalName", "scope": "createEntity", "functions": [ { "type": "concatString", "suffix": "@%aad.domain.name%" } ] },
    { "sourcePath": "$.active", "targetPath": "$.accountEnabled", "scope": "createEntity" },
    { "sourcePath": "$.name.givenName", "targetPath": "$.mailNickname", "scope": "createEntity" },
    { "sourcePath": "$.displayName", "targetPath": "$.displayName", "scope": "createEntity" },
    { "targetPath": "$.passwordProfile.password", "scope": "createEntity", "functions": [ { "type": "randomPassword", "passwordLength": 16, "minimumNumberOfLowercaseLetters": 1, "minimumNumberOfUppercaseLetters": 1, "minimumNumberOfDigits": 1, "minimumNumberOfSpecialSymbols": 0 } ] },
    { "constant": false, "targetPath": "$.passwordProfile.forceChangePasswordNextSignIn", "scope": "createEntity" }
  ], "scimEntityEndpoint": "Users" },
  "group": { "mappings": [
    { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
    { "sourcePath": "$.displayName", "optional": true, "targetPath": "$.displayName" },
    { "sourcePath": "$.displayName", "targetPath": "$.displayName", "scope": "createEntity" },
    { "sourcePath": "$.externalId", "targetPath": "$.mailNickname", "scope": "createEntity" },
    { "constant": true, "targetPath": "$.mailEnabled", "scope": "createEntity" },
    { "constant": false, "targetPath": "$.securityEnabled", "scope": "createEntity" },
    { "constant": "Unified", "targetPath": "$.groupTypes[0]", "scope": "createEntity" }
  ], "scimEntityEndpoint": "Groups" }
}
Next Steps
1. Before starting a provisioning job, you can first subscribe to e-mail notifications for the source system you use in your scenario. This way, you will be notified by e-mail about any entities that fail during the jobs. For more information, see Manage Job Notifications [page 102].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 98].
1.5.4 Local Identity Directory
Prerequisites
You have enabled Beta Features in SAP Cloud Platform cockpit and have access to the Identity Directory (Beta) tile. For more information, see Enabling Identity Directory [page 250].
Context
The identity directory is part of the Identity Provisioning service and provides organizations with a directory for storing and managing users and groups in SAP Cloud Platform. Users and groups in this directory can then be provisioned to various cloud systems (both SAP and non-SAP) supported by the Identity Provisioning service.
The Local Identity Directory system, which you can find in the Identity Provisioning UI, is a SCIM-based connector.
To use the Identity Directory as a local connector, you need to perform two main provisioning tasks:
1. Add a source system and provision its entities to Local Identity Directory (as a target).
2. Add the Local Identity Directory (as a source) and provision its entities to another target system.
Below is an exemplary scenario that includes Local Identity Directory, SAP SuccessFactors and Microsoft Azure AD.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning (Standalone) [page 26].
2. Add SAP SuccessFactors as a source system. For more information, see SAP SuccessFactors [page 120].
3. Add Local Identity Directory as a target system. You don't need to configure any properties for it.
4. (Optional) If needed, configure its default transformations:
Code Syntax
{ "user": { "mappings": [
    { "sourcePath": "$", "targetPath": "$" },
    { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
    { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" },
    { "constant": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", "targetPath": "$.schemas[1]" },
    { "condition": "$.emails[0].length() > 0", "constant": true, "targetPath": "$.emails[0].primary" },
    { "targetPath": "$.meta", "type": "remove" }
  ] },
  "group": { "ignore": true, "mappings": [
    { "sourcePath": "$", "targetPath": "$" },
    { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
    { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
    { "targetPath": "$.meta", "type": "remove" },
    { "sourcePath": "$.member", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members[?(@.value)]", "functions": [ { "type": "resolveEntityIds" } ] }
  ] }
}
5. Start a provisioning job for the SAP SuccessFactors source system. For more information, see Manage Jobs and Job Logs [page 98].
Note
Before starting a provisioning job, you can first subscribe to notifications for this system. This way, you will be notified by e-mail about any entities that fail during the job. For more information, see Manage Job Notifications [page 102].
6. Add Local Identity Directory as a source system. It already contains all the users provisioned from the SAP SuccessFactors system.
7. (Optional) If needed, configure its default transformations:
Code Syntax
{ "user": { "mappings": [
    { "sourcePath": "$", "targetPath": "$" },
    { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
    { "targetPath": "$.id", "type": "remove" }
  ] },
  "group": { "ignore": true, "mappings": [
    { "sourcePath": "$", "targetPath": "$" },
    { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
    { "targetPath": "$.id", "type": "remove" }
  ] }
}
8. Add Microsoft Azure Active Directory as a target system. For more information, see Microsoft Azure Active Directory [page 204].
9. Start another provisioning job – for the Local Identity Directory source system.
NoteWe recommend that you subscribe to receive notifications from this system, too.
10. Check if everything is successfully provisioned.
Related Information
Identity Directory (Beta) [page 248]
1.5.5 Hybrid Scenario: SAP Identity Management
Use a proxy system to execute a hybrid scenario between SAP Identity Management and cloud systems.
Prerequisites
● You have the Identity Provisioning service enabled on your account for SAP Cloud Platform. For more information, see Access the Identity Provisioning (Standalone) [page 26].
NoteIf you don't have a platform account, you will get one by purchasing the Identity Provisioning service.
● You have user credentials for an SAP Identity Management system, with write permissions.
● You have access to the Proxy Systems section in the Identity Provisioning service UI. To get it, create a ticket (incident) requesting that access. For more information on creating tickets, see Support [page 288] → Productive Use.
Context
A proxy system is a special connector used for "hybrid" scenarios. That means, you can provision entities from a cloud to an on-premise system (and the other way around) without making a direct connection between them. To achieve this, the hybrid scenario uses a proxy system which executes provisioning operations (read, create, update, delete, etc.) requested by the on-premise system.
Note
Currently, this scenario is only applicable to SAP Identity Management, used as the on-premise system.
Procedure
1. Open your subaccount in SAP Cloud Platform cockpit.
2. Register a new OAuth client for the subscription to the ipsproxy application:
   a. Go to Security → OAuth Clients.
   b. Choose Register New Client.
   c. From the Subscription combo box, select <provider_subaccount>/ipsproxy.
   d. From the Authorization Grant combo box, select Client Credentials.
   e. In the Secret field, enter a password (client secret) and remember it. You will need it later, for the repository configuration in SAP Identity Management. Treat it as a credential: together with the client ID it grants the IPS_PROXY_USER role assigned in the next step, so store it only in the SAP Identity Management repository configuration, not in plain-text notes.
   f. Copy and save the generated Client ID. You will need it later, too.
3. Assign role IPS_PROXY_USER to the OAuth client:
   a. From the left-side navigation, choose Subscriptions.
   b. Under the Java Applications section, choose ipsproxy.
   c. From the left-side navigation, choose Roles.
   d. Assign role IPS_PROXY_USER to the newly created OAuth client. Choose Assign and enter oauth_client_<client_ID>, where <client_ID> is the one from step 2.f.
4. Now, open the Identity Provisioning UI. You can access it in two ways:
   ○ Go to the Subscriptions section, select ips from the HTML5 Applications section, and then choose the provided application URL.
   ○ Go to the Services section, select the Identity Provisioning tile, and choose Go to Service.
5. Add a proxy system (connector). For more information, see Add System [page 59].
Note
A system can act as a proxy if it supports both read and write operations. To check which system types are appropriate for this role, see the topics listed under Proxy Systems [page 209].
6. Open the Properties tab to configure the connection settings for the proxy system.
7. Save the proxy system.
Next Steps
1. Export the newly created proxy system: choose Export → CSV format.
2. Go to SAP Identity Management to register or import a SCIM repository.
Note
If you import the .csv file (from step 1), all fields are filled in automatically. You only need to enter your client ID and secret (AUTH_USER and AUTH_PASSWORD); the export does not contain the secret.
3. Then start an initial load job. After the initial load is done, you can create new users or update existing ones in SAP Identity Management.
For more information, see SAP Identity Management: Setting up a SCIM System.
Note
The hybrid scenario supports:
● Reading and writing of users
● Reading of groups (no writing yet) from SAP Identity Management to another system. Writing groups is currently only applicable for Microsoft Azure.
1.6 Identity Directory (Beta)
Note
The identity directory is a beta functionality that is available in the SAP Cloud Platform Identity Provisioning service.
The identity directory in the SAP Cloud Platform Identity Provisioning service provides organizations with a directory for storing and managing users and groups in the SAP Cloud Platform. The users and groups in this directory can be provisioned to and read from various cloud systems (both SAP and non-SAP) supported by the Identity Provisioning service.
The figure below shows an example of a system landscape you can use for a provisioning scenario with the identity directory.
The identity directory stores resources (users and groups) with a set of attributes, according to the System for Cross-Domain Identity Management (SCIM) 2.0 standard. The supported attributes are defined in the SCIM core schema and the Enterprise user resource schema. Custom attributes are also supported through a schema extension.
The identity directory protects corporate data through tenant isolation (and secure programming practices on the service side). Every organization obtains a tenant, identified by its <consumer subaccount>, and the tenant's data is stored in a separate database schema. In practice, every SAP Cloud Platform customer can enable the Identity Provisioning service and thereby subscribe its consumer subaccount to it; this creates the customer's own identity vault in the identity directory.
You access the identity directory through a dedicated URL per consumer subaccount, in the format https://<application name><provider subaccount>-<consumer subaccount>.<host>. For example, with application name idds, provider subaccount a1111b222, consumer subaccount c333d4e5f and host hana.ondemand.com, the URL is https://iddsa1111b222-c333d4e5f.hana.ondemand.com.
You see the list of subscriptions and the corresponding application URLs to access them in the Subscriptions pane in the cockpit.
Scenarios
You can use the identity directory in the following scenarios, depending on your business needs and your system landscape.
● Managing Resources
The identity directory provides a SCIM REST API for create, read, update, delete (CRUD) operations on users and groups. You can use it to manage your own resources in the directory. See Managing Resources [page 251].
● Provisioning Resources
In the Identity Provisioning service, you can configure the identity directory as a source system. Based on this configuration, users and groups are provisioned to the defined corresponding target systems. See Systems.
● Reading and Storing Resources
In the Identity Provisioning service, you can configure the identity directory as a target system. Based on this configuration, users and groups are provisioned to the identity directory from the defined source systems. See Systems.
1.6.1 Enabling Identity Directory
Prerequisites
● You have a license to use the Identity Provisioning service.
● You have enabled the Identity Provisioning service.
Context
To enable the identity directory, proceed as follows:
Procedure
1. In the SAP Cloud Platform cockpit, navigate to your global account.
2. On your subaccount tile, choose Edit.
3. For Beta Features, select the Enable checkbox.
4. Choose Save.
5. Open your subaccount tile.
6. From the left-side navigation, choose Services.
7. Find the Identity Directory (Beta) tile and open it.
8. Choose Enable.
9. When the service is successfully enabled, choose Go to Service.
The Identity Provisioning service UI opens. You can now provision entities between the identity directory and other systems.
Next Steps
Scenarios
Adding Systems
Managing Transformations
1.6.2 Managing Resources
The identity directory provides a System for Cross-domain Identity Management (SCIM) 2.0 REST API for managing resources (users, groups and custom schemas).
Consumers of this REST API should be familiar with the System for Cross-domain Identity Management protocol before managing their own resources. For more information, see System for Cross-domain Identity Management: Protocol.
A SCIM resource is represented in JavaScript Object Notation (JSON) format. All examples in this document are based on the Content-Type application/scim+json.
To Learn About                          See
Supported resources and operations      Resources and Operations [page 252]
Supported attribute types               Attributes [page 253]
Examples for SCIM REST API usage        Search Users with Filtering [page 254]
                                        Search Users with Paging [page 257]
                                        Create User [page 261]
                                        Update User [page 263]
                                        Delete User [page 265]
                                        Search Groups with Paging [page 266]
                                        Create Group [page 269]
                                        Update Group [page 271]
                                        Delete Group [page 273]
                                        Create Custom Schema [page 274]
                                        Delete Custom Schema [page 277]
1.6.2.1 Resources and Operations
The identity directory SCIM REST API supports the following resources and operations:
Resource: User
  Endpoint: /Users
  Operations: GET, POST, PUT, DELETE
  Schema URIs:
    urn:ietf:params:scim:schemas:core:2.0:User
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
    urn:sap:cloud:scim:schemas:extension:custom:2.0:<Name>
  Description: Retrieve, create, modify and delete a user resource.

Resource: Group
  Endpoint: /Groups
  Operations: GET, POST, PUT, DELETE
  Schema URI: urn:ietf:params:scim:schemas:core:2.0:Group
  Description: Retrieve, create, modify and delete a group resource.

Resource: Schema
  Endpoint: /Schemas
  Operations: GET, POST, DELETE
  Schema URIs:
    urn:ietf:params:scim:schemas:core:2.0:User
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
    urn:sap:cloud:scim:schemas:extension:custom:2.0:<Name>
    urn:ietf:params:scim:schemas:core:2.0:Group
  Description: Retrieve, create and delete a resource's schema.

Resource: Service Provider Configuration
  Endpoint: /ServiceProviderConfig
  Operation: GET
  Schema URI: urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig
  Description: Retrieve the service provider's configuration.

Note
PATCH is not among the listed operations, so partial modification is not available. To change a user or group, send a PUT with the complete resource representation (see Update User [page 263] and Update Group [page 271]); attributes missing from the PUT body are removed.
For more information about the SCIM specification, see System for Cross-domain Identity Management: Protocol
1.6.2.2 Attributes
A resource is a collection of attributes identified by one or more schemas. An attribute consists of the attribute name and at least one simple or complex value. For each attribute, SCIM schema defines the data type.
SCIM Schemas
The identity directory supports the following SCIM schemas:
● Core Schema - a collection of core attributes for users and groups, for example: userName and members.
● Enterprise User Schema Extension - a collection of attributes representing a user that belongs to an enterprise, for example: employeeNumber and manager.
● Custom Schema Extension - a collection of custom attributes defined through a schema extension, for example: equipment, roomNumber.
Attribute Values
The identity directory supports the following types of SCIM schema attributes:
● Single-valued attributes - an attribute that contains one value, for example: displayName.
● Multi-valued attributes - an attribute that contains more than one value, for example: emails.
● Simple attributes - a single- or multi-valued attribute whose value is primitive, for example: String. Simple attributes do not contain sub-attributes.
● Complex attributes - a single- or multi-valued attribute that contains one or more simple attributes. The addresses attribute, for example, contains the sub-attributes streetAddress, locality, postalCode, and country.
Note
Complex custom attributes are not supported.
● Sub-attributes - a simple attribute that is contained within a complex attribute, for example: postalCode is a sub-attribute within the addresses complex attribute.
Attribute Data Types
The identity directory supports the following data types of SCIM schema attributes:
SCIM Data Type   DB Type          Valid Values
string           varchar(255)     A string value should not exceed 2000 bytes (UTF-8 encoding).
boolean          smallint         A boolean value should be true or false.
integer          int (4 byte)     An integer value should be in the range of -2,147,483,648 to 2,147,483,647.
decimal          decimal(38,18)   A decimal value should be a floating point number with precision 38 and scale 18.
datetime         datetime         Dates are in ISO 8601 UTC timezone (yyyy-MM-ddTHH:mm:ss.SSSZ).
binary           varchar(5000)    Base64 encoded binary data. It should not exceed 5000 bytes.
reference        varchar(255)     A reference value is validated as a string value.

Note
The string limit is stated in bytes of the UTF-8 encoding, not in characters, so a value made of multi-byte characters reaches the limit sooner than its character count suggests. Also note that the DB type shown for string (varchar(255)) and the stated limit (2000 bytes) do not agree; verify the effective limit against your tenant before relying on long string values.
For more information about the SCIM schema, see System for Cross-domain Identity Management: Core Schema
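The limits in the table are easy to get wrong on the client side: the string limit is in UTF-8 bytes rather than characters, datetimes must be UTC with a trailing Z (the documented responses carry nine fractional digits, not three), and decimal has separate precision and scale bounds. The following pre-flight validator is an added example, not code from the SAP documentation or from the identity directory itself. It implements only the limits stated in the table above, and it applies the binary limit to the base64-encoded text, because that is what a varchar(5000) column stores; the server remains the authority.

```python
"""Client-side pre-flight checks against the identity directory's documented
SCIM data-type limits. Added example, not SAP code; limits as in the table."""
import base64
import binascii
import re
from datetime import datetime
from decimal import Decimal, InvalidOperation
from typing import Optional

MAX_STRING_BYTES = 2000            # string / reference, measured in UTF-8 bytes
MAX_BINARY_CHARS = 5000            # base64 text, as stored in varchar(5000)
INT_MIN, INT_MAX = -2_147_483_648, 2_147_483_647
DECIMAL_PRECISION, DECIMAL_SCALE = 38, 18
# yyyy-MM-ddTHH:mm:ss.SSSZ; the fraction is optional and may be longer than
# three digits (the documented responses show nine); the zone must be 'Z'.
DATETIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,9})?Z$")


def validate(scim_type: str, value) -> Optional[str]:
    """Return None when value fits scim_type, otherwise a short reason."""
    if scim_type in ("string", "reference"):
        if not isinstance(value, str):
            return "must be a string"
        n = len(value.encode("utf-8"))  # bytes, not characters
        return None if n <= MAX_STRING_BYTES else f"{n} UTF-8 bytes exceed {MAX_STRING_BYTES}"

    if scim_type == "boolean":
        return None if isinstance(value, bool) else "must be true or false"

    if scim_type == "integer":
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, int):
            return "must be an integer"
        return None if INT_MIN <= value <= INT_MAX else "outside the 4-byte integer range"

    if scim_type == "decimal":
        try:
            d = Decimal(str(value))
        except InvalidOperation:
            return "not a decimal number"
        if not d.is_finite():
            return "must be finite"
        _, digits, exponent = d.as_tuple()
        scale = max(-exponent, 0)                        # digits after the point
        integer_digits = max(len(digits) + exponent, 0)  # digits before it
        if scale > DECIMAL_SCALE:
            return f"scale {scale} exceeds {DECIMAL_SCALE}"
        if integer_digits > DECIMAL_PRECISION - DECIMAL_SCALE:
            return f"{integer_digits} integer digits exceed {DECIMAL_PRECISION - DECIMAL_SCALE}"
        return None

    if scim_type == "datetime":
        if not isinstance(value, str) or not DATETIME_RE.match(value):
            return "must be yyyy-MM-ddTHH:mm:ss[.SSS]Z in UTC"
        try:
            datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")  # rejects month 13 etc.
        except ValueError:
            return "not a valid calendar date/time"
        return None

    if scim_type == "binary":
        if not isinstance(value, str):
            return "must be a base64 string"
        try:
            base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            return "not valid base64"
        return None if len(value) <= MAX_BINARY_CHARS else f"{len(value)} characters exceed {MAX_BINARY_CHARS}"

    return f"unknown SCIM type {scim_type!r}"


def validate_resource(values: dict, types: dict) -> dict:
    """Validate a flat {attribute: value} map against {attribute: scim_type}.
    Returns {attribute: reason} for every failing attribute; empty means OK.
    Attributes with no declared type are treated as string."""
    problems = {}
    for attr, value in values.items():
        reason = validate(types.get(attr, "string"), value)
        if reason:
            problems[attr] = reason
    return problems
```

Run validate_resource over a user body before the POST or PUT; a rejected value costs a round trip and, for PUT, risks leaving the resource half-updated from the caller's point of view.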
1.6.2.3 Search Users with Filtering
To search for a user resource, you need to send an HTTP GET request to the resource endpoint, in this case /Users, and append the id of the user.
In addition to retrieving a single user by id, you can search for a number of users by specifying the filter parameter in the request. When specified, only those users matching the filter expression (attribute names and values) are returned. The identity directory SCIM REST API supports filtering by core schema attributes, enterprise schema attributes and custom schema attributes.
Attribute names and attribute operators that are used in filters are case insensitive.
Supported Operators

Operator   Description   Behavior
eq         equal         The attribute and operator values must be identical for a match.
and        Logical and   The filter is only a match if both expressions evaluate to true.

Only these two operators are documented. Other SCIM 2.0 filter operators (for example ne, co, sw, or, not) are not listed as supported, so build filters from eq comparisons joined by and.
Supported User Search Attributes

SCIM Schema                        Attributes
Core schema                        userName, active, emails, addresses.locality, addresses.region, addresses.postalCode, addresses.country, groups, roles
Enterprise user resource schema    employeeNumber, costCenter, organization, division, department, manager.value
                                   All Enterprise user resource schema attributes can also be addressed by the schema URI urn:ietf:params:scim:schemas:extension:enterprise:2.0:User followed by the attribute name, for example: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter
Custom schema                      All attributes defined in a custom schema, by fully qualified attribute name. For example: urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema.CustomString
Request
URI for retrieving a single user: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/<id>
URI for retrieving users with filtering: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users?filter=<attribute name> eq <"attribute value">
URI for retrieving users with filtering by custom schema attributes: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users?filter=<fully qualified attribute name> eq <"custom attribute value">
HTTP Method: GET
Content-Type: application/scim+json
Authorization: OAuth 2.0
Request Example
GET /Users?filter=addresses.locality eq "San Francisco"
Response
Response Status and Error Codes
Code Reason Description
200 OK Indicates that the user is retrieved.
Response Example
{
  "totalResults": 2,
  "itemsPerPage": 2,
  "startIndex": 1,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "resources": [
    {
      "id": "4af5b1a1-38bd-44f8-8a21-ff108a9d126c",
      "meta": {
        "created": "2017-06-08T13:43:22.660Z",
        "lastModified": "2017-06-08T14:00:52.946666666Z",
        "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/4af5b1a1-38bd-44f8-8a21-ff108a9d126c",
        "version": "4bb12863-b6dd-47bf-856f-31133e0888a6",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "userName": "Denise Smith",
      "addresses": [
        {
          "locality": "San Francisco",
          "country": "USA"
        }
      ]
    },
    {
      "id": "6c47a304-a3b1-433e-9a72-494abe69387d",
      "meta": {
        "created": "2017-06-08T13:44:29.550Z",
        "lastModified": "2017-06-08T14:01:52.626666666Z",
        "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/6c47a304-a3b1-433e-9a72-494abe69387d",
        "version": "3fe1d07d-d848-4b94-8318-4d746cac09b9",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "userName": "Isabel Dupont",
      "addresses": [
        {
          "locality": "San Francisco",
          "country": "USA"
        }
      ]
    }
  ]
}
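Filter expressions are plain strings concatenated into the query, which makes them a classic injection point when an attribute value comes from user input (a search box, a form field). The following builder is an added example, not code from the SAP documentation: it assumes only the syntax documented above (an attribute name, eq, a quoted value, clauses joined by and) and the list of searchable attributes. BASE_URL is a placeholder for your tenant URL. Attribute names are taken from a fixed allow-list, and values are encoded as JSON string literals, which is what SCIM filter values are (RFC 7644, section 3.4.2.2), so an embedded quote is escaped instead of closing the literal.

```python
"""Build /Users filter queries for the identity directory without filter
injection. Added example, not SAP code. Assumes only the documented syntax
('<attribute> eq "<value>"', clauses joined by 'and') and the documented
searchable attributes; BASE_URL is a placeholder for your tenant URL."""
import json
from urllib.parse import urlencode

BASE_URL = "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com"

ENTERPRISE_URN = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
CUSTOM_URN_PREFIX = "urn:sap:cloud:scim:schemas:extension:custom:2.0:"

# Searchable attributes from the documentation, lower-cased because filter
# attribute names are case-insensitive.
CORE_ATTRS = {"username", "active", "emails", "addresses.locality", "addresses.region",
              "addresses.postalcode", "addresses.country", "groups", "roles"}
ENTERPRISE_ATTRS = {"employeenumber", "costcenter", "organization", "division",
                    "department", "manager.value"}


def check_attribute(name: str) -> str:
    """Reject anything that is not a documented filterable attribute.

    The attribute name is concatenated into the filter verbatim, so it must
    come from this allow-list, never from untrusted input."""
    lower = name.lower()
    if lower in CORE_ATTRS or lower in ENTERPRISE_ATTRS:
        return name
    if lower.startswith(ENTERPRISE_URN.lower() + ":") and lower.rsplit(":", 1)[1] in ENTERPRISE_ATTRS:
        return name
    if lower.startswith(CUSTOM_URN_PREFIX) and "." in lower[len(CUSTOM_URN_PREFIX):]:
        return name  # <Schema>.<attribute>, fully qualified
    raise ValueError(f"attribute {name!r} is not filterable")


def eq(attribute: str, value: str) -> str:
    """'<attribute> eq "<value>"' with the value encoded as a JSON string.

    json.dumps() yields exactly the escaping a SCIM filter parser expects:
    an embedded '"' becomes '\\"' and stays inside the literal rather than
    closing it, so a value like 'x" and active eq "true' cannot smuggle in a
    second clause. ensure_ascii=False keeps non-ASCII characters literal;
    urlencode() percent-encodes them later."""
    if not isinstance(value, str):
        raise TypeError("filter values are sent as strings")
    return f"{check_attribute(attribute)} eq {json.dumps(value, ensure_ascii=False)}"


def and_(*clauses: str) -> str:
    """Join clauses with 'and', the only logical operator the API documents."""
    if not clauses:
        raise ValueError("at least one clause is required")
    return " and ".join(clauses)


def users_url(filter_expr: str, base_url: str = BASE_URL) -> str:
    """Full /Users URL; spaces and quotes in the filter are percent-encoded."""
    return f"{base_url}/idds/scim/Users?{urlencode({'filter': filter_expr})}"
```

Because the directory documents only eq and and, an injected or clause would be rejected by the server anyway; the allow-list and the JSON quoting matter for the case where a later release, or another SCIM server you point the same code at, accepts a richer grammar.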
1.6.2.4 Search Users with Paging
You can search for users by specifying paging parameters in the HTTP GET request to page through large number of resources. When searching for users, you can combine paging with filtering.
Depending on the specified paging parameters, there are two approaches when searching for users with paging:
● Index-Based paging as defined in the SCIM 2.0 standard - that is, page through users by specifying startIndex parameter.
● Id-Based paging, an identity directory extension that is not part of the SCIM 2.0 standard - that is, page through users by specifying the startId parameter.
You can use the following paging parameters in the request:
Paging Parameters

Index-Based paging
  startIndex   Default value: 1. The 1-based index of the first query result. A value less than 1 is interpreted as 1.
  count        Default value: 100. Specifies the required maximum number of query results per page, for example 10. A negative value is interpreted as 0. A value of 0 indicates that no resource results are to be returned except for totalResults.

Id-Based paging
  startId      Default value: none. Possible values: initial or <user id>. Specifies the first entry of the query result. If no value is specified, index-based paging is used. If initial is specified, the initial user is returned as the first entry of the query result. If <user id> is specified, the user with this user id is returned as the first entry of the query result.
  count        Default value: 100. Specifies the required maximum number of query results per page, for example 10. A negative value is interpreted as 0. A value of 0 indicates that no resource results are to be returned except for totalResults.
Depending on the paging approach you choose, the following paging attributes are returned in the response:
Paging Attributes

Index-Based paging
  totalResults   Specifies the total number of results matching the query, for example: 100.
  itemsPerPage   Specifies the number of query results returned in a query response page, for example: 3.
  startIndex     The 1-based index of the first result in the current set of query results, for example: 1.

Id-Based paging
  totalResults   Specifies the total number of results matching the query, for example: 100.
  itemsPerPage   Specifies the number of query results returned in a query response page, for example: 3.
  startId        Specifies the first entry of the query result, for example: initial or <user id>.
  nextId         Specifies the next user id (that is, the id of the first user on the next page). For example: <user id> or end. The value end indicates that the last user of the total number of users matching the query has been returned.
Request
URI for retrieving users with paging: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users?startId=<value>&count=<value>
URI for retrieving users with paging and filtering: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users?startId=<value>&count=<value>&filter=<attribute name> eq <"attribute value">
HTTP Method: GET
Content-Type: application/scim+json
Authorization: OAuth 2.0
Request Example
GET /Users?startId=initial&count=3&filter=userName eq "Hristo"
In this example, to retrieve 3 users starting with the initial one as the first query result and matching a filter expression (attribute names and values), set the startId to initial, the count to 3 and the filter to userName equal to "Hristo".
Response
Response Status and Error Codes
Code Reason Description
200 OK Indicates that the users are retrieved.
Response Example
{
  "Resources": [
    {
      "id": "00896434-aa00-40a4-b012-a316e2a067fa",
      "externalId": "Hristo",
      "meta": {
        "created": "2017-07-05T07:55:26.666666666Z",
        "lastModified": "2017-07-05T07:55:26.666666666Z",
        "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/00896434-aa00-40a4-b012-a316e2a067fa",
        "version": "d7707201-143d-4542-a75b-365618dba464",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      ],
      "userName": "Hristo",
      "name": {
        "formatted": "Mr. Test Borisov",
        "familyName": "Borisov",
        "givenName": "Hristo"
      },
      "displayName": "Hristo",
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "employeeNumber": "701984",
        "costCenter": "4130",
        "organization": "IdDStore",
        "division": "IdDS",
        "department": "Development"
      }
    },
    {
      "id": "097bfceb-b67a-4079-bdaf-27f5efd8949e",
      "externalId": "Hristo",
      "meta": {
        "created": "2017-07-05T07:53:39.046666666Z",
        "lastModified": "2017-07-05T07:53:39.046666666Z",
        "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/097bfceb-b67a-4079-bdaf-27f5efd8949e",
        "version": "93cb00c8-ec02-4ca4-8968-cc3794613dda",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      ],
      "userName": "Hristo",
      "name": {
        "formatted": "Mr. Test Borisov",
        "familyName": "Borisov",
        "givenName": "Hristo"
      },
      "displayName": "Hristo",
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "employeeNumber": "701984",
        "costCenter": "4130",
        "organization": "IdDStore",
        "division": "IdDS",
        "department": "Development"
      }
    },
    {
      "id": "26ed19d4-d68c-427f-abb8-4cb4a7f37f54",
      "externalId": "Hristo",
      "meta": {
        "created": "2017-07-05T07:53:44.833333333Z",
        "lastModified": "2017-07-05T07:53:44.833333333Z",
        "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/26ed19d4-d68c-427f-abb8-4cb4a7f37f54",
        "version": "9f648fe3-63a1-4d4e-9741-399795dd63a7",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      ],
      "userName": "Hristo",
      "name": {
        "formatted": "Mr. Test Borisov",
        "familyName": "Borisov",
        "givenName": "Hristo"
      },
      "displayName": "Hristo",
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "employeeNumber": "701984",
        "costCenter": "4130",
        "organization": "IdDStore",
        "division": "IdDS",
        "department": "Development"
      }
    }
  ],
  "totalResults": 12,
  "itemsPerPage": 3,
  "startId": "initial",
  "nextId": "464cba30-0479-4c4c-b7f9-dba3a29c3098",
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ]
}
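The id-based paging described here (and, with identical parameters and nextId semantics, for /Groups in Search Groups with Paging) is a cursor protocol: start at initial, request count entries, and follow nextId until the server returns end. The client below is an added example, not code from the SAP documentation. It abstracts the HTTP transport as a callable so that the loop runs offline against FakeDirectory, an in-memory stand-in fed with constructed sample users; a real fetch would perform the OAuth 2.0 authenticated GET on .../idds/scim/Users?startId=...&count=...[&filter=...] and return the decoded JSON body. Two details matter operationally: a cursor that repeats would otherwise spin the client forever, and the documented filtering response spells the result key resources while the paging response spells it Resources, so both are accepted.

```python
"""Walk every page of /Users (or /Groups) with the directory's id-based
paging. Added example, not SAP code: the HTTP transport is a callable so the
loop runs offline against FakeDirectory, built from constructed sample data."""
from typing import Callable, Dict, Iterator, List, Optional

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
END = "end"            # nextId value that marks the last page
MAX_PAGES = 10_000     # upper bound so a misbehaving server cannot loop the client forever

Fetch = Callable[[Dict[str, str]], dict]   # query parameters -> decoded ListResponse


def iter_resources(fetch: Fetch, count: int = 100, filter_expr: Optional[str] = None) -> Iterator[dict]:
    """Yield every resource, following nextId from 'initial' until 'end'."""
    if count < 1:
        raise ValueError("count must be positive; 0 returns only totalResults")
    cursor, seen = "initial", set()
    for _ in range(MAX_PAGES):
        if cursor in seen:                       # a repeated cursor would never terminate
            raise RuntimeError(f"server repeated cursor {cursor!r}")
        seen.add(cursor)
        params = {"startId": cursor, "count": str(count)}
        if filter_expr:
            params["filter"] = filter_expr
        page = fetch(params)
        if LIST_RESPONSE not in page.get("schemas", []):
            raise RuntimeError("response is not a SCIM ListResponse")
        # The documented filtering example spells the key 'resources'; accept both.
        yield from page.get("Resources") or page.get("resources") or []
        cursor = page.get("nextId", END)
        if cursor == END:
            return
    raise RuntimeError(f"gave up after {MAX_PAGES} pages")


class FakeDirectory:
    """In-memory stand-in for /Users implementing the documented id-based
    paging: startId is 'initial' or a resource id, nextId is the id of the
    first resource on the next page or 'end'."""

    def __init__(self, resources: List[dict]):
        self.resources = resources
        self.calls = 0

    def __call__(self, params: Dict[str, str]) -> dict:
        self.calls += 1
        matches = self.resources
        flt = params.get("filter")
        if flt:   # only the documented '<attr> eq "<value>"' form is emulated
            attr, _, value = flt.partition(" eq ")
            matches = [r for r in matches if str(r.get(attr)) == value.strip('"')]
        start = params["startId"]
        idx = 0 if start == "initial" else next(i for i, r in enumerate(matches) if r["id"] == start)
        count = max(int(params["count"]), 0)
        page = matches[idx:idx + count]
        next_id = matches[idx + count]["id"] if idx + count < len(matches) else END
        return {"schemas": [LIST_RESPONSE], "totalResults": len(matches),
                "itemsPerPage": len(page), "startId": start, "nextId": next_id,
                "Resources": page}


# Constructed sample data: seven users, four of them with userName "Hristo".
SAMPLE_USERS = [{"id": f"u{i}", "userName": "Hristo" if i % 2 == 0 else f"user{i}"}
                for i in range(7)]


def collect_ids(fetch: Fetch, count: int, filter_expr: Optional[str] = None) -> List[str]:
    """Convenience wrapper returning the ids of all matching resources."""
    return [r["id"] for r in iter_resources(fetch, count, filter_expr)]
```

For a full export of a tenant, pick count as large as the server accepts and keep the loop streaming (the generator never holds more than one page), so that a directory with many thousands of users does not have to fit in memory.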
1.6.2.5 Create User
To create a user resource, you need to send an HTTP POST request to the resource endpoint, in this case /Users.
When creating a user, the schemas and userName attributes are required.
Note
A user is created only if every schema listed in its schemas attribute already exists. A custom schema must therefore be created first (see Create Custom Schema [page 274]) before users referencing it can be created.
Request
URI: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users
HTTP Method: POST
Content-Type: application/scim+json
Authorization: OAuth 2.0
Request Example
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
    "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema"
  ],
  "userName": "jarmstrong",
  "displayName": "Julie Armstrong",
  "name": {
    "formatted": "Ms. Julie Jane Armstrong",
    "familyName": "Armstrong",
    "givenName": "Julie",
    "middleName": "Jane"
  },
  "addresses": [
    {
      "locality": "New York",
      "country": "USA"
    }
  ],
  "userType": "Employee",
  "preferredLanguage": "en-US",
  "locale": "en-US",
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "751988",
    "costCenter": "4130",
    "organization": "Manufacturing company",
    "department": "Marketing",
    "division": "Luxury vehicle",
    "manager": {
      "value": "d478473e-af5f-45dc-977c-8447313216dc",
      "displayName": "John Smith"
    }
  },
  "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema": {
    "CustomString": [
      "MyValue"
    ]
  }
}
Response
Response Status and Error Codes
Code Reason Description
201 Created Indicates that the user is created.
Response Example
{
  "id": "c76d2fce-5759-45c0-8e09-ffd3e59dcabe",
  "meta": {
    "created": "2017-06-15T10:04:30.204Z",
    "lastModified": "2017-06-15T10:04:30.204Z",
    "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/c76d2fce-5759-45c0-8e09-ffd3e59dcabe",
    "version": "90e8e05f-ffde-4f11-bfbc-b683453b6148",
    "resourceType": "User"
  },
  "schemas": [
    "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema",
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "userName": "jarmstrong",
  "name": {
    "formatted": "Ms. Julie Jane Armstrong",
    "familyName": "Armstrong",
    "givenName": "Julie",
    "middleName": "Jane"
  },
  "displayName": "Julie Armstrong",
  "userType": "Employee",
  "preferredLanguage": "en-US",
  "locale": "en-US",
  "addresses": [
    {
      "primary": false,
      "locality": "New York",
      "country": "USA"
    }
  ],
  "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema": {
    "CustomString": [
      "MyValue"
    ]
  },
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "751988",
    "costCenter": "4130",
    "organization": "Manufacturing company",
    "division": "Luxury vehicle",
    "department": "Marketing",
    "manager": {
      "value": "d478473e-af5f-45dc-977c-8447313216dc",
      "displayName": "John Smith"
    }
  }
}
1.6.2.6 Update User
To update a user resource, you need to send an HTTP PUT request to the resource endpoint, in this case /Users, and append the id of the user. The HTTP PUT request replaces the resource's attributes: the request body must contain the complete representation, and any attribute that is absent from the body is removed from the user. Read the current representation first and modify it, rather than sending only the attributes you want to change.
Note
If you update the displayName attribute of a user that is referenced by another user (for example, a manager user is referenced by an employee user), note that the update of the reference is asynchronous.
Request
URI: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/<id>
HTTP Method: PUT
Content-Type: application/scim+json
Authorization: OAuth 2.0
Request Example
In this example, the familyName, costCenter and department attributes of a user are replaced (updated), the middleName attribute is removed, and a new streetAddress attribute is added.
{
  "id": "c76d2fce-5759-45c0-8e09-ffd3e59dcabe",
  "meta": {
    "created": "2017-06-15T10:04:30.204Z",
    "lastModified": "2017-06-15T10:04:30.204Z",
    "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/c76d2fce-5759-45c0-8e09-ffd3e59dcabe",
    "version": "90e8e05f-ffde-4f11-bfbc-b683453b6148",
    "resourceType": "User"
  },
  "schemas": [
    "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema",
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "userName": "jarmstrong",
  "name": {
    "formatted": "Ms. Julie Jane Armstrong",
    "familyName": "Brown",
    "givenName": "Julie"
  },
  "displayName": "Julie Armstrong",
  "userType": "Employee",
  "preferredLanguage": "en-US",
  "locale": "en-US",
  "addresses": [
    {
      "streetAddress": "51 MyStreet",
      "primary": false,
      "locality": "New York",
      "country": "USA"
    }
  ],
  "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema": {
    "CustomString": [
      "MyValue"
    ]
  },
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "751988",
    "costCenter": "6100",
    "organization": "Manufacturing company",
    "division": "Luxury vehicle",
    "department": "Customer Support",
    "manager": {
      "value": "d478473e-af5f-45dc-977c-8447313216dc",
      "displayName": "John Smith"
    }
  }
}
Response
Response Status and Error Codes
Code Reason Description
200 OK Indicates that the user is updated.
Response Example
{
  "id": "c76d2fce-5759-45c0-8e09-ffd3e59dcabe",
  "meta": {
    "created": "2017-06-15T10:04:30.204Z",
    "lastModified": "2017-06-15T10:17:05.071Z",
    "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/c76d2fce-5759-45c0-8e09-ffd3e59dcabe",
    "version": "30fb5e69-f2db-4525-9aaa-cfa978b059b5",
    "resourceType": "User"
  },
  "schemas": [
    "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema",
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "userName": "jarmstrong",
  "name": {
    "formatted": "Ms. Julie Jane Armstrong",
    "familyName": "Brown",
    "givenName": "Julie"
  },
  "displayName": "Julie Armstrong",
  "userType": "Employee",
  "preferredLanguage": "en-US",
  "locale": "en-US",
  "addresses": [
    {
      "primary": false,
      "streetAddress": "51 MyStreet",
      "locality": "New York",
      "country": "USA"
    }
  ],
  "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema": {
    "CustomString": [
      "MyValue"
    ]
  },
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "751988",
    "costCenter": "6100",
    "organization": "Manufacturing company",
    "division": "Luxury vehicle",
    "department": "Customer Support",
    "manager": {
      "value": "d478473e-af5f-45dc-977c-8447313216dc",
      "displayName": "John Smith"
    }
  }
}
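Because PUT replaces the whole resource, a client that sends only the fields it means to change silently deletes everything else: the manager reference, the addresses, the custom-schema values, even active. The helper below is an added example, not code from the SAP documentation; it implements the read-modify-write pattern the update example above relies on. CURRENT_USER is a constructed sample modelled on the documented Create User response, attribute paths use "/" as separator (the schema URNs contain dots), and the server-managed meta block is left out of the body. The directory returns a meta.version value, but the page documents no conditional request (If-Match) support, so the helper does not rely on it for concurrency control.

```python
"""Read-modify-write helper for the identity directory's PUT /Users/<id>.
Added example, not SAP code. plan_put() builds the full replacement body
from the current representation and reports which attributes it drops;
dropped_by_partial_body() shows what a naive partial PUT would delete."""
import copy
from typing import Dict, Iterable, Iterator, List, Tuple

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
CUSTOM = "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema"

CURRENT_USER = {   # constructed sample; values echo the documented example user
    "id": "c76d2fce-5759-45c0-8e09-ffd3e59dcabe",
    "meta": {"version": "90e8e05f-ffde-4f11-bfbc-b683453b6148", "resourceType": "User"},
    "schemas": [CUSTOM, "urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
    "userName": "jarmstrong",
    "name": {"formatted": "Ms. Julie Jane Armstrong", "familyName": "Armstrong",
             "givenName": "Julie", "middleName": "Jane"},
    "displayName": "Julie Armstrong",
    "active": True,
    "addresses": [{"primary": False, "locality": "New York", "country": "USA"}],
    CUSTOM: {"CustomString": ["MyValue"]},
    ENTERPRISE: {"employeeNumber": "751988", "costCenter": "4130",
                 "department": "Marketing",
                 "manager": {"value": "d478473e-af5f-45dc-977c-8447313216dc",
                             "displayName": "John Smith"}},
}


def leaf_paths(obj, prefix: str = "") -> Iterator[str]:
    """Slash-separated path of every leaf attribute; lists count as leaves."""
    if isinstance(obj, dict) and obj:
        for key, value in obj.items():
            yield from leaf_paths(value, f"{prefix}/{key}" if prefix else key)
    else:
        yield prefix


def _walk(body: dict, path: str, create: bool):
    """Return (parent dict, leaf key) for a slash-separated path."""
    parent, _, leaf = path.rpartition("/")
    node = body
    for part in parent.split("/") if parent else []:
        node = node.setdefault(part, {}) if create else node.get(part, {})
    return node, leaf


def plan_put(current: dict, changes: Dict[str, object], remove: Iterable[str] = ()) -> Tuple[dict, List[str]]:
    """Return (put_body, dropped_paths).

    The body is a deep copy of `current` without the server-managed 'meta'
    block, with `changes` applied and `remove` deleted. dropped_paths lists
    every attribute present before that the body no longer carries, so the
    caller can refuse an update that removes more than it meant to."""
    body = copy.deepcopy(current)
    body.pop("meta", None)
    for path, value in changes.items():
        node, leaf = _walk(body, path, create=True)
        node[leaf] = value
    for path in remove:
        node, leaf = _walk(body, path, create=False)
        node.pop(leaf, None)
    before = {p for p in leaf_paths(current) if not p.startswith("meta")}
    return body, sorted(before - set(leaf_paths(body)))


def dropped_by_partial_body(current: dict, partial: dict) -> List[str]:
    """What a PUT that sends only `partial` would silently delete."""
    before = {p for p in leaf_paths(current) if not p.startswith("meta")}
    return sorted(before - set(leaf_paths(partial)))
```

In an automated provisioning job, compare the dropped list with the attributes you intended to remove and abort the PUT on any difference; that turns an accidental data loss (for example, a manager link or the active flag disappearing) into a visible failure.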
1.6.2.7 Delete User
To delete a user resource, you need to send an HTTP DELETE request to the resource endpoint, in this case /Users, and append the id of the user.
Note
If you delete a user that is a member of a group or is referenced by another user (for example, a manager user is referenced by an employee user), note that the update of the membership or reference is asynchronous.
Request
URI: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/<id>
HTTP Method: DELETE
Content-Type: application/scim+json
Authorization: OAuth 2.0
Request Example
DELETE /Users/e5817e9d-03b4-4336-8d9a-6b5fe3e16e1d
Response
Response Status and Error Codes
Code Reason Description
204 No Content Indicates that the user is deleted.
When you try to retrieve the deleted user with HTTP GET request, you get status: 404 Not Found.
Response Example
{
  "status": "404",
  "detail": "User e5817e9d-03b4-4336-8d9a-6b5fe3e16e1d not found",
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:Error"
  ]
}
1.6.2.8 Search Groups with Paging
You can search for groups by specifying paging parameters in the HTTP GET request to page through large number of resources.
Depending on the specified paging parameters, there are two approaches when searching for groups with paging:
● Index-Based paging as defined in the SCIM 2.0 standard - that is, page through groups by specifying startIndex parameter.
● Id-Based paging, an identity directory extension that is not part of the SCIM 2.0 standard - that is, page through groups by specifying the startId parameter.
You can use the following paging parameters in the request:
Paging Parameters

Index-Based paging
  startIndex   Default value: 1. The 1-based index of the first query result. A value less than 1 is interpreted as 1.
  count        Default value: 100. Specifies the required maximum number of query results per page, for example 10. A negative value is interpreted as 0. A value of 0 indicates that no resource results are to be returned except for totalResults.

Id-Based paging
  startId      Default value: none. Possible values: initial or <group id>. Specifies the first entry of the query result. If no value is specified, index-based paging is used. If initial is specified, the initial group is returned as the first entry of the query result. If <group id> is specified, the group with this group id is returned as the first entry of the query result.
  count        Default value: 100. Specifies the required maximum number of query results per page, for example 10. A negative value is interpreted as 0. A value of 0 indicates that no resource results are to be returned except for totalResults.
Depending on the paging approach you choose, the following paging attributes are returned in the response:
Paging Attributes

Index-Based paging
  totalResults – Specifies the total number of results matching the query, for example: 100.
  itemsPerPage – Specifies the number of query results returned in a query response page, for example: 3.
  startIndex – The 1-based index of the first result in the current set of query results, for example: 1.

Id-Based paging
  totalResults – Specifies the total number of results matching the query, for example: 100.
  itemsPerPage – Specifies the number of query results returned in a query response page, for example: 3.
  startId – Specifies the first entry of the query result, for example: initial or <group id>.
  nextId – Specifies the next group id (that is, the id of the first group on the next page), for example: <group id> or <end>. The <end> value indicates that the last group of the total number of groups matching the query has been returned.
Request
URI for retrieving groups with paging: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups?startId=<value>&count=<value>
HTTP Method: GET
Content-Type: application/scim+json
Authorization: OAuth 2.0
Request Example
GET /Groups?startId=a9653e66-bc3d-47bb-9d3b-7bdf0aa40633&count=3
In this example, to retrieve 3 groups starting with a <group id> as the first query result, set the startId to <group id> and the count to 3. Since the <group id> is the id of the 4th group out of a total of 5 groups, you retrieve only 2 groups in the response.
Response
Response Status and Error Codes
Code Reason Description
200 OK Indicates that the groups are retrieved.
Response Example
{
  "Resources": [
    {
      "id": "a9653e66-bc3d-47bb-9d3b-7bdf0aa40633",
      "meta": {
        "created": "2017-07-07T09:28:16.973333333Z",
        "lastModified": "2017-07-07T09:28:16.973333333Z",
        "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups/a9653e66-bc3d-47bb-9d3b-7bdf0aa40633",
        "version": "ed2dc84f-cce4-4110-97b1-d60a46b7de0b",
        "resourceType": "Group"
      },
      "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Group" ],
      "displayName": "DemoGroup3",
      "members": [
        {
          "value": "e11970fb-95be-4c3d-935c-a9d2b761b370",
          "display": "Hristo",
          "$ref": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/e11970fb-95be-4c3d-935c-a9d2b761b370",
          "type": "USER"
        }
      ]
    },
    {
      "id": "d4b00b11-9cdb-46fa-9b77-6cd8c170454f",
      "meta": {
        "created": "2017-07-07T09:27:51.866666666Z",
        "lastModified": "2017-07-07T09:27:51.866666666Z",
        "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups/d4b00b11-9cdb-46fa-9b77-6cd8c170454f",
        "version": "813d7ff7-aa5c-4648-94b2-2125a0164c1a",
        "resourceType": "Group"
      },
      "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Group" ],
      "displayName": "DemoGroup2"
    }
  ],
  "totalResults": 5,
  "itemsPerPage": 2,
  "startId": "a9653e66-bc3d-47bb-9d3b-7bdf0aa40633",
  "nextId": "end",
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ]
}
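The Id-based paging walk described in this section, as an added example that is not part of the SAP documentation or the service: the HTTP layer is replaced by an in-memory stand-in that applies the rules from the Paging Parameters table, so the client logic (follow nextId until it is "end", stop on an error document, refuse to loop) runs offline. The group ids and names are constructed sample data.

```python
import json
from typing import Callable, Dict, List

# Constructed sample directory: five groups in the order the server returns them.
SAMPLE_GROUPS: List[Dict[str, str]] = [
    {"id": f"00000000-0000-4000-8000-00000000000{i}", "displayName": f"DemoGroup{i}"}
    for i in range(1, 6)
]

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:Error"


def fake_groups_endpoint(directory: List[dict]) -> Callable[[dict], dict]:
    """Build a stand-in for GET /Groups?startId=...&count=... over `directory`.

    It applies the rules from the Paging Parameters table: count defaults to
    100, a negative count is read as 0, count 0 returns only totalResults,
    startId=initial starts at the first group, and nextId becomes "end" once
    the last matching group has been returned.
    """
    ids = [g["id"] for g in directory]

    def handle(params: dict) -> dict:
        count = max(int(params.get("count", 100)), 0)
        start_id = params.get("startId", "initial")
        if count == 0:
            return {"schemas": [LIST_RESPONSE], "totalResults": len(directory)}
        if start_id == "initial":
            start = 0
        elif start_id in ids:
            start = ids.index(start_id)
        else:
            return {"status": "404", "detail": f"Group {start_id} not found",
                    "schemas": [ERROR_RESPONSE]}
        page = directory[start:start + count]
        after = start + len(page)
        return {
            "Resources": page,
            "totalResults": len(directory),
            "itemsPerPage": len(page),
            "startId": start_id,
            "nextId": ids[after] if after < len(ids) else "end",
            "schemas": [LIST_RESPONSE],
        }

    return handle


def fetch_all_groups(get: Callable[[dict], dict], page_size: int = 3) -> List[dict]:
    """Collect every group by following nextId until the server reports "end".

    Each startId is remembered so a server that keeps handing back the same
    nextId raises instead of looping forever, and any response without
    Resources (for example the 404 error document) aborts the walk.
    """
    groups: List[dict] = []
    start_id = "initial"
    requested: set = set()
    while start_id != "end":
        if start_id in requested:
            raise RuntimeError(f"paging loop detected at startId={start_id}")
        requested.add(start_id)
        page = get({"startId": start_id, "count": page_size})
        if "Resources" not in page:
            raise RuntimeError(f"unexpected response: {json.dumps(page)}")
        groups.extend(page["Resources"])
        start_id = page["nextId"]
    return groups


if __name__ == "__main__":
    get_groups = fake_groups_endpoint(SAMPLE_GROUPS)
    # Mirrors the request example above: start at the 4th of 5 groups, ask for 3.
    print(json.dumps(get_groups({"startId": SAMPLE_GROUPS[3]["id"], "count": 3}), indent=2))
    print([g["displayName"] for g in fetch_all_groups(get_groups, page_size=2)])
```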
1.6.2.9 Create Group
To create a group resource, you need to send an HTTP POST request to the resource endpoint, in this case /Groups.
A group can contain users or other groups. When creating a group, schemas and displayName attributes are required. If you add members to the group, the value attribute of the member is required, while all other attributes of the member are optional.
Request
URI: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups
HTTP Method: POST
Content-Type: application/scim+json
Authorization: OAuth 2.0
Request Example
{
  "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Group" ],
  "displayName": "TestGroup",
  "members": [
    { "value": "eff4f49c-aeb4-4203-8f6a-979ecf9d2320", "display": "Julie Armstrong" },
    { "value": "d478473e-af5f-45dc-977c-8447313216dc", "display": "John Smith" },
    { "value": "a2f5518f-5dd5-48c2-9b1a-28b88b152885", "display": "MyFavoriteGroup" }
  ]
}
Response
Response Status and Error Codes
Code Reason Description
201 Created Indicates that the group is created.
Response Example
{
  "id": "5a028516-0538-4af3-b69d-18be92decef9",
  "meta": {
    "created": "2017-06-08T12:40:10.143Z",
    "lastModified": "2017-06-08T12:40:10.143Z",
    "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups/5a028516-0538-4af3-b69d-18be92decef9",
    "version": "529410f3-dee0-4721-991d-6a4b2e145b8b",
    "resourceType": "Group"
  },
  "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Group" ],
  "displayName": "TestGroup",
  "members": [
    { "value": "a2f5518f-5dd5-48c2-9b1a-28b88b152885", "display": "MyFavoriteGroup" },
    { "value": "eff4f49c-aeb4-4203-8f6a-979ecf9d2320", "display": "Julie Armstrong" },
    { "value": "d478473e-af5f-45dc-977c-8447313216dc", "display": "John Smith" }
  ]
}
1.6.2.10 Update Group
To update a group resource, you need to send an HTTP PUT request to the resource endpoint, in this case /Groups and append the id of the group. The HTTP PUT request is used to replace a resource's attributes.
Note: If you update group members (users or other groups) or the displayName attribute of group members, the groups are updated asynchronously in both cases.
Request
URI: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups/<id>
HTTP Method: PUT
Content-Type: application/scim+json
Authorization: OAuth 2.0
Request Example
In this example, a group is updated with a new group member (user).
{
  "id": "5a028516-0538-4af3-b69d-18be92decef9",
  "meta": {
    "created": "2017-06-08T12:40:10.143333333Z",
    "lastModified": "2017-06-08T12:40:10.143333333Z",
    "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups/5a028516-0538-4af3-b69d-18be92decef9",
    "version": "529410f3-dee0-4721-991d-6a4b2e145b8b",
    "resourceType": "Group"
  },
  "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Group" ],
  "displayName": "TestGroup",
  "members": [
    {
      "value": "d478473e-af5f-45dc-977c-8447313216dc",
      "display": "John Smith",
      "$ref": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/d478473e-af5f-45dc-977c-8447313216dc",
      "type": "User"
    },
    {
      "value": "895c338a-8a75-4650-b56b-d4eec9b77dc0",
      "display": "Donna Moore",
      "$ref": "https://<tenant ID>.hana.ondemand.com/idds/scim/Users/895c338a-8a75-4650-b56b-d4eec9b77dc0",
      "type": "User"
    },
    {
      "value": "a2f5518f-5dd5-48c2-9b1a-28b88b152885",
      "display": "MyFavoriteGroup",
      "$ref": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups/a2f5518f-5dd5-48c2-9b1a-28b88b152885",
      "type": "Group"
    },
    {
      "value": "eff4f49c-aeb4-4203-8f6a-979ecf9d2320",
      "display": "Julie Armstrong",
      "$ref": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/eff4f49c-aeb4-4203-8f6a-979ecf9d2320",
      "type": "User"
    }
  ]
}
Response
Response Status and Error Codes
Code Reason Description
200 Updated Indicates that the group is updated.
Response Example
{
  "id": "5a028516-0538-4af3-b69d-18be92decef9",
  "meta": {
    "created": "2017-06-08T12:40:10.143333333Z",
    "lastModified": "2017-06-08T12:45:10.688Z",
    "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups/5a028516-0538-4af3-b69d-18be92decef9",
    "version": "c81d2038-f2e2-4b2f-93d6-ac7c5a7b5ae9",
    "resourceType": "Group"
  },
  "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Group" ],
  "displayName": "TestGroup",
  "members": [
    {
      "value": "d478473e-af5f-45dc-977c-8447313216dc",
      "display": "John Smith",
      "$ref": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/d478473e-af5f-45dc-977c-8447313216dc",
      "type": "User"
    },
    {
      "value": "a2f5518f-5dd5-48c2-9b1a-28b88b152885",
      "display": "MyFavoriteGroup",
      "$ref": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups/a2f5518f-5dd5-48c2-9b1a-28b88b152885",
      "type": "Group"
    },
    {
      "value": "895c338a-8a75-4650-b56b-d4eec9b77dc0",
      "display": "Donna Moore",
      "$ref": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/895c338a-8a75-4650-b56b-d4eec9b77dc0",
      "type": "User"
    },
    {
      "value": "eff4f49c-aeb4-4203-8f6a-979ecf9d2320",
      "display": "Julie Armstrong",
      "$ref": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/eff4f49c-aeb4-4203-8f6a-979ecf9d2320",
      "type": "User"
    }
  ]
}
1.6.2.11 Delete Group
To delete a group resource, you need to send an HTTP DELETE request to the resource endpoint, in this case /Groups and append the id of the group.
Note: If you delete a nested group (a group that is a member of another group), note that the parent group is updated asynchronously.
Request
URI: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups/<id>
HTTP Method: DELETE
Content-Type: application/scim+json
Authorization: OAuth 2.0
Request Example
DELETE /Groups/82af6531-1491-4438-a8ee-68cc9ff19576
Response
Response Status and Error Codes
Code Reason Description
204 No Content Indicates that the group is deleted.
When you try to retrieve the deleted group with HTTP GET request, you get status: 404 Not Found.
Response Example
{
  "status": "404",
  "detail": "Group 82af6531-1491-4438-a8ee-68cc9ff19576 not found",
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:Error" ]
}
1.6.2.12 Create Custom Schema
To create a custom schema, you need to send an HTTP POST request to the resource endpoint, in this case /Schemas.
You can create up to 20 custom schemas, each containing a maximum of 20 custom attributes based on the supported data types. Complex custom attributes are not supported.
The id of the custom schema and the names of the custom attributes must not exceed 20 characters (alphanumeric and underscore), not counting the prefix of the custom schema.
Request
URI: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Schemas
HTTP Method: POST
Content-Type: application/scim+json
Authorization: OAuth 2.0
Request Example
{
  "id": "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema",
  "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Schema" ],
  "name": "MyCustomSchema",
  "description": "MyCustomSchema description!",
  "attributes": [
    {
      "name": "CustomString", "type": "string", "multiValued": false,
      "description": "A human-readable name. REQUIRED.", "required": false, "caseExact": false,
      "mutability": "readWrite", "returned": "default", "uniqueness": "none",
      "referenceTypes": [ "external", "uri" ]
    },
    {
      "name": "CustomIinteger", "type": "integer", "multiValued": false,
      "description": "Super secret internal system id", "required": false, "caseExact": true,
      "mutability": "readWrite", "returned": "default", "uniqueness": "server"
    },
    {
      "name": "CustomDecimal", "type": "decimal", "multiValued": false,
      "description": "Super secret internal system id", "required": false, "caseExact": true,
      "mutability": "readWrite", "returned": "default", "uniqueness": "server"
    },
    {
      "name": "CustomBoolean", "type": "boolean", "multiValued": false,
      "description": "Super secret internal system id", "required": false, "caseExact": true,
      "mutability": "readWrite", "returned": "default", "uniqueness": "server"
    },
    {
      "name": "CustomDatetime", "type": "datetime", "multiValued": false,
      "description": "Super secret internal system id", "required": false, "caseExact": true,
      "mutability": "readWrite", "returned": "default", "uniqueness": "server"
    },
    {
      "name": "CustomBinary", "type": "binary", "multiValued": false,
      "description": "Super secret internal system id", "required": false, "caseExact": true,
      "mutability": "readWrite", "returned": "default", "uniqueness": "server"
    },
    {
      "name": "CustomReference", "type": "reference", "multiValued": false,
      "description": "Super secret internal system id", "required": false, "caseExact": true,
      "mutability": "readWrite", "returned": "default", "uniqueness": "server"
    }
  ]
}
Response
Response Status and Error Codes
Code Reason Description
201 Created Indicates that the custom schema is created.
Response Example
{
  "id": "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema",
  "meta": {
    "created": "2017-06-07T13:02:39.030Z",
    "lastModified": "2017-06-07T13:02:39.030Z",
    "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Schemas/urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema",
    "version": "84dd1ae5-f031-48f7-9d96-f53928401f2e",
    "resourceType": "Schema"
  },
  "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Schema" ],
  "name": "MyCustomSchema",
  "description": "MyCustomSchema description!",
  "attributes": [
    {
      "name": "CustomString", "type": "string", "multiValued": false,
      "description": "A human-readable name. REQUIRED.", "required": false, "caseExact": false,
      "mutability": "readWrite", "returned": "default", "uniqueness": "none",
      "referenceTypes": [ "external", "uri" ]
    },
    {
      "name": "CustomIinteger", "type": "integer", "multiValued": false,
      "description": "Super secret internal system id", "required": false, "caseExact": true,
      "mutability": "readWrite", "returned": "default", "uniqueness": "server"
    },
    {
      "name": "CustomDecimal", "type": "decimal", "multiValued": false,
      "description": "Super secret internal system id", "required": false, "caseExact": true,
      "mutability": "readWrite", "returned": "default", "uniqueness": "server"
    },
    {
      "name": "CustomBoolean", "type": "boolean", "multiValued": false,
      "description": "Super secret internal system id", "required": false, "caseExact": true,
      "mutability": "readWrite", "returned": "default", "uniqueness": "server"
    },
    {
      "name": "CustomDatetime", "type": "datetime", "multiValued": false,
      "description": "Super secret internal system id", "required": false, "caseExact": true,
      "mutability": "readWrite", "returned": "default", "uniqueness": "server"
    },
    {
      "name": "CustomBinary", "type": "binary", "multiValued": false,
      "description": "Super secret internal system id", "required": false, "caseExact": true,
      "mutability": "readWrite", "returned": "default", "uniqueness": "server"
    },
    {
      "name": "CustomReference", "type": "reference", "multiValued": false,
      "description": "Super secret internal system id", "required": false, "caseExact": true,
      "mutability": "readWrite", "returned": "default", "uniqueness": "server"
    }
  ]
}
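A client-side pre-flight check of a custom schema body against the limits stated in this section, as an added example that is not SAP's code: 20 custom schemas per tenant, 20 attributes per schema, 20-character alphanumeric/underscore names measured without the schema prefix, and no complex attributes. The prefix constant and the accepted types are taken from the request example above; treating a subAttributes key as the marker of a complex attribute is an assumption.

```python
import re
from typing import List

# Prefix used by the custom schema id in the request example above.
CUSTOM_SCHEMA_PREFIX = "urn:sap:cloud:scim:schemas:extension:custom:2.0:"
MAX_CUSTOM_SCHEMAS = 20          # per tenant
MAX_ATTRIBUTES_PER_SCHEMA = 20
MAX_NAME_LENGTH = 20             # alphanumeric and underscore, prefix not counted
NAME_PATTERN = re.compile(r"^[A-Za-z0-9_]+$")
# The simple SCIM data types used in the request example above; "complex" is not among them.
SUPPORTED_TYPES = {"string", "integer", "decimal", "boolean", "datetime", "binary", "reference"}


def _check_name(label: str, value: str) -> List[str]:
    """Apply the length and character rule to a schema id or attribute name."""
    if not value:
        return [f"{label}: name is empty"]
    problems = []
    if len(value) > MAX_NAME_LENGTH:
        problems.append(f"{label}: {len(value)} characters exceeds the limit of {MAX_NAME_LENGTH}")
    if not NAME_PATTERN.match(value):
        problems.append(f"{label}: only alphanumeric characters and underscore are allowed")
    return problems


def validate_custom_schema(schema: dict, existing_schema_count: int = 0) -> List[str]:
    """Return the list of violations; an empty list means the body may be POSTed.

    `existing_schema_count` is how many custom schemas the tenant already has,
    so the 20-schema limit is checked before the request leaves the client.
    """
    problems: List[str] = []
    if existing_schema_count >= MAX_CUSTOM_SCHEMAS:
        problems.append(f"tenant already has {existing_schema_count} custom schemas (limit {MAX_CUSTOM_SCHEMAS})")

    schema_id = schema.get("id", "")
    if not schema_id.startswith(CUSTOM_SCHEMA_PREFIX):
        problems.append(f"id must start with {CUSTOM_SCHEMA_PREFIX}")
    else:
        # Only the part after the prefix counts toward the 20-character limit.
        problems.extend(_check_name("schema id", schema_id[len(CUSTOM_SCHEMA_PREFIX):]))

    attributes = schema.get("attributes", [])
    if len(attributes) > MAX_ATTRIBUTES_PER_SCHEMA:
        problems.append(f"{len(attributes)} attributes exceeds the limit of {MAX_ATTRIBUTES_PER_SCHEMA}")
    for attr in attributes:
        name = attr.get("name", "")
        label = f"attribute {name!r}"
        problems.extend(_check_name(label, name))
        attr_type = attr.get("type")
        if attr_type not in SUPPORTED_TYPES:
            problems.append(f"{label}: type {attr_type!r} is not supported (complex attributes are not supported)")
        if "subAttributes" in attr:  # assumption: sub-attributes mark a complex attribute
            problems.append(f"{label}: subAttributes make this a complex attribute, which is not supported")
    return problems


# Constructed sample modelled on the request example above (two of its attributes).
SAMPLE_SCHEMA = {
    "id": CUSTOM_SCHEMA_PREFIX + "MyCustomSchema",
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
    "name": "MyCustomSchema",
    "description": "MyCustomSchema description!",
    "attributes": [
        {"name": "CustomString", "type": "string", "multiValued": False, "required": False,
         "caseExact": False, "mutability": "readWrite", "returned": "default", "uniqueness": "none"},
        {"name": "CustomBoolean", "type": "boolean", "multiValued": False, "required": False,
         "caseExact": True, "mutability": "readWrite", "returned": "default", "uniqueness": "server"},
    ],
}

if __name__ == "__main__":
    print(validate_custom_schema(SAMPLE_SCHEMA) or "schema body is within the stated limits")
```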
1.6.2.13 Delete Custom Schema
To delete a custom schema, you need to send an HTTP DELETE request to the resource endpoint, in this case /Schemas, and append the id of the custom schema.
Note: You can only delete an existing custom schema.
Request
URI: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Schemas/<id>
HTTP Method: DELETE
Content-Type: application/scim+json
Authorization: OAuth 2.0
Request Example
DELETE /Schemas/urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema
Response
Response Status and Error Codes
Code Reason Description
204 No Content Indicates that the custom schema is deleted.
When you try to retrieve the deleted custom schema with HTTP GET request, you get status: 404 Not Found.
Response Example
{
  "status": "404",
  "detail": "Schema urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema not found",
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:Error" ]
}
1.6.3 Requesting Audit Logs
The audit log displays information about who (user) performed what (action) and when (precise time stamp). The request ID is also displayed for detailed traceability.
Context
For example:
{"action":"POST","timestamp":"2017-04-19T09:40:47.218+0000"},object={"objectID":"4b7b2be8-cd9b-4a4a-87ff-450aa76af061","objectName":"Users"},custom={"request-id":"a5c95242-7ff9-4697-a605-ac91d1688888"}
To view your Audit logs, you need to request them by creating a BCP incident.
Procedure
1. Create a BCP incident on component BC-NEO-AUDITLOG.
2. Provide the following information:
   ● Landscape – for example Factory EU
   ● Account – for example avatar
   ● Time frame – for example 1st to 3rd May
   ● TenantID – the tenant ID for the account.
Results
The audit logs are exported, archived and uploaded to a password protected mdoc share with an expiry date of two weeks from today's date.
1.6.4 Security
Authentication
To authenticate to the identity directory SCIM REST API, you need an OAuth Client Credentials Grant authentication. For more information on how to configure it, see Configuring OAuth 2.0.
Every request must include an Authorization request header. The header value is provided as follows: Bearer <access token>.
Authorization
To access all resources endpoints (/Users, /Groups, /Schemas), you need to register an OAuth client and assign the following roles to it:
● SCIM_READ – Gives read-only access to all operations in the identity directory. That is, you can send only HTTP GET and HEAD requests to the resource endpoints.
● SCIM_MANAGE – Gives write access to all HTTP requests.
To assign the roles to your OAuth client, proceed as follows:
1. Open your subaccount in the SAP Cloud Platform cockpit.
2. From the left-side navigation, choose Subscriptions.
3. Under the Java Applications section, choose idds.
4. From the left-side navigation, choose Roles → Assign.
5. In the User ID field, provide the OAuth client in the following format: oauth_client_<client_ID>, where <client_ID> is the one that is generated when you register your OAuth client.
1.7 Security
Before You Start
You can choose whether to only try out the Identity Provisioning service for testing (trial) purposes, or purchase it for productive use. To learn how, see: Getting Started [page 22]
Authentication and Roles
See: Authentication and Roles [page 283]
Communication Channels
See: Communication Security [page 281]
Managing Customer Data
See: Customer Data [page 281]
Managing Logs
See: Job Logs [page 283]
Encryption
When configuring a system, always set credentials (such as passwords and OAuth secrets) as Credential properties.
Session Management
The Identity Provisioning service uses the session management principles of SAP Cloud Platform. Also, no session cookies are generated. For more information, see Handling Session Timeout.
Related Information
Data Protection and Privacy [page 284]
1.7.1 Communication Security
By default, the Identity Provisioning service uses secure communication channels. Still, when connecting to customer systems, you decide (define) which communication channel is used.
Recommendations
● Always use secure protocols when specifying your connection details (in the cockpit → Destinations section, in the Identity Provisioning UI → Properties tab).
● Avoid using property TrustAll in productive scenarios. When it's set to true, the SSL server certificate is not verified, and thus the server is not authenticated.
1.7.2 Customer Data
Data Isolation
● Trial Use – all trial users subscribed to the Identity Provisioning application share a common database schema but their data is written in separate DB columns. This guarantees that your provisioned entities are stored separately, which means other trial customers cannot see your data.
● Productive Use – after you subscribe to the productive Identity Provisioning application, a new dedicated database schema is created for you. This guarantees that your provisioned data is stored separately, which means it's isolated from other productive customer data.
Note: Even if you have more than one account, you receive only one Identity Provisioning DB schema.
Data Storage Security
In the Identity Provisioning service, no personal or sensitive information about the provisioned entities is saved. To check whether any changes have been made to an entity after the initial provisioning, the Identity Provisioning service applies a strong hashing algorithm to the provisioned entities and keeps only the resulting hashes.
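The store-a-hash-not-the-data principle described above, as an added illustration that is not the service's own implementation: each provisioned entity is reduced to a SHA-256 fingerprint of its canonical JSON form, only the fingerprints are kept between runs, and the next run compares them to find what was added, changed or removed without any personal data ever being persisted. SHA-256, canonical JSON and the exclusion of the SCIM meta block are assumptions made for this example; the users are constructed.

```python
import hashlib
import json
from typing import Dict, Iterable, Set, Tuple

# SCIM "meta" moves on every write (lastModified, version) without the entity's own
# content changing; leaving it out keeps the fingerprint stable. Assumption made for
# this example, not a statement about the service's behaviour.
VOLATILE_KEYS = {"meta"}


def entity_fingerprint(entity: dict) -> str:
    """SHA-256 over a canonical JSON form (sorted keys, fixed separators) of the
    entity minus volatile metadata, so identical content always hashes the same
    and the stored value reveals nothing about the personal data it stands for."""
    stable = {k: v for k, v in entity.items() if k not in VOLATILE_KEYS}
    canonical = json.dumps(stable, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def snapshot(entities: Iterable[dict]) -> Dict[str, str]:
    """The only thing persisted between runs: entity id -> fingerprint."""
    return {e["id"]: entity_fingerprint(e) for e in entities}


def diff_snapshots(previous: Dict[str, str], current: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, changed, removed) ids, i.e. what the next run has to provision."""
    added = set(current) - set(previous)
    removed = set(previous) - set(current)
    changed = {i for i in set(previous) & set(current) if previous[i] != current[i]}
    return added, changed, removed


# Constructed sample: between the two reads, u1 is untouched (only its meta and key
# order differ), u2 changes a family name, u3 disappears and u4 is new.
RUN_1 = [
    {"id": "u1", "userName": "jsmith", "name": {"givenName": "John", "familyName": "Smith"},
     "meta": {"lastModified": "2017-06-08T12:40:10Z", "version": "v1"}},
    {"id": "u2", "userName": "jarmstrong", "name": {"givenName": "Julie", "familyName": "Armstrong"},
     "meta": {"lastModified": "2017-06-08T12:40:10Z", "version": "v1"}},
    {"id": "u3", "userName": "dmoore", "name": {"givenName": "Donna", "familyName": "Moore"},
     "meta": {"lastModified": "2017-06-08T12:40:10Z", "version": "v1"}},
]
RUN_2 = [
    {"id": "u1", "name": {"familyName": "Smith", "givenName": "John"}, "userName": "jsmith",
     "meta": {"lastModified": "2017-06-09T08:00:00Z", "version": "v2"}},
    {"id": "u2", "userName": "jarmstrong", "name": {"givenName": "Julie", "familyName": "Miller"},
     "meta": {"lastModified": "2017-06-09T08:00:00Z", "version": "v2"}},
    {"id": "u4", "userName": "hristo", "name": {"givenName": "Hristo"},
     "meta": {"lastModified": "2017-06-09T08:00:00Z", "version": "v1"}},
]

if __name__ == "__main__":
    added, changed, removed = diff_snapshots(snapshot(RUN_1), snapshot(RUN_2))
    print("added", sorted(added), "changed", sorted(changed), "removed", sorted(removed))
```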
If a provisioning job repeatedly fails and you need to investigate the problem, you can enable full logging. That means the Identity Provisioning service will log the complete information (general and personal data, if any) of your provisioned entities. To activate such logging, proceed as follows:
1. In your source system, set the property ips.trace.failed.entity.content to true.
2. Run the provisioning job again.
3. Open the Job Logs section, select your job, and under Failed Entities, choose an entity and find the log information about it.
4. If you cannot resolve the problem yourself, contact the Identity Provisioning operators. For more information, see Support [page 288].
Note: The operators may need the full trace content, so they can ask you to set the property in your target system as well and run the provisioning job once again.
Reset Customer Data
If you need to clear all your customer data (systems, jobs, execution logs), choose Reset from the Support section in the UI.
Related Information
Data Protection and Privacy [page 284]
1.7.3 Authentication and Roles
The Identity Provisioning service can be consumed either directly through its APIs, or by the user interface (UI).
Protection Categories
● The APIs are protected with OAuth 2.0. To call an API, you need to obtain an OAuth token. See: Register an OAuth Client
● The user interface is protected with SAML 2.0 authentication against the trusted identity provider configured for SAP Cloud Platform.
Note: Use the service UI for provisioning entities between standard source and target systems. Use APIs only when the user interface is not available (for proxy scenarios). See: Hybrid Scenario: SAP Identity Management [page 246]
Roles
You can provide additional users with admin rights for your consumer (sub)account. You can do this in the platform cockpit → Applications → Subscriptions. Choose your Java application and then, in the Roles section, assign new users. The available roles are:
● IPS_ADMIN – this is the main administrator role. It provides you with access to all Identity Provisioning UI systems and features. You can manage source, target and proxy systems, run and schedule jobs, view and maintain job logs, and reset the tenant.
● IPS_PROXY_USER – this role allows you to provision entities from and to proxy systems via proxy system APIs.
For more information, see Managing Java EE Roles and Creating Roles (HTML5 Applications).
1.7.4 Job Logs
Execution
Job logs show important information about the state of your jobs. If a job is unsuccessful, the logs will display how many entities have failed and the first few of them.
Cleanup
Job logs are automatically deleted after a defined retention period. You can set this period to 7, 14 or 30 days. By default, logs are kept for 7 days.
Export
If you need to keep your job logs longer than the retention period, or just need to have them available offline, export them to your local system.
Note: Logs can contain any customer data depending on what kind of information is provisioned (general or private). The Identity Provisioning service is not responsible for the content of the provisioned data. You, as administrator, can control this by the transformation logic of the systems.
Related Information
Manage Jobs and Job Logs [page 98]
1.7.5 Data Protection and Privacy
Governments place legal requirements on industry to protect data and privacy. We provide features and functions to help you meet these requirements.
Note: SAP does not provide legal advice in any form. SAP software supports data protection compliance by providing security features and data protection-relevant functions, such as blocking and deletion of personal data. In some cases, compliance with applicable data protection and privacy laws may not be completely covered by the Identity Provisioning service. That’s because Identity Provisioning scenarios require actions from you too, which the service cannot do for you.
Furthermore, this information should not be taken as an advice or a recommendation regarding additional features that would be required in specific IT environments. Decisions related to data protection must be made on a case-by-case basis, taking into consideration the given system landscape and the applicable legal requirements. Definitions and other terms used in this documentation are not taken from a specific legal source.
Handle personal data with care. As a data controller, you are legally responsible when processing personal data.
Glossary for Data Protection and Privacy [page 285]
The terms listed in this page are general to SAP products. Not all terms may be relevant for the SAP Cloud Platform Identity Provisioning service.

Change Logging and Read-Access Logging [page 287]
Change logging guarantees that changes made to personal data are recorded. Read-access logging records access to sensitive personal data. You may be required to gather this information for auditing purposes or legal requirements.

Information Report [page 287]
Currently, this functionality is not applicable for the Identity Provisioning service.

Erasure [page 287]
When handling personal data, consider the legislation in the different countries where your organization operates. After the data has passed the end of purpose, regulations may require you to delete the data. However, additional regulations may require you to keep the data longer. During this period you must block access to the data by unauthorized persons until the end of the retention period, when the data is finally deleted.

Consent [page 288]
We assume that software operators, such as SAP customers, collect and store the consent of data subjects, before collecting personal data from data subjects. A data privacy specialist can later determine whether data subjects have granted, withdrawn, or denied consent.
1.7.5.1 Glossary for Data Protection and Privacy
The following terms are general to SAP products. Not all terms may be relevant for SAP Cloud Platform Identity Provisioning service.
Term Definition
Blocking A method of restricting access to data for which the primary business purpose has ended.
Business purpose A legal, contractual, or in other form justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts.
Consent The action of the data subject confirming that the usage of his or her personal data shall be allowed for a given purpose. A consent functionality allows the storage of a consent record in relation to a specific purpose and shows if a data subject has granted, withdrawn, or denied consent.
Deletion Deletion of personal data so that the data is no longer available.
End of business Date where the business with a data subject ends, for example the order is completed, the subscription is canceled, or the last bill is settled.
End of purpose (EoP) End of purpose and start of blocking period. The point in time, when the primary processing purpose ends (for example contract is fulfilled).
End of purpose (EoP) check A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization (for example, tax auditors).
Personal data Any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person
Purpose The information that specifies the reason and the goal for the processing of a specific set of personal data. As a rule, the purpose references the relevant legal basis for the processing of personal data.
Residence period The period of time between the end of business and the end of purpose (EoP) for a data set during which the data remains in the database and can be used in case of subsequent processes related to the original purpose. At the end of the longest configured residence period, the data is blocked or deleted. The residence period is part of the overall retention period.
Retention period The period of time between the end of the last business activity involving a specific object (for example, a business partner) and the deletion of the corresponding data, subject to applicable laws. The retention period is a combination of the residence period and the blocking period.
Sensitive personal data A category of personal data that usually includes the following type of information:
● Special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation.
● Personal data subject to professional secrecy
● Personal data relating to criminal or administrative offenses
● Personal data concerning insurances and bank or credit card accounts
Where-used check (WUC) A process designed to ensure data integrity in the case of potential blocking of business partner data. An application's where-used check (WUC) determines if there is any dependent data for a certain business partner in the database. If dependent data exists, this means the data is still required for business activities. Therefore, the blocking of business partners referenced in the data is prevented.
1.7.5.2 Change Logging and Read-Access Logging
Change logging guarantees that changes made to personal data are recorded. Read-access logging records access to sensitive personal data. You may be required to gather this information for auditing purposes or legal requirements.
● Job logs are automatically deleted after a defined retention period. You can set this period to 7, 14, or 30 days. By default, logs are kept for 7 days.
● Audit logs are available on request by opening a ticket with primary support. For more information, see Request Extraction of Audit Logs.
1.7.5.3 Information Report
Note: Currently, this functionality is not applicable for the Identity Provisioning service.
The Identity Provisioning service only transfers entities from a source system to a target one. The applications representing these source and target systems may provide data about the provisioned entities but this data is only stored in the systems, not in the Identity Provisioning service itself.
1.7.5.4 Erasure
When handling personal data, consider the legislation in the different countries where your organization operates. After the data has passed the end of purpose, regulations may require you to delete the data. However, additional regulations may require you to keep the data longer. During this period you must block access to the data by unauthorized persons until the end of the retention period, when the data is finally deleted.
Personal data can also include referenced data. The challenge for deletion and blocking is first to handle referenced data and then other data, such as business partner data.
Note: If your data is stored outside SAP Cloud Platform, we cannot guarantee that your data does not get reintegrated if you are pushing such data to our systems. You are responsible for terminating such integrations.
We cannot restore data you have in your local system.
Account Expiration
Productive accounts expire based on the terms of your contract.
When your accounts expire, we delete your data barring legal requirements that SAP retains your data. If your organization has separate retention requirements, you are responsible for saving this data before we terminate your account.
Disaster Recovery and Data Restore
The service maintains backups of lost data in the event of a disaster. The Identity Provisioning service uses the disaster recovery principles of SAP Cloud Platform.
When your account is deleted, we may have this data in our backup system for the length of our backup cycle.
Related Information
Account Termination
1.7.5.5 Consent
We assume that software operators, such as SAP customers, collect and store the consent of data subjects, before collecting personal data from data subjects. A data privacy specialist can later determine whether data subjects have granted, withdrawn, or denied consent.
To help you manage the consent of data subjects, the Identity Provisioning service relies on SAP Cloud Platform Identity Authentication service, which manages privacy policies and terms of use agreements.
For more information, see the Identity Authentication documentation: Configuring Privacy Policies and Configuring Terms of Use
1.8 Support
If you experience issues with the Identity Provisioning service, follow the procedures below, depending on the version you use (trial or productive).
Productive Use
Report an incident:
1. Open the SAP Support Portal page.
2. Perform a search to check if your problem has already been reported.
3. If you cannot find any incidents related to your problem, create your own incident.
4. For Component, enter: BC-IAM-IPS
5. Fill in the remaining mandatory fields.
6. Explain your problem, specifying first whether your Identity Provisioning service is purchased as a standalone solution or is part of a bundle license (SAP Jam or SAP SuccessFactors).
Trial Use
Ask a question:
1. Open URL: https://answers.sap.com/questions/ask.html
2. Enter your SAP trial user name and password, and choose Next. A page with the title Ask a Question is displayed.
3. Enter the short and full text of your question or feedback.
4. For the primary tag, enter: SAP Cloud Platform Identity Provisioning
5. Once you have finished, choose Submit your Question.
6. A page dedicated to your feedback is created. On this page, you can check for answers from SAP developers and other users.
7. If you want to receive e-mail notifications from your feedback page, choose Follow.
Account Information
In the Support section of the Identity Provisioning user interface, you can see the SAP Cloud Platform information relevant to your tenant (region host, global account, and subaccount name).
An informative message shows how many subaccounts in your global account you have enabled the Identity Provisioning service for so far. The default number of subaccounts is 2 – one you can use for test purposes, and one for productive scenarios. For more information, see Access the Identity Provisioning (Standalone) [page 26] → step 3.
A warning message appears if you have reached the maximum number of enabled subaccounts. If this number is insufficient for your business needs, you can request more subaccounts. To do this, create an incident for component BC-IAM-IPS.
Important Disclaimers and Legal Information
Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information. About the icons:
● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this:
  ● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
  ● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.
Beta and Other Experimental Features
Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.
Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.
Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.
go.sap.com/registration/contact.html
© 2018 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.
Please see https://www.sap.com/about/legal/trademark.html for additional trademark information and notices.