Real-time user provisioning using SAP Cloud Identity Service (Identity Provisioning)


Introduction

Hello SAP Community,

Today, I’m going to walk you through setting up real-time user provisioning using SAP Identity Provisioning Service (IPS). Recently, I faced a task requiring real-time user provisioning but struggled to find detailed explanations or how-to guides. So, I decided to document the process myself. If you notice any mistakes or have tips, please share them in the comments. Let’s dive in!

 

Feature Overview

As a tenant administrator, you can configure real-time provisioning to instantly sync users and groups from source to target systems. This means newly created, updated, or deleted users are automatically synced without manual or scheduled jobs in Identity Provisioning.

Important Note: For real-time provisioning, the source system must be either Identity Authentication Service (IAS) or SuccessFactors. This setup is perfect for scenarios where immediate system access is needed, like user self-registration. With real-time provisioning, changes are reflected instantly across your systems.

We’ll skip comparing Standard vs. Real-Time provisioning since this info is already available in the official documentation.

 

Technical Overview

Assuming you’re already familiar with configuring source and target systems in IPS (since there are plenty of detailed guides available), let’s focus on the essentials. Here’s a quick rundown of the technical architecture and prerequisites.

 

 

Prerequisites

Source system: Cloud Identity Service tenant 1 or IAS 1 (Source system, I’m simply using Local Identity directory)
URL: https://IAS1.accounts400.ondemand.com/
Technical administrator user (Add Administrators) with the client ID and secret credentials: user1 and password1

Target system: Cloud Identity Service tenant 2 or IAS 2 (Target system) – though in your case, it could be any other supported target system.

Again, I’ll skip the technical details of the target system, as they will vary based on your specific use case.

 

Configuration

1) First, you need to configure both the source and target systems in the corresponding IPS menu. After completing this step, you will see a System ID in the URL for your systems. For real-time provisioning, we will need the source System ID: 213…dd7

2) And, of course, the target system IAS 2, where our IAS 1 will be the source:

3) As the next and last step, go to the IAS Admin Console ➡️ Users & Authorizations ➡️ Real-Time Provisioning:

 

 

Configure your target for real-time user provisioning with the corresponding credentials:

Type: Identity Provisioning
Version: 1
SCIM URL: https://ias1.accounts400.ondemand.com/ipsproxy/service/api/v1/systems/213…dd7/entities/user

The authentication mechanism may vary. In my case, I simply utilized my technical user credentials from the prerequisites.
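
A pre-flight check for the SCIM URL entered above, as an added example (not from the original post or from SAP): it assembles the URL from the tenant host and the source System ID and flags common mistakes such as a non-HTTPS scheme, credentials embedded in the URL, or a System ID that still contains the elided placeholder. The function names, the sample host and the assumption that a System ID contains only hex digits and hyphens are illustrative.

```python
import re
from urllib.parse import urlsplit

# Path shape taken from the SCIM URL shown in this post.
PATH_RE = re.compile(r"^/ipsproxy/service/api/v1/systems/([^/]+)/entities/user$")
# Assumption (not confirmed by the post): a System ID is hex digits and hyphens only.
SYSTEM_ID_RE = re.compile(r"^[0-9a-fA-F-]{8,}$")


def check_scim_url(url):
    """Return a list of problems; an empty list means the URL looks usable."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.username or parts.password:
        problems.append("credentials must not be embedded in the URL")
    if not parts.hostname:
        problems.append("missing host")
    if parts.query or parts.fragment:
        problems.append("unexpected query string or fragment")
    match = PATH_RE.match(parts.path)
    if not match:
        problems.append("path is not /ipsproxy/service/api/v1/systems/<id>/entities/user")
    elif not SYSTEM_ID_RE.match(match.group(1)):
        problems.append("system ID looks truncated or is a placeholder")
    return problems


def build_scim_url(tenant_host, system_id):
    """Assemble the real-time provisioning SCIM URL and refuse a bad result."""
    url = ("https://" + tenant_host.strip().lower()
           + "/ipsproxy/service/api/v1/systems/" + system_id.strip()
           + "/entities/user")
    problems = check_scim_url(url)
    if problems:
        raise ValueError("; ".join(problems))
    return url


if __name__ == "__main__":
    # Constructed sample values, not a real tenant or System ID.
    sample_id = "00000000-0000-4000-8000-000000000000"
    print(build_scim_url("IAS1.example.invalid", sample_id))
    print(check_scim_url("http://user1:password1@ias1.example.invalid/ipsproxy"))
```
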

 

Conclusion

Once our real-time provisioning is configured, you can test it: newly created users should be provisioned automatically, or you can select an already existing user in the User Management menu:

In case of any issues, real-time provisioning logs are available to help troubleshoot:

Hope this guide helps you set up real-time user provisioning using SAP Identity Provisioning Service. If you have any issues or tips, drop them in the comments. Happy provisioning!

 

 

 
