Introduction:
SAP Cloud Identity services consist of 3 key components.
Identity Authentication (IAS): Manages user login and provides single sign-on.
Identity Provisioning (IPS): Syncs user data between systems. It does the transformation/filtering from source to target system.
Identity Directory: Centralizes user information, acting as a single source of truth for identity management.
In this blog post, I will showcase the following:
Use IAS as a custom IDP for Integration Suite
Provision users from FSM to IAS using IPS
Configure IAS as custom IDP for BTP Subaccount using OIDC
In this scenario, we have two subaccounts, say trial and cis. The trial subaccount has Integration Suite subscribed, and the cis subaccount has Cloud Identity Services subscribed.
Step 1:
Go to the Sub Account of Integration Suite for trust configuration.
Click on ‘Establish Trust’ Button.
The login page of Integration Suite looks like below:
Step 2:
Go to Cloud Identity Services -> Users & Authorizations -> User Management -> Add New User
After account activation, the user (in our case Mr. John Doe) still cannot access the Integration Suite. See the screenshot below. This brings us to the next step.
Step 3:
Go to Subaccount for Integration Suite.
Create a custom role collection containing all the required roles of SAP CPI Consultant.
Step 4:
Go to Cloud Identity Services.
Create a group for CPI consultants and assign the user to that group.
Step 5:
After establishing trust (referring to step 1), an application is auto-generated, as shown below.
Now there is an attribute related to ‘group’.
Go to subaccount for Integration Suite -> Trust Configuration -> Click on Custom IDP link
Step 6:
When a user logs in, we can see the log entries in the Troubleshooting Logs of Cloud Identity Services.
Monitoring & Reporting -> Troubleshooting Logs -> search for keyword ‘jwt’.
Action type is ‘issueJwtToken’.
Click on ‘Log Details’.
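The token issued in this step can also be checked outside the log viewer to confirm that the group attribute from Step 5 is present, since a missing group is what leaves the user without the role collection. The following is an added example, not part of the original post: the claim name "groups", the issuer URL and the group name are assumptions, and the sample tokens are constructed and unsigned. It only inspects claims and does not verify the signature.

```python
import base64
import json
import time

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))

def check_token(token, issuer, group, now=None):
    """List the reasons the group-to-role-collection mapping would not apply."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    groups = claims.get("groups")            # assumed claim name
    if isinstance(groups, str):              # a single group may arrive as a string
        groups = [groups]
    if groups is None:
        problems.append("no groups claim in token")
    elif not isinstance(groups, list) or group not in groups:
        problems.append("user is not in the mapped group")
    return problems

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for offline testing."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

ISSUER = "https://ias-tenant.example"        # placeholder issuer
GROUP = "CPI_Consultants"                    # hypothetical group name
SAMPLE_OK = make_sample_token({"iss": ISSUER, "exp": 4102444800, "groups": GROUP})
SAMPLE_NO_GROUP = make_sample_token({"iss": ISSUER, "exp": 4102444800})

if __name__ == "__main__":
    for name, tok in (("with group", SAMPLE_OK), ("without group", SAMPLE_NO_GROUP)):
        print(name, "->", check_token(tok, ISSUER, GROUP) or "ok")
```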
Step 7:
Enable ‘Risk-based Authentication’ for email domain.
Now if the user’s email domain is gmail, it will ask for two-factor authentication.
Go to Profile Management UI.
Provision users from FSM to IAS using IPS
Step 1:
Create source system for FSM (Field Service Management)
For this case, I will replicate only one dummy user from FSM to IAS. The filter criteria property (fsm.user.filter) is used for this.
Please note that the data used in executing these scenarios throughout this blog post is test/fake data only.
Ignore the ‘Group’ entity (to avoid group sync).
Step 2:
Create target system for IAS (Identity Authentication)
Create a system admin for IAS and use the generated client id as user and secret as password.
Step 3:
Run ‘Read Job’. It is also possible to subscribe to job failure notifications by clicking on ‘Subscribe’.
Step 4:
Go to Provisioning log to check the job execution status and details.
Reference Links:
SAP Cloud Identity Services
Field Service Management – SCIM API
SAP IPS – List of All Properties available for User Sync
Regards,
Priyanka Chakraborti