Introduction
Modern companies are increasingly using SAP across multiple products as their operations are becoming more cloud-based, diversified and advanced with AI. In these environments, consistent identity management for each user is required, and it is important to accurately identify the same person across multiple systems and to provide appropriate authentication and authorization. SAP’s AI Digital Assistant, Joule, and SAP Task Center also require consistent identity management.
This guide describes the role and mechanism of “Global User ID”, an important feature of SAP’s cloud foundation, SAP Cloud Identity Services, as well as how to configure SAP Cloud Identity Services – Identity Authentication (SAP IAS) to support its implementation. In particular, it focuses on how to integrate user information and enable single sign-on in collaboration with key SAP products, such as SAP SuccessFactors and SAP S/4HANA, and introduces practical steps and notes.
1. What are Global User IDs?
A global user ID is a common ID that uniquely identifies a particular user in a broad landscape, including various business applications and services from SAP. *1
In a system configuration without a global user ID, accessing System B from System A required additional measures to determine which user in one system corresponded to which user in the other.
However, by introducing the concept and implementation of the global user ID, you can avoid the complexity of ID mapping across systems. Technically, the global user ID is a generated identifier in UUID (Universally Unique Identifier) or GUID (Globally Unique Identifier) format, which is automatically assigned when a user is created in SAP Cloud Identity Services, Identity Authentication (referred to below as SAP IAS).
This global user ID acts as a “correlation attribute”, linking the user accounts that exist in multiple systems.
For example, if an employee has a user account in both SAP SuccessFactors and SAP S/4HANA, the global user ID ties both accounts to that one person. This allows other systems to know that certain actions are being done in relation to the same user, as well as to provide a consolidated reference to user information and tasks. Global user IDs are internal only, separate from the username and email address that end users enter when they log in, but they are a key element of system integration.
2. Why do I need a global user ID now?
The modern environment around SAP requires the integration of multiple cloud services and on-premise systems to provide a seamless experience for users. However, with disparate user IDs in each system, it is very difficult to establish which accounts correspond to each other when integrating data and tasks for each user. A single identifier, the global user ID, addresses the challenge of integrating user-related data across system boundaries and achieves consistent user identification across the enterprise. As a result, single sign-on (SSO) access to multiple SAP services with one authentication and consistent authorization management is possible.
One of the concrete use cases is the SAP Task Center. *2 The SAP Task Center is a service that consolidates workflow approval requests and tasks for users from various SAP applications (for example, SAP SuccessFactors) and displays them in a single inbox. The key here is user consistency: it must be ensured that tasks coming from different back-end systems are tied to the same person. A global user ID serves as the common key and relates the tasks gathered from each system to the correct user. Without global user ID harmonization, complex logic is needed to match user IDs across systems, which can lead to missing or misassigned tasks.
Global user IDs are also important for use scenarios with Joule, our new AI digital assistant. Joule runs on the SAP Business Technology Platform and integrates with multiple back-end systems (such as SAP S/4HANA Cloud and SAP SuccessFactors) to support users by providing intelligent assistance and insights. *4
This presupposes that each system can recognize that a user is the same person. Indeed, in order to activate Joule, there must be a global user ID for the same user on all products that work together. *5 In this way, global user identity is essential as an integrated authentication foundation for cross-product services like SAP Task Center and Joule, and is key to smoothly sharing user context across solutions.
3. Setup Overview
Here are the high-level steps for implementing Global User Identification and setting up integration with SAP IAS.
Precondition Preparation: First, prepare the system environment to take advantage of the Global User ID. Ensure that you have a tenant for SAP Cloud Identity Services and that each SAP product (for example, SAP SuccessFactors or SAP S/4HANA) is on a version that supports SAP IAS integration.

Centralize and provision user identity: Next, design central management of user account information. Synchronize user information using tools such as SAP Cloud Identity Services – Identity Provisioning (referred to below as SAP IPS) to consolidate users that exist across different systems. For example, if you want to treat SAP SuccessFactors, as the HR system, as the master of users, you can create users and grant global user IDs at the same time by provisioning users to the SAP IAS user store via SAP IPS. SCIM provisioning in SAP IPS includes the userUuid attribute (Global User ID) in urn:ietf:params:scim:schemas:extension:sap:2.0:User, which is part of the SAP extension schema, so that all systems can have a common ID. *1
In this way, provisioning users from the master source to SAP IAS provides each user with a unified global user ID, and the same identity can be deployed to other systems. Other SAP IPS usage scenarios are also possible, such as synchronizing user email addresses, global user IDs and group affiliations from SAP SuccessFactors and SAP S/4HANA Cloud to SAP Build Work Zone (Integrated Portal Service on SAP BTP).

Trust configuration with SAP IAS: Configure trust relationships and user attribute mappings to ensure that SAP IAS is the authentication foundation (IdP) for each system. Specifically, open the SAML 2.0 configuration for each application (connected system) in the SAP IAS Administration Console and configure the attributes to be used for user identification. For authentication linkage with global user IDs, you must ensure that user_uuid (display name “Global User Id”) is included as one of the SAML assertion attributes on the SAP IAS side. If it does not exist by default, add the user_uuid attribute using the Add Custom Attribute feature, with Identity Directory as the source, and map the Global User ID as its value. *6 This setting ensures that when a user is authenticated with SAP IAS, the global user ID is included in the SAML token to uniquely identify the user on the integrated application side. Other attributes, such as Email and Login Name, are included in the assertion as needed, but the global user ID (user_uuid) is the key field for the cross-system user reconciliation process.

Acceptance settings in each system: Finally, make the settings on the individual SAP product side that correctly map the users received from SAP IAS. For SAP SuccessFactors, integrating authentication with SAP IAS ensures that users in SAP SuccessFactors are associated with global user IDs (IDs generated on SAP IAS are mapped to SAP SuccessFactors users), so no additional configuration is required.
For systems such as SAP S/4HANA, likewise set up the trust configuration with SAP IAS (for cloud products) and configure the Global User ID as the Name ID and as an attribute. In cases like connecting on-premise SAP S/4HANA to SAP Task Center, make sure that the Global User ID (SAPUSER_UUID) is available in the ABAP user management (e.g. SU01) and use it to link the user on the Task Center side. Although the configuration steps vary depending on the specific product, the key point is to ensure that each target system is configured to recognize users based on the Global User ID provided by SAP IAS.
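One way to confirm the trust configuration described above is to inspect an assertion from a test login and check that user_uuid is present, single-valued and a UUID. This is an added example, not code from the original post or from SAP; the sample assertions are constructed and unsigned, and the function and variable names are hypothetical. Signature validation is out of scope here and must already have happened.

```python
import uuid
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GLOBAL_ID_ATTR = "user_uuid"  # assertion attribute name given in the text


def build_assertion(attrs, name_id):
    """Build a trimmed, unsigned assertion for the constructed samples below."""
    rows = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
        f"</saml:AttributeValue></saml:Attribute>"
        for k, v in attrs.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" Version="2.0">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{rows}</saml:AttributeStatement>"
        f"</saml:Assertion>"
    )


# Constructed sample values, not taken from a real tenant.
SAMPLE_UUID = "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d"
GOOD = build_assertion(
    {"user_uuid": SAMPLE_UUID, "mail": "jane.doe@example.com"}, SAMPLE_UUID
)
EMAIL_ONLY = build_assertion(
    {"mail": "jane.doe@example.com"}, "jane.doe@example.com"
)
BAD_VALUE = build_assertion({"user_uuid": "P000123"}, "P000123")


def check_global_user_id(assertion_xml):
    """Report whether an already-validated assertion carries a usable user_uuid."""
    root = ET.fromstring(assertion_xml)
    values = [
        (v.text or "").strip()
        for a in root.iter(f"{{{NS['saml']}}}Attribute")
        if a.get("Name") == GLOBAL_ID_ATTR
        for v in a.findall("saml:AttributeValue", NS)
    ]
    name_id = (
        root.findtext(".//saml:NameID", default="", namespaces=NS) or ""
    ).strip()

    problems = []
    if not values:
        problems.append("user_uuid attribute missing from assertion")
    elif len(values) > 1:
        problems.append("user_uuid carries more than one value")
    else:
        try:
            # Accept only the canonical hyphenated form.
            if str(uuid.UUID(values[0])) != values[0].lower():
                raise ValueError(values[0])
        except ValueError:
            problems.append("user_uuid value is not a canonical UUID")

    gid = values[0] if not problems else None
    return {
        "user_uuid": gid,
        "name_id": name_id,
        # True when the Name ID itself is the global user ID.
        "name_id_is_global_id": bool(gid) and name_id == gid,
        "problems": problems,
    }


if __name__ == "__main__":
    for label, xml_text in [("good", GOOD), ("email only", EMAIL_ONLY),
                            ("bad value", BAD_VALUE)]:
        print(label, check_global_user_id(xml_text))
```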
4. Issues and considerations for the setup
The challenges and points to note when setting up Global User IDs and SAP IAS are summarized below.
Confusion between identity concepts: There are various IDs and numbers for each user in the SAP system (for example, user ID, employee ID, person ID, user GUID, and so on). Project members should be aware of how the purpose of the Global User ID differs from that of other IDs, and avoid confusion due to similar names.

User synchronization and uniqueness: You must avoid a situation in which each system issues a separate global user ID for the same user. Global user IDs are automatically generated when users are created in SAP IAS, but if, for example, you create the same person separately on different systems, each account gets a separate global ID. To prevent this, you need to manage your users through central provisioning as described above, or connect them to a single user with a common key such as email address or employee ID when consolidating existing users. In particular, a safe flow is to first create the user on the SAP IAS side so that a global user ID is issued, and then use that ID to link the user to other systems.

Wrong attribute mapping: User mapping inconsistencies occur if global user IDs are mapped incorrectly in the connection configuration between SAP IAS and the respective application. For example, if you forget to include user_uuid in the assertion on the SAP IAS side, or if the receiving side uses a different attribute (email address, etc.) as the user key, the systems do not treat the user as the same person and the integration breaks. Check carefully that the Global User ID is set as the key for user identification.

User management during production: After the introduction of a global user ID, user lifecycle management must also be kept in mind. When a user joins or leaves the company, verify that the user account addition and deletion process on SAP IAS (the Identity Directory feature, which is also the user master of) is properly synchronized with the user management of each business system.
For example, if an alumni account is deleted in one system but remains on SAP IAS, there is a risk that unnecessary access remains via a global user ID. In addition, if you are federating your corporate identity provider (e.g. Entra ID / Microsoft Active Directory) and SAP IAS, consider regular synchronization in SAP IPS or automatic provisioning setup on first login, as simply using SAP IAS in proxy mode does not automatically route global user IDs to each system.
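The uniqueness and lifecycle points above can be checked offline against user exports. The following is an added example, not code from the original post or from SAP: it compares SCIM user resources from SAP IAS (using the userUuid attribute in the SAP extension schema) with records from the master system. The master record layout, the sample data and all function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Extension schema named in the text; userUuid holds the global user ID.
SAP_EXT = "urn:ietf:params:scim:schemas:extension:sap:2.0:User"


def scim_user(name, email, gid=None, active=True):
    """Build a minimal SCIM 2.0 user resource for the constructed samples."""
    user = {"userName": name, "active": active,
            "emails": [{"value": email, "primary": True}]}
    if gid:
        user[SAP_EXT] = {"userUuid": gid}
    return user


# Constructed sample data, not taken from a real tenant.
A = "aaaaaaaa-0000-4000-8000-000000000001"
B = "aaaaaaaa-0000-4000-8000-000000000002"
D1 = "aaaaaaaa-0000-4000-8000-000000000004"
D2 = "aaaaaaaa-0000-4000-8000-000000000005"
IAS_USERS = [
    scim_user("jdoe", "jane.doe@example.com", A),
    scim_user("bsmith", "bob.smith@example.com", B),   # leaver, still active
    scim_user("cnew", "carol.new@example.com"),        # no global user ID
    scim_user("dlee", "dan.lee@example.com", D1),      # created twice
]
# Hypothetical export layout for the master (e.g. HR) system.
MASTER_RECORDS = [
    {"email": "jane.doe@example.com", "global_user_id": A, "active": True},
    {"email": "bob.smith@example.com", "global_user_id": B, "active": False},
    {"email": "dan.lee@example.com", "global_user_id": D2, "active": True},
    {"email": "carol.new@example.com", "global_user_id": None, "active": True},
]


def primary_email(user):
    emails = user.get("emails") or []
    chosen = next((e for e in emails if e.get("primary")), emails[0] if emails else {})
    return chosen.get("value", "").lower()


def global_id(user):
    gid = (user.get(SAP_EXT) or {}).get("userUuid")
    return gid.lower() if gid else None


def audit(ias_users, master_records):
    """Return users without an ID, persons with several IDs, and leavers left in IAS."""
    missing, ids_by_email = [], defaultdict(set)
    for u in ias_users:
        gid = global_id(u)
        if gid:
            ids_by_email[primary_email(u)].add(gid)
        else:
            missing.append(u["userName"])
    for r in master_records:
        if r.get("global_user_id"):
            ids_by_email[r["email"].lower()].add(r["global_user_id"].lower())

    # Same person (matched by email) holding more than one global user ID.
    split = {e: sorted(ids) for e, ids in ids_by_email.items() if e and len(ids) > 1}

    active_master = {r["global_user_id"].lower() for r in master_records
                     if r.get("active") and r.get("global_user_id")}
    # Active in IAS but not active in the master; split identities are reported above.
    stale = [u["userName"] for u in ias_users
             if global_id(u) and u.get("active", True)
             and global_id(u) not in active_master
             and primary_email(u) not in split]
    return {"missing_uuid": missing, "split_identities": split, "stale_in_ias": stale}


if __name__ == "__main__":
    print(audit(IAS_USERS, MASTER_RECORDS))
```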
Conclusion
You now have an overview of global user IDs and SAP IAS configuration points in the SAP environment. When using multiple SAP solutions in an integrated way, a common user foundation with a global user ID is key to success. Please refer to the official SAP Help Portal and the SAP Community guide article to design and configure for your landscape.
References
*1) SAP Help Portal: User Identity integration scenario with SAP Cloud Identity Services and its configuration guide
https://help.sap.com/docs/cloud-identity/system-integration-guide/global-user-id-in-integration-scenarios
*2) SAP Help Portal: What is the SAP Task Center?
https://help.sap.com/docs/task-center/sap-task-center/what-is-sap-task-center?locale=en-US
*3) SAP Community Blog: SAP S/4HANA Cloud Private Edition Step-by-Step Guide to Joule Setup Procedures
https://community.sap.com/t5/enterprise-resource-planning-blogs-by-sap/joule-for-sap-s-4hana-cloud-private-edition-a-comprehensive-setup-guide/ba-p/13786453
*4) SAP Help Portal: What is Joule?
https://help.sap.com/docs/JOULE/3fdd7b321eb24d1b9d40605dce822e84/38636457acc346daa4ff7069f041a11a.html
*5) SAP Help Portal: Prerequisites for working with SAP products
https://help.sap.com/doc/de3af3c0f81642dbaa4d36172ed57a72/CLOUD/en-US/79bfc83ab386450c8cd9c7937ce26a3a.pdf#:~:text=services%20tenant%20and%20within%20all,based%20application%20and%20relies%20on
*6) SAP Help Portal: Setup instructions for Joule Integration with SAP Cloud Identity Services
https://help.sap.com/doc/de3af3c0f81642dbaa4d36172ed57a72/CLOUD/en-US/79bfc83ab386450c8cd9c7937ce26a3a.pdf#:~:text=groups%20Groups%20user_uuid%20Global%20User,Save%20your%20configuration