When two connectors look alike, it’s easy to mistake one for the other. This is exactly the case with Identity Authentication (version 2) and Local Identity Directory in SAP Cloud Identity Services – Identity Provisioning. Although they may appear similar at first, each is designed for a specific purpose.
So why are they often mixed up, and where does the confusion come from?
Who’s Who?
Both connectors are named after two SAP Cloud Identity Services (SCI): Identity Authentication, which handles user authentication and Single Sign-On in the cloud, and Identity Directory, which serves as the user store in SCI.
They were developed several years apart, with Identity Authentication introduced first. This original connector is now referred to as version 1. Its SCIM REST API is deprecated and will be decommissioned on November 30, 2026.
The Identity Directory SCIM API was introduced as the successor to the old one. Both connectors, which read and write users and groups in the SCI user store, now call the same Identity Directory SCIM API. For more information, see Identity Directory API. Additionally, they both support the provisioning of application-specific groups.
However, there is an important distinction:
With Identity Authentication, you can read from and write to the Identity Directory of another SCI tenant. While it is also possible to configure Identity Authentication for read and write operations within the same SCI tenant, this requires additional effort and does not take advantage of the out-of-the-box configuration. For more information, see Identity Authentication (source) and Identity Authentication (target).
With the Local Identity Directory, you access the Identity Directory of your own SCI tenant for reading and writing operations. For more information, see Identity Directory (source) and Identity Directory (target).
Similarities and Differences
The table below outlines the key similarities and differences between Identity Authentication version 2 and Local Identity Directory:
| Identity Provisioning Connector | Communication and authentication setup | Central store-based provisioning | IPS tenants running on Neo environment |
| --- | --- | --- | --- |
| Identity Authentication v 2 | Yes. Communication and authentication must be set up as you are connecting to the identity directory of another SCI tenant. See List of Properties. | No. Central store-based provisioning (also called event-based provisioning) is not supported for IAS version 2 source system. See Central Store-Based Provisioning. | Yes. You can use Identity Authentication version 2 connector if your Identity Provisioning tenant is running on Neo environment. See Identity Authentication. |
| Local Identity Directory | No. Communication and authentication is not required as you are connecting to the identity directory of your currently used SCI tenant. | Yes. Central store-based provisioning (also called event-based provisioning) is only supported for Local Identity Directory source system. See Central Store-Based Provisioning. | No. You can’t use the Local Identity Directory connector if your Identity Provisioning tenant is running on the Neo environment. |
Choosing the right connector depends on your scenario and your understanding of how each one works. In identity management, as in most fields, knowing the difference makes all the difference.