Skip to main content

SAP IAM integration with SAP Cloud Identity Services

Last updated on by sapgunnar

These reference architectures delve into the critical aspects of Identity Access Management (IAM) for SAP, focusing on essential elements such as user storage, replication, and identity lifecycle.

Identity Access Management consists of three main pillars:

  • Authentication & Single Sign-On
  • Identity Lifecycle
  • Authorization

The SAP Cloud Identity Services serve as the designated Identity and Access Management interface for SAP SaaS integrations.

Architecture

image of solution diagram
Copy to clipboard

Solution Diagram Resources
You can download the Solution Diagram as a .drawio file for offline use. Alternatively, you may view and edit the Solution Diagram directly on draw.io.
Please note that any changes made online will need to be saved locally if you wish to keep them.
DownloadEdit

In an SAP landscape, user data is stored across all service providers. To ensure consistency and synchronization across these different environments, replication is essential.

Single sign-on protocols such as SAML2 and OIDC play a vital role in this process. These protocols facilitate transferring selected attributes during authentication (federation). However, their efficacy can decrease when a user is offline but needs adjustments or, importantly, deletion.

To address such issues and maintain an uninterrupted identity lifecycle, SAP utilizes SCIM2. SCIM2 assists in replicating users and groups into SAP solutions, ensuring a consistent and updated user landscape.

The authorization design hinges on the specific domain and often on the technology in use. For example, an SAP S/4HANA role differs from an SAP BTP Role Collection in its design, but both must be assigned to the user to provide access.

These reference architectures derive from knowledge gathered from customer projects, where SAP is one vendor in a heterogeneous landscape. The goal is to standardize the way IAM is implemented for SAP SaaS. These architectures consider a single interface approach for 3rd party Identity Provider integrations (authentication), as well as for the Identity Lifecycle in order to provide a centralized location to create and maintain an SAP SaaS user.

Moreover, these reference architectures take into account new SAP apps and features that operate across other SAP solutions such as (SAP Task Center or SAP Joule). These applications require a trusted, consistently available, single interface in the landscape, with a known set of features, all of which would not be available without the SAP Cloud Identity Services.