SAP Reference architecture for IAM – Employee provisioning with SAP IAS

This is the second of three blog posts about the reference architecture for Identity and Access Management scenarios:

In the previous post, we discussed the different methods to integrate SAP SuccessFactors with an Identity Provider (IDP) and how this integration enables three important data flows:

  • User identity for Authentication and SSO via SAML
  • User Provisioning from SAP SuccessFactors to other systems
  • Attribute Writeback from AD back to SAP SuccessFactors / HCM (e.g. Infotype 0105 / email)

We also described how SAP SuccessFactors + Azure AD User Provisioning can enable authentication / SSO via SAML and HR-driven user provisioning, but it provides no authorization management, no access control and no end-to-end integration.

In this second post, we will describe a similar scenario (SSO + employee provisioning), but using the SAP Cloud Identity Services – Identity and Authentication Services (IAS), either standalone or as a proxy of the corporate IDP.

Why do I need SAP IAS if I already have Azure AD (or any other IDP)?

This is a question many customers ask, and it generates long discussions between the SAP project team and the IT security team when we start a new project.

First of all, from the technical point of view, Azure AD and SAP IAS are quite similar. Both solutions offer similar capabilities for authentication, identity federation with other IDPs, two-factor authentication (2FA), risk-based / conditional access, etc., so it’s not a technical decision.

For Microsoft, Azure AD is a key and strategic service for Azure. All Azure resources, services and subscriptions must be linked to one Azure AD tenant. Azure AD provides authentication and SSO, but it also enables the seamless integration between Azure (and non-Azure) services. Microsoft offers an Azure AD free license as the minimum requirement to create an Azure subscription, although additional license models are available if you require additional features.

Similarly, SAP IAS is strategic for SAP. SAP IAS is what we call internally at SAP a Kernel Service: an SAP BTP technical service used by all SAP cloud solutions to make the integrated Intelligent Enterprise strategy a reality for our customers. SAP IAS is a key component in this strategy, and all SAP cloud applications and SAP BTP services have been designed to integrate with SAP IAS. This enables authentication and SSO for the end users, but it also enables the seamless integration of different SAP applications.

That’s why SAP IAS is included (bundled) with many SAP Cloud products (like SAP SuccessFactors) although it can be licensed standalone if you require additional features.

It’s not about trying to force a vendor lock-in. If you already have Azure AD or any other IDP, you can continue using it as your main corporate IDP and integrate SAP IAS as a proxy of the corporate IDP to simplify the SAP-to-SAP integration.

Currently there are already some scenarios that require SAP IAS to work. Scenarios like SAP SuccessFactors People Analytics or SAP WorkZone for HR cannot be configured without SAP IAS, and in the future SAP IAS will be required for more and more business scenarios.

In fact, this end-to-end integration of different SAP products is a key characteristic of the Intelligent Enterprise strategy. Customers don’t have and don’t want a monolithic ERP system anymore, and that’s why SAP offers a new set of end-to-end processes that run across multiple SAP products and SAP technologies, which customers can use as building blocks to implement, customize and adapt their business processes.


SAP Intelligent Enterprise and the End-to-End processes

All these new integrated end-to-end processes, like “Source to Pay”, “Recruit to Retire”, etc., delivered by SAP as part of the Intelligent Enterprise strategy must fulfil a set of “qualities” or technical requirements to offer a seamless user experience. End users don’t need to know the technical complexity behind these processes.


Suite Qualities of the E2E processes

So, in order to offer a transparent and seamless user experience, all these end-to-end business processes that run across multiple SAP products (like Recruit to Retire across S/4HANA, Concur, Fieldglass and SuccessFactors) must offer consistent security and identity management, but they must also offer embedded, cross-product analytics, one central workflow inbox, one aligned domain model and coordinated lifecycle management.

One of the important Suite Qualities of the Intelligent Suite is the “One workflow inbox”, which allows central task management across multiple SAP products. This “One workflow inbox” requires user persistency across multiple SAP products: the same user ID must be shared (via principal propagation) with all the SAP products involved in the end-to-end process:


SAP UUID via the SAP IAS

For this new central task management feature, the use of SAP IAS is mandatory to manage the SAP UUID persistency, and SAP will offer automated integrations between different SAP products:


SAP UUID via the SAP IAS – Central Inbox

So… why do you need SAP IAS if you already have Azure AD (or any other IDP)? Because it’s a core service of the SAP Intelligent Suite and helps you to build real end-to-end business processes across your SAP products. This deep, out-of-the-box integration cannot be achieved via Azure AD or any other IDP. With Azure AD you have authentication and SSO, and this is a good starting point, but if you want to establish a true integration between the SAP products you need to use SAP IAS, either standalone or as a proxy of Azure AD.

Reference architecture for employee provisioning scenarios with SAP IAS as the corporate IDP with or without Azure AD

Customers that don’t have a corporate IDP can use the SAP IAS included (bundled) as part of the SAP SuccessFactors or some other SAP Cloud products as their default IDP:


Reference architecture for SAP SuccessFactors with SAP IAS as default IDP

Similarly, customers that already have Azure AD (or any other IDP) can integrate SAP IAS as a proxy and leverage the benefits of SAP IAS without changing their existing architecture:


Reference architecture for SAP SuccessFactors with SAP IAS as a proxy IDP

As mentioned before, these two architectures are quite similar to the architecture based on Azure AD described in my previous post and provide similar capabilities:

  • Authentication and SSO via SAML using SAP IAS as the default IDP.
  • User provisioning from SAP SuccessFactors to other SAP systems.

But as you have seen in this post, using SAP IAS enables a better SAP end-to-end integration, and it’s a core component of the Intelligent Suite. Some scenarios already require the use of SAP IAS (SAP SSFF People Analytics and SAP WorkZone for HR), and many more will require it in the near future.

Additionally, SAP IAS has some advantages over Azure AD when we analyze the user provisioning capabilities. With the Azure AD Provisioning Service you can set up HR-driven user provisioning from SAP SuccessFactors, so whenever an employee is created, updated, enabled or disabled in SAP SuccessFactors, that change can flow downstream to your corporate directory servers and to all your enterprise SaaS applications.

But with Azure AD you still don’t have authorization management: users are provisioned with a default / generic role, and if this is not enough you need to change the roles and authorizations manually or via a third-party tool.

Using SAP Cloud Identity Services – Identity Provisioning Service (IPS) in combination with SAP IAS enables you to implement a more flexible and tailored user provisioning and role management.

First, SAP IAS can implement SAML assertion enrichment. The original SAML assertion from the corporate IDP is enriched with additional attributes, which enables hybrid scenarios such as authenticating via the corporate IDP while managing roles and groups in SAP IAS:


SAP Cloud Identity Services – SAML assertion enrichment

Additionally, with the SAP Identity Provisioning Service (IPS) included in the SAP Cloud Identity Services you have a flexible and powerful mechanism to provision users in the target systems and perform attribute transformations to meet your requirements.

SAP IPS is also bundled with some SAP cloud products like SAP SuccessFactors and provides a set of source and target system connectors. These connectors enable out-of-the-box user provisioning between different systems.


SAP IPS – Source to Target provisioning

User provisioning between different systems is challenging, as each system has different authorization and role mechanisms, different attributes and different field formats. As an example, in Active Directory we have the “mail” attribute, but in SAP SuccessFactors you have the “email” attribute. SAP IPS implements standard transformations and mappings, so you don’t need to worry about different attributes or field formats.


SAP IPS changing the mail attribute from AD to the email attribute in SAP SSFF

If the default transformations are not flexible enough, you can always adapt the default transformation and include expressions, functions and conditions. As an example, you can assign an SAP-specific role in the target system depending on some attribute or condition (e.g. if the username contains “Sales”, assign the group/authorization Finance).


SAP IPS – Transformations – custom conditions, functions, expressions
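To make the two transformation cases above concrete (renaming AD “mail” to SuccessFactors “email”, and assigning a group only when a condition on the source record holds), here is a small rule-driven transformation engine written for this post. It is an added illustration in Python, not SAP IPS’s own code or its JSON transformation format; the rule keys, the sample AD record and the group names are constructed for the example.

```python
"""Rule-driven attribute transformation, modelled on the kind of
source-to-target mapping an IPS-style provisioning job performs.
Illustration only: the rule format is hypothetical, not IPS's."""

# Constructed sample: one record as it might be read from Active Directory.
AD_USER = {
    "sAMAccountName": "jdoe.sales",
    "mail": "john.doe@example.com",
    "givenName": "John",
    "sn": "Doe",
    "userAccountControl": 512,   # 512 = normal, enabled account
}

FUNCTIONS = {"lower": str.lower, "upper": str.upper}

# Hypothetical rule format: each rule either copies a source attribute
# (optionally through a function) or writes a constant, and may be
# guarded by a condition evaluated against the whole source record.
RULES = [
    {"source": "mail", "target": "email"},                 # AD "mail" -> SF "email"
    {"source": "givenName", "target": "firstName"},
    {"source": "sn", "target": "lastName"},
    {"source": "sAMAccountName", "target": "username", "function": "lower"},
    {"source": "userAccountControl", "target": "active",
     "function": lambda v: (v & 2) == 0},                  # bit 0x2 = ACCOUNTDISABLE
    # The post's example: a username containing "Sales" gets the Finance group.
    {"condition": lambda src: "sales" in src.get("sAMAccountName", "").lower(),
     "target": "groups", "constant": ["Finance"]},
]

def transform(source: dict, rules: list) -> dict:
    """Apply the rules in order and return the target-system record."""
    target = {}
    for rule in rules:
        cond = rule.get("condition")
        if cond is not None and not cond(source):
            continue                      # guard not met: rule does not fire
        if "constant" in rule:
            value = rule["constant"]
        elif rule["source"] in source:
            value = source[rule["source"]]
        else:
            continue                      # source attribute absent: map nothing
        fn = rule.get("function")
        if fn is not None:                # named function or inline callable
            value = FUNCTIONS[fn](value) if isinstance(fn, str) else fn(value)
        target[rule["target"]] = value
    return target

if __name__ == "__main__":
    print(transform(AD_USER, RULES))
```

Because a rule that does not fire writes nothing, a disabled or non-matching account never receives the group by accident, which is the behaviour you want to verify before letting a transformation assign authorizations.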

Summary and next steps

In the previous post, we discussed how SAP SuccessFactors plus Azure AD / Microsoft AD offers you a good solution for authentication/SSO and also enables HR-driven user provisioning from SAP SuccessFactors. But with Azure AD you still don’t have role management, access governance or end-to-end integration of SAP processes.

In this second post, we described how SAP IAS offers the same authentication/SSO capabilities but provides better HR-driven user provisioning from SAP SuccessFactors. In fact, SAP IAS is a key service in SAP’s integrated Intelligent Enterprise strategy and enables a deeper end-to-end integration.

So, no matter whether you are starting a new project or already have Azure AD / Microsoft AD (or any other IDP), you should consider SAP IAS a key element of your IAM strategy. There is no need to replace your existing IDP; you can configure SAP IAS as a proxy of your existing corporate IDP with minimal changes to your existing configuration.

In my next post, we will discuss in more detail how SAP Cloud Identity Services, in combination with other SAP BTP services, can take you beyond authentication and HR-driven user provisioning and let you implement true HR-driven identity lifecycle management with better end-to-end integration between SAP applications.

Stay tuned!