ABAP SDK for SAP Cloud Identity Services

The SAP Cloud Identity Services offer a lot of out-of-the-box integrations that let you sync user data between different applications.

Using the SCIM 2.0 REST API for managing resources (users, groups and custom schemas), it is possible to create users and groups in the identity directory programmatically.

Overview | Identity Directory Service | SAP API Business Hub

As a result, it is possible to create users in the identity directory based on data that can be retrieved from your ABAP systems (such as data from your business partners or customers).

Using the communication scenario SAP_COM_0193, it is then possible to create users in your Steampunk system automatically.

Based on a project I was working on recently, I developed an ABAP SDK that wraps the calls using the SCIM protocol so that the ABAP developer can retrieve user and group data in internal tables.

At the same time users can be created easily in the SAP IDS by simply providing basic user data in a form like the following:

USER_DATA structure (deep type T_USER in ZDMO_CL_USER_JSON_VISITOR):

  ID
  USERNAME      SHUGO24
  DISPLAYNAME   Hugo Test24
  EMAIL         Hugo.Test24@Test.de
  FAMILYNAME    Test24
  GIVENNAME     Hugo
  PARTNER_ID    1234
  EXTERNALID

The SDK then sends it via a POST request with a SCIM JSON payload to the SAP IDS:

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
    "urn:ietf:params:scim:schemas:extension:sap:2.0:User"
  ],
  "userName": "SHUGO24",
  "displayName": "Hugo Test24",
  "externalId": "SHUGO24",
  "name": {
    "givenName": "Hugo",
    "familyName": "Test24"
  },
  "emails": [
    { "value": "Hugo.Test24@Test.de" }
  ],
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "division": "1234",
    "employeeNumber": "SHUGO24"
  },
  "urn:ietf:params:scim:schemas:extension:sap:2.0:User": {
    "sendMail": true,
    "mailVerified": false
  }
}

Detailed documentation and the source code can be found on GitHub: abap-platform-code-samples-cloud/readme_abap_ids_sdk.md at main · SAP-samples/abap-platform-code-samples-cloud (github.com)

The ABAP SDK consists of three classes:

  • zdmo_cl_manage_custom_ids
  • zdmo_cl_user_json_visitor
  • zdmo_cl_group_json_visitor

The two JSON visitor classes zdmo_cl_user_json_visitor and zdmo_cl_group_json_visitor are used to traverse the SCIM JSON responses that we get from the SAP Identity Service when requesting a list of users or groups. The class zdmo_cl_manage_custom_ids contains the main logic and provides the following methods:

  • get_users_from_ids

    This method accepts a query string as supported by the SCIM 2.0 REST API. The query is passed to the HTTP client and added to the GET request. The method returns a list of user resources. In addition, it returns the total number of entries that matched the query, the page size and the starting element.

  • get_user_from_ids_by_email

    This method retrieves the data of a single user based on its email address.

  • get_user_from_ids_by_extid

    This method retrieves the data of a single user based on its external ID.

  • get_groups_from_ids

    This method accepts a query string as supported by the SCIM 2.0 REST API. The query is passed to the HTTP client and added to the GET request. The method returns a list of group resources. In addition, it returns the total number of entries that matched the query, the page size and the starting element.

  • get_group_from_ids_by_displayn

    This method returns a single group using its displayName as a filter.

  • create_user_in_ids

    This method takes basic user data such as the first name, last name, email address and the external ID that is used as the employee ID in Steampunk.

  • change_user_in_ids

    This method changes a user using a PUT request. All attributes that are provided are changed.

  • patch_user_in_ids

    This method changes only the following attributes of a user: first name, last name, display name and email address. The external ID, which is the employee ID in Steampunk, cannot be changed.

  • assign_user_to_group_in_ids

    This method assigns a user, identified by its email address, to a group, identified by its display name.

  • start_ids_synch

    This method starts a synchronization (READ) job for a specific source system identified by its ID. This way it would be possible to develop an action in a RAP BO that triggers a sync after changes have been performed. Please note that a job cannot be started if another job has run within the last 30 minutes.
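As an added example (not code from the post or from the SAP-samples repository), the following Python does in plain form what create_user_in_ids and get_users_from_ids do with the USER_DATA structure shown earlier: it maps the flat structure onto the SCIM user payload, and flattens a SCIM ListResponse back into that structure together with the paging fields (totalResults, itemsPerPage, startIndex from RFC 7644). It assumes, as the SHUGO24 example suggests, that a blank EXTERNALID falls back to USERNAME; the list response and the resource id are constructed sample data.

```python
import json

SCIM_CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCIM_SAP = "urn:ietf:params:scim:schemas:extension:sap:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def build_user_payload(user):
    """Map a flat T_USER-style dict (keys named as in the post) onto the SCIM user document.
    Assumption: a blank EXTERNALID falls back to USERNAME, as the post's SHUGO24 example shows."""
    external_id = user.get("EXTERNALID") or user["USERNAME"]
    return {
        "schemas": [SCIM_CORE, SCIM_ENTERPRISE, SCIM_SAP],
        "userName": user["USERNAME"],
        "displayName": user["DISPLAYNAME"],
        "externalId": external_id,
        "name": {"givenName": user["GIVENNAME"], "familyName": user["FAMILYNAME"]},
        "emails": [{"value": user["EMAIL"]}],
        SCIM_ENTERPRISE: {"division": user["PARTNER_ID"], "employeeNumber": external_id},
        SCIM_SAP: {"sendMail": True, "mailVerified": False},
    }


def parse_list_response(body):
    """Flatten a SCIM ListResponse (what get_users_from_ids walks with the JSON
    visitor class) into the paging fields plus a list of T_USER-style dicts."""
    doc = json.loads(body)
    if SCIM_LIST not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")  # reject unexpected bodies early
    users = []
    for res in doc.get("Resources", []):
        name = res.get("name", {})
        users.append({
            "ID": res.get("id", ""),
            "USERNAME": res.get("userName", ""),
            "DISPLAYNAME": res.get("displayName", ""),
            "EMAIL": next((e["value"] for e in res.get("emails", []) if "value" in e), ""),
            "FAMILYNAME": name.get("familyName", ""),
            "GIVENNAME": name.get("givenName", ""),
            "PARTNER_ID": res.get(SCIM_ENTERPRISE, {}).get("division", ""),
            "EXTERNALID": res.get("externalId", ""),
        })
    return {"total": doc.get("totalResults", 0), "page_size": doc.get("itemsPerPage", 0),
            "start": doc.get("startIndex", 1), "users": users}


# Constructed sample data mirroring the post's SHUGO24 example (the id is a placeholder).
SAMPLE_USER = {"USERNAME": "SHUGO24", "DISPLAYNAME": "Hugo Test24", "EMAIL": "Hugo.Test24@Test.de",
               "FAMILYNAME": "Test24", "GIVENNAME": "Hugo", "PARTNER_ID": "1234", "EXTERNALID": ""}
SAMPLE_LIST = json.dumps({"schemas": [SCIM_LIST], "totalResults": 1, "itemsPerPage": 100, "startIndex": 1,
                          "Resources": [dict(build_user_payload(SAMPLE_USER), id="id-placeholder")]})
```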