What is the SAP Identity Provisioning Service?
The SAP Identity Provisioning Service (IPS) automates user provisioning and deprovisioning as a part of an organization’s identity lifecycle management process.
SAP IPS is designed to provision users and groups between multiple supported cloud and on-premise systems (both SAP and non-SAP). IPS leverages the SCIM 2.0 open standard for automated user provisioning.
SAP Identity Provisioning Service (IPS) and SAP Identity Authentication Service (IAS) are SAP’s Cloud Identity Services, made available from the SAP Business Technology Platform (BTP). SAP Business Technology Platform is a platform-as-a-service (PaaS) that offers a development and runtime environment for cloud applications and is based on open standards. BTP gives developers flexibility and control over which clouds, frameworks, and applications to deploy.
Important Note: Some SAP cloud products provide the Identity Authentication and Identity Provisioning services integrated in them (free of charge) but may not provide a license to work with the Litmos application. Please check if your organization’s IAS/IPS license is compatible with Litmos or be sure to obtain a full license.
Features:
- Choose from multiple supported systems
Provision users and groups between various business applications that you can add as source and target systems. You can also provision identities from one SCIM-based system to another non-SCIM one by using a proxy connector.
- Configure transformations
Use the default system transformations or modify them so as to adapt the transformation logic to your business needs.
- Run provisioning jobs
Run a provisioning job manually or set a time interval for automatic (scheduled) jobs. Also, you can choose whether to run a complete read job or a synchronized one. The sync job reads and provisions only the new and updated entities.
- Manage job logs and notifications
If a job has not finished successfully, you can view its logs directly in the user interface. Logs inform you exactly which entities have failed and why. Also, you can subscribe to a source system to be alerted by email if a job has failed.
Use Cases
You can use the following system categories for identity provisioning goals:
- Source app – this is usually the existing corporate user store of the company (like the central user administration of AS ABAP or Microsoft Active Directory), which can be a cloud or an on-premise system.
- Target app – this is the cloud or on-premise system that you want to populate with entities from your source system.
- Proxy – this is a special connector type you can use for hybrid scenarios. That is, you can provision entities from one SCIM-based system to another, external, non-SCIM one without making a direct connection between them. To achieve this, you add an Identity Provisioning proxy connector, which plays the role of a SCIM 2.0 facade for the back end of the external system.
Set up IAS as a Source System
Once an IPS tenant has been provisioned, the tenant administrator will need to choose a source system and a target system. The source system is the application where user and group records will be read from, and the target system is the application where the user and group records will be written to. Once a source and a target system have been chosen or added, a tenant administrator will proceed to configure an end-to-end provisioning setup between the two applications.
There are two implementation approaches for configuring user provisioning setups. One approach is called “top-down synchronization”, the other is called “bottom-up synchronization”.
- Top-down synchronization – In this approach, SAP Identity Authentication Service (IAS) is the source and the application is the target. Users are initially created in SAP IAS, and then synced down to the application.
- Bottom-up synchronization – In this approach, SAP Identity Authentication Service (IAS) is the target and the application is the source. Users are created by the application, and then uploaded from the source application to SAP IAS.
Important Note: The following steps guide tenant administrators through the provisioning configuration setup needed to implement a top-down synchronization approach, using IAS as the source application.
- Choose a source system where users and group entities will be read from. In this case, the tenant administrator will add SAP Identity Authentication as a source system.
Important Note: The tenant administrator can also choose to use an alternative identity provider from the list, or select “SCIM system” if the identity provider supports the SCIM 2.0 open standard and does not exist in the list.
- Now that IAS has been selected as the source system, IPS will query it for the user and group records used by provisioning jobs. For IPS to read those records from the IAS tenant, the tenant administrator will need to configure a “read” transformation. The read transformation determines which records, and which attributes of each record, IPS fetches from the source in each provisioning job. When IAS is selected as a source system, a default read transformation is loaded as a template. This template will need to be reviewed, and potentially customized, to match the provisioning requirements of the target application (Litmos) and the organization’s provisioning approach overall. As such, it is important to know how IAS can be configured as the source system.
- Once the transformation has been configured, “Properties” must also be entered. Properties configure the connection between your source and target systems and can also include filters for reading records and record attributes. For IAS as a source system, properties include things like:
  - Authentication method (e.g. BasicAuthentication or OAuth)
  - User credentials (e.g. username and password, or OAuth client credentials)
  - Domain (e.g. accounts400.ondemand.com)
  - Content type (e.g. application/scim+json)
  - Connection type (e.g. HTTP)
  - Proxy type (e.g. Internet)
  - Unique attribute to identify users (e.g. user id)
  - Unique attribute to identify groups (e.g. group displayName)
  - Filters, retry policies and logging/tracing policies (trace failed entities, retry failed entities, read only certain record types)
- Use a dedicated technical user or OAuth client for this connection, with permissions limited to reading users and groups: IPS stores these credentials and presents them on every request to IAS. Be sure to read up on the IAS source-system properties in the SAP Help Portal to learn more about how the properties can be configured for IAS as the source system.
- Once the source system read transformation has been configured and the system properties have been entered, the tenant administrator can proceed to connect the target system, Litmos Training.
Set up Litmos as a Target System
Now that IAS has been set up as the source system, the IPS tenant administrator will proceed to set up Litmos as the target system.
- Select the “Target Systems” tab in the navigation menu, click the “+Add” button, and then select “SCIM system”.
Important Note: Litmos has not been added as a branded connector to the list of source or target systems in IPS. Therefore, the IPS tenant administrator will need to select the option “SCIM System” to select and configure Litmos as a target application. While selecting a target system, the tenant administrator must also choose which systems user and group records will be fetched from for provisioning jobs. Select IAS as the source system.
- Once Litmos has been added as a target system, the IPS tenant administrator will need to configure a “write” transformation.
- The write transformation determines which records, and which attributes of each record, IPS writes to the target in each provisioning job. When Litmos is added as a generic SCIM target system, the write transformation is empty: there is no template to start from. As such, it is important to know how Litmos can be configured as a target system.
- An example write transformation has been included below to help tenant administrators with the initial configuration of Litmos as a target SCIM system in IPS.
{
  "user": {
    "mappings": [
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" },
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "sourcePath": "$.userName", "targetPath": "$.userName" },
      { "sourcePath": "$.active", "optional": true, "targetPath": "$.active", "defaultValue": true },
      { "sourcePath": "$.name.givenName", "targetPath": "$.name.givenName" },
      { "sourcePath": "$.name.familyName", "targetPath": "$.name.familyName" },
      { "sourcePath": "$.emails", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.emails" },
      { "constant": "work", "condition": "$.emails.length() > 0", "optional": true, "targetPath": "$.emails[0].type" },
      { "sourcePath": "$.title", "optional": true, "targetPath": "$.title" },
      { "sourcePath": "$.addresses", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.addresses",
        "functions": [
          { "function": "putIfAbsent", "key": "type", "defaultValue": "work" },
          { "condition": "(@.type NIN ['work', 'home'])", "function": "putIfPresent", "key": "type", "defaultValue": "work" }
        ],
        "defaultValue": [] },
      { "sourcePath": "$.phoneNumbers", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.phoneNumbers" },
      { "constant": "work", "condition": "$.phoneNumbers.length() > 0", "optional": true, "targetPath": "$.phoneNumbers[0].type" },
      { "constant": "mobile", "condition": "$.phoneNumbers.length() > 0", "optional": true, "targetPath": "$.phoneNumbers[1].type" },
      { "ignore": true, "sourcePath": "$.timeZone", "optional": true, "targetPath": "$.timezone" },
      { "ignore": true, "targetPath": "$.timeZone", "type": "valueMapping", "sourcePaths": [ "timeZone" ],
        "defaultValue": "(UTC) Coordinated Universal Time",
        "valueMappings": [ { "key": [ "America/Los_Angeles" ], "mappedValue": "(UTC-08:00) Pacific Time (US & Canada)" } ] },
      { "ignore": true, "targetPath": "$.preferredLanguage", "type": "valueMapping", "sourcePaths": [ "$.locale" ],
        "defaultValue": "en-US",
        "valueMappings": [ { "key": [ "EN" ], "mappedValue": "en-US" } ] },
      { "constant": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", "targetPath": "$.schemas[1]" },
      { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']", "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']" },
      { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']", "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']" },
      { "ignore": false, "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
        "functions": [ { "type": "resolveEntityIds" } ] },
      { "constant": "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User", "targetPath": "$.schemas[2]" },
      { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['CustomAttribute1']", "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:CustomField:User']['CustomField1']" },
      { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['CustomAttribute2']", "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:CustomField:User']['CustomField2']" },
      { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['CustomAttribute3']", "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:CustomField:User']['CustomField3']" },
      { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['CustomAttribute4']", "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:CustomField:User']['CustomField4']" },
      { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['CustomAttribute5']", "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:CustomField:User']['CustomField5']" },
      { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['CustomAttribute6']", "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:CustomField:User']['CustomField6']" },
      { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['CustomAttribute7']", "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:CustomField:User']['CustomField7']" },
      { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['CustomAttribute8']", "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:CustomField:User']['CustomField8']" },
      { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['CustomAttribute9']", "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:CustomField:User']['CustomField9']" },
      { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['CustomAttribute10']", "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:CustomField:User']['CustomField10']" }
    ]
  },
  "group": {
    "ignore": false,
    "mappings": [
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "sourcePath": "$.displayName", "optional": false, "targetPath": "$.displayName" },
      { "sourcePath": "$.members", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members",
        "functions": [ { "type": "resolveEntityIds" } ] }
    ]
  }
}
- This example write transformation can be configured and customized to satisfy the provisioning requirements and the identity lifecycle requirements of the organization as a whole. For example, certain attributes (like address and title) can be made optional while others (like first name, last name and username) are mandatory; a user whose source record lacks a mandatory attribute fails to provision and is listed as a failed entity in the job log. The tenant administrator may also choose to disable certain mappings (JSON has no comments, so set "ignore": true on the mapping, as the example does for time zone and language) or remove them from the transformation altogether, to avoid issues such as field validation errors in Litmos. If time zone and language are included, be sure to review and implement a proper value-mapping expression from the source values to the values Litmos accepts. Also check that every extension URN used in a targetPath (in the example, the ...CustomExtensionName:2.0:CustomField:User key of the custom fields) appears in the $.schemas array with exactly the same value, since SCIM 2.0 requires the schemas attribute to list every extension present in the resource; confirm with Litmos which URN it expects and use that value in both places.
- Be sure to review the Transformation Types, Examples, Expressions, Functions and Variables in the SAP Help Portal to get a full understanding of what can be configured for the IPS transformation.
- Once the transformation has been configured, “Properties” must also be entered. Properties configure the connection between your source and target systems and can also include filters for reading records and record attributes. For Litmos as a target system, properties include things like:
  - Authentication method (e.g. BasicAuthentication)
  - User credentials (e.g. username and password)
  - Domain (e.g. companyname.litmos.com)
  - Content type (e.g. application/scim+json)
  - Connection type (e.g. HTTP)
  - Proxy type (e.g. Internet)
  - API URL (e.g. api.litmos.com/v2/SCIM)
  - Unique attribute to identify users (e.g. user id)
  - Unique attribute to identify groups (e.g. group displayName)
  - Filters, retry policies and logging/tracing policies (trace failed entities, retry failed entities, read only certain record types)
- Because Litmos is reached with Basic authentication, the API URL must use https and the Litmos account used should be a dedicated one with only the permissions needed to create and update users and groups. Be sure to read up on the SCIM system target properties in the SAP Help Portal to learn more about how the properties can be configured for Litmos as the target system.
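The mapping semantics the write transformation relies on, as an added example that is not SAP IPS or Litmos code: a simplified Python reimplementation of how a transformation turns a source SCIM user into the target payload, together with a linter for the transformation itself. It models only the mapping keys constant, sourcePath, targetPath, optional, defaultValue and ignore (no "functions", conditions or value mappings), applies a trimmed copy of the example transformation above, and the IAS user record it runs on is constructed test data. The names ENTERPRISE, CUSTOM, CUSTOM_FIELDS, USER_MAPPINGS and check_mandatory are this example's own.

```python
# Added example (not SAP IPS or Litmos code): a simplified re-implementation of how an IPS write
# transformation turns a source SCIM user into the target payload, plus a linter for the transformation.
import copy
import re
_MISSING = object()
_STEP = re.compile(r"\.([A-Za-z_]\w*)|\['([^']*)'\]|\[(\d+)\]")
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
CUSTOM = "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User"
CUSTOM_FIELDS = "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:CustomField:User"

def parse_path(path):
    """Parse the JSONPath subset IPS mappings use: $.a.b, $['urn:x']['y'], $.list[0]."""
    keys, pos = [], 1
    while pos < len(path):
        m = _STEP.match(path, pos)
        if not m:
            raise ValueError(f"malformed path {path!r} at offset {pos}")
        name, quoted, index = m.groups()
        keys.append(int(index) if index is not None else (quoted if name is None else name))
        pos = m.end()
    return keys

def get_path(obj, path):  # value at path, or _MISSING if any step is absent
    cur = obj
    for k in parse_path(path):
        present = (isinstance(cur, list) and isinstance(k, int) and k < len(cur)) or (isinstance(cur, dict) and k in cur)
        if not present:
            return _MISSING
        cur = cur[k]
    return cur

def set_path(obj, path, value):  # write at path, creating objects/arrays along the way
    keys, cur = parse_path(path), obj
    for k, nxt in zip(keys, keys[1:]):
        if isinstance(k, int):
            cur.extend([None] * (k + 1 - len(cur)))
            cur[k] = cur[k] if cur[k] is not None else ([] if isinstance(nxt, int) else {})
            cur = cur[k]
        else:
            cur = cur.setdefault(k, [] if isinstance(nxt, int) else {})
    if isinstance(keys[-1], int):
        cur.extend([None] * (keys[-1] + 1 - len(cur)))
    cur[keys[-1]] = value

def apply_mappings(mappings, source):  # build the target entity; ValueError if a mandatory attribute is absent
    target = {}
    for m in mappings:
        if m.get("ignore"):
            continue
        value = m["constant"] if "constant" in m else get_path(source, m["sourcePath"])
        if value is _MISSING:
            if "defaultValue" in m:
                value = m["defaultValue"]
            elif m.get("optional"):
                continue  # optional attribute: simply left out of the payload
            else:
                raise ValueError(f"mandatory attribute {m['sourcePath']} missing in source entity")
        set_path(target, m["targetPath"], copy.deepcopy(value))  # copy so the source is never mutated
    return target

def lint_transformation(mappings):  # unparsable paths, and extension URNs written but not declared in $.schemas
    problems, declared, used = [], set(), set()
    for m in mappings:
        try:
            tp = parse_path(m["targetPath"])
            parse_path(m.get("sourcePath", "$"))
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if tp[:1] == ["schemas"] and "constant" in m:
            declared.add(m["constant"])
        elif tp and str(tp[0]).startswith("urn:"):
            used.add(tp[0])
    return problems + [f"{u} used in a targetPath but not listed in $.schemas" for u in sorted(used - declared)]

USER_MAPPINGS = [  # trimmed copy of the write transformation shown on this page
    {"constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]"},
    {"sourcePath": "$.userName", "targetPath": "$.userName"},
    {"sourcePath": "$.active", "optional": True, "targetPath": "$.active", "defaultValue": True},
    {"sourcePath": "$.name.givenName", "targetPath": "$.name.givenName"},
    {"sourcePath": "$.name.familyName", "targetPath": "$.name.familyName"},
    {"ignore": True, "sourcePath": "$.timeZone", "optional": True, "targetPath": "$.timezone"},
    {"constant": ENTERPRISE, "targetPath": "$.schemas[1]"},
    {"sourcePath": f"$['{ENTERPRISE}']['employeeNumber']", "optional": True, "targetPath": f"$['{ENTERPRISE}']['employeeNumber']"},
    {"constant": CUSTOM, "targetPath": "$.schemas[2]"},
    {"sourcePath": f"$['{ENTERPRISE}']['CustomAttribute1']", "optional": True, "targetPath": f"$['{CUSTOM_FIELDS}']['CustomField1']"},
]

# Constructed IAS user (test data, not a real record): no active flag, no CustomAttribute1, timeZone present but ignored.
IAS_USER = {"userName": "jdoe@example.com", "name": {"givenName": "Jane", "familyName": "Doe"},
            "timeZone": "America/Los_Angeles", ENTERPRISE: {"employeeNumber": "100042"}}

def check_mandatory(source, mappings=USER_MAPPINGS):  # dry run: the job-log error for this user, or None
    try:
        apply_mappings(mappings, source)
        return None
    except ValueError as exc:
        return str(exc)
```

Running apply_mappings on the constructed user yields a payload with active defaulted to true, the enterprise employeeNumber written under its extension key, and no CustomField1 (optional and absent); removing familyName from the source makes check_mandatory return the error a job log would show. lint_transformation reports the custom-field URN as used but not declared, because the trimmed mappings copy the page's pair of ...CustomExtensionName:2.0:User in $.schemas[2] and ...CustomExtensionName:2.0:CustomField:User in the targetPaths; it also rejects a path with unbalanced brackets, the kind of typo that otherwise only surfaces when the first job runs. A dry run like this against the source records is cheap to do before pointing a scheduled job at a production tenant.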
Schedule a Provisioning Job in Identity Provisioning
Important Note: This step should only be initiated once a test provisioning job has been successfully run with no errors. Please be sure to test the provisioning job to a Litmos sandbox tenant before proceeding to configure and schedule a provisioning job to your Litmos production tenant.
Once the source and target system have been selected, configured and customized, the tenant administrator will proceed to schedule the provisioning job cycle. The tenant administrator will click on “Source Systems” –> select the source system (in this case IAS) –> click “Jobs” –> click “Schedule” –> enter a time value in minutes. This interval determines how often the provisioning job is initiated.
Once the job has been initiated, the tenant administrator can click on “Job Logs” to review the job execution logs for any provisioning configurations in the IPS tenant.
To view any errors associated with an execution job click on the row in the table to open the job logs. The error message(s), statistics and failed entries can be reviewed.
Resources
                            | IAS                             | IPS
Documentation               | Identity Authentication Service | Identity Provisioning Service
Care taker                  | IT Admin                        | IT Admin
Support incident component  | BC-IAM-IAS                      | BC-IAM-IPS