Enterprise Resource Planning Blogs by SAP
Saumitra
Product and Topic Expert

Introduction


Customers and partners using SAP S/4HANA Cloud, public edition are also provided with SAP Cloud Identity Services by default as part of the software subscription. Because the SaaS and public cloud model differs somewhat from the SAP on-premise or legacy world, this blog post is intended to help readers understand how SAP Cloud Identity Services supports user identity and authentication throughout the lifecycle of SAP S/4HANA Cloud, public edition.

We will pose a series of scenarios and then look into each of them in detail. I will try to cover the most basic scenarios that occur during an SAP S/4HANA Cloud, public edition implementation as well as in ongoing operations.

Though SAP Cloud Identity Services is used for many use cases, this blog post is limited to its use with SAP S/4HANA Cloud, public edition.

Before we get started, the first and foremost thing to understand is that for any SAP S/4HANA Cloud, public edition system it is MANDATORY to use SAP Cloud Identity Services for authentication and for managing the identity lifecycle of the applications included in it (here SAP S/4HANA Cloud, public edition). You cannot choose to skip SAP Cloud Identity Services in an SAP S/4HANA Cloud, public edition implementation. Even if you have a separate or external Identity Provider, SAP Cloud Identity Services must still be used as a proxy that delegates authentication to your own Identity Provider.

For first-time SAP S/4HANA Cloud, public edition project managers and implementers: making the Identity Services in an SAP S/4HANA Cloud, public edition project easy to understand:



Identity Administrator Sequence of Initial Tasks


The illustration above is a timeline of the tasks an Identity Administrator needs to perform during the initial provisioning of the systems and the landscape.

  1. Onboard Users for SAP Cloud ALM

  2. Initial User Account Setup for SAP CBC

  3. Import Users to IAS from Starter System (both Customizing and Development tenants)

  4. Import Users to IAS from Development System (both Customizing and Development tenants)

  5. Import Users to IAS from Test System

  6. Import Users to IAS from Production System


Question 1: How to subscribe for SAP Cloud Identity Authentication Services for SAP S/4HANA Cloud, public edition?


As stated in the introduction, in very simple words: once a customer or partner signs a contract for SAP S/4HANA Cloud, public edition, they also get SAP Cloud Identity Services included in the same offering. This means you do not have to subscribe separately or acquire separate licensing to use SAP Cloud Identity Services. It is part of the SAP Cloud Services that come with the RISE with SAP and GROW with SAP packages. Find more details here - Service Use Description.

  1. The Cloud Service includes use of SAP Cloud Platform, Identity Authentication, which may only be used for Authorized User authentication

  2. The Cloud Service includes use of SAP Cloud Platform Identity Provisioning.


Hence the answer here is that you do not have to separately request or subscribe to SAP Cloud Identity Services in an SAP S/4HANA Cloud, public edition project.


Question 2: Without subscribing to SAP Cloud Identity Services separately, how do I request SAP Cloud Identity Services?


To receive the actual SAP Cloud Identity Services tenants, you as an implementer do not need to request these tenants separately.





 

Question 3: If SAP Cloud Identity Services is not to be requested, how will I know if I have access to the tenant or can start my project work?


That's a fair question given the two answers above. If you are not expected to request the SAP Cloud Identity Services tenants, how in the world will you know which tenants you have and how to start working on them? Worry not - SAP has made this automatic too. The IT contact person is the customer or partner contact who receives the initial emails to activate and access SAP Cloud Identity Services. So, for those who have not used SAP Cloud Identity Services before the current project, the IT contact person will find an activation email containing the Activation URL and the SAP Cloud Identity Services Admin Console URL, which are used for all further actions and steps in SAP Cloud Identity Services. The first user created by SAP Cloud Operations in SAP Cloud Identity Services is this IT contact person, who is also the initial administrator of the tenant. From here on, this person is responsible for performing the administrative steps or for adding further administrators to SAP Cloud Identity Services.

Below is a look-alike of the activation email that the IT contact person should receive:



 

Question 4: What if I already have an SAP Cloud Identity Services being used separately or with other SAP Cloud solutions?


The SAP Cloud Identity Services - Tenants application shows which Identity Authentication and Identity Provisioning tenants are assigned to a customer ID and who the tenant administrators of these tenants are. Viewing Assigned Tenants and Administrators describes how to check the tenants assigned to your contracts.


The default tenants, one test and one productive tenant per customer, are provided regardless of the number of contracts signed in which SAP Cloud Identity Services is included or bundled. Additional productive or test tenants beyond the initial ones must be purchased separately. For more information, see Tenant Model and Licensing. This means that if you already have SAP Cloud Identity Services in your customer or partner scenario, you must reuse the same tenants to manage all the applications you will be provisioning in the SAP S/4HANA Cloud, public edition project.


Once you log in to SAP Cloud Identity Services as an administrator, you can also check which applications are managed by the current tenant in the Applications & Resources tab.



 

Question 5: Now that I have accessed SAP Cloud Identity Services as an administrator, what do I do next?


Depending on the project charter and the roles and responsibilities, either you are an administrator yourself, or you are the IT contact person and want to delegate the next steps to the right person.

  • If you are an Administrator yourself - You should now proceed with the next steps for accessing the landscape systems and setting up the tenants and systems as listed in the Prepare phase. Soon after the activation emails for SAP Cloud Identity Services, the same IT contact person should also have received the initial emails for SAP Cloud ALM, the SAP Central Business Configuration tenant, and the SAP S/4HANA Cloud, public edition Customizing and Development tenants. If you are only going to take care of security and identity administration, get in touch immediately with the project team (project managers, technical consultants, functional consultants and the business stakeholders), because the next setup steps are critical for the overall project: adding the business users to SAP Central Business Configuration, selecting the scope, localizations and primary finance settings, and selecting the deployment targets. If you are looking only for tasks related to SAP Cloud Identity Services, follow the steps mentioned here to 1) access SAP Cloud ALM and create users and 2) access the SAP Central Business Configuration tenant and set it up for authentication of the users who will be working in SAP Cloud ALM and SAP Central Business Configuration.

    • For the SAP Cloud ALM setup, SAP Cloud Identity Services assumes the role of the identity provider. Hence any user logging in to SAP Cloud ALM must go through the authentication process of the provided SAP Cloud Identity Services. Please note that for SAP Cloud ALM, a productive SAP Cloud Identity Services tenant is provisioned and used. The steps the Identity Administrator performs for SAP Cloud ALM are described here - Onboard Users in Your Identity Authentication Service. For SAP Cloud ALM only authentication is done in SAP Cloud Identity Services, whereas authorizations/roles are assigned directly in SAP Cloud ALM.

    • For SAP Central Business Configuration, SAP Cloud Identity Services currently assumes the role for both authentication and authorization. This means SAP Cloud Identity Services is responsible not just for authenticating users but also for authorizing the tasks to be done in SAP Central Business Configuration. SAP Central Business Configuration does not have its own authorization concept as of today and therefore relies on SAP Cloud Identity Services to propagate authorizations through User Groups, which are nothing but the roles in SAP Central Business Configuration. These roles are already created in SAP Cloud Identity Services by default and cannot be changed. Find more details here - Standard Roles and Authorizations and Standard Authorization Concept in Project Experiences (SAP Central Business Configuration). The steps in SAP Cloud Identity Services for SAP Central Business Configuration are described here - Initial User Account Setup.

    • For the SAP S/4HANA Cloud systems, SAP Cloud Identity Services currently acts as the authenticator, so you must add every user who needs to log in to an SAP S/4HANA Cloud system to the respective SAP Cloud Identity Services tenant so that they can be authenticated on each login. The non-productive SAP Cloud Identity Services tenant is used for the Starter System (Customizing + Development tenant), the Development System (Customizing + Development tenant) and the Test System, whereas the Production System uses the productive SAP Cloud Identity Services tenant (the one received together with SAP Cloud ALM). The steps described here should help the project's Identity Administrator use SAP Cloud Identity Services - Initial System Access to SAP S/4HANA Cloud in Your 3-System Landscape. For the Starter System these steps are done in the Prepare phase, whereas for the Development, Test and Production systems the same steps are done in the Realize phase.





  • If you are not an Administrator - You should immediately add an administrator following the steps mentioned here - Add Administrators. Since you are not really an administrator, it is also important to change the IT contact person, who will receive the initial emails for the Dev, Test and Production systems as well. This can be done by submitting a ticket to the component XX-OPR-SRV-SRV titled 'Request update to the Contact Person IT' with the valid email address of the person who is to become the IT contact person. Once the right admin is determined and added, that person is responsible for performing the activities mentioned above in SAP Cloud Identity Services for the project.



 

Question 6: Now that the Admin has done the initial setup tasks, what are the next steps for the Identity Admin?


Once the initial setup is done, there are many tasks that may require your expertise as an Identity Admin to maintain identity management throughout the implementation and beyond the go-live. I am jotting down just a few of the common tasks I have seen during real SAP S/4HANA Cloud, public edition implementation projects:

  • Adding a new project member to SAP Central Business Configuration in the middle of a project:

    1. Log in to the SAP Cloud Identity Services Admin Console as an administrator

    2. Add the user in SAP Cloud Identity Services -> Go to the tab 'User & Authorization' >> User Management >> Import/Add. This also sends the initial activation emails for the SAP Central Business Configuration system; alternatively, you can use 'Import Users' after the users are created to send them activation emails later.

      1. For importing a CSV file with a user profile - Import CSV File with Full User Profile

      2. For creating a new user with the 'Add' button - Create a New User. It is mandatory that the users have the Status 'Active' and that the LoginName is maintained; otherwise authentication/access will fail.



    3. Once the user is created, assign the relevant user group (SAP Central Business Configuration role) already available in SAP Cloud Identity Services

      1. Add user groups by navigating directly to the user in 'User Management' >> sub-tab 'User Groups' >> Assign

      2. Add multiple users to a user group by navigating to 'User Group' >> select the user group >> click 'Add' to add the users once they are created



    4. Now that the user is created and assigned to the user group, the next step is to replicate the created user to SAP Central Business Configuration using the SAP Cloud Identity Provisioning service

      1. Go to the tab 'Identity Provisioning' >> drop-down option 'Source System' >> select the source system IAS-<part of CBC Link>. This replicates the users from IAS to SAP Central Business Configuration



    5. The newly created user now has the SAP Central Business Configuration roles assigned and can seamlessly access SAP Central Business Configuration. Depending on the roles assigned, the user can perform tasks in the SAP Central Business Configuration project experience. However, new users often also need to work on configuration in the SAP S/4HANA Cloud system (Starter or Development System), so the user must also be created as a worker (employee) in the SAP S/4HANA Cloud system. Once the worker has a business user in the SAP S/4HANA Cloud system with the right roles and authorizations, which are governed directly by the SAP S/4HANA Cloud systems, the same user can be propagated from SAP Central Business Configuration directly to the SAP S/4HANA Cloud configuration screen. For this whole process, please once again follow the steps in Initial System Access to SAP S/4HANA Cloud in Your 3-System Landscape.
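Step 2 above notes that a user imported via CSV without an active status or a maintained LoginName will simply fail to authenticate, and the activation email cannot be delivered without a mail address. A pre-flight check of the CSV before uploading it to the Admin Console catches these rows early. The following script is an added example, not code from the original post or from SAP: the column header names (loginName, status, mail) are assumptions derived from the field names mentioned above, and the sample CSV is constructed; compare the headers against the import template you download from your own tenant before using it.

```python
import csv
import io

# Constructed sample input (not from the original post). Header names follow the
# fields the post refers to (LoginName, Status) and are an assumption; the real
# Identity Authentication import template may spell them differently.
SAMPLE_CSV = """loginName,status,mail,firstName,lastName
jdoe,active,jdoe@example.com,Jane,Doe
,active,nologin@example.com,No,Login
bsmith,inactive,bsmith@example.com,Bob,Smith
jdoe,active,dup@example.com,Dup,Licate
akhan,active,,Aisha,Khan
"""

# Columns that must exist for the checks below to be meaningful (assumed names).
REQUIRED_COLUMNS = ("loginName", "status")


def validate_user_csv(text: str) -> list[str]:
    """Return human-readable problems found in a user import CSV.

    An empty list means every row has a non-empty, unique loginName, an
    'active' status and a mail address for the activation e-mail.
    """
    reader = csv.DictReader(io.StringIO(text))
    problems: list[str] = []

    # Header check first: without these columns the row checks cannot run.
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [f"header: missing required column(s) {', '.join(missing)}"]

    seen: dict[str, int] = {}  # lower-cased loginName -> first line it appeared on
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        login = (row.get("loginName") or "").strip()
        status = (row.get("status") or "").strip().lower()
        mail = (row.get("mail") or "").strip()

        # The post states authentication fails without a maintained LoginName.
        if not login:
            problems.append(f"line {lineno}: loginName is empty; authentication will fail")
        elif login.lower() in seen:
            problems.append(
                f"line {lineno}: duplicate loginName '{login}' "
                f"(first seen on line {seen[login.lower()]})"
            )
        else:
            seen[login.lower()] = lineno

        # The post states the user must have Status 'Active'.
        if status != "active":
            problems.append(
                f"line {lineno}: status is '{status or '<empty>'}', expected 'active'"
            )

        # Activation e-mails are sent on import, so a mail address is needed.
        if not mail:
            problems.append(f"line {lineno}: mail is empty; the activation e-mail cannot be delivered")

    return problems


if __name__ == "__main__":
    report = validate_user_csv(SAMPLE_CSV)
    if report:
        print("CSV has problems; fix before importing:")
        for line in report:
            print("  -", line)
    else:
        print("CSV passes pre-flight checks")
```

Run against the constructed sample, the check reports the empty loginName on line 3, the inactive status on line 4, the duplicate of jdoe on line 5 and the missing mail on line 6; a file with all rows valid returns an empty list. The duplicate check is case-insensitive because two rows that differ only in case usually indicate a copy-paste error rather than two intended users.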



  • Allowing/Restricting User Authentication based on an IP Range:


  • Setting up Single Sign-On (SSO) with Microsoft Azure AD

    • This is also one of the common scenarios, where you want to integrate SAP Cloud Identity Services with Microsoft Azure AD for SSO. For that case, please look into this product documentation - Integrating the Service with Microsoft Azure AD



  • Troubleshooting and Monitoring:

    • There are multiple administration tasks for troubleshooting and monitoring

      • While running the read jobs, inconsistencies or changes can cause the read job that replicates users from IAS to CBC to fail. In such cases, go to the Provisioning Logs and analyze the errors. In most cases the error message is quite descriptive, and the errors are already well documented in the SAP for Me KBA collections. Below is a glimpse of one of the errors we faced, for which we found a KBA immediately and solved the issue within 5 minutes.






I hope this provides a brief yet essential view of the initial tasks of an SAP Identity Administrator in an SAP S/4HANA Cloud, public edition project. Naturally there are many more tasks overall in the context of SAP Cloud Identity Services, but as this blog post is intended for first-time users of SAP Cloud Identity Services with SAP S/4HANA Cloud, I believe it will help them kickstart their projects easily and confidently.

Thanks,
Saumi
17 Comments
gurubalan
Participant
Hello sir,

In the 2308 release, the "Import Employee" tile is not visible. The Fiori App Reference Library indicates that this application has been deprecated. Are you aware of an alternative tile for this function?

Thanks in Advance,

Guru Balan.
Saumitra
Product and Topic Expert

Hi gurubalan : Please check the app 'Manage Workforce' for creation/importing of the employees in the SAP S/4HANA Cloud, public edition. This has been available since Cloud Edition 2208. Check this blogpost - SAP S/4HANA Cloud 2208 – Manage Workforce Application

Once an employee/worker is created in the SAP S/4HANA Cloud, public edition using this app, you must follow the steps mentioned here for further steps - Initial System Access to SAP S/4HANA Cloud in Your 3-System Landscape.

Thanks,
Saumi

Enda
Product and Topic Expert
Great blog as always Saumitra!
Saumitra
Product and Topic Expert
Thanks a lot enda.fennelly 🙂
Frank1
Participant
Amazing blog, contains lots of useful information; learned a lot. Looking forward to your next blog regarding S4 public cloud project experience sharing.
Saumitra
Product and Topic Expert
Thanks a lot frankli123
Lucian
Product and Topic Expert
Great blog as usual Saumi!

One small observation to add: with the 2205 FD3 SAP Central Business Configuration release, the initial IAS admin/IT Contact will also be provisioned as a business user -> (Project manager) in the SAP Central Business Configuration system, so you can in theory access the system with this user and create the first project before you extend the team with additional users in IAS and start the user replication job.

Regards,

Lucian
Saumitra
Product and Topic Expert
Thanks a lot for this update lucian.marian, I will update the blog as soon as this is available.

Regards,
Saumi
gurubalan
Participant
Thank you for your guidance !

 
Dario_D
Product and Topic Expert
Thank you, Saumitra, for this insightful blog article!

I have a quick question regarding the tenants (Starter Systems and the Central Business Configuration):

If these tenants are not appearing in the Cloud Identity Service, what possible issues could be responsible for this situation? Could it be connected to user authorizations?

Regards,
Dario
Saumitra
Product and Topic Expert
Hi dario.dispirito : Are you checking the productive Cloud Identity Services tenant or the non-productive Cloud Identity Services tenant? As mentioned above in the blog post, there will be two Cloud Identity Services tenants provisioned (one non-productive having Starter + CBC + Dev + Test; and another productive having Cloud ALM + Production). So if you are checking the productive Cloud Identity Services tenant, you won't see the CBC & Starter system.

-Saumi
GoranKovacic
Participant
Hi saumitra.deshmukh2, thank you for the amazing blog!

I don't know if this is the right place to ask this, but I will try my luck.
As far as I understand, you (SAP) will automatically take care of the configuration of our newly provisioned S/4HANA Public Cloud in the Cloud Identity Services (under the option Applications) during the provisioning, right?

Now my question - is it somehow possible to affect how the S4HC operates with the CIS?

In our specific example - we integrated our CIS with all our other SAP Solutions (all BTP Services (Build Suite, IS, BAS, ...), CALM, CBC, Datasphere, SAC, Signavio, ....). The integration works with each and every solution, apart from our 2 S4HC Instances (TDD 080 and 100).
When the user tries to log into any of those 2 S4HCs, the system redirects him to the "wrong" domain, to which he then needs to log into separately. Of course after he logs into it, he is signed into both systems, but this "wrong" redirection causes problems in the Integration of S4HC Apps into Workzone, where it breaks the SSO principle.

Example with URLs:

  1. all other solutions log in screen is: xyz123456.accounts.ondemand.com,

  2. the 2 S4HCs route the user to: https://xyz123456.accounts.cloud.sap/saml2/idp/sso/xyz123456.accounts.ondemand.com


 

Do you maybe know if it is somehow possible to affect where the S4HC will route the user? I found no options for doing that - not in S4HC and not in the CIS.

 

Thank you and best regards,
Goran
Saumitra
Product and Topic Expert

@gk_axians: Thanks for the question.

There are multiple possibilities here and mainly you would have to check with your Partner contact from SAP or raise a ticket to BC-IAM-IDS for this as this might need further investigations on your specific configurations.

Meanwhile, what you can do here is to check if the TDD system is registered in the same CIS under which all other instances are registered. You can find it out in the applications under Cloud Identity Authentication Services. There might be a case that the TDD system is registered to a separate SAP CIS whereas all other tenants are registered to some other SAP CIS. If it's the same SAP CIS for TDD as well as all other systems, then there should be no problem and as you rightly stated - SAP will take care of setting up the S/4HANA Cloud, public edition system to the SAP CIS as per your contract.

So once you check back, you can further see the root cause behind it.

If you are a SAP Partner you can always reach out to us into a gated community for SAP S/4HANA Cloud, public edition here - https://groups.community.sap.com/t5/sap-s-4hana-cloud-public-edition/ct-p/s4hana-cloud-public

Hope this provides some direction.

Thanks,
Saumi

GoranKovacic
Participant
Hi saumitra.deshmukh2,

Thank you very much for the fast response!
I checked, and both S4HCs are registered in the same CIS as all other applications.

I will follow your advice and move my topic into the Partner Community. Maybe someone there already experiences something similar and will be able to give some tips on what specifically I should check.
If there should also be no suggestions, I will raise a ticket. Thank you in advance for the correct support component!

 

BR, Goran
adeda1770
Member
Ok, interesting question

Br ade
Subhankar1
Newcomer

Hello Soumitra,

Thank you for your amazing blog!

Here you have well explained the steps for non productive Cloud Identity Services tenant for Starter + CBC + Dev + Test.

Do you have a specific blog on how we can use the production Cloud Identity Services tenant for user provisioning for the production S/4HANA Cloud? What steps should be performed to onboard users to the production S/4HANA Cloud from the productive IAS?

Thanks,

Subhankar

Saumitra
Product and Topic Expert

Hi @Subhankar1 : The steps for the Production should be more or less the same, just that you need to make sure that the users and the setup are purely for the productive users, unless you have use cases for the project team for validation reasons in the system. In most cases, you would take the users from the Test environment to the Production (via the Import-Export function), as you would have used the users in the Test environment for testing scenarios. However, the IAS steps remain more or less the same as for the non-productive cloud identity tenant.

-Saumi