Technology Blogs by SAP
muthu_kumar
Product and Topic Expert

In this blog I will go through the steps to enable SAP Access Control 12.0 (on-premise) to use SAP Cloud Identity Access Governance (IAG) as a bridge for creating access requests and performing risk analysis for cloud applications.

The IAG bridge scenario applies when the customer uses a GRC system as the primary system. If the customer does not have GRC AC in their landscape, the IAG Standard edition is recommended instead.

Prerequisites: IAG administrator and GRC Access Control administrator roles, together with knowledge of SAP BTP, are preferred for this setup.

Make sure you have completed the steps below before following this blog:

  1. IAG initial setup
  2. Connect at least one target cloud application, for example SAP Ariba
  3. Run the Repository Sync job in IAG for the target cloud application
  4. Cloud Connector initial setup and user credentials for the Cloud Connector

Note: You can connect only one Access Control system with IAG.

Process Overview

The following tasks need to be done to integrate IAG with GRC AC:

  1. Connect Cloud Connector with the IAG subaccount
  2. Maintain the destination for GRC AC in the IAG subaccount
  3. Certificate download and upload
  4. Create the authorization credentials for the RFC connection in GRC AC
  5. Create RFC connections for the cloud application in GRC AC
  6. Maintain the IAS service in the IAG subaccount
  7. Configure parameters for cloud integration
  8. Create connectors and connector groups for the cloud application
  9. Create a destination for IAG to display the provisioning status of access requests
  10. Sync repository data from IAG to GRC AC
  11. Sync Access Control data to IAG

1. Connect Cloud Connector with the IAG Subaccount

Make sure the initial configuration in the Cloud Connector (for example, creation of the self-signed certificate) has been completed before following the step below.

Log in to the Cloud Connector > Connector > Add Subaccount

Enter the following details:

  • Region: <Region and provider of your IAG subaccount> (you can find the details on the Overview page)
  • Subaccount: <Subaccount ID of the IAG subaccount> (you can find the details on the Overview page)
  • Display Name: <Free text>
  • Login Email: <S-user ID or S-user email ID>
  • Password: <S-user password>
  • Location ID: <Optional>
  • Description: <Free text>

Figure: Add Subaccount in Cloud Connector


Create the RFC connection (system mapping) in the Cloud Connector:

  • Go to the IAG subaccount in the Cloud Connector > Cloud To On-Premise > Access Control > click the + symbol and enter the following details.
  • Back-end Type: ABAP System
  • Protocol: RFC
  • Connection Type: Without load balancing (application server and instance number)
  • Application Server: <GRC AC application server>
  • Instance Number: <GRC AC instance number>
  • Virtual Application Server: <Any made-up server name, to mask the real host>
  • Virtual Instance Number: <Any made-up instance number, to mask the real value>
  • Click Next, click Check Internal Host, then Save. Once the RFC connection exists in the Cloud Connector, add the resources below to it:

  Function Name     Naming Policy
  SIAG              Prefix
  RFC_READ_TABLE    Exact name
  GRAC_IAG          Prefix


2. Maintain destination for GRC AC in the IAG Subaccount

Procedure to create the destination:

  1. Log in to the IAG subaccount.
  2. Open Connectivity > Destinations > New Destination.
  3. Enter a destination name.
  4. From the Type dropdown menu, choose RFC.
  5. The Description field is optional.
  6. From the Proxy Type dropdown box, select OnPremise.
  7. Proxy type OnPremise requires the Cloud Connector (added in the step above) to reach resources in your on-premise network.
  8. Enter the RFC user and password. Refer to the RFC User Authorization link for the authorizations this RFC user needs.
  9. Alias User, Repository User, Repository Password and Location ID are optional.
  10. Add the following Additional Properties:
  • jco.client.ashost - <Virtual Application Server added in the step above>
  • jco.client.client - <GRC AC client number>
  • jco.client.lang - EN
  • jco.client.sysnr - <Virtual Instance Number added in the step above>

Choose Check Connection; the connection should be successful.


3. Certificate download and upload

Download the certificates listed below and upload them to the GRC system and the Cloud Connector respectively.

1) IAG certificate:

  • Identify the customer IAG tenant link by referring to the IAG tenant URL link below and download the certificate.
  • IAG tenant URL

2) GRC AC certificate:

  • Execute transaction STRUST in GRC AC and download the certificate of the GRC AC system.

3) Cloud Connector certificate:

  • Log in to the Cloud Connector > Configuration > ON PREMISE > download the system certificate.

4) Upload the IAG tenant and Cloud Connector certificates to the GRC AC system using transaction STRUST.

5) Upload the GRC AC and IAG tenant certificates to the Cloud Connector:

  • Log in to the Cloud Connector > Configuration > ON PREMISE > upload the certificates to the trust store.

4. Create the Authorization Credentials for the RFC Connection in GRC AC

  1. Log in to IAS and create a P user in the IAS system.
  2. Add the P user as an administrator and assign the access.
  3. The user ID for the RFC connection is <P user ID>@<Customer IAG subdomain>.
  4. The password is the P user's password.
  5. Log in to IAS > Applications & Resources > Tenant Settings > Logon Alias > make sure Allow Logon is enabled for User ID.

5. Create RFC connection for Cloud Application in the GRC AC

5.1. RFC Connection for Authentication (IAG_SOD_AUTH)

  • Execute transaction SM59
  • Create an RFC connection of type HTTP Connection to External Server
  • RFC Destination - IAG_SOD_AUTH
  • Host - refer to the IAG tenant URL link below to identify the customer IAG URL
  • Port - 443
  • Path - /authentication
  • Go to Logon & Security > Basic Authentication
  • User - <<USER ID FROM STEP 4>>
  • Password - <<PASSWORD FROM STEP 4>>
  • Set SSL to Active

5.2. RFC Connection for SoD Check (IAG_SOD)

  • Execute transaction SM59
  • Create an RFC connection of type HTTP Connection to External Server
  • RFC Destination - IAG_SOD
  • Host - refer to the IAG tenant URL link below to identify the customer IAG URL
  • Port - 443
  • Path - /
  • Leave the logon data blank and set SSL to Active

5.3. RFC Connection for Cloud Application

  • Execute transaction SM59
  • Create an RFC connection of type HTTP Connection to External Server
  • RFC Destination - <<This name must correspond to the one listed in Application Apps>>
  • Host - refer to the IAG tenant URL link below to identify the customer IAG URL
  • Port - 443
  • Path - /com/sap/grc/iag/service/roleSimulationService.svc/
  • Leave the logon data blank and set SSL to Active

Run the connection test for IAG_SOD_AUTH and IAG_SOD. Status HTTP Response should be 200 and Status Text should be OK. When you run the connection test for the cloud application RFC connection, a user credential screen pops up; this is fine.

6. Maintain IAS Service in the IAG Subaccount

  1. Log in to the IAG subaccount.
  2. Open Connectivity > Destinations > New Destination.
  3. Name: IAGAuthService
  4. Type: HTTP
  5. Description: IAGAuthService
  6. URL: <IAS URL>/service/users/password (for example https://CUSTOMERUNIQUEID.accounts.ondemand.com/service/users/password)
  7. Proxy Type: Internet
  8. Authentication: No Authentication

Check Connection shows a green status but reports 405 Method Not Allowed.

7. Configure Parameters for Cloud Integration

  1. Log in to GRC AC > SPRO > Governance, Risks and Compliance > Access Control > Maintain Configuration Settings.
  2. Maintain the following parameters:
  • 1090 - Yes
  • 1091 - IAG_SOD
  • 1092 - IAG_SOD_AUTH

8. Create Connectors and Connector Groups for the Cloud Application

Create connectors and connector groups for the target cloud application in GRC AC.

  1. Go to SPRO > Governance, Risks and Compliance > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types.
  2. Create the connection type definitions IAG and IAG_GRP. If privileges have a group type, select IAG_GRP, for example for systems such as SAP Ariba and SAP SuccessFactors.
  3. Define the connectors for the target cloud applications.
  4. Assign the connectors to connector groups.

Note

For steps 3 and 4, the names of the Systems and Business Function Group apps in SAP Cloud Identity Access Governance must be 10 characters or fewer, as SAP Access Control supports only 10 characters.

9. Create Destination for IAG to Display the Provisioning Status of Access Requests

This delivered service is used by SAP Cloud Identity Access Governance to push provisioning status updates to SAP Access Control. This enables the proper and accurate display of the provisioning status for access requests.

  1. Go to SPRO > Governance, Risks and Compliance > SAP NetWeaver > SAP Gateway Administration > General Settings > Activate and Maintain Services.
  2. In the Service Catalog screen, select IAG_PROVISION_STATUS_UPDATE_SRV and activate it.
  3. In the System Aliases pane, choose Add System Alias, add it as local host, and Save.
  4. In the ICF Nodes pane, choose SAP Gateway Client and Execute.
  5. In the HTML pane, copy the href link and identify the host and port number, or execute SMICM > Goto > Services and note the host and port for the HTTPS protocol.
  6. In the Cloud Connector, create a system mapping for the provisioning status update service:
  • Log in to the Cloud Connector, select the subaccount, and choose Cloud To On-Premise.
  • Go to the Access Control tab and choose the plus (+) sign to add a new system mapping.
  • For Backend Type, select ABAP System and choose Next.
  • For Protocol, select HTTPS and choose Next.
  • Enter the internal host and port information and choose Next.
  • You can copy this information from the service URL. Refer to the image in step 5.
  • Internal Host: enter the root URL; do not include the protocol.
  • Internal Port: enter the port number.
  • Virtual Host: <Any made-up host name, to mask the real host>
  • Virtual Port: <Any made-up port, to mask the real port>
  • For Principal Type, select X.509 Certificate (General Usage) and choose Next.
  • Select the Check Internal Host box and choose Finish.
  • Add a resource path. In the Mapping Virtual To Internal System table, select the new mapping. In the Resources Accessible On section, choose the pencil icon to edit it.
  • In the URL Path field, make sure /sap/opu/odata/sap/IAG_PROVISION_STATUS_UPDATE_SRV is entered, and save.
  • Test the configuration. In the Mapping Virtual To Internal System table, select the new mapping and choose the check-availability icon.
  7. Go to the IAG subaccount and create a destination for the provisioning status update virtual mapping.

Go to Connectivity, choose Destinations and the plus sign (+) to add a destination. Enter the name IAGProvisionStatusUpdate.

For the URL field, copy and paste the URL from the service configuration step as follows:

  • Name: IAGProvisionStatusUpdate
  • Type: HTTP
  • Description: /
  • URL: http://<Virtual host>:<Virtual port>/sap/opu/odata/sap/IAG_PROVISION_STATUS_UPDATE_SRV
  • Proxy Type: OnPremise
  • Authentication: BasicAuthentication
  • Location ID: /
  • User: RFCUSER
  • Password: Password of the user
  • entity: Requests
  • sap-client: <GRC AC client>
  • serviceUrl: /


Save the entries.
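To make steps 5, 6 and 7 concrete, the following added example (written for this post, not code from the blog author or from SAP) takes the service href copied from the SAP Gateway Client, splits it into the Internal Host and Internal Port fields for the Cloud Connector mapping, and builds the IAGProvisionStatusUpdate destination URL against the virtual host and port. The host names, ports and virtual names are constructed placeholders; treating a missing port as the scheme default and rejecting a virtual host equal to the real one are assumptions of the example, not rules stated by SAP.

```python
"""
Derive the Cloud Connector mapping fields and the IAG destination URL
from the SAP Gateway service href (added example, not from the blog).
"""
from urllib.parse import urlsplit

# Service path the blog says must be entered in the Cloud Connector resource.
SERVICE_PATH = "/sap/opu/odata/sap/IAG_PROVISION_STATUS_UPDATE_SRV"

# Constructed href, shaped like the link the SAP Gateway Client shows.
SAMPLE_HREF = (
    "https://grc-host.internal.example:44300"
    "/sap/opu/odata/sap/IAG_PROVISION_STATUS_UPDATE_SRV/?sap-client=100"
)


def internal_system(href: str) -> dict:
    """Split the href into the Internal Host / Internal Port fields.

    Internal host is the host without the protocol, internal port is the
    port number. An https href with no explicit port is taken as 443
    (assumption: the scheme default).
    """
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unexpected scheme in href: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("href carries no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    # Drop query string and trailing slash, then make sure the href really
    # points at the status update service and not some other OData service.
    path = parts.path.rstrip("/")
    if path != SERVICE_PATH:
        raise ValueError(f"href path {path!r} is not the status update service")
    return {
        "internal_host": parts.hostname,   # no protocol, per the blog
        "internal_port": port,
        "url_path": SERVICE_PATH,           # resource path for the mapping
        "protocol": "HTTPS",
    }


def destination_url(virtual_host: str, virtual_port: int) -> str:
    """Build the URL for the IAGProvisionStatusUpdate destination.

    The destination addresses the virtual host/port of the mapping, never
    the real internal host, so the on-premise host name stays masked.
    """
    if "://" in virtual_host or "/" in virtual_host:
        raise ValueError("virtual host must be a bare host name")
    return f"http://{virtual_host}:{virtual_port}{SERVICE_PATH}"


def mapping_and_destination(href: str, virtual_host: str, virtual_port: int) -> dict:
    """Combine both steps; refuse a virtual host that repeats the real one."""
    mapping = internal_system(href)
    if virtual_host == mapping["internal_host"]:
        raise ValueError("virtual host must differ from the internal host")
    mapping["virtual_host"] = virtual_host
    mapping["virtual_port"] = virtual_port
    mapping["destination_url"] = destination_url(virtual_host, virtual_port)
    return mapping


if __name__ == "__main__":
    # "grcvirt" is a constructed virtual host name.
    for key, value in mapping_and_destination(SAMPLE_HREF, "grcvirt", 44300).items():
        print(f"{key:16} {value}")
```

The path check matters because the Cloud Connector resource entry is an allow-list: only the exact service path in the mapping is reachable from the cloud side, so a destination built from the wrong href would fail the availability check rather than silently expose another service.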

Create an RFC user with the following authorization objects:

  Object       Authorization Fields
  S_RFC        ACTVT = 16
               RFC_NAME = GRAC_IAG_INTEGRATION and RFC_METADATA
               RFC_TYPE = FUGR and FUNC
  GRAC_ROLED   GRAC_ACTRD = 03, all other fields = *
  S_SERVICE    IAG_PROVISION_STATUS_UPDATE_SRV_0001 OData service (IWSV and IWSG)
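An RFC call from IAG into GRC AC has to pass two independent allow-lists: the Cloud Connector resources from section 1 (prefix or exact-name policy) and the RFC user's S_RFC authorization from the table above. The added example below (written for this post, not code from the blog author or from SAP) models both checks in order and reports where a call stops. The sample calls, the function-group names and the outcome labels are constructed for illustration; whether S_RFC is satisfied by the function name (RFC_TYPE FUNC) or by its function group (RFC_TYPE FUGR) is modelled as either one matching, which is an assumption of the example.

```python
"""
Two-layer allow-list model for RFC calls from IAG into GRC AC
(added example, not from the blog).
"""
from dataclasses import dataclass

# Cloud Connector "Resources Accessible On" entries from section 1.
CLOUD_CONNECTOR_RESOURCES = [
    ("SIAG", "Prefix"),
    ("RFC_READ_TABLE", "Exact name"),
    ("GRAC_IAG", "Prefix"),
]

# S_RFC values for the RFC user, from the authorization table above.
S_RFC = {
    "ACTVT": {"16"},                                   # 16 = Execute
    "RFC_TYPE": {"FUGR", "FUNC"},
    "RFC_NAME": {"GRAC_IAG_INTEGRATION", "RFC_METADATA"},
}


@dataclass(frozen=True)
class RfcCall:
    function: str         # function module the caller invokes
    function_group: str   # function group the module belongs to
    activity: str = "16"  # S_RFC ACTVT requested


def cloud_connector_allows(function: str) -> bool:
    """Apply the Cloud Connector resource policy to the function name.

    'Exact name' matches only that function; 'Prefix' matches any function
    whose name starts with the entry. Anything else is blocked before it
    ever reaches the ABAP system.
    """
    for name, policy in CLOUD_CONNECTOR_RESOURCES:
        if policy == "Exact name" and function == name:
            return True
        if policy == "Prefix" and function.startswith(name):
            return True
    return False


def s_rfc_allows(call: RfcCall) -> bool:
    """Model the S_RFC check in the ABAP system for this RFC user.

    ACTVT must match; then either the function (RFC_TYPE FUNC) or its
    function group (RFC_TYPE FUGR) must appear in RFC_NAME (assumption).
    """
    if call.activity not in S_RFC["ACTVT"]:
        return False
    if "FUNC" in S_RFC["RFC_TYPE"] and call.function in S_RFC["RFC_NAME"]:
        return True
    if "FUGR" in S_RFC["RFC_TYPE"] and call.function_group in S_RFC["RFC_NAME"]:
        return True
    return False


def evaluate(call: RfcCall) -> str:
    """Return where the call stops: 'blocked_by_cloud_connector',
    'denied_by_s_rfc' or 'allowed'."""
    if not cloud_connector_allows(call.function):
        return "blocked_by_cloud_connector"
    if not s_rfc_allows(call):
        return "denied_by_s_rfc"
    return "allowed"


# Constructed sample calls. Apart from RFC_READ_TABLE, the function names
# and all function-group names are placeholders, not real GRC modules.
SAMPLE_CALLS = [
    RfcCall("GRAC_IAG_SYNC_EXAMPLE", "GRAC_IAG_INTEGRATION"),  # passes both
    RfcCall("RFC_READ_TABLE", "EXAMPLE_GROUP"),             # CC ok, S_RFC denies
    RfcCall("RFC_READ_TABLE_EXT", "EXAMPLE_GROUP"),         # exact-name policy blocks
    RfcCall("RFC_EXAMPLE_META", "RFC_METADATA"),            # S_RFC ok, CC blocks
]

if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        print(f"{call.function:24} -> {evaluate(call)}")
```

The second and fourth sample calls show why both layers need reviewing together: a function the Cloud Connector lets through is still useless to IAG unless the RFC user's S_RFC names it or its group, and a function group the RFC user may call is unreachable unless the Cloud Connector resource list covers the function name. Keeping RFC_READ_TABLE on an exact-name entry rather than a prefix keeps that resource from matching anything beyond the one module the integration needs.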

10. Sync Repository Data from IAG to GRC AC

Log in to GRC AC > SPRO > Governance, Risks and Compliance > Synchronization Jobs and run the Repository Object Sync.

  1. In Select Sync Job, select all three jobs.
  2. In Select Connector and Sync Mode, select the connector created for the cloud application.
  3. In Advanced Options, select IAG Import.

11. Sync Access Control Data to IAG

Log in to the IAG system > Job Scheduler and run the jobs below in this order:

  1. Access Control Risk Definition
  2. Mitigation Control Transfer
  3. Repository Sync

Now you can use the GRC AC system to raise requests for cloud applications.

Conclusion

These steps complete the integration of SAP Access Control 12.0 (on-premise) with SAP Cloud Identity Access Governance as a bridge for creating access requests and performing risk analysis for cloud applications. Please check help.sap.com for SAP Cloud Identity Access Governance for more detailed documentation on how to integrate GRC with IAG.

References

IAG Bridge Scenario: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/fb46...

Maintain Cloud Connector: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/7203...

IAG_SOD_AUTH error: https://me.sap.com/notes/0003279498