Technology Blogs by SAP
GerganaTsakova
Product and Topic Expert
If your company has complex IT infrastructure and runs both cloud-based and on-premise applications, you might need a component to bring these two “worlds” together. You need a reliable identity and access management solution that can properly handle the relevant identities and their authorizations between all products.

If you use SAP Identity Management (IDM) as an on-premise system, you are at the right place.

The following step-by-step hybrid scenario demonstrates how you can load users from a non-SAP cloud system (Microsoft Azure Active Directory) into an SAP on-premise one (SAP Identity Management). You can then manually create new users in IDM, assign them privileges and groups, and provision them back to Azure AD. This way, you can manage your Azure AD users by working only within your IDM system.

Sounds interesting? Let’s go then!

This proxy solution is provided by Identity Provisioning, a service that belongs to SAP Cloud Identity Services.


 

Prerequisites



  • You have SAP Identity Management 8.0 SP05 or higher.

  • You have a standalone or bundle productive version of SAP Cloud Identity Services - Identity Provisioning, and have administration rights for your subaccount/tenant.

  • You have access to the proxy systems in the Identity Provisioning admin console. If you don't see the Proxy Systems tile, create an incident for component BC-IAM-IPS to request it.

  • You have credentials for Microsoft Azure Portal, and your user has the directory role Global administrator.


Now, let’s dive into the hybrid scenario!

 

I. Register an OAuth client and subscribe for the IPS proxy application 


Go to the SAP BTP cockpit: https://account.hana.ondemand.com/cockpit

If your region is not in Europe, configure your URL accordingly. See: Regions and Hosts

  1. Navigate to Security → OAuth.

  2. Choose Clients → Register New Client.

  3. From the Subscription combo box, select <provider_subaccount>/ipsproxy. For example: a3a5c3a5c/ipsproxy

  4. From the Authorization Grant combo box, select Client Credentials.

  5. In the Secret field, enter a password (client secret). Note: Remember this OAuth secret as you’ll need it later, for the repository configuration in SAP Identity Management!

  6. Copy/paste and save (in a notepad) the generated Client ID. You’ll need that later, too.





  1. From the left-side navigation, choose Applications → Subscriptions.

  2. Under the Java Applications section, choose ipsproxy.





  1. From the left-side navigation, choose Roles.

  2. You have to assign the newly created OAuth client to your IPS_PROXY_USER role. Choose Assign and enter oauth_client_<client_ID>, where <client_ID> is the one from step 6.





  1. Go back to your subaccount.

  2. Navigate to Services → Identity Provisioning.

  3. Choose Go to Service. That opens the Identity Provisioning user interface.


 

II. Configure the proxy system in the Identity Provisioning UI



  1. The Identity Provisioning admin console is open.

  2. Choose Proxy Systems, and then +Add.

  3. From the Type dropdown, select Microsoft Azure Active Directory.





  1. Enter a name for your Azure AD system. NOTE: If you want to export the system in CSV format and import it later in IDM as a SCIM repository, the system name must be no longer than 6 characters, and should contain only capital letters and underscores (_). For our scenario, we’ll use this export/import functionality, thus we’ll name the system AZURE1.

  2. Open the Properties tab and configure the connection settings as follows:

Type
Enter: HTTP

URL
Enter: https://graph.microsoft.com

ProxyType
Enter: Internet

Authentication
Enter: BasicAuthentication

User
Enter the application ID registered in your Azure AD subscription (see the Prerequisites section at the beginning of this blog post).

Password
Enter the secret key associated with your app registration.

aad.domain.name
Enter a verified domain name from the corresponding Azure AD tenant. On this domain, you will perform the provisioning operations. To learn more, see Microsoft: Manage domain names.

OAuth2TokenServiceURL
Enter: https://login.microsoftonline.com/{your_domain}/oauth2/token
where {your_domain} is the one you have set in property aad.domain.name.

oauth.resource.name
Enter: https://graph.microsoft.com

ips.trace.failed.entity.content
Enter: false

aad.group.member.attributes
(Optional property)
It defines the attributes of a group member to be read by the Identity Provisioning. By default, it always reads the type and the id of a member.
If you prefer the Identity Provisioning to read additional attributes, you can add them as a single or a comma-separated value. For example:

  • If you want to read the e-mails too, enter:

     aad.group.member.attributes=mail

This will read a member's type, ID and e-mail.

  • If you want to read multiple additional attributes, enter:

     aad.group.member.attributes=mail,mobilePhone,displayName

This will read a member's type, ID, e-mail, phone and display name.


  1. Save your changes.

  2. Configure the transformations, if needed.

  3. Now, export your newly created proxy system: choose Export and select the CSV format.
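As an added check before you export (this script is not part of the blog post or of the Identity Provisioning service), the following Python code validates a proxy-system property set against the values listed in this section, resolves the token URL the settings describe, and lists the group member attributes the optional property yields. The property values are constructed; the application ID and secret are placeholders, and accepting digits in the system name is an assumption drawn from the post's own AZURE1 example.

```python
import re
import urllib.parse
# Constructed sample of the AZURE1 proxy-system properties from section II.
# User/Password are placeholders, not real Azure AD credentials.
SAMPLE_PROPERTIES = {
    "Type": "HTTP",
    "URL": "https://graph.microsoft.com",
    "ProxyType": "Internet",
    "Authentication": "BasicAuthentication",
    "User": "<azure_application_id>",
    "Password": "<azure_client_secret>",
    "aad.domain.name": "example.onmicrosoft.com",
    "OAuth2TokenServiceURL": "https://login.microsoftonline.com/{your_domain}/oauth2/token",
    "oauth.resource.name": "https://graph.microsoft.com",
    "ips.trace.failed.entity.content": "false",
    "aad.group.member.attributes": "mail,mobilePhone,displayName",
}
# Values the post fixes for an Azure AD proxy system; the rest are tenant specific.
EXPECTED_FIXED = {k: SAMPLE_PROPERTIES[k] for k in (
    "Type", "URL", "ProxyType", "Authentication",
    "oauth.resource.name", "ips.trace.failed.entity.content")}

def valid_system_name(name):
    # Post's rule: at most 6 characters, capital letters and underscores. Its own
    # example AZURE1 contains a digit, so digits are accepted here too (assumption).
    return re.fullmatch(r"[A-Z0-9_]{1,6}", name) is not None

def check_properties(props):
    """Return a list of problems; an empty list means the set matches the post."""
    problems = [f"{k} should be {v!r}, got {props.get(k)!r}"
                for k, v in EXPECTED_FIXED.items() if props.get(k) != v]
    problems += [f"{k} is required" for k in ("User", "Password", "aad.domain.name")
                 if not props.get(k)]
    if not props.get("OAuth2TokenServiceURL", "").startswith("https://login.microsoftonline.com/"):
        problems.append("OAuth2TokenServiceURL must point at login.microsoftonline.com")
    return problems

def token_request(props):
    """Build (url, form body) of the client-credentials token call these settings describe,
    resolving {your_domain} from aad.domain.name. Nothing is sent."""
    url = props["OAuth2TokenServiceURL"].replace("{your_domain}", props["aad.domain.name"])
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": props["User"],
                                   "client_secret": props["Password"], "resource": props["oauth.resource.name"]})
    return url, body

def member_attributes(props):
    """Attributes read per group member: type and id always, plus the optional extras."""
    extra = props.get("aad.group.member.attributes", "")
    return ["type", "id"] + [a.strip() for a in extra.split(",") if a.strip()]
```

Run check_properties on the values you are about to save; a non-empty result points at a property the SCIM repository in IDM will later fail on.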


 

III. Import the proxy system in IDM as a SCIM repository and load the Azure AD users



  1. Log on to your SAP Identity Management system.

  2. Open the System Configuration tab in the Administration UI and choose Import.

  3. Import the AZURE1.csv file as a SCIM repository.

  4. Manually add your AUTH_USER and AUTH_PASSWORD. (AUTH_USER is the Client ID from procedure I, step 6; AUTH_PASSWORD is the client secret from step 5.)

  5. Save your changes.

  6. Open the Jobs tab and choose Run Now to start an initial load.


Once you run the SCIM - Initial Load job, the SCIM connector loads the Azure AD users to IDM, according to the mapping between the two systems.

 

IV. Create a new user in IDM and provision it to Azure AD



  1. In the SAP Identity Management UI, select the Manage tab.

  2. The search filter Show: Person is selected by default. If you choose Go, the table will display all existing users, including the ones loaded from your Azure AD system.


If you want to view only the Azure AD users, change the filter to Show: Privilege, enter PRIV:AZURE1:ONLY and choose Go. This privilege is automatically assigned to all Azure AD users in IDM.




  1. To create a new Azure AD user in IDM, click Create.

    • Choose Identity → Create Identity →  Choose Task.

    • In the Create Identity UI, enter the required data for the new Azure AD user.

    • Click Save.







  1. Go back to the Manage tab and search for your new user.

  2. Select the user and click Choose Task.

  3. Select Identity → Assign Privileges, Roles and Groups → Choose Task.





  1. In the Assigned Roles and Privileges tab, search for PRIV:AZURE1:ONLY.

  2. Select it and choose Add.

  3. Specify the validity of the direct assignment and choose Add again.

  4. In the Assigned Groups tab, search for an existing Azure AD group.

  5. Select it and choose Add.

  6. Save your changes.


The new user is successfully created, and a new job automatically starts. It will provision this user to your Azure AD. You can check the job status in SAP IDM Developer Studio → Job Log.

 

V. Check your User in Azure AD



  1. Log on to Microsoft Azure Active Directory with your account.

  2. Go to Azure Active Directory → Users and Groups → All users.

  3. You should see the newly created user in the list.

  4. Select the user to check its details, as well as its group membership.


This way you can create, update or delete as many users as you need.

 

Future Identity Lifecycle


If you later make changes in Azure AD (e.g. add new users, update or delete existing ones), you need to run a new Initial Load job in IDM for these changes to be reflected in IDM.

 

Now, you try it out! : )

 