SAP Cloud Identity Services: Managing Digital Identities

Managing digital identities is crucial for businesses in a hybrid and cloud-driven world. This is where SAP Cloud Identity Services come into play, offering robust identity and access management (IAM) capabilities as part of the SAP Business Technology Platform (BTP).

There are three main components of the SAP Cloud Identity Services: the Identity Authentication Service (IAS), the Identity Directory (IdDS), and the Identity Provisioning Service (IPS).

This is an introduction to the latest ebook, “SAP Cloud Identity Services - Overview, Best Practices, and Typical Use Cases”, by Xiting.

SAP Cloud Identity Services - Overview, Best Practices, and Typical Use Cases.

Identity Authentication Service (IAS)

IAS serves as the central identity provider for all SAP applications, using the Security Assertion Markup Language (SAML) 2.0 and OpenID Connect standards to ensure secure and efficient authentication. IAS acts as a mediator, integrating with a company's existing SAML identity provider to authenticate users for all SAP applications. This enables single sign-on (SSO) across various SAP applications, thereby simplifying user access.

Identity Directory (IdDS)

Acting as a central user database, IdDS holds user and group information, streamlining the user lifecycle process. It generates crucial attributes like the SAP Global User ID, used for accessing SAP cloud applications. This centralized user identity can be enriched with attributes from other systems, simplifying access to the entire SAP cloud ecosystem. The data in the IdDS is easily accessible via its SCIM 2.0 REST API and the IAS user interface.

Identity Provisioning Service (IPS)

The IPS automates the provisioning of users, groups, and permissions for various SAP cloud solutions. IPS uses the System for Cross-Domain Identity Management (SCIM) to provide and keep identities up to date in SAP cloud applications. By storing all user information in a central location, the IPS can efficiently manage the provisioning and de-provisioning of users across multiple SAP applications.

In the context of the hiring process, SAP IPS works in conjunction with an HCM system and the Identity Directory. Data from the HCM system is consolidated in the Identity Directory, and the IPS manages the provisioning of these identities to the appropriate SAP applications.
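The joiner and leaver flow described above can be pictured as a reconciliation between the HCM export and the users already present in a SCIM target. The following is an added example, not SAP's or the author's code: it uses only the standard SCIM 2.0 schema URNs from RFC 7643/7644, the HCM field names and all sample records are constructed, and it builds the requests without sending them.

```python
# Added example: plan SCIM 2.0 (RFC 7643/7644) requests from an HCM export.
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample data; the HCM field names are hypothetical.
HCM_EMPLOYEES = [
    {"employee_id": "1001", "email": "ada@example.com", "given": "Ada", "family": "Lovelace"},
    {"employee_id": "1002", "email": "alan@example.com", "given": "Alan", "family": "Turing"},
]
# Constructed SCIM User resources, shaped like the Resources of a GET /Users response.
TARGET_USERS = [
    {"id": "a1", "externalId": "1002", "userName": "alan@example.com", "active": True},
    {"id": "b2", "externalId": "0999", "userName": "grace@example.com", "active": True},
    {"id": "c3", "externalId": "0998", "userName": "old@example.com", "active": False},
    {"id": "d4", "userName": "svc-backup", "active": True},  # no externalId
]

def set_active(user_id, value):
    """SCIM PatchOp that flips only the 'active' attribute of one user."""
    body = {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": value}]}
    return ("PATCH", f"/Users/{user_id}", body)

def plan_provisioning(source, target):
    """Return (requests, unmanaged_ids) that align the target with the source."""
    by_ext = {u["externalId"]: u for u in target if u.get("externalId")}
    wanted = {e["employee_id"] for e in source}
    requests = []
    for emp in source:
        user = by_ext.get(emp["employee_id"])
        if user is None:  # joiner: create the account
            requests.append(("POST", "/Users", {
                "schemas": [SCIM_USER], "externalId": emp["employee_id"],
                "userName": emp["email"], "active": True,
                "name": {"givenName": emp["given"], "familyName": emp["family"]},
                "emails": [{"value": emp["email"], "primary": True}]}))
        elif not user.get("active", True):  # rehire: reactivate, keep the same id
            requests.append(set_active(user["id"], True))
    for ext_id, user in by_ext.items():
        if ext_id not in wanted and user.get("active", True):  # leaver: disable
            requests.append(set_active(user["id"], False))
    # Accounts with no externalId cannot be matched to the source; report them
    # for review instead of disabling them (service or break-glass accounts).
    unmanaged = [u["id"] for u in target if not u.get("externalId")]
    return requests, unmanaged

if __name__ == "__main__":
    for req in plan_provisioning(HCM_EMPLOYEES, TARGET_USERS)[0]:
        print(req[0], req[1])
```

Leavers are deactivated rather than deleted so the account and its audit trail remain available, and a returning employee is reactivated under the same SCIM id.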

For companies with existing Identity Management Systems (IDM), SAP IPS can integrate with the system and serve as a centralized SCIM interface. This simplifies the identity management process and increases the flexibility of IAM operations.

Key Recommendations

  • Consolidate identities to central SAP Cloud Identity Services tenants.
  • Integrate leading source systems via SAP IPS to the Identity Directory.
  • Automate SCIM-based provisioning and management of identities with SAP IPS.
  • Integrate your existing IDM solution with SAP Cloud Identity Services (SCI) for a hybrid IAM scenario.
  • Centralize trust management across SAML service providers with IAS tenants.
  • Simplify SAML Name ID and claims management for all SAP applications.
  • Delegate and centralize authentication to your corporate identity provider and use identity federation.
  • Leverage existing security features and policies, including single sign-on and multi-factor authentication.

The growing importance of identity and access management in hybrid SAP environments makes expertise in this area increasingly valuable. Companies like Xiting offer specialized IAM services, including automated identity lifecycle management, single sign-on convenience, and compliance with authorization policies.

Learn more about the SAP Cloud Identity Services in this free ebook.

Thanks a lot for sharing Alessandro!
