What is IAS/IPS, and what is the relationship between SAP Business Technology Platform (SAP BTP)?

What is IAS/IPS?

The Identity Authentication Service provides you with controlled cloud-based access to business processes, applications, and data. It simplifies your user experience through authentication mechanisms, single sign-on, on-premise integration, and convenient self-service options. Here are some features of IAS,

• Authentication and SSO - choose one of the supported authentication methods to control access to your application, like Form, SPNEGO, Social, or two-factor authentication. Use SAML 2.0 protocol to provide single sign-on. Integrate your application programmatically using authentication via API.
• Configure Risk-Based Authentication - help enforce two-factor authentication based on IP ranges, user groups, user types, or authentication methods to manage access to a business application.
• Delegate Authentication - delegate authentication to a 3rd party or on-premise IdP, as default or based on a condition like IdP, e-mail domain, user type, or user group, and thus enable SSO across on-premise and the cloud.
• Use API - use SCIM REST API to manage users and groups, invite users, and customize end-user UI texts in any language.

So in general it provides a stand-alone, harmonized, and central point to connect within SAP Solutions e.g. SAP Successfactors, SAP Business Technology Platform, and also can stand as a proxy for third-party corporate identity providers e.g. Microsoft Azure Active Directory. You can also set up conditional rules for user logins e.g. employees using Corporate Identity Provider A, customers using Corporate Identity Provider B, and partners using Corporate Identity Provider C, depending on their email address domains, user groups, or even IP range. As a simple example where IAS serves as the corporate identity provider, I logon SAP Integration Suite located on my SAP BTP trial account and you can see there are two "sign in with" options. The second one is the default one, which you will ususally use even you are not aware of IAS at all after you got your SAP BTP account. The first one is an additional custom identity provider provided via my IAS tenant.

It's common in real world Microsoft Azure Active Directory serves as the custom corporate provider. In such a case, there is a very nice video illustrating the step-by-step tutorial. I successfully established the trust between Microsoft Azure Active Directory and my SAP BTP trial account using my IAS tenant as a proxy. Usually, the IAS tenant address follows the URL pattern like https://best-run.accounts.ondemand.com/admin. And here is what a typical IAS tenant looks like for its homepage when you log into it,

Identity Provisioning Service manages identity lifecycle processes for cloud and on-premise systems.The Identity Provisioning service automates identity lifecycle processes. It helps you provision identities and their authorizations to various cloud and on-premise business applications.

Here are some features for IPS,

• User and Group Provisioning - Provision users and groups between multiple supported cloud and on-premise systems, both SAP and non-SAP.
• User and Group Filtering - Configure default transformations or filtering properties to control what data to be provisioned and what to be skipped.
• Full and Delta Read Mode - Run a provisioning job in full mode to read all entities from a source system, or in delta read mode - to read only the modified data.
• Job Logging - View and export job logs from the Identity Provisioning administration console. Logs display details about the job status and the provisioned entities.
• Notifications - Subscribe to a source system to receive notifications for the status of provisioning jobs.

How to provision users from Microsoft Azure Active Directory as the source system to SAP ABAP on-premise as the target system, using IPS. Another example: If a company with an HR-driven identity policy uses SAP SuccessFactors, they would like every new employee created in SAP SuccessFactors to automatically have a user in Identity Authentication, so they can access SAP S/4HANA cloud. Since IAS and IPS are bundled together as SAP Cloud Identity Service, you can just directly add "/ips" to your IAS tenant URL?e.g.https://bestrun.accounts.ondemand.com/ips. And here is what a typical IPS tenant looks like for a homepage when you log into it,

As a summary, here is a overall picture showing SAP Cloud Identity Service.

Where IAS/IPS are both used to configure SAP BTP's another service called SAP Work Zone.

Why will I use it?

I know there are already sigle sign-on options directly to SAP S/4 HANA private version within Rise with SAP, without IAS/IPS. Please check this blog post for more details. It's fine if your company only interacts with this single S/4 HANA private version without IAS/IPS. However, SAP’s strategy is to deliver its cloud solutions pre-configured with Identity Authentication. This also means that you can authenticate against these SAP cloud solutions only via Identity Authentication service. So, if you have other SAP cloud solutions such as SAP Successfactors, SAP S/4 HANA public cloud, SAP Integrated Business Planning (IBP), etc then IAS/IPS is essential for you to have a seemless and secure access to such SAP cloud applications.But you can still use 3rd-party identity provider via IAS as a proxy. You can easily configure it centrally against IAS. The advantage is SAP can deliver preconfigured applications, which is required by most customers – and you can still integrate your 3rdparty solution. Another benefit is there’s only one integration point into the SAP security cloud world.OK, after talking so much about what is IAS/IPS, how can I get a such tenant?

Where is my IAS/IPS tenant?

We know that Rise with SAP contains essential components as following,

• SAP S/4 HANA with Deployment Model of Choice (Public or Private)
• SAP Business Network
• SAP Business Process Intelligence
• SAP Custom Code Migration App, SAP Readiness Check, SAP Learning Hub
• SAP Business Technology Platform

and where is IAS/IPS?The answer is IAS/IPS is now a free service within SAP BTP and you need to create one.?But please notice here, that you may already purchase other SAP solutions e.g. SAP SuccessFactors and it may also trigger IAS/IPS tenant so you don't need to manually create within SAP BTP. BecauseIdentity Authentication provides one productive tenant and one test tenant per customer, regardless of the number of contracts signed in whichIdentity Authentication is included or bundled. But if customers want to achieve an "additional" tenant out of whatever the reason e.g. out of legal compliance, they have to pay for it. Additional productive or test tenants beyond the initial ones must be purchased separately. To purchase additional tenants, go to?the SAP Store and place your order. If you can't place your order, submit a?Request Support ticket. This official help document gives a very clear description of the tenant model and there you can see the IAS/IPS tenant comes either from SAP BTP or from SAP cloud solutions as a bundled component. This"Is SAP Cloud Identity Services for free?" also explains well on the topic. But how can I know I already have one? There is a magic link you can use herehttps://iamtenants.accounts.cloud.sap/. You need to authenticate with your S user ID (using SAP ID Service), and after successful authentication, it brings you the list to show the SAP Cloud Identity Servicestenants belonging to your customer ID. There you can also find out which tenant is a production one and who is admin for the IAS/IPS tenant. Please refer to this blog post for more details. If you cannot find any, then you have to create one within SAP BTP as mentioned in the beginning. The process is also quite easy and you can follow this blog post. I suggest you start with the section "Assignments and Entitlements".You will finally get an IAS/IPS tenant free to use.

How do I make use of IAS/IPS?

I believe if you already go through the blog posts I listed in previous section, you may already get a draft idea of how to make use of IAS/IPS. For more details usage, e.g. how to customize the logo for the login page, how to configure the email template, how to configure terms of use, how to provision users, etc. You can find all these details in SAP help documents,

• Identity Authentication Help Documents
• Identity Provisioning Help Documents

Summary

As mentioned, there are lots of blog posts written by experts from the SAP security team and I just read through some of them and posted the information that I belive useful for Rise with SAP customers. Now let's recap the key takeaways.

• SAP’s strategy is to deliver its cloud solutions pre-configured with identity authentication and IAS/IPS is?the strategic central point for authentication?for any SAP cloud application.
• You can easily embed third-party identity providers e.g. Azue ADFS into IAS which stands for a proxy
• You can either get the free IAS/IPS tenants one for productive and one for test, either as a bundled component from SAP cloud solution e.g. SAP SuccessFactors, or from SAP BTP as a self service.