Follow this procedure to set up SAP Cloud Identity Service – Identity Authentication as a proxy system.
To establish the connection between Identity Provisioning and Identity Authentication, you need to set up the technical user (of type System) in Identity Authentication and assign this user the necessary authorizations. You have the option to do it either now, as a prerequisite, or while configuring Identity Authentication as a proxy system, as described in step 5.
Administrators of bundle tenants on Neo environment should enable the Manage OAuth Clients permission, as described in Neo Environment section in Manage Authorizations
↗️ .
Identity Authentication provides authentication and single sign-on for users in the cloud.
You can use the Identity Provisioning user interface (UI) to configure Identity Authentication as a proxy system for hybrid integration, where Identity Authentication is connected to an external identity management system for user and group provisioning. Using the Identity Provisioning you can read corporate users from the external system and provision them to the Identity Authentication user store (and the other way around) without making a direct connection between these systems. This way, you can implement secure authentication, single sign-on (SSO), strong authentication, and mobile SSO so that the provisioned users to Identity Authentication have access to the business applications of your company.
The proxy systems consume SCIM 2.0 API which is provided by Identity Authentication.
There are two versions of the Identity Authentication SCIM API. They are handled by the ias.api.version property as follows:
-
When the value is set to
1or the property is not defined (typical for systems created before versioning was introduced on July 9, 2021) - Identity Authentication SCIM API (in short, SCIM API version 1) is used.For more information on how to update to version 2, see Update Connector Version
-
When the value is set to
2- Identity Directory SCIM API (in short, SCIM API version 2) is used. This value is set automatically for all manually created systems in the Identity Provisioning UI after versioning was introduced on July 9, 2021.
SCIM API version 2 is enhanced to support patch operations for proxy systems only, paging for group members and user’s groups, custom attributes, delta read mode for users. Also, the group resource mapping in the transformation is not ignored by default, as it is in SCIM API version 1.
To create Identity Authentication as a proxy system, proceed as follows:
-
Open your subaccount in SAP BTP cockpit (valid for OAuth authentication to the Identity Provisioning proxy system).
If you have a bundle tenant, then in the cockpit → Neo → Overview, you can see the Global account, which SAP provides for your bundle in the corresponding Identity Provisioning region. Then, in the global account, you can see your subaccount, where the Identity Provisioning is enabled as a service for the bundle. The display name of the subaccount starts with SAP_BUNDLE.
-
Sign in to the administration console of SAP Cloud Identity Services and navigate to Users & Authorizations > Administrators.
-
Create a technical user with the necessary authorizations. It will later be used by the external consumer to connect to Identity Provisioning.
-
For Certificate-based authentication, follow the procedure in Manage Certificates for Inbound Connection → SAP BTP, Neo Environment
-
For OAuth authentication, proceed as follows:
-
Go to Security > OAuth > Clients and choose Register New Client.
-
From the Subscription combo box, select <provider_subaccount>/ipsproxy.
-
From the Authorization Grant combo box, select Client Credentials.
-
In the Secret field, enter a password (client secret) and remember it. You will need it later, for the repository configuration in the external system.
-
Copy/paste and save (in a notepad) the generated Client ID. You will need it later, too.
-
From the left-side navigation, choose Subscriptions > Java Applications > ipsproxy .
-
From the left-side navigation, choose Roles > IPS_PROXY_USER.
-
Choose Assign and enter oauth_client_<client_ID>.
For <client_ID>, enter the one you have saved in the previous main step.
-
-
For Certificate-based authentication, upload the certificate for the technical user of type System, as described in Add System as Administrator and enable the Access Proxy System API permission.
-
For Basic authentication, proceed as follows:
-
Add an administrator user of type System and configure the basic authentication method for this user.
If you already have a technical user, skip this step.
-
Save your changes.
-
Select your administrator user of type System and enable the Access Proxy System API permission.
-
Save your changes.
-
-
-
Access the Identity Provisioning UI.
-
Navigate to Identity Provisioning > Proxy Systems.
-
Add Identity Authentication as a proxy system. For more information, see Add New Systems.
-
Set up the communication between Identity Provisioning and Identity Authentication and configure your authentication method (basic or certificate-based).
We recommend that you use certificate-based authentication.
-
In your newly added Identity Authentication proxy system, select the Certificate tab and choose Generate > Download, as described in Manage Certificates.
Skip step a. if you want to use basic authentication.
In SAP Cloud Identity Services administration console, perform the next steps. They are relevant for both basic and certificate-based authentication.
-
Add System as administrator and provide the respective credentials.
For basic authentication, provide a password. The user ID will be generated automatically when you set the password for the first time.
For certificate-based authentication, upload the certificate you have generated in SAP Cloud Identity Services administration console on the previous step.
-
Save your changes.
-
Make sure Manage Users and Manage Groups authorization roles are enabled for the technical user. This way, you can create, edit and delete users and groups in the Identity Authentication user store.
-
-
Choose the Properties tab to configure the connection settings for your system.
If your tenant is running on SAP BTP, Neo environment, you can create a connectivity destination in your subaccount in the SAP BTP cockpit, and then select it from the Destination Name combo box in your Identity Provisioning User Interface.
If one and the same property exists both in the cockpit and in the Properties tab, the value set in the Properties tab is considered with higher priority.
We recommend that you use the Properties tab. Use a connectivity destination only if you need to reuse one and the same configuration for multiple provisioning systems.
Mandatory Properties
Property Name
Description & Value
TypeEnter: HTTP
URLSpecify the URL of the Identity Authentication tenant of your company.
For example: https://mytenant.accounts.ondemand.com
If your Identity Authentication Shanghai (China) tenants reside on SAP BTP, Neo environment, you should use the following URL pattern: https://<tenant_ID>.accounts.sapcloud.cn/
ProxyTypeEnter: Internet
The Identity Authentication is a cloud solution and is outside of your company on-premise infrastructure.
AuthenticationEnter your authentication method:
-
BasicAuthentication
-
ClientCertificateAuthentication
UserValid if BasicAuthentication is configured as authentication method.
Enter the Client ID (previously User ID) of the Identity Authentication technical user. It is generated automatically for the administrator of type system, when choosing Secrets > Add > Save. For example: 1ab7c243-5de5-4530-8g14-1234h26373ab
If your technical user was created before January 2020, enter the T-user. For example: T000003
Password(Credential) Valid if BasicAuthentication is configured as authentication method.
Enter the Client Secret (previously Password) of the Identity Authentication technical user. It is generated automatically for the administrator of type system, when choosing Secrets > Add > Save.
Optional Properties
Property Name
Description & Value
-
ias.<property_name> -
scim.<property_name>
When using SCIM API version 2, property names start with
iasprefix, for example:ias.user.filter.When using SCIM API version 1, property names start with
scimprefix, for example:scim.user.filter.For more information, see List of Properties. Use the main search or filter properties by Name or System Type columns.
ias.user.filterWhen specified, only those users matching the filter expression will be read.
For example: name.familyName eq "Smith" and addresses.country eq "US"
This filter will read only users whose family name is "Smith" and are living in the United States.
For more information, see Identity Directory SCIM API: User Search.
ias.group.filterWhen specified, only those groups matching the filter expression will be read.
For example: displayName eq "ProjectTeam1"
This filter will read only groups, whose display name is "ProjectTeam1".
For more information, see Identity Directory SCIM API: Group Search.
The Identity Provisioning implementation of the Proxy System SCIM API (based on the SCIM Query) supports single entity and delta read filtering for users and groups. For more information, see Query Parameters for Proxy System SCIM API.
-
-
(Optional) Configure the transformations.
Transformations are used to map the user attributes from the data model of the source system to the data model of the target system, and the other way around. The Identity Provisioning offers a default transformation for the Identity Authentication proxy system, whose settings are displayed under the Transformations tab after saving its initial configuration.
You can change the default transformation mapping rules to reflect your current setup of entities in your Identity Authentication system. For more information, see: Manage Transformations
Identity Authentication: SCIM REST API Identity Authentication: SCIM REST API
SCIM API version 2: Identity Directory SCIM API
Default read and write transformations:
The proxy Read Transformation is used when the external client application (for example, SAP Identity Management) makes initial load. That is, executing GET requests to the resource endpoints (/Users or /Groups) to retrieve the corresponding entities of the particular type. The external client application can also execute GET requests to a single resource endpoint (querying a single resource is supported). In this case, the proxy system acts as a source one.
The proxy Write Transformation is used when the external application manages the entities in the proxy system – creates new entities, updates existing ones, or deletes existing ones. In this case, the proxy system acts as a target one.
However, after a Create or Update operation is performed on the proxy system, the Read Transformation is applied to the result, so that the created or updated entity is sent back to the external application. This behavior demonstrates that the proxy Read Transformation is used for write cases, as well.
Default transformations for SCIM API version 1:
Read Transformation
Write Transformation
{ "user": { "scimEntityEndpoint": "Users", "mappings": [ { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem", "targetPath": "$.id" }, { "sourceVariable": "entityBaseLocation", "targetVariable": "entityLocationSourceSystem", "targetPath": "$.meta.location", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] }, { "sourcePath": "$.userUuid", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']" }, { "sourcePath": "$.schemas", "preserveArrayWithSingleElement": true, "targetPath": "$.schemas" }, { "sourcePath": "$.userName", "targetPath": "$.userName", "optional": true, "correlationAttribute": true }, { "sourcePath": "$.emails[*].value", "preserveArrayWithSingleElement": true, "targetPath": "$.emails[?(@.value)]" }, { "sourcePath": "$.emails[0].value", "targetPath": "$.emails[0].value" }, { "sourcePath": "$.emails[?(@.primary== true)].value", "correlationAttribute": true }, { "sourcePath": "$.active", "targetPath": "$.active" }, { "sourcePath": "$.userType", "targetPath": "$.userType", "optional": true }, { "sourcePath": "$.name.givenName", "targetPath": "$.name.givenName", "optional": true }, { "sourcePath": "$.name.middleName", "targetPath": "$.name.middleName", "optional": true }, { "sourcePath": "$.name.familyName", "targetPath": "$.name.familyName", "optional": true }, { "sourcePath": "$.name.honorificPrefix", "targetPath": "$.name.honorificPrefix", "optional": true }, { "sourcePath": "$.addresses", "targetPath": "$.addresses", "preserveArrayWithSingleElement": true, "optional": true }, { "sourcePath": "$.locale", "targetPath": "$.locale", "optional": true }, { "sourcePath": "$.phoneNumbers", "targetPath": "$.phoneNumbers", "preserveArrayWithSingleElement": true, "optional": true }, { "sourcePath": "$.timeZone", "targetPath": "$.timezone", "optional": true }, { "sourcePath": "$.displayName", "targetPath": "$.displayName", "optional": true }, { "sourcePath": "$.sourceSystem", "targetPath": "$.sourceSystem", "ignore": true }, { "sourcePath": "$.groups", "targetPath": "$.groups", "preserveArrayWithSingleElement": true, "optional": true }, { "condition": "$.displayName EMPTY true", "type": "remove", "targetPath": "$.displayName" }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']", "optional": true }, { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']", "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']", "optional": true }, { "sourcePath": "$.company", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']", "optional": true } ] }, "group": { "scimEntityEndpoint": "Groups", "mappings": [ { "sourcePath": "$.id", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem" }, { "sourceVariable": "entityBaseLocation", "targetVariable": "entityLocationSourceSystem", "targetPath": "$.meta.location", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] }, { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" }, { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']", "targetPath": "$.displayName" }, { "optional": true, "preserveArrayWithSingleElement": true, "sourcePath": "$.members", "targetPath": "$.members" }, { "constant": "urn:sap:cloud:scim:schemas:extension:custom:2.0:Group", "targetPath": "$.schemas[1]" }, { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']", "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']" }, { "optional": true, "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']", "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']" } ] } }{ "user": { "scimEntityEndpoint": "Users", "condition": "($.emails.length() > 0) && ($.name.familyName EMPTY false)", "mappings": [ { "sourcePath": "$.groups", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.corporateGroups" }, { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" }, { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" }, { "constant": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", "targetPath": "$.schemas[1]" }, { "sourcePath": "$.userName", "targetPath": "$.userName", "optional": true }, { "sourcePath": "$.emails[*].value", "preserveArrayWithSingleElement": true, "targetPath": "$.emails[?(@.value)]" }, { "sourcePath": "$.userType", "targetPath": "$.userType", "defaultValue": "employee", "optional": true }, // The userType attribute accepts different values. The default one is employee. // If you set it to public, that means Identity Authentication is the default password store. See the Remember box below. { "sourcePath": "$.name.givenName", "targetPath": "$.name.givenName", "optional": true }, { "sourcePath": "$.name.middleName", "targetPath": "$.name.middleName", "optional": true }, { "sourcePath": "$.name.familyName", "targetPath": "$.name.familyName", "optional": true }, { "sourcePath": "$.name.honorificPrefix", "targetPath": "$.name.honorificPrefix", "optional": true }, // If a user address misses type, the putIfAbsent function sets the default address type – work. // If a user address has type but it's different than home or work, the putIfPresent function sets the default address type – work. // If a user address is of type home or work, the putIfPresent function keeps this value as is. { "sourcePath": "$.addresses", "targetPath": "$.addresses", "preserveArrayWithSingleElement": true, "defaultValue": [], "optional": true, "functions": [ { "function": "putIfAbsent", "key": "type", "defaultValue": "work" }, { "condition": "(@.type NIN ['work', 'home'])", "function": "putIfPresent", "key": "type", "defaultValue": "work" } ] }, { "sourcePath": "$.locale", "targetPath": "$.locale", "optional": true }, { "sourcePath": "$.phoneNumbers", "targetPath": "$.phoneNumbers", "preserveArrayWithSingleElement": true, "optional": true }, { "sourcePath": "$.displayName", "targetPath": "$.displayName", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']", "optional" : true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']", "optional" : true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']", "optional" : true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']", "optional" : true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']", "optional" : true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "optional" : true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']", "optional" : true }, { "sourcePath": "$.active", "targetPath": "$.active", "defaultValue": true, "optional": true }, { "constant": "false", "targetPath": "$.sendMail", "scope": "createEntity" }, { "constant": "true", "targetPath": "$.mailVerified", "scope": "createEntity" }, // There will be no initial password provided by default. That's why passwordStatus is disabled. { "constant": "disabled", "targetPath": "$.passwordStatus", "scope": "createEntity" }, // The sourceSystem attribute shows the provisioning source of the users. The supported value is 39. // That means, a corporate user is provisioned via the Identity Authentication REST API. See the Remember box below. { "constant": "39", "targetPath": "$.sourceSystem", "scope": "createEntity" }, { "sourcePath": "$.timezone", "targetPath": "$.timeZone", "optional": true } ] }, "group": { "scimEntityEndpoint": "Groups", "mappings": [ { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" }, { "sourcePath": "$.displayName", "targetPath": "$.displayName" }, { "scope": "createEntity", "sourcePath": "$.displayName", "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']", "functions": [ { "type": "replaceAllString", "regex": "[\\s\\p{Punct}]", "replacement": "_" } ] }, { "scope": "createEntity", "optional": true, "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']", "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']" }, { "optional": true, "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']", "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']" }, { "optional": true, "preserveArrayWithSingleElement": true, "sourcePath": "$.members", "targetPath": "$.members" } ] } }Default transformations for SCIM API version 2:
Read Transformation
Write Transformation
{ "user": { "scimEntityEndpoint": "Users", "mappings": [ { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem", "targetPath": "$.id" }, { "sourceVariable": "entityBaseLocation", "targetVariable": "entityLocationSourceSystem", "targetPath": "$.meta.location", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']" }, { "sourcePath": "$.schemas", "preserveArrayWithSingleElement": true, "targetPath": "$.schemas" }, { "sourcePath": "$.userName", "targetPath": "$.userName", "optional": true, "correlationAttribute": true }, { "sourcePath": "$.emails[*].value", "preserveArrayWithSingleElement": true, "targetPath": "$.emails[?(@.value)]" }, { "sourcePath": "$.emails[0].value", "targetPath": "$.emails[0].value" }, { "sourcePath": "$.emails[?(@.primary== true)].value", "correlationAttribute": true }, { "sourcePath": "$.active", "targetPath": "$.active" }, { "sourcePath": "$.userType", "targetPath": "$.userType", "optional": true }, { "sourcePath": "$.name.givenName", "targetPath": "$.name.givenName", "optional": true }, { "sourcePath": "$.name.middleName", "targetPath": "$.name.middleName", "optional": true }, { "sourcePath": "$.name.familyName", "targetPath": "$.name.familyName", "optional": true }, { "sourcePath": "$.name.honorificPrefix", "targetPath": "$.name.honorificPrefix", "optional": true }, { "sourcePath": "$.addresses", "targetPath": "$.addresses", "preserveArrayWithSingleElement": true, "optional": true }, { "sourcePath": "$.locale", "targetPath": "$.locale", "optional": true }, { "sourcePath": "$.phoneNumbers", "targetPath": "$.phoneNumbers", "preserveArrayWithSingleElement": true, "optional": true }, { "sourcePath": "$.timezone", "targetPath": "$.timezone", "optional": true }, { "sourcePath": "$.displayName", "targetPath": "$.displayName", "optional": true }, { "sourcePath": "$.sourceSystem", "targetPath": "$.sourceSystem", "ignore": true }, { "sourcePath": "$.groups", "targetPath": "$.groups", "preserveArrayWithSingleElement": true, "optional": true }, { "condition": "$.displayName EMPTY true", "type": "remove", "targetPath": "$.displayName" }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']", "optional": true }, { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']", "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']", "optional": true }, { "sourcePath": "$.company", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']", "optional": true } ] }, "group": { "scimEntityEndpoint": "Groups", "mappings": [ { "sourcePath": "$.id", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem" }, { "sourceVariable": "entityBaseLocation", "targetVariable": "entityLocationSourceSystem", "targetPath": "$.meta.location", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] }, { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']", "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']" }, { "sourcePath": "$.displayName", "targetPath": "$.displayName" }, { "sourcePath": "$.members", "targetPath": "$.members", "preserveArrayWithSingleElement": true, "optional": true }, { "sourcePath": "$.schemas", "preserveArrayWithSingleElement": true, "targetPath": "$.schemas" } ] } }{ "user": { "scimEntityEndpoint": "Users", "mappings": [ { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" }, { "constant": ["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User","urn:ietf:params:scim:schemas:extension:sap:2.0:User"], "targetPath": "$.schemas" }, { "sourcePath": "$.userName", "targetPath": "$.userName", "optional": true }, { "sourcePath": "$.emails[*].value", "preserveArrayWithSingleElement": true, "targetPath": "$.emails[?(@.value)]" }, { "sourcePath": "$.userType", "targetPath": "$.userType", "defaultValue": "employee", "optional": true }, { "sourcePath": "$.name.givenName", "targetPath": "$.name.givenName", "optional": true }, { "sourcePath": "$.name.middleName", "targetPath": "$.name.middleName", "optional": true }, { "sourcePath": "$.name.familyName", "targetPath": "$.name.familyName", "optional": true }, { "sourcePath": "$.name.honorificPrefix", "targetPath": "$.name.honorificPrefix", "optional": true }, { "sourcePath": "$.addresses", "targetPath": "$.addresses", "preserveArrayWithSingleElement": true, "defaultValue": [], "optional": true, "functions": [ { "function": "putIfAbsent", "key": "type", "defaultValue": "work" }, { "condition": "(@.type NIN ['work', 'home'])", "function": "putIfPresent", "key": "type", "defaultValue": "work" } ] }, { "sourcePath": "$.locale", "targetPath": "$.locale", "optional": true }, { "sourcePath": "$.phoneNumbers", "targetPath": "$.phoneNumbers", "preserveArrayWithSingleElement": true, "optional": true }, { "sourcePath": "$.displayName", "targetPath": "$.displayName", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['validFrom']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['validFrom']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['validTo']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['validTo']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']", "optional": true }, { "sourcePath": "$.active", "targetPath": "$.active", "defaultValue": true, "optional": true }, { "constant": false, "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['sendMail']", "scope": "createEntity" }, { "sourcePath": "$.emails", "preserveArrayWithSingleElement": true, "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['emails']", "scope": "createEntity", "functions": [ { "function": "putIfAbsent", "key": "verified", "defaultValue": true } ] }, { "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['emails'][*]['type']", "type": "remove" }, { "constant": "disabled", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['passwordDetails']['status']", "scope": "createEntity" }, { "constant": 39, "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['sourceSystem']", "scope": "createEntity" }, { "sourcePath": "$.timezone", "targetPath": "$.timezone", "optional": true }, { "sourcePath": "$.Operations", "targetPath": "$.Operations", "preserveArrayWithSingleElement": true, "scope": "patchEntity" }, { "sourcePath": "$.schemas", "targetPath": "$.schemas", "preserveArrayWithSingleElement": true, "scope": "patchEntity" } ] }, "group": { "scimEntityEndpoint": "Groups", "mappings": [ { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" }, { "sourcePath": "$.Operations", "targetPath": "$.Operations", "preserveArrayWithSingleElement": true, "scope": "patchEntity" }, { "sourcePath": "$.schemas", "targetPath": "$.schemas", "preserveArrayWithSingleElement": true, "scope": "patchEntity" }, { "constant": ["urn:ietf:params:scim:schemas:core:2.0:Group","urn:sap:cloud:scim:schemas:extension:custom:2.0:Group"], "targetPath": "$.schemas" }, { "sourcePath": "$.displayName", "targetPath": "$.displayName" }, { "sourcePath": "$.members", "targetPath": "$.members", "preserveArrayWithSingleElement": true, "optional": true }, { "sourcePath": "$.displayName", "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']", "scope": "createEntity", "functions": [ { "type": "replaceAllString", "regex": "[\\s\\p{Punct}]", "replacement": "_" } ] }, { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']", "optional": true, "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']", "scope": "createEntity" }, { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']", "optional": true, "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']" } ] } }If you set
$.userTypeto "public", all passwords will be written by default in the Identity Authentication. Thus, all provisioned users will successfully sign in to Identity Authentication target system.When
$.userTypeis set to "employee", the sign-in behavior of the provisioned users depends on whether users have been created with or without a password, and where these passwords are stored. Thus, you need to modify the target transformations accordingly in order for the users to successfully sign in to the SAP Cloud Identity Services administration console.To learn more, see Guided Answers: Identity Authentication: Provisioned Users Can't Sign In
-
Connect the external consumer to Identity Provisioning with the technical user you have created in step 2.
If the external consumer system is SAP Identity Management, you can export the newly created proxy system as a SCIM repository from Identity Provisioning and import it in SAP Identity Management. This will create a SCIM repository in SAP Identity Management where most of the repository constants will be automatically filled in. You need to provide the technical user credentials that you have set up in step 2 and the SCIM assignment method as described below:
-
For AUTH_USER and AUTH_PASSWORD, enter your client ID and secret.
-
For the SCIM_ASSIGNMENT_METHOD constant, make sure the value is PUT.
-
For AUTH_USER and AUTH_PASSWORD, enter the user ID and password of the Identity Authentication technical user for which you have set permission Access Proxy System API.
-
For the SCIM_ASSIGNMENT_METHOD constant, make sure the value is PUT.
For external consumer systems, other than SAP Identity Management, you should also use the PUT method for modifying entities.
-
When a proxy system is connected to an external backend system (in the case of SAP Identity Management this means the exported CSV file is imported into the Identity Management Admin UI and a repository is configured), you can start managing the users and groups into this external system. Usually, the first operation is the initial load of the existing entities into your external system. When this load has finished, changes in the external system, such as creating new users or updating existing ones, can trigger CRUD requests back to the proxy system.
To see an example with SAP Identity Management, see Hybrid Scenario: SAP Identity Management → sections Next Steps and Future Identity Lifecycle.
Effective September 2020, Shanghai (China) tenants that reside on SAP BTP, Neo environment can be only accessed on the following domain:
dispatcher.cn1.platform.sapcloud.cnSo make sure you use the correct domain when you construct your REST API requests.
For example: GET https://ipsproxyabcd12345-xyz789.dispatcher.cn1.platform.sapcloud.cn/ipsproxy/api/v1/scim/bbb111aa-1234-aaaa-7777-1234567abcde/Users/s123456789
To learn more, see: Proxy Systems
Related Information
Identity Authentication: Documentation