Follow this procedure to set up SAP BTP ABAP environment as a proxy system.
-
You have user credentials for an external back-end system with read and write permissions.
-
To establish the connection between Identity Provisioning and SAP BTP ABAP environment, you need to set up the communication (user, system and arrangement) on SAP BTP ABAP environment. You can do it now (as a prerequisite) or in the process of configuring SAP BTP ABAP environment as a proxy system, as described in step 5.
-
Administrators of bundle tenants on Neo environment should enable the Manage OAuth Clients permission, as described in Neo Environment section in Manage Authorizations
↗️ .
You can use SAP BTP ABAP environment as a proxy connector to execute hybrid scenarios. That means, it can provision its entities to another (external) back-end system by request, and then can continue executing CRUD operations back to SAP BTP ABAP environment, whenever the external back-end requests such. This scenario supports:
- Reading of business users (Employee) and business roles (which are considered as groups)
- Writing of users and assignments
The Identity Provisioning implementation of the Proxy System SCIM API (based on the SCIM Query) supports single entity and delta read filtering for users and groups. For more information, see Query Parameters for Proxy System SCIM API.
-
Open your subaccount in SAP BTP cockpit (valid for OAuth authentication to the Identity Provisioning proxy system).
If you have a bundle tenant, then in the cockpit → Neo → Overview, you can see the Global account, which SAP provides for your bundle in the corresponding Identity Provisioning region. Then, in the global account, you can see your subaccount, where the Identity Provisioning is enabled as a service for the bundle. The display name of the subaccount starts with SAP_BUNDLE.
-
Sign in to the administration console of SAP Cloud Identity Services and navigate to Users & Authorizations > Administrators.
-
Create a technical user with the necessary authorizations. It will later be used by the external consumer to connect to Identity Provisioning.
-
For Certificate-based authentication, follow the procedure in Manage Certificates for Inbound Connection → SAP BTP, Neo Environment
-
For OAuth authentication, proceed as follows:
-
Go to Security > OAuth > Clients and choose Register New Client.
-
From the Subscription combo box, select <provider_subaccount>/ipsproxy.
-
From the Authorization Grant combo box, select Client Credentials.
-
In the Secret field, enter a password (client secret) and remember it. You will need it later, for the repository configuration in the external system.
-
Copy/paste and save (in a notepad) the generated Client ID. You will need it later, too.
-
From the left-side navigation, choose Subscriptions > Java Applications > ipsproxy .
-
From the left-side navigation, choose Roles > IPS_PROXY_USER.
-
Choose Assign and enter oauth_client_<client_ID>.
For <client_ID>, enter the one you have saved in the previous main step.
-
-
For Certificate-based authentication, upload the certificate for the technical user of type System, as described in Add System as Administrator and enable the Access Proxy System API permission.
-
For Basic authentication, proceed as follows:
-
Add an administrator user of type System and configure the basic authentication method for this user.
If you already have a technical user, skip this step.
-
Save your changes.
-
Select your administrator user of type System and enable the Access Proxy System API permission.
-
Save your changes.
-
-
-
Access the Identity Provisioning UI.
-
Add SAP BTP ABAP environment as a proxy system. For more information, see: Add New Systems.
-
Set up the communication between Identity Provisioning and SAP BTP ABAP environment and configure your authentication method (basic or certificate-based).
We recommend that you use certificate-based authentication.
-
In your newly added SAP BTP ABAP environment proxy system, select the Certificate tab and choose Generate > Download, as described in Generate and Manage Certificates for Outbound Connection.
Skip step a. if you want to use basic authentication.
The next steps are performed in SAP BTP ABAP environment backend system and are relevant for both basic and certificate-based authentication.
-
Create a communication user and provide the respective credentials.
For basic authentication, provide User Name and Password.
For certificate-based authentication, upload the certificate you have generated in the Identity Provisioning UI on the previous step.
-
Create a communication system and assign the created user to the communication system.
For your Identity Provisioning scenario, provide System ID, System Name and Host Name.
-
Create a communication arrangement with the created system.
For your Identity Provisioning scenario, choose Scenario ID SAP_COM_0193 (SAP Cloud Identity Provisioning Integration).
For more information, see Maintain a Communication Arrangement for Inbound Communication
The communication scenario SAP_COM_0193 is enhanced to support the User UUID attribute which is generated by Identity Authentication at user creation.
The User UUID is universally unique identifier. This attribute is immutable and unique across technology layers, such as user interface, APIs, and security tokens, as well as across products and lines of business contributing to a business process in the Intelligent Enterprise.
-
-
Choose the Properties tab to configure the connection settings for your system.
If your tenant is running on SAP BTP, Neo environment, you can create a connectivity destination in your subaccount in the SAP BTP cockpit, and then select it from the Destination Name combo box in your Identity Provisioning User Interface.
If one and the same property exists both in the cockpit and in the Properties tab, the value set in the Properties tab is considered with higher priority.
We recommend that you use the Properties tab. Use a connectivity destination only if you need to reuse one and the same configuration for multiple provisioning systems.
Mandatory Properties
Property Name
Description & Value
TypeEnter: HTTP
URLSpecify the API URL to your SAP BTP ABAP environment system.
You can take the URL from the communication scenario SAP_COM_0193.
ProxyTypeEnter: Internet
AuthenticationEnter your authentication method:
-
BasicAuthentication
-
ClientCertificateAuthentication
UserValid if BasicAuthentication is configured as authentication method.
Enter the User Name from the communication arrangement.
Do not use special symbol ',' (comma) as it is not supported.
Password(Credential) Valid if BasicAuthentication is configured as authentication method.
Enter the Password for the user name from the communication arrangement.
Do not use special symbol ',' (comma) as it is not supported.
a4c.skip.read.archivedIn the event of archived (disabled) entities in your SAP BTP ABAP environment system, choose whether the provisioning jobs to continue reading such entities or to skip them.
This property is enabled by default. If you want to always read disabled entities, set the property to false, or delete it.
ips.date.variable.formatyyyy-MM-dd
(needed for the Read Transformation)
a4c.user.roles.overwriteThis property defines whether the current roles of a user to be preserved or overwritten by the Identity Provisioning service within the SAP BTP ABAP environment proxy system in a hybrid scenario.
- true – the current user roles will be deleted in the proxy system, and the user will be updated only with the roles provisioned by the service.
- false – the current user roles will be preserved, and the new roles (if any) will be added for the relevant user in the proxy system.
See also: Extended Explanation of the *user.roles.overwrite Properties
(Optional)
a4c.roles.filterEnter OData filtering for reading roles in the SAP BTP ABAP environment system.
To learn what criteria you can use, see: OData URI Conventions → 4.5 Filter System Query Option
a4c.user.unique.attributeIf Identity Provisioning tries to provision a user that already exists in the SAP BTP ABAP environment target system (a conflicting user), this property defines the unique attributes by which the existing user will be searched and resolved.
According to your use case, choose how to set up this property:
-
Default behavior: This property does not appear in the UI during system creation. Its default value is personExternalID. That means, if the service finds an existing user by a personExternalID, it updates this user with the data of the conflicting one.
If a user with such а personExternalID is not found, the creation of the conflicting user fails.
-
Value = emails[0].value. If the service finds an existing user matching both unique attributes email and personExternalID, it updates this user with the data of the conflicting one. If the service finds an existing user matching only the email, the update of the existing user fails.
If a user with such email is not found, that means the conflict is due to another reason, so the creation of the conflicting user fails.
Possible values:
- personExternalID
- emails[0].value
Default value: personExternalID
(Optional)
a4c.roles.page.sizeIndicate how many business roles (considered as groups) per page to be read from your SAP BTP ABAP environment system.
The value must be an integer number.
To learn what additional properties are relevant to this system, see List of Properties. You can use the main search, or filter properties by the Name or System Type columns.
Exemplary destination:
Type=HTTPAuthentication=BasicAuthenticationProxyType=InternetURL=https://12345-aaaaa-3333.abap.hana.ondemand.comUser=MyABAPEnvUserPassword=************ips.date.variable.format=yyyy-MM-dda4c.skip.read.archived=truea4c.user.roles.overwrite= falsea4c.roles.filter=startswith(ID, 'EMPLOYEE_LEVEL_3') eq truea4c.roles.page.size=30 -
-
(Optional) Configure the transformations.
Transformations are used to map the user attributes from the data model of the source system to the data model of the target system, and the other way around. The Identity Provisioning offers a default transformation for the SAP BTP ABAP environment proxy system, whose settings are displayed under the Transformations tab after saving its initial configuration.
You can change the default transformation mapping rules to reflect your current setup of entities in your SAP BTP ABAP environment system. For more information, see:
Inbound Service: Business User
Default read and write transformations:
The proxy Read Transformation is used when the external client application (for example, SAP Identity Management) makes initial load. That is, executing GET requests to the resource endpoints (/Users or /Groups) to retrieve the corresponding entities of the particular type. The external client application can also execute GET requests to a single resource endpoint (querying a single resource is supported). In this case, the proxy system acts as a source one.
The proxy Write Transformation is used when the external application manages the entities in the proxy system – creates new entities, updates existing ones, or deletes existing ones. In this case, the proxy system acts as a target one.
However, after a Create or Update operation is performed on the proxy system, the Read Transformation is applied to the result, so that the created or updated entity is sent back to the external application. This behavior demonstrates that the proxy Read Transformation is used for write cases, as well.
Read Transformation
Write Transformation
{ "user": { "scimEntityEndpoint": "Users", "mappings": [ { "sourcePath": "$.personID", "targetVariable": "entityIdSourceSystem", "targetPath": "$.id" }, { "sourceVariable": "entityBaseLocation", "targetVariable": "entityLocationSourceSystem", "targetPath": "$.meta.location", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] }, { "sourcePath": "$.personalInformation.firstName", "targetPath": "$.name.givenName", "optional": true }, { "sourcePath": "$.personalInformation.lastName", "targetPath": "$.name.familyName", "optional": true }, { "sourcePath": "$.personalInformation.middleName", "targetPath": "$.name.middleName", "optional": true }, { "sourcePath": "$.personalInformation.personFullName", "targetPath": "$.name.formatted", "optional": true }, { "sourcePath": "$.user.userName", "targetPath": "$.userName", "optional": true, "correlationAttribute": true }, { "constant": true, "targetPath": "$.active" }, { "condition": "$.user.lockedIndicator == 'true'", "constant": false, "targetPath": "$.active", "optional": true }, { "condition": "($.user.validityPeriod.startDate > '${currentDate}') || ('${currentDate}' > $.user.validityPeriod.endDate)", "constant": false, "optional": true, "targetPath": "$.active" }, { "sourcePath": "$.workplaceInformation.emailAddress", "targetPath": "$.emails[0].value", "optional": true, "correlationAttribute": true }, { "sourcePath": "$.user.logonLanguageCode", "optional": true, "targetPath": "$.locale" }, { "sourcePath": "$.PersonExternalID", "optional": true, "correlationAttribute": true }, { "sourcePath": "$.user.role[*].roleName", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.groups[?(@.value)]" }, { "sourcePath": "$.user.globalUserID", "optional": true, "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']" }, { "type": "valueMapping", "sourcePaths": [ "$.user.timeZoneCode" ], "targetPath": "$.timezone", "defaultValue": "Europe/Berlin", "valueMappings": [ { "key": [ "WDFT" ], "mappedValue": "Europe/Berlin" }, { "key": [ "ISRAEL" ], "mappedValue": "Asia/Jerusalem" }, { "key": [ "RUS03" ], "mappedValue": "Europe/Moscow" }, { "key": [ "AUSNSW" ], "mappedValue": "Australia/Sydney" }, { "key": [ "UTC+4" ], "mappedValue": "Asia/Dubai" }, { "key": [ "BRAZIL" ], "mappedValue": "America/Sao_Paulo" }, { "key": [ "BRZLEA" ], "mappedValue": "America/Sao_Paulo" }, { "key": [ "MSTNO" ], "mappedValue": "America/Phoenix" }, { "key": [ "EST" ], "mappedValue": "America/New_York" }, { "key": [ "UTC" ], "mappedValue": "Etc/UTC" }, { "key": [ "UTC+3" ], "mappedValue": "Asia/Riyadh" }, { "key": [ "EST_" ], "mappedValue": "America/Toronto" }, { "key": [ "UTC+8" ], "mappedValue": "Asia/Shanghai" }, { "key": [ "JAPAN" ], "mappedValue": "Asia/Tokyo" } ] }, { "type": "valueMapping", "sourcePaths": [ "$.businessPartnerRoleCode" ], "targetPath": "$.userType", "defaultValue": "Employee", "valueMappings": [ { "key": [ "BUP003" ], "mappedValue": "Employee" } ] } ] }, "group": { "scimEntityEndpoint": "Groups", "mappings": [ { "sourcePath": "$.ID", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem" }, { "sourceVariable": "entityBaseLocation", "targetVariable": "entityLocationSourceSystem", "targetPath": "$.meta.location", "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ] }, { "sourcePath": "$.ID", "targetPath": "$.displayName" }, { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" }, { "sourcePath": "$.to_BusinessUserAssignment.results", "optional": true, "preserveArrayWithSingleElement": true, "targetPath": "$.members" }, { "type": "remove", "targetPath": "$.members[*].__metadata" }, { "type": "remove", "targetPath": "$.members[*].UserName" }, { "type": "rename", "constant": "value", "targetPath": "$.members[*].PersonID" }, { "constant": "User", "targetPath": "$.members[*].type" } ] } }{ "user": { "mappings": [ { "sourcePath": "$.userName", "targetPath": "$.personExternalID" }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']", "optional": true, "targetPath": "$.personExternalID" }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']", "optional": true, "targetPath": "$.user.globalUserID" }, { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.personID" }, { "targetPath": "$.businessPartnerRoleCode", "type": "valueMapping", "sourcePaths": [ "$.userType" ], "defaultValue": "BUP003", "valueMappings": [ { "key": [ "Employee" ], "mappedValue": "BUP003" } ] }, { "scope": "createEntity", "sourceVariable": "currentDate", "targetPath": "$.validityPeriod.startDate" }, { "scope": "createEntity", "constant": "9999-12-31", "targetPath": "$.validityPeriod.endDate" }, { "scope": "createEntity", "sourceVariable": "currentDate", "targetPath": "$.user.validityPeriod.startDate" }, { "scope": "createEntity", "constant": "9999-12-31", "targetPath": "$.user.validityPeriod.endDate" }, { "sourcePath": "$.name.givenName", "optional": true, "targetPath": "$.personalInformation.firstName" }, { "sourcePath": "$.name.familyName", "targetPath": "$.personalInformation.lastName" }, { "sourcePath": "$.name.middleName", "optional": true, "targetPath": "$.personalInformation.middleName" }, { "sourcePath": "$.name.formatted", "optional": true, "targetPath": "$.personalInformation.personFullName" }, { "sourcePath": "$.userName", "targetPath": "$.user.userName" }, { "sourcePath": "$.nickName", "optional": true, "targetPath": "$.user.nickName" }, { "sourcePath": "$.locale", "optional": true, "targetPath": "$.user.logonLanguageCode" }, { "sourcePath": "$.emails[0].value", "optional": true, "targetPath": "$.workplaceInformation.emailAddress" }, { "condition": "$.active == false", "constant": "true", "targetPath": "$.user.lockedIndicator" } ], "scimEntityEndpoint": "Users" }, "group": { "mappings": [ { "sourcePath": "$.displayName", "targetVariable": "entityIdTargetSystem", "scope": "createEntity" }, { "sourcePath": "$.displayName", "targetPath": "$.displayName" }, { "sourcePath": "$.members[*].value", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members[?(@.value)]" }, { "sourcePath": "$.Operations", "targetPath": "$.Operations", "preserveArrayWithSingleElement": true, "scope": "patchEntity" }, { "sourcePath": "$.schemas", "targetPath": "$.schemas", "preserveArrayWithSingleElement": true, "scope": "patchEntity" } ], "scimEntityEndpoint": "Groups" } }By default, Identity Provisioning reads group IDs and members. If you want the service to also read group descriptions, you can add an extra mapping to the "group" resource in the Read Transformation. To learn how, see Guided Answers: Business Role Description.
-
Connect the external consumer to Identity Provisioning with the technical user you have created in step 2.
If the external consumer system is SAP Identity Management, you can export the newly created proxy system as a SCIM repository from Identity Provisioning and import it in SAP Identity Management. This will create a SCIM repository in SAP Identity Management where most of the repository constants will be automatically filled in. You need to provide the technical user credentials that you have set up in step 2 and the SCIM assignment method as described below:
-
For AUTH_USER and AUTH_PASSWORD, enter your client ID and secret.
-
For the SCIM_ASSIGNMENT_METHOD constant, make sure the value is PATCH.
-
For AUTH_USER and AUTH_PASSWORD, enter the user ID and password of the Identity Authentication technical user for which you have set permission Access Proxy System API.
-
For the SCIM_ASSIGNMENT_METHOD constant, make sure the value is PATCH.
For external consumer systems, other than SAP Identity Management, you should also use the PATCH method for modifying entities.
-
When a proxy system is connected to an external backend system (in the case of SAP Identity Management this means the exported CSV file is imported into the Identity Management Admin UI and a repository is configured), you can start managing the users and groups into this external system. Usually, the first operation is the initial load of the existing entities into your external system. When this load has finished, changes in the external system, such as creating new users or updating existing ones, can trigger CRUD requests back to the proxy system.
To see an example with SAP Identity Management, see Hybrid Scenario: SAP Identity Management → sections Next Steps and Future Identity Lifecycle.
Effective September 2020, Shanghai (China) tenants that reside on SAP BTP, Neo environment can be only accessed on the following domain:
dispatcher.cn1.platform.sapcloud.cnSo make sure you use the correct domain when you construct your REST API requests.
For example: GET https://ipsproxyabcd12345-xyz789.dispatcher.cn1.platform.sapcloud.cn/ipsproxy/api/v1/scim/bbb111aa-1234-aaaa-7777-1234567abcde/Users/s123456789
To learn more, see: Proxy Systems