You can use outbound certificates generated by Identity Provisioning for OAuth authentication with provisioning systems.
In OAuth certificate authentication, Identity Provisioning acts as a client application that sends requests to the URL of the access token provider service (the authorization server). The server issues an access token after the client has authenticated with its certificate: the certificate takes the place of the client secret, while the client ID still identifies the client.
Currently, OAuth certificate authentication is supported for SAP Build Work Zone, advanced edition, SAP CPQ, SAP Business Network and Procurement Data Warehouse.
To configure OAuth certificate authentication for communication between Identity Provisioning and a given provisioning system, proceed as follows:
- Select the Properties tab of the provisioning system and make sure the Authentication property is set to ClientCertificateAuthentication. This authentication method can only be configured using properties; it does not work with destinations.
- Add the OAuth2TokenServiceURL property and provide the URL of the access token provider service for your provisioning system.
- Add the client_id property and provide the OAuth client ID used for access token retrieval.
- Select the Certificates tab and generate the certificate for outbound connection, as described in Generate and Manage Certificates for Outbound Connection.
- Log in to the provisioning system and upload the certificate. The specific location may vary depending on the system, but it is typically found in the security or certificate management section.
- Run a provisioning job.
During the job execution, Identity Provisioning authenticates to the authorization server using the client certificate and gets the access token issued by the server.
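As an added illustration (not Identity Provisioning's own code or API), the following Python script models the token exchange that the configuration above produces: a client-credentials request to OAuth2TokenServiceURL in which the outbound certificate presented during the TLS handshake, rather than a client secret, authenticates the client. The property names (Authentication, OAuth2TokenServiceURL, client_id) are the ones from the steps above; the PEM file paths, the token endpoint hostname and the sample token responses are constructed for the example. It also shows the checks a practitioner wants before running the job: the token URL must be https, the certificate must be loadable, and an error response such as invalid_client (typically the uploaded certificate not matching the one presented) must fail the job rather than be ignored.

```python
"""Model of the OAuth certificate (mTLS client-credentials) token exchange.

Illustrative code using only the standard library; it is NOT the Identity
Provisioning implementation.  Paths, hostnames and responses are constructed.
"""
import json
import ssl
import urllib.parse
import urllib.request

REQUIRED_AUTH = "ClientCertificateAuthentication"


def validate_properties(props):
    """Return a list of configuration problems (empty list means OK).

    Mirrors the property-based setup: Authentication, OAuth2TokenServiceURL
    and client_id must all be present and sane before a job is started.
    """
    problems = []
    if props.get("Authentication") != REQUIRED_AUTH:
        problems.append("Authentication must be %s" % REQUIRED_AUTH)
    url = props.get("OAuth2TokenServiceURL", "")
    if urllib.parse.urlsplit(url).scheme != "https":
        # A plaintext token endpoint would leak the issued bearer token and
        # cannot carry a client certificate at all.
        problems.append("OAuth2TokenServiceURL must be an https URL")
    if not props.get("client_id"):
        problems.append("client_id is required")
    return problems


def build_token_request(props):
    """Return (url, form body) for the client_credentials grant.

    Note what is absent: there is no client_secret in the body.  The client
    certificate authenticates the client; client_id only identifies it.
    """
    problems = validate_properties(props)
    if problems:
        raise ValueError("; ".join(problems))
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": props["client_id"],
    })
    return props["OAuth2TokenServiceURL"], body.encode("ascii")


def make_client_context(cert_file, key_file):
    """TLS context that verifies the token server against the system CA store
    and presents the outbound certificate (assumed exported to PEM files)."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def parse_token_response(status, payload):
    """Return the bearer token, or raise on an OAuth error response."""
    data = json.loads(payload)
    if status != 200 or "access_token" not in data:
        # e.g. {"error": "invalid_client"}: the certificate presented in the
        # handshake is not the one uploaded to the system, or client_id is unknown.
        raise PermissionError("token request failed: %s" % data.get("error", status))
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type %r" % data.get("token_type"))
    return data["access_token"]


def fetch_token(props, cert_file, key_file):
    """Perform the real exchange (needs network access and the PEM files)."""
    url, body = build_token_request(props)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    ctx = make_client_context(cert_file, key_file)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_token_response(resp.status, resp.read())


if __name__ == "__main__":
    # Constructed property set, as it would appear on the Properties tab.
    sample_props = {
        "Authentication": REQUIRED_AUTH,
        "OAuth2TokenServiceURL": "https://auth.example.com/oauth/token",
        "client_id": "ips-client",
    }
    print(build_token_request(sample_props))
    # Constructed responses: success, then the typical certificate-mismatch error.
    ok = b'{"access_token": "eyJ...", "token_type": "Bearer", "expires_in": 3600}'
    print(parse_token_response(200, ok))
    try:
        parse_token_response(401, b'{"error": "invalid_client"}')
    except PermissionError as exc:
        print(exc)
```

The request body carries only grant_type and client_id; if you see a client_secret in a capture of the job's token request, the system is not using certificate authentication. fetch_token is the only function that touches the network and is left out of the offline demo.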