
SAP IDM- Hybrid landscape scenario

former_member256680
Participant

Hi All, I need some technical configuration guidance about implementing SAP IDM 8.0 on premise for a hybrid landscape (on-premise & cloud systems).

We have S/4HANA & BW/4HANA on-premise systems & SAP Ariba & SuccessFactors cloud systems. To achieve automated user lifecycle management (hire to retire), I have proposed a high-level architecture as attached.

My assumptions based on the latest SAP documents:

SAP IDM 8.0 on premise will act as the primary IDM solution for both on-premise & cloud systems.

SF Employee Central as the source for the IDM on-premise system.

Questions:

1. There is an SFSF connector available; is that alone sufficient to deploy & configure in IDM 8 on premise to read user/position information from SF EC? Do we need to do anything for the SAP Cloud Identity Provisioning Service (IPS)?

2. How will IDM on-premise read cloud authorization roles from SAP Ariba? Using the SCIM connector? Is there any specific configuration to follow in the SCP Identity Provisioning Service?

3. Will users also be stored somewhere in IPS/the cloud platform, or is just the IDM on-premise user store sufficient?

4. I also read that IDM on-premise will not do user provisioning for SAP cloud applications (only changing user ID attributes is possible). Is this true?

5. If SF Employee Central is the source, then should MS Active Directory be configured as a target repository?

I have done IDM 8.0 on-premise implementations before; mainly I am looking for how user provisioning will work for SAP cloud systems and what the use of IPS is in a hybrid scenario (when I need SF Employee Central as the source for IDM).

Your inputs are highly appreciated, thanks.

Accepted Solutions (1)

former_member187331
Participant

Hello Imran,

1. Yes, there is a standard connector for SF in the on-prem IdM bundle. It has most of the features out of the box; however, a few critical features are missing (like reading time-dependent data, e.g. data from the future or from the past) and some features you would typically expect are not supported by SF (like setting user passwords). We had to customize the connector a bit for our customers, but it's actually an easy task.

2. The on-prem IdM uses the SCIM connector to read from the SAP IPS (Identity Provisioning Service). The IPS works as a proxy: it reads the data from Ariba (or whatever cloud system you specify) and sends the data back to SAP IdM. So you could imagine the IPS as an abstraction layer, like a forwarder of data. The on-prem IdM thinks that it is provisioning to an Ariba system, but actually it just speaks with the IPS.

3. If you use the proxy use case, you have the user data from the cloud systems stored in your on-prem IdM, since the IPS has no persistence layer in this mode.

4. Yes, you can provision all sorts of things (creation, modification and so on) to the remote cloud system via the proxy mode of IPS. Only the connector of the IPS is your limitation; if it doesn't support certain operations, it's not the fault of your on-prem IdM.

5. It depends on how your scenario is. Most of the time you only have one source system (like the HR system). Sometimes the company also has external employees who are not included in the HR system but in a special OU in the Active Directory. Then you might have two source systems 😉

Kind regards,

Aydin
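To make the proxy-mode flow described in points 2 to 4 concrete, here is an added example (not from this post and not the real IPS API): three constructed stand-ins, an on-prem IdM that owns the user store, a stateless IPS-style proxy that only validates and forwards SCIM 2.0 requests, and a cloud target whose connector lacks some operations. The class names, the `/Users` paths and the status codes are assumptions; only the SCIM core User schema URN is real.

```python
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # real SCIM 2.0 core User schema URN
class CloudTarget:
    # Constructed stand-in for the cloud system behind the proxy (e.g. Ariba); assumed to
    # support create and delete only, so anything else surfaces as a connector limitation.
    def __init__(self):
        self.users = {}  # remote id -> SCIM resource

    def handle(self, method, path, body):
        if method == "POST" and path == "/Users":
            uid = f"cloud-{len(self.users) + 1}"
            self.users[uid] = dict(body, id=uid)
            return 201, self.users[uid]
        if method == "DELETE" and path.startswith("/Users/"):
            return (204, {}) if self.users.pop(path.rsplit("/", 1)[1], None) else (404, {})
        return 501, {"detail": f"{method} {path} not supported by target connector"}

class IpsProxy:
    # Constructed stand-in for IPS in proxy mode: validates and forwards, persists nothing.
    def __init__(self, target):
        self.target = target  # its only state: where to forward

    def scim(self, method, path, body=None):
        if body is not None and SCIM_USER not in body.get("schemas", []):
            return 400, {"detail": "missing core User schema"}
        return self.target.handle(method, path, body)

class OnPremIdm:
    # Constructed stand-in for on-prem IdM: thinks it talks to the cloud system, owns the store.
    def __init__(self, proxy):
        self.proxy = proxy
        self.store = {}  # userName -> remote id handed back by the cloud system

    def provision(self, user_name, display_name):
        body = {"schemas": [SCIM_USER], "userName": user_name,
                "displayName": display_name, "active": True}
        status, resp = self.proxy.scim("POST", "/Users", body)
        if status == 201:
            self.store[user_name] = resp["id"]
        return status

    def set_password(self, user_name, password):
        # Hypothetical operation the target connector lacks; IdM must handle the refusal.
        body = {"schemas": [SCIM_USER], "password": password}
        return self.proxy.scim("PUT", f"/Users/{self.store[user_name]}", body)[0]

    def deprovision(self, user_name):
        status, _ = self.proxy.scim("DELETE", f"/Users/{self.store[user_name]}")
        if status == 204:
            del self.store[user_name]
        return status
```

The point to check in a real landscape is the same as in the mock: after every operation the only persisted copy of the user is in the on-prem IdM store, and an unsupported operation comes back as a target-side error rather than silently succeeding.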

former_member256680
Participant

Thank you Aydin, for your detailed explanation. It is certainly helpful to me.

I will keep this post open for a few days to see other experts' opinions too ))

Thanks again!!

former_member431321
Participant

Good question and good answer.

Thank you!!
