Skip to Content
0
Sep 06, 2023 at 11:42 AM

How to provision Users from two different Sources into SAP-IAS using SAP-IPS

377 Views Last edit Sep 06, 2023 at 11:42 AM 2 rev

Hello SAP-Community,

when it comes to provision users out of a single-source-of-truth for employee data, my common approach with customers, is to sync them from a corporate source system like AD or Azure AD.

Mostly that works out fine, we have one dedicated source system for our user provisioning and can rely of the user data provided from one single source for our SAP-IAS user data. But sometimes we have the request to enrich SAP-IAS user data with attributes provided by SAP SuccessFactors. For example: Supervisor relationship or hire and termination data. Basically from IPS and IAS perspective we then have two source system that provision data to SAP-IAS in this scenario.

When using SCIM API Version 2 for provisioning user data into SAP-IAS from two different sources. The whole entity will be overwritten with the attributes coming from one source system. For example: Sync of First Name, Last Name, Employee ID from Azure AD.

Data is persisted in SAP-IAS Userbase. When syncing Supervisor relation from SAP SuccessFactors into SAP-IAS. First provisioned attributes out of Azure AD vanishes.

There is a solution in form of the “local identity directory” System connection in SAP-IPS in order to achieve syncing user data from two sources into SAP-IAS. In this scenario you would sync user data from two sources into local identity directory, and use local identity directory as source system for provisioning to SAP-IAS. However the local identity directory connector seems only to be available in standalone Cloud Identity Service tenants.

See: https://help.sap.com/docs/identity-provisioning/identity-provisioning/local-identity-directory-59557aec028d4eae9720bf89abd110bf?locale=en-US

Now we have the request to configure this scenario with a customer, but unfortunately local identity directory is not available in our Cloud Identity Service tenants. Does anyone know if we can enable the connector in our tenant by creating an incident request with SAP? Or is there any other way on how to provision user data from two different sources into SAP-IAS using SAP-IPS? Is there a best practice approach from SAP? Have anyone been faced with this kind of request to?

I would really look forward in sharing information and knowledge regarding to this with the SAP Community.

With best regards,

Alex Schaffelke