Need for SAP CP identity services

ssimsekler
Active Contributor
0 Kudos

Hello

If an enterprise has a cloud-based identity solution, like Microsoft Azure AD, what, if at all, would be the reasoning to utilise SAP CP identity services, i.e.

  • Identity Authentication Service
  • Identity Provisioning Service?

Kind Regards

Accepted Solutions (0)

Answers (2)

former_member183326
Active Contributor
0 Kudos

Here is one reason to use IAS:

So your company has been using AD for some years, and the structure of the AD has always been done at a high level (i.e. not granular). Also, as you may see with some ADs, there is a common trend for them to be maintained poorly, with a loose rule set of what is allowed to happen there.

Then your company purchases a solution, let's say Hybris E-Commerce. E-comm has a role structure that is fine-grained to allow for better and more accurate segregation of duties for the users. As the AD structure is a mess, it would now be better to use IAS, as you could design groups here as fine-grained as you like, with the added benefit of standard integration, of course.

For IPS, SAP already has standard connectors built for most of the cloud systems on offer, which means you won't have to build connectors for each and every system from your third-party provisioning system, most likely using a SCIM connector.

ssimsekler
Active Contributor
0 Kudos

Hi Michael

Thanks for your answer. I think I can see the value in IPS from the aspect of readily available connectors.

I am having trouble locating the use of IAS in the picture, e.g. what about if we have Azure AD as the cloud identity provider where we can have user groups as well? What benefit would IAS provide?

Kind Regards

former_member183326
Active Contributor
0 Kudos

If you have Azure then I see no reason for IAS. This is acting under the premise that I am looking at this from a very high level without knowing the business processes or the requirements, which in itself is the most important part, to be honest. You have to look at the service providers you want to firstly authenticate to.

Then you have to look at the Azure AD: does it allow for the required attributes from the SP? Are the company's processes flexible enough to use its current structure in the cloud with Azure and the SPs? There are a lot of questions that need to be answered. There is no right or wrong answer here, unfortunately.

In one of my projects the customer was using Azure sync for their existing AD, and their structure was based on a high-level grouping, and they wouldn't change this to suit the service providers, so we then used IAS to achieve SSO.

former_member188370
Participant
0 Kudos

Hi,

There is no easy answer to this. It depends on the use case and customer requirements.

Some applications require an instance of Identity Authentication service (IAS).

Many applications come preconfigured with the IAS, so with the existing solution there just needs to be one trust to set up between this and the pre-configured IAS.

There are also some cases in which the solutions are globally distributed, so a benefit in this scenario would be for IAS to hold the session locally, while the initial authentication would be done by the corporate IdP.

ssimsekler
Active Contributor
0 Kudos

Hi Jens

Thanks for your response. If you do not mind, can I ask more questions to extend your answer?

Is there a list of the applications requiring an IAS instance? Or is there a way to acquire this information for SAP products? At least any examples?

Is the requirement in the form of a dependency on IAS where other alternatives, like Azure AD, would not work? I am asking this because the documentation I see manifests IAS as a generic identity solution, and I cannot see much reference to how it adds value to landscapes already having a cloud identity solution like Azure AD.

Kind Regards

former_member188370
Participant
0 Kudos

Hi Serdar,

From the IAS perspective, it is an Identity Provider as you call it, which can be used by all applications supporting the SAML2 standard.

However, it is then up to the application itself how it integrates, especially when it comes to automatic provisioning of the application.

I do not have a list of the SAP applications that require IAS.

Kind regards,
Jens