on 06-14-2018 3:06 PM
We've built a SAML/SSO Trust between IAS and azure AD for the authentication of SAP Cloud applications and SCP subaccounts (platform users).
Now to manage the users in groups, we'd want to transfer assigned AD groups to IAS to further work with them and on that basis manage the access to single Cloud apps.
Has anyone had experience with a similar setup?
For your scenario, you would first set up a job using SAP IPS. In this job, Azure would be your source system, provisioning to IAS, so IAS would be your target system: https://help.sap.com/viewer/f48e822d6d484fa5ade7dda78b64d9f5/Cloud/en-US/f217bd39c17d47cdb4f89ed19cb...
Then a second job using SAP IPS; this time IAS would be your source system, and you can configure either a standard out-of-the-box connector if one is available or a SCIM connector if it's custom. Some service providers can do this dynamically upon login, like SAC, and others cannot, like C4C (this may be subject to change with new releases).
You can configure mapping from IAS to the SPs. So, for example, if you have a role created in SAP SAC, this can be mapped to a group in IAS or AD; either works.
From what I gather, you want to provision AD groups to IAS groups dynamically. I'm not sure if this feature exists in IAS yet. The documentation may help with this:
https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/
Hello Shunji,
We have many projects where the Identity Provisioning Service will be relevant, but we are not quite there yet.
For example, with SAP Analytics Cloud there is the functionality of importing users from AD and also mapping SAML attributes to the SAC users. But not the groups! For that, I think you would have to buy the IPS service, which makes it quite easy to map or transform groups.
I would still be interested to hear more about your use case!
P.S. Provisioning to IAS happens manually or "on the fly" during a login attempt via IAS --> SCP --> SAP Cloud Connector (LDAP, Cloud User Store) --> corporate Active Directory.
We'd want to set rules (which is possible in a native IAS/IPS constellation) like "if the user is in group X, they can access this application" or "if the user is in domain Y..." etc.
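The group-based and domain-based access rules described in this thread, as an added example that is not part of any post and not SAP IPS code: a small deny-by-default evaluator that takes a user record in SCIM-style shape (as a provisioning job would receive it from the source directory) and returns the applications the rules grant. The group names, application names and users are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One access rule: membership in any of `groups`, or an e-mail domain
    in `domains`, grants access to `app`. Constructed rule shape, not IPS's."""
    app: str
    groups: frozenset = frozenset()
    domains: frozenset = frozenset()

# Constructed placeholder rules in the spirit of "if user is in group X, they
# can access this application" / "if user is in domain Y ...".
RULES = (
    Rule(app="SAC", groups=frozenset({"AD-SAC-Users"})),
    Rule(app="C4C", groups=frozenset({"AD-C4C-Sales", "AD-C4C-Admins"})),
    Rule(app="SCP-Cockpit", domains=frozenset({"example.com"})),
)

def user_groups(user: dict) -> set:
    # SCIM 2.0 lists memberships as objects carrying "display" and/or "value";
    # accept either so a group referenced only by id is not silently dropped.
    return {g.get("display") or g.get("value") for g in user.get("groups", [])}

def user_domain(user: dict) -> str:
    name = user.get("userName", "")
    return name.rpartition("@")[2].lower() if "@" in name else ""

def allowed_apps(user: dict, rules=RULES) -> set:
    """Applications the user may access. Deny by default: a user matching no
    group and no domain rule gets an empty set rather than implicit access."""
    groups, domain = user_groups(user), user_domain(user)
    return {r.app for r in rules if (groups & r.groups) or (domain in r.domains)}

# Constructed sample users, not real accounts.
SAMPLE_USERS = [
    {"userName": "alice@example.com", "groups": [{"display": "AD-SAC-Users"}]},
    {"userName": "bob@contractor.net", "groups": [{"value": "AD-C4C-Sales"}]},
    {"userName": "carol@contractor.net", "groups": []},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["userName"], "->", sorted(allowed_apps(u)) or "no access")
```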