
Transfer (Azure) Active Directory Groups to SAP Cloud Identity Authentication Service

jonasmeyer1
Explorer
0 Kudos

We've built a SAML/SSO trust between IAS and Azure AD for the authentication of SAP Cloud applications and SCP subaccounts (platform users).

Now, to manage the users in groups, we'd want to transfer assigned AD groups to IAS to further work with them and, on that basis, manage the access to single Cloud apps.

Has anyone had experience with a similar setup?

Accepted Solutions (1)


former_member183326
Active Contributor
0 Kudos

With your scenario you firstly set up a job using SAP IPS. In this job it would be Azure as your source system, provisioning to IAS, so IAS will be your target system: https://help.sap.com/viewer/f48e822d6d484fa5ade7dda78b64d9f5/Cloud/en-US/f217bd39c17d47cdb4f89ed19cb...


Then a second job using SAP IPS; this time IAS will be your source system and you can configure either a standard out-of-the-box connector if it is relevant or a SCIM connector if it's custom. Some service providers can do this dynamically upon logging in, like SAC, and others cannot, like C4C (this may be subject to change with new releases).

You can configure mapping from IAS to the SPs. So, for example, if you have a role created in SAP SAC, this can be mapped to a group in IAS or AD; either works.


From what I gather, you want to provision AD groups to IAS groups dynamically. I'm not sure if this feature exists in IAS yet. The documentation may help with this:

https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/
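
The first job described in this answer (Azure AD as source, IAS as target) amounts to turning source groups into SCIM group resources. A sketch of that transfer follows as an added example; it is not SAP IPS code or configuration and not from the original post. It assumes the target accepts core SCIM 2.0 Group resources (RFC 7643); the sample groups, the allow-list and the user ID map are constructed.

```python
# Added example: constructed data, not SAP IPS code or configuration.
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed sample shaped like Microsoft Graph group objects with members expanded.
AZURE_GROUPS = [
    {"id": "11111111-aaaa-4bbb-8ccc-000000000001", "displayName": "SAC-Analysts",
     "members": [{"id": "u-001", "userPrincipalName": "alice@example.com"},
                 {"id": "u-002", "userPrincipalName": "bob@example.com"}]},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000002", "displayName": "Domain Admins",
     "members": [{"id": "u-003", "userPrincipalName": "carol@example.com"}]},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000003", "displayName": "SCP-Platform",
     "members": [{"id": "u-001", "userPrincipalName": "alice@example.com"},
                 {"id": "u-999", "userPrincipalName": "ghost@example.com"}]},
]

# Allow-list keyed by the immutable object ID, not the display name, which
# can be renamed or reused. Target group names are hypothetical.
GROUP_ALLOWLIST = {
    "11111111-aaaa-4bbb-8ccc-000000000001": "SAC_Analysts",
    "11111111-aaaa-4bbb-8ccc-000000000003": "SCP_Platform",
}

# Users already provisioned in the target: source object ID -> target user ID
# (hypothetical values).
TARGET_USER_IDS = {"u-001": "P000001", "u-002": "P000002"}


def to_scim_groups(azure_groups, allowlist, target_user_ids):
    """Return (scim_groups, skipped); skipped records every dropped group or member."""
    scim_groups, skipped = [], []
    for group in azure_groups:
        target_name = allowlist.get(group["id"])
        if target_name is None:  # deny by default: unlisted groups are never transferred
            skipped.append(("group", group["displayName"]))
            continue
        members = []
        for member in group.get("members", []):
            target_id = target_user_ids.get(member["id"])
            if target_id is None:  # member not provisioned in the target yet
                skipped.append(("member", member["userPrincipalName"]))
                continue
            members.append({"value": target_id, "display": member["userPrincipalName"]})
        scim_groups.append({"schemas": [SCIM_GROUP], "externalId": group["id"],
                            "displayName": target_name, "members": members})
    return scim_groups, skipped


if __name__ == "__main__":
    groups, skipped = to_scim_groups(AZURE_GROUPS, GROUP_ALLOWLIST, TARGET_USER_IDS)
    print(groups, skipped)
```

Reviewing the `skipped` list after each run shows which source groups were held back and which members could not be resolved, before any access rule is built on the transferred groups.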

Answers (3)


jonasmeyer1
Explorer
0 Kudos

Hello Shunji, we have many projects where Identity Provisioning Service will be relevant, but we are not quite there yet.

For example, with SAP Analytics Cloud there is the functionality of importing users from AD and also mapping SAML attributes to the SAC users. But not the groups! There I think you would have to buy the IPS service, which makes it quite easy to map or transform groups.

I would still be interested to hear more about your use case!

jonasmeyer1
Explorer
0 Kudos

P.S. Provisioning to IAS happens manually or "on the fly" during a login attempt via IAS --> SCP --> SAP Cloud Connector (LDAP, Cloud User Store) --> corporate Active Directory

jonasmeyer1
Explorer
0 Kudos

We'd want to set rules (which is possible in a native IAS/IPS constellation) like "if user is in group X, he can access this application" or "if user is in domain Y..." etc.

former_member243324
Participant
0 Kudos

Hi Jonas, I am working on the same case. Do you have an update that you can share with us?