Hybrid SAP Identity Management: Connecting Microsoft Azure Active Directory
A hybrid scenario is the combination of on-premise and one or more cloud systems. While the cloud has been at the forefront of the SAP environment for some time now, it’s still one of SAP’s highest priorities. As an SAP IDM customer or prospect, you may be wondering what will happen to IDM as SAP increasingly embraces a cloud-first strategy. And you may be wondering about the extent to which IDM – a classic on-premise product – can connect to cloud systems. In this article, we’ll show you how to jump on the cloud bandwagon and embrace SAP’s new (cloud) technology while continuing to use on-prem IDM (and integrating it with the cloud).
Times are changing in every way. Cloud computing is no longer a future trend; it’s today’s reality. Cloud systems have found their way into both our private lives and our everyday workflows and business environments. Accordingly, many companies face a similar set of challenges, having to wrestle with questions like… What will my IT infrastructure look like in the future? Which systems will still be available on-premise? How can these systems communicate with each other? What happens to my SAP IDM? Does it make sense to introduce an on-premise SAP IDM into my system landscapes?
Below, we’ll explain what a hybrid SAP system landscape could look like in relation to SAP IDM, and we’ll describe how you can connect a Microsoft Azure Active Directory to your SAP IDM in just a few steps.
Before we get to the details of the Microsoft Azure Active Directory connection, we would like to use the following illustration to clarify how the hybrid scenario would look in this case:
Your SAP IDM is still set up as an on-premise system, and the connected on-premise systems are available as usual (illustrated above the red dotted line). The area below the line represents the cloud systems. In addition to on-premise systems, you can also connect cloud systems; these are made available in the SAP Identity Provisioning Service (IPS) via a proxy system. The connection between SAP IPS and SAP IDM is made using the SCIM connector supplied by SAP. The goal of the hybrid system landscape is to integrate cloud systems into the existing IT infrastructure while SAP IDM remains the central data provider. The linked list shows which systems can currently be connected as proxy systems. Based on this list, you can then carry out the next step: the Microsoft Azure Active Directory connection.
Connecting Microsoft Azure Active Directory
1) Prerequisites:
- You have access to the Proxy Systems tile in the SAP IPS Admin interface.
- You have a user in the Microsoft Azure Active Directory Portal who has the global administrator role; the app (see next requirement) must be registered with this user.
- In Microsoft Azure Active Directory, you have registered an application under App registrations with a secret key and, optionally, “https://graph.microsoft.com” as the redirect URI. The app is mainly defined by its API permissions: Group.ReadWrite.All, GroupMember.ReadWrite.All, and User.ReadWrite.All. Write down the secret key and the application ID from the app registration, as both are required later. Additional permissions may be required; more information can be found here.
2) Register an OAuth client on the SAP Cloud Platform:
Under “Subscription”, the entry for “ipsproxy” must be selected. Write down the secret and the client ID from the OAuth registration, as both are needed later.
3) Assign the role IPS_PROXY_USER to the OAuth client:
Input: oauth_client_<CLIENT ID>, where <CLIENT ID> is the client ID from the OAuth registration in step 2.
4) Set up a new proxy system in SAP IPS:
Enter the properties as shown below (the numbers correspond to the highlighted fields in the illustration):
2) Visible under the app registration endpoints in Microsoft Azure Active Directory
3) Secret key from the app registration
4) Application ID from the app registration
5) Export the .csv file.
6) Import the .csv file as a new repository in the SAP IDM Admin UI and adjust the following repository properties:
1) AUTH_PASSWORD: secret from the OAuth registration
2) AUTH_USER: client ID from the OAuth registration
3) SCIM_ASSIGNMENT_METHOD: must be changed to “PUT”
You can then start the initial load and provision the users accordingly.
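To make the SCIM_ASSIGNMENT_METHOD setting concrete, here is an added Python example (not from the original article, SAP or Microsoft): it contrasts a SCIM 2.0 PATCH delta with the full-replace semantics RFC 7644 defines for PUT, and includes a pre-flight check for group memberships that a PUT built from a stale member list would silently remove. The group and user identifiers are constructed sample values.

```python
"""SCIM 2.0 group assignment, RFC 7644: PATCH sends a delta, PUT replaces
the whole Group resource. With SCIM_ASSIGNMENT_METHOD=PUT the member list
sent must be complete, or members the client does not know about are lost."""
import copy

# Constructed sample: the group as it currently exists on the target system.
TARGET_GROUP = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "id": "grp-office365-e3",  # constructed id, not a real tenant value
    "displayName": "Office365 E3",
    "members": [{"value": "user-alice"}, {"value": "user-bob"}],
}

def patch_add_member(user_id):
    """PATCH body: adds one member and leaves the others untouched."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "add", "path": "members",
                        "value": [{"value": user_id}]}],
    }

def put_group(group, member_ids):
    """PUT body: the complete Group resource carrying the full member list."""
    body = copy.deepcopy(group)
    body["members"] = [{"value": m} for m in member_ids]
    return body

def apply_put(target, body):
    """Target-side effect of PUT: the stored member list is replaced wholesale."""
    updated = copy.deepcopy(target)
    updated["members"] = list(body.get("members", []))
    return updated

def dropped_members(target, body):
    """Pre-flight check: members that the PUT body would silently remove."""
    before = {m["value"] for m in target.get("members", [])}
    after = {m["value"] for m in body.get("members", [])}
    return sorted(before - after)

if __name__ == "__main__":
    # A stale client view knows only alice; assigning carol via PUT drops bob.
    stale = put_group(TARGET_GROUP, ["user-alice", "user-carol"])
    print("PUT would drop:", dropped_members(TARGET_GROUP, stale))  # ['user-bob']
    # Correct: build the PUT from the current full membership plus the new member.
    current = [m["value"] for m in TARGET_GROUP["members"]]
    full = put_group(TARGET_GROUP, current + ["user-carol"])
    print("PUT would drop:", dropped_members(TARGET_GROUP, full))  # []
```

Running the pre-flight check against the target's current membership before the initial load is a cheap way to spot assignments that would disappear because the IDM-side view is incomplete.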
By following these steps, you will have successfully connected the Microsoft Azure Active Directory and can assign licenses to end users – e.g., for Office365.
In order to better understand how the authentication flow works among these systems, we have created an overview for you. Below, you can see the exact relationships between SAP IDM, SAP Cloud Platform, SAP IPS, Microsoft Graph and Microsoft Azure Active Directory:
The individual access points are divided into three clusters. These are briefly explained below.
1) The first access token is issued by the SAP Cloud Platform and reported back accordingly if successful.
2) The second access token is issued by Microsoft Graph and reported back to the IPS if successful.
3) The actual request can only be sent when the two access tokens are available. Only then can authenticated access to the Microsoft Azure Active Directory be successful.
Conclusion: SAP Identity Provisioning Service
With the SAP Cloud Platform Identity Provisioning Service and the provided options for connecting cloud systems, SAP has created an option for a hybrid SAP IDM scenario.
The use case presented here — Microsoft Azure connection to SAP Identity Management — shows that even non-SAP cloud systems can be integrated into the existing system landscape in an uncomplicated manner. The following link leads to the corresponding SAP documentation on the subject of SAP IPS.
Are you interested in, or do you have questions about, hybrid landscapes? Have we sparked your interest in our company? We would be happy to show you a roadmap and workflows for your SAP landscape in order to achieve your SAP security goals and automate your SAP systems.
You can find further information and know-how on the topic of SAP Identity Management in our special SAP IDM webinars for beginners and in the webinars on Xiting SAP IDM Services. Make a request for an individual webinar.