In today’s digital landscape, robust identity and access management systems are essential for organizations operating in the cloud. For this purpose, SAP Cloud Identity Services provide a comprehensive solution. In this blog post, we’ll explore what SAP Cloud Identity Services are, take a closer look at the key components – Identity Authentication Service (IAS) and Identity Provisioning Service (IPS) – and discuss the capabilities the product delivers to organizations.
What are SAP Cloud Identity Services?
SAP Cloud Identity Services is a cloud-based solution for identity and access management. The product is designed to provide a seamless single sign-on (SSO) experience across different systems and to manage user identities securely. Additionally, it streamlines authentication across SAP and non-SAP applications. It is delivered as part of a bundle with an SAP cloud solution such as SAP SuccessFactors, which is the context this blog post focuses on.
Here is what SAP Cloud Identity Services offer:
- Centralized authentication and identity management: Serves as a unified platform for managing user identities and controlling access with multiple authentication options including SSO.
- User self-service: Provides users with functions such as registration or password reset.
SAP Cloud Identity Services comprise two main components, which will be covered in more detail in this blog post:
- Identity Authentication Service (IAS): responsible for secure authentication and user logins
- Identity Provisioning Service (IPS): used to synchronize user data across systems
Beyond that, SAP Cloud Identity Services provide two additional components. First, the Identity Directory serves as a central place for storing and managing users and groups. Second, Authorization Management allows you to define authorization policies for access to SAP BTP-based business applications.
What are SAP IAS and IPS?
Identity Authentication Service (IAS)
IAS offers advanced authentication features tailored to meet a variety of security needs. It acts in two key roles: as a service provider (a resource to which users log on) and as an identity provider (a service that authenticates users and provides the logon to a service provider).
Supported authentication options include:
- Simple password authentication using username and password
- SAML2 SSO: Users can log in once and gain access to multiple applications without having to re-authenticate.
- Multi-Factor Authentication (MFA): A second factor via an authenticator application or via SMS- or email-based one-time passwords (OTPs).
- Conditional authentication: Enforce different authentication methods based on specific attributes, such as user group, domain, or location.
- Identity Provider (IdP) proxy authentication: IAS can function as a primary identity provider itself or as a proxy, delegating authentication to other identity providers, such as Azure Active Directory. This corporate or third-party identity provider can be used either by default or based on conditions such as a specific email domain or user type.
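To make the conditional authentication and IdP proxy behaviour concrete, here is a small added model (not SAP code) of an ordered rule set that decides, per user, which identity provider handles the login and whether a second factor is enforced. The rule names, attribute names, IdP names and users are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One conditional-authentication rule (attribute names are this model's own)."""
    name: str
    idp: str                               # identity provider the login is delegated to
    mfa: bool                              # whether a second factor is enforced
    email_domain: Optional[str] = None     # condition: exact mail domain of the user
    user_type: Optional[str] = None        # condition: e.g. "employee" or "partner"
    group: Optional[str] = None            # condition: required group membership

    def matches(self, user: dict) -> bool:
        """All configured conditions must hold; unset conditions are ignored."""
        if self.email_domain is not None:
            _, sep, domain = user.get("email", "").rpartition("@")
            # Compare the whole domain, not a suffix: "notexample.com" must not match.
            if not sep or domain.lower() != self.email_domain.lower():
                return False
        if self.user_type is not None and user.get("userType") != self.user_type:
            return False
        if self.group is not None and self.group not in user.get("groups", ()):
            return False
        return True

# Constructed rule set, evaluated top-down: the first matching rule decides.
# The strictest rule sits first, so an admin who is also a corporate employee
# is never routed to the corporate rule below it, which leaves MFA to that IdP.
RULES = [
    Rule("admins", idp="ias-local", mfa=True, group="Administrators"),
    Rule("corporate staff", idp="corporate-idp", mfa=False,
         email_domain="example.com", user_type="employee"),
    Rule("partners", idp="partner-idp", mfa=True, user_type="partner"),
]
# Users matching no rule fall back to the default IdP with MFA enforced.
DEFAULT = Rule("default", idp="ias-local", mfa=True)

def route(user: dict, rules=RULES, default=DEFAULT) -> Rule:
    """Return the rule that governs this user's login."""
    for rule in rules:
        if rule.matches(user):
            return rule
    return default
```

The fallback rule is what protects users that no condition covers; when reviewing a tenant, check that the default is at least as strict as the conditional rules.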
Identity Provisioning Service (IPS)
IPS automates the synchronization of user data between systems, enabling organizations to more effectively manage identity lifecycles. When a user is created, modified, or deleted in a source system (in our context, SuccessFactors), IPS automatically updates the information in a target system (here, IAS).
Key capabilities include:
- Data synchronization: IPS ensures seamless transport of entities (users, groups, and roles) between systems.
- Automated identity lifecycle management: facilitates provisioning and deprovisioning of entities via synchronization jobs. These jobs can be scheduled or run manually on demand, either as a complete job or as a synchronized job that reads only new and updated entities.
- Transformation conditions: Administrators can control how data read from SuccessFactors is written to IAS, for example by replacing blank email addresses with unique values.
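The synchronization jobs and the transformation step described in the two points above, as an added simplified model (not IPS's engine or its transformation format): a full job reads every source entity and deprovisions target users that disappeared from the source, a delta job reads only entities modified after a watermark, and a transformation fills blank email addresses with a unique placeholder. The sample users, the placeholder domain and the field names are constructed for this illustration.

```python
# Constructed sample data for this model (not real SuccessFactors or IAS records).
# "lastModified" is an ISO-8601 UTC string, so plain string comparison orders it.
SOURCE_USERS = [
    {"id": "1001", "userName": "alice", "email": "Alice@example.com",
     "lastModified": "2024-05-01T08:00:00Z"},
    {"id": "1002", "userName": "bob", "email": "",          # blank e-mail
     "lastModified": "2024-05-02T09:30:00Z"},
]
# The target already holds a user that no longer exists in the source.
TARGET_USERS = {
    "1003": {"id": "1003", "userName": "carol",
             "email": "carol@example.com", "active": True},
}

def transform(src):
    """Map a source record to the target shape (stands in for an IPS transformation).
    A blank e-mail is replaced with a unique placeholder derived from the immutable id,
    so the target's uniqueness constraint is never violated by empty values."""
    email = (src.get("email") or "").strip().lower()
    if not email:
        email = f"{src['id']}@noemail.invalid"   # assumption: placeholder domain
    return {"id": src["id"], "userName": src["userName"],
            "email": email, "active": src.get("active", True)}

def run_job(source, target, mode="full", since=None):
    """Simulate one provisioning job. mode="full" reads every source entity and
    deactivates target users that vanished from the source; mode="delta" reads only
    entities modified after `since`, so it is cheaper but cannot see deletions."""
    if mode == "delta":
        if since is None:
            raise ValueError("delta job needs a watermark")
        records = [u for u in source if u["lastModified"] > since]
    else:
        records = list(source)
    stats = {"created": 0, "updated": 0, "skipped": 0, "deactivated": 0}
    for src in records:
        new = transform(src)
        old = target.get(new["id"])
        if old is None:
            target[new["id"]] = new
            stats["created"] += 1
        elif old != new:
            target[new["id"]] = new
            stats["updated"] += 1
        else:
            stats["skipped"] += 1
    if mode == "full":
        present = {u["id"] for u in source}
        for uid, rec in target.items():
            if uid not in present and rec["active"]:
                rec["active"] = False       # deprovision by deactivation, not deletion
                stats["deactivated"] += 1
    return stats
```

Because a delta job never learns about deletions, a full job still has to run periodically for leavers to lose access.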
How IAS and IPS work together in SAP Cloud Identity Services
For users to be authenticated correctly in the integrated process, IAS relies on IPS to synchronize the user data from SuccessFactors to IAS. For example, when a new user is created in SuccessFactors, IPS makes the data available in IAS. This new user then receives an activation email from IAS, allowing them to set up their password. Once the account is active, they can securely access SuccessFactors through IAS.
SAP Cloud Identity Services: What capabilities are offered?
Administration
SAP Cloud Identity Services provide a variety of customization and configuration options that allow organizations to tailor the identity experience to fit their branding, security requirements, and user experience goals. The administration console provides a central interface for managing and monitoring user authentication, provisioning and tenant configurations.
Some of the main features include:
- User and user group management: Import, export, and manage users, and group them based on attributes to fine-tune user access and permissions.
- Password policies: Set password parameters such as minimum length or expiration intervals.
- SSO configuration: Configure SSO for a seamless user experience across applications.
- Conditional authentication: Implement conditional authentication rules based on attributes such as email domain or user group.
- MFA setup: Select from multiple MFA methods and configure MFA requirements.
- Email templates: Customize email templates used for user notifications in various scenarios, such as account activation or password reset.
- Branding and theming: Customize, for example, the login pages with company logos, color schemes, or other branding elements.
- Identity provider configuration: Set up an external IdP for authentication, such as your corporate IdP or a social IdP.
- IPS transformation rules: Customize rules for attribute mapping and data transformation between source and target systems.
- Monitoring and reporting: Use monitoring tools to track authentication activity and user synchronization, and to identify potential security issues.
User Self-Service
Beyond administration, SAP Cloud Identity Services empower users with self-service features. These enable users to manage their profile and personal information and perform other account management tasks, such as resetting passwords or activating devices for MFA.
For a more in-depth look at specific topics related to SAP Cloud Identity Services, see the SAP Help Portal documentation for this product. Also, if you are interested in reading topics similar to this, check out our other blog posts here.
Do you need support with your implementation or do you want to know how this product can benefit you? Don’t hesitate to contact us!