SAP Fieldglass and SAP Cloud Identity Services Integration Business Synopsis
SAP Fieldglass
2023-05-22
Business Synopsis
Provides an overview of the SAP Fieldglass and SAP Cloud Identity Services integration.
Introduction
SAP Cloud Identity Services is a central cloud identity suite that enables organizations to easily manage user onboarding and application access. SAP Cloud Identity Services offers comprehensive single sign-on and encryption across organizational and technical boundaries.
SAP Cloud Identity Services consists of two main components, the identity center and the virtual directory server, which combine to deliver the following functions:
• Password management
• Roles and entitlements
• Reporting and auditing
• Provisioning, workflow, and approvals
• Identity virtualization
• Data synchronization
This central identity integration is used by all SAP users, applications, platforms, and sister companies, as well as
by SAP Fieldglass Buyers.
Internally, it allows for seamless user access to SAP Fieldglass, SAP applications and sister companies, giving users
secure access to SAP applications with a single password.
SAP Fieldglass has implemented integration with the SAP Cloud Identity Services: Identity Provisioning (IPS), Identity Authentication (IAS) and SAP Cloud Identity Access Governance (IAG).
Effective November 22, 2021, SAP Cloud Identity Services Identity Provisioning (IPS) and Identity Authentication (IAS) are automatically provisioned for new SAP Fieldglass buyer companies.
• User Management – the user community is loaded into IAS for distribution to SAP Cloud Applications, in this case SAP Fieldglass.
• Login Management – when calling the SAP Fieldglass URL, all users are routed to the SAP Identity Authentication Service (IAS), which validates the user either through single sign-on with the buyer's own Identity Management System or through username and password.
The SAP Identity Provisioning Service (IPS) is responsible for provisioning users from the SAP Identity
Authentication Service (IAS) to SAP Fieldglass, and for updating those records as and when they change in the SAP
Identity Authentication Service (IAS).
Note
All users need to be created and managed within the SAP Identity Authentication Service (IAS) and there's
no ability to create a user through the SAP Fieldglass user interface. Editing of users within SAP Fieldglass is
restricted to only those fields/attributes that aren't captured within IAS.
Note
User Groups/Roles can be managed and assigned to users in both the SAP Identity Authentication Service (IAS) and SAP Fieldglass. It should therefore be decided which system to designate as the master for user role assignment and management. Where SAP Fieldglass is used, the SAP Identity Provisioning Service (IPS) updates any user role changes back into the SAP Identity Authentication Service (IAS) at its next scheduled run.
The following illustration shows a reference architecture for integration with SAP Cloud Identity Services that run
on the SAP Business Technology Platform (previously SAP Cloud Platform). It defines the requirements that SAP
Cloud applications must fulfill in order to enable themselves for single sign-on and identity provisioning.
The architecture focuses mainly on the integration points between SAP Cloud Identity Services and applications. Additional aspects of the identity lifecycle (such as workflows, auditing, reporting, etc.) are out of scope for this document and are covered by the SAP Cloud Identity Services themselves.
The Identity Provisioning service automates identity lifecycle processes. It helps you provision identities and their
authorizations to various cloud and on-premise business applications. The service provisions and synchronizes
user accounts and authorizations in a system landscape and includes a directory for storing basic user attributes
that support the authentication and identity lifecycle management scenarios.
This integration is coded to the System for Cross-domain Identity Management (SCIM) v2 protocol, the open REST API standard for automating and managing the exchange of user identity information between IT systems. The integration supports all operations as per the SCIM guidelines, including bulk operations, GET, POST, and so forth. SCIM is designed to make managing user identities in cloud-based applications and services easier. In short, SCIM makes user data more secure and simplifies the user experience by automating the user identity lifecycle management process. For more information on SCIM, go to http://www.simplecloud.info/.
• SAP uploads users to the Identity Provisioning service via the SCIM API and assigns a unique universal ID (IDM
ID) to each user. The IDM ID is global for all SAP applications, platforms, and sister companies.
• The Identity Provisioning service sends the user name and external IDM ID to SAP Fieldglass. New users are created, with SAP Fieldglass storing both the username and the UUID. Existing users are updated where appropriate; where an existing user has no UUID or an invalid UUID, the UUID is updated as well.
• The logic of the User Upload Connector populates SAP Fieldglass with the users provisioned via the Identity
Provisioning service.
Note
In SAP Fieldglass, you can add groups to a member and add roles to a user, but you can’t add members to a
group or add users to a role.
Note
Where users are being managed via SAP Cloud Identity Services, new users can't be created directly within SAP
Fieldglass via the user interface, and restrictions apply to certain user attributes when editing an existing user
via the SAP Fieldglass user interface.
SAP Fieldglass provides the following APIs for buyers to facilitate the actions they want to perform in the SAP Fieldglass application.
After a buyer user obtains an access token and logs into the SAP Fieldglass application, the API gets all user roles (groups in SAP) for that user's company. The API then returns the schema ID details of the group, the group name, the group details, and all group members.
• Get Access Token – Sends a GET request that returns a token to access the SAP Fieldglass application.
• Get Details of a Group – Sends a GET request that returns all details of a role.
• Create User – Sends a POST request that creates a user in SAP Fieldglass. If the user isn't created in SAP, then the user doesn't have a UUID. IPS sends PUT requests to upload user details into SAP Fieldglass. Upload requests use the coding logic of the User Upload connector, without actually triggering the connector to run, and therefore the connector activity isn't visible in the Audit Trail.
• Get Details of User – Sends a GET request that returns the details of a user, including schema, displayName, profileUrl, addresses, ims, and meta.
• Update User – Sends a PUT request that updates the details of a user.
• Get Details of User After Update – Sends a GET request that returns the details of a specified user after the update.
• Delete User – Sends a DELETE request that deactivates a specified user (it doesn't remove the user from the application).
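The provisioning rules described above (new users are created with username plus UUID, existing users are updated and a missing or invalid UUID is repaired, DELETE deactivates rather than removes) as an added, constructed example; this is not SAP code, the in-memory store stands in for SAP Fieldglass, and it assumes the IDM ID travels in the SCIM externalId attribute, which the page does not state.

```python
import uuid

def valid_uuid(value):
    """True if value is a well-formed UUID string (the IDM ID that IPS assigns to each user)."""
    try:
        return str(uuid.UUID(str(value))).lower() == str(value).lower()
    except (ValueError, TypeError):
        return False

class FieldglassUserStore:
    """Constructed in-memory stand-in for the SAP Fieldglass user table."""
    def __init__(self, legacy_users=()):
        # Users created in Fieldglass before the IAS/IPS integration carry no UUID.
        self.users = {u["userName"]: dict(u) for u in legacy_users}

    def provision(self, scim_user):
        """Apply one SCIM v2 User resource from IPS (create if new, else update)."""
        name = scim_user["userName"]
        idm_id = scim_user.get("externalId")  # assumption: externalId carries the IDM ID
        if not valid_uuid(idm_id):
            # Reject rather than store a bad identifier: the UUID is the cross-system key.
            raise ValueError(f"{name}: externalId is not a UUID: {idm_id!r}")
        rec = self.users.get(name)
        if rec is None:
            # New user: Fieldglass stores both the username and the UUID.
            self.users[name] = {"userName": name, "uuid": idm_id, "active": True,
                                "displayName": scim_user.get("displayName")}
            return "created"
        # Existing user: refresh attributes and repair a missing or invalid UUID.
        rec["displayName"] = scim_user.get("displayName", rec.get("displayName"))
        if not valid_uuid(rec.get("uuid")):
            rec["uuid"] = idm_id
            return "updated-uuid"
        return "updated"

    def delete(self, name):
        """DELETE deactivates the user; the record is not removed from the store."""
        self.users[name]["active"] = False
        return self.users[name]

# Constructed sample data: one legacy user without a UUID and two SCIM payloads from IPS.
LEGACY = [{"userName": "asmith", "uuid": None, "displayName": "A. Smith", "active": True}]
IPS_PAYLOADS = [
    {"userName": "jdoe", "externalId": "0d6f9c38-4a2e-4b9b-9a1b-2f3c4d5e6f70", "displayName": "Jane Doe"},
    {"userName": "asmith", "externalId": "7b1e2c93-5d44-4e0f-8a6c-1f2e3d4c5b6a", "displayName": "Alex Smith"},
]

def run_sync():
    """Run one IPS -> Fieldglass sync over the sample data; return (outcome per user, store)."""
    store = FieldglassUserStore(LEGACY)
    outcomes = {p["userName"]: store.provision(p) for p in IPS_PAYLOADS}
    return outcomes, store
```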
SAP Cloud Identity Access Governance (IAG) is a cloud-based solution for creating self-service access requests for on-premise and cloud applications and systems.
Connecting to the IAG solution enables SAP Fieldglass users to initiate access requests, which are then provisioned to target applications. IAG leverages out-of-the-box authorizations and risk modeling to analyze SAP Fieldglass access requests.
The SAP Cloud Identity Access Governance (IAG) solution is built on the SAP Business Technology Platform. It uses SAP NetWeaver APIs to fetch data from on-premise and cloud solutions, and its services enable you to create access requests, analyze risks, and design roles.
IAG allows users to select SAP Fieldglass as a product from within any SAP sister company and attain access for
buyer users.
SAP Cloud Identity Access Governance is a service on the SAP Business Technology Platform (SAP BTP) that
integrates with other SAP BTP services and connects with cloud and on-premise target applications.
For detailed information on the integration scenarios, see Integration Scenarios in the SAP Cloud Identity Access
Governance Admin Guide.
This integration requires the following SAP Fieldglass connectors to be enabled, with the format type set to JSON:
• User Upload
• User Role Download
• User Role Detail Download
• User Download
Connecting SAP Fieldglass to SAP Cloud Identity Access Governance Service
The information in this section provides an overview of the procedure for connecting SAP Fieldglass to the SAP Cloud Identity Access Governance (IAG) service. Connecting to the IAG service enables SAP Fieldglass users to initiate access requests, which are then provisioned to target applications.
Prerequisites
Before setting up the integration, ensure you have completed the configuration of the SAP Cloud Identity Access Governance service.
Process Overview
There are three steps to enable integration between SAP Fieldglass and the SAP Cloud Identity Access Governance service:
1. In the SAP BTP, set up a destination for the SAP Fieldglass solution.
2. In the access request service, use the Systems app to create an instance for the SAP Fieldglass solution.
3. In the access request service, use the Job Scheduler app to synchronize user data and provision access
requests.
The assignment of groups and roles to users controls the following three security aspects:
Additional Resources
Google provides a wealth of knowledge and information on SAP Cloud Integration. In addition, the following internal
and external resources are available.
• https://help.sap.com/viewer/f48e822d6d484fa5ade7dda78b64d9f5/Cloud/en-US/2d2685d469a54a56b886105a06ccdae6.html
• User assistance for SAP Cloud Integration on SAP Help Portal – https://help.sap.com/viewer/product/CLOUD_INTEGRATION/Cloud/en-US