
SECCL1
Identity and Access Management in SAP Cloud Platform
EXERCISES AND SOLUTIONS
Course Version: 11
Course Duration: 4 Hours 40 Minutes
Material Number: 50154352

SAP Copyrights, Trademarks and Disclaimers

© 2022 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the
express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. Please see https://www.sap.com/corporate/en/legal/copyright.html for additional
trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software
components of other software vendors.
National product specifications may vary.
These materials may have been machine translated and may contain grammatical errors or
inaccuracies.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only,
without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable
for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate
company products and services are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein should be construed as constituting an
additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business
outlined in this document or any related presentation, or to develop or release any functionality
mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’
strategy and possible future developments, products, and/or platform directions and functionality are
all subject to change and may be changed by SAP SE or its affiliated companies at any time for any
reason without notice. The information in this document is not a commitment, promise, or legal
obligation to deliver any material, code, or functionality. All forward-looking statements are subject to
various risks and uncertainties that could cause actual results to differ materially from expectations.
Readers are cautioned not to place undue reliance on these forward-looking statements, which speak
only as of their dates, and they should not be relied upon in making purchasing decisions.

© Copyright. All rights reserved. iii


Typographic Conventions

American English is the standard used in this handbook.

The following typographic conventions are also used.

● This information is displayed in the instructor's presentation
● Demonstration
● Procedure
● Warning or Caution
● Hint
● Related or Additional Information
● Facilitated Discussion
● User interface control: Example text
● Window title: Example text



Contents

Unit 1: SAP Cloud Platform Security
  Exercise 1: Connect the SAP Cloud Platform Cloud Foundry Account to an IdP

Unit 2: SAP Cloud Platform Identity Provisioning Service
  No exercises

Unit 3: SAP Identity Management
  Exercise 2: Load Employees from SuccessFactors to SAP IdM

Unit 4: SAP Cloud Platform Identity Authentication Service
  Exercise 3: Provision Users to SAP Cloud Platform IAS
  Exercise 4: Configure Branding and Self-Registration with SAP Cloud Platform IAS
  Exercise 5: Configure Two-Factor Authentication and Social Login

Unit 5: S/4HANA On-Premise
  Exercise 6: Provision Business Partners from SAP Cloud Platform Identity Authentication Service (IAS) to S/4HANA On-Premise
  Exercise 7: Assign Roles to Users in S/4HANA

Unit 1
Exercise 1: Connect the SAP Cloud Platform Cloud Foundry Account to an IdP

Training System Landscape

Figure 1: Training System Landscape for SECCL1

Training System Landscape Components


● SAP Identity Management (IdM) is the on-premise solution from SAP for Identity and
Access Management. It is the foundation for the on-boarding of new employees from
SuccessFactors and it supports the identity lifecycle, from hire to retire.
● SAP S/4HANA is the latest state-of-the-art business platform, which ensures that you are
on the cutting edge of existing technology by addressing new challenges with innovative
business models and modern infrastructure. It is used as the target for the provisioning.
● Cloud connector is the key component that creates the connection between the on-
premise environment and the Cloud. It establishes a secure tunnel, through which
information is exchanged.
● Connectivity service is the counterpart of the Cloud connector. It resides in the Cloud and
ensures that the information from the on-premise systems is correctly available to the
cloud applications.
● SAP Cloud Platform Identity Authentication Service (IAS) supports the authentication of
users to Cloud or on-premise services. It acts as an identity provider (IdP).
● Cloud platform accounts are available in two flavors: Neo and Cloud Foundry. This course
is focused on Cloud Foundry, however, some of the services like IPS are not yet available
on Cloud Foundry. Therefore, we will also access the Neo account.



Unit 1: SAP Cloud Platform Security

● SAP Cloud Platform IPS provides user and access provisioning to Cloud and on-premise
systems.
● SAP SuccessFactors is used as the enterprise repository for employees and is used for
syncing new hires.
● The app deployed on Cloud Foundry is a simple app with role-based access. Its purpose is
to show how authentication is handled using IAS.

Exercise 1
In this scenario, we are going to connect the SAP Cloud Platform Cloud Foundry account to an
IdP other than SAP ID. Additionally, since our new application requires specific roles to be
assigned in order to function, we will investigate what options we have using SAML attribute
mapping to assign those roles to our new users coming from IAS.

Prerequisites
● Deploy and run the Cloud application provided by your instructor.
● Have admin access to IAS Tenant
● Have admin access to the SAP Cloud Platform Cockpit

Execution Plan
Step 1  Log in to your SAP Cloud Foundry account (provided by your instructor): https://account.hana.ondemand.com/cockpit/#/home/allaccounts
Step 2  Deploy the provided Cloud application using the CLI
Step 3  Connect the IAS tenant to the Cloud Foundry account
Step 4  Define SAML mapping rules to access the custom app

1. Log in to SAP Cloud Platform Cockpit account.

2. Verify availability of the two subaccounts – Neo and Cloud Foundry

3. Check IPS availability – you should see the Proxy systems tile

4. Prepare for the deployment of the Cloud application by configuring a space in SAP Cloud
Platform Cloud Foundry subaccount.

5. Deploy the provided Cloud application in your course folder.


In order to deploy the Cloud application to your Cloud Foundry sub-account, you need
Cloud Foundry Command Line Interface (CLI).
The CLI should be pre-installed in your WTS environment.

6. Access the Cloud app from your Cloud Foundry subaccount.

7. To resolve the Forbidden message, check the roles, scopes, role templates, role
collections and assign the Finance_Admin role collection to your SAP Cloud Platform
Cloud Foundry user account.

8. Access the Cloud app again with the newly assigned role collection. You should no longer
see the Forbidden message.


9. Connect an external IdP (IAS) to the Cloud Foundry subaccount to easily onboard new
members to your Cloud app.

10. Retrieve metadata from IAS tenant.

11. Create a new application in IAS, which points to your Cloud Foundry subaccount.
Now that we have established the new IdP on Cloud Foundry side, we need to ensure that
the trust is established in IAS as well.

12. Set up the SAML configuration of your IAS application.

13. Configure the IAS application settings and attributes.

14. Log in to the Cloud application using the new IAS IdP.

15. Define static role assignment using the IAS IdP.

16. Log in to the deployed app again using IAS authentication to verify the newly assigned
groups.

17. Create role collection mappings, but first remove the static assignments.
You must first revert the setup in the Role Collection Assignment for the IAS trust
configuration.

18. Create IAS groups.

19. Maintain role collection mappings in the Cloud Foundry subaccount with created IAS
Groups.

20. Brainstorming task.


Application roles also offer the possibility to restrict data access based on certain
attributes. If you browse the application roles again, you will notice that they support one
attribute called Cost Center. Let’s assume that you would like to limit the access of the
Auditors only to cost center 3333. What would be a possible approach to automate this
assignment for users coming from IAS? What changes need to be done to the current
setup? Do we have to change anything in the application code?
Keep in mind that the default instances of role templates cannot be edited. You need to
create a new role following a certain role template to be able to edit it. The same applies to
the role collections.



Unit 1
Solution 1: Connect the SAP Cloud Platform Cloud Foundry Account to an IdP

Training System Landscape

Figure 1: Training System Landscape for SECCL1

Training System Landscape Components


● SAP Identity Management (IdM) is the on-premise solution from SAP for Identity and
Access Management. It is the foundation for the on-boarding of new employees from
SuccessFactors and it supports the identity lifecycle, from hire to retire.
● SAP S/4HANA is the latest state-of-the-art business platform, which ensures that you are
on the cutting edge of existing technology by addressing new challenges with innovative
business models and modern infrastructure. It is used as the target for the provisioning.
● Cloud connector is the key component that creates the connection between the on-
premise environment and the Cloud. It establishes a secure tunnel, through which
information is exchanged.
● Connectivity service is the counterpart of the Cloud connector. It resides in the Cloud and
ensures that the information from the on-premise systems is correctly available to the
cloud applications.
● SAP Cloud Platform Identity Authentication Service (IAS) supports the authentication of
users to Cloud or on-premise services. It acts as an identity provider (IdP).
● Cloud platform accounts are available in two flavors: Neo and Cloud Foundry. This course
is focused on Cloud Foundry, however, some of the services like IPS are not yet available
on Cloud Foundry. Therefore, we will also access the Neo account.


● SAP Cloud Platform IPS provides user and access provisioning to Cloud and on-premise
systems.
● SAP SuccessFactors is used as the enterprise repository for employees and is used for
syncing new hires.
● The app deployed on Cloud Foundry is a simple app with role-based access. Its purpose is
to show how authentication is handled using IAS.

Exercise 1
In this scenario, we are going to connect the SAP Cloud Platform Cloud Foundry account to an
IdP other than SAP ID. Additionally, since our new application requires specific roles to be
assigned in order to function, we will investigate what options we have using SAML attribute
mapping to assign those roles to our new users coming from IAS.

Prerequisites
● Deploy and run the Cloud application provided by your instructor.
● Have admin access to IAS Tenant
● Have admin access to the SAP Cloud Platform Cockpit

Execution Plan
Step 1  Log in to your SAP Cloud Foundry account (provided by your instructor): https://account.hana.ondemand.com/cockpit/#/home/allaccounts
Step 2  Deploy the provided Cloud application using the CLI
Step 3  Connect the IAS tenant to the Cloud Foundry account
Step 4  Define SAML mapping rules to access the custom app

1. Log in to SAP Cloud Platform Cockpit account.


a) Use the link from your course folder and log in to your SAP Cloud Platform Cloud
Foundry account with the credentials provided by your instructor.

Figure 2: SAP ID Service

2. Verify availability of the two subaccounts – Neo and Cloud Foundry


a) Navigate to the subaccounts section on the left side of the screen and check that there
is only one Cloud Foundry and one Neo subaccount as shown in the figure,
Subaccounts.

Figure 3: Subaccounts

Note:
The naming should be SECCL-AXX, where XX represents your assigned
group for the course. If you do not see the subaccounts or if there is
another one displayed other than the one assigned to you, please contact
your instructor.

3. Check IPS availability – you should see the Proxy systems tile
a) Navigate to the Neo subaccount, then click on Services from the menu on the left and
search for Provisioning. You should see the service enabled as shown in the
screenshot.

b) Click on the tile and from the newly opened content, select Go to service. This should
take you to the IPS in a separate tab. Within this tab, you should see the second
screenshot below (the Proxy Systems tab should be visible). If this is the case, then
your readiness check is done, and you can move on to the next step.

Figure 4: Check IPS Availability


4. Prepare for the deployment of the Cloud application by configuring a space in SAP Cloud
Platform Cloud Foundry subaccount.
a) Return to the subaccounts section of your Cloud account and navigate to the Cloud
Foundry subaccount.

b) Click Create Space.

c) Name the space security and leave the checkboxes as marked by default.

d) Click Create.

Figure 5: Prepare for the Deployment of the Cloud Application

This will take you directly to the applications within this space where there are
currently none.

5. Deploy the provided Cloud application in your course folder.


In order to deploy the Cloud application to your Cloud Foundry sub-account, you need
Cloud Foundry Command Line Interface (CLI).
The CLI should be pre-installed in your WTS environment.
a) Open a command prompt and run cf to check if the CLI is available

Figure 6: cf_installer

b) Add an environment variable in your Windows system properties as shown in the
figure Add Environment Variable.


Variable       Value
https_proxy    https://proxy:8080

Figure 7: Add Environment Variable

c) After setting up the proxy, run the following command in the command prompt
window to install the cf CLI plugin that allows us to deploy multi-target application
archives to SAP Cloud Platform:
cf install-plugin multiapps
This adds the deploy command to your CLI installation.

d) Deploy the Cloud app from the course folder provided by your instructor using the
following set of commands in the command prompt:

● cf login
If asked, provide API endpoint, which you can find in your Cloud Foundry
subaccount on the overview page as shown below in the screenshot:

Figure 8: API Endpoint

Provide the email and password credentials for your Cloud Foundry subaccount
(e.g. seccl-a##@education.cloud.sap / password)


● cf deploy "<path to app>\<app name>.mtar"
(e.g. cf deploy "N:\My Documents\SECCL1\AuthApp.mtar")
The deployment will take some time. Once the process has finished, you should see
the app running in your Cloud Foundry subaccount as shown in the Application
State figure.

Figure 9: Application State

6. Access the Cloud app from your Cloud Foundry subaccount.


a) Clicking the application name opens the application overview, which contains the
application routes. There should only be one displayed.

b) Click on it to navigate to the app.

c) Log in with your Cloud Foundry email and password, which was used for logging in to
the SAP Cloud Platform Cockpit.

Figure 10: Navigation Links

You should see the two links for the roles Auditor and CFO. For now both options open
a Forbidden screen, as you require special roles to access these resources.

7. To resolve the Forbidden message, check the roles, scopes, role templates, role
collections and assign the Finance_Admin role collection to your SAP Cloud Platform
Cloud Foundry user account.
a) Within the application overview, click Roles in the left navigation menu.
There are two role templates: Finance_Auditor and Finance_CFO.


Figure 11: Roles by Role Templates

b) To see the list of the available role collections, navigate to the subaccount level and
open Security → Role Collections.
There are three role collections. One that combines the Auditor and CFO role
templates and two others for the two separate role templates.

Figure 12: Role Collections

c) To assign the Finance_Admin role collection to your Cloud Foundry user, navigate to
Security → Trust configuration and select the SAP ID identity provider. Type the email
address of your user and click Show Assignments. It should return an empty result.
Click Assign Role Collection.

Figure 13: Show Assignments

d) Select the Finance_Admin role collection from the drop-down and click Assign Role
Collection.


Figure 14: Assign Role Collection

8. Access the Cloud app again with the newly assigned role collection. You should no longer
see the Forbidden message.
a) Navigate to your application overview and click on the application router URL.
The initial page is shown again, but this time when you navigate to the Auditor and CFO
links, you should no longer see the Forbidden message.

9. Connect an external IdP (IAS) to the Cloud Foundry subaccount to easily onboard new
members to your Cloud app.
a) Enter your subaccount main screen and open the Security menu from the left-hand
side of the screen.
The Trust Configuration option is the entry point for the setup. Currently there is only
one active provider, SAP ID Service.

Figure 15: Connect IAS to the Cloud Foundry Account

b) To set up IAS as a new IdP, we need to exchange metadata between the Cloud
platform and IAS. Leave this window open and continue with the next task in a new
browser tab.

10. Retrieve metadata from IAS tenant.


a) Using the host name provided by your instructor, access the SAML 2.0 metadata of
the IAS tenant directly at the following address, where <Identity_Authentication_host>
is the host name of your IAS tenant:
https://<Identity_Authentication_host>/saml2/metadata

b) Save the result as an XML file and ensure that you include the XML declaration (the
opening <?xml ... ?> line).


c) Return to the browser window of the previous step with the Trust Configuration and
click New Trust Configuration. In the newly opened window, paste the contents of the
XML file in the large text field below the Upload button. Click Parse, most of the fields
will be populated automatically.

d) Enter an optional name for the trust configuration, e.g. IAS. Provide a description and
click Save.

Figure 16: New Active IdP

A new active IdP has been created in your subaccount.
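Before pasting IdP metadata into a trust configuration it is worth checking what you are about to trust: the entityID, the SSO endpoints, the NameID formats and, above all, that a signing certificate is present, since without it assertions from that IdP cannot be verified. The following script is an added example and not part of the course material. It runs on a constructed, minimal metadata document in the shape IAS serves under https://<Identity_Authentication_host>/saml2/metadata; the tenant host name, entityID and the certificate payload are placeholders, not values from any real tenant. It uses only the Python standard library.

```python
"""Sanity-check SAML 2.0 IdP metadata before it goes into a trust configuration.

Added example, not part of the SECCL1 course material. SAMPLE_METADATA is a
constructed document in the shape IAS serves under
https://<Identity_Authentication_host>/saml2/metadata; host name, entityID and
certificate payload are placeholders.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample. The X509Certificate content is the base64 of the string
# "CERT-PLACEHOLDER", not a real certificate; it only exercises the decode step.
# The HTTP-Redirect endpoint is deliberately plain http to trigger a finding.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-tenant.accounts.ondemand.com">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>Q0VSVC1QTEFDRUhPTERFUg==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.accounts.ondemand.com/saml2/idp/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://example-tenant.accounts.ondemand.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(metadata_xml: bytes) -> dict:
    """Extract the trust-relevant parts of IdP metadata and collect findings.

    Returns entity_id, want_authn_requests_signed, signing_certificates (count),
    nameid_formats, sso_endpoints (binding -> URL) and findings (list of str).
    """
    findings = []
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        findings.append("root element is %s, not md:EntityDescriptor" % root.tag)
    entity_id = root.get("entityID")
    if not entity_id:
        findings.append("entityID missing")

    want_signed = False
    signing_certificates = 0
    nameid_formats = []
    sso_endpoints = {}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        findings.append("no md:IDPSSODescriptor found; this is not IdP metadata")
    else:
        want_signed = idp.get("WantAuthnRequestsSigned", "false").lower() == "true"
        for kd in idp.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without a use attribute is valid for signing and encryption.
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                try:
                    base64.b64decode("".join((cert.text or "").split()), validate=True)
                except ValueError:  # binascii.Error is a ValueError
                    findings.append("signing certificate is not valid base64")
                    continue
                signing_certificates += 1
        if signing_certificates == 0:
            findings.append("no signing certificate: assertions from this IdP cannot be verified")
        nameid_formats = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
        for sso in idp.findall("md:SingleSignOnService", NS):
            binding = sso.get("Binding", "")
            location = sso.get("Location", "")
            sso_endpoints[binding] = location
            if not location.startswith("https://"):
                findings.append("SingleSignOnService (%s) is not https: %s"
                                % (binding.rsplit(":", 1)[-1], location))
        if not sso_endpoints:
            findings.append("no SingleSignOnService endpoint")

    return {
        "entity_id": entity_id,
        "want_authn_requests_signed": want_signed,
        "signing_certificates": signing_certificates,
        "nameid_formats": nameid_formats,
        "sso_endpoints": sso_endpoints,
        "findings": findings,
    }


if __name__ == "__main__":
    report = inspect_idp_metadata(SAMPLE_METADATA)
    for key, value in report.items():
        print("%s: %s" % (key, value))
```

Run against the real file you saved in step 10 b) by reading it as bytes and passing it to inspect_idp_metadata; an empty findings list and exactly the entityID of your own tenant is what you want to see before you click Parse.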

11. Create a new application in IAS, which points to your Cloud Foundry subaccount.
Now that we have established the new IdP on Cloud Foundry side, we need to ensure that
the trust is established in IAS as well.
a) Navigate to the admin console of IAS which is located at the following URL:
https://<Identity_Authentication_tenant>.accounts.ondemand.com/admin

Figure 17: Admin Console

b) From the menu on the left hand side of the screen, choose Application &
Resources → Applications. Click +Add to add a new application.


Figure 18: Add New Application

c) Enter a name for the new application which represents your service provider, for
example, CF Account.

12. Set up the SAML configuration of your IAS application.


a) Select the newly created application. On the right-hand side you will see SAML 2.0
Configuration; select it and you will be guided to the screen shown in the figure, Set Up
SAML Configuration.

Figure 19: Set Up SAML Configuration

b) Import the metadata from our Cloud Foundry account, it can be accessed in your SAP
Cloud Platform cockpit within Security → Trust configuration menu of your subaccount
by clicking on the SAML Metadata button:


Figure 20: SAML Metadata

c) By clicking on the button, you will download the metadata of your Cloud Foundry
subaccount. Follow the same procedure as with IAS and store it as an XML file.

d) To import the stored file in IAS, click Browse and select the metadata file, rename the
Name field to IAS and then click Save.

Figure 21: Import the stored file in IAS

13. Configure the IAS application settings and attributes.


a) From the applications menu in IAS, select the new application and navigate to Subject
Name Identifier. From the drop-down menu, select E-mail and click Save.

b) From the application menu, select Default Name ID format. From the two options,
choose Email and click Save.

c) Go to Assertion Attributes and use +Add to add the Groups user attribute. In the input
field for assertion attribute, enter Groups (it is case-sensitive). Click Save.


Figure 22: Configure New App Settings and Attributes

14. Log in to the Cloud application using the new IAS IdP.
a) If you copy the URL of the application and open it in another browser, you will be
presented with a login screen that offers two options: to log in using the default SAP ID
or to navigate to the newly configured IAS login.

b) Click on the IAS Login link below the Log on button. This will take you to a new login
screen, which uses the authentication you defined in IAS. To log in to the app, you
must provide the credentials from IAS and not from the SAP ID.

Note:
The username should be the same as the email used to do the setup in IAS.
If you are unsure of these details, ask the instructor for the credentials.

Figure 23: Log In to the Cloud App


Once logged in, you can see that none of the users in IAS has access to the app. This is
because they don't have the role collections assigned (remember that the current
assignment was done for the default IdP, not for IAS).

15. Define static role assignment using the IAS IdP.


a) To define a static assignment for an IAS user, navigate to your subaccount and click
Security → Trust configuration. Then select the newly configured IdP - IAS.

b) Go to the last item on the left side of the screen, Role Collection Assignment. In the
User field, type the email of the user from IAS.

c) Click Show Assignments, then Assign Role Collection. From the drop-down menu,
select Finance_Admin and click Assign Role Collection.

Figure 24: Define Static Assignment in the IAS Identity Provider

16. Log in to the deployed app again using IAS authentication to verify the newly assigned
groups.
a) Open the application overview page and open the application router URL in another
browser or a new browser session (e.g. incognito).

b) Log in with your IAS credentials.


If you use the same user that you maintained in the previous step, then you will now
have access to both links. However, this static assignment is not efficient, especially if
you want to support multiple users in an automated manner. In the next steps, we will
investigate what other options are available.

17. Create role collection mappings, but first remove the static assignments.
You must first revert the setup in the Role Collection Assignment for the IAS trust
configuration.
a) Delete the existing fixed assignments, which you created in the previous step. Confirm
the deletion in the newly opened dialog.


b) Navigate within the same page to the Role Collection Mappings menu and click New
Role Collection Mapping.

Figure 25: Check Role Collection Mappings

The new popup contains important information about the next steps. In the first drop-
down menu, the available Role collections are displayed. We are then presented with
the attribute that is used for the mapping and the operator, which cannot be changed.
We can maintain the Value field once we have groups, which you will create in the next
step of the exercise. Leave this browser window open.

18. Create IAS groups.


a) Log in to the admin UI of IAS and navigate to Users & Authorizations → User Groups.

b) Create two groups using +Add. Name the first group: SECCL1_Auditors and the
second group: SECCL1_CFOs.

c) Assign the newly created groups to your user in IAS. Go to Users &
Authorizations → User Management and click on your user. Select the User groups tab
and assign the required groups to the user by selecting Assign Groups.


Figure 26: Create IAS Groups and Assign to User

19. Maintain role collection mappings in the Cloud Foundry subaccount with created IAS
Groups.
a) Return to your open Cloud Foundry subaccount browser window. Within the IAS trust
configuration, maintain the names of the new groups as shown below and choose
Save. Keep in mind that if your user is assigned both groups, you will have access to
both links in the app. If you would like to have access to only one of the links, assign
only one of the two groups from the table below to your IAS user.

Role Collection Name    Value
Finance_auditor         SECCL1_Auditors
Finance_CFO             SECCL1_CFOs

Figure 27: Maintain Role Collection Mappings


b) Access the Cloud app.


Based on the assigned groups in IAS, you should be able to access only one or both of
the links.

20. Brainstorming task.


Application roles also offer the possibility to restrict data access based on certain
attributes. If you browse the application roles again, you will notice that they support one
attribute called Cost Center. Let’s assume that you would like to limit the access of the
Auditors only to cost center 3333. What would be a possible approach to automate this
assignment for users coming from IAS? What changes need to be done to the current
setup? Do we have to change anything in the application code?
Keep in mind that the default instances of role templates cannot be edited. You need to
create a new role following a certain role template to be able to edit it. The same applies to
the role collections.



Unit 3
Exercise 2: Load Employees from SuccessFactors to SAP IdM

Creating users in SAP Identity Authentication Service (IAS) manually is an approach that can
be used if you have a low number of users, but it is likely that it will eventually become
necessary to automate their creation. In the landscape, we have an SAP SuccessFactors
system, which can act as a source for the employees.
In this exercise, we are going to use the SAP Cloud Platform Identity Provisioning Service
(IPS) in proxy mode to connect SAP IdM and SAP SuccessFactors. We will then load all users
from SuccessFactors to SAP IdM. In the following exercise, we will build on this task by using
the pre-loaded employees to provision to IAS.

Prerequisites
SuccessFactors user with sufficient privileges to read the employee data.
Enabled proxy mode for IPS

Execution Plan
Step 1  Create proxy system in IPS
Step 2  Import proxy system in SAP IdM
Step 3  Run initial load from proxy system
Step 4  Check results

1. Create and set up a new OAuth client from the Neo sub-account.

2. Assign IPS_PROXY_USER to your newly created OAuth client.

3. Navigate to IPS.

4. Create a proxy system using the details in the following table:

Field          Value
Type           SAP SuccessFactors
System Name    SAP_SF
Description    Employee Store for IdM

5. Maintain system properties using the information from the following table:

Table 1: Mandatory Properties

Property Name     Description & Value
Type              HTTP
URL               Specify the URL to your SAP SuccessFactors API. Ask the instructor for the correct API endpoint according to your SF server and add the suffix /odata/v2 to it.
ProxyType         Internet
Authentication    BasicAuthentication
User              Enter the userID of your SAP SuccessFactors technical user in the following format: <userID>@<companyId>. The companyId can be retrieved from the URL of your SuccessFactors tenant.
Password          Enter the password of your SAP SuccessFactors technical user (type credential).

6. Export the configured system in CSV format.

Save the exported file to N:\My Documents\SECCL1\

Figure 31: Export the System in CSV Format

7. Set up SAP IdM using a remote desktop session on the server where SAP IdM is installed.

8. Connect to SAP IdM using Eclipse.

9. Create a new identity store.


Before we can use SAP IdM, we need to create the initial identity store.

10. Import packages.


The standard SAP IdM packages need to be imported to facilitate certain tasks in IdM.
Please ask your instructor for the folder where the packages are located. These include:

● com.sap.idm.provisioning.engine



Unit 3: SAP Identity Management

● com.sap.idm.forms.default

● com.sap.idm.connector.custom

● com.sap.idm.connector.scim

● com.sap.idm.connector.sci

11. Provide access to the Web UI.

Note:
For a user to have access to the Web UI, they must be part of the identity
store.

12. Import the CSV repository.

13. Maintain the OAuth user and password, proxy host, port and assignment method.

14. Check and start the dispatcher if it is not running.

15. Run the initial job for the newly created repository.
The job is likely to finish with an error state.

16. Check the result of the initial load.



Unit 3
Solution 2: Load Employees from SuccessFactors to SAP IdM

Creating users in SAP Identity Authentication Service (IAS) manually is an approach that can
be used if you have a low number of users, but it is likely that it will eventually become
necessary to automate their creation. In the landscape, we have an SAP SuccessFactors
system, which can act as a source for the employees.
In this exercise, we are going to use the SAP Cloud Platform Identity Provisioning Service
(IPS) in proxy mode to connect SAP IdM and SAP SuccessFactors. We will then load all users
from SuccessFactors to SAP IdM. In the following exercise, we will build on this task by using
the pre-loaded employees to provision to IAS.

Prerequisites
SuccessFactors user with sufficient privileges to read the employee data.
Enabled proxy mode for IPS

Execution Plan
Step 1  Create proxy system in IPS
Step 2  Import proxy system in SAP IdM
Step 3  Run initial load from proxy system
Step 4  Check results

1. Create and set up a new OAuth client from the Neo sub-account.
a) Navigate to Security → OAuth.

b) Select the Clients tab and click Register New Client. Create a similar client as shown in
the Set Up OAuth Client in Neo figure, and click Save.




Figure 28: Set Up OAuth Client in Neo

Note:
Take note of the ID and the Secret you enter. These are the credentials SAP IdM will later use to authenticate to the IPS proxy (step 13).

2. Assign IPS_PROXY_USER to your newly created OAuth client.


a) From the left-hand side of the screen, navigate to Applications → Subscriptions.

b) Find the ipsproxy in the list and select it.

c) Under the Roles section, assign the IPS_PROXY_USER role to the newly created OAuth client. Neo represents the client as a user named oauth_client_<client ID>, so enter the client ID with the prefix oauth_client_ and choose Assign.

Figure 29: Assign IPS_PROXY_USER

3. Navigate to IPS.
a) Navigate to the Services section of your Neo cloud account. Under User Management,
select Identity Provisioning.

b) Click Go to service.

4. Create a proxy system using the details in the following table:

Field         Value
Type          SAP SuccessFactors
System Name   SAP_SF
Description   Employee Store for IdM

a) Navigate to the Proxy systems tile and create a new proxy system. Enter the data from
the table in the Details section.

Figure 30: Create a Proxy System

b) Click Save.

5. Maintain system properties using the information from the following table:

Table 1: Mandatory Properties

Property Name    Description & Value
Type             HTTP
URL              The URL of your SAP SuccessFactors OData API. Ask the instructor for the correct API endpoint for your SF server and append the suffix /odata/v2 to it.
ProxyType        Internet
Authentication   BasicAuthentication
User             The user ID of your SAP SuccessFactors technical user in the format <userID>@<companyId>. The companyId can be retrieved from the URL of your SuccessFactors tenant.
Password         The password of your SAP SuccessFactors technical user (property type credential, so the value is masked in the UI).

a) Maintain the connection properties for the selected type of proxy system using the information from the table.

6. Export the configured system in CSV format and save the exported file to N:\My Documents\SECCL1\ (it is imported into SAP IdM in step 12).

a) Select your proxy system SAP_SF, click Properties. Choose the CSV format and then Save.

Figure 31: Export the System in CSV Format

7. Set up SAP IdM using a remote desktop session in the server where SAP IdM is installed.
a) Open a remote desktop session in the server where SAP IdM is installed.

Note:
Details will be provided by the instructor. Each student has one dedicated
instance of SAP IdM.

b) Start the Eclipse provided on the D:\ drive. It is pre-configured to include the connection to your SAP IdM instance.

8. Connect to SAP IdM using Eclipse.


a) In Eclipse, ensure that you are using the SAP Identity Management perspective. Click
the Root to expand it, below it you should see the server. Double-click on the server to
login; your instructor will provide you with the credentials.

9. Create a new identity store.


Before we can use SAP IdM, we need to create the initial identity store.




a) In the SAP IdM perspective, right click on the system name and select New → Identity
Store.

b) In the Identity Store Name field, enter Enterprise People.

c) In the Administrator field, enter the same user you used to login to IdM in Eclipse.

Figure 32: Create New Identity Store

10. Import packages.


The standard SAP IdM packages need to be imported to facilitate certain tasks in IdM.
Please ask your instructor for the folder where the packages are located. These include:

● com.sap.idm.provisioning.engine

● com.sap.idm.forms.default

● com.sap.idm.connector.custom

● com.sap.idm.connector.scim

● com.sap.idm.connector.sci

a) Open the newly created Enterprise People identity store in the SAP Identity
Management perspective.

b) Right click on Packages and select Import….


The packages are located in a folder on the server provided to you by the instructor.




Figure 33: Import Packages

c) Repeat the import operation for all the packages listed in the step detail and keep the
sequence as listed.

11. Provide access to the Web UI.

Note:
For a user to have access to the Web UI, they must be part of the identity
store.

a) Go to your NetWeaver start page and open User Management. Search for dev_admin and click Copy to new user. Provide an initial password and change the first and last name. This will be your user for access to the SAP IdM UI. The copy inherits the role assignments of dev_admin, which is what grants it the IdM UI roles; outside the lab, review those assignments rather than copying an administrator. Within the SAP IdM Developer Studio, double click the Enterprise People identity store and in the newly opened tab, click Add User… .

Figure 34: Provide Access to Web User Interface

b) Type the same user you created in the User Management of NetWeaver. Select the checkboxes and click OK.

c) Create a new user from dev_admin with the Copy to new user option.




Figure 35: Create a new user from dev_admin with copy to new user option

d) To test the access to the IdM UI, try accessing the following URLs:
http://localhost:50000/idm
http://localhost:50000/idm/admin
They should both open without any issues.

12. Import the CSV repository.


a) Access the /idm/admin user interface and navigate to the System configuration tab.
With the repositories selected on the left-hand side, click Import…

b) In the newly opened dialog, select the exported SAP_SF.csv CSV file from the IPS.

Figure 36: Import CSV Repository

13. Maintain the OAuth user and password, proxy host, port and assignment method.
a) Edit the SAP_SF repository and maintain AUTH_USER with the ID and AUTH_PASSWORD with the secret of the OAuth client you created in the Neo subaccount in step 1. SAP IdM authenticates to the IPS proxy with these credentials.

b) Change the SCIM_ASSIGNMENT_METHOD to PUT (by default it is PATCH).

c) Maintain the PROXY_HOST and PROXY_PORT.

d) Click Save.




Figure 37: Maintain OAuth User and Password
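Step 13 b) switches the SCIM assignment method from PATCH to PUT. The two verbs differ in what the server does with attributes you leave out of the request, and for group membership that difference decides whether existing members keep their access. The following added example (mine, not part of the course material or of the SAP IdM connector or IPS code) models a SCIM 2.0 Group resource and applies one membership assignment with both methods. The group, the user IDs and the PatchOp subset it implements are constructed for the illustration.

```python
"""SCIM 2.0 group membership: PUT (replace) versus PATCH (incremental).

Model of how a SCIM server treats the two verbs a SCIM client can use for
assignments (constructed example, not the SAP IdM connector's or IPS's code)."""
import copy

# Constructed sample: a SCIM Group resource as the server holds it before the assignment.
SAMPLE_GROUP = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "id": "grp-1",
    "displayName": "SF_Managers",
    "members": [{"value": "u-alice"}, {"value": "u-bob"}],
}


def scim_put(server_group, new_representation):
    """PUT, RFC 7644 section 3.5.1: the request body replaces the whole resource.
    Any attribute missing from the body is cleared, so a PUT that names only the
    member being added silently removes everyone else from the group."""
    result = copy.deepcopy(new_representation)
    result["id"] = server_group["id"]   # id is read-only; the server keeps its own
    result.setdefault("members", [])
    return result


def scim_patch(server_group, patch_request):
    """PATCH, RFC 7644 section 3.5.2, restricted to the members attribute:
    'add' with path "members" and 'remove' with a members[value eq "..."] filter.
    Only the members named in the operations change; the rest of the group is untouched."""
    result = copy.deepcopy(server_group)
    members = result.setdefault("members", [])
    for op in patch_request["Operations"]:
        kind = op["op"].lower()
        path = op.get("path", "")
        if kind == "add" and path == "members":
            for new in op["value"]:
                if not any(m["value"] == new["value"] for m in members):
                    members.append({"value": new["value"]})
        elif kind == "remove" and path.startswith("members[value eq "):
            target = path.split('eq "', 1)[1].rstrip('"]')
            members[:] = [m for m in members if m["value"] != target]
        else:
            raise ValueError(f"unsupported operation in this model: {op}")
    return result


def member_ids(group):
    return sorted(m["value"] for m in group.get("members", []))


def demo():
    """Assign u-carol to the group three ways; returns the resulting member lists."""
    patched = scim_patch(SAMPLE_GROUP, {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "add", "path": "members", "value": [{"value": "u-carol"}]}],
    })
    # Naive PUT carrying only the new member: alice and bob lose their membership.
    naive_put = scim_put(SAMPLE_GROUP, {
        "schemas": SAMPLE_GROUP["schemas"],
        "displayName": "SF_Managers",
        "members": [{"value": "u-carol"}],
    })
    # Correct PUT: read the group first and send the complete, recomputed member list.
    full = copy.deepcopy(SAMPLE_GROUP)
    full["members"].append({"value": "u-carol"})
    correct_put = scim_put(SAMPLE_GROUP, full)
    return member_ids(patched), member_ids(naive_put), member_ids(correct_put)
```

With PUT the client has to carry the current membership on every assignment, and two assignments to the same group that race each other can still drop one of them, which PATCH avoids. The course does not say why PUT is chosen for this repository, so check the connector's behaviour in the job log after step 15 rather than assuming it.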

14. Check and start the dispatcher if it is not running.


a) To check if the dispatcher is running, go to Eclipse and open the Dispatchers node
under Management. Double click on the dispatcher to open its status.

b) If the status is not running, start the dispatcherutil from your IdM remote server
desktop. If in doubt, ask your instructor for the proper credentials for the login.

Figure 38: Start the Dispatcher

c) Once the GUI is loaded, select the dispatcher and start it. Refresh until the status is
changed to Running.

15. Run the initial job for the newly created repository.
a) Return to the /idm/admin UI, click on Run Now.

Note:
The job does not start immediately; it usually takes around 5-7 minutes to complete.




b) Click Refresh to get the actual state. When the job is processed by the dispatcher, the
job state will change from Idle to Running. Keep refreshing until the job is completed.

Figure 39: Run the Initial Job for the Newly Created Repository

The job is likely to finish with an error state.

16. Check the result of the initial load.


a) Navigate to /idm and then to the Manage tab. Search for *Clark*.

b) If we select the admin user, details about that identity will be shown. If we navigate to
the Assigned Roles and Privileges tab, we will see also the group assignments from
SuccessFactors.

Figure 40: Check the Result of the Initial Load



Unit 4
Exercise 3
Provision Users to SAP Cloud Platform IAS

We would like to work with the loaded users from SuccessFactors, which are currently
unknown to our application in Cloud Foundry. To give them access to the Cloud app, we
provision them to SAP Cloud Platform IAS.

Prerequisites
Successful load of SAP SuccessFactors employees in SAP IdM on-premise.

Execution Plan
Step 1 Create a system as administrator in IAS tenant
Step 2 Create repository for the IAS tenant
Step 3 Initial load users and groups from IAS to SAP IdM
Step 4 Provision new user to the Cloud

1. Create a system as an administrator in the IAS tenant.

2. Log in to SAP IdM system (on-premise) and create a repository. Use the following data:

Field         Value
Name          IAS
Description   IAS Tenant
Type          SCI

3. Maintain connection details for the newly created repository.

Constant       Value
PROXY_HOST     proxy
PROXY_PORT     8080
SCI_HOST       <your IAS host>
SCI_User       <your IAS user>
SCI_Password   <your IAS password>

4. Run the initial job for your newly created repository.


Once finished, you should see a green state and no errors or warnings. Users from IAS should be loaded in IdM.

5. Check the privileges for your repository.


The ONLY privilege will trigger the creation of new users in the cloud IAS tenant.




6. Replicate SuccessFactors users to IAS.


You need to assign the ONLY privilege in the Assigned Roles and Privileges tab to a user
that was synced from SuccessFactors. Use the Clark admin user and provision it to IAS.

7. Monitor the creation of the user in the Cloud.


Monitoring of the execution is done either through Eclipse or the admin interface. It requires an additional role. This role can be found in the UME of the NetWeaver user administration, which can be accessed using the following URL: http://localhost:50000/useradmin

8. Check IAS tenant for the new user, Emily Clark.

9. Verify the new IAS user, Emily Clark.

10. Log in with the new user to the Cloud app.


The new user is able to access the application but has no access to the links.

11. Brainstorming task.


What is the last step we need to do in order to enable our newly created users from
SuccessFactors to have full access to our Cloud app? Are there any limitations with
current setup?

Hint:
We are striving for maximum automation so manual changes in IAS are not
expected.

Not every connector supports provisioning of both groups and users.



Unit 4
Solution 3
Provision Users to SAP Cloud Platform IAS

We would like to work with the loaded users from SuccessFactors, which are currently
unknown to our application in Cloud Foundry. To give them access to the Cloud app, we
provision them to SAP Cloud Platform IAS.

Prerequisites
Successful load of SAP SuccessFactors employees in SAP IdM on-premise.

Execution Plan
Step 1 Create a system as administrator in IAS tenant
Step 2 Create repository for the IAS tenant
Step 3 Initial load users and groups from IAS to SAP IdM
Step 4 Provision new user to the Cloud

1. Create a system as an administrator in the IAS tenant.


a) Log in to IAS and navigate to Users & Authorizations → Administrators.

b) Click +Add to add a new system and name it SAP IdM. Under Configure
Authorizations, set Manage Users and Manage Groups to ON.

Figure 41: Configuration Authorizations

c) Set a password of your choice for the system. Once a password is set, you will see a random GUID, which is the user name for the connection from SAP IdM. Click Set Password again and you will have the option to copy the GUID user name.

Figure 42: GUID User

2. Log in to SAP IdM system (on-premise) and create a repository. Use the following data:

Field         Value
Name          IAS
Description   IAS Tenant
Type          SCI

a) Navigate to /idm/admin and then to the System configuration tab.

b) Click Create and choose Create New Repository. Enter the data from the table above.
The repository type is called SCI after the former name of Identity Authentication Service, SAP Cloud Identity.

Figure 43: Create a New Repository

c) Click Save.

3. Maintain connection details for the newly created repository.

Constant       Value
PROXY_HOST     proxy
PROXY_PORT     8080
SCI_HOST       <your IAS host>
SCI_User       <your IAS user>
SCI_Password   <your IAS password>

a) In the newly created repository, maintain the connection details under the Constants
tab as shown in the figure Connection Details for the New Repository.



Unit 4: SAP Cloud Platform Identity Authentication Service

Figure 44: Connection Details for the New Repository

b) Click Save.

4. Run the initial job for your newly created repository.


a) In your new repository, select the Jobs tab and click Run Now for the SCI - Initial Load.

Figure 45: Run the Initial Job

Once finished, you should see a green state and no errors or warnings. Users from IAS should be loaded in IdM.

5. Check the privileges for your repository.


a) Go to the Manage tab of SAP IdM. In the Show field, select Privilege and enter *IAS* in the Find field to check the privileges that have been created for your repository.

Figure 46: Check the Privileges for Your Repository

The ONLY privilege will trigger the creation of new users in the cloud IAS tenant.

6. Replicate SuccessFactors users to IAS.


You need to assign the ONLY privilege in the Assigned Roles and Privileges tab to a user
that was synced from SuccessFactors. Use the Clark admin user and provision it to IAS.




a) Find the user by going to the Manage tab of SAP IdM. In the Show field, select Person
and enter *Clark* in the Find field and click on Choose Task....

b) From the new menu, expand Identity and select the Assign Privileges, Roles and
Groups task.

Figure 47: Assign Privileges, Roles and Groups

c) Under the Assign Roles and Privileges tab, enter *IAS* in the Find field and assign the
ONLY privilege using Add and then Save.
A validity and reason entry is not required.

Figure 48: Assign Privileges, Roles and Groups

7. Monitor the creation of the user in the Cloud.


Monitoring of the execution is done either through Eclipse or the admin interface. It requires an additional role. This role can be found in the UME of the NetWeaver user administration, which can be accessed using the following URL: http://localhost:50000/useradmin
a) In the Search Criteria field, enter your user and click Go.

b) Under the details of your user, choose the Assigned Roles tab and search for the
idm.monitoring role.

c) Select the idm.monitoring role, click Add and then Save.


If you refresh the /idm/admin UI, you will see one additional tab: Monitoring.

d) From the new tab, select Job Log from the drop-down and refresh periodically to check
the status of provisioning.




Figure 49: Monitor the Creation of the User in the Cloud

8. Check IAS tenant for the new user, Emily Clark.


a) Navigate to User Management in the IAS tenant; you should see the new user Emily Clark. However, if you already try logging in with that user to your application from Scenario 1, the login will fail because the user is not yet verified.

Figure 50: Check IAS Tenant for New User

9. Verify the new IAS user, Emily Clark.


a) To verify the new user, click on the newly created user, Emily Clark. In the User Details
tab, select the E-mail verified checkbox. Click Save.

b) Select the Authentication tab on the same screen, choose Set Initial to set an initial
password.

Figure 51: Verify New IAS User




10. Log in with the new user to the Cloud app.


a) When first logging in, you will be asked to change the initial password. Enter a new
password and click Save.

The new user is able to access the application but has no access to the links.

11. Brainstorming task.


What is the last step we need to do in order to enable our newly created users from
SuccessFactors to have full access to our Cloud app? Are there any limitations with
current setup?

Hint:
We are striving for maximum automation so manual changes in IAS are not
expected.

Not every connector supports provisioning of both groups and users.



Unit 4
Exercise 4
Configure Branding and Self-Registration with
SAP Cloud Platform IAS

Every application, including the login screens served by SAP Cloud Platform IAS, needs customer branding and a custom layout. You can customize your application's login screen to improve the UX and adhere to the corporate guidelines. To let unregistered users access the app, we will also allow self-registration.

Prerequisites
Configured application in SAP IAS.

Execution Plan
Step 1 Upload app logo
Step 2 Change color theme
Step 3 Enable self-registration
Step 4 Enable reCAPTCHA for bot protection during registration

1. Apply branding to your application in IAS.

2. Change color theme.

3. Enable self-registration.

4. Enable reCAPTCHA for bot protection during registration.

5. Maintain the reCAPTCHA site key and secret key in the Tenant settings of IAS.

6. Run the Cloud app.


Observe the changes made in the previous steps.

7. Register one new user with reCAPTCHA protection.



Unit 4
Solution 4
Configure Branding and Self-Registration with
SAP Cloud Platform IAS

Every application, including the login screens served by SAP Cloud Platform IAS, needs customer branding and a custom layout. You can customize your application's login screen to improve the UX and adhere to the corporate guidelines. To let unregistered users access the app, we will also allow self-registration.

Prerequisites
Configured application in SAP IAS.

Execution Plan
Step 1 Upload app logo
Step 2 Change color theme
Step 3 Enable self-registration
Step 4 Enable reCAPTCHA for bot protection during registration

1. Apply branding to your application in IAS.


a) In IAS, navigate to Application & Resources → Applications. Select your application and
click Branding & Layout tab.

b) Click the logo to upload your own logo or use the one provided by the instructor.

Figure 52: Add Branding to your Application in IAS

2. Change color theme.


a) In the Branding & Layout tab of your application, click Branding Style to further
customize the login experience.




b) In the Available Themes screen area, choose Custom Basic and edit the colors as
desired.

Figure 53: Change Color Theme

3. Enable self-registration.
a) In the Authentication and Access tab of your application, change the User Application Access to Public. Click Save.
Public means that anyone who reaches the login page can create an account, which is why the next step adds bot protection to the registration form.

4. Enable reCAPTCHA for bot protection during registration.


a) In the Branding & Layout tab of your application, switch on the Google reCAPTCHA Protection for the Registration form.
The actual enablement of the service consists of three steps.

b) To get the Site and Secret key, you need to log in to the following URL: https://www.google.com/recaptcha/admin

Note:
You will need a valid Google account to access the site. If you do not have one, you can skip this step.

c) Enter SAP Security in the Label field.

d) Select the reCAPTCHA v2 radio button and Invisible reCAPTCHA badge as shown in the
figure, Enable reCAPTCHA for Bot Protection During Registration.

e) Maintain your IAS domain in the Domains section.

f) Click Register.




Figure 54: Enable reCAPTCHA for Bot Protection During Registration

5. Maintain the reCAPTCHA site key and secret key in the Tenant settings of IAS.
a) Once the new site is registered, the Site and the Secret Key are displayed. Copy them
from the screen.

b) Go to IAS and navigate to Applications & Resources → Tenant settings.

c) Select Google reCAPTCHA and maintain the values copied earlier from Google into the
Site Key and the Secret Key field.

Figure 55: Maintain reCAPTCHA Site Key and Secret Key

6. Run the Cloud app.


Observe the changes made in the previous steps.

7. Register one new user with reCAPTCHA protection.


a) In the Cloud app, click Register and set up your user to test the reCAPTCHA verification. During registration, provide a valid email address to which you have access for the activation.
You should receive an activation link to enable your new account in IAS. Follow the instructions in the email to activate it.



Unit 4
Exercise 5
Configure Two-Factor Authentication and
Social Login

To increase security for our Cloud application, we need to enable two-factor authentication.

Prerequisites
Smartphone with an installed authenticator app (for example, SAP Authenticator, Google Authenticator or Microsoft Authenticator) and a configured application in SAP IAS.

Execution Plan
Step 1 Configure two-factor authentication

Goal: Increase the authentication process security

1. Onboard two-factor authentication for your account by accessing the user profile of the
newly created user from the previous exercise.
If you have successfully onboarded your account, you should see a green mark in your
profile.

2. Enable two-factor authentication for your application using the following data:
Field Value
Action TOTP Two-Factor Authentication

Authentication Method User Name and Password

Group Cloud Group

3. Log in to the app again using the same user you activated for two-factor authentication.
You will be requested to enter your two-factor authentication code from the app.



Unit 4
Solution 5
Configure Two-Factor Authentication and
Social Login

To increase security for our Cloud application, we need to enable two-factor authentication.

Prerequisites
Smartphone with an installed authenticator app (for example, SAP Authenticator, Google Authenticator or Microsoft Authenticator) and a configured application in SAP IAS.

Execution Plan
Step 1 Configure two-factor authentication

Goal: Increase the authentication process security

1. Onboard two-factor authentication for your account by accessing the user profile of the
newly created user from the previous exercise.
a) Login to your IAS user profile by using the same IAS URL as before, but without any
URL suffix.

Note:
If you are unsure about the exact URL, ask your instructor.

b) Navigate to the Two-Factor Authentication section and click Activate.

c) Scan the displayed QR code with your mobile app of choice (for example, Google Authenticator, SAP Authenticator or Microsoft Authenticator). Then enter the passcode that the app displays.

Figure 56: Onboard Two-factor Authentication




If you have successfully onboarded your account, you should see a green mark in your
profile.

2. Enable two-factor authentication for your application using the following data:
Field Value
Action TOTP Two-Factor Authentication

Authentication Method User Name and Password

Group Cloud Group

a) In IAS admin UI, navigate to Application & Resources → Applications.

b) Select your application and go to the Authentication and Access tab. Select the Risk-based Authentication menu.
If your account hasn't been onboarded with two-factor authentication, you will be prompted to onboard on the go.

c) Create a new rule by clicking + Add Rule and enter the data from the table.

Figure 57: Risk-Based Authentication

d) Click OK and then Save.

3. Log in to the app again using the same user you activated for two-factor authentication.
You will be requested to enter your two-factor authentication code from the app.



Unit 5
Exercise 6
Provision Business Partners from SAP Cloud
Platform Identity Authentication Service (IAS)
to S/4HANA On-Premise

We would like to create business partners in S/4 HANA on-premise. For that purpose, we will use SAP Cloud Platform Identity Authentication Service (IAS) and SAP Cloud Platform Identity Provisioning Service (IPS). The S/4 HANA system will be attached as a target, whereas SAP IAS will be used as a source.

Prerequisites
Exposed services from S/4 HANA on-premise.

Execution Plan
Step 1 Add SAP IAS as source to SAP IPS
Step 2 Expose services from S/4 HANA on-premise and configure Cloud connector
Step 3 Add S/4 HANA on-premise as a target in SAP IPS
Step 4 Run the sync job and observe the results
Step 5 Enable real-time provisioning

1. Create a new system user in IAS.

2. Add IAS using the following data:

Field         Value
Type          SAP Cloud Platform Identity Authentication
System Name   IAS
Description   IAS for SECCL1

3. Configure services for provisioning from S/4 HANA on-premise.


To use the S/4 HANA on-premise as a target, there are two services that need to be
configured through SOA manager.

4. Establish the Cloud connector link for S/4 HANA on-premise. Use the following data:

Table 2: Add Subaccount

Field             Value
Region            Europe (Frankfurt)
Subaccount        Dependent on subaccount
Display Name      SECCL-A0X
Subaccount User   Dependent on subaccount
Password          Dependent on subaccount
Description       Connection for IPS Service

Table 3: Add System Mapping

Field                 Value
Back-End Type         ABAP System
Protocol              HTTP
Internal Host         Enter the information provided by the instructor for your S/4 HANA system
Port                  Enter the information provided by the instructor for your S/4 HANA system
Virtual Host          s4hana
Virtual Port          Leave as is
Principal Type        None
Description           Enter a description or leave blank
Check internal host   Select checkbox

Table 4: Add Resource

Field           Value
URL Path        /sap/bc/srt/scs/sap
Enabled         Select checkbox
Access Policy   Path and all sub-paths

Note:
The Cloud connector service is installed on your WTS virtual machine. Your instructor should provide the URL, port, and credentials.
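Table 3 and Table 4 expose exactly one backend path to the cloud. How the access policy is evaluated decides what a caller in the subaccount can reach on the ABAP system, so the following added example (mine; a model of the rule semantics, not Cloud Connector's own code) implements the "Path and all sub-paths" and "Path only" decisions with path canonicalisation, beside the naive prefix check that such allowlists are often reduced to. The allowlist and the request paths are constructed for the illustration; ManageBusinessUserIn appears only as an example sub-path and the real service URL may differ.

```python
"""Model of a Cloud Connector access-control decision for the mapping in Tables 3 and 4.

Constructed example of the rule semantics; not Cloud Connector's own implementation."""
from posixpath import normpath
from urllib.parse import unquote

# Constructed allowlist mirroring the lab tables: the virtual host s4hana exposes
# the single resource /sap/bc/srt/scs/sap with the policy "Path and all sub-paths".
ALLOWLIST = {
    "s4hana": [
        {"path": "/sap/bc/srt/scs/sap", "policy": "path_and_subpaths"},
    ],
}


def canonical_path(raw_path: str) -> str:
    """Strip the query, percent-decode until stable and collapse '.' and '..'
    segments, so that an encoded or nested traversal cannot slip past the prefix."""
    path = raw_path.split("?", 1)[0]
    for _ in range(5):                      # bounded loop: stop at a fixed point
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return normpath("/" + path.lstrip("/"))


def rule_matches(rule: dict, path: str) -> bool:
    base = rule["path"].rstrip("/")         # "" for a rule on the root path
    if rule["policy"] == "path_only":
        return path == (base or "/")
    if rule["policy"] == "path_and_subpaths":
        # A sub-path is a further segment, so /sap/bc/srt/scs/sapx is NOT covered
        # by /sap/bc/srt/scs/sap.
        return path == (base or "/") or path.startswith(base + "/")
    raise ValueError(f"unknown policy {rule['policy']!r}")


def is_request_allowed(virtual_host: str, raw_path: str) -> bool:
    """Default deny: an unknown virtual host or no matching resource is rejected."""
    path = canonical_path(raw_path)
    return any(rule_matches(rule, path) for rule in ALLOWLIST.get(virtual_host, []))


def naive_prefix_allowed(virtual_host: str, raw_path: str) -> bool:
    """The weak check: raw string prefix, no canonicalisation. Kept only to show
    what '..' segments and percent-encoding do to it."""
    return any(raw_path.startswith(rule["path"]) for rule in ALLOWLIST.get(virtual_host, []))
```

The point for the lab is that "Path and all sub-paths" on /sap/bc/srt/scs/sap is the whole exposed surface; every other ICF path on the backend (for example /sap/bc/adt in the test) stays unreachable from the cloud only as long as the check is done on the canonical path.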

5. Add S/4HANA as the target in IPS.

Table 5: Details

Field            Value
System Name      s4hana
Description      S/4HANA connector for provisioning
Source Systems   IAS

Table 6: Properties

Field                                          Value
Authentication                                 BasicAuthentication
ips.date.variable.format                       yyyy-MM-dd
ips.trace.failed.entity.content                true
Password                                       Enter the credentials provided by the instructor
ProxyType                                      OnPremise
s4hana.onprem.hr.switch.active                 false
s4hana.onprem.hr.switch.dependent.role.codes   BUP003, BPP010, BPP005
Type                                           HTTP
URL                                            Enter the Virtual Host and Port from the Cloud connector system mapping in the previous step (Table 3)
User                                           Enter the credentials provided by the instructor

6. Start the provisioning from IAS to S/4 HANA for the creation of new business partners.
To do this, we will start the provisioning job from IPS.

Note:
Make sure that the IAS users have a login name defined; the login name is required for the provisioning to S/4 HANA.

7. Enable real-time provisioning. Create a new OAuth client in the Neo subaccount using the following data, and assign it to the IPS subscription (the previous OAuth client was attached to ipsproxy).

Note:
Running a scheduled job is a valid approach for provisioning, but sometimes we need to push newly created entities to the target system immediately. An example is the self-registration process, where the user must be provisioned to the target systems right away. This option, called real-time provisioning, is available only in the scenario where IAS acts as the source system in IPS.



Unit 5: S/4HANA On-Premise

Table 7: New OAuth Client in Neo

Field                 Value
Name                  ias_ips
Subscription          sapiam/ips
ID                    ias_ips
Authorization Grant   Client Credentials
Confidential          Select checkbox
Secret                Your choice (please remember)

Table 8: New System Configurations

Field                 Value
Target Configurations
Display Name          IPS real-time provisioning
Type                  Identity Provisioning
SCIM URL              Built following this pattern:
                      https://<ips subscription url from the Neo sub-account>/api/v1/systems/<Identity_Authentication_Source_System_guid>/entities/user
                      The two parameters are found as follows:
                      ● <ips subscription url from the Neo sub-account>: in your Neo subaccount, navigate to Applications → Subscriptions and click ips under Subscribed Java Applications. The Application URL, including the suffix /ips, is the value you need.
                      ● <Identity_Authentication_Source_System_guid>: open the IAS source system in the IPS service; its URL contains the ID, as shown in the figure Identity Authentication ID.
Authentication Configurations
OAuth URL             The Token Endpoint of your Neo subaccount
Client ID             The ID of the OAuth client you created for the IPS subscription (ias_ips, Table 7)
Client Secret         The secret of that OAuth client

Figure 70: Identity Authentication ID

8. Test real-time provisioning by provisioning the SuccessFactors user ccampbell from SAP Identity Management (IdM) to SAP IAS: choose the user and assign the IAS_ONLY privilege, which triggers the provisioning. In the User Details, set the Status to Active and select the E-Mail Verified checkbox.
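Table 8 configures IAS to call IPS with an OAuth 2.0 client-credentials token (RFC 6749 section 4.4) and a SCIM URL, and step 8 triggers that call by creating a user. The following added example (mine, not the course's or SAP's code) plays both sides of the exchange offline: an in-memory model of the Neo token endpoint and of the IPS user endpoint, and a client that obtains a token with the ias_ips client and POSTs a SCIM user to the URL built from the Table 8 pattern. All URLs, the system GUID and the secret are constructed placeholders, and the server model checks only the client credentials, the bearer token and its expiry, none of IPS's actual validation.

```python
"""Real-time provisioning exchange: client-credentials token, then SCIM POST to IPS.

Added example with an in-memory model of both server sides; constructed
identifiers throughout, not SAP's code."""
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed placeholders standing in for the lab's real values.
TOKEN_ENDPOINT = "https://oauthasservices-example.hana.ondemand.com/oauth2/api/v1/token"
IPS_APP_URL = "https://ips-example.hana.ondemand.com/ips"
IAS_SOURCE_SYSTEM_ID = "0123abcd-0000-4000-8000-00000000beef"
CLIENT_ID, CLIENT_SECRET = "ias_ips", "constructed-secret"


def scim_user_url(ips_app_url: str, source_system_id: str) -> str:
    """Table 8 pattern: <ips url>/api/v1/systems/<guid>/entities/user."""
    return f"{ips_app_url.rstrip('/')}/api/v1/systems/{source_system_id}/entities/user"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1: confidential clients authenticate with HTTP Basic."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


class FakeNeoAndIps:
    """Model of the two server sides: the Neo token endpoint and the IPS SCIM endpoint."""

    def __init__(self, client_id, client_secret, ttl=3600):
        self.clients = {client_id: client_secret}
        self.tokens = {}               # access token -> expiry (unix time)
        self.ttl = ttl
        self.created_users = []

    def post(self, url, headers, body, now=None):
        now = time.time() if now is None else now
        if url == TOKEN_ENDPOINT:
            return self._token(headers, body, now)
        if url == scim_user_url(IPS_APP_URL, IAS_SOURCE_SYSTEM_ID):
            return self._scim_create(headers, body, now)
        return 404, {"error": "not found"}

    def _token(self, headers, body, now):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401, {"error": "invalid_client"}
        cid, _, csec = base64.b64decode(auth[6:]).decode().partition(":")
        if not secrets.compare_digest(self.clients.get(cid, ""), csec):
            return 401, {"error": "invalid_client"}
        if parse_qs(body).get("grant_type") != ["client_credentials"]:
            return 400, {"error": "unsupported_grant_type"}
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = now + self.ttl
        return 200, {"access_token": tok, "token_type": "Bearer", "expires_in": self.ttl}

    def _scim_create(self, headers, body, now):
        auth = headers.get("Authorization", "")
        tok = auth[7:] if auth.startswith("Bearer ") else ""
        if tok not in self.tokens or self.tokens[tok] <= now:
            return 401, {"error": "invalid_token"}      # missing, unknown or expired
        user = json.loads(body)
        if "urn:ietf:params:scim:schemas:core:2.0:User" not in user.get("schemas", []):
            return 400, {"error": "invalid schema"}
        self.created_users.append(user["userName"])
        return 201, {"id": f"usr-{len(self.created_users)}", "userName": user["userName"]}


def provision_user(server, user_name, email, now=None):
    """Client side (what IAS does for a new user): fetch a token, then POST the SCIM user.
    Returns (status, body) of the last call made."""
    status, tok = server.post(
        TOKEN_ENDPOINT,
        {"Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
         "Content-Type": "application/x-www-form-urlencoded"},
        urlencode({"grant_type": "client_credentials"}), now)
    if status != 200:
        return status, tok
    scim_user = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                 "userName": user_name, "active": True,
                 "emails": [{"value": email, "primary": True}]}
    return server.post(
        scim_user_url(IPS_APP_URL, IAS_SOURCE_SYSTEM_ID),
        {"Authorization": f"Bearer {tok['access_token']}",
         "Content-Type": "application/scim+json"},
        json.dumps(scim_user), now)
```

The client secret from Table 7 is the only thing standing between an outsider and the ability to push arbitrary users into IPS, and from there into S/4HANA: treat it like a password, and when rotating it, update the IAS target configuration at the same time, since the token endpoint will reject the old value immediately.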



Unit 5
Solution 6
Provision Business Partners from SAP Cloud
Platform Identity Authentication Service (IAS)
to S/4HANA On-Premise

We would like to create business partners in S/4 HANA on-premise. For that purpose, we will use SAP Cloud Platform Identity Authentication Service (IAS) and SAP Cloud Platform Identity Provisioning Service (IPS). The S/4 HANA system will be attached as a target, whereas SAP IAS will be used as a source.

Prerequisites
Exposed services from S/4 HANA on-premise.

Execution Plan
Step 1 Add SAP IAS as source to SAP IPS
Step 2 Expose services from S/4 HANA on-premise and configure Cloud connector
Step 3 Add S/4 HANA on-premise as a target in SAP IPS
Step 4 Run the sync job and observe the results
Step 5 Enable real-time provisioning

1. Create a new system user in IAS.


a) In IAS, navigate to Users & Authorizations and then choose Administrators.

b) Create a new system user and enter IAS in the System Display Name field.

c) Under Configuration Authorizations, switch all the settings to ON as shown in the figure, System User Settings. This is a lab shortcut; in a productive tenant, grant the system user only the authorizations the provisioning scenario needs.




Figure 58: System User Settings

Note:
Don't forget to set the password for the user in order to see their technical
name.

Take note of the username and password.

2. Add IAS using the following data:

Field         Value
Type          SAP Cloud Platform Identity Authentication
System Name   IAS
Description   IAS for SECCL1

a) Navigate to IPS and create a source system using the data in the table.




Figure 59: Create Source System

For the properties, see the Identity Authentication Service Mandatory Properties
figure.

Figure 60: Identity Authentication Service Mandatory Properties

3. Configure services for provisioning from S/4 HANA on-premise.


To use the S/4 HANA on-premise as a target, there are two services that need to be
configured through SOA manager.
a) Open the SAP Logon from WTS and login to the T41 system with the user and
password provided by your instructor.

b) Run the SOAMANAGER transaction. From the newly opened browser window, select the
Simplified Web Service Configuration link.

Figure 61: Configure Services for Provisioning from S/4 HANA On-Premise

c) Search for the service with the name: ManageBusinessUserIn.

d) Once you have found the service, mark the Username/Password checkbox. Click
Save.

e) Repeat for the QueryBusinessUserIn service. Click Save.

Figure 62: Configure Service Definitions

This completes the required setup in SOA manager.

4. Establish the Cloud connector link for S/4 HANA on-premise. Use the following data:

Table 2: Add Subaccount

Field             Value
Region            Europe (Frankfurt)
Subaccount        Dependent on subaccount
Display Name      SECCL-A0X
Subaccount User   Dependent on subaccount
Password          Dependent on subaccount
Description       Connection for IPS Service

Table 3: Add System Mapping

Field                 Value
Back-End Type         ABAP System
Protocol              HTTP
Internal Host         Enter the information provided by the instructor for your S/4 HANA system
Port                  Enter the information provided by the instructor for your S/4 HANA system
Virtual Host          s4hana
Virtual Port          Leave as is
Principal Type        None
Description           Enter a description or leave blank
Check internal host   Select checkbox

Table 4: Add Resource

Field           Value
URL Path        /sap/bc/srt/scs/sap
Enabled         Select checkbox
Access Policy   Path and all sub-paths

Note:
The Cloud connector service is installed on your WTS virtual machine. Your
instructor should provide the URL, port, and credentials.

a) Log in to the Cloud connector service using your subaccount.

If you are starting with a Cloud connector that is not yet connected to any Cloud
subaccount, click Define subaccount and enter the data provided in the Add Subaccount
table.

Figure 63: Add Subaccount for Cloud Connector Connection

b) In most cases, some subaccounts are likely to be connected to the Cloud already. In this
scenario, select the Connector menu from the left-hand side and click + Add
Subaccount.
Maintain the required information, which differs depending on your subaccount. The
greyed-out fields in the figure, Add Subaccount for Cloud Connector Connection, are
different for each subaccount. Keep in mind that we are connecting to the Neo
subaccount, since the IPS service is located there.

c) You can find the subaccount on the Overview page of your Neo subaccount in the
Subaccount information section.
The user and password are the same that you used to log in to the Neo environment.

d) Replace the X sign in the Display Name field with the number of your assigned group
for the exercise. Click Save and you should see the newly configured connection with
status Connected as shown in the figure, Cloud Connector Connection.

Figure 64: Cloud Connector Connection

e) Expose the S/4 HANA system from on-premise to the Cloud by selecting the Cloud to
On-Premise entry from the menu on the left and clicking the + icon to map a virtual system
to an internal one.

Figure 65: Cloud to On-Premise

f) On the Add System Mapping pop-up window, select the back-end type as ABAP
System. Click Next and go through the other screens of the wizard, selecting the
options in the Add System Mapping table.

g) On the final window of the wizard, click Finish.


The check should result in the green Reachable status.

h) Now that the system is accessible, it is highly recommended to limit the resources
that can be accessed. From within the same window, click the + icon in the
Resource Accessible table.

i) In the Add Resource dialog box, enter the data from the Add Resource table and click
Save to complete the Cloud connector setup.

Figure 66: Add Resources

5. Add S/4HANA as the target in IPS.

Table 5: Details

Field            Value
System Name      s4hana
Description      S/4HANA connector for provisioning
Source Systems   IAS

Table 6: Properties

Field                                          Value
Authentication                                 BasicAuthentication
ips.date.variable.format                       yyyy-MM-dd
ips.trace.failed.entity.content                true
Password                                       Enter the credentials provided by the instructor
ProxyType                                      OnPremise
s4hana.onprem.hr.switch.active                 false
s4hana.onprem.hr.switch.dependent.role.codes   BUP003, BPP010, BPP005
Type                                           HTTP
URL                                            Enter the Virtual Host and Port details from the previous exercise
User                                           Enter the credentials provided by the instructor

a) In IPS, navigate to the section with the target systems.

b) Create a new target system using the data from the Details table.

Note:
Make sure you select the newly created IAS source system as the source
for this target system.

Figure 67: Add S/4HANA as Target in IPS

c) On the Properties tab, enter the data from the Properties table.

Note:
We are connecting to the previously established Cloud connector virtual
host.

6. Start the provisioning from IAS to S/4 HANA for the creation of new business partners.
To do this, we will start the provisioning job from IPS.

Note:
Make sure that IAS users have login names defined, which is required for the
provisioning to S/4 HANA.

a) In the IPS service, click Source Systems and, within the IAS source system,
select the Jobs tab.

Figure 68: Start Provisioning Job from IPS

You will see two job types: Read Job and Resync Job. The Resync Job is the one to run
initially to build the delta; afterwards, we use the Read Job to sync only the changed
entries. As seen in the figure, Start Provisioning Job from IPS, only the Read Job can be
scheduled.

b) Click Run Now for the Resync Job.

c) To monitor the running job, navigate to the Job Logs menu from the left-hand side.

d) Check the provisioned entries in S/4HANA using the SAP Logon in your WTS virtual
server.
Log in using the credentials provided by the instructor.

e) Run the BP transaction and search for Persons by the login name of your provisioned
users, using the filter BUPA Identification Number.

f) The entries from IAS are created as business partners. You can browse those entities
by double-clicking on them.

g) Navigate to the Identification tab and you will see the P number from IAS in the table.

Figure 69: Business Partner

7. Enable real-time provisioning. Create a new OAuth client in the Neo subaccount using the
following data, and assign it to the IPS subscription (previous OAuth clients were attached
to ipsproxy).

Note:
Running a scheduled job is a valid approach for provisioning, but sometimes
we need to push newly created entities to the target system immediately. An
example is the self-registration process, where the user needs to be
provisioned to the target systems immediately. This option, called real-time
provisioning, is available only in the scenario where IAS is acting as the
source in IPS.

Table 7: New OAuth Client in Neo

Field                 Value
Name                  ias_ips
Subscription          sapiam/ips
ID                    ias_ips
Authorization Grant   Client Credentials
Confidential          Select checkbox
Secret                Your choice (please remember)

Table 8: New System Configurations

Field                           Value
Target Configurations
Display Name                    IPS real-time provisioning
Type                            Identity Provisioning
SCIM URL                        https://<ips subscription url from the Neo subaccount>/api/v1/systems/<Identity_Authentication_Source_System_guid>/entities/user
                                (see the explanation of the two parameters below the table)
Authentication Configurations
OAuth URL                       Use the Token Endpoint from your Neo subaccount
Client ID                       Use the data you created for the IPS subscription
Client Secret                   Use the data you created for the IPS subscription

The SCIM URL is built from the following two parameters:

● <ips subscription url from the Neo subaccount>: locate it by navigating within your Neo
subaccount to Applications → Subscriptions and clicking ips within the Subscribed Java
Applications. The Application URL, including the suffix /ips, is what you are looking for.

● <Identity_Authentication_Source_System_guid>: retrieve it from the IPS service when you
navigate to the IAS source system. The URL will contain the ID, as shown in the figure
below, Identity Authentication ID.

Figure 70: Identity Authentication ID

a) Create OAuth client credentials as follows:

● Log in to the Neo subaccount where IPS is running.

● Navigate to Security → OAuth → Clients and register a new client using the data
from the above table New OAuth Client in Neo.

● Click Save.

Figure 71: OAuth Client Credentials

b) Copy the token endpoint.

● Navigate to Security → OAuth → Branding and copy the Token Endpoint URL
from the bottom of the screen.

Figure 72: OAuth Settings

c) Assign the IPS_ADMIN role to the OAuth Client.

● Navigate to Subscriptions → Subscribed Java Applications and choose ips.

● Go to Roles and assign the IPS_ADMIN role to a user that is formed using the
following template: oauth_client_<client ID>, for example, oauth_client_ias_ips.

Figure 73: Assign Role IPS_ADMIN to OAuth Client

d) Let’s switch to the configuration in IAS. Navigate to Users & Authorizations → User
Provisioning and click +Add to add a new target system. Enter the data from the New
System Configurations table above.

e) The setup is complete; proceed with provisioning by clicking Provision. Do not rely on
the Test connection button, since it does not always show the correct result.

8. Test real-time provisioning by provisioning the SuccessFactors user ccampbell from
SAP Identity Management (IdM) to SAP IAS. This can be done by choosing the user and
assigning the IAS_ONLY privilege, which triggers the provisioning. For the User Details,
set the Status to Active and select the E-Mail Verified checkbox.
a) Go to IAS to investigate the newly created user. Open it to verify the details (the
screenshot below is just an example; your user might have a different P number).

Figure 74: User Details

b) Set the Status to Active and mark the E-mail Verified checkbox. Click Save. This will
trigger the real-time provisioning.

c) Log in to S/4 HANA to check the newly created business partner.

d) Run the SU01 transaction within S/4HANA to check if the business partner also exists
as a technical user. Enter the business partner identification CCAMPBELL in the User
field and search.

Figure 75: Check User in S/4 HANA

The user doesn't exist. In the next exercise we are going to create the same user also in
SU01, so that those two are linked in S/4 HANA.

Unit 5
Exercise 7
Assign Roles to Users in S/4HANA

In this exercise, we are going to extend the previous exercise and link the created business
partners to users in the SU01 transaction using IPS. However, in this exercise the initiating
system will be SAP IdM.

Prerequisites
Existing business partners created from IAS in S/4 HANA on-premise.

Execution Plan
Step 1 Configure the connection between on-premise and Cloud
Step 2 Create a proxy system within IPS
Step 3 Import the proxy system in SAP IdM and run the initial load
Step 4 Assign privileges and check newly created users in S/4HANA SU01

1. Configure the Cloud connector.


You must set up an additional Cloud connector virtual system, because in this exercise the
ABAP connector of IPS communicates with S/4HANA over the Remote Function Call (RFC)
protocol. Use the following data:

Field                        Value
Back-end Type                ABAP system
Protocol                     RFC
Connection Type              Without load balancing
Application Server           Enter the SAP Logon credentials for your S/4HANA server
Instance Number              Enter the SAP Logon credentials for your S/4HANA server
Virtual Application Server   abaponprem
Virtual Instance Number      00

You should see the new virtual host and the internal host with the green Reachable status.

2. Add accessible resources to the virtual system. The following RFCs need to be added:

● BAPI_USER_ACTGROUPS_ASSIGN

● BAPI_USER_CREATE1

● BAPI_USER_DELETE

● BAPI_USER_GETLIST

● BAPI_USER_GET_DETAIL

● IDENTITY_MODIFY

● PRGN_ACTIVITY_GROUPS_LOAD_RFC

● PRGN_ROLE_GETLIST

The setup in Cloud connector is complete.

3. Create the S/4HANA destination in your Neo subaccount.


The destination in your Neo subaccount will point to the Cloud connector virtual system, so
that you do not have to type the connection parameters for each system within IPS. Use the
following data:

Field               Value
Name                ABAPS4
Type                RFC
Proxy Type          OnPremise
User                Provided by the instructor
Password            Provided by the instructor
jco.client.ashost   Enter the name of the virtual system defined in the previous step of this exercise
jco.client.client   Use the default client which opens when you log in through SAP Logon
jco.client.sysnr    Provide the system number from the SAP Logon

Note:
For the user and password, enter the information provided by the instructor.

4. Set up the S/4HANA system as the proxy system in IPS, enter ABAP as the Name, and use
the following values to define the ABAP filters:

abap.role.filter   ^(\\?)SAP_BC.*
abap.user.filter   ^S4100.*

5. Create an OAuth client for the connection to SAP IdM.


A dedicated OAuth client in our Neo subaccount is required. Use the following data:

Field                 Value
Name                  idm_abap
Subscription          sapiam/ipsproxy
ID                    idm_abap
Authorization Grant   Client Credentials
Confidential          Select checkbox

6. Import the S/4HANA proxy to SAP IdM and run the initial load.
The process is the same as in the previous exercise, when we imported the
SuccessFactors proxy system.
You should see the loaded users and roles according to the filter in IPS.

7. Provision the SU01 user.


Use the user created as business partner and assign the ONLY privilege for our new ABAP
proxy as well as the SAP_BC_JSF_COMMUNICATION privilege.

8. After a short provisioning cycle, log in to S/4HANA and check your SuccessFactors user in
the SU01 transaction.
You will also see that the requested privilege is assigned as a role in S/4HANA.

Unit 5
Solution 7
Assign Roles to Users in S/4HANA

In this exercise, we are going to extend the previous exercise and link the created business
partners to users in the SU01 transaction using IPS. However, in this exercise the initiating
system will be SAP IdM.

Prerequisites
Existing business partners created from IAS in S/4 HANA on-premise.

Execution Plan
Step 1 Configure the connection between on-premise and Cloud
Step 2 Create a proxy system within IPS
Step 3 Import the proxy system in SAP IdM and run the initial load
Step 4 Assign privileges and check newly created users in S/4HANA SU01

1. Configure the Cloud connector.


You must set up an additional Cloud connector virtual system, because in this exercise the
ABAP connector of IPS communicates with S/4HANA over the Remote Function Call (RFC)
protocol. Use the following data:

Field                        Value
Back-end Type                ABAP system
Protocol                     RFC
Connection Type              Without load balancing
Application Server           Enter the SAP Logon credentials for your S/4HANA server
Instance Number              Enter the SAP Logon credentials for your S/4HANA server
Virtual Application Server   abaponprem
Virtual Instance Number      00

a) Navigate to your Cloud connector subaccount which you configured in the previous
exercise and click the + icon to add a new mapping from a virtual to an internal system.

Figure 76: Add New Mapping from Virtual to Internal System

b) On the wizard screen, for Back-end Type, select ABAP system. Click Next.

c) Continue through the wizard by selecting the values from the table.

d) Enter a description, and on the Summary screen, mark the Check Internal Host
checkbox and click Finish.

Figure 77: Add System Mapping - Summary

You should see the new virtual host and the internal host with the green Reachable status.

2. Add accessible resources to the virtual system. The following RFCs need to be added:

● BAPI_USER_ACTGROUPS_ASSIGN

● BAPI_USER_CREATE1

● BAPI_USER_DELETE

● BAPI_USER_GETLIST

● BAPI_USER_GET_DETAIL

● IDENTITY_MODIFY

● PRGN_ACTIVITY_GROUPS_LOAD_RFC

● PRGN_ROLE_GETLIST

a) Click the + icon in the second table, Resource Accessible, while your virtual host is
selected in the first table.

b) Enter the RFC name into the Function Name field, mark the Enabled checkbox and click
Save.

Figure 78: Add Function

c) Repeat the process for each of the RFCs in the above list.

The setup in Cloud connector is complete.
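The two Cloud connector allow-lists configured in these exercises (the URL path /sap/bc/srt/scs/sap with the access policy "Path and all sub-paths" from Solution 6, and the RFC function names just added by name) can be modelled to show what the restriction recommended in Solution 6, step 4 h) actually buys. The following Python block is an added example, not SAP's Cloud connector code; the HttpResource and VirtualSystem classes, the segment-boundary treatment of sub-paths and the sample URLs are this example's own assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

# Added example, not SAP code: a simplified model of the two Cloud connector
# allow-lists in these exercises (a URL path with the access policy "Path and
# all sub-paths", and RFC function names added by name). It shows what
# restricting the accessible resources buys; the real Cloud connector
# implementation is not reproduced here.


@dataclass
class HttpResource:
    url_path: str
    enabled: bool = True
    sub_paths: bool = True  # access policy "Path and all sub-paths"


@dataclass
class VirtualSystem:
    virtual_host: str
    protocol: str  # "HTTP" or "RFC", as in the Add System Mapping tables
    http_resources: list = field(default_factory=list)
    rfc_functions: set = field(default_factory=set)


def normalize_path(path: str) -> str:
    """Percent-decode and resolve '.' and '..' segments before matching, so a
    request is judged by where it really ends up, not by how it was spelled."""
    out = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def http_allowed(system: VirtualSystem, url: str) -> bool:
    """True if the URL targets the virtual host and matches an enabled URL
    path exactly, or lies below it when sub-paths are permitted.
    Modelling assumption: a sub-path means at least one further path segment."""
    parts = urlsplit(url)
    if system.protocol != "HTTP" or parts.hostname != system.virtual_host:
        return False
    path = normalize_path(parts.path)
    for res in system.http_resources:
        if not res.enabled:
            continue
        base = normalize_path(res.url_path)
        if path == base or (res.sub_paths and path.startswith(base.rstrip("/") + "/")):
            return True
    return False


def rfc_allowed(system: VirtualSystem, function_name: str) -> bool:
    """True only for function modules that were added to the mapping by name."""
    return system.protocol == "RFC" and function_name in system.rfc_functions


# Constructed configuration mirroring the two mappings in these exercises.
S4HANA_HTTP = VirtualSystem("s4hana", "HTTP", [HttpResource("/sap/bc/srt/scs/sap")])
ABAP_RFC = VirtualSystem("abaponprem", "RFC", rfc_functions={
    "BAPI_USER_ACTGROUPS_ASSIGN", "BAPI_USER_CREATE1", "BAPI_USER_DELETE",
    "BAPI_USER_GETLIST", "BAPI_USER_GET_DETAIL", "IDENTITY_MODIFY",
    "PRGN_ACTIVITY_GROUPS_LOAD_RFC", "PRGN_ROLE_GETLIST"})

if __name__ == "__main__":
    for url in ("http://s4hana/sap/bc/srt/scs/sap/ManageBusinessUserIn",
                "http://s4hana/sap/bc/srt/scs/sapx",
                "http://s4hana/sap/bc/srt/scs/sap/%2e%2e/%2e%2e/%2e%2e/%2e%2e/x"):
        print(url, "->", http_allowed(S4HANA_HTTP, url))
    print("BAPI_USER_CREATE1 ->", rfc_allowed(ABAP_RFC, "BAPI_USER_CREATE1"))
```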

3. Create the S/4HANA destination in your Neo subaccount.


The destination in your Neo subaccount will point to the Cloud connector virtual system, so
that you do not have to type the connection parameters for each system within IPS. Use the
following data:

Field               Value
Name                ABAPS4
Type                RFC
Proxy Type          OnPremise
User                Provided by the instructor
Password            Provided by the instructor
jco.client.ashost   Enter the name of the virtual system defined in the previous step of this exercise
jco.client.client   Use the default client which opens when you log in through SAP Logon
jco.client.sysnr    Provide the system number from the SAP Logon

Note:
For the user and password, enter the information provided by the instructor.

a) In Destination Configuration, enter the data from the table.

Figure 79: Destination Configuration

b) Save the destination and click Check connection.


You should see a green confirmation that your setup is complete.

4. Set up the S/4HANA system as the proxy system in IPS, enter ABAP as the Name, and use
the following values to define the ABAP filters:

abap.role.filter   ^(\\?)SAP_BC.*
abap.user.filter   ^S4100.*

a) Navigate to the IPS service and create a proxy system with the Name ABAP.
Make sure that the selected destination is the same as the one you configured in the
previous step.

Figure 80: Create Proxy System in IPS

b) Since all connection parameters are defined in the destination, we just need to apply
the filter in IPS. Search for roles that start with SAP_BC and only for users starting with
S4100.
Refer to the table above for defining the abap filter.

c) Export the system as CSV as you did for the SuccessFactors system in the previous
exercise.

5. Create an OAuth client for the connection to SAP IdM.

A dedicated OAuth client in our Neo subaccount is required. Use the following data:

Field                 Value
Name                  idm_abap
Subscription          sapiam/ipsproxy
ID                    idm_abap
Authorization Grant   Client Credentials
Confidential          Select checkbox

a) Create the OAuth client and enter the details from the table.

Note:
Note the ID and Secret as they will be needed during setup in SAP IdM.

b) Assign the IPS_PROXY_USER role from the subscriptions of the ipsproxy application.

Note:
Don't forget to enter the prefix oauth_client_.

Figure 81: Create OAuth Client for the Connection to SAP IdM

6. Import the S/4HANA proxy to SAP IdM and run the initial load.
The process is the same as in the previous exercise, when we imported the
SuccessFactors proxy system.
a) Using the exported CSV from IPS, click Import within the /idm/admin UI of SAP IdM
and create a new repository. Maintain the auth_user and password, the proxy host and
port and do not forget to change the assignment method from PATCH to PUT.

Figure 82: Maintain the Repository

b) Run the Initial Load and observe the results.

Figure 83: Loaded Users and Roles

You should see the loaded users and roles according to the filter in IPS.

7. Provision the SU01 user.


Use the user created as business partner and assign the ONLY privilege for our new ABAP
proxy as well as the SAP_BC_JSF_COMMUNICATION privilege.
a) Navigate to the user ccampbell and open the Assigned Roles and Privileges tab. Click
Add and assign the SAP_BC_JSF_COMMUNICATION and the ABAP ONLY role.

Figure 84: Provision SU01 User

8. After a short provisioning cycle, log in to S/4HANA and check your SuccessFactors user in
the SU01 transaction.
a) After a short provisioning cycle, log in again to S/4 HANA. Run the SU01 transaction
and check for the CCAMPBELL username.

b) In SU01, open the Roles tab.

Figure 85: Check User in SU01

You will also see that the requested privilege is assigned as a role in S/4HANA.
