SECCL1 en Col11 Exercise Handbook A4
EXERCISES AND SOLUTIONS
Course Version: 11
Course Duration: 4 Hours 40 Minutes
Material Number: 50154352
SAP Copyrights, Trademarks and Disclaimers
No part of this publication may be reproduced or transmitted in any form or for any purpose without the
express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. Please see https://www.sap.com/corporate/en/legal/copyright.html for additional
trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software
components of other software vendors.
National product specifications may vary.
These materials may have been machine translated and may contain grammatical errors or
inaccuracies.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only,
without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable
for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate
company products and services are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein should be construed as constituting an
additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business
outlined in this document or any related presentation, or to develop or release any functionality
mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’
strategy and possible future developments, products, and/or platform directions and functionality are
all subject to change and may be changed by SAP SE or its affiliated companies at any time for any
reason without notice. The information in this document is not a commitment, promise, or legal
obligation to deliver any material, code, or functionality. All forward-looking statements are subject to
various risks and uncertainties that could cause actual results to differ materially from expectations.
Readers are cautioned not to place undue reliance on these forward-looking statements, which speak
only as of their dates, and they should not be relied upon in making purchasing decisions.
SAP Cloud Platform IPS provides user and access provisioning to Cloud and on-premise
systems.
● SAP SuccessFactors is used as the enterprise repository for employees and is used for
syncing new hires.
● The app deployed on Cloud Foundry is a simple app with role-based access. Its purpose is
to show how authentication is handled using IAS.
Exercise 1
In this scenario, we are going to connect the SAP Cloud Platform Cloud Foundry account to an
IdP other than SAP ID. Additionally, since our new application requires specific roles to be
attached in order to function, we will investigate what options we have, using SAML mapping,
to assign those roles to our new users coming from IAS.
Prerequisites
● Deploy and run the Cloud application provided by your instructor.
● Have admin access to IAS Tenant
● Have admin access to the SAP Cloud Platform Cockpit
Execution Plan
Step 1 Log in to your SAP Cloud Foundry account (provided by your instructor): https://account.hana.ondemand.com/cockpit/#/home/allaccounts
Step 2 Deploy the provided Cloud application using the CLI
Step 3 Connect the IAS tenant to the Cloud Foundry account
Step 4 Define SAML mapping rules to access the custom app
a) Navigate to the subaccounts section on the left side of the screen and check that there
is only one Cloud Foundry and one Neo subaccount as shown in the figure,
Subaccounts.
Figure 3: Subaccounts
Note:
The naming should be SECCL-AXX, where XX represents your assigned
group for the course. If you do not see the subaccounts or if there is
another one displayed other than the one assigned to you, please contact
your instructor.
3. Check IPS availability – you should see the Proxy systems tile
a) Navigate to the Neo subaccount, then click on Services from the menu on the left and
search for Provisioning. You should see the service enabled as shown in the
screenshot.
b) Click on the tile and from the newly opened content, select Go to service. This should
take you to the IPS in a separate tab. Within this tab, you should see the second
screenshot below (the Proxy Systems tab should be visible). If this is the case, then
your readiness check is done, and you can move on to the next step.
4. Prepare for the deployment of the Cloud application by configuring a space in SAP Cloud
Platform Cloud Foundry subaccount.
a) Return to the subaccounts section of your Cloud account and navigate to the Cloud
Foundry subaccount.
c) Name the space security and leave the checkboxes as marked by default.
d) Click Create.
This will take you directly to the applications within this space where there are
currently none.
Figure 6: cf_installer
Variable       Value
https_proxy    https://proxy:8080
c) After setting up the proxy, run the following command in the command prompt
window to add a module of the cf, which allows us to deploy to the SAP Cloud Platform:
cf install-plugin multiapps
This will add the deploy option to your CLI installation.
d) Deploy the Cloud app from the course folder provided by your instructor using the
following set of commands in the command prompt:
● cf login
If asked, provide the API endpoint, which you can find in your Cloud Foundry
subaccount on the overview page as shown below in the screenshot.
Provide the email and password credentials for your Cloud Foundry subaccount
(e.g. seccl-a##@education.cloud.sap / password).
c) Log in with your Cloud Foundry email and password, which was used for logging in to
the SAP Cloud Platform Cockpit.
You should see the two links for the roles Auditor and CFO. For now both options open
a Forbidden screen, as you require special roles to access these resources.
7. To resolve the Forbidden message, check the roles, scopes, role templates, role
collections and assign the Finance_Admin role collection to your SAP Cloud Platform
Cloud Foundry user account.
a) Within the application overview, click Roles in the left navigation menu.
There are two role templates: Finance_Auditor and Finance_CFO.
b) To see the list of the available role collections, navigate to the subaccount level and
open Security → Role Collections.
There are three role collections. One that combines the Auditor and CFO role
templates and two others for the two separate role templates.
c) To assign the Finance_Admin role collection to your Cloud Foundry user, navigate to
Security → Trust configuration and select the SAP ID identity provider. Type the email
address of your user and click Show Assignments. It should return an empty result.
Click Assign Role Collection.
d) Select the Finance_Admin role collection from the drop-down and click Assign Role
Collection.
8. Access the Cloud app again with the newly assigned role collection. You should no longer
see the Forbidden message.
a) Navigate to your application overview and click on the application router URL.
The initial page is shown again, but this time when you navigate to the Auditor and CFO
links, you should no longer see the Forbidden message.
9. Connect an external IdP (IAS) to the Cloud Foundry subaccount to easily onboard new
members to your Cloud app.
a) Enter your subaccount main screen and open the Security menu from the left-hand
side of the screen.
The Trust Configuration option is the entry point for the setup. Currently there is only
one active provider, SAP ID Service.
b) To set up IAS as a new IdP, we will need to exchange metadata between the Cloud
platform and IAS. Leave this window open and continue with the next task in a new
browser.
b) Save the result as an XML file; ensure that you include the opening xml tag.
c) Return to the browser window of the previous step with the Trust Configuration and
click New Trust Configuration. In the newly opened window, paste the contents of the
XML file in the large text field below the Upload button. Click Parse; most of the fields
will be populated automatically.
d) Enter an optional name for the trust configuration, e.g. IAS. Provide a description and
click Save.
11. Create a new application in IAS, which points to your Cloud Foundry subaccount.
Now that we have established the new IdP on Cloud Foundry side, we need to ensure that
the trust is established in IAS as well.
a) Navigate to the admin console of IAS which is located at the following URL:
https://<Identity_Authentication_tenant>.accounts.ondemand.com/admin
b) From the menu on the left-hand side of the screen, choose Application &
Resources → Applications. Click +Add to add a new application.
c) Enter a name for the new application which represents your service provider, for
example, CF Account.
b) Import the metadata from our Cloud Foundry account; it can be accessed in your SAP
Cloud Platform cockpit within the Security → Trust configuration menu of your subaccount
by clicking on the SAML Metadata button:
c) By clicking on the button, you will download the metadata of your Cloud Foundry
subaccount. Follow the same procedure as with IAS and store it as an XML file.
d) To import the stored file in IAS, click Browse and select the metadata file, rename the
Name field to IAS and then click Save.
b) From the application menu, select Default Name ID format. From the two options,
choose Email and click Save.
c) Go to Assertion Attributes and use +Add to add the Groups user attribute. In the input
field for assertion attribute, enter Groups (it is case-sensitive). Click Save.
14. Log in to the Cloud application using the new IAS IdP.
a) If you copy the URL of the application and open it in another browser, you will be
presented with a login screen that offers two options: to log in using the default SAP ID
or to navigate to the newly configured IAS login.
b) Click on the IAS Login link below the Log on button. This will take you to a new login
screen, which uses the authentication you defined in IAS. To log in to the app, you
must provide the credentials from IAS and not from the SAP ID.
Note:
The username should be the same as the email used to do the setup in IAS.
If you are unsure of these details, ask the instructor for the credentials.
Once logged in, you can see that neither of the users in IAS has access to the app. This
is because they don't have the role collections assigned (remember that the current
assignment was done for the default IdP, not for IAS).
b) Go to the last item on the left side of the screen → Role Collection Assignment. In the
User field, type the email of the user from IAS.
c) Click Show Assignments → Assign Role Collection and then Assign Role Collection.
From the drop-down menu, select Finance_Admin and click Assign Role Collection.
16. Log in to the deployed app again using IAS authentication to verify the newly assigned
groups.
a) Open the application overview page and open the application router URL in another
browser or a new browser session (e.g. incognito).
17. Create role collection mappings, but first remove the static assignments.
You must first revert the setup in the Role Collection Assignment for the IAS trust
configuration.
a) Delete the existing fixed assignments, which you created in the previous step. Confirm
the deletion in the newly opened dialog.
b) Navigate within the same page to the Role Collection Mappings menu and click New
Role Collection Mapping.
The new popup contains important information about the next steps. In the first
drop-down menu, the available Role collections are displayed. We are then presented with
the attribute that is used for the mapping and the operator, which cannot be changed.
We can maintain the Value field once we have groups, which you will create in the next
step of the exercise. Leave this browser window open.
b) Create two groups using +Add. Name the first group: SECCL1_Auditors and the
second group: SECCL1_CFOs.
c) Assign the newly created groups to your user in IAS. Go to Users &
Authorizations → User Management and click on your user. Select the User groups tab
and assign the required groups to the user by selecting Assign Groups.
19. Maintain role collection mappings in the Cloud Foundry subaccount with created IAS
Groups.
a) Return to your open Cloud Foundry subaccount browser window. Within the IAS trust
configuration, maintain the names of the new groups as shown below and choose
Save. Keep in mind that if you assign both groups together, you will have access to
both links in the app. If you would like to have access to only one of the links then
assign only one of the roles from the table below.
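As an added illustration (not SAP's code and not part of the original handbook), the following Python models what the subaccount does with the Groups assertion attribute added in IAS and the role collection mappings maintained in step 19: the assertion is constructed for the example, and the role collection names Finance_Auditor and Finance_CFO are assumed. It also shows why the attribute name must be spelled exactly Groups.

```python
"""Illustration of IAS-to-Cloud-Foundry role collection mapping.

Added example, not SAP code: it models the evaluation of role collection
mappings (attribute Groups, operator equals, value = IAS group name) against
the Groups attribute of a SAML assertion issued by IAS. The assertion below
is constructed; the role collection names Finance_Auditor and Finance_CFO
are assumed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET  # production code should parse with defusedxml to block entity attacks

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for one IAS user. The Groups attribute carries
# SECCL1_Auditors; a second attribute named "groups" (lower case) carries
# SECCL1_CFOs to show that the attribute name is case-sensitive and is ignored.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">clark@example.invalid</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>SECCL1_Auditors</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>SECCL1_CFOs</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Role collection mappings as maintained in the IAS trust configuration (step 19).
# Attribute and operator are fixed by the cockpit; only the value is maintained.
ROLE_COLLECTION_MAPPINGS = [
    {"role_collection": "Finance_Auditor", "attribute": "Groups", "operator": "equals", "value": "SECCL1_Auditors"},
    {"role_collection": "Finance_CFO", "attribute": "Groups", "operator": "equals", "value": "SECCL1_CFOs"},
]


def attribute_values(assertion_xml: str, name: str) -> list[str]:
    """Return the AttributeValue texts of every assertion attribute named exactly `name`."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != name:  # exact, case-sensitive comparison
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            values.append((val.text or "").strip())
    return values


def map_role_collections(assertion_xml: str, mappings: list[dict]) -> set[str]:
    """Evaluate the mappings against the assertion and return the role collections granted."""
    granted = set()
    for m in mappings:
        if m["operator"] == "equals" and m["value"] in attribute_values(assertion_xml, m["attribute"]):
            granted.add(m["role_collection"])
    return granted


def has_access(granted: set[str], required_role_collection: str) -> bool:
    """Whether a protected link (Auditor or CFO) opens; otherwise the app answers Forbidden."""
    return required_role_collection in granted


if __name__ == "__main__":
    granted = map_role_collections(SAMPLE_ASSERTION, ROLE_COLLECTION_MAPPINGS)
    print("granted role collections:", sorted(granted))
```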
Creating users in SAP Identity Authentication Service (IAS) manually is an approach that can
be used if you have a low number of users, but it is likely that it will eventually become
necessary to automate their creation. In the landscape, we have an SAP SuccessFactors
system, which can act as a source for the employees.
In this exercise, we are going to use the SAP Cloud Platform Identity Provisioning Service
(IPS) in proxy mode to connect SAP IdM and SAP SuccessFactors. We will then load all users
from SuccessFactors to SAP IdM. In the following exercise, we will build on this task by using
the pre-loaded employees to provision to IAS.
Prerequisites
● SuccessFactors user with sufficient privileges to read the employee data.
● Enabled proxy mode for IPS
Execution Plan
1. Create and set up a new OAuth client from the Neo sub-account.
3. Navigate to IPS.
5. Maintain system properties using the information from the following table:
Property        Value
ProxyType       Internet
Authentication  BasicAuthentication
7. Set up SAP IdM using a remote desktop session on the server where SAP IdM is installed.
● com.sap.idm.provisioning.engine
● com.sap.idm.forms.default
● com.sap.idm.connector.custom
● com.sap.idm.connector.scim
● com.sap.idm.connector.sci
Note:
For a user to have access to the Web UI, they must be part of the identity
store.
13. Maintain the OAuth user and password, proxy host, port and assignment method.
15. Run the initial job for the newly created repository.
The job is likely to finish with an error state.
1. Create and set up a new OAuth client from the Neo sub-account.
a) Navigate to Security → OAuth.
b) Select the Clients tab and click Register New Client. Create a similar client as shown in
the Set Up OAuth Client in Neo figure, and click Save.
Note:
Take note of the ID and the Secret you enter.
c) Under the Roles section, assign the IPS_PROXY_USER role to the newly created OAuth
Client by adding the prefix oauth_client_ and choose Assign.
3. Navigate to IPS.
a) Navigate to the Services section of your Neo cloud account. Under User Management,
select Identity Provisioning.
b) Click Go to service.
Field          Value
Description    Employee Store for IdM
a) Navigate to the Proxy systems tile and create a new proxy system. Enter the data from
the table in the Details section.
b) Click Save.
5. Maintain system properties using the information from the following table:
Property        Value
ProxyType       Internet
Authentication  BasicAuthentication
a) Maintain the connection properties for the selected type of proxy system using the
information from the table.
7. Set up SAP IdM using a remote desktop session on the server where SAP IdM is installed.
a) Open a remote desktop session on the server where SAP IdM is installed.
Note:
Details will be provided by the instructor. Each student has one dedicated
instance of SAP IdM.
b) Start the Eclipse provided on the D:\ drive. It is pre-configured to include the connection to
your SAP IdM instance.
a) In the SAP IdM perspective, right click on the system name and select New → Identity
Store.
c) In the Administrator field, enter the same user you used to login to IdM in Eclipse.
● com.sap.idm.provisioning.engine
● com.sap.idm.forms.default
● com.sap.idm.connector.custom
● com.sap.idm.connector.scim
● com.sap.idm.connector.sci
a) Open the newly created Enterprise People identity store in the SAP Identity
Management perspective.
c) Repeat the import operation for all the packages listed in the step detail and keep the
sequence as listed.
Note:
For a user to have access to the Web UI, they must be part of the identity
store.
a) Go to your NetWeaver start page and open User Management. There, search for
dev_admin. Click on the button Copy to new user. Provide an initial password and change
the first and last name. This will be your user for access to the SAP IdM UI. Within the
SAP IdM Developer Studio, double click the Enterprise People identity store and in the
newly opened tab, click Add User… .
b) Type the same user you created in the User Management of NetWeaver. Select the
checkboxes and click OK.
c) Create a new user from dev_admin with copy to new user option.
Figure 35: Create a new user from dev_admin with copy to new user option
d) To test the access to the IdM UI, try accessing the following URLs:
http://localhost:50000/idm
http://localhost:50000/idm/admin
They should both open without any issues.
b) In the newly opened dialog, select the exported SAP_SF.csv CSV file from the IPS.
13. Maintain the OAuth user and password, proxy host, port and assignment method.
a) Edit the SAP_SF repository, maintain the AUTH_USER and AUTH_PASSWORD fields
with the user and password from the OAuth Cloud platform client you created.
d) Click Save.
b) If the status is not running, start the dispatcherutil from your IdM remote server
desktop. If in doubt, ask your instructor for the proper credentials for the login.
c) Once the GUI is loaded, select the dispatcher and start it. Refresh until the status is
changed to Running.
15. Run the initial job for the newly created repository.
a) Return to the /idm/admin UI, click on Run Now.
Note:
The job won't start immediately; it usually takes around 5-7 minutes to
complete.
b) Click Refresh to get the actual state. When the job is processed by the dispatcher, the
job state will change from Idle to Running. Keep refreshing until the job is completed.
Figure 39: Run the Initial Job for the Newly Created Repository
b) If we select the admin user, details about that identity will be shown. If we navigate to
the Assigned Roles and Privileges tab, we will also see the group assignments from
SuccessFactors.
We would like to work with the loaded users from SuccessFactors, which are currently
unknown to our application in Cloud Foundry. To give them access to the Cloud app, we
provision them to SAP Cloud Platform IAS.
Prerequisites
Successful load of SAP SuccessFactors employees in SAP IdM on-premise.
Execution Plan
Step 1 Create a system as administrator in IAS tenant
Step 2 Create repository for the IAS tenant
Step 3 Initial load users and groups from IAS to SAP IdM
Step 4 Provision new user to the Cloud
b) Click +Add to add a new system and name it SAP IdM. Under Configure
Authorizations, set Manage Users and Manage Groups to ON.
c) Set a password of your choice for the system. Once a password is set, you will see a
random GUID which represents the username for the connection to SAP IdM. Click on
Set Password again and you will have the option to copy the GUID username.
2. Log in to SAP IdM system (on-premise) and create a repository. Use the following data:
Field          Value
Name           IAS
Description    IAS Tenant
Type           SCI
b) Click Create and choose Create New Repository. Enter the data from the table above.
The type SCI comes from the old name of Identity Authentication Service.
c) Click Save.
Constant        Value
PROXY_HOST      proxy
PROXY_PORT      8080
SCI_HOST        <your IAS host>
SCI_User        <your IAS user>
SCI_Password    <your IAS password>
a) In the newly created repository, maintain the connection details under the Constants
tab as shown in the figure Connection Details for the New Repository.
b) Click Save.
Once finished you should see a green state and no errors/warnings. Users from IAS
should be loaded in IdM.
The ONLY privilege will trigger the creation of new users in the cloud IAS tenant.
a) Find the user by going to the Manage tab of SAP IdM. In the Show field, select Person
and enter *Clark* in the Find field and click on Choose Task....
b) From the new menu, expand Identity and select the Assign Privileges, Roles and
Groups task.
c) Under the Assign Roles and Privileges tab, enter *IAS* in the Find field and assign the
ONLY privilege using Add and then Save.
A validity and reason entry is not required.
b) Under the details of your user, choose the Assigned Roles tab and search for the
idm.monitoring role.
d) From the new tab, select Job Log from the drop-down and refresh periodically to check
the status of provisioning.
b) Select the Authentication tab on the same screen, choose Set Initial to set an initial
password.
The new user is able to access the application but has no access to the links.
Hint:
We are striving for maximum automation so manual changes in IAS are not
expected.
Every application, including SAP Cloud Platform IAS, requires customer branding and a custom
layout. You have the capability to customize your application login screen to improve
your UX and adhere to the corporate guidelines. To enable unregistered users to access the
app, we will also allow self-registration.
Prerequisites
Configured application in SAP IAS.
Execution Plan
Step 1 Upload app logo
Step 2 Change color theme
Step 3 Enable self-registration
Step 4 Enable reCAPTCHA for bot protection during registration
b) Click the logo to upload your own logo or use the one provided by the instructor.
b) In the Available Themes screen area, choose Custom Basic and edit the colors as
desired.
3. Enable self-registration.
a) In the Authentication and Access tab of your application, change the User Application
Access to Public. Click Save.
b) To get the Site and Secret key, you need to log in to the following URL: https://www.google.com/recaptcha/admin
Note:
You will need a valid Gmail account to access the site. If you do not have
one, you can skip this step.
d) Select the reCAPTCHA v2 radio button and Invisible reCAPTCHA badge as shown in the
figure, Enable reCAPTCHA for Bot Protection During Registration.
f) Click Register.
5. Maintain the reCAPTCHA site key and secret key in the Tenant settings of IAS.
a) Once the new site is registered, the Site and the Secret Key are displayed. Copy them
from the screen.
c) Select Google reCAPTCHA and maintain the values copied earlier from Google into the
Site Key and the Secret Key field.
To increase security for our Cloud application, we need to enable two-factor authentication.
Prerequisites
Smartphone with an installed authenticator app (for example, SAP Authenticator, Google
Authenticator, or Microsoft Authenticator) and a configured application in SAP IAS.
Execution Plan
Step 1 Configure two-factor authentication
1. Onboard two-factor authentication for your account by accessing the user profile of the
newly created user from the previous exercise.
a) Log in to your IAS user profile by using the same IAS URL as before, but without any
URL suffix.
Note:
If you are unsure about the exact URL, ask your instructor.
c) Scan the provided bar code and add it to your mobile app of choice (for example,
Google Authenticator, SAP Authenticator, Microsoft Authenticator, etc.). Then enter
the passcode displayed on the screen.
If you have successfully onboarded your account, you should see a green mark in your
profile.
2. Enable two-factor authentication for your application using the following data:
Field          Value
Action         TOTP Two-Factor Authentication
b) Select your application and go to the Authentication and Access tab. Select the
Risk-based Authentication menu.
If your account hasn't been onboarded with two-factor authentication, you will be
prompted to onboard on the go.
c) Create a new rule by clicking + Add Rule and enter the data from the table.
3. Log in to the app again using the same user you activated for two-factor authentication.
You will be requested to enter your two-factor authentication code from the app.
We would like to create business partners in S/4 HANA on-premise. For that purpose, we will
use SAP Cloud Platform Authentication Service and SAP Cloud Platform Identity Provisioning
Service (IPS). The S/4 HANA system will be attached as a target, whereas the SAP IAS will be
used as a source.
Prerequisites
Exposed services from S/4 HANA on-premise.
Execution Plan
Step 1 Add SAP IAS as source to SAP IPS
Step 2 Expose services from S/4 HANA on-premise and configure Cloud connector
Step 3 Add S/4 HANA on-premise as a target in SAP IPS
Step 4 Run the sync job and observe the results
Step 5 Enable real-time provisioning
4. Establish the Cloud connector link for S/4 HANA on-premise. Use the following data:
Field          Value
Subaccount     Dependent on subaccount
Display Name   SECCL-A0X
Protocol       HTTP
Note:
The Cloud connector service is installed on your WTS virtual machine. Your
instructor should provide the URL, port, and credentials.
Table 5: Details
Field          Value
System Name    s4hana
Description    S/4HANA connector for provisioning
Table 6: Properties
Field                            Value
Authentication                   BasicAuthentication
ips.date.variable.format         yyyy-MM-dd
ips.trace.failed.entity.content  true
s4hana.onprem.hr.switch.active   false
6. Start the provisioning from IAS to S/4 HANA for the creation of new business partners.
To do this, we will start the provisioning job from IPS.
Note:
Make sure that IAS users have login names defined, which is required for
the provisioning to S/4 HANA.
7. Enable real-time provisioning. Create a new OAuth client in the Neo subaccount using the
following data, and assign it to the IPS subscription (previous OAuth clients were attached
to ipsproxy).
Note:
Running a scheduled job is a valid approach for provisioning, but sometimes
we need to push newly created entities immediately to the target system. An
example would be the self-registration process, where the user needs to be
provisioned immediately to the target systems. This option is available only in the
scenario where IAS is acting as the source in IPS, and it is called real-time
provisioning.
Name ias_ips
Subscription sapiam/ips
ID ias_ips
● <Identity_Authentication_Source_Sys-
tem_guid>
Locate the first by navigating within
your Neo subaccount to Applica-
tions → Subscriptions and clicking on
ips within the Subscribed Java Applica-
tions.
The Application URL is what you are
looking for including the suffix /ips
● The <Identity_Authentica-
tion_Source_System_guid> parameter
can be retrieved from the IPS service
when you navigate to the IAS source
system. The URL will contain the ID as
shown in the figure below, Identity Au-
thentication ID.
Authentication Configurations
Field Value
OAuth URL Use the Token Endpoint from your Neo
subaccount
Client ID Use the data you created for the IPS sub-
scription
Client Secret Use the data you created for the IPS sub-
scription
b) Create a new system user and enter IAS in the System Display Name field.
c) Under Configuration Authorizations, switch all the settings to ON as shown in the figure,
System User Settings.
Note:
Don't forget to set the password for the user in order to see their technical
name.
a) Navigate to IPS and create a source system using the data in the table.
For the properties, see the Identity Authentication Service Mandatory Properties
figure.
b) Run the SOAMANAGER transaction. From the newly opened browser window, select the
Simplified Web Service Configuration link.
Figure 61: Configure Services for Provisioning from S/4 HANA On-Premise
d) Once you have found the service, mark the Username/Password checkbox. Click Save.
4. Establish the Cloud connector link for S/4 HANA on-premise. Use the following data:
Protocol HTTP
Note:
The Cloud connector service is installed on your WTS virtual machine. Your
instructor should provide the URL, port, and credentials.
If you are starting with a Cloud connector that is not yet connected to any Cloud
subaccount, click Define subaccount and enter the data provided in the Add Subaccount
table.
b) In most cases, there are likely to be some subaccounts already connected to the Cloud.
In this scenario, select the Connector menu from the left-hand side and click + Add
Subaccount.
Maintain the required information, which will differ depending on your subaccount. The
greyed-out fields in the figure, Add Subaccount for Cloud Connector Connection, are
different for each subaccount. Keep in mind that we are connecting to the Neo
subaccount, since the IPS service is located there.
c) You can find the subaccount on the Overview page of your Neo subaccount in the
Subaccount information section.
The user and password are the same ones you used to log in to the Neo environment.
d) Replace the X in the Display Name field with the number of your assigned group
for the exercise. Click Save, and you should see the newly configured connection with
status Connected, as shown in the figure, Cloud Connector Connection.
e) Expose the S/4 HANA system from on-premise to the Cloud by selecting the Cloud to
On-Premise menu from the menu on the left and clicking the + icon to map a virtual system
to an internal one.
f) On the Add System Mapping pop-up window, select the back-end type as ABAP
System. Click Next and go through the other screens of the wizard, selecting the
options in the Add System Mapping table.
h) Now that the system is accessible, it is highly recommended to limit the resources that
can be accessed to the ones this scenario needs. From within the same window, click the
+ icon in the Resource Accessible table.
i) In the Add Resource dialog box, enter the data from the Add Resource table and click
Save to complete the Cloud connector setup.
Table 5: Details
Field          Value
System Name    s4hana
Table 6: Properties
Field                             Value
Authentication                    BasicAuthentication
ips.date.variable.format          yyyy-MM-dd
ips.trace.failed.entity.content   true
s4hana.onprem.hr.switch.active    false
Field   Value
URL     Enter the Virtual Host and Port details from the previous exercise
User    Enter the credentials provided by the instructor
b) Create a new target system using the data from the Details table.
Note:
Make sure you select the newly created IAS source system as the source
for this target system.
c) On the Properties tab, enter the data from the Properties table.
Note:
We are connecting to the previously established Cloud connector virtual
host.
6. Start the provisioning from IAS to S/4 HANA for the creation of new business partners.
To do this, we will start the provisioning job from IPS.
Note:
Hint: Make sure that IAS users have login names defined, which is required for
the provisioning to S/4 HANA.
a) In the IPS service, click on the source systems and, within the IAS source system,
select the Jobs tab.
You will see two job types: Read Job and Resync Job. The second is the one that
should be run initially to build the delta. Afterwards, we use the Read Job to sync only
the changed entries. As seen in the figure, Start Provisioning Job from IPS, only the
Read Job can be scheduled.
c) To monitor the running job, navigate to the Job Logs menu from the left-hand side.
d) Check the provisioned entries in S/4HANA using SAP Logon in your WTS virtual
server.
Log in using the credentials provided by the instructor.
e) Run the BP transaction and search for Persons with the login name of your provisioned
users, filtering by BUPA Identification Number.
f) The entries from IAS are created as business partners. You can browse those entities
by double-clicking on them.
g) Navigate to the Identification tab and you will see the P number from IAS in the table.
7. Enable real-time provisioning. Create a new OAuth client in the Neo subaccount using the
following data, and assign it to the IPS subscription (previous OAuth clients were attached
to ipsproxy).
Note:
Running a scheduled job is a valid approach for provisioning, but sometimes
we need to push newly created entities immediately to the target system. An
example would be the self-registration process, where the user needs to be
provisioned immediately to the target systems. This option is available only in
the scenario where IAS is acting as the source in IPS, and it is called real-time
provisioning.
New OAuth Client in Neo
Field          Value
Name           ias_ips
Subscription   sapiam/ips
ID             ias_ips
New System Configurations
● <Identity_Authentication_Source_System_guid>
  Locate the first by navigating within your Neo subaccount to Applications →
  Subscriptions and clicking on ips within the Subscribed Java Applications.
  The Application URL is what you are looking for, including the suffix /ips.
● The <Identity_Authentication_Source_System_guid> parameter can be retrieved
  from the IPS service when you navigate to the IAS source system. The URL will
  contain the ID as shown in the figure below, Identity Authentication ID.
Authentication Configurations
Field           Value
OAuth URL       Use the Token Endpoint from your Neo subaccount
Client ID       Use the data you created for the IPS subscription
Client Secret   Use the data you created for the IPS subscription
● Navigate to Security → OAuth → Clients and register a new client using the data
from the above table, New OAuth Client in Neo.
● Click Save.
● Navigate to Security → OAuth → Branding and copy the Token Endpoint URL
from the bottom of the screen.
● Go to Roles and assign the IPS_ADMIN role to a user whose name is formed using the
following template: oauth_client_<client ID>, for example, oauth_client_ias_ips.
d) Let’s switch to the configuration in IAS. Navigate to Users & Authorizations → User
Provisioning and click +Add to add a new target system. Enter the data from the New
System Configurations table above.
e) The setup is complete; proceed with provisioning by clicking Provision. Do not use the
Test connection button, since it does not always show the correct result.
b) Set the Status to Active and mark the E-mail Verified checkbox. Click Save. This will
trigger the real-time provisioning.
d) Run the SU01 transaction within S/4HANA to check if the business partner also exists
as a technical user. Enter the business partner identification CCAMPBELL in the User
field and search.
The user doesn't exist. In the next exercise we are going to create the same user in
SU01 as well, so that the two are linked in S/4 HANA.
In this exercise, we are going to extend the previous exercise and link the created business
partners to users in the SU01 transaction using IPS. However, in this exercise the initiating
system will be SAP IdM.
Prerequisites
Existing business partners created from IAS in S/4 HANA on-premise.
Execution Plan
Step 1 Configure the connection between on-premise and Cloud
Step 2 Create a proxy system within IPS
Step 3 Import the proxy system in SAP IdM and run the initial load
Step 4 Assign privileges and check newly created users in S/4HANA SU01
Protocol RFC
You should see the new virtual host and the internal host with the green Reachable status.
2. Add accessible resources to the virtual system. The following RFCs need to be added:
● BAPI_USER_ACTGROUPS_ASSIGN
● BAPI_USER_CREATE1
● BAPI_USER_DELETE
● BAPI_USER_GETLIST
● BAPI_USER_GET_DETAIL
● IDENTITY_MODIFY
● PRGN_ACTIVITY_GROUPS_LOAD_RFC
● PRGN_ROLE_GETLIST
Type RFC
Note:
For the user and password, enter the information provided by the instructor.
4. Set up the S/4HANA system as the proxy system in IPS, enter the Name as ABAP, and use
the following for defining the abap filters.
abap.role.filter   ^(\\?)SAP_BC.*
abap.user.filter   ^S4100.*
Field          Value
Subscription   sapiam/ipsproxy
ID             idm_abap
6. Import the S/4HANA proxy to SAP IdM and run the initial load.
The process repeats the one from the previous exercise, when we imported the
SuccessFactors proxy system.
You should see the loaded users and roles according to the filter in IPS.
8. After a short provisioning cycle, log in to S/4HANA and check your SuccessFactors user in
the SU01 transaction.
You will also see that the requested privilege is assigned as a role in S/4HANA.
Protocol RFC
a) Navigate to your Cloud connector subaccount which you configured in the previous
exercise and click the + icon to add a new mapping from a virtual to an internal system.
b) On the wizard screen, for Back-end Type, select ABAP system. Click Next.
c) Continue through the wizard by selecting the values from the table.
d) Enter a description, and on the Summary screen, mark the Check Internal Host
checkbox and click Finish.
You should see the new virtual host and the internal host with the green Reachable status.
2. Add accessible resources to the virtual system. The following RFCs need to be added:
● BAPI_USER_ACTGROUPS_ASSIGN
● BAPI_USER_CREATE1
● BAPI_USER_DELETE
● BAPI_USER_GETLIST
● BAPI_USER_GET_DETAIL
● IDENTITY_MODIFY
● PRGN_ACTIVITY_GROUPS_LOAD_RFC
● PRGN_ROLE_GETLIST
a) Click the + icon in the second table, Resource Accessible, while your virtual host is
selected in the first table.
b) Enter the RFC name into the Function Name field, mark the Enabled checkbox and click
Save.
c) Repeat the process for each of the RFCs in the above list.
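The Resource Accessible table is an allowlist: only function modules that match an enabled entry can be invoked through the virtual host, which is why the previous exercise recommends limiting the exposed resources and why this step names exactly eight RFCs. The following Python model is an added illustration, not SAP's or the handbook's code. It reproduces the effect of the rules, not the Cloud Connector implementation, and assumes the two rule shapes the Cloud Connector UI offers for function names, an exact name or a name prefix; the data structures, helper names and the candidate list are constructed for the example.

```python
"""Allowlist model of a Cloud Connector "Resource Accessible" table.

Constructed example (not SAP code). Assumed rule semantics: a rule is either
an exact function-module name or a name prefix, and disabled rules are ignored.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourceRule:
    name: str             # function module name, or the prefix for prefix rules
    prefix: bool = False  # False: exact-name rule, True: prefix rule
    enabled: bool = True  # the "Enabled" checkbox from step 2 b)


# The eight RFCs the exercise adds, each as an exact-name rule.
EXERCISE_RULES = [
    ResourceRule("BAPI_USER_ACTGROUPS_ASSIGN"),
    ResourceRule("BAPI_USER_CREATE1"),
    ResourceRule("BAPI_USER_DELETE"),
    ResourceRule("BAPI_USER_GETLIST"),
    ResourceRule("BAPI_USER_GET_DETAIL"),
    ResourceRule("IDENTITY_MODIFY"),
    ResourceRule("PRGN_ACTIVITY_GROUPS_LOAD_RFC"),
    ResourceRule("PRGN_ROLE_GETLIST"),
]

# A tempting shortcut: one prefix rule instead of five BAPI_USER_* entries.
PREFIX_SHORTCUT_RULES = [
    ResourceRule("BAPI_USER_", prefix=True),
    ResourceRule("IDENTITY_MODIFY"),
    ResourceRule("PRGN_", prefix=True),
]


def is_allowed(function_name, rules):
    """True if some enabled rule admits the function module name."""
    name = function_name.upper()  # ABAP function module names are upper case
    for rule in rules:
        if not rule.enabled:
            continue
        if rule.prefix and name.startswith(rule.name):
            return True
        if not rule.prefix and name == rule.name:
            return True
    return False


def callable_subset(candidates, rules):
    """Sorted list of the candidate function modules the rules let through."""
    return sorted(f for f in candidates if is_allowed(f, rules))


def extra_exposure(candidates, rules, reference_rules=EXERCISE_RULES):
    """Function modules admitted by `rules` but not by the exercise's exact list."""
    return sorted(
        f for f in candidates
        if is_allowed(f, rules) and not is_allowed(f, reference_rules)
    )


# Constructed candidate list: the eight RFCs from the exercise plus some other
# standard user-management function modules that this scenario does not need.
CANDIDATES = [r.name for r in EXERCISE_RULES] + [
    "BAPI_USER_CHANGE",
    "BAPI_USER_LOCK",
    "BAPI_USER_UNLOCK",
    "BAPI_USER_PROFILES_ASSIGN",
    "RFC_READ_TABLE",
]

if __name__ == "__main__":
    print("exact rules admit:", callable_subset(CANDIDATES, EXERCISE_RULES))
    print("prefix shortcut additionally admits:",
          extra_exposure(CANDIDATES, PREFIX_SHORTCUT_RULES))
```

Running the script shows that the eight exact entries admit exactly the eight RFCs, while the prefix shortcut also lets through user-management modules the IdM scenario never calls; keeping exact names, as the exercise does, is the least-privilege choice.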
Type RFC
Note:
For the user and password, enter the information provided by the instructor.
4. Set up the S/4HANA system as the proxy system in IPS, enter the Name as ABAP, and use
the following for defining the abap filters.
abap.role.filter   ^(\\?)SAP_BC.*
abap.user.filter   ^S4100.*
a) Navigate to the IPS service and create a proxy system, enter the Name as ABAP.
Make sure that the selected destination is the same as the one you configured in the
previous step.
b) Since all connection parameters are defined in the destination, we just need to apply
the filter in IPS. Search for roles that start with SAP_BC and only for users starting with
S4100.
Refer to the table above for defining the abap filter.
c) Export the system as CSV as you did for the SuccessFactors system in the previous
exercise.
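To see what the two filter properties from step 4 actually do, the following Python script applies them to constructed user and role lists, so you can check which entities IPS would read into the proxy system before exporting it. This is an added illustration, not SAP's or the handbook's code. Read as ordinary regular expressions, ^S4100.* keeps user IDs that begin with S4100, and ^(\\?)SAP_BC.* keeps role names that begin with SAP_BC, optionally preceded by a single backslash; the page does not say whether IPS applies any further escaping to the property value, so that plain-regex reading is an assumption here. The helper names and the sample names are constructed.

```python
"""Apply the IPS abap.* read filters from the exercise to constructed data.

Added illustration, not SAP code. The filter values are copied verbatim from
the exercise; compile_filters, read_filtered, excluded and the sample lists
are constructed for this example.
"""
import re

# Property values exactly as entered in the IPS proxy system (step 4).
ABAP_FILTER_PROPERTIES = {
    "abap.role.filter": r"^(\\?)SAP_BC.*",
    "abap.user.filter": r"^S4100.*",
}


def compile_filters(properties):
    """Compile every *.filter property. A malformed pattern fails here,
    rather than silently filtering nothing when the job runs."""
    compiled = {}
    for key, pattern in properties.items():
        if key.endswith(".filter"):
            compiled[key] = re.compile(pattern)
    return compiled


def matches(pattern, name):
    """re.match anchors at the start, which is what the leading ^ expects."""
    return pattern.match(name) is not None


def read_filtered(users, roles, properties=ABAP_FILTER_PROPERTIES):
    """What the proxy exposes: users and roles that pass their own filter.
    Each entity type is checked only against the filter for that type."""
    f = compile_filters(properties)
    return {
        "users": [u for u in users if matches(f["abap.user.filter"], u)],
        "roles": [r for r in roles if matches(f["abap.role.filter"], r)],
    }


def excluded(users, roles, properties=ABAP_FILTER_PROPERTIES):
    """Entities the filters drop; useful when the initial load looks too small."""
    kept = read_filtered(users, roles, properties)
    return {
        "users": [u for u in users if u not in kept["users"]],
        "roles": [r for r in roles if r not in kept["roles"]],
    }


# Constructed sample data (not from a real system). The role with a leading
# backslash exercises the optional (\\?) group in the role filter.
SAMPLE_USERS = ["S4100-01", "S4100-02", "S4100_TRAIN", "DDIC", "CCAMPBELL", "XS4100"]
SAMPLE_ROLES = ["SAP_BC_BASIS_ADMIN", "\\SAP_BC_ENDUSER", "SAP_ALL",
                "Z_SAP_BC_COPY", "SAP_BC"]

if __name__ == "__main__":
    result = read_filtered(SAMPLE_USERS, SAMPLE_ROLES)
    print("users read :", result["users"])
    print("roles read :", result["roles"])
    print("excluded   :", excluded(SAMPLE_USERS, SAMPLE_ROLES))
```

Note that the filters are anchored at the start only: XS4100 and Z_SAP_BC_COPY are dropped, but anything that begins with the prefix is kept, which is what makes a narrow prefix such as S4100 a safe way to limit the initial load to the training users.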
A dedicated OAuth client in our Neo subaccount is required. Use the following data:
Field          Value
Name           idm_abap
Subscription   sapiam/ipsproxy
ID             idm_abap
a) Create the OAuth client and enter the details from the table.
Note:
Note the ID and Secret as they will be needed during setup in SAP IdM.
Note:
Don't forget to enter the prefix oauth_client_.
Figure 81: Create OAuth Client for the Connection to SAP IdM
6. Import the S/4HANA proxy to SAP IdM and run the initial load.
The process repeats the one from the previous exercise, when we imported the
SuccessFactors proxy system.
a) Using the exported CSV from IPS, click Import within the /idm/admin UI of SAP IdM
and create a new repository. Maintain the auth_user and password, the proxy host and
port and do not forget to change the assignment method from PATCH to PUT.
You should see the loaded users and roles according to the filter in IPS.
8. After a short provisioning cycle, log in to S/4HANA and check your SuccessFactors user in
the SU01 transaction.
a) After a short provisioning cycle, log in again to S/4 HANA. Run the SU01 transaction
and check for the CCAMPBELL username.
You will also see that the requested privilege is assigned as a role in S/4HANA.