
PUBLIC

2024-02-07

Identity Provisioning in SAP Cloud for Customer using System for Cross-Domain Identity Management (SCIM)

© 2024 SAP SE or an SAP affiliate company. All rights reserved.

Content

1 Overview .......... 3
1.1 Business Case .......... 3
1.2 Technical Overview .......... 3
    Systems Involved in Integration between SAP IAS and SAP Cloud for Customer .......... 3
    Systems Involved in Direct Integration between SAP IAG and SAP Cloud for Customer .......... 5

2 Identity Provisioning: IPS-CPI-C4C .......... 7
2.1 Configuration in SAP Identity Provisioning Service .......... 7
2.2 Configuration in Cloud Integration .......... 7
    SCIM Configuration .......... 8
2.3 Configuration in SAP Cloud for Customer .......... 12
2.4 Data Verification in SAP Cloud for Customer .......... 15

4 Appendix .......... 19
4.1 Abbreviations .......... 19

1 Overview

1.1 Business Case

Centrally administered user and access management is key for any customer. It spares the customer from maintaining users separately in multiple systems across a heterogeneous landscape and avoids tedious administrative tasks.

SAP Identity Provisioning Service handles identity provisioning together with the integration flow in SAP Cloud Integration. The SAP Identity Provisioning Service system executes scheduled jobs that read employee/identity data from the source system and provision it to the target system.

1.2 Technical Overview

1.2.1 Systems Involved in Integration between SAP IAS and SAP Cloud for Customer

The Employee/Identity Source system maintains the user or group data. SAP Identity Authentication Service, SAP Identity Access Governance, Employee Central, and others can act as the Employee/Identity Source.

SAP Identity Provisioning Service

Retrieves the required employee/identity details from the source system and transfers them to the target system. It is configured in terms of:

• Source systems
• Target systems
• Proxy systems
• Schedule Jobs
• Job Logs
SAP Cloud Integration

Provides integration flows that parse the request coming from the source system and adjust the payload to the operation, format, and data structure that the target system understands. The SAP Cloud Integration package for Identity Provisioning is:

SAP Cloud for Customer Integration: https://api.sap.com/package/IdentityProvisioninginSAPCloudforCustomerviaSCIM?section=Overview

SAP Cloud for Customer

Receives the provisioning request and applies the updates to the respective user. All recent changes to the user identity are thereby reflected in SAP Cloud for Customer.

1.2.1.1 Integration Scenario

The Identity Provisioning path based on the System for Cross-Domain Identity Management (SCIM) is shown as User Provisioning via SCIM. The SCIM integration provisions identities from an Employee/Identity Source system, such as Employee Central (EC), to a target system such as SAP Cloud for Customer.

The SAP Identity Provisioning Service is central to the integration. Jobs are scheduled in the SAP Identity Provisioning Service system to provision user/group data from the source system to the target system. Parameters such as filters can be set in the source system configuration and are applied during Identity Provisioning through the SAP IPS system.

SAP Cloud Integration orchestrates the data flow from SAP Identity Provisioning Service into the SAP Cloud for Customer structure.

Note: For an alternate integration scenario without SAP IPS, see Systems Involved in Direct Integration between SAP IAG and SAP Cloud for Customer [page 5].

1.2.2 Systems Involved in Direct Integration between SAP IAG and SAP Cloud for Customer

In this scenario SAP Identity Access Governance (SAP IAG), SAP Cloud Integration (SAP CI), and SAP Cloud for Customer are involved.

Systems involved:

• SAP IAG (source)
• SAP CI (middleware)
• SAP C4C (provider)

SAP Cloud Integration

Provides integration flows that parse the request coming from the source system and adjust the payload to the operation, format, and data structure that the target system understands. The SAP Cloud Integration package for Identity Provisioning is:

SAP Cloud for Customer Integration: https://api.sap.com/package/IdentityProvisioninginSAPCloudforCustomerviaSCIM?section=Overview

SAP Cloud for Customer

Receives the provisioning request and applies the updates to the respective user. All recent changes to the user identity are thereby reflected in SAP Cloud for Customer.
1.2.2.1 Integration Scenario

Related Information

3278934 - Identity Provisioning between SAP Cloud for Customer and SAP Cloud Identity Access Governance

2 Identity Provisioning: IPS-CPI-C4C

As part of the Intelligent Enterprise Suite, SAP Cloud Platform Identity Provisioning Service (SAP IPS) can be used to provision identities to all cloud applications.

Typical systems involved are:

• SAP IAS – SAP Identity Authentication Service or another Identity Management system
• SAP IPS – SAP Identity Provisioning Service
• SAP CI – SAP Cloud Integration
• SAP C4C – SAP Cloud for Customer

Configuration in SAP Identity Provisioning Service [page 7]

Configuration in Cloud Integration [page 7]

Configuration in SAP Cloud for Customer [page 12]

Data Verification in SAP Cloud for Customer [page 15]

2.1 Configuration in SAP Identity Provisioning Service

See SAP Cloud Identity Services - Identity Provisioning.

Parent topic: Identity Provisioning: IPS-CPI-C4C [page 7]

Related Information

Configuration in Cloud Integration [page 7]
Configuration in SAP Cloud for Customer [page 12]
Data Verification in SAP Cloud for Customer [page 15]

2.2 Configuration in Cloud Integration

See SCIM Configuration [page 8].

Parent topic: Identity Provisioning: IPS-CPI-C4C [page 7]


Related Information

Configuration in SAP Identity Provisioning Service [page 7]
Configuration in SAP Cloud for Customer [page 12]
Data Verification in SAP Cloud for Customer [page 15]

2.2.1 SCIM Configuration

2.2.1.1 SCIM Endpoints

The artifacts User Replication via SCIM and Group Replication via SCIM use the HTTP adapter on SAP Cloud Integration to process SCIM requests. The base URL (<BASE_URL>) for both resource types has the format:

• <BASE_URL> = <CPI-Runtime-URL>/http/
• Endpoint for user replication: <BASE_URL>/Users/
• Endpoint for group replication: <BASE_URL>/Groups/

2.2.1.2 Supported Operations

Users

• GET
    • Supported queries:
        • Retrieve a user by id: <BASE_URL>/Users/<id>
        • Retrieve all users: <BASE_URL>/Users

        Note: Use a page filter to limit the size of the result, for example <BASE_URL>/Users?startIndex=100&count=25.

        • Paging: <BASE_URL>/Users?startIndex=m&count=n (where m and n can be any positive integers)
    • Supported filters:
        • By username: <BASE_URL>/Users?filter=userName eq: XX25092001
        • By email: <BASE_URL>/Users?filter=email eq [email protected]
        • By employee number: <BASE_URL>/Users?filter=employeeNumber eq: 56910
        • By country code: <BASE_URL>/Users?filter=addresses.country eq "USA"&startIndex=1&count=4 (without pagination the first 100 matching users are returned)
• POST
    • <BASE_URL>/Users/
• PUT
    • <BASE_URL>/Users/<id>
• DELETE
    • <BASE_URL>/Users/<id>

Groups

• PATCH
    Supported operations:
    • Modify the member resource via add and remove operations.
    • Remove all member resources.
    • Remove all existing member resources and add new members.
• PUT
    • Replace all existing member resources with new members.
    • Remove all members.
• GET
    Supported queries:
    • Retrieve a specific group by id: <BASE_URL>/Groups/<id>
    • Retrieve all groups with member assignments: <BASE_URL>/Groups
    • Supported filter attribute: displayName, with the eq: operator only. Example: <BASE_URL>/Groups?filter=displayName eq: SALES_REP
    • Paging: <BASE_URL>/Groups?startIndex=m&count=n (where m and n can be any positive integers)
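The query and paging rules above, as an added example that is not part of the SAP document: a small client helper that builds the documented <BASE_URL>/Users queries and walks the result set page by page, since the document states that an unpaginated query returns only the first 100 matching users. The CPI host name and the in-memory stand-in for the endpoint are constructed placeholders.

```python
"""Build SCIM /Users queries as documented and iterate over all pages.

Added example; BASE_URL is a placeholder for <CPI-Runtime-URL>/http and
make_fake_fetch() is a constructed stand-in for the CPI endpoint.
"""
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://cpi-runtime.example.com/http"  # placeholder host

# A transport: GET url -> parsed SCIM ListResponse (dict)
Fetch = Callable[[str], dict]


def users_query(filter_expr: Optional[str] = None,
                start_index: int = 1, count: int = 25) -> str:
    """<BASE_URL>/Users?filter=...&startIndex=m&count=n (m, n positive)."""
    if start_index < 1 or count < 1:
        raise ValueError("startIndex and count must be positive integers")
    params: Dict[str, str] = {}
    if filter_expr:
        params["filter"] = filter_expr  # e.g. 'addresses.country eq "USA"'
    params["startIndex"] = str(start_index)
    params["count"] = str(count)
    return f"{BASE_URL}/Users?{urlencode(params)}"


def iter_users(fetch: Fetch, filter_expr: Optional[str] = None,
               page_size: int = 25) -> Iterator[dict]:
    """Yield every matching user, always paginating so that no result beyond
    the first 100 is silently dropped. Stops on an empty list response or when
    startIndex + itemsPerPage passes totalResults."""
    start = 1
    while True:
        page = fetch(users_query(filter_expr, start, page_size))
        resources: List[dict] = page.get("Resources", [])
        yield from resources
        total = int(page.get("totalResults", 0))
        got = int(page.get("itemsPerPage", len(resources)))
        if got == 0 or start + got > total:
            return
        start += got


def make_fake_fetch(users: List[dict]) -> Fetch:
    """Constructed stand-in for the endpoint: serves ListResponse pages with
    totalResults, startIndex and itemsPerPage as the document describes."""
    def fetch(url: str) -> dict:
        qs = parse_qs(urlparse(url).query)
        start = int(qs["startIndex"][0])
        count = int(qs["count"][0])
        chunk = users[start - 1:start - 1 + count]
        return {
            "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
            "totalResults": len(users),
            "startIndex": start,
            "itemsPerPage": len(chunk),
            "Resources": chunk,
        }
    return fetch


if __name__ == "__main__":
    # Constructed sample: 130 users, more than one unpaginated query returns.
    sample = [{"id": str(i), "userName": f"USER{i:04d}"} for i in range(1, 131)]
    print(sum(1 for _ in iter_users(make_fake_fetch(sample), page_size=25)))
```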

2.2.1.3 Expected Response with Status Code

Users

Method POST

Expected Status Code | Request | Expected Response | Additional notes
201 | Request body has all required and additional supported attributes | Created user and its attributes | The Location header contains the URL of the newly created resource
400 | Request body is missing a required attribute | SCIM-compliant error response body | For the SAP Cloud for Customer SCIM adapter the mandatory attributes are userName (max. 40 characters) and familyName
409 | Request body creates a user with a duplicate unique attribute (all unique attributes are checked) | SCIM-compliant error response body | userName and the custom attribute employeeNumber (if available) must be unique

Method GET

• /Users:

Expected Status Code | Request | Expected Response | Additional notes
200 | Any query | If users are present, they're returned along with totalResults; if no users are present, an empty list is returned | startIndex and itemsPerPage are additionally returned if the SCIM API query contains pagination

• /Users/<user_id>: Get single user

Expected Status Code | Request | Expected Response | Additional notes
200 | The specified user exists | Returned user |
404 | The specified user doesn't exist or is deleted | No response body |

Method PUT

(/Users/<user_id>)

Expected Status Code | Request | Expected Response | Additional notes
200 | The specified user exists | Returned user | Except for userName and the custom attribute employeeNumber (if available), all other attributes can be updated
404 | The specified user doesn't exist or is deleted | No response body |

Method DELETE

(/Users/<user_id>)

Expected Status Code | Request | Expected Response | Additional notes
204 | The specified user exists | No response body |
404 | The specified user doesn't exist | No response body |

Groups

Method POST

Expected Status Code | Request | Expected Response | Additional notes
501 | Any | Not Implemented | Creation of groups from outside the SAP Cloud for Customer system isn't supported

Method DELETE

Expected Status Code | Request | Expected Response | Additional notes
501 | Any | Not Implemented | Deletion of groups isn't allowed from outside the SAP Cloud for Customer system

Method GET

• /Groups:

Expected Status Code | Request | Expected Response | Additional notes
200 | Any query | If groups are present, they're returned along with totalResults and their current members; if no groups are present, an empty list is returned | startIndex and itemsPerPage are returned if the SCIM API query contains pagination

Assignment to the Groups

• /Groups/<group_id>: Get single group

Expected Status Code | Request | Expected Response | Additional notes
200 | The specified group exists | SCIM-compliant Group resource with members |
404 | The specified group doesn't exist | SCIM-compliant error response body |
400 | Request contains an invalid group-id | SCIM-compliant error response body |
Method PUT

• (/Groups/<group_id>)

Expected Status Code | Request | Expected Response | Additional notes
200 | The specified group exists | Updated group details along with current member assignments | If an empty member array is sent, the group is updated by removing all currently assigned members
404 | The specified group/member doesn't exist | No response body |
400 | Invalid request body | No response body |

Method PATCH

• (/Groups/<group_id>)

Expected Status Code | Request | Expected Response | Additional notes
200 | Group exists; operations add and remove are supported | Updated group details along with current member assignments | A combination of multiple add/remove operations is supported
404 | Group or member doesn't exist | No response body |
400 | Invalid payload body | No response body |
409 | Reassigning an already existing member | No response body |

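The response codes tabulated above, as an added example that is not part of the SAP document: client-side checks that mirror the documented 400/409 conditions for POST /Users, and a builder for the PATCH /Groups/<group_id> body that only adds members not yet assigned (409 otherwise) and only removes members that are assigned (404 otherwise). Assumptions: familyName is read from the SCIM core name.familyName, employeeNumber is looked up at top level or under the enterprise extension schema (the document only calls it a custom attribute), and the PatchOp shape follows RFC 7644.

```python
"""Pre-flight validation for POST /Users and a minimal-diff PATCH for groups.

Added example; the attribute locations for familyName and employeeNumber are
assumptions, as the SAP document does not give schema paths.
"""
from typing import Dict, Iterable, List, Optional, Set

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USERNAME_MAX = 40  # documented limit for the C4C SCIM adapter


def employee_number(user: dict) -> Optional[str]:
    """Assumed location of the custom attribute; None if absent."""
    return user.get("employeeNumber") or user.get(ENTERPRISE, {}).get("employeeNumber")


def validate_new_user(body: dict, existing: Iterable[dict]) -> List[str]:
    """Return the problems that would make POST <BASE_URL>/Users/ answer
    400 (missing or oversized mandatory attribute) or 409 (duplicate
    userName / employeeNumber). An empty list means the body may be sent."""
    problems: List[str] = []
    user_name = body.get("userName")
    if not user_name:
        problems.append("400: userName is mandatory")
    elif len(user_name) > USERNAME_MAX:
        problems.append(f"400: userName exceeds {USERNAME_MAX} characters")
    if not body.get("name", {}).get("familyName"):
        problems.append("400: familyName is mandatory")
    emp = employee_number(body)
    for other in existing:
        if user_name and other.get("userName") == user_name:
            problems.append(f"409: userName {user_name!r} already exists")
        if emp and employee_number(other) == emp:
            problems.append(f"409: employeeNumber {emp!r} already exists")
    return problems


def group_membership_patch(current: Set[str], desired: Set[str]) -> dict:
    """Build the PATCH body that moves a group from `current` to `desired`
    member ids. Already-assigned members are not re-added and unassigned
    members are not removed, so the adapter never sees a 409/404 case."""
    ops: List[Dict] = []
    to_add = sorted(desired - current)
    to_remove = sorted(current - desired)
    if to_add:
        ops.append({"op": "add", "path": "members",
                    "value": [{"value": member_id} for member_id in to_add]})
    for member_id in to_remove:
        ops.append({"op": "remove", "path": f'members[value eq "{member_id}"]'})
    return {"schemas": [PATCH_OP], "Operations": ops}


if __name__ == "__main__":
    # Constructed sample data using the document's own example values.
    existing = [{"userName": "XX25092001", ENTERPRISE: {"employeeNumber": "56910"}}]
    candidate = {"userName": "XX25092001", "name": {"familyName": "Doe"},
                 "employeeNumber": "56910"}
    for problem in validate_new_user(candidate, existing):
        print(problem)
    print(group_membership_patch({"u1", "u2"}, {"u2", "u3"}))
```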
2.3 Configuration in SAP Cloud for Customer

Configure Single Sign-On

To enable Single Sign-On (SSO) for the replicated users from the IAS/IPS bundle to the SAP Cloud for Customer
tenant, do the following:

1. Navigate to the work center view and go to Administrator > Common Tasks > Configure Single Sign-On > Identity Provider.
2. In the Trusted Identity Provider section, select the IAS tenant.
3. Click Actions and select Set to Default.
Set Up Communication System

1. Navigate to the work center view and go to Administrator > General Settings.
2. Go to Integration and choose Communication Systems.
3. To define the communication system, choose New and create the following settings:

Field | Value | Comment
ID | Enter System ID |
SAP Business Suite | No |
Host Name | Enter SAP CPI system URL |
System Access Type | Internet |
Internal Comment | | Optional
System Instance ID | Enter System ID |
Preferred Application | 5-Web Service |

4. Maintain the person responsible for system maintenance under Contact.
5. Choose Save and then choose Actions > Set to Active.
6. Choose Close.

Configure Communication Arrangements

1. Navigate to the work center view Administrator > General Settings.
2. Go to Integration and choose Communication Arrangement.
3. Choose New to create a communication arrangement.
4. In the communication scenario table, select the communication scenario OData Services for Business Objects.
5. Choose Next.
6. Choose the system instance ID from the value help. To see the Communication System ID, refer to Set Up Communication System.
7. Go to Inbound Communication Basic Settings.
8. Select the Authentication Method User ID and Password.
9. In the Services Used section, select the OData services employeeanduser and identitybusinessrole.
10. Choose Next and Finish.
11. Choose Close.

Parent topic: Identity Provisioning: IPS-CPI-C4C [page 7]

Related Information

Configuration in SAP Identity Provisioning Service [page 7]
Configuration in Cloud Integration [page 7]
Data Verification in SAP Cloud for Customer [page 15]
2.4 Data Verification in SAP Cloud for Customer

SAP Cloud for Customer Administration

Administrators can verify the replicated information under the Administrator work center, in the General Settings work center view, which provides links to Business User and Business Role.

Business User

The Business User screen shows the combination of user information and Business Role access information.

• In the General Settings work center view, click the Users icon.
• Select Business Users from the multiple user types listed under this icon.
• The business user information is listed as shown.
• In the search area, enter the username part of the role assignment.

Business Roles

The Business Roles screen shows the different business roles configured in the system, depending on the type of activity handled by business users. It allows you to assign different work centers and work center views in order to manage different business roles as per customer requirements.

• In the General Settings work center view, there's an icon named Users.
• Select Business Roles from the multiple user types listed under this icon.
• The business role information is listed as shown.
• In the search area, enter the business role name.

Assignment of Business Role to Business Users

Follow these steps to evaluate the assignment of the business role that defines the user's authorization in SAP Cloud for Customer.

• Open the replicated business user for which business role assignment replication is executed.
• Click the down arrow next to Edit.
• Select Access Rights from the listed actions.
• The Business Role Assignment tab shows the Business Role assignment information for an individual business user.

Parent topic: Identity Provisioning: IPS-CPI-C4C [page 7]

Related Information

Configuration in SAP Identity Provisioning Service [page 7]
Configuration in Cloud Integration [page 7]
Configuration in SAP Cloud for Customer [page 12]
3 FAQs

4 Appendix

4.1 Abbreviations

A list of abbreviations used in this document:

• SCIM – System for Cross-Domain Identity Management
• C4C – Cloud for Customer
• IPS – Identity Provisioning Service
• IAS – Identity Authentication Service
• IAG – Identity Access Governance
• CI – SAP Cloud Integration

Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

• Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this:
    • The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
    • SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
• Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering an SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Videos Hosted on External Platforms

Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within the control or responsibility of SAP.

Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental features in a live operating environment or with data that has not been sufficiently backed up.

The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code

Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Bias-Free Language

SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities, genders, and abilities.

www.sap.com/contactsap

© 2024 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see https://www.sap.com/about/legal/trademark.html for additional trademark information and notices.
