Companies are increasingly sourcing software solutions from the cloud instead of providing them on-premise on their own servers. This has significant consequences for user and authorization processes. They must also work for cloud solutions and reliably map the increasingly complex IT landscapes.
SAP also provides new, innovative functionalities preferentially for its cloud offerings. It is striking that the strategy is not geared to mapping existing on-premise solutions one-to-one in the cloud. Instead, SAP is creating a kind of construction kit of services from which companies can then select the elements they need individually. This also applies to the solutions for identity management, single sign-on and access control, as a closer look at the current portfolio makes clear.
In the “Secure Access” product family, SAP Identity Authentication Service (IAS) is the almost congruent counterpart to the on-premise variant SAP Single Sign-On. It enables simple SAML 2.0-supported authentication against cloud systems. In the “Manage users and permissions” product family, on the other hand, the scenario is more differentiated. Here, there is no really suitable counterpart to the on-premise solutions SAP Identity Management (SAP IdM) and SAP Access Control. However, SAP Identity Provisioning (IPS) and SAP Cloud Identity Access Governance (IAG) cover at least some of the functionality.
SAP IPS is used to push users from a source to a target, transforming attributes. It is about performing the right actions to create, modify and delete users. SAP IAS runs in the background and is executed during login actions. The service represents the central point for logins and trust between systems. SAP IAG covers functionalities that SAP Access Control holds in the area of risk assessment on the on-premise side. In addition, this service will likely take over identity management workflow functionalities in the future.
At this point in time, SAP does not offer a pure IdM solution in the cloud, but pursues a hybrid strategy – and that is a good thing. SAP Identity Management handles complex workflows on-premise and then transfers them to the cloud via various interfaces. Since both on-premise and the cloud are currently central worlds and have their respective justification, it is only logical to provide both worlds with hybrid scenarios in the best possible way. Already today, there are many integration possibilities between different cloud services and on-premise products. Since SAP is investing heavily in this area, further functionalities are probably only a matter of time.
Systems on cloud platforms can be activated as a proxy system and used directly in identity management to transparently provision or remove users. SAP IAG uses the provisioning service to perform the risk assessment. Here it becomes clear once again that there will be fewer fixed products in the cloud, but rather a range of services that perform specific tasks and can be easily combined with each other. The combination of such services ultimately leads to a solution that covers the functionalities of a previous on-premise variant.
SAP IPS also supplies non-SAP systems. The service offers various use cases, i.e., scenarios that can be covered with it. One such exemplary use case is the synchronization of data from Microsoft Azure and subsequent distribution to various target systems through SAP IPS. The on-premise solution SAP Identity Management can be connected to SAP IPS, which in this case acts as a proxy.
Source systems, target systems and proxy systems are mapped in SAP IPS. Since this is a technical tool, the user interfaces are kept functional. New users can be created in the Microsoft Azure Active Directory. The provisioning service has various subareas that map the source system.
Attributes are transformed from the source system to the attribute names of the target systems
Here the settings for the source system are made. It is important to set the correct attributes
A job must be started to finally import the system.
The same sub-areas can be found in the target system:
The source attributes are read, buffered in an intermediate attribute and written to the correct target attribute.
To be able to write to the target system, the user must also make the correct settings there.
After the job is started in the source system, the data is read. In our case study, SAP IPS reads data from Azure Active Directory. When writing to the target system, the provisioning service uses delta mechanisms to calculate whether users have changed, new users have been added or users are to be deleted. In the target systems, it is possible to determine in which source systems changes should be reacted to. The job log in SAP IPS provides an overview of the activities.
Especially the transformations are a powerful part of the provisioning service, because they can theoretically be misused for manipulations in the attributes. Rule-based role or group orders can be written. For example, a group from the source system can be assigned a specific role in the target system.
SAP IPS is a comprehensive tool. More functionalities are added every month. The real complexity of the provisioning service only becomes apparent in the details: When connecting a new system, the settings must be correct. The transformations map logic that exists in on-premise IdM for moving attributes back and forth. IT professionals are needed to navigate these aspects. They are concerned with what the data looks like and how it needs to be transformed so that systems are able to process it in an automated way.
Presumably, SAP IPS will remain a cloud service in the context of a connector and will not become a fully comprehensive IdM solution as known from the on-premise world. The provisioning service receives data, modifies it so that other systems can do something with it, and passes it on to the target system. This is therefore a pure data transformation.
According to SAP, SAP IAG will not remain a pure tool for risk assessment, but will also be equipped with certain IdM functionalities. And SAP IAS will continue to do what the service already does today: take care of authentication. It will be used to start workflows and access requests that are then distributed via SAP IPS.
The Customer Data Cloud is not yet integrated into the three products IAS, IPS and IAG. However, it can be assumed that this integration will take place in the future. This would enable SAP to manage customer data centrally in the sense of customer identity management. The Customer Data Cloud can be used to map B2C and, to some extent, B2B scenarios, i.e., to perform central login processes or attribute mappings, for example.
In 2024, the current IdM version will be phased out of maintenance. So far, however, it appears that support will be extended. At the same time, SAP is pushing ahead with plans for the future of the IdM landscape. It is a fact that identity management will shift even more to the cloud and hybrid scenarios will play an important role. Overall, the topics of user management, authorizations and security enjoy a high priority at SAP. It is less a question of the fate of individual solutions and more a question of aligning the general strategy to coherently combine various services and solutions in the sense of a larger whole.