Episode #226
Introduction
In episode 226 of our SAP on Azure video podcast we have Martin Raepple with us again – and this means authentication, principal propagation and identity management. A few months ago Martin published a blog post about Identity and Access Management with Microsoft Entra and how to manage access to SAP BTP. Now he has published part 2, in which he extends the cloud-only scenario to a hybrid identity setup that requires managing the user lifecycle across Microsoft Active Directory, Microsoft Entra, SAP BTP, SAP CIS, and an on-premise SAP system.
Find all the links mentioned here: https://www.saponazurepodcast.de/episode226
Reach out to us for any feedback / questions:
- Robert Boban: https://www.linkedin.com/in/rboban/
- Goran Condric: https://www.linkedin.com/in/gorancondric/
- Holger Bruchelt: https://www.linkedin.com/in/holger-bruchelt/
#Microsoft #SAP #Azure #SAPonAzure #SAPIDM #Identity #Authentication #MSEntra
Summary created by AI
Generated by AI. Be sure to check for accuracy.
Meeting notes:
- Introduction of Martin Raepple: Holger introduced Martin Raepple, who has been with Microsoft for five years after spending 15 years at SAP. Martin is currently a technical program manager focusing on SAP and Microsoft collaboration, particularly in identity management and migration to Microsoft Entra.
- SAP Identity Management End of Life: Martin discussed the announcement made by SAP in 2024 about discontinuing maintenance of their SAP Identity Management product by 2027, with an extended maintenance option until 2030. This has led to a close collaboration between SAP and Microsoft to help customers migrate to Microsoft Entra for identity management scenarios.
  - End of Life Announcement: In 2024, SAP announced at the DSAG Technology Days event that it would discontinue maintenance of its SAP Identity Management product by 2027, with an extended maintenance option until 2030.
  - Customer Impact: This announcement caused significant concern within the SAP community, prompting customers to seek guidance on how to manage the transition.
  - Collaboration with Microsoft: In response, SAP announced a close collaboration with Microsoft to help existing SAP Identity Management customers migrate to Microsoft Entra for their identity management needs.
- Integration of Microsoft Entra and SAP: Martin explained the integration between Microsoft's Entra portfolio and SAP's identity and access management solutions, including SAP Cloud Identity Services, SAP Identity Access Governance, and SAP Access Control. The collaboration aims to deepen the integration and provide a seamless experience for customers.
  - Integration Goals: The goal of the integration is to deepen the collaboration between Microsoft's Entra portfolio and SAP's identity and access management solutions to provide a seamless experience for customers.
  - Microsoft Entra Components: On the Microsoft side, the integration focuses on Entra ID Governance, which handles identity and access lifecycle management, including workflows and approval processes.
  - SAP Components: On the SAP side, the integration involves SAP Cloud Identity Services, SAP Identity Access Governance, and SAP Access Control, which manage identity and access for both cloud and on-premise solutions.
  - Existing Solutions: There are already existing solutions, such as the integration between Entra and SAP SuccessFactors, which will be further enhanced through this collaboration.
- Blog Post Series on Identity Management: Martin shared that he started a blog post series to provide guidance on specific identity management scenarios. The first part, published in September, focused on a cloud-only scenario, while the second part, published recently, covers user provisioning in a hybrid scenario.
  - Blog Series Purpose: Martin started a blog post series to provide detailed guidance on specific identity management scenarios, addressing common customer questions and needs.
  - Part One Focus: The first part of the series, published in September, focused on a cloud-only scenario, detailing the integration between Entra ID and SAP Cloud Identity Services without user provisioning.
  - Part Two Focus: The second part, published recently, covers user provisioning in a hybrid scenario, addressing the need for user accounts in local directories for certain SAP applications.
- User Provisioning Scenario: Martin detailed a user provisioning scenario where a new user is created in the corporate Active Directory and synchronized to Microsoft Entra. The user is then provisioned to SAP systems and Microsoft 365 applications based on their department and company attributes.
  - Scenario Overview: Martin described a scenario where a new user is created in the corporate Active Directory, synchronized to Microsoft Entra, and then provisioned to SAP systems and Microsoft 365 applications based on department and company attributes.
  - Steps Involved: The process involves creating the user in Active Directory, synchronizing the user to Entra, assigning the user to appropriate groups based on attributes, and provisioning the user to SAP and Microsoft 365 applications.
  - Technical Details: Technical details include the use of the cloud sync provisioning agent, access packages in Entra, and the integration with SAP Cloud Identity Services and the SAP backend system.
- Access Packages in Microsoft Entra: Martin explained the use of access packages in Microsoft Entra to automate user assignment to groups and permissions. Access packages are similar to business roles in SAP Identity Management and help streamline the provisioning process.
  - Access Packages Purpose: Access packages in Microsoft Entra are used to automate the assignment of users to groups and permissions, streamlining the provisioning process.
  - Comparison to SAP: Access packages are similar to business roles in SAP Identity Management, which also group technical resources and permissions for users.
  - Policy Configuration: Policies within access packages define the rules for auto-assigning users based on attributes such as company name and department, ensuring users receive the correct permissions.
- Enterprise Application Configuration: Martin demonstrated the configuration of an enterprise application in Microsoft Entra that represents the SAP Cloud Identity Services tenant. This application handles user provisioning and attribute mapping, ensuring that users have the necessary attributes for single sign-on and other access requirements.
  - Application Setup: Martin demonstrated setting up an enterprise application in Microsoft Entra, representing the SAP Cloud Identity Services tenant, to handle user provisioning and attribute mapping.
  - User and Group Assignment: The enterprise application is assigned to specific user groups, ensuring that only users in those groups are provisioned to SAP Cloud Identity Services.
  - Attribute Mapping: Attribute mapping within the enterprise application includes transforming and mapping user attributes, such as the SNC mapping for single sign-on, to ensure users have the necessary access requirements.
- Cloud Identity Services and SAP Integration: Martin showed the integration between SAP Cloud Identity Services and the SAP backend system using the cloud connector. He explained the setup of destinations and the necessary credentials for provisioning users to the SAP system.
  - Integration Overview: Martin demonstrated the integration between SAP Cloud Identity Services and the SAP backend system using the cloud connector, which facilitates secure communication and user provisioning.
  - Destination Setup: The setup involves configuring destinations in the SAP Cloud Identity Services tenant to connect to the SAP backend system through the cloud connector, specifying details such as system ID and instance number.
  - Credentials Management: Credentials for a technical user with the necessary authorizations are required to allow the provisioning service to perform user management operations in the SAP backend system.
- User Provisioning Process: Martin walked through the user provisioning process, including the synchronization of users from Microsoft Entra to SAP Cloud Identity Services and then to the SAP backend system. He highlighted the importance of maintaining attribute mappings and ensuring proper authorization management.
  - Provisioning Steps: Martin detailed the steps involved in the user provisioning process, starting from synchronization in Microsoft Entra, passing through SAP Cloud Identity Services, and finally provisioning to the SAP backend system.
  - Attribute Mapping: Maintaining accurate attribute mappings is crucial for ensuring that users have the correct access and permissions in the SAP backend system.
  - Authorization Management: Proper authorization management involves assigning users to appropriate roles and groups, ensuring they have the necessary permissions to perform their tasks in the SAP system.
- Successful User Provisioning: Martin confirmed the successful provisioning of the user Tina Test from Microsoft Entra to the SAP backend system. The user was created in the SAP system with the necessary SNC mapping for single sign-on, demonstrating the effectiveness of the provisioning process.
  - Provisioning Confirmation: Martin confirmed that the user Tina Test was successfully provisioned from Microsoft Entra to the SAP backend system, with all necessary attributes and mappings in place.
  - SNC Mapping: The SNC mapping for single sign-on was correctly created, allowing Tina Test to securely access the SAP system using her credentials.
Follow-up tasks:
- Identity and Access Management with Microsoft Entra, Part I: Managing access to SAP BTP
- Identity and Access Management with Microsoft Entra, Part II: Provisioning to BTP and S/4HANA
- CIO Guide: Identity Lifecycle in SAP Landscapes
- Identity Access Management Reference Architectures in 2024
- Migrate identity management scenarios from SAP IDM to Microsoft Entra
- Microsoft Entra ID Governance - Interactive Guides
- Microsoft Entra ID Governance
- Automate onboarding & offboarding tasks with Microsoft Entra | Identity Lifecycle Management
- #203 - The one with SAP IDM and Entra ID (Jannis Rondorf, Chris Radkowski, Mark Wahl, Martin Raepple)
- Get started with Microsoft Security
- Tutorial: Configure SAP Cloud Identity Services for automatic user provisioning
- SAP Help - Microsoft Entra ID
- 0:00 Intro
- 1:15 Introducing Martin Raepple
- 3:00 SAP IDM End-of-Maintenance in 2027
- 4:50 Expansion of Microsoft-SAP partnership
- 7:20 Blog post series on SAP IDM to Entra Migration scenarios
- 10:45 SAP Reference Architecture with Microsoft Entra for Identity Lifecycle Management
- 12:10 What do we cover today?
- 13:25 User Provisioning in a hybrid environment
- 22:45 Demo - create the new user Tina Test in Active Directory
- 27:40 Cloud sync - Cloud provisioning agent
- 28:30 Identity Governance - Access packages
- 30:40 Enterprise Application - SAP Cloud Identity Services
- 37:20 Manually add group to Tina Test
- 38:40 Cloud Connector Destination on BTP
- 40:30 Cloud Identity Services
- 44:10 Cloud Connector on-prem
- 45:45 User Tina Test on Identity Service
- 51:50 Tina in the SAP Backend system