In this blog I will go through the steps to integrate IAG with IAS.

SAP Cloud Identity Access Governance is a cloud-based service for creating self-service requests to applications for on-premise and cloud source applications and systems. By connecting to the SAP Cloud Identity Access Governance solution, it enables Identity Authentication users to initiate access requests, which are then provisioned to target applications.

Prerequisite: IAG administrator, IAS & IPS administrator access, or knowledge of IAS & IPS, is preferred for this setup.

Make sure you have completed the initial setup for IAG (IAS and IPS enablement) in IAG before following the steps below.

Process Overview

There are four overall steps to enable integration between Identity Authentication Service (SAP IAS) and the SAP Cloud Identity Access Governance solution and its services:

  1. Connect Identity Provisioning with IAG
  2. Create Proxy System for IAS in the IPS
  3. Create an instance for Cloud Foundry in the IAG
  4. Run the repository synch job to sync user data and provision access requests.

1. Connect Identity Provisioning with IAG

The following step applies when an Identity Provisioning bundle tenant was created or updated on the SAP Cloud Identity (SCI) platform for use with SAP Cloud Identity Access Governance.

The URL for Identity Provisioning is as follows:

https://UNIQUEID.accounts.ondemand.com/ips

  1. Log in to IAS, go to Users & Authorizations > Administrators, add a System user and grant it the Access Proxy System API access. Note down the Client ID and Secret (once the Secret is generated, you cannot retrieve or change it).

  2. Log in to the IAG BTP subaccount and create a destination with the name IPS_PROXY as shown in the table below.

  3. Enter the properties listed in the table below for the destination. All properties must be entered. Some properties must be added as Additional Properties. Copy the names of all properties as displayed. Property names and values are case sensitive.

  4. Check the Use default JDK truststore checkbox.

  5. Save your entries. You can test the destination in the BTP Cockpit. However, the URL does not point to a valid API for Identity Provisioning, so the check shows a green status but returns HTTP 301 or similar.

Property        Value
Name            IPS_PROXY
Type            HTTP
Description     IPS Destination
URL             https://<<YOUR_IPS_URL_BUT_WITHOUT_THE__ips>> (for example: https://UNIQUEID.accounts.ondemand.com)
Proxy Type      Internet
Authentication  BasicAuthentication
User            <<CLIENT_ID_FROM_STEP_1_ABOVE>>
Password        <<SECRET_FROM_STEP_1_ABOVE>>
Accept          application/scim+json
GROUPSURL       /Groups
serviceURL      /ipsproxy/service/api/v1/scim/
USERSURL        /Users
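
To catch the usual mistakes before saving the destination (a property name in the wrong case, /ips left on the URL, a placeholder left in the secret), the check below compares a destination definition with the table above. It is an added example, not SAP code or part of the original post. It assumes the destination is available as key=value text, with ProxyType spelled as in the proxy system properties later in this post; the function names and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Property names and fixed values from the IPS_PROXY table; None = tenant-specific value.
EXPECTED = {
    "Name": "IPS_PROXY", "Type": "HTTP", "Description": None, "URL": None,
    "ProxyType": "Internet", "Authentication": "BasicAuthentication",
    "User": None, "Password": None, "Accept": "application/scim+json",
    "GROUPSURL": "/Groups", "serviceURL": "/ipsproxy/service/api/v1/scim/",
    "USERSURL": "/Users",
}

def parse_properties(text):
    """Parse key=value lines (assumed input format); skip blanks and # comments."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_destination(props):
    """Return a list of findings; an empty list means the definition matches the table."""
    findings = []
    lowered = {k.lower(): k for k in props}
    for name, fixed in EXPECTED.items():
        if name not in props:
            near = lowered.get(name.lower())
            hint = f" (found '{near}': names are case sensitive)" if near else ""
            findings.append(f"missing property {name}{hint}")
        elif not props[name]:
            findings.append(f"{name} is empty")
        elif fixed is not None and props[name] != fixed:
            findings.append(f"{name} must be exactly '{fixed}', got '{props[name]}'")
    url = urlsplit(props.get("URL", ""))
    if props.get("URL") and url.scheme != "https":
        findings.append("URL must use https: Basic credentials are sent on every call")
    if url.path.rstrip("/").lower().endswith("/ips"):
        findings.append("URL must not end in /ips")
    for name in ("User", "Password"):
        if "<<" in props.get(name, ""):
            findings.append(f"{name} still contains a placeholder")
    return findings

# Constructed sample with three mistakes: /ips on the URL, lower-case usersurl, placeholder secret.
SAMPLE = "\n".join([
    "Name=IPS_PROXY", "Type=HTTP", "Description=IPS Destination",
    "URL=https://UNIQUEID.accounts.ondemand.com/ips", "ProxyType=Internet",
    "Authentication=BasicAuthentication", "User=example-client-id",
    "Password=<<SECRET>>", "Accept=application/scim+json", "GROUPSURL=/Groups",
    "serviceURL=/ipsproxy/service/api/v1/scim/", "usersurl=/Users",
])
print("\n".join(check_destination(parse_properties(SAMPLE))))
```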

2. Create Proxy System for IAS in the IPS

You need to create a proxy system to enable the Identity Authentication service to connect with the IAG subaccount. Before creating the proxy system, set up the technical user (of type System) in Identity Authentication and assign this user the necessary authorizations.

2.1) How to create a technical user in IAS?

  • In SAP Cloud Identity Services admin console, navigate to Users & Authorizations > Administrators.
  • Add an administrator user of type System and configure the basic authentication method for this user.

Note down the Client ID and Secret of the system user once it is created.

2.2) Create a Proxy System

  1. Open your Identity Provisioning Launchpad.

  2. Copy the external system ID and use it to set up the Cloud Foundry instance in the Systems app.

  3. Add a proxy system for IAS and choose Save. The Type should be Identity Authentication.

    Type Identity Authentication
    System Name <Free text>
    Destination Name
    Description <Free text>
  4. Enter the properties as shown in the table below.

    Type=HTTP

    Authentication=BasicAuthentication

    ProxyType=Internet

    URL= Specify the URL of the Identity Authentication tenant of your company.

              For example: https://mytenant.accounts.ondemand.com

    User=<<CLIENT_ID_FROM_STEP_2.1_ABOVE>>

    Password=<< SECRET_FROM_STEP 2.1_ABOVE>>

    ias.api.version=2

    ias.support.patch.operation=true

    ips.trace.failed.entity.content=false

3. Create an instance for IAS in the IAG

  1. Log into the SAP Cloud Identity Access Governance launchpad and open the Application app.

  2. Create a system for IAS. For System Type, select IAS.

  3. Enter the external system ID mentioned in step 2.2 in the section Create Proxy system and Save.

4. Run the repository synch job to sync user data and provision access requests.

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category dropdown list, schedule the following jobs:

  • Repository Sync to synchronize the relevant data from Identity Authentication.
  • In the System Type dropdown list, select Identity Authentication V2.
  • In the System dropdown list, select the configured Identity Authentication V2 system.

Note:

If you are using IAG Standard edition and users are maintained in the IAS group IAG_WF_MANAGER, then they can be selected as managers in the access request.

But if a user’s manager is directly maintained in ‘Employee Information’ – ‘Manager’, then it is not automatically retrieved in the access request.

Example: The user TESTUSER has user MANAGER maintained as a manager. But MANAGER is not automatically populated in the manager field of the access request.

If managers are assigned manually to users in IAS, IAS needs to be set as the User Source in IAG, and the repository sync job needs to be run against IAS to retrieve user information such as email address and the employee’s manager. Follow the steps below to make IAS the user source:

  • Maintain IAS system in IAG in System app.
  • Open the Configuration app and in Application Parameters, enter the IAS system under the Parameter Value for the UserSource.
  • Run the repository sync against IAS
  • Run the SCI User group sync

Conclusion

These steps complete the integration of IAS with IAG. Please check help.sap.com for SAP Cloud Identity Access Governance for more detailed documentation on how to integrate IAS with IAG.

 


Note: Please share your feedback or thoughts in a comment below or ask questions in the Q&A tag area here about SAP Cloud Identity Access Governance.

Sara Sampaio

Author Since: March 10, 2022
