How One Identity can support SAP environments

In part two of this blog series, we will look at how One Identity can support SAP environments from an Identity and Access Management (IAM) perspective. As SAP Identity Management (IDM) reaches its end-of-maintenance, customers will need to explore alternatives for their identity management landscapes. Here is a list of some key elements to consider.

1. Embracing industry standards 

SAP Cloud Identity Services form the core of SAP’s IAM strategy, relying on industry standards such as Security Assertion Markup Language (SAML), OpenID Connect (OIDC), X.509 certificates and System for Cross-Domain Identity Management (SCIM). Any identity management solution considered should have strong support for these protocols and integrate easily with SAP Cloud Identity Services.

2. On-premises workload support 

Given the diverse adoption levels and significant on-premises footprints among SAP IDM customers, strong support for on-premises workloads is a critical capability. Customers should also ensure that integration with SAP solutions is using supported and certified integration methods.

3. Migration expertise 

Customers should look for partners with experience in migration from SAP IDM to the partner's solution, either through the partner’s professional services or through their network of partners. 

Selecting a migration partner 

Customers should look for partners with experience in migration from SAP IDM to the partner’s solution, either through the partner’s professional services or through their network of partners.

  • Market research and analysis 
  • Vendor demonstrations 
  • Vendor meetings 
  • A live proof of concept 
  • SAP IDM migration concepts  

The best solution: One Identity 

Following thorough evaluation, One Identity emerged as a leading SAP partner and software vendor, endorsed by customer feedback and backed by SAP-dictated POC criteria. Here’s why One Identity is such a strong SAP partner:

  1. One Identity Manager proved all use cases for both ABAP- and SCIM-based connectivity scenarios.
  2. One Identity Manager has a long track record of support for ABAP workloads using a certified connector, support for Cloud Identity with SCIM, and a broad network of partners with experience both in SAP solutions and with One Identity deployments. 
  3. The One Identity Manager solution can manage the identity lifecycle of SAP users through the certified SAP Connector for ABAP-based SAP systems. Due to the deep integration and the resulting SAP expertise, customers can be supported not only in managing their SAP accounts on different SAP systems, either directly or indirectly via a CUA, but also in license measurement. It can assign accounts as well as the necessary SAP licenses, supporting customers in licensing SAP users. The certified connector of One Identity Manager is also able to synchronize HR data from an SAP HCM system. Current developments are constantly considered and adopted, so that One Identity Manager is aware of the business partner concept in a modern S/4HANA instance and fully supports it.

One Identity has several supported methods for interoperating with SAP products, including certified ABAP and SCIM connectors.

One Identity Manager can be deployed in the cloud or on-premises in a variety of ways.

The following set of graphics will show an S/4 HANA system being connected to One Identity’s IGA solution.

Figure 1: An S/4 HANA system is selected. 

Figure 2: Appropriate clients are selected.

Figure 3: Within One Identity Manager, the SAP ABAP connector is selected.

Figure 4: The appropriate data model is selected. (Note: although R/3 is designated, S/4 is supported.) 

Figure 5: One Identity Manager synchronizes client-specific data as well as system-specific information. The screenshot below shows the list of clients on this SAP S/4HANA system.

Figure 6: One Identity Manager’s target system browser allows live browsing of the connected system. The list of SAP users and their details is shown below.

Figure 7: The ABAP connector provides deep-level attribute mapping, as well as the ability to map custom attributes.

Figure 8: Once the S/4 HANA system has been successfully connected and the appropriate client(s), users and attributes have been mapped, the data model is synchronized into One Identity Manager. The screenshot shows the system overview with the SAP clients.

Figure 9: Once the S/4 HANA system has been successfully connected and the appropriate client(s), users and attributes have been mapped, the data model is synchronized into One Identity Manager. This shows the details of one specific synchronized client.

Figure 10: A User’s SAP roles are synchronized.

Figure 11: All SAP S/4 HANA clients that were selected for synchronization are viewable.

Figure 12: User information for each SAP S/4 HANA client is synchronized.

Figure 13a: Changes made in One Identity Manager can be reflected back into S/4.

Figure 13b: Changes made in One Identity Manager can be reflected back into S/4.

Integration with SAP NetWeaver AS Java 

SAP systems based on SAP NetWeaver Application Server Java (AS Java), such as SAP IDM, can be connected via custom integration and the User Management Engine (UME). The UME provides an abstraction layer, via persistence adapters, to different data sources for user and authorization management on a NetWeaver Application Server Java, which allows Java-based applications to be secured. One Identity Manager uses the SPML interface to support the identity lifecycle on these systems.

Compliance management 

With the Compliance add-on for SAP, One Identity Manager has its own engine for checking compliance rules and monitoring regulatory requirements, which can be integrated with SAP GRC. Auditors’ rule sets can be implemented in it, and rule violations can be handled automatically. The rule sets used for checking are very similar to the rule sets that can be stored in SAP’s own solution, SAP Access Control, and existing SAP Access Control rule sets can be reused if customers already have them in place. Due to the flexible workflow architecture of One Identity Manager, compliance checks in SAP Access Control can be applied to employees’ self-service requests in order to ensure a separation of functions.

Integration with SAP Access Control 

SAP Access Control can be integrated in different forms and depths: as a workflow and provisioning engine, as a pure workflow engine, or as a pure separation of duties information system. One Identity Manager also comes with a native connector for the SAP HANA database, providing the identity lifecycle for database users in an SAP HANA database.

Managing hybrid SAP environments and systems 

Customers who are already in a hybrid world and are utilizing RISE to migrate services to the cloud have additional requirements for security, efficiency and reliability. These customers have not only SAP’s classic on-prem products and solutions in place, but also cloud-based solutions.

Hybrid SAP customers use services from the SAP cloud in addition to on-premises solutions. In this case, One Identity Manager can manage the ABAP-based SAP S/4HANA cloud private instances through the certified SAP connector, just like the on-prem ABAP-based SAP systems. Also, for SAP S/4HANA Cloud Private Edition, the Compliance add-on for SAP of One Identity Manager can be used for compliance and monitoring of regulatory requirements.

Integration with cloud identity access governance 

In a hybrid scenario, the modern, cloud-based SAP Cloud Identity Access Governance (SAP IAG), which extends the capabilities of SAP Access Control to SAP Cloud solutions, can also be integrated into One Identity Manager.

This allows rule audits not only for ABAP-based on-prem systems and SAP S/4HANA Cloud Private Edition, but also for all solutions operated on the SAP Business Technology Platform (SAP BTP), enabling an audit of the complete hybrid SAP infrastructure and ensuring holistic audit and compliance across infrastructures. Different forms and depths of integration are also conceivable for SAP IAG: it can be used as a workflow and provisioning engine, as a pure workflow engine, or as a pure separation of functions information system.

Integration options 

One Identity Manager can not only integrate SAP IAG, but also directly integrate applications on the SAP Business Technology Platform (SAP BTP). For this purpose, a SCIM-based standard connector is provided via One Identity’s Starling Connect service, which enables integration via SAP Cloud Identity Services.

SAP SuccessFactors, SAP Concur, SAP Ariba and other cloud-hosted solutions can also be managed with One Identity Manager, ensuring holistic governance for our customers’ landscapes as they move forward.

Conclusion 

One Identity Manager can facilitate the transition from SAP IDM to SAP Cloud solutions by supporting both ABAP and SCIM connectivity, as well as the other systems customers have in their environments, helping them satisfy their security requirements.
