This article provides step-by-step instructions for connecting EmpowerID to SAP BTP XSUAA. By following it, administrators can integrate the two systems so that user and group data is synchronized and managed consistently, keeping identity and access management processes streamlined across both platforms.

...

Before connecting EmpowerID to the SAP Cloud Identity Service IAS XSUAA SCIM Connector, ensure the following prerequisites are met: 

  1. System-Type Administrator Account: Create a system-type administrator account and secret in the SAP Cloud Identity Service XSUAA service instance with the following permissions:

    • Manage Users

    • Read Users

    • Manage Groups

    • Access Real-Time Provisioning API

  2. Required Information: Obtain the following details from SAP for onboarding the system in EmpowerID:

    • Base URL of the Instance

    • Access Token URL of the instance

    • ClientID of the Admin User

    • ClientSecret of the Admin User
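As an added pre-flight check (example code, not EmpowerID's or SAP's), the script below obtains a token from the Access Token URL with the admin client's ID and secret and issues a single SCIM read against the base URL, which confirms the four values above and the Read Users permission before the account store is created. The `/Users` path is an assumption about the XSUAA SCIM API, and the `tenant.example` host in the comments is a placeholder.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

def token_request(token_url, client_id, client_secret):
    """OAuth 2.0 client-credentials request to the Access Token URL.
    The secret travels only in the HTTP Basic header, never in the URL."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(token_url, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})

def parse_token(body):
    """Pull the bearer token out of the token endpoint's JSON reply."""
    payload = json.loads(body)
    if payload.get("token_type", "").lower() != "bearer" or not payload.get("access_token"):
        raise ValueError("token endpoint did not return a bearer access token")
    return payload["access_token"]

def scim_probe_request(base_url, token):
    """One SCIM read that exercises Read Users without listing the directory.
    Assumption: the SCIM Users resource is at <XSUAA base URL>/Users."""
    url = base_url.rstrip("/") + "/Users?" + urllib.parse.urlencode({"count": 1})
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                                "Accept": "application/json"})

def check_scim_reply(status, body):
    """Return totalResults on success; turn the usual failures into clear errors."""
    if status == 401:
        raise PermissionError("token rejected: check Client ID, Client Secret and token URL")
    if status == 403:
        raise PermissionError("token accepted but the client lacks Read Users")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status} from SCIM endpoint")
    return int(json.loads(body)["totalResults"])

def preflight(token_url, base_url, client_id, client_secret):
    """End-to-end check, e.g. preflight("https://tenant.example/oauth/token",
    "https://tenant.example", client_id, client_secret); returns the user count."""
    with urllib.request.urlopen(token_request(token_url, client_id, client_secret)) as r:
        token = parse_token(r.read())
    try:
        with urllib.request.urlopen(scim_probe_request(base_url, token)) as r:
            return check_scim_reply(r.status, r.read())
    except urllib.error.HTTPError as e:  # urlopen raises on 4xx/5xx; map the code
        return check_scim_reply(e.code, e.read())
```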

Procedure

Step 1 – Create an Account Store for SAP BTP XSUAA

  1. Sign in to EmpowerID as an administrator.

  2. Expand Admin > Applications and Directories on the navbar and select Account Stores and Systems.

  3. Select the Actions tab and then click Create Account Store.


  4. Under System Types, search for SAP Authorization and Trust Management Service SCIM.

  5. Click the record for SAP Authorization and Trust Management Service SCIM to select the type and then click Submit.


    This opens the Account Store Details form for the system.

  6. Enter the following information in the form:

    • Name – Name of the account store

    • XSUAA Base URL – The base URL of the SAP IAS XSUAA service instance

    • Access Token URL – The URL to get the access token for the XSUAA service instance

    • Client ID – The Client ID of the admin user

    • Client Secret – The Client Secret of the admin user

  7. When ready, click Submit to create the account store.

...

  1. On the Account Store Details page for the SAP Cloud Identity Service IAS XSUAA account store, select the Attribute Flow Rules tab.

  2. Review the attribute flow and revise as needed. EmpowerID translates the attributes in SAP IAS XSUAA to SCIM for use with the connector and represents those attributes in EmpowerID as External Directory Attributes. You map these attributes to EmpowerID Person attributes to ensure that any changes occurring to user attributes in SAP IAS XSUAA flow to the EmpowerID Person and any other user accounts owned by the Person.

  3. To change the score for any available CRUD operations (Create, Update, and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory.

...

  1. Click the Edit link on the Account Store Details page for the SAP Cloud Identity Service IAS XSUAA object to put the account store in Edit mode.

  2. Edit the settings shown below as needed and save your changes.

...

  1. On the Account Store Settings page, select the Inventory tab.

  2. Change the Inventory Schedule Interval as needed. By default, EmpowerID inventories account stores once every 10 minutes.

  3. Toggle Inventory Enabled.

  4. Click Save to save your changes to the account store.

...

Step 4 – Enable the Group Membership Reconciliation Job for the Account Store

  1. Select the Resource System tab on the Account Store Settings page and then select the Server Jobs subtab.

  2. Under Membership, toggle Enable Group Membership Reconciliation.

Step 5 – Enable the Account Inbox Permanent Workflow

  1. Expand Infrastructure Admin > EmpowerID Server and Settings on the navbar and select Permanent Workflows.

  2. On the Permanent Workflows page, click the Display Name link for Account Inbox.

  3. On the Permanent Workflow Details page that appears, click the pencil icon to put the workflow in edit mode.

  4. Check Enabled.

  5. Click Save to save your changes.

Additionally, EmpowerID provides Provisioning policies or Resource Entitlements that allow you to automatically provision XSUAA accounts for any person within your organization based on your policy requirements. When using Provisioning policies with XSUAA, “origin” must be added to the policy as a configuration parameter. If you need to provision users for multiple origins, you need to create multiple policies with the origin parameter set to the appropriate value. For more information, see Create Provisioning Policies for SAP XSUAA.