The XSUAA SCIM Connector integrates the SAP BTP Authorization and Trust Management service (XSUAA) with EmpowerID. The connector uses the SCIM 2.0 protocol to synchronize and manage user and group data between XSUAA and EmpowerID, so that EmpowerID can provision users from identity providers and manage roles and role collections. Groups in the Authorization and Trust Management service are mapped to role collections. The XSUAA API adheres to the SCIM (System for Cross-domain Identity Management) protocol for the users/groups schema, and the connector is implemented to sync data inbound and outbound.
Overview
The XSUAA SCIM Connector is designed to synchronize users and groups between SAP BTP XSUAA and EmpowerID, managing roles and role collections effectively. In the context of EmpowerID, groups in the XSUAA Authorization and Trust Management service correspond to role collections. This connector supports both inbound and outbound synchronization, adhering to the SCIM protocol for managing user and group schemas.
To enable access to the XSUAA API, you must configure an OAuth 2.0 client within the XSUAA service instance. This process involves enabling the API access plan for the service instance, thereby allowing EmpowerID to interface with the XSUAA service securely.
Supported Functionality
The connector supports the following capabilities:
Inventory (Inbound)
User Inventory: Synchronizes user data from XSUAA to EmpowerID, ensuring that all user information in XSUAA is reflected accurately in EmpowerID.
Group Inventory: Synchronizes group (role collection) data from XSUAA to EmpowerID, allowing for effective role management.
Group Membership: Synchronizes group membership data from XSUAA to EmpowerID, maintaining up-to-date group associations for users.
CRUD (Outbound)
User provisioning (Create): Enables user creation in XSUAA using EmpowerID’s provisioning policies and workflows. Ensure that attributes like Email, UserPrincipalName, and EmployeeType are correctly configured. The origin attribute must be set as part of the configuration parameters to correctly route the user creation (in XSUAA, origin identifies the identity provider the user belongs to).
User Update: Allows updating user attributes in XSUAA using EmpowerID workflows, enabling real-time synchronization of user information.
User de-provisioning (Delete): Manages user deletion in XSUAA through EmpowerID’s de-provisioning policies and workflows.
User Enable/Disable: Supports enabling or disabling users by toggling the active flag in XSUAA, managed through EmpowerID workflows.
Group Update: Allows updating group attributes in XSUAA (limited to the description attribute) using EmpowerID workflows.
Group Membership: Facilitates adding or removing group memberships in XSUAA via EmpowerID policies and workflows, ensuring that role assignments remain consistent across systems.
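The outbound operations above each map to one SCIM request. The following is an added example (not EmpowerID's or SAP's code) that builds those request bodies: a user create that refuses to proceed without origin, an enable/disable patch, the description-only group update, and a single-member add/remove on a role collection. It assumes, without the page saying so, that users are served under /Users, role collections under /Groups, and that updates are SCIM 2.0 PatchOp messages; verify the exact shapes against the SAP API reference for your tenant.

```python
"""Outbound SCIM 2.0 request builders for the XSUAA connector operations.
Added example, not EmpowerID's or SAP's code.  Assumed (not on the page):
/Users and /Groups resource paths and SCIM 2.0 PatchOp for updates.
"""
import json
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Ids interpolated into a SCIM filter path are restricted to a safe alphabet so a
# crafted id cannot rewrite the filter (e.g. members[value eq "x" or ...]).
_ID_RE = re.compile(r"^[A-Za-z0-9._@-]+$")


def is_safe_id(user_id):
    return bool(user_id) and _ID_RE.match(user_id) is not None


def create_user_errors(login, email, origin):
    """Checks to run before the POST; returns a list of human-readable problems."""
    errors = []
    if not login:
        errors.append("login (userName) is empty")
    if not _EMAIL_RE.match(email or ""):
        errors.append("email is not a valid address")
    if not origin:
        errors.append("origin is required so XSUAA routes the user to the right identity provider")
    return errors


def build_create_user(login, email, given_name, family_name, origin):
    """Body for POST /Users.  origin is the attribute the page says must be set."""
    errors = create_user_errors(login, email, origin)
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "schemas": [USER_SCHEMA],
        "userName": login,
        "origin": origin,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }


def _patch(*operations):
    return {"schemas": [PATCH_OP], "Operations": list(operations)}


def build_set_active(active):
    """PATCH /Users/{id}: enable or disable without touching other attributes."""
    return _patch({"op": "replace", "path": "active", "value": bool(active)})


def build_group_description(description):
    """PATCH /Groups/{id}: description is the only group attribute the page says is updatable."""
    return _patch({"op": "replace", "path": "description", "value": description})


def build_membership(user_id, add):
    """PATCH /Groups/{id}: add or remove exactly one member of a role collection.
    Removal targets the member by filter so the rest of the list is untouched."""
    if not is_safe_id(user_id):
        raise ValueError(f"unsafe user id for filter path: {user_id!r}")
    if add:
        return _patch({"op": "add", "path": "members", "value": [{"value": user_id}]})
    return _patch({"op": "remove", "path": f'members[value eq "{user_id}"]'})


def to_request(method, base_url, path, body):
    """Serialize as the HTTP request EmpowerID would send; the caller's
    authenticated session adds the bearer token."""
    return {"method": method, "url": base_url.rstrip("/") + path,
            "headers": {"Content-Type": "application/scim+json",
                        "Accept": "application/scim+json"},
            "body": json.dumps(body, separators=(",", ":"))}


if __name__ == "__main__":
    user = build_create_user("jdoe", "jdoe@example.com", "Jane", "Doe", "sap.custom")
    print(to_request("POST", "https://api.example.test", "/Users", user))
    print(build_membership("0a1b2c3d", add=False))
```

The id check matters because the removal path is a SCIM filter expression; validating the id before interpolating it is cheaper than escaping and closes the only injection point in these bodies.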
Prerequisites
Before establishing a connection between EmpowerID and the XSUAA SCIM Connector, the following prerequisites must be fulfilled:
System-Type Administrator Account
Create a system-type administrator account in the XSUAA service instance with sufficient privileges. Because this account can create, delete, and re-assign users and role collections across the instance, treat its client secret as a privileged credential and grant only the permissions it needs. The account should have the following permissions:
Manage Users: Allows for the creation, updating, and deletion of users.
Read Users: Enables read access to user data.
Manage Groups: Grants permissions to manage groups (role collections) within the XSUAA instance.
Access Real-Time Provisioning API: Required for real-time provisioning and synchronization between EmpowerID and XSUAA.
Required Information
Obtain the following information from your SAP BTP XSUAA instance to facilitate onboarding in EmpowerID:
Base URL: The base URL of the XSUAA service instance.
Access Token URL: The URL to obtain OAuth 2.0 access tokens for API access.
ClientID and ClientSecret: The credentials associated with the administrator account (the ClientID of the admin user and its secret), used for authenticating API requests.
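How the three values above are used once EmpowerID has them, and how the inbound user inventory is pulled, as an added example (not EmpowerID's or SAP's code): the Access Token URL, ClientID and ClientSecret go into an OAuth 2.0 client_credentials request, and the resulting bearer token is sent to the Base URL's SCIM list endpoint, following startIndex/count paging until totalResults is reached. The endpoint paths (/oauth/token, /Users), HTTP Basic client authentication at the token endpoint, and RFC 7644 paging are assumptions to verify against the SAP API reference; the FakeXsuaa transport and its three users are constructed so the flow runs offline.

```python
"""Client-credentials token fetch and paginated SCIM /Users inventory.
Added example, not EmpowerID's or SAP's code.  Assumed: /oauth/token with
HTTP Basic client auth, /Users with startIndex/count paging.  The ``send``
callable is injected so the flow can be exercised against FakeXsuaa below.
"""
import base64
import json
import urllib.parse
import urllib.request


def http_send(method, url, headers, body=None):
    """Live transport; returns (status, body_text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")


def fetch_token(token_url, client_id, client_secret, send=http_send):
    """client_credentials grant.  The secret is an admin-level credential:
    refuse non-TLS URLs and never log the request."""
    if not token_url.lower().startswith("https://"):
        raise ValueError("token URL must be https")
    # RFC 6749 s2.3.1: id and secret are form-urlencoded before Basic encoding
    cred = urllib.parse.quote(client_id, safe="") + ":" + urllib.parse.quote(client_secret, safe="")
    headers = {"Authorization": "Basic " + base64.b64encode(cred.encode()).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    status, text = send("POST", token_url, headers, body)
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    return json.loads(text)["access_token"]


def list_users(base_url, token, send=http_send, page_size=100):
    """Walk the whole /Users inventory.  Stops on an empty page or once
    totalResults is reached, so a server that ignores count cannot loop forever."""
    users, start = [], 1
    while True:
        query = urllib.parse.urlencode({"startIndex": start, "count": page_size})
        url = base_url.rstrip("/") + "/Users?" + query
        status, text = send("GET", url, {"Authorization": "Bearer " + token,
                                          "Accept": "application/scim+json"})
        if status != 200:
            raise RuntimeError(f"/Users returned HTTP {status}")
        page = json.loads(text)
        batch = page.get("Resources", [])
        users.extend(batch)
        total = int(page.get("totalResults", len(users)))
        if not batch or len(users) >= total:
            return users
        start += len(batch)


class FakeXsuaa:
    """Constructed stand-in for the XSUAA API: one OAuth client and three
    users served two per page.  Not real tenant data."""
    def __init__(self):
        self.users = [{"id": f"id-{i}", "userName": n, "active": True}
                      for i, n in enumerate(["alice", "bob", "carol"])]
        self.calls = []

    def __call__(self, method, url, headers, body=None):
        self.calls.append((method, url))
        if url.endswith("/oauth/token"):
            expected = "Basic " + base64.b64encode(b"client-1:s3cret").decode()
            if headers.get("Authorization") != expected:
                return 401, json.dumps({"error": "unauthorized"})
            return 200, json.dumps({"access_token": "tok-abc", "token_type": "bearer"})
        if headers.get("Authorization") != "Bearer tok-abc":
            return 401, "{}"
        q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        start, count = int(q["startIndex"][0]), int(q["count"][0])
        page = self.users[start - 1:start - 1 + count]
        return 200, json.dumps({"totalResults": len(self.users), "startIndex": start,
                                "itemsPerPage": len(page), "Resources": page})


def demo(send=None):
    """Run the flow against constructed endpoints; returns the synced logins in order."""
    send = send or FakeXsuaa()
    token = fetch_token("https://auth.example.test/oauth/token", "client-1", "s3cret", send)
    users = list_users("https://api.example.test", token, send, page_size=2)
    return [u["userName"] for u in users]


if __name__ == "__main__":
    print(demo())
```

With the live transport, pass `send=http_send` (the default) and the real Access Token URL and Base URL; the page-size guard and the totalResults check are what keep a large tenant inventory from either truncating or running unbounded.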
Inventory Objects and their corresponding components in EmpowerID
Object in XSUAA Service Instance | Component in EmpowerID |
---|---|
SCIM Users | Account |
SCIM Groups (role collections) | Group |
Attribute Mapping
The following table outlines the attribute mappings between SAP XSUAA user attributes and EmpowerID Person attributes, ensuring that user information is correctly synchronized between systems:
Personal Information
SAP XSUAA User Attribute | EmpowerID Person Attribute | SAP XSUAA SCIM Interface Technical Attribute |
---|---|---|
UserID (readonly) | | |
Global User ID (readonly) | | |
SCIM ID (readonly) | | |
Status | Status | |
User Type | EmployeeType | |
Company Relationship | (Not currently mapped; can be if needed) | |
Valid From | | |
Valid To | | |
City | (Personal Address Information Not Managed) | addresses[?(@.type=='home')].locality |
ZIP/Postal Code | (Personal Address Information Not Managed) | addresses[?(@.type=='home')].postalCode |
Country/Region | (Personal Address Information Not Managed) | addresses[?(@.type=='home')].country |
State | (Personal Address Information Not Managed) | addresses[?(@.type=='home')].region |
Street Address | (Personal Address Information Not Managed) | addresses[?(@.type=='home')].streetAddress |
Street Address2 | (Personal Address Information Not Managed) | |
profileUrl | AboutMe | profileUrl |
description | Description | description |
emails (non-primary) | | emails[?(@.primary==false)] |
Salutation | | name. |
First Name | FirstName | name.givenName |
Last Name | LastName | name.familyName |
Login Name | Login | userName |
Display Name | | |
Telephone | BusinessPhone | phoneNumbers[?(@.type=='work')].value |
origin | EmployeeType | origin |
givenName | FirstName | name.givenName |
familyName | LastName | name.familyName |
middleName | MiddleName | name.middleName |
honorificSuffix | GenerationalSuffix | name.honorificSuffix |
title | Title | title |
photos | PhotoURL | photos[?(@.type=='work')].value |
MobilePhone | MobilePhone | phoneNumbers[?(@.type=='mobile')].value |
Fax | Fax | phoneNumbers[?(@.type=='fax')].value |
emails (work) | | emails[?(@.type=='work')].value |
Language | | |
Time Zone | | |
Employment Information
SAP XSUAA User Attribute | EmpowerID Person Attribute | SAP SCIM Interface Technical Field |
---|---|---|
Employee Number | EmployeeID | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.employeeNumber |
Cost Center | CostCenter | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.costCenter |
Department | Department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department |
Division | Division | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.division |
Manager Id | Manager | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value |
Manager Display Name (readonly) | | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.displayName |
Company Information
SAP XSUAA User Attribute | EmpowerID Person Attribute | SAP SCIM Interface Technical Field |
---|---|---|
Industry | (Not currently mapped; can be if needed) | urn:ietf:params:scim:schemas:extension:sap:2.0:User.industry |
Company | Company | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.organization |
City | City | addresses[?(@.type=='work')].locality |
ZIP/Postal Code | PostalCode | addresses[?(@.type=='work')].postalCode |
Country/Region | Country | addresses[?(@.type=='work')].country |
State/Province | State | addresses[?(@.type=='work')].region |
Street Address | StreetAddress | addresses[?(@.type=='work')].streetAddress |
Street Address2 | StreetAddress2 | urn:ietf:params:scim:schemas:extension:sap:2.0:User.addresses[?(@.type=='work')].streetAddress2 |
Custom Attributes
SAP XSUAA User Attribute | EmpowerID Person Attribute | SAP SCIM Interface Technical Field |
---|---|---|
Custom Attribute 1 | | urn:sap:cloud:scim:schemas:extension:custom:2.0:User.attributes[?(@.name=='customAttribute1')].value |
Custom Attribute 2 to 9 | (same pattern as Custom Attribute 1 and 10) | urn:sap:cloud:scim:schemas:extension:custom:2.0:User.attributes[?(@.name=='customAttributeN')].value, with N from 2 to 9 |
Custom Attribute 10 | CustomAttribute10 | urn:sap:cloud:scim:schemas:extension:custom:2.0:User.attributes[?(@.name=='customAttribute10')].value |
Other Attributes
SAP XSUAA User Attribute | EmpowerID Person Attribute | SAP XSUAA SCIM Interface Technical Attribute |
---|---|---|
locale | PreferredLanguage | locale |
active | Status | active |
verified | ExtensionAttribute19 | verified |
zoneId | ExtensionAttribute1 | zoneId |
userName | Login | userName |
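The technical-attribute column in the tables above is a small path language: plain dotted SCIM paths (name.givenName), schema-URN prefixes for the enterprise, sap and custom extensions, and [?(@.attr=='value')] filters that pick one element of a multi-valued attribute. The following added example (not EmpowerID's mapping engine) resolves those paths against a SCIM user record and yields the EmpowerID Person attributes. SAMPLE_USER is a constructed record, and MAPPING is a subset of the page's rows chosen to cover each path form; a missing attribute or a filter with no matching element simply yields no value rather than an error, which is what an inventory run needs when records are sparse.

```python
"""Resolve the attribute-mapping paths from the tables above against an
XSUAA SCIM user.  Added example, not EmpowerID's mapping engine.
SAMPLE_USER is constructed; MAPPING is a subset of the page's rows.
"""
import re

# A schema prefix ends at ':User'; what follows is an ordinary path.
_SCHEMA_RE = re.compile(r"^(urn:.*?:User)(?=[.\[]|$)(.*)$")
# One path segment: attribute name plus optional [?(@.attr=='value')] or [?(@.attr==true)].
_SEG_RE = re.compile(r"^([A-Za-z0-9_]+)(?:\[\?\(@\.([A-Za-z0-9_]+)==('?)([^')\]]*)\3\)\])?$")


def _split_segments(path):
    """Split on '.' outside [...] so the '@.' inside a filter is not a separator."""
    segs, buf, depth = [], "", 0
    for ch in path:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "." and depth == 0:
            segs.append(buf)
            buf = ""
        else:
            buf += ch
    segs.append(buf)
    return [s for s in segs if s]


def resolve(resource, path):
    """Return the value at ``path`` in a SCIM resource dict, or None if absent."""
    m = _SCHEMA_RE.match(path)
    node, rest = (resource.get(m.group(1)), m.group(2)) if m else (resource, path)
    for seg in _split_segments(rest):
        sm = _SEG_RE.match(seg)
        if sm is None:
            raise ValueError(f"unsupported path segment: {seg!r}")
        name, fattr, quoted, fval = sm.groups()
        if not isinstance(node, dict):
            return None
        node = node.get(name)
        if fattr is not None:  # pick the one list element matching the filter
            if not isinstance(node, list):
                return None
            want = fval if quoted else {"true": True, "false": False}.get(fval, fval)
            node = next((e for e in node if isinstance(e, dict) and e.get(fattr) == want), None)
    return node


ENT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SAP = "urn:ietf:params:scim:schemas:extension:sap:2.0:User"
CUSTOM = "urn:sap:cloud:scim:schemas:extension:custom:2.0:User"

MAPPING = {  # EmpowerID Person attribute -> SCIM technical path (rows from the page)
    "Login": "userName",
    "FirstName": "name.givenName",
    "LastName": "name.familyName",
    "Status": "active",
    "EmployeeType": "origin",
    "MobilePhone": "phoneNumbers[?(@.type=='mobile')].value",
    "City": "addresses[?(@.type=='work')].locality",
    "EmployeeID": ENT + ".employeeNumber",
    "Manager": ENT + ".manager.value",
    "Company": ENT + ".organization",
    "StreetAddress2": SAP + ".addresses[?(@.type=='work')].streetAddress2",
    "CustomAttribute10": CUSTOM + ".attributes[?(@.name=='customAttribute10')].value",
}

SAMPLE_USER = {  # constructed record, not real tenant data
    "id": "0a1b2c3d", "userName": "jdoe", "origin": "sap.custom", "active": True,
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "phoneNumbers": [{"type": "work", "value": "+49 6227 7-0000"},
                     {"type": "mobile", "value": "+49 170 0000000"}],
    "addresses": [{"type": "home", "locality": "Heidelberg"},
                  {"type": "work", "locality": "Walldorf"}],
    ENT: {"employeeNumber": "100042", "organization": "Example SE",
          "manager": {"value": "9f8e7d6c", "displayName": "M. Manager"}},
    SAP: {"addresses": [{"type": "work", "streetAddress2": "Building 3"}]},
    CUSTOM: {"attributes": [{"name": "customAttribute1", "value": "x"},
                            {"name": "customAttribute10", "value": "CONTRACTOR"}]},
}


def map_user(resource, mapping=MAPPING):
    """Return {EmpowerID attribute: value}; attributes the record lacks are omitted."""
    out = {}
    for eid_attr, path in mapping.items():
        value = resolve(resource, path)
        if value is not None:
            out[eid_attr] = value
    return out


if __name__ == "__main__":
    for k, v in map_user(SAMPLE_USER).items():
        print(f"{k:18} = {v}")
```

Note that the filters are exact-match on the sub-attribute, so a record whose work address carries `"type": "Work"` maps nothing; normalizing the type values on the XSUAA side, or adding a case-insensitive comparison, is a deliberate choice to make rather than an accident to discover during an inventory run.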