The SAP Cloud Identity Service IAS XSUAA SCIM Connector is designed to integrate SAP's Identity Authentication Service (IAS), also known as Identity Directory, with EmpowerID. The connector uses the SCIM 2.0 protocol to synchronize and manage user and group data between SAP IAS and EmpowerID, ensuring consistent identity and access management across both platforms. It synchronizes users and groups between SAP BTP XSUAA and EmpowerID, effectively managing roles and role collections. In the context of EmpowerID, groups in the XSUAA Authorization and Trust Management service correspond to role collections. The connector supports both inbound and outbound synchronization, adhering to the SCIM protocol for managing user and group schemas.
To enable access to the XSUAA API, you must configure an OAuth 2.0 client within the XSUAA service instance. This process involves enabling the API access plan for the service instance, allowing EmpowerID to securely interface with the XSUAA service.
Supported Functionality
The connector supports the following capabilities:
Inventory
User Inventory: Synchronizes user data from XSUAA to EmpowerID, ensuring that all user information in XSUAA is reflected accurately in EmpowerID.
Group Inventory: Synchronizes group (role collection) data from XSUAA to EmpowerID, allowing for effective role management.
Group Membership: Synchronizes group membership data from XSUAA to EmpowerID, maintaining up-to-date user group associations.
CRUD (Outbound)
User Provisioning (Create): Enables user creation in XSUAA using EmpowerID's provisioning policies and workflows. Ensure that attributes such as Email, UserPrincipalName, and EmployeeType are correctly configured. The origin attribute must be set as part of the configuration parameters to route the user creation correctly.
User Update: Allows updating user attributes in XSUAA using EmpowerID workflows, enabling real-time synchronization of user information.
User de-provisioning (Delete): Manages user deletion in XSUAA through EmpowerID’s de-provisioning policies and workflows.
User Enable/Disable: Supports enabling or disabling users by toggling the active flag in XSUAA, managed through EmpowerID workflows.
Group Update: Allows updating group attributes in XSUAA (limited to the description attribute) using EmpowerID workflows.
Group Membership: Facilitates adding or removing group memberships in XSUAA via EmpowerID policies and workflows, ensuring that role assignments remain consistent across systems.
Prerequisites
Before establishing a connection between EmpowerID and the XSUAA SCIM Connector, the following prerequisites must be fulfilled:
System-Type Administrator Account
Create a system-type administrator account in the XSUAA service instance with sufficient privileges. The account should have the following permissions:
Manage Users: Allows for the creation, updating, and deletion of users.
Read Users: Enables read access to user data.
Manage Groups: Grants permissions to manage groups (role collections) within the XSUAA instance.
Access Real-Time Provisioning API: Required for real-time provisioning and synchronization between EmpowerID and XSUAA.
Required Information
Obtain the following information from your SAP BTP XSUAA instance to facilitate onboarding in EmpowerID:
Base URL: The base URL of the XSUAA service instance.
Access Token URL: The URL to obtain OAuth 2.0 access tokens for API access.
ClientID and ClientSecret: The credentials associated with the administrator account are used for authenticating API requests.
Inventory Objects and their corresponding components in EmpowerID
The connector connects to the SAP IAS XSUAA API and retrieves user data. The inventoried objects correspond to the following EmpowerID components:

Object in XSUAA Service Instance | Component in EmpowerID
---|---
SCIM Users | Account
SCIM Groups (role collections) | Group
Attribute Mapping
The following tables outline the attribute mappings between SAP XSUAA user attributes and EmpowerID Person attributes, ensuring that user information is correctly synchronized between systems. The third column gives the SCIM 2.0 attribute path on the XSUAA SCIM interface; paths that start with a URN belong to the named extension schema.

Personal Information

XSUAA User Attribute | EmpowerID Person Attribute | XSUAA SCIM Interface Technical Attribute
---|---|---
UserID (readonly) | | userId
Global User ID (readonly) | | id
SCIM ID (readonly) | | id
Status | Status | active
User Type | EmployeeType | userType
origin | EmployeeType | origin
Company Relationship | (Not currently mapped; can be if needed) | urn:ietf:params:scim:schemas:extension:sap:2.0:User.companyRelationship
Valid From | | urn:ietf:params:scim:schemas:extension:sap:2.0:User.validFrom
Valid To | | urn:ietf:params:scim:schemas:extension:sap:2.0:User.validTo
verified | ExtensionAttribute19 | verified
zoneId | ExtensionAttribute1 | zoneId
Login Name | Login | userName
Display Name | | displayName
Salutation | | name.honorificPrefix
First Name | FirstName | name.givenName
middleName | MiddleName | name.middleName
Last Name | LastName | name.familyName
honorificSuffix | GenerationalSuffix | name.honorificSuffix
title | Title | title
description | Description | description
profileUrl | AboutMe | profileUrl
photos | PhotoURL | photos[?(@.type=='work')].value
emails (work) | | emails[?(@.type=='work')].value
emails (non-primary) | | emails[?(@.primary==false)].value
Telephone | BusinessPhone | 
MobilePhone | MobilePhone | phoneNumbers[?(@.type=='mobile')].value
Fax | Fax | phoneNumbers[?(@.type=='fax')].value
Language (preferredLanguage) | | locale
Time Zone | | timezone
City | (Personal Address Information Not Managed) | 
ZIP/Postal Code | (Personal Address Information Not Managed) | addresses[?(@.type=='home')].postalCode
Country/Region | (Personal Address Information Not Managed) | addresses[?(@.type=='home')].country
State | (Personal Address Information Not Managed) | addresses[?(@.type=='home')].region
Street Address | (Personal Address Information Not Managed) | addresses[?(@.type=='home')].streetAddress
Street Address2 | (Personal Address Information Not Managed) | urn:ietf:params:scim:schemas:extension:sap:2.0:User.addresses[?(@.type=='home')].streetAddress2

Employment Information

XSUAA User Attribute | EmpowerID Person Attribute | XSUAA SCIM Interface Technical Attribute
---|---|---
Employee Number | EmployeeID | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.employeeNumber
Cost Center | CostCenter | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.costCenter
Department | Department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department
Division | Division | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.division
Manager Id | Manager | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value
Manager Display Name (readonly) | | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.displayName

Company Information

XSUAA User Attribute | EmpowerID Person Attribute | XSUAA SCIM Interface Technical Attribute
---|---|---
Industry | (Not currently mapped; can be if needed) | urn:ietf:params:scim:schemas:extension:sap:2.0:User.industry
Company | Company | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.organization
City | City | addresses[?(@.type=='work')].locality
ZIP/Postal Code | PostalCode | addresses[?(@.type=='work')].postalCode
Country/Region | Country | addresses[?(@.type=='work')].country
State/Province | State | addresses[?(@.type=='work')].region
Street Address | StreetAddress | addresses[?(@.type=='work')].streetAddress
Street Address2 | StreetAddress2 | urn:ietf:params:scim:schemas:extension:sap:2.0:User.addresses[?(@.type=='work')].streetAddress2

Custom Attributes

XSUAA User Attribute | EmpowerID Person Attribute | XSUAA SCIM Interface Technical Attribute
---|---|---
Custom Attribute 1 | | urn:sap:cloud:scim:schemas:extension:custom:2.0:User.attributes[?(@.name=='customAttribute1')].value
Custom Attribute 2 to 9 | | same pattern, with customAttribute2 through customAttribute9
Custom Attribute 10 | CustomAttribute10 | urn:sap:cloud:scim:schemas:extension:custom:2.0:User.attributes[?(@.name=='customAttribute10')].value
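To make the selector syntax in these tables concrete, here is an added Python example (not EmpowerID's or SAP's code) that resolves the JSONPath-style selectors used above against a constructed SCIM 2.0 User resource and projects it onto a subset of the EmpowerID Person attributes listed. The sample resource, the origin value "example-idp" and the manager id are placeholders, and the mapping subset is assumed for illustration.

```python
import re
# Selector syntax used in the mapping tables above: dotted paths, [?(@.x=='y')]
# list filters, and an extension-schema URN prefix that is one top-level key.
_FILTER = re.compile(r"^(\w+)\[\?\(@\.(\w+)==(?:'([^']*)'|(true|false))\)\]$")
_DOT = re.compile(r"\.(?![^\[]*\])")  # a '.' that is not inside [...]

def split_selector(selector):  # -> (extension URN or None, path segments)
    if selector.startswith("urn:"):
        urn, sep, rest = selector.partition(":User.")
        return (urn + ":User", _DOT.split(rest)) if sep else (selector, [])
    return None, _DOT.split(selector)
def resolve(resource, selector):
    """Apply one mapping-table selector to a SCIM User; None when any step is absent."""
    urn, segments = split_selector(selector)
    node = resource.get(urn) if urn else resource
    for seg in segments:
        if not isinstance(node, dict):
            return None
        m = _FILTER.match(seg)
        if m:  # list filter: first element whose attribute has the wanted value
            key, attr, sval, bval = m.groups()
            want = sval if bval is None else bval == "true"
            node = next((e for e in node.get(key, [])
                         if isinstance(e, dict) and e.get(attr) == want), None)
        else:
            node = node.get(seg)
    return node
# EmpowerID Person attribute -> XSUAA SCIM selector (a subset of the tables above).
ENT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
CUSTOM = "urn:sap:cloud:scim:schemas:extension:custom:2.0:User"
PERSON_MAPPING = {
    "Login": "userName", "FirstName": "name.givenName", "Status": "active",
    "EmployeeType": "origin", "MobilePhone": "phoneNumbers[?(@.type=='mobile')].value",
    "PostalCode": "addresses[?(@.type=='work')].postalCode",
    "EmployeeID": ENT + ".employeeNumber", "Manager": ENT + ".manager.value",
    "CustomAttribute10": CUSTOM + ".attributes[?(@.name=='customAttribute10')].value",
}
def to_person(resource):  # project one SCIM User onto EmpowerID Person attributes
    return {attr: resolve(resource, sel) for attr, sel in PERSON_MAPPING.items()}

# Constructed sample in the shape of a SCIM 2.0 User from XSUAA (not real data).
SAMPLE_USER = {
    "userName": "jdoe@example.com", "active": True, "origin": "example-idp",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "phoneNumbers": [{"type": "work", "value": "+1 555 0100"}, {"type": "mobile", "value": "+1 555 0199"}],
    "addresses": [{"type": "work", "locality": "Springfield", "postalCode": "94105"}],
    ENT: {"employeeNumber": "E-1001", "manager": {"value": "manager-id-placeholder"}},
    CUSTOM: {"attributes": [{"name": "customAttribute1", "value": "a1"}, {"name": "customAttribute10", "value": "a10"}]},
}
```

A selector whose filter matches no element (for example a home address on a user that only has a work address) resolves to None rather than raising, which is the behaviour you want when an inventory run meets a sparsely populated user.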