This article provides step-by-step instructions for connecting EmpowerID to SAP Cloud Identity Service IAS. By following this article, administrators can efficiently integrate the two systems, enabling seamless synchronization and management of user and group data. This integration ensures that identity and access management processes are streamlined and consistent across both platforms.
Prerequisites
Before connecting EmpowerID to the SAP Cloud Identity Service IAS SCIM Connector, ensure the following prerequisites are met:
System-Type Administrator Account: Create a system-type administrator account and secret in the SAP Cloud Identity Service with the following permissions:
Manage Users
Read Users
Manage Groups
Access Real-Time Provisioning API
Required Information: Obtain the following details from SAP for onboarding the system in EmpowerID:
Base URL of the Instance
ClientID of the Admin User
ClientSecret of the Admin User
Procedure
Step 1 – Create an Account Store for SAP Cloud Identity Service IAS
Sign in to EmpowerID as an administrator.
Expand Admin > Applications and Directories on the navbar and select Account Stores and Systems.
Select the Actions tab and then click Create Account Store.
Under System Types, search for SAP Cloud Identity Service.
Click the record for SAP Cloud Identity Service IAS SCIM to select the type and then click Submit.
Enter the following information in the form:
Name – Name of the account store
Base URL – The base URL of the SAP IAS instance
Client Secret – The Client Secret of the admin user
Client ID – The Client ID of the admin user
When ready, click Submit to create the account store.
Step 2 – Configure Attribute Flow
On the Account Store Details page for the SAP Cloud Identity Service IAS account store, select the Attribute Flow Rules tab.
Review the attribute flow and revise as needed. EmpowerID translates the attributes in SAP IAS to SCIM for use with the connector and represents those attributes in EmpowerID as External Directory Attributes. You map these attributes to EmpowerID Person attributes to ensure that any changes occurring to user attributes in SAP IAS flow to the EmpowerID Person and any other user accounts owned by the Person.
To change the score for any available CRUD operations (Create, Update, and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory.
Step 3 – Configure the SAP Cloud Identity Service IAS Account Store
Click the Edit link on the Account Store Details page for the SAP Cloud Identity Service IAS to put the account store in Edit mode.
Edit the settings shown below as needed and save your changes.
Account Store Settings | |
---|---|
Setting | Description |
Authentication and Password Settings | |
Password Manager Policy for Accounts without Person | Specifies the Password Manager Policy to be used for user accounts not joined to an EmpowerID Person. |
Provisioning Settings | |
Allow Person Provisioning (Joiner Source) | Specifies whether EmpowerID Persons can be provisioned from user accounts in the account store. |
Allow Attribute Flow | Specifies whether attribute changes should flow between the account store and EmpowerID. |
Allow Provisioning (By RET) | Allows or disallows the Resource Entitlement (RET) Inbox process to auto-provision accounts for this domain for users who receive RET policy-assigned user accounts, but have not yet had them provisioned. |
Allow Deprovisioning (By RET) | Allows or disallows the Resource Entitlement Inbox process to auto de-provision accounts for this domain for users who still have RET policy-assigned user accounts, but no longer receive a policy that grants them a user account in the domain. De-provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to De-Provision. |
Max Accounts per Person | This specifies the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. It is recommended that this value be set to 1 unless users will have more than 1 account and you wish them to be joined to the same person. |
Business Role Settings | |
Allow Business Role and Location Re-Evaluation | Specifies whether Business Role and Location re-evaluation should occur for the account store |
Business Role and Location Re-Evaluation Order | This is an optional policy setting that can be used by provisioning workflows to determine which Account Store has priority when determining the roles and locations that should be assigned to a person. Account Stores with a higher value take precedence. |
Inventory Auto Provision OUs as IT System Locations | Specifies whether OUs in the external system are added as IT System locations in EmpowerID. If true, the OUs appear under the All IT Systems location node. |
Inventory Auto Provision External Roles as Business Roles | Specifies whether EmpowerID should provision Business roles for external account store roles If you are using Dynamic Hierarchy policies to generate custom external roles and locations, this options should be left disabled. |
Default Person Business Role | Specifies the default EmpowerID Business Role to be assigned to each EmpowerID Person provisioned from the user accounts in the account store. |
Default Person Location (leave blank to use account container) | Specifies the default EmpowerID Location to be assigned to each EmpowerID Person provisioned from the user accounts in the account store. |
Special Use Settings | |
Automatically Join Account to a Person on Inventory (Skip Account Inbox) | Specifies whether EmpowerID should attempt to join user accounts in the account store to an existing EmpowerID Person during the inventory process. When enabled, the Account Inbox is bypassed. |
Automatically Create a Person on Inventory (Skip Account Inbox) | Specifies whether EmpowerID should create new EmpowerID Persons from the user accounts discovered in the account store during the inventory process. When enabled, the Account Inbox is bypassed. |
Inventory Settings | |
Inventory Schedule Interval | Specifies the time span that occurs before EmpowerID performs a complete inventory of the account store. The default value is 10 minutes. |
Inventory Enabled | Allows EmpowerID to inventory the user information in the account store. |
Step 4 – Enable Inventory on the Account Store
On the Account Store Settings page, select the Inventory tab.
Change the Inventory Schedule Interval as needed. By default, EmpowerID inventories account stores once every 10 minutes.
Toggle Inventory Enabled.
Click Save to save your changes to the account store.
Now that inventory is enabled for the account store, the next step is to turn on the Account Inbox permanent workflow. This workflow is responsible for fetching and processing new user accounts.
Step 5 – Enable the Account Inbox Permanent Workflow
Expand Infrastructure Admin > EmpowerID Server and Settings on the navbar and select Permanent Workflows.
On the Permanent Workflows page, click the Display Name link for Account Inbox.
On the Permanent Workflow Details page that appears, click the pencil icon to put the workflow in edit mode.
Check Enabled.
Click Save to save your changes.