SAP BTP XSUAA SCIM Connector

The XSUAA SCIM Connector is designed to synchronize users and groups between SAP BTP XSUAA and EmpowerID, effectively managing roles and role collections. In the context of EmpowerID, groups in the XSUAA Authorization and Trust Management service correspond to role collections. This connector supports both inbound and outbound synchronization, adhering to the SCIM protocol for managing user and group schemas.

To enable access to the XSUAA API, you must configure an OAuth 2.0 client within the XSUAA service instance. This process involves enabling the API access plan for the service instance, allowing EmpowerID to securely interface with the XSUAA service.

Supported Functionality

The connector supports the following capabilities:

Inventory

  • User Inventory: Synchronizes user data from XSUAA to EmpowerID, ensuring that all user information in XSUAA is reflected accurately in EmpowerID.

  • Group Inventory: Synchronizes group (role collection) data from XSUAA to EmpowerID, allowing for effective role management.

  • Group Membership: Synchronizes group membership data from XSUAA to EmpowerID, maintaining up-to-date user group associations.

CRUD (Outbound)

  • User provisioning (Create): Enables user creation in XSUAA using EmpowerID’s provisioning policies and workflows. Ensure that attributes like Email, UserPrincipalName, and EmployeeType are correctly configured. The origin attribute must be set as part of the configuration parameters to route the user creation correctly.

  • User Update: Allows updating user attributes in XSUAA using EmpowerID workflows, enabling real-time synchronization of user information.

  • User de-provisioning (Delete): Manages user deletion in XSUAA through EmpowerID’s de-provisioning policies and workflows.

  • User Enable/Disable: Supports enabling or disabling users by toggling the active flag in XSUAA, managed through EmpowerID workflows.

  • Group Update: Allows updating group attributes in XSUAA (limited to the description attribute) using EmpowerID workflows.

  • Group Membership: Facilitates adding or removing group memberships in XSUAA via EmpowerID policies and workflows, ensuring that role assignments remain consistent across systems.

Prerequisites

Before connecting EmpowerID to SAP BTP XSUAA through the XSUAA SCIM Connector, the following prerequisites must be fulfilled:

System-Type Administrator Account

Create a system-type administrator account in the XSUAA service instance with sufficient privileges. The account should have the following permissions:

  • Manage Users: Allows for the creation, updating, and deletion of users.

  • Read Users: Enables read access to user data.

  • Manage Groups: Grants permissions to manage groups (role collections) within the XSUAA instance.

  • Access Real-Time Provisioning API: Required for real-time provisioning and synchronization between EmpowerID and XSUAA.

Required Information

Obtain the following information from your SAP BTP XSUAA instance to facilitate onboarding in EmpowerID:

  • Base URL: The base URL of the XSUAA service instance.

  • Access Token URL: The URL to obtain OAuth 2.0 access tokens for API access.

  • ClientID and ClientSecret: The credentials associated with the administrator account, used to authenticate API requests.

Inventory Objects and their corresponding components in EmpowerID

The connector connects to the SAP XSUAA API and retrieves user and group data. The inventoried objects correspond to EmpowerID components as follows:

Object in XSUAA Service Instance | Component in EmpowerID
SCIM Users                       | Account
SCIM Groups (role collections)   | Group

Attribute Mapping

The following table outlines the attribute mappings between SAP XSUAA user attributes and EmpowerID person attributes, ensuring that user information is correctly synchronized between systems:

Personal Information

XSUAA User Attribute | EmpowerID Person Attribute | XSUAA SCIM Interface Technical Attribute
profileUrl           | AboutMe                    | profileUrl
description          | Description                | description
email                | Email                      | emails[?(@.primary==false)].value
origin               | EmployeeType               | origin
givenName            | FirstName                  | name.givenName
familyName           | LastName                   | name.familyName
middleName           | MiddleName                 | name.middleName
honorificSuffix      | GenerationalSuffix         | name.honorificSuffix
title                | Title                      | title
photos               | PhotoURL                   | photos[?(@.type=='work')].value
locale               | PreferredLanguage          | locale
active               | Status                     | active
verified             | ExtensionAttribute19       | verified
zoneId               | ExtensionAttribute1        | zoneId
userName             | Login                      | userName
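As an added worked example (not code from EmpowerID or SAP), the following Python resolves the technical attribute paths from the mapping table above against a constructed SCIM user resource and produces the corresponding EmpowerID Person attributes. The small resolver for the `[?(@.key==value)]` filter syntax and the sample user are assumptions of this example.

```python
import re
# Mapping from this page's table: SCIM technical attribute path -> EmpowerID Person attribute
ATTRIBUTE_MAP = {
    "profileUrl": "AboutMe",
    "description": "Description",
    "emails[?(@.primary==false)].value": "Email",
    "origin": "EmployeeType",
    "name.givenName": "FirstName",
    "name.familyName": "LastName",
    "name.middleName": "MiddleName",
    "name.honorificSuffix": "GenerationalSuffix",
    "title": "Title",
    "photos[?(@.type=='work')].value": "PhotoURL",
    "locale": "PreferredLanguage",
    "active": "Status",
    "verified": "ExtensionAttribute19",
    "zoneId": "ExtensionAttribute1",
    "userName": "Login",
}

# One path step: a key, optionally followed by a [?(@.key==literal)] list filter (assumed syntax)
STEP_RE = re.compile(r"(\w+)(?:\[\?\(@\.(\w+)==('?)([^')]*)\3\)\])?\.?")

def _literal(text):
    # Filter literals: true/false become booleans (SCIM "primary" is boolean), anything else a string
    return {"true": True, "false": False}.get(text, text)

def resolve(path, resource):
    """Resolve one technical attribute path against a SCIM resource; None when absent."""
    obj = resource
    for name, key, _, literal in STEP_RE.findall(path):
        if not isinstance(obj, dict):
            return None
        obj = obj.get(name)
        if key:  # list filter: first element whose key equals the literal, else None
            obj = next((i for i in obj or [] if i.get(key) == _literal(literal)), None)
    return obj

def map_scim_user(scim_user):
    """Apply the mapping table to one SCIM user and return EmpowerID Person attributes."""
    return {eid_attr: resolve(path, scim_user) for path, eid_attr in ATTRIBUTE_MAP.items()}

SAMPLE_SCIM_USER = {  # constructed sample, not data from a real XSUAA instance
    "userName": "jdoe@example.com", "origin": "sap.default", "active": True,
    "name": {"givenName": "Jane", "familyName": "Doe", "honorificSuffix": "Jr."},
    "emails": [{"value": "jane.doe@example.com", "primary": True},
               {"value": "jdoe@example.org", "primary": False}],
    "photos": [{"value": "https://example.com/jdoe.jpg", "type": "work"}],
    "verified": True, "locale": "en-US", "zoneId": "ZONE-ID-PLACEHOLDER",
}
```

With the mapping exactly as listed, a user whose only e-mail entry is flagged primary resolves Email to None, so inventoried accounts with an empty Email value are worth checking after the first synchronization.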

Next Steps