SAP BTP XSUAA SCIM Connector
The XSUAA SCIM Connector is designed to synchronize users and groups between SAP BTP XSUAA and EmpowerID, effectively managing roles and role collections. In the context of EmpowerID, groups in the XSUAA Authorization and Trust Management service correspond to role collections. This connector supports both inbound and outbound synchronization, adhering to the SCIM protocol for managing user and group schemas.
To enable access to the XSUAA API, you must configure an OAuth 2.0 client within the XSUAA service instance. This process involves enabling the API access plan for the service instance, allowing EmpowerID to securely interface with the XSUAA service.
Supported Functionality
The connector supports the following capabilities:
Inventory
User Inventory: Synchronizes user data from XSUAA to EmpowerID, ensuring that all user information in XSUAA is reflected accurately in EmpowerID.
Group Inventory: Synchronizes group (role collections) data from XSUAA to EmpowerID, allowing for effective role management.
Group Membership: Synchronizes group membership data from XSUAA to EmpowerID, maintaining up-to-date user group associations.
CRUD (Outbound)
User provisioning (Create): Enables user creation in XSUAA using EmpowerID’s provisioning policies and workflows. Ensure that attributes like Email, UserPrincipalName, and EmployeeType are correctly configured. The
origin
attribute must be set as part of the configuration parameters to route the user creation correctly.User Update: Allows updating user attributes in XSUAA using EmpowerID workflows, enabling real-time synchronization of user information.
User de-provisioning (Delete): Manages user deletion in XSUAA through EmpowerID’s de-provisioning policies and workflows.
User Enable/Disable: Supports enabling or disabling users by toggling the active flag in XSUAA, managed through EmpowerID workflows.
Group Update: Allows updating group attributes in XSUAA (limited to the description attribute) using EmpowerID workflows.
Group Membership: Facilitates adding or removing group memberships in XSUAA via EmpowerID policies and workflows, ensuring that role assignments remain consistent across systems.
Prerequisites
Before establishing a connection between EmpowerID and the XSUAA SCIM Connector, the following prerequisites must be fulfilled:
System-Type Administrator Account
Create a system-type administrator account in the XSUAA service instance with sufficient privileges. The account should have the following permissions:
Manage Users: Allows for the creation, updating, and deletion of users.
Read Users: Enables read access to user data.
Manage Groups: Grants permissions to manage groups (role collections) within the XSUAA instance.
Access Real-Time Provisioning API: Required for real-time provisioning and synchronization between EmpowerID and XSUAA.
Required Information
Obtain the following information from your SAP BTP XSUAA instance to facilitate onboarding in EmpowerID:
Base URL: The base URL of the XSUAA service instance.
Access Token URL: The URL to obtain OAuth 2.0 access tokens for API access.
ClientID and ClientSecret: The credentials associated with the administrator account are used for authenticating API requests.
Inventory Objects and their corresponding components in EmpowerID
Connects to the SAP XSUAA API and retrieves user data.
Object in XSUAA Service Instance | Component in EmpowerID |
---|---|
SCIM Users | Account |
SCIM Groups (role collections) | Group |
Attribute Mapping
The following table outlines the attribute mappings between SAP XSUAA user attributes and EmpowerID person attributes, ensuring that user information is correctly synchronized between systems:
Personal Information
XSUAA User Attribute | EmpowerID Person Attribute | XSUAA SCIM Interface Technical Attribute |
---|---|---|
profileUrl | AboutMe | profileUrl |
description | Description | description |
emails[?(@.primary==false)].value | ||
origin | EmployeeType | origin |
givenName | FirstName | name. givenName |
familyName | LastName | name. familyName |
middleName | MiddleName | name. middleName |
honorificSuffix | GenerationalSuffix | name.honorificSuffix |
title | Title | title |
photos | PhotoURL | photos[?(@.type=='work')].value |
locale | PreferredLanguage | locale |
active | Status | active |
verified | ExtensionAttribute19 | verified |
zoneId | ExtensionAttribute1 | zoneId |
userName | Login | userName |