
SAP Cloud Identity Services

Supported versions Minimum Omada Identity version

This connectivity package provides support for SAP Cloud Identity Services.

Supported objects and operations

| System objects | Omada Identity Data Model | Operations |
| --- | --- | --- |
| Users | Accounts | Create, read, update, delete |
| Passwords* | - | - |
| Groups | Resources | Read |
| Group memberships (users) | Resource Assignments | Create, read, update, delete |
| Group memberships (groups) | Resource Parent/Child | - |

*Passwords are not used for regular accounts in Identity Authentication Service due to SSO (and hence no password is provisioned). Passwords in IAS are used for authentication of the contractor SAP SuccessFactors account, and since the account is created from SAP SuccessFactors, the password management is handled by SAP SuccessFactors/service desk.

Minimum required permissions

See the SAP documentation.

Implementation notes

N/A

Network requirements

Add the content type to perform tests in Postman:

Content-Type: application/scim+json

In Omada Identity, in Connection details, enter the following header:

{"Request":{"Content-Type":"application/scim+json"}}

Advanced settings configuration:

[Image: Advanced settings]

Provisioning settings (must include the content type header and all the header settings):

[Image: Provisioning settings]

Prerequisites

SAP cloud authentication and authorization management is centered around the SAP Identity Authentication Service (IAS), which is the SAP component for federation and identity brokerage. As each SAP cloud solution has its own user and permission store, the information from IAS is provisioned to the individual SAP cloud solution by another SAP component: Identity Provisioning Service (IPS).

SAP has a dependency for accounts in IAS that are used to connect to SAP SuccessFactors (SAPSF): the accounts must be created from SAPSF through IPS (not from Omada or any other component). The dependency is caused by an internal synchronization that, on account creation, updates the SAPSF account with an internal identifier from the IAS account. There is no supported interface for this update to be handled from Omada.