Identity Management

SAP IDM 8.0 – what’s following?

The end of the SAP NetWeaver platform also heralds the end of SAP IDM 8.0. The maintenance phase ends in 2027, with the option to extend until 2030. SAP will not provide an official IDM successor. We give you an initial overview of the options available and of whether everything can be obtained from a single source within the SAP universe.

Identity Services – the gateway to the SAP cloud world

SAP Identity Services is a collection of tools with which you can map the most important identity management processes.

Specifically, these include:

  • Identity Directory Service (SAP IdDS)
  • Identity Provisioning Service (SAP IPS)
  • Identity Authentication Service (SAP IAS)

Identity Directory Service

An SAP directory service in which all user and group assignments are stored (analogous to, e.g., AD/AAD).

Identity Provisioning Service

A service that provisions group assignments in the backend system, including attribute mappings and transformations.

Identity Authentication Service

The IdP from SAP. It can be used to implement MFA and SSO scenarios, or it can act as a proxy that forwards to the corporate IdP.

Variant 1: Customer IAM in use

  1. HR master data from SAP SuccessFactors (or another HR system) is sent to the IDM system used by the customer.
  2. IDM sends the user accounts or group assignments for all SAP cloud systems to the SAP IdDS.
  3. IDM sends the user accounts or group assignments for all NON-SAP cloud systems directly to the affected system.
  4. With the help of the SAP IPS, the user attributes are transformed and mapped to the backend attributes of the respective system.
  5. The IPS provisions the appropriate attributes to the backend system.

Variant 2: Without Customer IAM

  1. HR master data is sent from SAP SuccessFactors (or another HR system) to the SAP BTP service “SAP Master Data Integration”.
  2. SAP Master Data Integration creates the corresponding user accounts on the SAP IdDS.
  3. Changes to master data or group assignments automatically trigger provisioning in SAP IPS.
  4. Mappings are used to provision the attributes from the SAP IPS for (SAP) cloud systems directly to the backend.
  5. On-premise SAP systems are supplied with attribute changes or group/authorization assignments via the SAP Cloud Connector.
  6. For non-on-premise SAP systems, the corresponding interfaces must be specifically examined.