Integrating SAP CIS with SAP SuccessFactors: A Guide to Standard and Hybrid Integration
https://www.erpqna.com/integrating-sap-cis-with-sap-successfactors-a-guide-to-standard-and-hybrid-integration/
Published on ERP Q&A, Thu, 24 Jul 2025 09:02:16 +0000
Overview

SAP Cloud Identity Services (CIS) is a robust suite of tools designed to manage identity and access across the SAP ecosystem. This blog explores how CIS integrates with SAP SuccessFactors, focusing on hybrid integration patterns that enable seamless user authentication and identity provisioning in complex enterprise landscapes.

There are three primary flavors of integration:

  1. Standard Integration (recommended)
  2. Proxy Integration using CIS (external IdP as authentication provider)
  3. Hybrid Integration using CIS (external IdP, or both external IdP and CIS, as authentication provider) without SF being the source of user records for CIS

SAP SuccessFactors with SAP Cloud Identity Services:

Option 1: Integration Between SAP SuccessFactors and SAP CIS (Standard)

This is the most recommended method, fully aligned with SAP’s best practices for managing user identities. It involves the following steps:

  1. Integrate SAP SuccessFactors with Identity Authentication: Run the upgrade job in the SAP SuccessFactors Upgrade Center to enable features and establish trust between SF and CIS.
  2. Confirm that user sync is set up in Identity Provisioning in SAP Cloud Identity Services: Set up sync jobs with Identity Provisioning. Ensure that the user that is configured in the Identity Provisioning
  3. Review the default configurations: Review the default configuration of the Identity Authentication service to determine if it meets your requirements or if additional configuration is required.
  4. Additional optional configuration: Configuration options in Identity Authentication include password policy settings, single sign-on (SSO), etc.
  5. Activate Identity Authentication (IAS): Turn on the Identity Authentication service.

This ensures standardized, low-effort configuration and a consistent integration experience.

Option 2: Using SAP CIS as a Proxy (Standard)

Many enterprises already use external identity providers (e.g., Azure AD, Okta) and want to continue doing so while adopting SAP applications.

By integrating the external IdP with CIS, organizations can:

  • Maintain centralized identity governance.
  • Enable secure authentication across SAP SuccessFactors, SAC, and Joule.

In this approach CIS acts as a proxy and user authentication is handled by the external identity provider (Entra, Okta, etc.). CIS may or may not hold user records in its internal store, depending on your requirements; federation can be used if user records exist. Syncing user records into CIS unlocks features such as SAC and future innovations such as SAP Joule, as the records are a key prerequisite for access. This option is ideal for customers who want minimal disruption to their existing identity infrastructure while gaining access to SAP’s innovation roadmap.

Option 3: Hybrid Integration — Using SAP CIS as a Proxy Without Standard SF User Sync

The rest of this blog focuses primarily on this hybrid model.

Key Characteristics:

  • SAP SuccessFactors is not the user provisioning source.
  • CIS can act as a proxy, or as both proxy and IdP.
  • User profile data is synced to CIS from a different/external source to enable:
    • Access to services like SAP Analytics Cloud (SAC) and SAP Joule
    • Federated authentication via external IdPs

This method gives you the flexibility to keep managing users in an external identity manager while using SAP CIS to enable access to SAP applications and to new features and innovations.

Understanding Standard Integration Behavior

SAP’s standard SF-to-CIS integration includes two background jobs (the second applies when SAC is in use):

Job 1: User Sync from SuccessFactors to IAS

  • Reads user data from SF.
  • Creates users in CIS.
  • Generates a Global User ID and stores it in personKeyNav/GlobalUserId in SF.
  • Populates CustomAttribute1 if the user has SAC access permissions.

Job 2: Sync to SAP Analytics Cloud (SAC)

  • Reads user data from SF and syncs only users with access to embedded analytics to SAC.
  • Prevents SAC user creation for ineligible accounts.

Adapting the Integration for an External Data Source

If you’re not syncing users from SAP SF (i.e., you use an external data source such as an identity manager), the standard jobs need to be customized to use IAS as the source and SAC as the target. It is very important to ensure that only users who have permission to use embedded analytics are synced to SAC. This can be done either inside the sync job or at the source (populating the custom attribute only if the user has permission to access SAC).

To configure this job, you can modify the existing target or create a new one. If creating a new target, an SAP support ticket is required to set credentials (OAuth token URL, Client ID, and Secret).

Step-by-Step: Hybrid Integration with External Source

  1. Integrate SAP SuccessFactors with Identity Authentication: Run the upgrade job in the SAP SuccessFactors Upgrade Center to enable features and establish trust between SF and CIS.
  2. Review the default configurations: Review the default configuration of the Identity Authentication service to determine if it meets your requirements or if additional configuration is required.
  3. Create Admin User for SCIM Access: Use SCIM APIs to push user records from the external system.
  4. Retain Global User ID (Optional): If needed, set the Global User ID in CIS to a unique external ID or let the system generate one. This Global User ID needs to be updated in SF at personKeyNav/GlobalUserId.
  5. Sync to SAC
    Run a custom job (IAS → SAC) to:
    • Check SAC access rights.
    • Create users accordingly.

Addressing Common Technical Challenges in Hybrid Integration

1: Managing Different Subject Name Identifiers (SNI) Across Applications

In hybrid, multi-application environments, it’s common for login identifiers to vary across systems. SAP CIS supports multiple Subject Name Identifiers (SNI) per application, allowing flexibility. For scenarios where the CIS login name is already used by another application as its identifier and does not have the same value as the username in SF, any other supported field can be used as the SNI.

For SAP SuccessFactors (SF), the runtime value of the SNI must align with the SF username field to enable proper user identification.

Note: Expression-based SNI mapping is supported, but its functionality is currently limited. Use with caution and review the configuration thoroughly before implementation.


2: Can SAP Analytics Cloud (SAC) Work Without a Direct Sync from SF to CIS?

Yes. Although syncing from SF is recommended, SAC does not require a direct user synchronization from SF. However, there’s a critical requirement to enable user access:

Ensure CustomAttribute1 is correctly populated, as it is used to determine analytics access. Regardless of the data source, this attribute must be synced to SAC via CIS.

3: Can CustomAttribute1 Be Replaced with Another Attribute?

Absolutely. CustomAttribute1 is just a label. In SAP CIS, custom attributes are internally stored as an array, offering flexibility in how they’re used.

If you choose to use a different custom attribute:

  • Update the transformation logic accordingly, and confirm that consuming applications (e.g., SAC) are configured to read the new attribute.
  • Update the SNI mapping to reference the correct custom attribute.
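The SCIM push in step 3 of the hybrid procedure, the rule that CustomAttribute1 is populated only for users who may use embedded analytics, and the point that custom attributes are an array in CIS can be seen together in one piece of code. The Python below is an added example written for this page, not code from SAP or from the post. The extension schema URNs and the `userUuid` name for the Global User ID are assumed from the Identity Authentication SCIM 2.0 API and should be confirmed against your tenant's documentation; the external record shape, the marker value `SAC`, and the sample records are constructed.

```python
"""Build SCIM 2.0 user payloads for Identity Authentication from an external
identity source and filter the users an IAS -> SAC job may create."""
import json

# Standard SCIM core schema plus the two extension URNs Identity Authentication
# uses for SAP-specific and custom attributes (assumption: confirm for your tenant).
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SAP_EXT = "urn:ietf:params:scim:schemas:extension:sap:2.0:User"
CUSTOM_EXT = "urn:sap:cloud:scim:schemas:extension:custom:2.0:User"

# The custom attribute SAC reads. The post uses customAttribute1; any other
# custom attribute works if transformation and SNI mapping are updated too.
SAC_FLAG_ATTRIBUTE = "customAttribute1"
SAC_FLAG_VALUE = "SAC"  # constructed marker value


def build_scim_user(rec, sac_attribute=SAC_FLAG_ATTRIBUTE):
    """Translate one record from the external identity manager into a SCIM user.

    rec is a plain dict (constructed shape): login, email, first, last,
    sac_access (bool) and an optional external_id. The SAC attribute is only
    emitted when the source grants embedded-analytics access, so the IAS -> SAC
    job never sees ineligible users.
    """
    schemas = [CORE_USER, CUSTOM_EXT]
    user = {
        "schemas": schemas,
        "userName": rec["login"],
        "name": {"givenName": rec["first"], "familyName": rec["last"]},
        "emails": [{"value": rec["email"], "primary": True}],
        "active": rec.get("active", True),
        # Custom attributes are an array of name/value pairs in IAS.
        CUSTOM_EXT: {"attributes": []},
    }
    # Step 4 (optional): supply the Global User ID from the external source;
    # when omitted, IAS generates one. userUuid is assumed to be its SCIM name.
    if rec.get("external_id"):
        schemas.append(SAP_EXT)
        user[SAP_EXT] = {"userUuid": rec["external_id"]}
    if rec.get("sac_access"):
        user[CUSTOM_EXT]["attributes"].append(
            {"name": sac_attribute, "value": SAC_FLAG_VALUE})
    return user


def has_sac_access(scim_user, sac_attribute=SAC_FLAG_ATTRIBUTE):
    """Eligibility check a custom IAS -> SAC job applies to each IAS user."""
    ext = scim_user.get(CUSTOM_EXT, {})
    return any(a.get("name") == sac_attribute and a.get("value")
               for a in ext.get("attributes", []))


def select_sac_users(scim_users, sac_attribute=SAC_FLAG_ATTRIBUTE):
    """Return the userNames that may be created in SAC."""
    return [u["userName"] for u in scim_users
            if has_sac_access(u, sac_attribute)]


# Constructed sample records from the external identity manager.
SAMPLE_RECORDS = [
    {"login": "amaier", "email": "a.maier@example.com", "first": "Anna",
     "last": "Maier", "sac_access": True, "external_id": "EXT-0001"},
    {"login": "bkhan", "email": "b.khan@example.com", "first": "Bilal",
     "last": "Khan", "sac_access": False},
]

if __name__ == "__main__":
    users = [build_scim_user(r) for r in SAMPLE_RECORDS]
    print(json.dumps(users[0], indent=2))
    print("SAC-eligible:", select_sac_users(users))
```

Passing a different attribute name to both `build_scim_user` and `select_sac_users` is the code-level equivalent of the replacement described in question 3: the filter and the producer must agree, or eligible users silently drop out of the SAC sync.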

4: Connecting Multiple SF Tenants to a Single CIS Tenant (with SAC for Each SF)

Connecting multiple SuccessFactors tenants to the same CIS tenant, each with its own SAC instance, is technically possible but not recommended. This setup introduces significant complexity in managing user states across tenants.

Conclusion

Integrating SAP SuccessFactors with SAP Cloud Identity Services offers flexibility, security, and alignment with SAP’s innovation roadmap. Whether through standard integration or a hybrid identity landscape using external IdPs, these methods empower organizations to centralize access control, reduce redundancy, and prepare for emerging technologies like SAP Joule.

Boosting SAP Netweaver Security: A Guide to Integrating SAP Netweaver (ABAP Stack) with IBM Verify
https://www.erpqna.com/boosting-sap-netweaver-security-a-guide-to-integrating-sap-netweaver-abap-stack-with-ibm-verify/
Published on ERP Q&A, Sat, 15 Jun 2024 09:26:49 +0000
Introduction

Effective user provisioning is essential for both organisational security and productivity in the context of digital operations. But controlling user access across many systems can be complicated and difficult at times. This blog article will discuss how IBM Verify SaaS integrates seamlessly with SAP NetWeaver and explain how this works together to improve overall operational efficiency, strengthen security, and streamline user provisioning processes.

SAP NetWeaver (on-premise) is a widely used platform that acts as the foundation for various SAP applications, including SAP ECC and S/4HANA. Users typically log in to these applications through the SAP NetWeaver interface.

IBM Security Verify SaaS adds an extra layer of security to the login process for SAP ECC and S/4HANA systems. By integrating with SAP NetWeaver, it allows users to log in securely using a web browser, but also requires an additional verification step (Multi-Factor Authentication or MFA) provided by IBM Security Verify. This MFA could be a code from a mobile app, a fingerprint scan, or another secure method.

SAP Netweaver on ABAP Stack vs SAP Netweaver on Java Stack

SAP NetWeaver provides development stacks for both Java and ABAP. Java offers open-source flexibility and meets the demands of contemporary development, while ABAP excels in core business logic and integrates with SAP with ease. Select Java for modern apps, scalability, and a larger talent pool, or ABAP for deep integration and existing SAP expertise. Both allow interoperability and can coexist on a single server, although this is less common.

While IBM Security Verify offers an adapter for integrating with SAP NetWeaver applications on the Java stack, this blog focuses specifically on the integration process for SAP NetWeaver applications built on the ABAP stack with IBM Security Verify SaaS.

Architecture

IBM Security Verify SaaS can be integrated with a hybrid SAP landscape, including on-premise SAP Netweaver, cloud-based SAP BTP, and other SAP SaaS offerings (such as SAP SuccessFactors, SAP ARIBA, SAP Fieldglass). This centralized approach offers strong security with Multi-Factor Authentication and simplifies user experience through Single Sign-On. Users authenticate through IBM Security Verify, which then communicates with the relevant SAP application (Netweaver, BTP, or SAP SaaS offering) to grant access. This architecture enhances security and streamlines user experience for accessing SAP resources.

Prerequisites

  • SAP NetWeaver
  • IBM Security Verify
  • A smartphone with IBM Security Verify App

Configurations and Settings in IBM Security Verify and SAP NetWeaver

IBM Security Verify Configuration:

Log in to IBM Security Verify as an administrator.

You will be navigated to the home screen, as displayed below, after logging in.

Now, follow these steps:

  1. On the left panel, click “Applications” under “Applications.”
  2. On the right side of the screen, click the “Add application” button.
  3. In the default applications list, search for “SAP NetWeaver” instead of creating a custom application.

As indicated below, complete the “General” section with the relevant information, then save it.

Select the “Sign on” tab and complete the fields as indicated by the screenshots below. The required data is available through your individual SAP NetWeaver account. Furthermore, adhere to the conditions listed in “Prerequisites” in order to receive the necessary information from SAP NetWeaver.

Now we need to upload the “Metadata” file into SAP NetWeaver; it can be downloaded from the IBM Verify dashboard as described in the steps below.

  1. Go to the “Sign on” section of the application and scroll to the right side of the screen, where you can find the prerequisites.
  2. Scroll down, as shown in the screenshots below, to the download metadata step and click on the link.
  3. The metadata file will be saved to your device, and you can then upload it to SAP NetWeaver Cloud as highlighted below:

Refer to SAP Netweaver user details to create a user in IBM Security Verify. Follow the instructions outlined below.

  1. Log in to SAP Netweaver via SAP GUI.
  2. Navigate to transaction code “SU01D”.
  3. Choose the user for whom you want to create details in IBM Security Verify.
  4. Gather user information, including first and last names, email addresses, etc.

For reference see below screenshot:

We have now completed the configurations in IBM Security Verify. Next, let’s add a user with the appropriate attributes in IBM Security Verify and check whether it maps to the SAP NetWeaver dashboard.

1. Go to the “Users” tab under the “Directory” section on the left side of the IBM Security Verify dashboard.

Click on the “Add User” button as shown in the screenshot below.

Complete all required fields in the user information section depicted in the image below, then proceed to click on the “Save” button within the user tab interface.

Navigate downwards to access additional fields for adding further details about the user. In the provided screenshot, you can observe that we have included the email address for the user.

After completing the necessary user details, proceed to click on the “Save” button to ensure the user information is stored. Set up the SAP Netweaver configuration and then access the SAP NetWeaver application to ensure that the newly formed user is correctly mapped within the system.

SAP Netweaver Configuration

Establish a local SAML 2.0 provider: Log in to SAP NetWeaver using SAP GUI. Here, access the transaction “SAML2” by entering it in the command field at the top of the screen, as indicated below:

A web browser configuration screen will be displayed, requiring you to choose “Create SAML2.0 Local Provider” and press the “Next” button.

Enter “IBM_Security_Verify” as the provider name in the Initial settings.

Click “Next” since there is no need to modify the options in the “General Settings” box.

Select the “Finish” option, we’ll leave the “Service Provider Settings” as they are by default, as seen below.

You will now be taken to the screen below, where you can see the details that you customised in accordance with the previous instructions.

Upload Metadata File: As indicated below, click the “Trusted Providers” section. Then click the “Add” button to bring up a drop-down menu, choose “Upload Metadata File”, and upload the file that was downloaded from IBM Security Verify to your local device.

There should be a new line item shown in the trusted providers list. You can configure in the “Endpoints” area as seen in the screenshot below.

Click “Add” after selecting the “Identity Federation” section, then enter the user’s email address under “Supported NameID Formats”. Additionally, as seen in the screenshot below, set “Email” as the User ID mapping mode and “email” for the “Assertion Attribute Name” field.

The following step takes us to a different section called “Signature and Encryption”, where we check the value of “Digest Algorithm” and, if it isn’t already, set it to “SHA-256”. We also check the values of the remaining fields, as indicated in the screenshot below:

We’ll now select the “Authentication Requirements” option and review the default settings as shown below:

Include a policy for web applications: To access “Policies,” follow the instructions in the screenshot below. After choosing “Web Applications Policies” press “Add”.

Name the policy “SSO” and describe it as such. And confirm the information as displayed in the screenshots below:
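The trusted-provider configuration above depends on what the IdP metadata file actually declares: the signing certificate NetWeaver will verify assertions with, the NameID formats (the Identity Federation step relies on the email format) and the SSO endpoints. The Python below is an added example for this page, not code from IBM or SAP, that inspects a metadata file before it is uploaded and lists what a reviewer would want flagged. The embedded metadata and its certificate blob are constructed stand-ins for the file downloaded from the IdP.

```python
"""Inspect a SAML 2.0 IdP metadata file before registering it as a trusted
provider and report configuration facts and findings."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def inspect_idp_metadata(xml_text):
    """Return entityID, signing-cert count, NameID formats, SSO endpoints and
    a list of findings. xml.etree does not fetch external entities; for fully
    untrusted files, defusedxml adds further protection."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return {"entity_id": None,
                "findings": ["root element is not md:EntityDescriptor"]}
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"entity_id": entity_id, "findings": ["no IDPSSODescriptor"]}

    # Signing keys: the SP validates assertion signatures with these. A
    # KeyDescriptor without 'use' may be used for signing as well.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((c.text or "").split()), validate=True)
            if not der.startswith(b"\x30"):  # DER SEQUENCE tag
                findings.append("signing certificate is not DER-encoded")
            certs.append(der)
    if not certs:
        findings.append("no signing certificate: assertions cannot be verified")

    nameid_formats = [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)]
    if EMAIL_NAMEID not in nameid_formats:
        findings.append("IdP does not advertise the emailAddress NameID format")

    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    for binding, loc in sso.items():
        if not (loc or "").lower().startswith("https://"):
            findings.append(f"SSO endpoint for {binding} is not https: {loc}")

    return {"entity_id": entity_id, "signing_certs": len(certs),
            "nameid_formats": nameid_formats, "sso": sso, "findings": findings}


# Constructed sample metadata; the certificate is a placeholder DER blob,
# not a real certificate. The POST endpoint is deliberately plain http.
FAKE_CERT = base64.b64encode(b"\x30\x82\x00\x10" + b"\x00" * 16).decode()
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml20">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_NAMEID}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/saml20/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="http://idp.example.com/saml20/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    report = inspect_idp_metadata(SAMPLE_METADATA)
    print(report["entity_id"], report["signing_certs"], report["nameid_formats"])
    for f in report["findings"]:
        print("FINDING:", f)
```

The digest algorithm checked in the “Signature and Encryption” step is an SP-side setting and does not appear in IdP metadata, so it is not something this check can confirm; the certificate, NameID format and endpoint scheme are.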

Let’s test:

Use the web browser to log in to SAP Netweaver as shown below. Please be aware that in order to access SAP Netweaver on a web browser, you must utilise a login link.

Here, I’ll use the IBMid for further login into the system.

Give your IBMid and click on “Continue”.

Select “w3id Credentials” as below:

Give your username and password details and click on “Sign in”.

You should be able to access the SAP Netweaver as below in your web browser.

Conclusion

The integration of IBM Verify with SAP NetWeaver presents a powerful synergy that not only simplifies user provisioning but also fortifies organisational security and enhances operational efficiency. By combining the robust authentication features of IBM Verify with the versatile platform of SAP NetWeaver, businesses can streamline user access management, reduce manual effort, and bolster security measures. This integration not only ensures compliance and consistency but also elevates the overall user experience. As organizations navigate the complexities of the digital landscape, leveraging this integration can provide a competitive edge while effectively managing user identities and access controls.

Streamlining User Provisioning from IBM Verify to SAP Cloud Identity Services
https://www.erpqna.com/streamlining-user-provisioning-from-ibm-verify-to-sap-cloud-identity-services/
Published on ERP Q&A, Thu, 09 May 2024 10:40:44 +0000
SAP Cloud Identity Services (CIS), part of SAP BTP, can be used to integrate Identity Access Management (IAM). In our last blog, we discussed the integration of SAP Cloud Identity Services (CIS) with IBM Security Verify, and now we’re taking the next step in this integration. User provisioning is the process of setting up new user accounts in a system or application. In this blog, we will explore a common use case: transitioning user provisioning from IBM Verify to SAP Cloud Identity Services, and how this transition can streamline operations and enhance security.

The Challenge of User Provisioning

User provisioning is the process of granting and controlling access to resources within an organisation’s information technology infrastructure. Historically, on-boarding or off-boarding users has been a laborious and time-consuming procedure that frequently required numerous processes across multiple systems. As businesses embrace cloud solutions, the complexity of user provisioning has grown, necessitating automated and integrated approaches.

Transitioning from IBM Verify to SAP Cloud Identity Services

IBM Verify is a comprehensive identity and access management system that includes multi-factor authentication (MFA) and adaptive access control, while SAP Cloud Identity Services offers identity lifecycle management, single sign-on (SSO), and access governance features. Integrating these two systems can help organisations automate and streamline user provisioning operations, while also improving security and user experience.

How does it work?

The diagram shows that IBM Security Verify acts as a central user management system. It creates user accounts and manages their attributes, and also provisions them (or creates them) in SAP Cloud Identity Services, potentially syncing relevant user attributes. Selected attributes from Verify are mapped to specific target attributes in SAP Cloud Identity Services, ensuring consistent user information across both systems. SCIM, a standardised protocol, enables communication between Verify and SAP Cloud Identity Services. On the left side of the diagram, IBM Security Verify acts as a SCIM server, receiving requests for user management and then modifying the target directory as needed. This streamlines user creation and ensures consistent user information across both systems.

Prerequisites

  • SAP Cloud Identity Services
  • IBM Security Verify
  • A smartphone with IBM Security Verify App

Configurations and Settings in IBM Security Verify and SAP Cloud Identity Services

Log into IBM Security Verify as an administrator

When a user logs in, the home screen as shown below will be displayed.

On the left panel, click on “Applications” under “Applications”. On the right side of the screen, there is an “Add application” button. Click on it.

Fill in the necessary details under “General” section as below and save the details.

Before we go further, let’s log in to the SAP BTP account; you will be navigated to the SAP BTP Cockpit. As suggested below, navigate to the “Instances and Subscriptions” tab, which is under “Services.”

You have to enable the cloud identity services application.

Once enabled, it will look as below. Now click on the Cloud Identity Services application and you will be redirected to the SAP authentication screen as shown below.

After a successful login, you can see the home screen of Cloud Identity Services. Go to “Identity Providers” as highlighted below:

Click on the Corporate Identity providers and create new identity provider.

Once the new identity provider is successfully added, click on the identity provider type and select SAML 2.0 compliant, as shown below:

Go to the SAML configuration section and fill in the information as shown below:

You can browse the “Metadata” file from your device once you download it from IBM Security Verify dashboard. Go to the “Sign on” section of the application and on the right side of the screen, download the file from the given URL and upload the same in SAP Cloud Identity Services as highlighted below:

Click on the Trusting application section and add SAP BTP trial subaccount.

Establish the trust configuration, which is under the “Security” section for the cloud identity application as shown in the below screenshots.

You will see the below steps once you click on establish trust. In the first step, choose tenant and click on the next.

After selecting a tenant, choose domain for your SAP Cloud Identity Services application.

Click on the next button and configure parameters as shown in the below screenshot.

Click on the next button and review the setup that you have done while establishing the trust. Finally, click on the finish button and save the details.

Once done, you can see the new active trust configuration as shown below:

Now go back to IBM Security Verify and click on “Sign-on” section, then select “Use metadata” checkbox. It will allow us to upload the metadata file which we have downloaded from SAP BTP as shown below:

Upload the metadata file which you have recently saved on your device to IBM Verify dashboard.

Now go to the “Account lifecycle” tab and add the SCIM URL, username and password details as shown in the image below. You can get all the details from the SAP Cloud Identity Services application page.

To get the SCIM URL, go to SAP CIS, take the URL from the browser and add “SCIM” at the end of the URL.

After adding the above details, scroll down to the “Attribute mapping” section. Tick the checkbox for each attribute you want to map from IBM Verify to SAP CIS and keep updated. Here we have checked email. Save once the changes are complete.

We have completed the configurations in IBM Security Verify and SAP Cloud Identity Services. Let’s add a user with attributes in Verify and check whether it is mapped to the Cloud Identity Users dashboard.

Go to the Users tab under the “Directory” section on the left side of the Verify dashboard and click on the “Add User” button as shown in the screenshot below.

Fill out the necessary information for the user as mentioned in the below image and click on the “Save” user tab.

Scroll down and you can add more detail about the user. Here we have added an email ID, mobile number and user company details.

Once done, click on the Save button and the user detail will be saved.

Open the Cloud Identity Services application and go to the user section to check whether the newly-created user from Verify is mapped.

Click on the “Instance and subscription” section from the “Services” section on the left menu, and once the application list is shown, click on the Cloud Identity Services application as shown below.

When the new application is loaded, click on the “User Management” tile and the user list will be displayed.

As you can see in the below screenshot, a new user is created, which is added from Verify and mapped into SAP Cloud Identity Services. Also, the user detail is mapped into Cloud Identity Services.

Conclusion

Effective user provisioning is critical to maintaining security, compliance, and operational efficiency. Centralising identity management, improving security, and streamlining administration activities enables organisations to successfully manage user identities and access controls across their entire IT infrastructure. Embracing integrated identity management solutions is more than just convenient: it is a strategic need for businesses looking to flourish in an increasingly linked and security-conscious environment.

Test Scenario – ProcessDirect
https://www.erpqna.com/test-scenerio-processdirect/
Published on ERP Q&A, Wed, 03 Jan 2024 09:48:37 +0000
Scenario:

Customer Order data comes from the sender via the SOAP adapter. CPI should generate order_no according to the given format. After generating order_no we need to add a field company_name. After this we need to check whether the action is Pending/Not_Available/Delivered.

If it is Pending, the flow ends. If it is Delivered, it is directed to another IFlow using ProcessDirect, in which we generate a TransactionId according to the given format; once generated, a mail is sent to the customer and to the company admin mail. If it is Not_Available, the flow ends and a mail is sent to the customer and admin saying that the order is not available.

Order_no: random alphanumeric string of length 6, concatenated with quantity and Item as below.

Example: Item:- xyz, Quantity: 1 => Order_no = AB12CDxyz1

TransactionId:- Random alpha character string of length 10, concatenated with the Order_no.

Example: ABCDEFGHIJAB12CD1xyz
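The scenario above is a splitter, an enrichment step and a router keyed on Action. The Python below is an added example written for this page, not CPI or Groovy code from the post: it models the whole flow end to end (split Order_root, generate Order_no in the stated format, add Company, route on Action with a default route, and generate TransactionId only for delivered orders) so the routing decisions can be checked against sample input. The order XML and company name are constructed; the Quantity range check comes from the `xs:unsignedByte` type in the XSDs that follow.

```python
"""Model of the ProcessDirect order flow: split, enrich, route and generate
Order_no / TransactionId in the formats given in the scenario."""
import secrets
import string
import xml.etree.ElementTree as ET

ALNUM = string.ascii_uppercase + string.digits
ALPHA = string.ascii_uppercase
# Action -> route, mirroring the router in the IFlow. Anything else falls
# through to the default route, which ends the flow.
ROUTES = {"Pending": "end", "Delivered": "process_direct", "Not_Available": "notify"}


def random_string(alphabet, length):
    # secrets.choice is used instead of a plain PRNG so that order and
    # transaction ids cannot be predicted from earlier ones.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_order_no(item, quantity):
    """Order_no = 6 random alphanumerics + Item + Quantity, e.g. AB12CDxyz1."""
    return f"{random_string(ALNUM, 6)}{item}{quantity}"


def make_transaction_id(order_no):
    """TransactionId = 10 random alpha characters + Order_no."""
    return f"{random_string(ALPHA, 10)}{order_no}"


def split_and_route(order_root_xml, company_name):
    """Split <Order_root> into orders, add Company, and decide each route.

    Quantity is validated against the xs:unsignedByte range (0..255) from the
    XSD before use; a missing or out-of-range value is rejected rather than
    silently turned into an order number.
    """
    root = ET.fromstring(order_root_xml)
    results = []
    for order in root.findall("Order"):
        qty = int(order.findtext("Quantity", "-1"))
        if not 0 <= qty <= 255:
            raise ValueError(f"Quantity {qty} outside xs:unsignedByte range")
        action = order.findtext("Action", "")
        enriched = {
            "Orderno": make_order_no(order.findtext("Item", ""), qty),
            "Cust_Name": order.findtext("Cust_Name"),
            "Email": order.findtext("Email"),
            "Company": company_name,
            "Action": action,
            "route": ROUTES.get(action, "default_end"),
        }
        if enriched["route"] == "process_direct":
            enriched["TransactionId"] = make_transaction_id(enriched["Orderno"])
        results.append(enriched)
    return results


# Constructed sample payload matching the source XSD. The third order carries
# an action the router does not know, so it must take the default route.
SAMPLE_ORDERS = """<Order_root>
  <Order><Orderno/><Cust_Name>Ravi</Cust_Name><Cust_Add>Pune</Cust_Add>
    <Item>xyz</Item><Action>Delivered</Action><Quantity>1</Quantity>
    <Email>ravi@example.com</Email></Order>
  <Order><Orderno/><Cust_Name>Meera</Cust_Name><Cust_Add>Delhi</Cust_Add>
    <Item>abc</Item><Action>Pending</Action><Quantity>3</Quantity>
    <Email>meera@example.com</Email></Order>
  <Order><Orderno/><Cust_Name>Sam</Cust_Name><Cust_Add>Goa</Cust_Add>
    <Item>pqr</Item><Action>Cancelled</Action><Quantity>2</Quantity>
    <Email>sam@example.com</Email></Order>
</Order_root>"""

if __name__ == "__main__":
    for row in split_and_route(SAMPLE_ORDERS, "ExampleCo"):
        print(row["Cust_Name"], row["route"], row["Orderno"], row.get("TransactionId", "-"))
```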

Steps:

1. Create an IFlow and connect it with the sender using the SOAP 1.x adapter, as it is one-way communication.

2. Add the message mapping palette and add source and target XSD as per the data.

Source XSD:

<?xml version="1.0" encoding="utf-8"?>
<!-- Created with Liquid Technologies Online Tools 1.0 (https://www.liquid-technologies.com) -->
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="Order_root">
    <xs:complexType>
      <xs:sequence>
        <xs:element maxOccurs="unbounded" name="Order">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="Orderno" />
              <xs:element name="Cust_Name" type="xs:string" />
              <xs:element name="Cust_Add" type="xs:string" />
              <xs:element name="Item" type="xs:string" />
              <xs:element name="Action" type="xs:string" />
              <xs:element name="Quantity" type="xs:unsignedByte" />
              <xs:element name="Email" type="xs:string" />
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>

Target XSD:

<?xml version="1.0" encoding="utf-8"?>
<!-- Created with Liquid Technologies Online Tools 1.0 (https://www.liquid-technologies.com) -->
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="Order_root">
    <xs:complexType>
      <xs:sequence>
        <xs:element maxOccurs="unbounded" name="Order">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="Orderno" />
              <xs:element name="Cust_Name" type="xs:string" />
              <xs:element name="Cust_Add" type="xs:string" />
              <xs:element name="Item" type="xs:string" />
              <xs:element name="Action" type="xs:string" />
              <xs:element name="Quantity" type="xs:unsignedByte" />
              <xs:element name="Company" type="xs:string" />
              <xs:element name="Email" type="xs:string" />
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>

3. Configure Message Mapping.

Custom Function Script:

import com.sap.it.api.mapping.*;
// Custom mapping function: ignores the incoming value (arg1) and returns a
// random 6-character alphanumeric string for the target field.
def String customFunc(String arg1){
  def chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
  def random = new Random();   // java.util.Random is adequate for an order number, not for secrets or tokens
  def sb = new StringBuilder(6);
  for (int i = 0; i < 6; i++) {
    sb.append(chars.charAt(random.nextInt(chars.length())));
  }
  return sb.toString();
}

4. Add a Splitter to split the XML into individual Order records and send each one to a Router.

Route 2 ends the flow; it handles records whose Action is Pending.

Route 3 connects to the receiver using the ProcessDirect adapter.

Route 4 connects to a Content Modifier, because the customer's email address must be read from the record.

Route 5 is the default route: if the Action is not one of the defined values, the flow ends.

5. Configure route 4 as shown below.

6. Configure ProcessDirect.

7. Save and deploy this IFlow, then create a second IFlow for the ProcessDirect receiver.

8. Configure ProcessDirect with the same address you used in the previous flow.

9. Add a Message Mapping step and upload the source and target XSDs.

The source XSD must be the same as the target XSD of the previous IFlow.

<?xml version="1.0" encoding="utf-8"?>
<!-- Created with Liquid Technologies Online Tools 1.0 (https://www.liquid-technologies.com) -->
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="Order_root">
    <xs:complexType>
      <xs:sequence>
        <xs:element maxOccurs="unbounded" name="Order">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="Orderno" />
              <xs:element name="Cust_Name" type="xs:string" />
              <xs:element name="Cust_Add" type="xs:string" />
              <xs:element name="Item" type="xs:string" />
              <xs:element name="Action" type="xs:string" />
              <xs:element name="Quantity" type="xs:unsignedByte" />
              <xs:element name="Company" type="xs:string" />
              <xs:element name="Email" type="xs:string" />
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>

Target XSD:

<?xml version="1.0" encoding="utf-8"?>
<!-- Created with Liquid Technologies Online Tools 1.0 (https://www.liquid-technologies.com) -->
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="Order_root">
    <xs:complexType>
      <xs:sequence>
        <xs:element maxOccurs="unbounded" name="Order">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="Orderno" type="xs:string" />
              <xs:element name="Cust_Name" type="xs:string" />
              <xs:element name="Cust_Add" type="xs:string" />
              <xs:element name="Item" type="xs:string" />
              <xs:element name="Action" type="xs:string" />
              <xs:element name="Quantity" type="xs:unsignedByte" />
              <xs:element name="Company" type="xs:string" />
              <xs:element name="Transition_ID" type="xs:string" />
              <xs:element name="Email" type="xs:string" />
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>

10. Configure Mapping.

Custom Function Groovy:

import com.sap.it.api.mapping.*;
// Custom mapping function: returns the incoming value (arg1) followed by
// 8 random uppercase letters, used here to build the Transition_ID.
def String customFunc(String arg1){
  def chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
  def random = new Random();   // java.util.Random: not suitable if the ID must be unguessable
  def sb = new StringBuilder(10);
  sb.append(arg1);
  for (int i = 0; i < 8; i++) {
    sb.append(chars.charAt(random.nextInt(chars.length())));
  }
  return sb.toString();
}

11. Add a Content Modifier to store the customer email address.

12. Configure the XML to CSV converter.

13. Configure the Mail adapter.

14. Save and deploy the IFlow. Set the log level of both IFlows to Trace in the monitoring view.

15. Open SOAP UI to trigger the flow with test data.

16. Add the sample data.

<Order_root>
  <Order>
    <Orderno></Orderno>
    <Cust_Name>Sahil</Cust_Name>
    <Cust_Add>xyz</Cust_Add>
    <Item>Pen</Item>
    <Action>Pending</Action>
    <Quantity>1</Quantity>
    <Email>abc@gmail.com</Email>
  </Order>
  <Order>
    <Orderno></Orderno>
    <Cust_Name>Dushyant</Cust_Name>
    <Cust_Add>xyz</Cust_Add>
    <Item>Notebook</Item>
    <Action>Delivered</Action>
    <Quantity>4</Quantity>
    <Email>efg@gmail.com</Email>
  </Order>
  <Order>
    <Orderno></Orderno>
    <Cust_Name>Aman</Cust_Name>
    <Cust_Add>xyz</Cust_Add>
    <Item>Pencil</Item>
    <Action>Not Available</Action>
    <Quantity>2</Quantity>
    <Email>ijk@gmail.com</Email>
  </Order>
</Order_root>

17. Check the customer's mailbox for the email.
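The whole ProcessDirect scenario (split per Order, route on Action, generate Orderno and Transition_ID, prepare the CSV and the mail recipient) as one stand-alone Groovy 3+ script. This is an added example, not code from the page or from SAP: the Action-to-route mapping for routes 3 and 4, the Company constant ACME, the acceptableRecipient check and the CSV column order are assumptions, and SecureRandom replaces the java.util.Random used in the page's custom functions.

```groovy
import groovy.xml.XmlSlurper        // Groovy 3 or later (in Groovy 2.x XmlSlurper is auto-imported)
import java.security.SecureRandom

// Constructed sample payload: the same three orders as the SOAP UI test data.
def payload = '''<Order_root>
  <Order><Orderno></Orderno><Cust_Name>Sahil</Cust_Name><Cust_Add>xyz</Cust_Add><Item>Pen</Item>
    <Action>Pending</Action><Quantity>1</Quantity><Email>abc@gmail.com</Email></Order>
  <Order><Orderno></Orderno><Cust_Name>Dushyant</Cust_Name><Cust_Add>xyz</Cust_Add><Item>Notebook</Item>
    <Action>Delivered</Action><Quantity>4</Quantity><Email>efg@gmail.com</Email></Order>
  <Order><Orderno></Orderno><Cust_Name>Aman</Cust_Name><Cust_Add>xyz</Cust_Add><Item>Pencil</Item>
    <Action>Not Available</Action><Quantity>2</Quantity><Email>ijk@gmail.com</Email></Order>
</Order_root>'''

// Same shape as the page's two custom functions, but drawn from SecureRandom so the
// generated Orderno / Transition_ID values cannot be predicted by a caller.
String randomChars(int n, String alphabet) {
    def rng = new SecureRandom()
    (1..n).collect { alphabet[rng.nextInt(alphabet.length())] }.join()
}

// Hypothetical recipient check: the Email element is caller-supplied and becomes the
// mail adapter's "To" address, so constrain it before anything is sent.
boolean acceptableRecipient(String email) {
    email ==~ /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/
}

def company = 'ACME'   // hypothetical constant mapped to Company in the first IFlow
def rootNode = new XmlSlurper().parseText(payload)

// Splitter + Router: one record per Order, branched on Action like routes 2 to 5.
// Which Action feeds route 3 and which feeds route 4 is not stated on the page; assumed here.
def decisions = rootNode.Order.collect { order ->
    def qty = order.Quantity.text().toInteger()
    assert (0..255).contains(qty) : "Quantity ${qty} violates xs:unsignedByte"   // what the XSD promises
    def record = [orderno: randomChars(6, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'),
                  name: order.Cust_Name.text(), item: order.Item.text(), qty: qty,
                  email: order.Email.text(), company: company]
    switch (order.Action.text()) {
        case 'Pending':       return record + [route: 'end']                        // route 2
        case 'Delivered':     // route 3: ProcessDirect to the second IFlow, which adds Transition_ID
            def tid = record.company + randomChars(8, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ')
            def csv = [record.orderno, record.name, record.item, qty, company, tid].join(',')
            return record + [route: 'processdirect', transitionId: tid, csv: csv]
        case 'Not Available': return record + [route: acceptableRecipient(record.email) ? 'mail' : 'reject'] // route 4
        default:              return record + [route: 'end']                        // route 5
    }
}
decisions.each { println "${it.orderno} ${it.name.padRight(9)} -> ${it.route}" }
```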

Passwordless Authentication (Passkeys) with SAP BTP SDK for iOS and SAP Cloud Identity Services https://www.erpqna.com/passwordless-authentication-passkeys-with-sap-btp-sdk-for-ios-and-sap-cloud-identity-services/?utm_source=rss&utm_medium=rss&utm_campaign=passwordless-authentication-passkeys-with-sap-btp-sdk-for-ios-and-sap-cloud-identity-services Tue, 31 Oct 2023 11:40:50 +0000

In this blog post, I share how you can leverage passkeys in your mobile applications built with SAP BTP SDK for iOS and SAP Mobile Services.

To use passkeys on the iPhone, iOS 16 (or later) is required. Also, iCloud Keychain and two-factor authentication must be turned on.

I will also show you how to leverage SAP Cloud Identity Services and its underlying Identity Authentication (IAS) as an Identity Provider supporting WebAuthn, the open standard behind Apple’s passkeys.

This blog post is an end-to-end guide on bringing those SAP products together to create a powerful user experience.

First, I will describe the necessary configuration to be performed by an administrator in:

  • BTP subaccount
  • IAS

Second, I will describe what the mobile app developer has to ensure.

Last, I will explain and illustrate the user’s experience creating a passkey from the IAS user profile web page on their Mac and then using the passkey for mobile app authentication on their iPhone.

You can follow along by using a free trial of the SAP Business Technology Platform (BTP).

Admin – Configuration in SAP BTP

Create a subscription for (1) SAP Mobile Services and (2) SAP Cloud Identity Service.

Then, establish trust between your BTP subaccount and SAP Cloud Identity Services. It only requires a few clicks.

Voila, you configured a custom identity provider for applications.

Admin – Configuration in SAP Cloud Identity Services

Enable Biometric Authentication for the XSUAA app used by SAP Mobile Services.

Please also enable Biometric Authentication for the User Profile self-service offered by IAS.

App Developer – Use OAuth2 with FioriASWebAuthenticationSessionPresenter

Use the SAP BTP SDK Assistant for iOS to create a sample app resulting in a local Xcode project and a remote app definition in SAP Mobile Services.

Make sure that the Redirect URL uses the format <customURLScheme>://<hostURL> in both places:

(1) in the security configuration of SAP Mobile Services

(2) and in the Xcode project.

You need to use OAuth2AuthenticationStep provided by the SAPFioriFlows framework with the FioriASWebAuthenticationSessionPresenter.

OAuth2AuthenticationStep(presenter: FioriASWebAuthenticationSessionPresenter())

The underlying ASWebAuthenticationSession API from Apple ensures that the passkey is read from the iCloud Keychain and sent to the IdP automatically, regardless of whether you use SAP Cloud Identity Services or a different product.

User – Create a passkey

The user can create a passkey by adding biometric authentication to their user profile.

The user created a passkey stored in Apple’s iCloud Keychain and available on all the user’s devices, including their iPhone.

User – Use passkey for passwordless authentication on their iOS app

Now, this is the part you have probably been waiting for most. How does this work in the iOS application? Once the user moves away from the Welcome Screen…

… the user must confirm the alert presented by the ASWebAuthenticationSession.

The user will choose the custom identity provider. Note: This step can be avoided by removing the default identity provider in the BTP subaccount.

The IdP website from IAS is presented. The user can choose biometric authentication because the admin allowed this form of authentication for the XSUAA.

The following dialogs to obtain the passkey from the iCloud keychain and send it to IAS are handled by the ASWebAuthenticationSession.

That’s it. The OAuth2AuthenticationStep is completed, the rest of the mobile app’s onboarding steps run until onboarding is finished, and the user sees the app’s business content.

Migrate trust configuration from SAML to OIDC in BTP subaccount https://www.erpqna.com/migrate-trust-configuration-from-saml-to-oidc-in-btp-subaccount/?utm_source=rss&utm_medium=rss&utm_campaign=migrate-trust-configuration-from-saml-to-oidc-in-btp-subaccount Tue, 25 Jul 2023 08:47:14 +0000

Introduction

In this blog post, we will be talking about an amazing feature that SAP recently released in BTP Security, which greatly reduces manual effort.

This blog post will guide you through migrating a trust configuration from SAML to OIDC.

Why would we want to do this, and how is it helpful?

There are certain functionalities (such as some automated processes defined by SAP) that only work with OIDC. For example, once there is an OIDC trust between the subaccount and IAS, developers can bind their applications to specific Cloud Identity Services instances; this creates another (OIDC) IAS application, which gives developers more control over authentication at the level of every application they bind.

If the trust with the IAS tenant was set up using the SAML protocol and has been in use for a while, there will be multiple users created against this identity provider, and switching to OIDC requires several steps:

  • Export the list of users along with the details of their role collections.
  • Clean up the users created against this identity provider.
  • Delete the trust configuration.
  • Establish the trust configuration again using the “Establish trust” button.
  • Provision all the users again manually with the new identity provider.

All these manual activities can instead be performed with a few BTP CLI commands, which makes life a little simpler with respect to BTP Security.

In terms of time, this reduces weeks of manual work to a few minutes.

Before you get started, follow the prerequisite steps below so that you don’t get stuck midway.

Prerequisites:

  • You need Security Administrator privileges in the subaccount in which you want to perform this migration.
  • The BTP CLI must be downloaded and configured. This activity cannot be performed from the UI; you need to run commands to perform the migration.
  • In the SAP BTP cockpit, under Custom Identity Provider for Applications, there must be no trust configurations using the OpenID Connect protocol.

Let’s see how it looks before we perform the migration.

Pre-Migration Trust Configuration Status

SAML trust configuration with origin key samltrust.

Users exist against this identity provider.

When logging in via SSO to IAS, SAML traces (assertions) are visible in SAML Tracer.

Now let’s get started.

Steps to perform migration

Open a command prompt (Windows) or terminal (Linux and macOS) and log in to BTP using the BTP CLI:

btp login --sso

Press Enter

It prompts to open browser to perform login using your ID.

Click on Yes

Login Successful

List all subaccounts to find the ID of the subaccount you want to target:

btp list accounts/subaccount

Target the specific subaccount by running the command below:

btp target --subaccount 32295e80-db37-4a83-a3a9-645c42b805ea

Check the available identity providers:

btp list security/available-idp

Perform the migration from SAML to OIDC:

btp migrate security/trust samltrust --idp ajnnqsktl.trial-accounts.ondemand.com

Let’s see how it looks once the migration has been performed.

Post Migration Trust Configuration Status

It changes the origin key of the old SAML configuration to oidc-migration-backup and sets it to inactive, then creates an OIDC trust configuration that keeps the same origin key as the old one.

You can update details such as the link text for user logon by clicking the Change button.

When you log in via SSO to IAS, SAML Tracer no longer captures any traces (SAML assertions), and the OIDC traces appear in the IAS troubleshooting logs.
