SAP Cloud

Centralized Identity and Access Management across SAP Cloud Applications

Mr. Mohammed Samsuthin, SAP Integration Consultant, Smartsoft.

Business Scenario

A large company uses various SAP Cloud applications and SAP BTP-based applications to run an intelligent, sustainable enterprise. Examples:

  • SAP S/4HANA Cloud
  • SAP Analytics Cloud
  • SAP SuccessFactors
  • SAP BTP-based applications
  • etc.

To manage identity and access for its employees, business partners and other users, the company has to do so separately in each of its SAP solutions. That makes it hard to keep user identity information unified across every SAP solution. To overcome this, the company needs centralized identity and access management, which SAP provides through an SAP BTP service called SAP Cloud Identity Services.

Overview of SAP Cloud Identity Services

SAP Cloud Identity Services are a group of services of SAP Business Technology Platform (SAP BTP), which enable you to integrate identity and access management between systems. The goal is to provide a seamless single sign-on experience across systems while ensuring that system and data access are secure.

Identity Authentication

Identity Authentication offers secure cloud-based access to business processes, applications, and data. It enhances the user experience with various authentication methods, single sign-on, integration with on-premise systems, and user-friendly self-service features.

Benefits of Identity Authentication

Authentication: All SAP cloud applications can offer their users the same authentication mechanisms, including strong authentication with configurable multi-factor authentication (MFA) enforcement, an easy separation mechanism for multiple user stores, and flexible configuration of where a user's credentials are validated.

Single Sign-On: Identity Authentication offers a central SSO endpoint for all SAP cloud applications and pre-configured or semi-automated trust configuration.

Integrating SAP applications: Identity Authentication offers a common identity for users, a unified way to manage users, and a security token service for protecting system-to-system communication. Data across applications can be correlated (a precondition for central foundation services).

Identity Provisioning

Identity Provisioning simplifies and secures the management of identity lifecycles through provisioning and deprovisioning services. It allows customers to streamline user onboarding and offboarding processes and make them more efficient. Identity Provisioning supports a centralized lifecycle of corporate identities in the cloud. In addition, it can handle automated provisioning of existing on-premise identities to cloud applications.

Identity Directory

Identity Directory is the persistence layer of SAP Cloud Identity Services. It offers a central place for storing and managing users and groups. Its SCIM 2.0 REST API allows customers to define their own custom schemas with their own attributes. The directory generates the Global User ID attribute – the unique user identifier across the landscape. This attribute is distributed by Identity Provisioning to SAP cloud applications, like SAP Task Center, which need the common user identifier in their integration scenarios.
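
The correlation described above is what makes a deprovisioning audit possible. The following is an added example, not code from SAP or from the original article: it matches application accounts to directory users by Global User ID and flags accounts that cannot be correlated or that outlived offboarding. The key name globalUserId, the application names and all records are constructed assumptions.

```python
# Added example: audit application accounts against the central directory.
# All records below are constructed sample data, not real SAP API output.

GUID = "globalUserId"  # assumed key name for the Global User ID

# Directory users, shaped like SCIM 2.0 User resources (userName, active).
DIRECTORY = [
    {"userName": "alice", "active": True, GUID: "G-1001"},
    {"userName": "bob", "active": False, GUID: "G-1002"},  # offboarded
]

# Accounts exported from two hypothetical target applications.
APP_ACCOUNTS = {
    "app-a": [
        {"userName": "alice", "active": True, GUID: "G-1001"},
        {"userName": "bob", "active": True, GUID: "G-1002"},
    ],
    "app-b": [
        {"userName": "ALICE01", "active": True, GUID: "G-1001"},
        {"userName": "svc-legacy", "active": True},
        {"userName": "carol", "active": True, GUID: "G-9999"},
    ],
}


def audit(directory, app_accounts):
    """Return (app, userName, finding) tuples for accounts needing review."""
    by_guid = {u[GUID]: u for u in directory}
    findings = []
    for app in sorted(app_accounts):
        for acct in app_accounts[app]:
            guid = acct.get(GUID)
            if not guid:
                # Cannot be correlated with any central identity.
                findings.append((app, acct["userName"], "missing-global-id"))
            elif guid not in by_guid:
                # ID unknown to the directory: account has no owner there.
                findings.append((app, acct["userName"], "orphaned"))
            elif acct.get("active", True) and not by_guid[guid]["active"]:
                # Offboarded centrally but still usable in the application.
                findings.append((app, acct["userName"], "not-deprovisioned"))
    return findings


if __name__ == "__main__":
    for finding in audit(DIRECTORY, APP_ACCOUNTS):
        print(*finding, sep="\t")
```

Because matching is done on the common identifier rather than the login name, the app-b account ALICE01 is correctly tied to alice and raises no finding.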

Authorization Management

Authorization Management enables you to refine authorization policies that give access to resources in enabled SAP BTP-based business applications. Restrict policies based on the values of user or business object attributes. Assign policies to users with the group management capabilities of the identity directory. Use the corresponding user interfaces of SAP Cloud Identity Services or the SCIM API of the identity directory.


SAP Cloud Identity Services provide a single place for identity and access management with the help of Identity Authentication, Identity Provisioning, Identity Directory and Authorization Management.