Tutorial: Configure SAP Cloud Identity Services for automatic user provisioning

This tutorial shows how to configure Microsoft Entra ID (Azure AD) and SAP Cloud Identity Services so that Microsoft Entra ID automatically provisions and deprovisions users to SAP Cloud Identity Services.

Note

This tutorial describes a connector built on top of the Microsoft Entra ID User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID.

Prerequisites

The scenario outlined in this tutorial assumes that you already have the following prerequisites:

Note

This integration is also available in the Microsoft Entra ID US Government Cloud environment. You can find this application in the Microsoft Entra ID US Government Cloud Application Gallery and configure it in the same way as you do from the public cloud.

Assigning users to SAP Cloud Identity Services

Microsoft Entra ID uses a concept called assignments to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users that have been assigned to an application in Microsoft Entra ID are synchronized.

Before configuring and enabling automatic user provisioning, you should decide which users in Microsoft Entra ID need access to SAP Cloud Identity Services. Once decided, you can assign these users to SAP Cloud Identity Services by following the instructions here:

Important tips for assigning users to SAP Cloud Identity Services

  • It's recommended that a single Microsoft Entra ID user is assigned to SAP Cloud Identity Services to test the automatic user provisioning configuration. More users may be assigned later.

  • When assigning a user to SAP Cloud Identity Services, you must select any valid application-specific role (if available) in the assignment dialog. Users with the Default Access role are excluded from provisioning.

Set up SAP Cloud Identity Services for provisioning

  1. Sign in to your SAP Cloud Identity Services Admin Console. Navigate to Users & Authorizations > Administrators.

  2. Select the +Add button on the left-hand panel to add a new administrator to the list. Choose Add System and enter the name of the system.

    Note

    The administrator user in SAP Cloud Identity Services must be of type System. Creating a normal administrator user can lead to unauthorized errors while provisioning.

  3. Under Configure Authorizations, switch on the toggle button against Manage Users.

  4. You'll get an email to activate your account and set up a password for SAP Cloud Identity Services.

  5. Copy the User ID and Password. You enter these values in the Admin Username and Admin Password fields, respectively, on the Provisioning tab of your SAP Cloud Identity Services application.

Before configuring SAP Cloud Identity Services for automatic user provisioning with Microsoft Entra ID, you need to add SAP Cloud Identity Services from the Microsoft Entra ID application gallery to your list of managed SaaS applications.

To add SAP Cloud Identity Services from the Microsoft Entra ID application gallery, perform the following steps:

  1. In the Azure portal, in the left navigation panel, select Microsoft Entra ID.

  2. Go to Enterprise applications, and then select All applications.

  3. To add a new application, select the New application button at the top of the pane.

  4. In the search box, enter SAP Cloud Identity Services, and then select SAP Cloud Identity Services in the search box.

  5. Select SAP Cloud Identity Services from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Configuring automatic user provisioning to SAP Cloud Identity Services

This section guides you through the steps to configure the Microsoft Entra ID provisioning service to create, update, and disable users in SAP Cloud Identity Services based on user assignments in Microsoft Entra ID.

Tip

You may also choose to enable SAML-based single sign-on for SAP Cloud Identity Services, following the instructions provided in the SAP Cloud Identity Services Single sign-on tutorial. Single sign-on can be configured independently of automatic user provisioning, though these two features complement each other.

To configure automatic user provisioning for SAP Cloud Identity Services in Microsoft Entra ID:

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.

  2. Browse to Identity > Applications > Enterprise applications.

  3. In the applications list, select SAP Cloud Identity Services.

  4. Select the Provisioning tab.

  5. Set the Provisioning Mode to Automatic.

  6. Under the Admin Credentials section, input https://<tenantID>.accounts.ondemand.com/service/scim in Tenant URL. Input the User ID and Password values retrieved earlier in Admin Username and Admin Password respectively. Click Test Connection to ensure Microsoft Entra ID can connect to SAP Cloud Identity Services. If the connection fails, ensure your SAP Cloud Identity Services account has Admin permissions and try again.

  7. In the Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications, and select the Send an email notification when a failure occurs check box.

  8. Click Save.

  9. Under the Mappings section, select Synchronize Microsoft Entra ID Users to SAP Cloud Identity Services.

  10. Review the user attributes that are synchronized from Microsoft Entra ID to SAP Cloud Identity Services in the Attribute Mapping section. The attributes selected as Matching properties are used to match the user accounts in SAP Cloud Identity Services for update operations. Select the Save button to commit any changes.

    Attribute                                                                          Type       Supported for filtering  Required by SAP Cloud Identity Services
    userName                                                                           String
    emails[type eq "work"].value                                                       String
    active                                                                             Boolean
    displayName                                                                        String
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager                 Reference
    addresses[type eq "work"].country                                                  String
    addresses[type eq "work"].locality                                                 String
    addresses[type eq "work"].postalCode                                               String
    addresses[type eq "work"].region                                                   String
    addresses[type eq "work"].streetAddress                                            String
    name.givenName                                                                     String
    name.familyName                                                                    String
    name.honorificPrefix                                                               String
    phoneNumbers[type eq "fax"].value                                                  String
    phoneNumbers[type eq "mobile"].value                                               String
    phoneNumbers[type eq "work"].value                                                 String
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter              String
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department              String
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division                String
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber          String
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization            String
    locale                                                                             String
    timezone                                                                           String
    userType                                                                           String
    company                                                                            String
    urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute1   String
    urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute2   String
    urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute3   String
    urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute4   String
    urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute5   String
    urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute6   String
    urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute7   String
    urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute8   String
    urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute9   String
    urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute10  String
    sendMail                                                                           String
    mailVerified                                                                       String

  11. To configure scoping filters, refer to the instructions provided in the Scoping filter tutorial.

  12. To enable the Microsoft Entra ID provisioning service for SAP Cloud Identity Services, change the Provisioning Status to On in the Settings section.

  13. Define the users that you would like to provision to SAP Cloud Identity Services by choosing the desired values in Scope in the Settings section.

  14. When you're ready to provision, click Save.

This operation starts the initial synchronization of all users defined in Scope in the Settings section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Microsoft Entra ID provisioning service is running. You can use the Synchronization Details section to monitor progress and follow links to the provisioning activity report, which describes all actions performed by the Microsoft Entra ID provisioning service on SAP Cloud Identity Services.

For more information on how to read the Microsoft Entra ID provisioning logs, see Reporting on automatic user account provisioning.
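The target attribute names in the mapping table of step 10 are SCIM attribute paths. The following added example (not part of the original tutorial, and not Microsoft or SAP code) shows where each standard path form lands in a SCIM 2.0 user resource, which helps when reviewing which directory data the mappings export. The function name `build_scim_user` and the sample values are hypothetical, and the SAP custom-extension rows are rejected because the page does not show their wire format.

```python
import json
import re

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
# attr[type eq "work"].sub -> element of a multi-valued attribute, picked by "type"
FILTERED = re.compile(r'^(\w+)\[type eq "([^"]+)"\]\.(\w+)$')
# urn:...:User:attr -> attribute inside a schema-extension object
EXTENSION = re.compile(r"^(urn:[\w:.]+:User):(\w+)$")

def build_scim_user(mapped):
    """Place each target-attribute path at its location in a SCIM user resource."""
    user = {"schemas": [CORE]}
    for path, value in mapped.items():
        if value is None or value == "":
            continue  # assumption of this example: empty values are omitted; False is kept
        if m := FILTERED.match(path):
            attr, type_, sub = m.groups()
            items = user.setdefault(attr, [])
            item = next((i for i in items if i["type"] == type_), None)
            if item is None:  # first sub-attribute seen for this type
                item = {"type": type_}
                items.append(item)
            item[sub] = value
        elif m := EXTENSION.match(path):
            user.setdefault(m[1], {})[m[2]] = value
        elif re.fullmatch(r"\w+\.\w+", path):
            parent, sub = path.split(".")
            user.setdefault(parent, {})[sub] = value
        elif re.fullmatch(r"\w+", path):
            user[path] = value
        else:  # e.g. the urn:sap:...:User:attributes:customAttributeN rows
            raise ValueError(f"unsupported attribute path: {path}")
    user["schemas"] += [k for k in user if k.startswith("urn:")]
    return user

# Constructed sample values, not taken from a real tenant.
SAMPLE = {
    "userName": "jdoe",
    'emails[type eq "work"].value': "jdoe@example.com",
    "active": False,
    "name.givenName": "Jane",
    'addresses[type eq "work"].country': "DE",
    'addresses[type eq "work"].locality': "Walldorf",
    'phoneNumbers[type eq "mobile"].value': "",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department": "Finance",
}

if __name__ == "__main__":
    print(json.dumps(build_scim_user(SAMPLE), indent=2))
```

Running it over the full set of mappings you enable gives a quick view of every field that leaves the directory for each assigned user.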

Connector limitations

  • The SAP Cloud Identity Services SCIM endpoint requires certain attributes to be in a specific format. You can learn more about these attributes and their specific format here.
