MASTER GUIDE | PUBLIC

Document Version: 1.5 – 2019-04-11

SAP Identity Management Master Guide


© 2019 SAP SE or an SAP affiliate company. All rights reserved.



Content

1 SAP Identity Management Master Guide [page 3]
2 Getting Started [page 4]
  2.1 About this Document [page 4]
  2.2 Related Information [page 6]
      Further Useful Links [page 7]
  2.3 Important SAP Notes [page 7]
3 SAP Identity Management Overview [page 8]
  3.1 Introduction to SAP Identity Management [page 8]
      Identity Federation [page 9]
      Logon Help [page 10]
  3.2 Software Components of SAP Identity Management [page 10]
      License Keys [page 11]
      Identity Management Core Components [page 12]
      Identity Management Runtime Components [page 16]
      Identity Management Developer Studio [page 16]
      Identity Management Developer Studio Service [page 17]
      Identity Management User Interface Components [page 17]
      Identity Management REST Interface Version 2 [page 18]
      Identity Management User Interface for HTML5 [page 18]
      Virtual Directory Server [page 19]
      Identity Management Portal Content [page 21]
  3.3 Solution-Wide Capabilities [page 21]
4 Overall Implementation Sequence [page 23]
  4.1 Installation Overview [page 24]
5 SAP Identity Management Scenarios [page 26]
  5.1 Provisioning for SAP or Non-SAP Systems [page 26]
  5.2 Integration with SAP HCM [page 28]
  5.3 Enhanced SAP Business Suite Integration [page 30]
  5.4 Integration with SAP Access Control [page 33]
  5.5 Logon Help [page 35]
  5.6 Identity Federation [page 38]
6 Appendix [page 42]

SAP Identity Management Master Guide


2 PUBLIC Content
1 SAP Identity Management Master Guide

The SAP Identity Management Master Guide gives an overview of its architecture and components and also
contains a scenario overview and a description of the installation procedure.

Related Information

Getting Started [page 4]
SAP Identity Management Overview [page 8]
Overall Implementation Sequence [page 23]
SAP Identity Management Scenarios [page 26]
Appendix [page 42]

2 Getting Started

This section contains useful information about the document and references to other relevant documents.

Related Information

About this Document [page 4]
Related Information [page 6]
Important SAP Notes [page 7]

2.1 About this Document

This Master Guide is the central starting point for the technical implementation of SAP Identity Management.
You can find cross-scenario implementation information as well as scenario-specific information in this guide.

The Master Guide provides an overview of SAP Identity Management, its software units, and its scenarios from
a technical perspective. Use it to help you design your identity management system landscape before you start
the implementation phase. It refers you to the required detailed documentation, mainly:

● Installation guides for individual software components
● SAP Notes
● Configuration documentation
● Tutorials

Note

Update information is included in the Identity Management Installation and Update Guide on Windows and
UNIX for the individual software components. The following documents are relevant.

Update and Upgrade Documents

● Updating SAP Identity Management on Windows; Updating SAP Identity Management on UNIX
  These sections in the Identity Management Installation and Update Guide describe how to update SAP
  Identity Management components to a higher SP level.
● Upgrading SAP Identity Management from 7.2 to 8.0
  This document describes how you use the provisioning framework for SAP systems to upgrade a production
  system from SAP NetWeaver Identity Management 7.2 to 8.0.

The Master Guide consists of the following main sections:

● SAP Identity Management Overview
  This section provides an overview of SAP Identity Management, including its software components, the
  connectors and frameworks that are delivered, and information about the solution-wide capabilities that
  apply to all scenarios. It also provides an overview of the system landscape and the overall implementation
  sequence.
● SAP Identity Management Scenarios
  This section provides an overview of the identity management scenarios:
  ○ Provisioning for SAP or non-SAP systems
  ○ Integration with SAP Human Capital Management (SAP HCM)
  ○ Enhanced SAP Business Suite integration
  ○ Integration with BusinessObjects Access Control
  ○ Federation

Note

You can implement any or all of the scenarios in your landscape.

Note

You can find the most current information about the technical implementation of SAP Identity Management
and the latest installation and configuration guides at SAP Identity Management 8.0.

We strongly recommend that you use the documents available here. The guides are regularly updated.

Constraints

● The business scenarios that are presented here serve as examples of how you can use SAP software in
your company. The business scenarios are only intended as models and do not necessarily run the way
they are described here in your customer-specific system landscape. Check your requirements and
systems to determine whether these scenarios can be used productively at your site. Furthermore, we
recommend that you test these scenarios thoroughly in your test systems to ensure they are complete and
free of errors before going live.
● This Master Guide primarily discusses the overall technical implementation of SAP Identity Management,
rather than its subordinate components. This means that additional software dependencies might exist
without being mentioned explicitly in this document. You can find more information on component-specific
software dependencies in the corresponding installation guides.
● Good data quality is a prerequisite for the successful implementation of an identity management system.
Before you start implementing SAP Identity Management, we recommend that you clean up the identity
data in the systems that you want to integrate.

2.2 Related Information

For more information about topics not covered in this guide, see the following content on SAP Help Portal:

Related Information (Content: Location on SAP Service Marketplace or SCN)

● Latest version of installation guide: SAP Identity Management Installation and Update Guide on Windows;
  SAP Identity Management Installation and Update Guide on UNIX
● General information about SAP Identity Management: SAP Identity Management Community
● Sizing, calculation of hardware requirements: SAP NetWeaver Identity Management Identity Center Minimum
  System Requirements; Sizing Guide for SAP NetWeaver Identity Management 7.1/7.2
● Released platforms and technology-related topics, such as maintenance strategies and language support:
  Product Availability Matrix
● Other database and operating systems: SAP on SQL Server Community
● Network security: SAP Identity Management Security Guide
● High Availability: SAP Identity Management Solution Operation Guide
● Information about Support Package Stacks, latest software versions, and patch level requirements: SAP
  Support Portal

Related Information

Further Useful Links [page 7]

2.2.1 Further Useful Links

The following table lists further useful links on SAP Service Marketplace.

Content: Location on SAP Service Marketplace

● Information about creating error messages: Incidents
● SAP Notes Search: SAP Note & Knowledge Base Article Search
● SAP Software Download Center (software download and ordering of software): SAP Software Download Center
● SAP Online Knowledge Products (OKPs), role-specific learning maps: Get Involved Early

2.3 Important SAP Notes

Read the following SAP Notes before you start the installation.

These SAP Notes contain the most recent information about installation, as well as corrections to the
installation documentation. Make sure that you have the up-to-date version of each SAP Note, which you can
find on SAP Service Marketplace.

SAP Note 2036858

Related Information

SAP Note & Knowledge Base Article Search

3 SAP Identity Management Overview

This section provides an overview of SAP Identity Management.

Related Information

Introduction to SAP Identity Management [page 8]
Software Components of SAP Identity Management [page 10]
Solution-Wide Capabilities [page 21]

3.1 Introduction to SAP Identity Management

Enterprises are under pressure to increase the speed of deploying new applications and systems across their
global networks, both internally and in the context of e-business with partners and customers. One of the
challenges involved in these processes is the difficulty in finding and bringing together information relating to
identities and resources that are distributed across multiple and often incompatible information sources.
Identity data is often stored in many different applications throughout the enterprise and maintained manually
in different locations. This is costly and, in addition to posing a security risk, can cause inconsistencies and low
data quality. The prime objective of SAP Identity Management is to centrally manage and keep all identity data
within the enterprise up-to-date.

This diagram illustrates a system landscape where SAP Identity Management is used to maintain identity data.
Identities are imported to the Identity Management identity store from SAP HCM based on available
authorizations.

Privileges are added from the back-end systems and identities are assigned to them. These privilege
assignments are then written back to the back-end systems.

Identity Federation is a separate component that is used for Single Sign-On (SSO) for SAP and non-SAP
systems. It supplies a SAML 2.0-compliant identity provider for Web-based access, and a security token service
for Web services SSO.

End users use one of the Identity Management User Interface options to perform self-service or other tasks on
the data in the identity store. If the client runs on Microsoft Windows, Logon Help is available to reset the
password.

3.1.1 Identity Federation

Identity federation includes a SAML 2.0 identity provider and a security token service (STS) using the WS-Trust
1.3 standard.

You can use the identity provider for single sign-on (SSO) with SAP or non-SAP service providers. As an identity
provider, SAP NetWeaver Application Server (SAP NetWeaver AS) Java can provide cross-domain SSO in
combination with SAML 2.0 service providers and at the same time enable single log-out (SLO) to close all user
sessions in the SAML landscape. SAML 2.0 also enables identity federation by defining a name ID to be shared
between the identity provider and one or more service providers.

You can use the STS to provide cross-domain SSO for web service providers. The STS converts what are often
proprietary authentication methods from a Web service consumer into a security token consumable by the
web service provider. The STS supports X.509, SAML 1.1, and SAML 2.0 security token types.

The identity federation component runs separately from the rest of SAP Single Sign-On. It can be installed
together with the other components, but there are no technical dependencies between the identity federation
component and the other SAP Single Sign-On components.

You can deploy this software on SAP NetWeaver AS for Java release 7.2 SPS 2 with SAP Note 1471322
applied or SAP NetWeaver AS for Java release 7.2 SPS 3 or later. However, to use the security token service or
the newest user interface improvements in the identity provider, you must install the latest identity federation
software component archive (SCA) and upgrade the host SAP NetWeaver AS for Java to release 7.2 SPS 4 or
later.

Related Information

Identity Provider for SAP Single Sign-On and SAP Identity Management
Security Token Service for SAP Single Sign-On and SAP Identity Management

3.1.2 Logon Help

SAP Identity Management Logon Help is a client application for Microsoft Windows workstations that users can
use to reset their passwords.

Logon Help performs the password reset in conjunction with the Password Reset Self-Service scenario of SAP
Identity Management Identity Center and a Microsoft Windows domain controller. Business users set their
security questions and answers as part of the self-service scenario. If business users forget their password
for logging on to the Microsoft Windows domain on their workstation, they can use the front-end client,
Logon Help, to enter the answers to their security questions and a new password. If they enter their data
correctly, Logon Help logs them on to the Microsoft Windows domain with the new password.

Related Information

Logon Help for SAP Identity Management Implementation Guide

3.2 Software Components of SAP Identity Management

SAP Identity Management consists of several components. Some of the components run on SAP NetWeaver
AS for Java, for example, the Identity Management User Interface. Other components are stand-alone and are
installed separately. The complete set of software units that make up SAP Identity Management is
categorized as follows:

As of version 8.0 SP04 and higher, SAP Identity Management is installed using the Software Provisioning
Manager 1.0 installation tool. You can use the Software Provisioning Manager 1.0 tool to install all SAP Identity
Management components, except for SAP Identity Management Developer Studio client, SAP Identity
Management Logon Help and SAP Identity Management Password Hook. The installation procedure for these
components has not changed, that is, they must be installed manually.

Related Information

SAP Identity Management Installation and Update Guide on Windows
SAP Identity Management Installation and Update Guide on UNIX

3.2.1 License Keys

SAP Identity Management may be used by Licensee to integrate Licensee’s SAP applications as part of an
application-specific runtime license of SAP NetWeaver Foundation. For any other use (for example, integration
with third party applications or non-SAP applications), SAP Identity Management needs to be licensed.

Related Information

SAP Licenses

3.2.2 Identity Management Core Components

The Identity Management core component consists of the Identity Management database and the Identity
Management Keys Utility.

The Identity Management core components consist of the following parts:

The Identity Management Database

The Identity Management database contains different types of information:

● The identity store containing the identity data. The identity store provides a uniform view of the data,
regardless of the data’s original source. The data is retrieved from these various repositories, consolidated,
transformed into the necessary formats, and published back to the various decentralized repositories.
● The configuration of the solution with all necessary processes, forms, and jobs that are used to process the
identity data.
● The database procedures providing the business logic.

Configuration Packages

With SAP Identity Management 8.0 we introduce the configuration package concept. A configuration package
is a collection of configuration information including constants, scripts, repository types, processes, forms, and
jobs. Users are granted access to different packages, which allows multiple users to work on the configuration
and transport separately. These configuration packages are delivered as part of the SAP Identity Management
core component and imported into the SAP Identity Management database to provide a starting point for the
configuration of the solution.

The Identity Management Keys Utility

This utility is used to create the encryption keys that are used to secure the connection to the database and
passwords and other sensitive data in the identity store.

As of version 8.0 SP04 and higher, you install SAP Identity Management Core Components using the Software
Provisioning Manager 1.0 installation tool.

Related Information

SAP Identity Management Installation and Update Guide on Windows
SAP Identity Management Installation and Update Guide on UNIX

3.2.2.1 Configuration Packages

A number of configuration packages are delivered as part of the Identity Management core components. These
packages contain frameworks and connectors that can be imported into the Identity Management database to
provide the basic functionality, such as provisioning and integration with SAP Access Control.

3.2.2.1.1 Provisioning Frameworks

In the context of Identity Management, the word framework is used to designate a set of reusable jobs, tasks,
and functions that are necessary when provisioning the various system types. See an overview in the table.

Framework Overview

● SAP provisioning framework
  Provides the set of templates to use to connect SAP systems to SAP Identity Management and to set up the
  jobs and tasks for provisioning the corresponding users and the corresponding assignments. The connectors
  for this framework are delivered as separate packages. A set of default forms for the Identity Management
  user interface is delivered as a separate package.
● Governance, Risk and Compliance (GRC) provisioning framework
  The GRC provisioning framework consists of a set of processes and a configuration in the Virtual Directory
  Server that enables the use of SAP Access Control for risk validation before user provisioning.
● SAP HCM staging area identity store / HCM integration framework
  This framework provides a staging area identity store and framework to use when importing identity data
  from an SAP HCM system. You can then work with the data in the staging area before provisioning the
  corresponding SAP systems.
● Notification framework
  The notification package contains the notification task and the notification templates that are used to send
  notifications from the SAP provisioning framework, approval and attestation tasks.

The SAP HCM staging area identity store supplements the SAP provisioning framework by providing functions
used for the specific scenario. The GRC provisioning framework is a separate framework that is used explicitly
for integration with SAP Access Control. Although it is a separate framework, it can be configured and used
simultaneously with the other frameworks.

3.2.2.1.2 Connectors

There are a number of connectors for SAP and non-SAP systems available as separate packages with the SAP
provisioning framework.

Note

The list of connectors shown below is subject to change as additional connectors become available. There
are also connectors available for connections to SAP or non-SAP systems that have been developed by
partners.

● For more information about the connector overview, see SAP Identity Management - Connector Overview
● For more information about the connector packages, see the Package Content section in Provisioning
  Framework for SAP Identity Management 8.0

Connector Overview of Connectors Provided with SAP Identity Management

● SCIM Connector
  Applicable product / application: SAP Cloud Platform Identity Provisioning service
  Release/platform prerequisites: Not applicable
● Identity Authentication
  Applicable product / application: SAP Cloud Platform Identity Authentication service (formerly known as
  SAP Cloud Identity (SCI))
  Release/platform prerequisites: Not applicable
● SuccessFactors
  Applicable product / application: SuccessFactors
  Release/platform prerequisites: Not applicable
● AS Java
  Applicable product / application: AS Java / J2EE Engine applications; third-party products that support SPML
  Release/platform prerequisites: AS Java / J2EE Engine Release 6.40 and higher
● AS ABAP
  Applicable product / application: AS ABAP applications (SU01 users), SAP HCM employee data (export to
  SAP Identity Management)
  Release/platform prerequisites: AS ABAP: Release 4.6 and higher; SAP HCM: Release 6.0 SPS 37
● Dual Stack
  Applicable product / application: AS Java / J2EE Engine applications; third-party products that support
  SPML; AS ABAP applications (SU01 users), SAP HCM employee data (export to SAP Identity Management)
  Release/platform prerequisites: SAP NetWeaver Dual Stack 6.40 and higher
● AS ABAP for SAP Business Suite systems
  Applicable product / application: SAP Business Suite applications (provisions SU01 users plus
  application-specific identity information such as business partners)
  Release/platform prerequisites: SAP Enhancement Package 4 for SAP ERP 6.0; for application-specific
  dependencies, see the table below
● Microsoft Active Directory
  Applicable product / application: Microsoft Active Directory; Microsoft Exchange
  Release/platform prerequisites: Microsoft Active Directory versions with Microsoft Windows Server
  2000/2003/2008/2010 (platform: MS Windows Server 2000/2003/2008/2010); Microsoft Exchange 2007/2010
  (platform: MS Windows Server 2000/2003/2008/2010)
● SUN One
  Applicable product / application: Any LDAP directory server using the generic LDAP API; Novell eDirectory;
  SunOne Directory
  Release/platform prerequisites: Platform: supported platforms for the respective directory server. Novell
  eDirectory or SunOne Directory: any release. Special requirements for other directory servers, for example,
  schema modifications, on a project basis.
● SAP HANA Connector
  Applicable product / application: SAP HANA Platform Edition
  Release/platform prerequisites: SAP HANA Platform Support Package Stack 04
● Lotus Notes
  Applicable product / application: IBM Lotus Notes
  Release/platform prerequisites: Lotus Domino server version 8.5.3

3.2.3 Identity Management Runtime Components

The Identity Management runtime components include the runtime engine, the dispatchers, and the SAP
Identity Management Dispatcher Utility.

SAP Identity Management Dispatcher Utility

This utility is used to create the dispatcher(s). You can also start and stop the dispatcher(s) with this utility. You
can use either the graphical user interface or the command line interface.

Dispatcher Engine and Runtime Engine

The dispatcher and runtime engines are responsible for processing both provisioning and synchronization
tasks. The runtime components require the SAP Java Virtual Machine (SAP JVM). If the runtime components
run on the same server as an SAP NetWeaver AS for Java system, then they can use the SAP JVM that is
provided with the AS Java system.

As of version 8.0 SP04 and higher, you install SAP Identity Management Runtime Components using the
Software Provisioning Manager 1.0 installation tool.

Related Information

SAP Identity Management Installation and Update Guide on Windows
SAP Identity Management Installation and Update Guide on UNIX

3.2.4 Identity Management Developer Studio

The Identity Management Developer Studio is an Eclipse plug-in that provides the environment for developing
the configuration for the identity management solution. It uses the Developer Studio service running on SAP
NetWeaver AS for Java.

Related Information

Installing the Identity Management Developer Studio

3.2.5 Identity Management Developer Studio Service

The Identity Management Developer Studio service provides the connection between the Identity Management
Developer Studio and the Identity Management database.

This service is deployed and configured as part of SAP NetWeaver AS for Java.

The Identity Management Developer Studio service authenticates the users in the Identity Management
Developer Studio against the UME.

The connection to the Identity Management database is configured as part of this service.

As of version 8.0 SP04 and higher, you deploy SAP Identity Management Developer Studio service using the
Software Provisioning Manager 1.0 installation tool.

Related Information

SAP Identity Management Installation and Update Guide on Windows
SAP Identity Management Installation and Update Guide on UNIX

3.2.6 Identity Management User Interface Components

The Identity Management user interface components are the Identity Management user interface, the Identity
Management administration user interface, and the Identity Management REST API version 1.

The user interface components are deployed as one software unit on SAP NetWeaver AS for Java:

Identity Management User Interface

This is the end user interface providing functions for user registration and other self-service tasks, password
reset requests, and approval of assignment requests and other changes requiring approval.

Identity Management Administration User Interface

This is the user interface for system administrators and managers responsible for monitoring and maintaining
SAP Identity Management.

Identity Management REST API Version 1

This RESTful Web service consists of resources with three defined aspects: the base Uniform Resource
Identifiers (URIs) to access the functionality, the Internet media type of the data supported by the Web service,
and the set of operations supported by the Web service, for example, GET and POST.

As of version 8.0 SP04 and higher, you deploy SAP Identity Management User Interface using the Software
Provisioning Manager 1.0 installation tool.

Related Information

SAP Identity Management REST API Version 1
SAP Identity Management Installation and Update Guide on Windows
SAP Identity Management Installation and Update Guide on UNIX

3.2.7 Identity Management REST Interface Version 2

The Identity Management REST (Representational State Transfer) Interface Version 2 is a service API
(Application Programming Interface) that supports the new Identity Management User Interface for HTML5
and other new custom-made user interfaces.

Identity Management REST Version 2 implements the Open Data Protocol (OData) in version 2.0, and supports
(as does OData) both formats for representing the resources it exposes - the XML-based Atom format and the
JavaScript Object Notation (JSON) format.

As of version 8.0 SP04 and higher, you deploy SAP Identity Management REST Interface Version 2 using the
Software Provisioning Manager 1.0 installation tool.

Related Information

SAP Identity Management REST Interface Version 2
SAP Identity Management Installation and Update Guide on Windows
SAP Identity Management Installation and Update Guide on UNIX

3.2.8 Identity Management User Interface for HTML5

SAP Identity Management User Interface for HTML5 is a user interface based on HTML5 and JavaScript, and
developed using the SAP UI Development Toolkit for HTML5 (SAPUI5). It also uses SAP Identity Management
REST Interface Version 2.

SAP Identity Management User Interface for HTML5 can be used by all users to maintain their own profile
information and request new roles (self service). Authorizations are grouped into business roles, again made
available to end-users, who can request assignment of the business roles. SAP Identity Management User
Interface for HTML5 only supports assignment requests for business roles, that is, users cannot request
privilege assignments.

Managers and administrators can also use SAP Identity Management User Interface for HTML5 for role request
approvals. Although privilege assignment requests from the users are not supported, the My Approvals page
supports approving and declining both business role assignments and privilege assignments for managers and
administrators, to support cases in which approval workflows are set up for individual privileges, triggered
either by automated processes or other UIs or APIs.

SAP Identity Management User Interface for HTML5 does not support processing more than one approval
request at a time. You need to process each approval request separately.

SAP Identity Management User Interface for HTML5 does not support attestations, so the My Approvals page
shows only approvals. Attestations are available only from the SAP Identity Management REST Interface
Version 2.

SAP UI Development Toolkit for HTML5 (SAPUI5)

The SAP UI Development Toolkit for HTML5 (SAPUI5) is SAP's new enterprise-ready HTML5 rendering library
for client-side UI rendering and programming. It combines the advantages of being open and flexible as well as
being enterprise ready, supporting all SAP Product Standards. While Web Dynpro is best suited to heavyweight
transactional applications for expert usage, SAPUI5 is designed for building lightweight consumer-grade UIs for
casual usage. It is aimed at developers at SAP and customers with web development skills (HTML, CSS3,
JavaScript). SAPUI5 provides extensible controls and powerful theming but is easy to consume, based on open
standards, and integrates with third-party JavaScript libraries. SAPUI5 applications run on a wide range of
devices (smartphone, tablet, and desktop) and on multiple server platforms.

As of version 8.0 SP04 and higher, you deploy SAP Identity Management User Interface for HTML5 using the
Software Provisioning Manager 1.0 installation tool.

Related Information

SAP Identity Management Installation and Update Guide on Windows
SAP Identity Management Installation and Update Guide on UNIX

3.2.9 Virtual Directory Server

The Virtual Directory Server acts as a single access point for clients retrieving or updating data in multiple data
repositories, since it provides a uniform view of the data in real time.

You can use it, for example, to consolidate multiple repositories into a single data source. You can then
provision and perform identity management functions on the repositories using the Virtual Directory Server.

The Virtual Directory Server implements a structure called a virtual directory tree. It is a structure that
organizes all managed applications so that each of them can be addressed through a unique identifier. A
unique identifier, in this context, corresponds to a distinguished name in the virtual directory tree, but is
mapped to a unique identifier within the application. In addition, the Virtual Directory Server has built-in
connectors (and an extensible connector framework) for a variety of applications. Most importantly, the
Virtual Directory Server has a connector for the Identity Management database, so it can execute operations
directly in the identity store.

The Virtual Directory Server provides a range of additional services such as virtualization, name space
conversion, attribute and schema mapping, and attribute value modification. These services may be crucial for
resolving requirements when using identity services (see the solution-wide capabilities).
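The following Python model is an added illustration of the virtual directory tree described above, not SAP code: a DN under one suffix is resolved to the repository mounted at its ou= branch and to that application's own unique identifier, with attribute-name (schema) mapping and value modification applied on read and write. The repository names, attribute names and records are constructed sample data.

```python
"""Toy virtual directory tree over several repositories.

Added example, not SAP code. Each managed application is mounted as an ou=
branch of one DN namespace; a DN is resolved to the application's own unique
identifier, and schema mapping plus value modification are applied on access.
Repository names, attribute names and records are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """'uid=jdoe,ou=hcm,o=vds' -> [('uid', 'jdoe'), ('ou', 'hcm'), ('o', 'vds')]."""
    rdns = []
    for component in dn.split(","):
        attr, sep, value = component.strip().partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed DN component: {component!r}")
        rdns.append((attr.lower(), value))
    return rdns


@dataclass
class Repository:
    """A managed application with its own identifiers and its own schema."""
    name: str
    attr_map: Dict[str, str]            # virtual attribute -> backend attribute
    records: Dict[str, Dict[str, str]]  # application unique id -> backend record
    value_mods: Dict[str, Callable[[str], str]] = field(default_factory=dict)

    def to_virtual(self, record: Dict[str, str]) -> Dict[str, str]:
        """Present a backend record under the virtual schema; unmapped attributes stay hidden."""
        out = {}
        for virt, backend in self.attr_map.items():
            if backend in record:
                mod = self.value_mods.get(virt)
                out[virt] = mod(record[backend]) if mod else record[backend]
        return out


class VirtualDirectoryTree:
    def __init__(self, suffix: str):
        self.suffix = parse_dn(suffix)
        self.branches: Dict[str, Repository] = {}

    def mount(self, ou: str, repo: Repository) -> None:
        """Attach a repository as the branch ou=<ou>,<suffix>."""
        self.branches[ou.lower()] = repo

    def resolve(self, dn: str) -> Tuple[Repository, str]:
        """Map a DN in the virtual tree to (repository, application unique id)."""
        rdns = parse_dn(dn)
        if len(rdns) != len(self.suffix) + 2 or rdns[2:] != self.suffix:
            raise LookupError(f"DN not under virtual tree: {dn}")
        (rdn_attr, rdn_value), (ou_attr, ou_value) = rdns[0], rdns[1]
        repo = self.branches.get(ou_value.lower()) if ou_attr == "ou" else None
        if repo is None:
            raise LookupError(f"no repository mounted for {dn}")
        backend_attr = repo.attr_map.get(rdn_attr)
        if backend_attr is None:
            raise LookupError(f"{rdn_attr} is not mapped for {repo.name}")
        # The RDN carries a virtual name; find the backend record holding it and
        # return the identifier the application itself uses for that entry.
        for backend_id, record in repo.records.items():
            if record.get(backend_attr) == rdn_value:
                return repo, backend_id
        raise LookupError(f"no entry for {dn}")

    def read(self, dn: str) -> Dict[str, str]:
        repo, backend_id = self.resolve(dn)
        return repo.to_virtual(repo.records[backend_id])

    def modify(self, dn: str, virtual_attr: str, value: str) -> None:
        """Write-through: translate the attribute name, then update the backend."""
        repo, backend_id = self.resolve(dn)
        if virtual_attr not in repo.attr_map:
            raise LookupError(f"{virtual_attr} is not mapped for {repo.name}")
        repo.records[backend_id][repo.attr_map[virtual_attr]] = value


def build_demo_tree() -> VirtualDirectoryTree:
    """Two constructed repositories (an HCM-style store and a directory) behind one suffix."""
    hcm = Repository(
        name="hcm",
        attr_map={"uid": "sysuname", "mail": "email", "sn": "nachn"},
        records={"00001234": {"pernr": "00001234", "sysuname": "jdoe",
                              "email": "JDOE@EXAMPLE.COM", "nachn": "Doe"}},
        value_mods={"mail": str.lower},  # value modification: normalise case on read
    )
    corp = Repository(
        name="corp-ldap",
        attr_map={"uid": "sAMAccountName", "mail": "mail", "sn": "sn"},
        records={"a1b2c3d4-0000-4000-8000-000000000001": {
            "sAMAccountName": "asmith", "mail": "asmith@example.com",
            "sn": "Smith", "memberOf": "CN=Staff,DC=example,DC=com"}},
    )
    tree = VirtualDirectoryTree("o=vds")
    tree.mount("hcm", hcm)
    tree.mount("corp", corp)
    return tree
```

Calling `build_demo_tree().read("uid=jdoe,ou=hcm,o=vds")` returns the HCM record under the virtual attribute names, with the mail address lower-cased and the unmapped personnel number hidden.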

Architecture Overview

The following illustration gives a high-level overview of the architecture of the Virtual Directory Server:

The user interface that is used to maintain the configuration is installed on one server, while the configurations
are deployed on one or more servers running SAP NetWeaver AS for Java.

As of version 8.0 SP04 and higher, you install SAP Identity Management Virtual Directory Server using the
Software Provisioning Manager 1.0 installation tool.

Related Information

SAP Identity Management Installation and Update Guide on Windows
SAP Identity Management Installation and Update Guide on UNIX

3.2.10 Identity Management Portal Content

The Identity Management Portal Content integrates SAP Identity Management with the Universal Worklist
(UWL).

UWL gives users a unified and centralized way to access their work and relevant information in the portal. It
collects tasks from multiple provider systems in one list for easy access to all tasks. With this architecture, you
can also include tasks that originate from SAP Identity Management, for example, approvals.

As of version 8.0 SP04 and higher, you deploy SAP Identity Management Portal Content using the Software
Provisioning Manager 1.0 installation tool.

Related Information

UWL Integration Configuration Guide
SAP Identity Management Installation and Update Guide on Windows
SAP Identity Management Installation and Update Guide on UNIX

3.3 Solution-Wide Capabilities

The SAP HCM staging area identity store and SPML IDS identity store supplement the SAP provisioning
framework by providing functions used for the specific scenario.

The GRC framework is a separate framework that is used explicitly for integration with SAP Access Control.
Although it is a separate framework, it can be configured and used simultaneously with the other frameworks.

Additional Capabilities

Capability: Identity Services
Description: The SAP Identity Management Identity Services provide Web service access to identity information stored in an identity store in the Identity Center or some other application that can be accessed from the Virtual Directory Server. The identity services are Web services that are created and configured on the Virtual Directory Server and deployed on the AS Java.
More Information: Identity Services - Architectural Overview; Identity Services: Configuration Guide

Capability: Reporting (with SAP Business Warehouse)
Description: You can use SAP Business Warehouse for reporting on identities. This option uses a BW connector on the Virtual Directory Server for transferring the data to the BW system.
More Information: Identity Reporting Using SAP Business Warehouse

Capability: Custom Implementation
Description: You may need to extend the capabilities of SAP Identity Management to meet your own needs. For example, you may want to provision additional attributes, or you may want to trigger specific events when an identity is created or modified. For ABAP-based SAP systems, you can implement the Business Add-In (BAdI) interface IF_BADI_EXTEND_IDENTITY. This interface is available for use with the enhanced SAP Business Suite use case for the SAP provisioning framework.
More Information: SAP Identity Management Extension Framework Implementation Guide; Extending the SAP Provisioning Framework

4 Overall Implementation Sequence

The overall implementation sequence is set up in three main phases:

1. Planning phase
2. Implementation and test
3. Go-live

Planning phase

The first phase of the implementation sequence for SAP Identity Management is the planning phase. In this
phase, you should:

● Analyze your platform and system requirements and determine your system landscape. In addition to
taking into account system requirements like security, scalability, and performance, we recommend using
a staged approach. Do the initial implementation in a development system and move the configuration into
a quality system for testing, and finally into the production system.
● Take organizational steps to define the roles and responsibilities needed for the implementation phase.
● Define a role model that specifies how the various roles and privileges are represented and provisioned to
the various target systems.

Tip

We recommend you take the opportunity to clean up superfluous or outdated roles and privileges in
your system. Consider using business roles to consolidate the authorization information into a central
point of administration.

● Identify data ownership. This involves determining the originating and target systems for all objects and
their attributes that are to be handled in the identity management landscape. This is the basis for
configuring attribute mappings in the initial load jobs, update jobs, and provisioning tasks. This also
provides you with an overview of which connectors and frameworks you require.
● Determine customer-specific requirements for workflows, approval tasks, reporting, or extending the
frameworks that are available out-of-the box.
● Be aware of the following factors that influence performance before proceeding with the next phase.

Implementation phase

The implementation phase could include the following steps:

1. Download and install the various components in the development environment.
2. Perform the initial configuration.
3. Familiarize yourself with the product at a technical level.
This reduces errors when proceeding with the implementation.

4. Import the packages containing the individual frameworks and connectors required for your system
landscape.
5. Configure and run the initial loads.
After this step, the identity data is collected in the identity store.
6. Clean up the data in the identity store.
7. Set up additional processes, for example, approvals, self-services, reporting, or custom jobs.
8. Implement an authorization concept for using and working with SAP Identity Management. This includes
setting up access to the user interfaces as well as specifying attribute owners or setting up access control
for specific processes and forms.
9. Install and configure all software components in the QA environment.
10. Test the complete implementation, normally in a separate QA environment.

Go-live

Once all tests are successful, move the implementation to the production environment.

1. Install and configure all software components in the production environment.
2. Copy the relevant packages to the production environment and verify that it works as expected.

Related Information

Installation Overview [page 24]

4.1 Installation Overview

The software components can be installed on the same server or on several servers, depending on the
requirements and purpose of the installation. For a smaller development environment, all components could be
installed on the same server.

In a production environment, the components are normally divided between several servers prepared for high
availability and high performance:

● The database server must be clustered to ensure high availability of the data. See High Availability.
● The servers with SAP NetWeaver AS for Java for the Identity Management User Interface must be
clustered, to ensure high availability. Load balancing is handled by SAP NetWeaver AS for Java.
● The servers with the runtime components are duplicated by setting up two or more servers with identical
configurations. This will ensure high availability and load sharing of the processing. The runtime
components can also be distributed to the servers with SAP NetWeaver AS for Java.

All components of SAP Identity Management 8.0 are available for download from the SAP Software Download
Center on the SAP Support Portal. Install the prerequisites and the components in accordance with the
diagram above and the installation guides accompanying each of the components.

Related Information

Sizing Guide for SAP NetWeaver Identity Management 7.1/7.2
Software Components of SAP Identity Management [page 10]

5 SAP Identity Management Scenarios

This section describes some common implementation scenarios for SAP Identity Management.

Related Information

Provisioning for SAP or Non-SAP Systems [page 26]
Integration with SAP HCM [page 28]
Enhanced SAP Business Suite Integration [page 30]
Integration with SAP Access Control [page 33]
Logon Help [page 35]
Identity Federation [page 38]

5.1 Provisioning for SAP or Non-SAP Systems

Description

You can use SAP Identity Management for processing identity information in a variety of ways, depending on
your system landscape. You can use it in homogeneous or heterogeneous landscapes, either with or without
SAP systems. The identity store is the central storage location for the identity data, and when changes occur to
identity-related data, including roles, privileges, and the corresponding assignments, the identity-related
information is provisioned to the appropriate target systems.

Technical System Landscape

The figure below shows the basic system landscape to use for this scenario. The Identity Center is the central
component where you set up the provisioning tasks and jobs, as well as the connectivity to the target systems.
The Identity Center also hosts the role model and the data ownership model that are used to determine which
identity and privilege assignments and which attribute values are provisioned to which systems.

You can use the Virtual Directory Server to consolidate systems (as appropriate) and then connect the Virtual
Directory Server to the Identity Center. The Identity Management User Interface, where you make changes to
the identities and other identity-related information, runs on the AS Java.

See the figure below.

Software Units

The following components are used in this scenario:

● Identity Center
● Virtual Directory Server (optional)
● Identity Management User Interface

The following connectors are used in this scenario:

● SPML connector (for AS Java target systems, or non-SAP systems that use SPML)
● AS ABAP connector (for AS ABAP target systems)
● LDAP connector (for directory servers)
● Additional connectors (as appropriate for the target systems)

In addition, the SAP provisioning framework is used when connecting to SAP systems.

Implementation Sequence

For an overview of the implementation sequence, see the Overall Implementation Sequence.

The following documents provide more information about provisioning to SAP or non-SAP systems.

Related Information

Overall Implementation Sequence [page 23]
Connecting SAP Systems
Connecting Non-SAP Systems

5.2 Integration with SAP HCM

Description

In many cases, the primary source for identity information (employee master data) is the SAP HCM system.
When integrating SAP Identity Management with SAP HCM, identities are replicated to the Identity Center after
they are created in the SAP HCM system. Based on the role model that is set up in the Identity Center, SAP
Identity Management determines the user/role or user/group assignments that are provisioned to the various
target systems.

Technical System Landscape

The data transfer from the SAP HCM system to SAP Identity Management takes place using the Virtual
Directory Server. The Virtual Directory Server exposes an LDAP interface towards the identity store, allowing
the SAP HCM system to write to the identity store using the LDAP capabilities of the AS ABAP. As in the basic
scenario for provisioning to SAP or non-SAP systems, the identities and privilege assignments are provisioned
to the target systems based on the role model that is set up in the Identity Center. See the figure below.

Software Units

The following components are used in this scenario:

● Identity Center
● Virtual Directory Server
● Identity Management User Interface

The following connectors are used in this scenario:

● SPML connector (for AS Java target systems, or non-SAP systems that use SPML)
● AS ABAP connector (or the AS ABAP for SAP Business Suite connector, if used in combination with the
enhanced SAP Business Suite integration scenario)
● LDAP connector (for directory servers)
● Additional connectors (as appropriate for the target systems)

In addition, the SAP provisioning framework and the SAP HCM staging area identity store are used in this
scenario.

Implementation Sequence

For an overview of the implementation sequence, see the Overall Implementation Sequence.

The following documents provide more information about integration with SAP HCM systems.

Related Information

Setting Up an SAP HCM System

5.3 Enhanced SAP Business Suite Integration

Description

In addition to SAP HCM, you can integrate many applications from the SAP Business Suite into the SAP
Identity Management landscape. In this case, application-specific processing such as the creation of a business
partner is performed in addition to the provisioning of standard AS Java or AS ABAP identities (SU01 users)
and their corresponding assignments. The corresponding connector is provided with the SAP provisioning
framework.

Note

For many of the SAP Business Suite systems, for example, SAP CRM or SAP SRM, a central person is
created and used to link an identity to his or her business partners. When an identity is created and
provisioned with SAP Identity Management, this central person and the corresponding business partner are
also created in the SAP Business Suite system.

Another enhancement available in this scenario is that certain communication data for the employee can be
provisioned back to the SAP HCM system. This is not possible in the standard SAP HCM scenario. The table
below shows the applications that are supported by the AS ABAP for SAP Business Suite connector, additional
application-specific release prerequisites, if applicable, and the feature provided for the application.

SAP Business Suite Systems and Features Supported with Enhanced Business Suite Integration

SAP Business Suite Application: SAP Human Capital Management
Features: Sending of employee-related data from SAP HCM to SAP Identity Management. Transfer of identity data, including communication data, from SAP Identity Management to SAP HCM.
Prerequisites: SAP HCM application component Personnel Administration as of SAP Enhancement Package 4 for SAP ERP 6.0

SAP Business Suite Application: SAP ERP Financials (Auditing)
Features: A user with the role SAP_PLM_AUDITOR will also receive authorizations for the transactions Audit Management and Audit Monitor, as soon as the user and authorization distribution has been completed.
Prerequisites: CA-AUD (auditing) of SAP ERP cross-application components as of SAP Enhancement Package 4 for SAP ERP 6.0

SAP Business Suite Application: SAP ERP Financials (Accounting)
Features: A new SAP Financials user automatically receives access to all of the functions for the corresponding company code that apply to his or her responsibility.
Prerequisites: A new SAP Financials user automatically receives access to all of the functions for the corresponding company code that apply to his or her responsibility.

SAP Business Suite Application: SAP Transportation Management (SAP TM)
Features: The combination of a user account, a business partner, and a central person is created automatically.
Prerequisites: SAP HCM application component Personnel Administration as of SAP Enhancement Package 4 for SAP ERP 6.0 (optional); SAP TM 7.0 or higher

SAP Business Suite Application: SAP Extended Warehouse Management (EWM)
Features: The combination of a user account, a business partner, and a central person is created automatically.
Prerequisites: SAP HCM application component Personnel Administration as of SAP Enhancement Package 4 for SAP ERP 6.0; SAP EWM 7.0 or higher with labor management activated

SAP Business Suite Application: SAP Supply Network Collaboration
Features: Triggers automatic generation of users and business partners for SAP SNC.
Prerequisites: SAP HCM application component Personnel Administration as of SAP Enhancement Package 4 for SAP ERP 6.0; SAP SNC 7.0 or higher

SAP Business Suite Application: SAP Service Parts Planning (SPP)
Features: Triggers automatic generation of users and business partners for SAP SPP.
Prerequisites: SAP HCM application component Personnel Administration as of SAP Enhancement Package 4 for SAP ERP 6.0 (for the creation of users and business partners for new employees)

SAP Business Suite Application: SAP Product Lifecycle Management
Features: Users are created in PLM, based on employee data from SAP HCM.
Prerequisites: SAP HCM application component Personnel Administration as of SAP Enhancement Package 4 for SAP ERP 6.0; the PLM Web User Interface (PLM Web UI) is activated.

SAP Business Suite Application: SAP Portfolio and Project Management
Features: The combination of a user account, a business partner, and a central person is created automatically.
Prerequisites: SAP HCM application component Personnel Administration as of SAP Enhancement Package 4 for SAP ERP 6.0

SAP Business Suite Application: SAP Customer Relationship Management (SAP CRM)
Features: SAP Customer Relationship Management (SAP CRM)
Prerequisites: SAP CRM 7.0

SAP Business Suite Application: SAP Supplier Relationship Management (SAP SRM)
Features: The combination of a user account, a business partner, and a central person is created automatically.
Prerequisites: SAP ERP HCM as of SAP Enhancement Package 4 for SAP ERP 6.0; SAP SRM 7.0

Technical System Landscape

The system landscape to use for this scenario is similar to the landscape for the other scenarios that involve
SAP systems. Typically, the SAP HCM system is set up as the starting point for maintaining identity data, which
is then provisioned to the target systems. The difference in this scenario is that the AS ABAP for SAP Business
Suite connector is used to connect to the corresponding SAP Business Suite systems instead of the AS ABAP
connector. This allows for the additional application-specific processing of the identity information.

In addition, certain SAP Business Suite applications (for example, SAP CRM or SAP SRM) send identity-
related information to SAP Identity Management using identity services, which run on an AS Java.

See the figure below.

Software Units

The following components are used in this scenario:

● Identity Center
● Virtual Directory Server (assuming the SAP HCM is included in the system landscape)
● Identity Management User Interface

The following connectors are used in this scenario:

● SPML connector (for AS Java target systems, or non-SAP systems that use SPML)
● AS ABAP for SAP Business Suite connector (for SAP Business Suite target systems)
● LDAP connector (for directory servers)
● Additional connectors (as appropriate for the target systems)

The following frameworks are used in this scenario:

● SAP provisioning framework
● SAP HCM staging area identity store
● SPML IDS identity store (for SAP CRM and SAP SRM applications)

Implementation Sequence

For an overview of the implementation sequence, see the Overall Implementation Sequence.

The following documents provide more information about enhanced SAP Business Suite Integration.

Related Information

Overview of the supported SAP Business Suite integration scenarios

5.4 Integration with SAP Access Control

Description

The integration with SAP Access Control consists of a set of tasks in the Identity Center and a configuration in
the Virtual Directory Server that enables the use of SAP Access Control for risk validation before user
provisioning. Using this solution, SAP Identity Management can provision to multiple target systems that are
controlled by SAP Access Control, ensuring compliance with the rules implemented there.

When business requirements imply compliance and segregation of duties checks, SAP Identity Management
performs risk validation on SAP Access Control before assigning permissions.

Technical System Landscape

There are two landscape configuration scenarios for the integration:

● Centralized provisioning
We recommend centralized provisioning as the default solution. This is a scenario where SAP Identity
Management is the only provisioning system, responsible for provisioning both the assignments requiring
and not requiring compliance checks to the systems (both SAP and non-SAP). SAP Identity Management
uses SAP Access Control to execute risk analysis.
● Distributed provisioning
This solution is recommended for use only in exceptional cases. The provisioning is performed both by SAP
Identity Management and SAP Access Control.

The figure below shows an overview of the system landscape when using centralized provisioning.

Software Units

The following components are used in this scenario:

● Identity Center
● Virtual Directory Server

● Identity Management User Interface

In addition to the connectors for identity provisioning to the target systems, the SAP Access Control (GRC)
connector is needed in this scenario. In addition to the SAP provisioning framework, the GRC framework is
needed in this scenario.

Implementation Sequence

If SAP Identity Management is to perform the provisioning tasks, set up provisioning to the target systems
based on the overall implementation sequence. In addition, set up the integration with SAP Access Control as
follows:

1. Create the corresponding configuration on the Virtual Directory Server.
2. Extend the Identity Center identity store schema.
3. Import the SAP GRC provisioning framework and corresponding service jobs into the Identity Center.
4. Adjust the Identity Center and Virtual Directory Server configurations.
5. Initialize the process by running the initial load jobs.

For more information about SAP Access Control integration, including detailed information about the
implementation steps, see the documents listed below.

Related Information

Integration with SAP Access Control 10.0 or higher using the GRC 10.0 or higher Provisioning Framework Version 2

5.5 Logon Help

SAP Identity Management Logon Help is a client application for Microsoft Windows.

Description

Logon Help enables users in a Microsoft Windows domain to reset their passwords from the Microsoft Windows
logon screen by answering a set of security questions. SAP Identity Management Identity Center checks that
the answers are correct and provisions the new password into the Microsoft Windows domain. Once complete,
Logon Help enables the user to log on to the Microsoft Windows domain. Logon Help empowers users to reset
their own passwords without having to resort to local call centers for a password reset.

Technical System Landscape

Logon Help communicates with the Identity Center to get the required information to enable password resets
for users of Microsoft Windows.

The figure above illustrates a user logging on to the SAP Identity Management user interface to set security
questions and answers, which the Identity Center saves in the identity store. When a user forgets his or her
password, the user starts the Logon Help client from the Microsoft Windows logon screen. Logon Help retrieves
the security questions from the identity store through the Identity Center. The user then provides the required
answers and a new password. Logon Help passes the answers to the Identity Center, which checks them
against the hash values of the answers stored in the identity store. If they match, the Identity Center resets the
password and provisions the new password to the network. Logon Help then polls the domain controller until
the new password is available and logs the user on.
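The answer check in the flow above, written out as an added Python example that is not SAP's implementation: the guide only states that the Identity Center compares the submitted answers with hash values held in the identity store, so the scheme used here (answer normalisation, a random salt per answer, PBKDF2-HMAC-SHA256, constant-time comparison with no early exit, and password provisioning only after all answers verify) is this example's assumption, and the question IDs and answers are constructed sample data.

```python
"""Checking security-question answers against stored hash values.

Added example, not SAP's implementation. The Logon Help section only says that
the Identity Center compares the user's answers with hash values held in the
identity store; the scheme below (answer normalisation, per-answer random salt,
PBKDF2-HMAC-SHA256, constant-time comparison, no early exit) is this example's
assumption about how such a check should be built.
"""
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass
from typing import Callable, Dict, Iterable

DEFAULT_ITERATIONS = 600_000  # assumption; size to your hardware and latency budget


def normalize(answer: str) -> str:
    """Fold case, Unicode form and whitespace so 'Main  Street' matches 'main street'."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


@dataclass(frozen=True)
class StoredAnswer:
    """What the identity store keeps for one question: never the answer itself."""
    question_id: str
    salt: bytes
    iterations: int
    digest: bytes


def _digest(answer: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                               salt, iterations)


def enroll(question_id: str, answer: str,
           iterations: int = DEFAULT_ITERATIONS) -> StoredAnswer:
    """Run when the user sets a question and answer in the user interface."""
    if not normalize(answer):
        raise ValueError("an empty answer cannot be enrolled")
    salt = os.urandom(16)  # fresh per answer, so equal answers hash differently
    return StoredAnswer(question_id, salt, iterations, _digest(answer, salt, iterations))


def verify_answers(stored: Iterable[StoredAnswer], submitted: Dict[str, str]) -> bool:
    """True only if every enrolled question was answered correctly.

    Every entry is checked even after a mismatch and each comparison is
    constant-time, so the response time does not reveal which answer failed.
    A missing answer is treated as wrong; an empty enrolment can never pass.
    """
    entries = list(stored)
    all_ok = bool(entries)
    for entry in entries:
        candidate = submitted.get(entry.question_id, "")
        computed = _digest(candidate, entry.salt, entry.iterations)
        all_ok &= hmac.compare_digest(computed, entry.digest)
    return all_ok


def reset_password(stored: Iterable[StoredAnswer], submitted: Dict[str, str],
                   new_password: str, provision: Callable[[str], None]) -> bool:
    """Mirror the Logon Help sequence: verify first, provision only on success."""
    if not verify_answers(stored, submitted):
        return False
    provision(new_password)  # e.g. the task that sets the password in the domain
    return True
```

Storing the iteration count with each entry lets the work factor be raised for new enrolments without invalidating existing ones.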

Software Units

The system landscape required for SAP Identity Management Logon Help assumes the following components:

● Microsoft Windows domain
You have a network of workstations in one or more Microsoft Windows domains with your users in an Active
Directory server (ADS).

● SAP Identity Management Identity Center 7.2 SP 06 or higher

Implementation Sequence

The implementation sequence for Logon Help requires the following steps in addition to the overall
implementation sequence.

1. Configure the user management engine (UME) of the SAP NetWeaver AS Java to use the ADS as the data
source.
The mapping of the UME to the ADS enables your Microsoft Windows users to log on to the SAP Identity
Management user interfaces so they can set their security questions.
2. For the Identity Center to read data from the ADS into its identity store, the following prerequisites must be
met:
○ The Identity Center is configured to use the ADS as its data source.
○ To provision passwords to the Active Directory, you need to set up an SSL connection between the
Identity Center and the Active Directory. At least indicate the SSL port of the Active Directory in the
repository constants. For more information, see Repository Constants for Active Directory for
Provisioning Framework in SAP Identity Management Configuration Guide.
○ On the AS Java, the administrator has assigned the users of the Active Directory at least the UME
action to access the Identity Center UI.
Then execute the steps below:
○ Under Enterprise > People > Password Policy, enable Password Provisioning.
○ Configure the self-service password reset feature. This also includes defining a UI task to enable the
business users to enter the responses to the security questions. This is only possible after making the
task available to all users.
○ Use the Set Password On AD task as part of the provisioning framework.
3. Install and configure SAP Identity Management Logon Help on the client computers.

The following documents provide more information about Logon Help for SAP Identity Management.

Related Information

Repository Constants for Active Directory for Provisioning Framework
Setting Up a Microsoft Active Directory and Microsoft Exchange

5.6 Identity Federation

Description

Identity federation provides the means to share identity information across company boundaries. To share
information about a user, partners must be able to identify the user, even though they may use different
identifiers for the same user. The name identifier (name ID) is the means to establish a common identifier.
Once the name ID has been established, the user is said to have a federated identity. Identity federation
enables SSO for Web-based access and Web services across domains, such as between companies. SAP’s
solution relies on standards for interoperability between SAP and non-SAP systems. For Web-based access,
identity federation uses an identity provider that supports SAML 2.0. SAML 2.0 also enables Single Log-Out
(SLO). You can also use identity federation to transport profile attributes to create or update temporary or
permanent users between systems. You can even transport authorization attributes enabling you to change
user authorizations in a target system. For Web services, identity federation uses a security token service (STS)
that supports WS-Trust 1.3. The STS supports a number of authentication methods from a Web service
consumer and can convert these tokens into a security token that a Web service provider can use. The STS
supports X.509, SAML 1.1, and SAML 2.0 tokens. Like SAML 2.0 for Web-based access, the SAML 2.0 assertion
can transport profile and authorization attributes to the target Web service provider.

Technical System Landscape

The figures below show an overview of example system landscapes when using federation.

Tip

Protect all communication between systems with Secure Sockets Layer (SSL) especially those that carry
messages that are not already encrypted.

Identity federation for Web-based access relies on an identity provider that links a local account to a number of
user accounts on service providers with a name ID. When a user logs on to the service provider, the service
provider only needs the name ID to log the user on to the local account.

Identity federation for Web services relies on an STS to provide a security token to a Web service consumer.
Before the STS can issue a security token, it needs authentication credentials for the local user of the STS. The
STS provides the name ID (or subject for X.509 tokens) that the Web service consumer uses to authenticate
the user at the Web service provider. The figure above uses a Web service consumer and Web service provider
of an AS ABAP, but the solution is not limited to the AS ABAP or even SAP consumers and providers.

Software Units

For Web-based access, the primary component used for federation is the identity provider, which runs on the
AS Java. The target systems that are to be included in the federation scenario also need to be active service
providers.

For Web services, the primary component used for federation is the STS, which runs on the AS Java. The target
systems that are to be included in the federation scenario also need to be active Web service consumers and
Web service providers.

Implementation Sequence

The implementation sequence for the federation scenarios differs from the overall implementation sequence.

● Web-Based Access
1. Download and install the federation software.
2. Configure the identity provider.
3. Enable the identity provider.
4. Configure the types of protocol bindings to support.

5. Identify and configure the trusted service providers.
● Web Services
1. Download and install the federation software.
2. Configure the STS.
3. Enable the STS.
4. Select the authentication types for Web services.
5. Trust the Web service providers.
6. Identify and configure the trusted Web service providers.
7. Identify and configure the Web service consumers.

For more information about identity federation, including detailed information about the implementation steps,
see the following documents:

Related Information

Identity Provider for SAP Single Sign-On and SAP Identity Management
Security Token Service for SAP Single Sign-On and SAP Identity Management

6 Appendix

The following list shows all documents mentioned in this Master Guide.

Related Information

SAP Identity Management Installation and Update Guide on Windows
SAP Identity Management Installation and Update Guide on UNIX
SAP Identity Management Security Guide
SAP Identity Management Solution Operation Guide
SAP Identity Management - Connector Overview
Sizing Guide for SAP NetWeaver Identity Management 7.1/7.2
SAP Identity Management Configuration Guide
SAP Identity Management Developer Studio
Provisioning Framework for SAP Identity Management 8.0
Identity Reporting Using SAP Business Warehouse
SAP Identity Management Extension Framework Implementation Guide
Identity Provider for SAP Single Sign-On and SAP Identity Management
Security Token Service for SAP Single Sign-On and SAP Identity Management
SAP Identity Management REST Interface Version 2
Integration with SAP Access Control 10.0 or higher using the GRC 10.0 or higher Provisioning Framework Version 2
Logon Help for SAP Identity Management Implementation Guide

Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.

Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.

www.sap.com/contactsap

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form
or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for
informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for
additional trademark information and notices.
