Configure Identity Authentication for Real-Time Provisioning

Enable real-time provisioning in Identity Authentication to trigger immediate synchronization of user changes to target systems configured in Identity Provisioning.

  • You have created a technical user for accessing the real-time provisioning API and assigned it the Access Real-Time Provisioning API permission. This user must be an administrator of type System. You have also configured a Secret for the technical user.

    For more information, see Add System as Administrator.

    For the OAuth authentication scenario on tenants running in the Neo environment, you have made the required configurations in the SAP BTP cockpit. For more information, see Create OAuth Client Credentials in SAP BTP Cockpit.

  • You have created an Identity Authentication source system in Identity Provisioning and connected it to the target systems of your choice.

    For more information, see Identity Authentication and Target Systems.

Context

In this scenario you configure Identity Provisioning as a target system in the real-time provisioning configuration of Identity Authentication, and Identity Authentication as a source system in Identity Provisioning. As a result, when users are created, updated or deleted in Identity Authentication, the changes are immediately provisioned to the target systems configured in Identity Provisioning.

Real-time provisioning applies to users that have been created or updated in Identity Authentication manually, through the SCIM API (version 1 or 2), or via CSV file upload. It does not apply to users updated by a provisioning job.

Caution:

Users coming from a source (system A) that are created or updated in an Identity Authentication target (system B) by a provisioning job cannot later be synchronized from Identity Authentication to another target (system C) using real-time provisioning. This is precautionary behavior that prevents data collisions if you later decide to run a provisioning job for the same systems: Identity Authentication source (system B) and target (system C). See the example below.

Example:

  1. You enable real-time provisioning for Identity Authentication and configure it as a source system that points to an SAP Marketing Cloud target system.

    As a result, Identity Authentication users are immediately provisioned to SAP Marketing Cloud.

  2. You configure Microsoft Active Directory as a source system that points to an Identity Authentication target system and run a provisioning job.

    As a result, Microsoft Active Directory users are provisioned to Identity Authentication. Even though new users are created in Identity Authentication, they are not provisioned further to SAP Marketing Cloud by real-time provisioning.

Tip:

If you want to provision groups in real time, you need to use a REST client to send POST and DELETE requests to the Real-Time Provisioning API: https://<tenantId>.<host>/ipsproxy/service/api/v1/systems/<system-id>/entities/group.

To configure real-time provisioning in Identity Authentication so that user changes are immediately synchronized to the target systems configured in Identity Provisioning, follow the procedure below:

  1. Sign in to the administration console for SAP Cloud Identity Services.

  2. Under Users & Authorizations, choose the Real-Time Provisioning tile.

    This operation opens a list of the target systems.

  3. Choose the +Add button to add a new target system and provide the following information (New System, Target Configurations):

    Display Name:
    Provide a name for the target system. It can be identical to the name of the source system you have created in Identity Provisioning.

    Type:
    From the dropdown, select Identity Provisioning.

    SCIM URL:
    Provide the SCIM URL in the following pattern:

    https://<ias-tenant-host>/ipsproxy/service/api/v1/systems/<system-id>/entities/user

    The <system-id> is the ID of the Identity Authentication source system you have added in Identity Provisioning. It is displayed at the end of the system URL.

    Version:
    Defines the version of the Identity Authentication SCIM API:

    • 1 - the Identity Authentication SCIM API (in short, SCIM API version 1) is used.

    • 2 - the Identity Directory SCIM API (in short, SCIM API version 2) is used.

    Note:

    The version that you specify here must be the same as the version of the ias.api.version property in the Identity Authentication source system.

    Authentication Mechanism:
    Select one of the following mechanisms.

    OAuth

    For tenants running on SAP Cloud Identity infrastructure, use the user ID and password of the Identity Authentication technical user. Provide an OAuth token URL following the pattern: https://<ias-tenant-host>/oauth2/token

    Note:

    OAuth authentication is only supported when calling the Real-Time Provisioning API. It cannot be configured in the administration console of SAP Cloud Identity Services.

    For tenants running in the Neo environment, see Create OAuth Client Credentials in SAP BTP Cockpit.

    Basic

    If you choose this option, provide the following information:

    • In the Username field, enter the client ID of the technical user.

    • In the Password field, enter the client secret of the technical user.

    For more information, see step 6 in Add System as Administrator.

    Certificate

    If you choose this option, proceed as follows:

    1. Provide a common name and a password.

    2. Generate and download the certificate.

    3. Import it in the Configure System Authentication screen of the technical user for real-time provisioning, as described in step 6 in Add System as Administrator.

    The maximum length of the CN is 64 characters. Once the certificate is generated, it is saved as a .crt file. The common name is in the format <common name>(<admin user ID>), where common name is the CN provided by the administrator, and admin user ID is the administrator's user ID.

    Identity Authentication supports SAP Passport CA as a trusted certificate authority (CA).

  4. Save your changes.

    If the operation is successful, the system displays the message: Target system <name of system> created.

  5. Optional: Choose Test Connection before executing the provisioning.

    If the setup is correct, the following message is displayed: Connection to the selected target system was established successfully.

  6. Choose Provision.

Verify that the changes in Identity Authentication are provisioned to the target systems configured in Identity Provisioning. Each subsequently created or updated user is provisioned instantly and automatically.
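The following is an added example, not SAP's code, that ties together the settings from this procedure and the group tip above: it builds the user, group and OAuth token URLs from the patterns given, enforces the rule that Version must equal the ias.api.version property of the source system, and sends the token request and a group POST through an injectable transport so the logic can be exercised offline. The client-credentials grant with the client ID and secret as HTTP Basic, and the SCIM 2.0 core Group request body, are assumptions; the page does not document the request format, so check them against your tenant before relying on them.

```python
import base64
import json
from urllib import request

# URL patterns taken from the procedure above; the caller supplies host and IPS system-id.
USER_PATH = "/ipsproxy/service/api/v1/systems/{sid}/entities/user"
GROUP_PATH = "/ipsproxy/service/api/v1/systems/{sid}/entities/group"
TOKEN_PATH = "/oauth2/token"

def endpoints(ias_tenant_host, system_id):
    """Build the user, group and OAuth token URLs for one Identity Provisioning source system."""
    if not system_id or "/" in system_id:
        raise ValueError("system-id is the last path segment of the IPS system URL")
    base = "https://" + ias_tenant_host
    return {"user": base + USER_PATH.format(sid=system_id),
            "group": base + GROUP_PATH.format(sid=system_id),
            "token": base + TOKEN_PATH}

def check_version(target_version, ias_api_version):
    """The target system's Version must equal ias.api.version of the IAS source system in IPS."""
    if target_version not in (1, 2):
        raise ValueError("Version must be 1 (SCIM API v1) or 2 (Identity Directory SCIM API)")
    if target_version != ias_api_version:
        raise ValueError(f"Version {target_version} != ias.api.version {ias_api_version}")
    return True

def http_send(url, method, headers, body):
    """Real transport: one HTTPS request, returning (status, response bytes)."""
    req = request.Request(url, data=body, method=method, headers=headers)
    with request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()

def fetch_token(urls, client_id, client_secret, send=http_send):
    """ASSUMED: client-credentials grant at the token URL, client ID/secret sent as HTTP Basic."""
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + cred, "Content-Type": "application/x-www-form-urlencoded"}
    status, body = send(urls["token"], "POST", headers, b"grant_type=client_credentials")
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    return json.loads(body)["access_token"]

def provision_group(urls, token, display_name, member_ids, send=http_send):
    """POST one group to the real-time provisioning API; body ASSUMED to be a SCIM 2.0 core Group."""
    payload = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
               "displayName": display_name, "members": [{"value": m} for m in member_ids]}
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/scim+json"}
    status, _ = send(urls["group"], "POST", headers, json.dumps(payload).encode())
    return status, payload
```

Pass your own sender (any callable with the http_send signature) to record requests or to route them through a proxy during testing; with the default sender the calls go to the tenant host you supply.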

Related Information

Enable Real-Time Provisioning in Source Applications

Configure SAP Jam for Real-Time Provisioning

Provision Users to Target Systems

Delete Target System