
Week 1: Strategy and Innovations

Unit 4: Identity Access Management


Identity Access Management
The Intelligent Enterprise: the Recruit to Retire process is at the heart of it

[Figure: layers of the Intelligent Enterprise]
▪ Business network
▪ Business process across all functions: Lead to Cash, Recruit to Retire, Design to Operate, Source to Pay
▪ Experience management
▪ Applications: Intelligent Suite (SAP S/4HANA, SAP SuccessFactors HXM, SAP Fieldglass, SAP Concur), Industry Cloud
▪ Sustainability management
▪ Technology: Business Technology Platform

© 2021 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 2


Recruit to Retire integration facilitates exceptional workforce experience

Recruit to Retire process


Understand, manage, and optimize all aspects of workforce (employees and external workers) in line with business
objectives and with clear financial impact – facilitating exceptional workforce experience and business transformation

Process steps: Plan, Staff, Onboard, Work, Travel, Pay & Close

Sub-processes:
▪ Hire to Retire: Life Cycle of an Employee
▪ Travel to Reimburse: Worker Travel and Expense Management
▪ External Workforce: Life Cycle of an External Worker

▪ Get the workforce engaged and productive, quickly
▪ Provide insights to make better talent decisions – aligning to key business and financial priorities
▪ Drive new and meaningful experiences that link purpose to performance

Products: SAP SuccessFactors, SAP S/4HANA Cloud, SAP Analytics Cloud, SAP Concur, SAP Fieldglass
End-to-end integrated Hire to Retire process
Process steps: 1. Plan, 2. Recruit, 3. Onboard, 4. Work, 5. Pay & Close

SAP SuccessFactors Onboarding & Recruiting:
▪ Recruiting: Post job; Screen and interview candidates; Rank and select candidates; Approve and send offer; Measure recruiting effectiveness*
▪ Onboarding: Collect personal data and compliance forms; Create new hire tasks; Post-hire tasks; Complete onboarding; Measure onboarding*

SAP SuccessFactors Core HR and Payroll:
▪ Analyze workforce demographics to inform hiring decisions*
▪ Request job requisition for internal resource
▪ Job requisition request submitted
▪ Process pending hires
▪ Manage work & life events of employees
▪ Record (working) times
▪ Run payroll
▪ Post payroll results
▪ Pre-payroll analytics*, Payroll processing analytics*, Post-payroll analytics*

SAP S/4HANA Cloud:
▪ Assign employees to project tasks
▪ Record project times
▪ Reimburse expenses
▪ Book payroll results
▪ Update financial statements

Digital workplace experience with SAP SuccessFactors Work Zone

SAP Business Technology Platform: SAP Task Center, SAP Cloud Identity Services, SAP One Domain Model and SAP Master Data Integration service

Implementation, Configuration, and Operation Tools: SAP Cloud ALM, SAP Central Business Configuration

* Requires Workforce Analytics (WFA) license
SAP Cloud Identity Services – Identity Authentication, Identity Provisioning

▪ Identity Authentication: Authentication & Single Sign-On
▪ Identity Provisioning: Identity Lifecycle Management

SAP Cloud Identity Services

[Figure: SAP Cloud Identity Services between the end user and SAP cloud business applications]
▪ End User
▪ SAP Cloud Identity Services:
  − Identity Authentication: Authentication & Single Sign-On
  − Identity Provisioning: Identity Lifecycle Management
▪ SAP cloud business applications: SAP S/4HANA, SAP BTP, SAP Customer Experience, SAP SuccessFactors
▪ Delegated Authentication: Corporate Identity Provider
▪ User Store

SAP Cloud Identity Services – Identity Authentication

[Figure: Identity Authentication between the business user and SAP and non-SAP business applications]
▪ Business User
▪ SAP Cloud Identity Services, Identity Authentication:
  − Authentication: Username/password, X.509, Kerberos / SPNEGO, 2FA (TOTP, RSA, SMS)
  − Identity Federation
  − Corporate user store
▪ SAP and non-SAP Business Applications, connected via SAML / OpenID Connect
▪ Corporate Identity Provider (SAML): Microsoft ADFS / Azure, Third-party IdP
▪ On-Premise User Store (Cloud Connector): AS ABAP, MS Active Directory, LDAP

Delegated authentication toward multiple identity providers (conditional authentication)

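[Figure: conditional authentication]
▪ Conditions: Member of User Group, IP Address Range, Email Domain, User Type
▪ User populations: Partners, Externals, Employees
▪ Authenticating systems: Partner Identity Providers, Identity Authentication, Corporate Identity Provider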

SAP Cloud Identity Services – Identity Authentication

Capabilities
▪ IdP proxy – integration with existing IAM infrastructure
▪ Based on open security standards: SAML 2.0 and OpenID Connect (OIDC)
▪ Delegated authentication to multiple identity providers
▪ Multi-factor authentication
▪ Configured password policies
▪ Risk-based authentication
▪ Protecting self-registration with Google reCAPTCHA or phone verification
▪ Branding and customization, such as company logo
▪ Logon overlays
▪ User and group management

Employee lifecycle management in the cloud

▪ Onboarding: Create user account; Assign authorizations
▪ Position change: Update authorizations
▪ Promotion: Update authorizations
▪ Offboarding: De-provision user and authorizations

SAP Cloud Identity Services – Identity Provisioning

[Figure: Identity Provisioning between source systems and target/proxy systems]
▪ User Store (cloud/on-premise source systems): Source System with User Repository and User Management API
▪ SAP Cloud Identity Services, Identity Provisioning: Source System Connector; Identity Lifecycle Management (Manage Groups & Roles Assignments); Target / Proxy System Connector
▪ SaaS Business Applications (cloud target/proxy systems): Target / Proxy System with User Repository and User Management API

SAP Cloud Identity Services – Identity Provisioning

Capabilities
▪ Based on open security standard: SCIM 2.0
▪ Provides IPS system connectors of scopes: Source, Target, Proxy
▪ Configurable properties and transformations to:
  − Merge identities from multiple sources
  − Define policy-based assignments
  − Map between identity models
  − Filter identities to be read/written
▪ IPS system connectors of proxy scope to:
  − Support hybrid system integration with on-premise SAP Identity Management
  − Support third-party IAM integration

SAP Cloud Identity Services – identity authentication demo

[Figure: demo setup for Identity Authentication]
▪ Business User
▪ SAP Cloud Identity Services, Identity Authentication:
  − Authentication: Username/password, X.509, Kerberos / SPNEGO, 2FA (TOTP, WebAuthn, RSA, SMS)
  − Identity Federation
  − Corporate user store

SAP Cloud Identity Services – Identity Provisioning Demo

[Figure: demo setup for Identity Provisioning]
▪ User Store (source system): Identity Authentication (IAS)
▪ SAP Cloud Identity Services, Identity Provisioning: Source Connector; Identity Lifecycle Management (Manage Groups & Roles Assignments); Target Connector (SAP Analytics Cloud)
▪ SaaS Business Applications (target system): SAP Analytics Cloud

SAP Cloud Identity Services – product road map

Browse our road map in the SAP Road Map Explorer: The road map explorer is an important tool to use in articulating the product vision and strategy.

SAP Cloud Identity Services

Browse Online

Summary

You have learned:


▪ Role of SAP Cloud Identity Services in the Recruit to Retire scenario
▪ SAP Cloud Identity Services – Identity Authentication supports authentication and single sign-on
▪ SAP Cloud Identity Services – Identity Provisioning supports identity lifecycle management
