This is quick informational post based on a recent conversation about SAP Identity Provisioning Service (IPS) and “unavailable” connector bundles. In short: if your IPS tenant is missing a connector, check out the available connectors on the new IPS tenant on the SAP Identity Service Infrastructure.

About me (disclaimer)

In my role at SAP, I help our customers to wrap their heads around the security of SAP Cloud Products. As I am doing that in a presales capacity for many years, I have been part of many deals, discussion and architecture talks. But as I am NOT a consultant who tinkers with those SAP Systems every day, I can and will not provide any type of recommendations. All of my writings are purely my own opinion. So you need to read the respective sources and documents that I may have interpreted (wrongly) and come up with your own educated decisions.

Identity Provisioning Service (IPS)

The IPS is part of the SAP Identity Services (IAS+IPS). It does transport User Identities and their assigned roles from one system to an other. In order to do that, IPS does bring a bunch of so called connectors and it also exposes a SCIM interface.

IPS flavors

IPS does have a bit of a history and in consequence there are two flavors available. The main differentiating factor is the infrastructure they are deployed upon which can be

• BTP NEO
• SAP Identity Services Infrastructure

IPS tenant on BTP NEO

These IPS tenants are deployed as a BTP NEO service. That means handling them should be mostly like any other BTP NEO service. e.g. Login via Cloud Cockpit, rights assignment etc.

The connectors of these tenants are tied to the so called “Bundles”. And you will most likely already have experienced what the documentation is describing

“… if your bundle tenant is running on SAP BTP, Neo environment, a limited number of connectors are enabled by default.”

So depending on what SAP Cloud Service your company has signed up for, this or that bundle will be applicable and with that the “bundle connectors” will be more or less available to you. As the various bundles have been created with different scenarios in mind and some intended bundles never got to see the light of day, there have been “a few” cases where customers might have gotten stuck with being unable to get a connector.

IPS on SAP Identity Services Infrastructure (new)

As part of evolving the IAS & IPS into the SAP Cloud Identity Services, any newly provisioned IPS tenant is deployed on the SAP Cloud Identity Services Infrastructure since March 15th 2022.

The (new) IPS tenants bring most of the available system connectors out of the box right away. Let`s look at this particular part of the documentation (as of 02/26/2023) below. If you read carefully, it says all connectors are available just not those listed in this table.

IPS SAP Help: Most connectors are available

How do I find out if my IPS tenant is “New” or still on BTP NEO?

You might want to try the IAMTENANTS interface. That system should give you a list of all your available IAS & IPS tenants and when they have been created. The creation date is a very good indicator of what IPS deployment type you are facing – anything deployed after March 15th 2022 should be a IPS tenant on SAP Cloud Identity Infrastructure. And thus should contain most of the connectors right away.

You can also check if you can access the IPS tenant like any other BTP NEO service. If yes, you obviously got a BTP NEO IPS tenant.

IPS tenants with this service URL syntax should be on the new infrastructure

https://<tenant_id>.accounts.ondemand.com/ips/

How to get access to all those bundle connectors in my IPS?

You could consider migrating your existing IPS Neo tenant to the SAP Identity Service infrastructure. Please read the documentation carefully and do not trigger a migration lightly. Remember the good old mantra “never touch a running system”.

There are still connectors missing in my IPS?

Revisit the documentation if connector you are missing is not officially excluded.

Then check in the connector documentation if this particular connector might only be available in an IPS Stand Alone Tenant. An IPS Stand Alone tenant is currently only commercially available as part of SAP Identity Access Governance.

And unfortunately, not all SAP Cloud Systems are yet integrated with IPS. You might want to check with the respective product sources and road maps about potential plans to support IPS.

Abbreviations

• BTP: SAP Business Technology Platform
• BTP NEO: SAP Business Technology Platform NEO
• IAS: SAP Cloud Identity Services – Identity Authentication
• IPS: SAP Cloud Identity Services – Identity Provisioning
• aka: Also known as – auch bekannt als
• SCIM: System for Cross-domain Identity Management
• SAP: Systemanalyse Programmentwicklung