Service offering

SAP Cloud Identity Services

SAP Cloud Identity Services — comprising Identity Authentication (IAS), Identity Provisioning (IPS), and the Identity Directory (IdDS) — form the mandatory identity foundation for every SAP cloud landscape. We design, configure, and harden IAS/IPS implementations that integrate cleanly with your corporate IdP, automate user lifecycle management, and enforce consistent security policy across all SAP applications.

Identity Authentication (IAS) · Identity Provisioning (IPS) · Identity Directory (IdDS) · SAML 2.0 · OIDC / OAuth 2.0 · SCIM 2.0 · MFA / Risk-Based Auth · Entra ID · Okta · Google · Corporate IdP Proxy

The Three Components of SAP Cloud Identity Services

SAP Cloud Identity Services is not a single product — it is a suite of three tightly integrated services, each with a distinct responsibility in the identity architecture.

IAS
Identity Authentication
Authentication broker · SAML 2.0 · OIDC / OAuth 2.0 · Risk-based policies · MFA
  • Central SSO hub for all SAP cloud applications
  • Federates with corporate IdPs (SAML / OIDC proxy)
  • Terminates auth flows and issues new application tokens
  • Enforces MFA, conditional access, and login policies
  • Pre-configured trust with all SAP SaaS applications
IdDS
Identity Directory
Central user store · Attribute management · Group assignments · Cross-app correlation
  • Stores user identities, groups, and role assignments
  • Merges corporate IdP attributes into IAS-issued tokens
  • Enables cross-application identity correlation (Task Center, Joule)
  • Required when “Use Identity Authentication user store” is enabled
  • Source of truth for user attributes in hybrid scenarios
IPS
Identity Provisioning
SCIM 2.0 · Source & target connectors · Transformation rules · Lifecycle automation
  • Automates user and group sync across connected systems
  • 200+ pre-built source and target connectors
  • Attribute transformation and filtering via proxy rules
  • Handles provisioning, deprovisioning, and updates
  • Supports real-time and scheduled job execution

Trust Architecture

SAP Cloud Identity Services acts as the single authentication interface for all SAP cloud applications — sitting between your corporate identity provider and every SAP application in your landscape. This layered proxy model means each application trusts only IAS, while IAS handles federation with your existing enterprise IdP.

IAS Trust Topology — three-layer architecture
Layer 1 — Corporate / External Identity Providers
Microsoft Entra ID · Okta · Google Workspace · Ping Identity · ADFS · Any SAML/OIDC IdP
↕ SAML 2.0 / OIDC federation
Layer 2 — SAP Cloud Identity Services (IAS + IdDS + IPS)
IAS — Authentication broker · IdDS — Central user store · IPS — SCIM provisioning engine · Risk-based auth · MFA · Login policies · Token enrichment from IdDS attributes
↕ SAML 2.0 / OIDC (pre-configured trust)
Layer 3 — SAP Cloud Applications (Service Providers)
SAP BTP (CF · Kyma · ABAP) · SAP S/4HANA Cloud · SAP SuccessFactors · SAP Ariba · SAP Concur · SAP Build Work Zone · SAP Task Center · Joule · Custom CAP applications

Each SAP SaaS application ships with a pre-configured trust to IAS — reducing the setup effort for SSO from days to hours. All applications in Layer 3 trust only IAS, which means a single IAS configuration change (e.g. adding an MFA policy) propagates to every connected application instantly.

Authentication Flow — SP/RP-Initiated SSO

IAS supports both SP-initiated (application starts) and RP-initiated (IAS starts) authentication flows. In both cases, IAS terminates the inbound flow from the corporate IdP and issues a fresh, application-specific token — enabling centralized policy enforcement regardless of upstream IdP behaviour.

Web Application SSO — SP-initiated SAML / OIDC flow with corporate IdP proxy
1. User (Browser): accesses app URL
2. SAP Application: no active session · redirects
3. IAS: checks app config · IdP forwarding?
4. Corporate IdP: Entra ID / Okta · authenticates user
5. IAS: merges IdP + IdDS attrs · issues new token
6. SAP Application: accepts SAML / OIDC token · session established
SAP GUI Single Sign-On — X.509 certificate flow
1. User (SAP GUI): launches SAP Logon
2. IAS: authenticates user · issues OIDC token
3. SAP Secure Login Service: converts OIDC → short-lived X.509 cert
4. SAP System (ABAP): authenticates via X.509 · no password prompt

Key design principle: IAS always terminates the upstream authentication flow and issues a brand-new token to the target application. The application never sees the corporate IdP’s token directly — IAS enriches it with IdDS attributes (group memberships, custom attributes, role assignments) before forwarding. This architecture enables consistent policy enforcement even when the corporate IdP doesn’t support certain attributes or protocols.

OIDC preferred over SAML for BTP: SAP Note 3521979 documents the deprecation of SAML for user-interactive authentication in BTP accounts. New implementations should use OIDC-based trust between IAS and SAP BTP.

Identity Directory (IdDS) — Central User Store

The Identity Directory is the persistent user store that powers cross-application identity correlation in modern SAP SaaS scenarios. Without users in IdDS, features like SAP Task Center (cross-application task aggregation) and Joule (SAP’s AI assistant) cannot function — they require a stable, cross-application user identity.

Attribute Merging
Token Enrichment from IdDS
When a user authenticates via a corporate IdP, IAS looks up the user in IdDS and merges additional attributes (custom fields, group memberships, role assignments) into the outgoing token — even if the upstream IdP doesn’t carry those attributes.
Corporate IdP asserts email → IAS finds user in IdDS → adds department, cost centre, application groups to token
Cross-Application Correlation
Required for SAP Task Center & Joule
SAP Task Center aggregates tasks from S/4HANA, SuccessFactors, Ariba, and other systems. To correlate a user across all these systems, a stable identity in IdDS is required. The same applies to Joule’s personalisation and context-awareness features.
Enable “Use Identity Authentication user store” · IPS provisions users into IdDS · Task Center reads IdDS user ID
User Persistence Strategy
Shadow Users vs IdDS Persistence
IAS can operate with shadow users (created on first login via Just-in-Time provisioning) or with pre-provisioned users via IPS. For production landscapes with Task Center, Joule, or complex attribute requirements, full IdDS persistence via IPS is required — JIT alone is insufficient.
IPS provisioning job → IdDS · SCIM 2.0 · scheduled or real-time sync · deprovisioning supported
Group & Role Management
Centralised Role Assignments in IdDS
Groups defined in IdDS can be mapped to application-specific roles in IAS’s application configuration. This allows centralised role governance — adding a user to an IdDS group automatically grants access to the mapped application role without touching each SAP application’s user management.
IdDS Group → IAS Application Group → SAML attribute / OIDC claim → Application role
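As an added illustration (not SAP's code and not part of this offering), the lookup, attribute merge and group-to-role chain above modelled in Python; the IdDS records, the per-application group map, the role names and the claim names are constructed assumptions.

```python
# Added example, not SAP's own IAS code: models the IdDS lookup, attribute merge and
# group-to-role mapping described above. IdDS records, group map and claim names are constructed.

# Constructed IdDS user store keyed by primary email, the attribute used for correlation.
IDDS_USERS = {
    "alice.meier@example.com": {
        "id": "P000001", "department": "Finance", "costCenter": "CC-4711",
        "groups": ["SAP_FIN_USERS", "TASKCENTER_USERS"],
    },
}
# Constructed per-application mapping: IdDS group -> application role (IAS application group).
APP_GROUP_TO_ROLE = {
    "s4hana": {"SAP_FIN_USERS": "FinanceUser"},
    "taskcenter": {"TASKCENTER_USERS": "TaskCenterUser"},
}

class UnknownUserError(Exception):
    """The upstream assertion could not be correlated to an IdDS identity."""

def enrich_token(upstream_assertion: dict, app: str) -> dict:
    """Build the claims of the new token IAS issues to `app`.

    Only the correlation key (email) is taken from the corporate IdP's assertion; all
    other claims come from IdDS, so the application never sees the upstream token and
    gets the same attributes whether or not the corporate IdP can supply them.
    """
    email = str(upstream_assertion.get("email", "")).lower()
    user = IDDS_USERS.get(email)
    if user is None:
        # Fail closed: without an IdDS identity there is no stable cross-application user.
        raise UnknownUserError(email or "<no email asserted>")
    role_map = APP_GROUP_TO_ROLE.get(app, {})
    roles = sorted({role_map[g] for g in user["groups"] if g in role_map})
    return {
        "sub": user["id"],            # stable IdDS id, not the IdP's own subject identifier
        "email": email,
        "department": user["department"],
        "cost_center": user["costCenter"],
        "groups": list(user["groups"]),
        "roles": roles,               # the claim the application maps onto its local role
        "aud": app,
    }
```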

User Provisioning with IPS

SAP Identity Provisioning automates the full user lifecycle — provisioning, attribute updates, and deprovisioning — across all connected SAP and non-SAP systems via the SCIM 2.0 protocol. IPS reads users from source systems and writes them to target systems according to configurable transformation rules.

IPS Provisioning Architecture — source systems → IPS → target systems
Source Systems: Microsoft Entra ID · SAP SuccessFactors (HCM) · SAP S/4HANA On-Premise · Okta · LDAP / Active Directory · HR system (custom SCIM)
IPS Engine: Reads via SCIM 2.0 · Attribute transformation · Filtering & conditions · Scheduled or real-time jobs · Provisioning & deprovisioning
Target Systems: SAP Identity Directory (IdDS) · SAP BTP (platform users) · SAP S/4HANA Cloud · SAP SuccessFactors · SAP Ariba · SAP HANA DB

IPS transformation rules (written in JSONata or the IPS rule language) let you reshape attributes between source and target — mapping an Entra ID department attribute to an SAP group, filtering out service accounts, or splitting a full name into first/last name fields. Every provisioning run is logged in the IPS audit journal with user-level granularity.
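As an added example (not SAP's IPS rule syntax and not code from this offering), the three transformations named above written as a SCIM 2.0 source-to-target function in Python, with the journal lines a run would produce; the Entra-style source shape, the IdDS-style target shape, the department-to-group map and the service-account naming convention are constructed assumptions.

```python
# Added example, not SAP's own IPS code: a SCIM 2.0 source-to-target transform in the spirit
# of an IPS proxy rule. Source/target shapes, group map and naming convention are constructed.
from __future__ import annotations
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
DEPT_TO_GROUP = {"Finance": "SAP_FIN_USERS", "HR": "SAP_HR_USERS"}  # constructed mapping
SERVICE_ACCOUNT_PREFIX = "svc-"  # assumed naming convention for service accounts

def split_display_name(display_name: str) -> tuple[str, str]:
    """'Given Family Name' -> ('Given', 'Family Name'); a single token gets an empty family name."""
    parts = display_name.strip().split()
    return (parts[0], " ".join(parts[1:])) if parts else ("", "")

def transform_user(src: dict) -> dict | None:
    """Reshape one source user into the target SCIM user; None means the record is filtered out."""
    user_name = src.get("userName", "")
    if user_name.lower().startswith(SERVICE_ACCOUNT_PREFIX):
        return None  # filter condition: service accounts are never provisioned
    given, family = split_display_name(src.get("displayName", ""))
    dept = src.get(ENTERPRISE_EXT, {}).get("department")
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user_name.lower(),  # normalised so cross-system correlation is stable
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": e["value"].lower(), "primary": True}
                   for e in src.get("emails", []) if e.get("primary")],
        # Leavers are written as active=false, not dropped, so the target revokes access
        "active": bool(src.get("active", False)),
        "groups": [{"value": DEPT_TO_GROUP[dept]}] if dept in DEPT_TO_GROUP else [],
    }

def run_job(source_users: list[dict]) -> tuple[list[dict], list[str]]:
    """One provisioning run: returns the target users plus user-level audit journal lines."""
    targets, journal = [], []
    for src in source_users:
        tgt = transform_user(src)
        if tgt is None:
            journal.append(f"SKIP {src.get('userName')}: filtered by rule")
            continue
        journal.append(f"{'WRITE' if tgt['active'] else 'DEPROVISION'} {tgt['userName']}")
        targets.append(tgt)
    return targets, journal

SAMPLE_SOURCE = [  # constructed sample source records, not real directory data
    {"userName": "Alice.Meier@example.com", "displayName": "Alice Meier", "active": True,
     "emails": [{"value": "Alice.Meier@example.com", "primary": True}],
     ENTERPRISE_EXT: {"department": "Finance"}},
    {"userName": "svc-backup@example.com", "displayName": "Backup Service", "active": True},
    {"userName": "bob.lee@example.com", "displayName": "Bob", "active": False,
     "emails": [{"value": "bob.lee@example.com", "primary": True}]},
]
```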

What We Deliver

IAS Tenant Configuration & Trust Setup

IAS tenant activation, custom domain configuration, and certificate setup. Application registration for every SAP cloud product in your landscape. Trust configuration with your corporate IdP (Entra ID, Okta, Ping, ADFS) via SAML 2.0 or OIDC. OIDC trust between IAS and SAP BTP (aligned to SAP Note 3521979).

Corporate IdP Proxy Architecture

IAS configured as a SAML/OIDC proxy in front of your existing corporate identity provider. Conditional forwarding rules per application — some apps authenticate directly via IAS, others proxy through Entra ID or Okta. Token enrichment configuration to merge IdDS attributes into the outgoing assertion.

IPS Provisioning Flows

Source-to-target provisioning job design, SCIM connector configuration, and attribute transformation rule authoring. User and group synchronisation from your HR system or corporate directory into IdDS, BTP, S/4HANA, and SuccessFactors. Deprovisioning automation aligned to your joiner-mover-leaver process.

MFA, Risk-Based Auth & Login Policies

Multi-factor authentication configuration — TOTP authenticator apps, email OTP, FIDO2/WebAuthn (passkeys), and SMS. Risk-based authentication policies that escalate to MFA based on IP range, location, or user risk score. Application-specific login policies: password rules, session timeouts, self-registration controls.

IdDS User Store & Cross-App Readiness

IdDS population strategy, group hierarchy design, and attribute schema extension for application-specific requirements. “Use Identity Authentication user store” enablement and validation. Cross-application user correlation setup for SAP Task Center and Joule — including the IPS job chain that keeps IdDS in sync with the authoritative HR source.

Audit, Monitoring & Security Hardening

IAS audit log activation and export to your SIEM. Login attempt monitoring, failed authentication alerting, and suspicious activity detection. Security hardening: token expiry tuning, CORS policy, allowed redirect URIs lockdown, and administrator access governance. Compliance alignment for GDPR and ISO 27001.

How Customers Benefit

1 IdP
For Every SAP Cloud Application
IAS ships with pre-configured trust to all SAP SaaS products. One trust setup in IAS propagates SSO across S/4HANA, SuccessFactors, Ariba, BTP, and every custom CAP application without per-application IdP configuration.
Zero
Password Exposure to SAP Applications
IAS terminates authentication at the corporate IdP boundary and issues new application tokens. SAP applications never receive or store corporate directory credentials — passwords stay in your existing identity provider.
200+
Pre-Built IPS Connectors
IPS ships with over 200 source and target connectors covering SAP and non-SAP systems — removing the need for custom SCIM adapter development for most enterprise directory and HR system integrations.
Task Center
& Joule Ready from Day One
A correctly configured IdDS user store is the prerequisite for SAP Task Center’s cross-application task aggregation and Joule’s user-aware AI assistance. Getting IdDS right at foundation stage avoids costly remediation later.
Centralised
MFA & Security Policy Enforcement
MFA policies, session timeouts, and risk-based authentication rules defined once in IAS apply to every connected SAP application. Security changes don’t require per-system configuration — IAS is the single enforcement point.
Automated
Joiner-Mover-Leaver Lifecycle
IPS provisioning jobs triggered by HR system changes automatically create, update, and deprovision users across all connected SAP systems — eliminating manual IT tickets and reducing the window between a leaver’s last day and access removal.

How We Work

01

Identity Landscape Assessment

We audit your current identity setup: existing corporate IdPs, connected SAP systems, user stores, provisioning gaps, MFA coverage, and compliance requirements. Output: an identity architecture gap report with risk-ranked findings and a recommended target topology.

02

Architecture Design

Trust topology design (direct trust vs proxy), protocol selection (SAML / OIDC per application), IdDS population strategy, IPS source-to-target provisioning model, attribute mapping design, MFA policy framework, and group-to-role assignment model — all documented before any configuration begins.

03

IAS & IdDS Foundation

IAS tenant setup, custom domain and certificate configuration, corporate IdP federation (SAML/OIDC), application registrations for all SAP products, login policy baseline, and IdDS group hierarchy. OIDC trust with SAP BTP configured per SAP Note 3521979.

04

IPS Provisioning Implementation

Source and target connector setup, provisioning job design, attribute transformation rule authoring (JSONata), group membership sync, and deprovisioning flow validation. End-to-end testing of the full joiner-mover-leaver lifecycle across all target systems.

05

MFA, Hardening & Compliance

MFA method rollout (TOTP, FIDO2, email OTP), risk-based authentication policy tuning, audit log activation and SIEM export, token security hardening, and compliance documentation for GDPR and ISO 27001 evidence packages.

06

Governance & Knowledge Transfer

Operational runbooks for IAS administration, IPS job monitoring, and incident response for authentication failures. Live workshops with your IAM and security teams, architecture documentation, and a validated testing checklist for future application onboarding.


Ready to secure your SAP landscape?

Let’s build your identity foundation.

Tell us about your current identity setup, SAP cloud footprint, and compliance requirements — we’ll design a secure, scalable IAS/IPS architecture that works for your entire enterprise.

Get in touch →