source link: https://blogs.sap.com/2023/05/26/integrate-sap-cloud-identity-provisioning-service-with-sap-build-work-zone-standard-edition-for-federation-of-business-content/

Integrate SAP Cloud Identity Provisioning Service with SAP Build Work Zone, standard edition for federation of business content

You may have seen an option in SAP Build Work Zone, standard edition to connect Work Zone to SAP Cloud Identity Provisioning Service (IPS).  Did you ever wonder what this option was for and how it can be used when federating content from remote content providers into SAP Build Work Zone, standard edition?


When you click the Connect button it does a couple of things:

  1. It provisions an SAP Cloud Identity Provisioning tenant if you don’t already have one.
  2. It adds target connectors in SAP Cloud Identity Provisioning Service to allow provisioning to SAP Build Work Zone, standard edition.

Clicking the Connect button should show a Connected status on the screen.


If you see an error or are stuck in the Connecting state, check that the prerequisites required for this integration are met.  The prerequisites are documented in the help guide.  Furthermore, it may still be possible to proceed even if the screen above shows an error message.  The main thing we require is access to an SAP Cloud Identity Provisioning tenant that has SAP Build Work Zone, standard edition available as a target system for provisioning.  If either of these is not true for your case, log a support ticket under the EP-WZ-PRV component.


To see how this integration can be used we need to set up a remote content provider for SAP Build Work Zone, standard edition.  For this blog, I am using SAP BTP ABAP Environment as the content provider and set up the integration using the steps documented in this tutorial.  When adding the content provider in Work Zone, make sure the “Use the Identity Provisioning service to provision user authorizations” option is enabled.  This is not covered in the tutorial but is required for the scenario I am covering in this blog.  Make note of the ID (e.g. Tutorial) specified for your content provider, as it’s also required later on when setting up SAP Build Work Zone as a target system in SAP Cloud Identity Provisioning Service.


In my SAP BTP ABAP environment, I’ve exposed a few business roles to the BTP environment.  For example, the TRAINWORKZONE role is marked Exposed to SAP BTP.


The TRAINWORKZONE role has access to the Communication Management application.


The exposed roles show up in SAP Build Work Zone, standard edition and can be assigned to a site to provide access to users.  As you can see in the screenshot, besides the TRAINWORKZONE role I’ve exposed a few additional roles as well.  Each back-end role provides access to certain business apps for users that are assigned those roles in the back-end system.


What you will notice is that these roles are not visible as role collections in your SAP BTP subaccount, so there is no option to assign them to users through the BTP Cockpit.  This is expected, since we enabled the “Use the Identity Provisioning service to provision user authorizations” option when adding SAP BTP ABAP environment as a content provider in SAP Build Work Zone.

You may be wondering, then, how do I manage which applications users can see when accessing the SAP Build Work Zone site?

To accomplish this we need to set up the Identity Provisioning service to read users and their roles from SAP BTP ABAP environment and provision them to SAP Build Work Zone, standard edition.  This process ensures that users who access the Work Zone site can only see the applications from SAP BTP ABAP environment that they are authorized to use.

Let’s look at the process to do just that.

Prepare SAP BTP ABAP Environment for use with SAP Cloud Identity Provisioning Service

  1. Log into your SAP BTP ABAP Environment and search for Maintain Communication Users and access the application.
  2. Click New and create a new communication user.  Specify a User Name, Description, and Password.  Click Create.
  3. Access Communication Systems.
  4. Click New and specify a System ID and System Name and click Create.
  5. Specify a value for Host Name to match your IAS tenant hostname, for example xxxxxxx.accounts.ondemand.com.
  6. Click + under Users for Inbound Communication.
  7. Select the Communication user created earlier and click OK.
  8. Save your Communication System.
  9. Access Communication Arrangements.
  10. Click New and choose the value help icon to open up the list of available communication scenarios.
  11. Search for SAP_COM_0193 and select it from the list.  This communication scenario is relevant for Identity Provisioning integration.
  12. Specify a name for the arrangement and click Create.
  13. Use the value help icon and select the Communication System created earlier.  The User Name for inbound communication should automatically populate.  Save your configuration.
  14. Make note of the API-URL, as this is required to set up SAP BTP ABAP environment as the source system in SAP Cloud Identity Provisioning Service.

Add BTP ABAP Environment as Source System in SAP Cloud Identity Provisioning Service

  1. Access your SAP Cloud Identity Services – Identity Provisioning (IPS) tenant.
  2. Click on Source Systems.
  3. Click Add.
  4. Specify the following and click Save:
    • Type: SAP BTP ABAP Environment
    • System Name: <name of your choice>
  5. Click Properties. You will see a list of pre-created properties.
  6. Click Add to add new properties.  Use the Standard option for non-sensitive properties and the Credential option for password fields.
  7. Add the additional properties below and click Save.  Take a look at the help guide for the complete list of properties that are possible with SAP BTP ABAP Environment as a source system.
    • Type: HTTP
    • ProxyType: Internet
    • URL: <API-URL copied from Communication Arrangement>
    • Authentication: BasicAuthentication
    • User: <Communication User created in SAP BTP ABAP Environment>
    • Password: <Communication User password>

Prepare SAP Build Work Zone for use with SAP Cloud Identity Provisioning Service

  1. Log into the SAP BTP subaccount where you have a subscription to SAP Build Work Zone, standard edition.
  2. Click Instances and Subscriptions and click the Create button.
  3. Select SAP Build Work Zone, standard edition and choose standard instance plan.
  4. Choose your Space and specify an Instance Name.
  5. Click Next a couple of times and click Create.
  6. Select the newly created instance and click Create to create a new service key.
  7. Specify a Service Key Name and click Create.
  8. Click the key name.
  9. Make note of the following fields:
    • endpoints.portal-service
    • uaa.clientid
    • uaa.clientsecret
    • uaa.url

Setup SAP Build Work Zone as Target System in SAP Cloud Identity Provisioning Service

  1. Access your SAP Cloud Identity Services – Identity Provisioning (IPS) tenant.
  2. Click the Target System icon and click Add.
  3. Specify the following and click Save:
    • Type: SAP Build Work Zone, standard edition
    • System Name: <name of your choice>
    • Source System: <your SAP BTP ABAP environment source system created earlier>
  4. Under Properties, add the additional properties below and click Save.  Take a look at the help guide for the complete list of properties that are possible with SAP Build Work Zone, standard edition as a target system.
      • Type: HTTP
      • ProxyType: Internet
      • URL: <endpoints.portal-service copied earlier>
      • OAuth2TokenServiceURL: <uaa.url with /oauth/token appended>
      • Authentication: BasicAuthentication
      • User: <uaa.clientid>
      • Password: <uaa.clientsecret>
      • cflp.providerId: <provider ID of your content provider>
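The two property sets above (the ABAP source system in the earlier section and the Work Zone target system here) are easy to get subtly wrong by hand: a token URL without the /oauth/token suffix, a plain http URL, or a provider ID that does not match the content provider. The following is an added example, not code from the blog or from SAP, that assembles both property maps from the values the post tells you to collect (a constructed service key shaped like endpoints.portal-service, uaa.clientid, uaa.clientsecret and uaa.url, plus the communication user and API-URL) and sanity-checks them before you type them into IPS. Function names, the sample key and the check rules are assumptions of this example; the property names are the ones listed in the post.

```python
import json
from urllib.parse import urlparse

# Constructed sample service key: same shape as the fields the post asks you
# to note from the Work Zone service key. Every value is a placeholder.
SAMPLE_SERVICE_KEY = json.dumps({
    "endpoints": {
        "portal-service": "https://portal-service.example.cfapps.eu10.hana.ondemand.com/"
    },
    "uaa": {
        "clientid": "sb-example-client!b1234|portal-service!b5678",
        "clientsecret": "PLACEHOLDER-SECRET",
        "url": "https://example.authentication.eu10.hana.ondemand.com",
    },
})

# Property names that should be added with the Credential option in IPS
# (the post's step 6 for the source system), so they must never be logged.
CREDENTIAL_PROPERTIES = {"Password"}

SOURCE_REQUIRED = ("Type", "ProxyType", "URL", "Authentication", "User", "Password")
TARGET_REQUIRED = SOURCE_REQUIRED + ("OAuth2TokenServiceURL", "cflp.providerId")


def build_source_properties(api_url, comm_user, comm_password):
    """Properties for the SAP BTP ABAP Environment source system."""
    return {
        "Type": "HTTP",
        "ProxyType": "Internet",
        "URL": api_url,                       # API-URL from the communication arrangement
        "Authentication": "BasicAuthentication",
        "User": comm_user,                    # communication user created in ABAP
        "Password": comm_password,            # add as a Credential property in IPS
    }


def build_target_properties(service_key_json, provider_id):
    """Properties for the SAP Build Work Zone, standard edition target system."""
    key = json.loads(service_key_json)
    uaa = key["uaa"]
    # The post says to append /oauth/token to uaa.url; avoid a doubled slash.
    token_url = uaa["url"].rstrip("/") + "/oauth/token"
    return {
        "Type": "HTTP",
        "ProxyType": "Internet",
        "URL": key["endpoints"]["portal-service"],
        "OAuth2TokenServiceURL": token_url,
        "Authentication": "BasicAuthentication",
        "User": uaa["clientid"],
        "Password": uaa["clientsecret"],      # add as a Credential property in IPS
        "cflp.providerId": provider_id,       # must equal the content provider ID in Work Zone
    }


def validate_properties(props, required):
    """Return a list of problems found; an empty list means the set looks complete."""
    problems = []
    for name in required:
        if not props.get(name):
            problems.append(f"missing or empty property: {name}")
    for name in ("URL", "OAuth2TokenServiceURL"):
        if props.get(name) and urlparse(props[name]).scheme != "https":
            # BasicAuthentication sends the credential on every request.
            problems.append(f"{name} must use https")
    token_url = props.get("OAuth2TokenServiceURL")
    if token_url is not None and not token_url.endswith("/oauth/token"):
        problems.append("OAuth2TokenServiceURL must end with /oauth/token")
    return problems


def redacted(props):
    """Copy of the property map that is safe to print or paste into a ticket."""
    return {k: ("***" if k in CREDENTIAL_PROPERTIES else v) for k, v in props.items()}


if __name__ == "__main__":
    target = build_target_properties(SAMPLE_SERVICE_KEY, "Tutorial")
    source = build_source_properties(
        "https://my-abap.example.abap.eu10.hana.ondemand.com/sap/bc/...",  # placeholder
        "IPS_COMM_USER", "PLACEHOLDER-PASSWORD")
    for label, props, required in (("source", source, SOURCE_REQUIRED),
                                   ("target", target, TARGET_REQUIRED)):
        print(label, redacted(props), validate_properties(props, required) or "OK")
```

Run it once with your real values substituted for the placeholders and fix anything `validate_properties` reports before creating the systems in IPS; only ever share the `redacted()` form when asking for help, since the Password property is the communication user password or the UAA client secret.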

Run the provisioning job

  1. Access your SAP Cloud Identity Services – Identity Provisioning (IPS) tenant.
  2. Click the Source System icon and click Add.
  3. Select the SAP BTP ABAP environment source system created earlier.
  4. Click the Run Now button.
  5. Click Identity Provisioning >> Job Logs and select the job.  Confirm the job executes successfully and provisions users and groups to SAP Build Work Zone.

When a user accesses the SAP Build Work Zone site, they should only see the applications they are authorized to see in SAP BTP ABAP Environment.  In my screenshot below, I authenticated using a user who is assigned the TRAINWORKZONE role in the BTP ABAP environment.  They are only able to see the apps that are exposed to users assigned the Communication Management business catalog.  If any changes are made to the authorizations in the back-end ABAP environment, they will be reflected in SAP Build Work Zone when the provisioning job is executed again.  The job can be scheduled on a periodic basis.


Enjoy!
