SAP Cloud Identity Services
SAP Cloud Identity Services are our central solution for managing authentication, single sign-on, and the identity lifecycle. They improve system integration, provide a seamless user experience, and enhance security and compliance.
In the first quarter of 2025, we released several new features and enhancements for SAP Cloud Identity Services. These include token attribute configuration capabilities, enhancements in identity federation for applications, and automatic renewal of expired SAML signing certificates. We also extended the Identity Directory service to trigger immediate provisioning of application-specific groups and added improvements to the provisioning job logs.
The Identity Authentication service of SAP Cloud Identity Services automatically updates expired SAML 2.0 certificates during the first failed sign-in attempt, provided that the metadata URL is configured. This automatic update feature enhances security, improves the user experience, and reduces the administrative burden, making it an essential feature for any modern digital infrastructure.
This new blog post series aims to provide technical guidance on how to plan and implement IAM with SAP Cloud Identity Services and Microsoft Entra. In the first part, explore the implementation of a workflow-based access management solution to SAP BTP with Microsoft Entra ID Governance. In the second part, learn about a hybrid identity setup that requires managing the user lifecycle across Microsoft Active Directory, Microsoft Entra, SAP BTP, SAP Cloud Identity Services, and an SAP system on-premise.
Learn how to create application-specific groups in SAP Cloud Identity Services using Identity Provisioning. Whether you're starting from scratch with a greenfield approach or working with existing systems in a brownfield approach, you'll find everything you need to know about this special type of group here.
This blog post focuses on the key role of SAP Cloud Identity Services in ensuring that the right users get access to the right tasks in the SAP Task Center. It offers you some guidance through the myriad of configuration options, choices, and alternatives.
The Authorization Management service is a pivotal component within SAP Cloud Identity Services, providing a unified platform for managing authorizations across applications based on SAP BTP and also the administration console of SAP Cloud Identity Services itself. Administrators can configure and assign policies through a centralized console, enhancing the efficiency and consistency of policy application across different services and users.
Explore how identity and access management (IAM) software from SAP supports building successful system integrations in cloud and hybrid environments. With SAP Cloud Identity Services and well-established IAM-related industry standards, SAP improves system integration and helps provide a seamless user experience while also improving security and compliance.
Check out our new IAM reference architectures now available in SAP Discovery Center. They describe the authentication and identity lifecycle flows for SAP applications via SAP Cloud Identity Services, and how the different authorization technologies within the SAP portfolio can be used from a central point for the identity lifecycle.

Overview
SAP Cloud Identity Services are SAP’s central cloud IAM services for authentication, single sign-on, and identity lifecycle. SAP solutions integrate with SAP Cloud Identity Services and reuse its functionality where possible.
Authentication is delegated to Identity Authentication. User information is either directly read from the Identity Directory or the solution’s user store is integrated with SAP Cloud Identity Services via SCIM-based user provisioning. Newly built applications will use the Authorization Management service for policy-based authorization checks.
This standardizes the IAM setup, reduces duplicate functionality, and gives customers a clear setup and central IAM configuration and access point.
Solution overview presentation
Evolving Identity Authentication and Identity Provisioning into SAP Cloud Identity Services
SAP Cloud Identity Services – Why and How to Integrate Them for a Consistent Identity Lifecycle

Identity Authentication
Identity Authentication is a cloud service for authentication, single sign-on, and user management in SAP cloud and on-premise applications. It can act as an identity provider itself or be used as a proxy to integrate with an existing single sign-on infrastructure.

Identity Provisioning
Identity Provisioning offers a comprehensive, low-cost approach to identity lifecycle management in the cloud. It helps you provision identities and their authorizations to various cloud and on-premise business applications.

Identity Directory
The Identity Directory is the central component for persisting users and groups inside SAP Cloud Identity Services. Using the Identity Directory not only simplifies the process of ensuring a proper user lifecycle, but also lays the foundation for integration with SAP cloud applications.

Authorization Management
The Authorization Management service allows administrators to assign access based on policies centrally within SAP Cloud Identity Services. An access policy allows a user to perform certain actions on a resource, subject to restricting rules. These rules can be adapted by the administrator so that policies fit company requirements before being assigned to users.