SAP Community - SAP Cloud Identity Services

Manage group to team assignments for SAC within Identity Provisioning

2025-12-01T14:53:10.472000+01:00

Hi experts,

For our BTP landscape and SAP Cloud we have set up a central Cloud Identity Service (CIS) tenant to centralize the user management.

Now, for SAP Analytics Cloud (SAC) we have configured our central CIS tenant as bundled Cloud Identity Service tenant based on SAP help link:
Authentication Options | SAP Help Portal.

Following this procedure a source and target system in the Identity Provisioning are automatically created. We just adapted the properties of the source system to include "idds.group.filter" and "idds.user.filter". On the target system we set the user and password according to the OAuth client created in SAC and added properties "ips.delete.threshold.groups" and "ips.delete.threshold.users".

Within the CIS we have following groups maintained for SAC:

CIS Group	SAC team
Technical name: sac_dev_admin Display name: SAC Administrators (on Dev)	sac_admin
Technical name: sac_dev_planning_user Display name: SAC Planning User (on Dev)	sac_planning_user
Technical name: sac_dev_reporting_user Display name: SAC Reporting User (on Dev)	sac_reporting_user

Now, we want to adapt the transformation within the target system for SAC to ensure that all users assigned to the CIS groups will be assigned to the according SAC teams (example: users in group "sac_dev_reporting_user" should be assigned to the "sac_reporting_user" team in SAC)

We tried following:

{
	"user": {
		"condition": "isValidEmail($.emails[0].value) && (('%sac.group.prefix%' === 'null') || ($.groups[?(@.display =~ /%sac.group.prefix%.*/)] empty false))",
		"mappings": [
			...,
			{
				"sourcePath": "$.groups[*].value",
				"preserveArrayWithSingleElement": true,
				"optional": true,
				"targetPath": "$.groups[?(@.value)]",
				"functions": [
					{
						"function": "replaceString",
						"target": "sac_dev_admin",
						"replacement": "sac_admin"
					},
					{
						"function": "replaceString",
						"target": "sac_dev_planning_user",
						"replacement": "sac_planning_user"
					},
					{
						"function": "replaceString",
						"target": "sac_dev_reporting_user",
						"replacement": "sac_reporting_user"
					}
				]
			},
			...
		]
	},
	"group": {
		...
	}
}

Unfortunately, this was not working. Instead all team and role assignments were removed from all users.

How can we handle CIS group to SAC team assignments within the Identity Provisioning when group and team name differ?

It must be ensured that not only the initial assignment can be handled via Identity Provisioning but updates as well (such as changes in the CIS group assignments as well as removal from CIS groups).

regards

René

How can I user power query to get data from sap Cloud Identity Service (IAS)?

2025-12-02T15:50:13.847000+01:00

Hello experts!

I am trying to use to Excel and Power Query to create a refreshable Excel sheet to export the full list of users from IAS.

Thus far I have been able to use the "From Web" get data option in Excel pointing to our IAS Tenant (https://my.accounts.ondemand.com/scim/Users).

Power Query is able to connect where it downloads a file and processes is as JSON. However, instead of the users' data, I get a summary. Does anyone have some experience with this that can help?

Integrate Sailpoint with SAP CIS to provision to S4HANA public cloud?

2025-12-03T06:27:47.233000+01:00

I am looking for integration guidance connecting Sailpoint with SAP CiS to manage user provisioning to S4HANA Public cloud. I understand SCIM may be supported. What are the best practises and connectors available to enable this integration?

Migration of Cloud Identity Services Tenants in BTP NEO

2025-12-04T12:38:18.837000+01:00

Dear SAP colleagues,

I have a question regarding Cloud Identity Services tenants and would like to share the context to get some help.

Current Situation

We currently have a Cloud Identity Services structure as a legacy service in the SAP BTP NEO environment.
This service will be discontinued by the end of 2028.

My Question

Is it possible to create a new Cloud Identity Services (IAS/IPS) structure in BTP Cloud Foundry without having to migrate the existing tenant from NEO, thus avoiding potential impacts on connected systems

Additional Context

The company recently purchased SAP S/4HANA Rise Private Edition to replace the legacy SAP ECC.
We do not have detailed documentation on how the services were configured in Cloud Identity Services within the NEO environment.
Our idea is to create a new IAS/IPS structure directly in Cloud Foundry, with separate environments for DEV and PRD, to connect and configure the new systems and products of S/4HANA Rise Private Edition.

Has anyone faced this situation or can confirm if this approach is possible?
Thank you in advance for your help!

How can we connect our SAP IAS system to SAP to our BTP system

2025-12-09T10:22:39.585000+01:00

We are trying to follow the steps as per SP User Information | SAP Help Portal but unable to connect due to 401 not authorized error. we tried providing our admin user credentials from the IAS server but the error persists. Please advise on this issue.

We need this connection for one of our SAP BTP application where activation date details are required as data for the report.

SAP IAS Admin Console

2025-12-09T20:09:22.861000+01:00

Hello everyone,

What would be the best way to secure the SAP IAS Administration Console?

Is it a good idea to restrict access to a specific IP range (e.g. only the company network)? I’m concerned about locking myself out in case the IP address changes.

Or would it be better to implement 2FA for an admin group containing all admins? In that case, there’s also the risk of locking myself out.

I would appreciate your experiences and tips!

Many Thanks

Best Regards

change Loginname in SAC

2025-12-12T00:19:18.930000+01:00

Dear Community,

I have configured SSO with IAS in SAC. When a user logs in via SSO, they are welcomed with a P-number (e.g., "Hello P00001!") in SAC.

How can I change this so that the user is greeted by their first or last name (e.g., "Hello Max!" instead P-Number ?

Thanks in advance for your help!!!

Best regards

Group-Assignment via Entra ID in SAP Cloud Identity Services

2025-12-12T10:18:12.149000+01:00

Dear SAP Community,

We are currently building a business application in Entra ID that provisions users into the Identity Directory of the SAP Cloud Identity Services. At this stage, we are not using source or target transformations; instead, we are pushing users and attributes directly from Entra ID into the Identity Directory of our SAP Cloud Identity Services tenant.

In SAP Cloud Identity Services, we have several groups that were created either by SAP Support or by various SAP applications. For example, SAP Joule for Consultants requires a license group called SAP_JOULE_PREMIUM_CONSULTANT, which is created by SAP Support.

Users should be added to these groups automatically based on their group membership in Entra ID. Using the SCIM API, it should be possible to add members to an existing SAP Cloud Identity Services group.

Our target scenario looks like that: A user requests permissions for a specific (SAP-)application via our Entra ID Service Portal. After approval by the user’s manager, the user is added to an Entra ID group. During the next provisioning cycle, the transformation should work as follows: If the user is a member of Entra ID group “X”, then they should be added to group “Y” in SAP Cloud Identity Services. If they are no longer part of this group, they should be removed from it again.

Has anyone successfully implemented a similar setup and can share how they approached it?

Custom Schema for the Groups in IAS

2025-12-15T06:18:28.403000+01:00

I created a custom schema for groups and added an attribute named managedBy, but the new attribute does not appear under the Custom Attributes tab for each group in the UI.]

Does anyone know what I'm missing?Are there any extra steps required to make group attributes visible

SAC SSO: Merging existing users without losing content

2025-12-18T07:38:29.547000+01:00

Hi Experts,

we have IAS configured as a proxy. Users are provisioned from a custom IdP to IAS and then created dynamically in SAC (attribute = User ID) via SSO .

In SAC, there are already manually created users with existing content.
The SSO users and the manually created users in SAC have different User IDs, which is historical.

Our goal is to switch fully to SSO and replace or merge the existing SAC users without losing user content (stories, private objects, settings).

Currently, we face the following issues:

SAC does not allow duplicate email addresses when a new SSO user is created (different User ID, but same email address).
When we assign roles manually in SAC to an SSO user, they are removed at the next login.

Our questions:

What is the recommended approach to dynamically create SSO users in SAC and transfer or replace existing content from the old user to the new SSO user?
Is there a simple or supported way to migrate or merge existing SAC users with the new SSO users?
How are Owner property handled when SSO is activated, and what should be considered to avoid issues with access or content ownership?

Thank you very much for your help and experience.

Best regards

Partner TDD with new IAS/IPS

2025-12-24T08:45:21.296000+01:00

Hi,

We are planning to purchase Cloud test, demo, and development for SAP S/4HANA Cloud Public Edition, one-system landscape.
We already use S/4HANA Cloud, Public Edition and IAS/IPS for test tenant, but we would like to use it as a separate tenant.

Can we buy or create new IAS/IPS and connect it with TDD?

Thank you.
Ayaka

Unable to Deploy Joules Skills in SAP BPA - ClientNotFound

2025-12-24T16:07:08.258000+01:00

Hello, I have an error when I try to deploy or test Joule in SAP BPA.

"The project cannot be deployed by the component "Integration Gateway". Error while trying to connect to Joule - JouleClientService - invalid_client - Client Not Found"

I have the roles for das-application but it still doesn't reaches. Also, when I try to test, the environments don't show up.

Here some examples:

IAS Login Name dependencies

2026-01-14T14:56:45.075000+01:00

Hi everyone,

Quick question about the Login Name field in IAS:

Does it matter what I enter here? I often see an email address, but could I also use an employee ID or a short name?

Are there SAP applications or scenarios that require the "Login Name" to be a specific attribute (e.g. Email), or is the field completely flexible?

I want to avoid SSO issues with specific apps if the value is wrong. Does anyone have experience with dependencies for this field?

Many Thanks

Best Regards

Email verification for provisioned users - IAS

2026-01-22T21:36:53.281000+01:00

Hi everyone,

I am provisioning users from a custom IdP (SCIM system) to IAS via IPS.

After users are provisioned and created in IAS, their email status is "Not Verified" in IAS. No verification email is being sent out to these provisioned users.

My questions:

How can I ensure that users are automatically marked as "Verified" in IAS during the provisioning process?
Alternatively: How can I trigger the verification email to be sent to these provisioned users during the provisioning process?

Thanks for your tips !

Best Regards

How to prevent IAS admins from being deleted during IPS Re-Sync after an instance refresh?

2026-01-25T21:52:07.201000+01:00

I will soon perform an Instance Refresh of our SAP SuccessFactors Dev environment.
After the refresh, I plan to run the IPS Re-Sync, as recommended by SAP.

The last time I did this (during a Preview refresh), I temporarily added a username filter in IPS so that no users were matched. This caused all existing users in IAS to be considered “orphaned.” After removing the filter and running the Re-Sync again, many users were recreated successfully — but most IAS administrators were deleted in the process.

My questions are:

How can I avoid IAS administrators being deleted during an IPS Re-Sync after a refresh?
Is it really necessary to delete existing IAS users before re-running the sync?
If deletion is required, what additional steps can I take to ensure that IAS admins are not removed?

Thank you in advance!

Does Sap Cloud Identity Services (CIS) - IAS/IPS support position based security?

2026-01-30T14:48:03.146000+01:00

I am interested to know if the new age SAP Cloud Identity solutions suppor the position based security for S/4HANA (HCM on S/4HANA)?
I could not find any mention of this anywhere on sap help documentations.

Joule in Ariba Guided Buying: “Open in App” fails – sap.ushell.Container undefined, Fiori 3 CSS

2026-02-10T20:49:40.386000+01:00

Hi everyone,

I’m seeing an issue with Joule “Open in App” in SAP Ariba Guided Buying and wanted to check if anyone has faced this before.

What I’m doing:
From Joule, I see a list of recent Purchase Requisitions. When I click Open in App on a PR, it should take me to the full Guided Buying PR screen.

What happens instead:
I get an error saying “The application could not be opened”, and nothing opens.

What I noticed while checking in browser tools:

Console shows messages like:
- Unable to handle navigation with payload
- No sap.ushell Container found
A CSS file does not load:
/gb/sap_fiori_3_fonts.css
This request returns 500 Internal Server Error and JSON instead of CSS.

My questions:
- Is this a known Guided Buying / Joule issue?
- Does “Open in App” require any specific tenant or shell configuration?
- Has anyone seen this issue and found a fix, or is raising an SAP ticket the only option?
  
  I have Added the screenshots in the following
Any pointers would be really helpful.
Thanks in advance!

IAG–S/4HANA User ID Mapping Requirement

2026-02-15T09:05:25.737000+01:00

I have requirement regarding an integration involving SAP Identity Access Governance (IAG), SAP Cloud Identity Services (IAS/IPS), and our on-premise SAP S/4HANA system.

We are currently provisioning users from Microsoft Entra ID into SAP Cloud Identity Services, where users will create and assigned P-User IDs. Once the User IDs created in CIS, We are maintaining “Login Name” as our required naming convention (XXYYZZNN) for S/4 HANA system.

As per SAP Recommendation we are creating user IDs as P user IDs in BTP-IAG Subaccount. However, our S/4HANA system requires user IDs to follow a specific internal naming convention (XXYYZZNN). We need guidance and confirmation on the recommended approach to ensure that:

1.SAP IAG provisions users into S/4HANA with our required naming convention (XXYYZZNN) instead of the IAS P-User ID.

2. Attribute mapping and transformation rules between IAS, IPS, IAG, and S/4HANA. We would appreciate assistance advising on the correct configuration steps for attribute mapping and user ID transformation within IAG.

How to enable Joule for the SAC Tenant Owner in S4 public cloud?

2026-02-18T12:58:22.797000+01:00

Dear experts,

I'm looking for a solution of the problem I'm currently facing.

I went through the whole Blog and got it done to setup the connection between SAC and Joule in S4 Public Cloud.... but only for a regular user (with BI Admin and Admin role), but not for the SAC tenant Owner (who has no roles).

The first time, this was the result of reading the users, like described in step 4.5 Schedule User and Group Provisioning (optional)

Not sure what the real root cause was... I had the feeling that only users with roles are processed, so I put myself (the owner) into a Team and assigned the Admin roles to the team.

In the second try, it looks like also my user got processed:

However, in S4 public Cloud, when I try to get answer from a SAC model by Joule, I'm asked if my question is related to Ledger 0L and which Company Code ... and that get the information that Joule would not be able to access any SAC tenant.

In contrast to that, my colleague is able to get analytical answers from SAC.... so the whole setup basically works!

Did anybody experience the same issue and did find a solution?

Addition: No, I have no API Access Users in my tenant. This is a fresh TDD SAC, where only 2 Users and 1 Team exists.

Thanks a lot, Martin

Performing a OAUTH token exchange from a PKCE generated token on client x to another client y

2026-02-19T01:18:41.635000+01:00

I have a set of APIs from a CAP application which are available behind the AppRouter. I want to access these APIs from an application which will be using PKCE to authenticate.

The identity provider for CAP application with the APIs is based on IAS authentication as a private client. The PKCE application is also based on IAS authentication but is a public client to use the PKCE authentication flow.

All of the existing SAP documentation regarding the token exchange process refers to the exchange with XSUAA involved but I am not using XSUAA and will only be using IAS for authentication.

I am attempting to use a 'Destination' with an authentication of type 'OAuth2UserTokenExchange':

When I initiate a call via the destination providing the PKCE token with the intent of accessing the CAP application APIs, I am receiving the error:

Error: The destination tried to provide authorization tokens but failed in all cases. This is most likely due to misconfiguration.
Retrieval of OAuthToken failed due to: Unable to fetch refresh token from the specified token service URL. Response was: Bad credentials

I have confirmed I have provided the correct client ID and Secret as extracted from the 'Secret' I created in Trust -> Application APIs for the registered client for the CAP application via IAS.

Question:

1. Is it feasible to perform a token exchange from IAS to IAS on different clients?

2. Is this destination configuration correct?

3. Is this the correct location to get the client ID and client secret?