2 Creating an Application by Using the Connector

Learn about onboarding applications by using the connector and the prerequisites for doing so.

2.1 Process Flow for Creating an Application By Using the Connector

From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment is handled using the application onboarding capability of Identity Self Service.

Figure 2-1 is a flowchart depicting high-level steps for creating an application in Oracle Identity Governance by using the connector installation package.

Figure 2-1 Overall Flow of the Process for Creating an Application By Using the Connector


2.2 Downloading the Connector Installation Package

You can obtain the installation package for your connector on the Oracle Technology Network (OTN) website.

To download the connector installation package:
  1. Navigate to the OTN website at http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html.
  2. Click OTN License Agreement and read the license agreement.
  3. Select the Accept License Agreement option.
    You must accept the license agreement before you can download the installation package.
  4. Download and save the installation package to any directory on the computer hosting Oracle Identity Governance.
  5. Extract the contents of the installation package to any directory on the computer hosting Oracle Identity Governance. This creates a directory named CONNECTOR_NAME-RELEASE_NUMBER.
  6. Copy the CONNECTOR_NAME-RELEASE_NUMBER directory to the OIG_HOME/server/ConnectorDefaultDirectory directory.

2.3 Copying Third-Party Jar Libraries

You can either use the third-party jars from the S4HANA-12.2.1.3.0/lib folder shipped with the connector package or download the latest stable and secure release of each library. If you download newer releases, keep to the same major versions as the shipped set so that the connector's dependencies still resolve, and verify the checksum or signature of each jar against the upstream project before copying it onto the Oracle Identity Governance host. Use the following procedure to include the third-party jars:

Copy the third-party library jars for the S4HANA Apps connector to the computer hosting Oracle Identity Governance:
  1. Create a directory named S4HANA-12.2.1.3.0 for the S4HANA Apps connector in the following directory:

    OIM_HOME/server/ConnectorDefaultDirectory/targetsystems-lib/

    From the installation media, copy the SAP S/4HANA Cloud third-party libraries in S4HANA-12.2.1.3.0\lib to the directory you just created.
    The files in this directory are not shared with any other connector, which avoids version conflicts among shared libraries.
  2. If you are using the Connector Server, copy the same libraries from S4HANA-12.2.1.3.0\lib on the installation media to the CONNECTOR_SERVER_HOME/lib directory.

    Table 2-1 Third-party jars

    Jar Name                           Type
    commons-codec-1.15.jar             3rd- and 4th-party dependency JARs for the S4HANA target (applies to every row)
    commons-logging-1.2-1b97e70.jar
    httpclient5-5.1.3.jar
    httpcore5-5.1.3.jar
    jackson-annotations-2.13.3.jar
    jackson-core-2.13.3.jar
    jackson-databind-2.13.3.jar
    slf4j-api-2.0.0.jar
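As an added example (not from the connector package or Oracle's documentation), the following Python script audits the S4HANA-12.2.1.3.0 directory under targetsystems-lib against the jar set in Table 2-1. It reports artifacts that are missing, artifacts present in more than one version (the classpath conflict that the dedicated directory is meant to avoid), and artifacts whose version differs from the shipped one, flagging a changed major version separately. Artifact and version are taken from the Maven-style file names; the OIM_HOME path in the usage section is an assumption.

```python
import os
import re
from collections import defaultdict

# Jar set shipped in S4HANA-12.2.1.3.0/lib (Table 2-1).
SHIPPED_JARS = [
    "commons-codec-1.15.jar",
    "commons-logging-1.2-1b97e70.jar",
    "httpclient5-5.1.3.jar",
    "httpcore5-5.1.3.jar",
    "jackson-annotations-2.13.3.jar",
    "jackson-core-2.13.3.jar",
    "jackson-databind-2.13.3.jar",
    "slf4j-api-2.0.0.jar",
]

# Maven-style "<artifact>-<version>.jar": the artifact id is everything before the
# first "-" that is followed by a digit, e.g. "commons-logging-1.2-1b97e70.jar"
# -> ("commons-logging", "1.2-1b97e70").
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def parse_jar(filename):
    """Split a jar file name into (artifact, version); None if it is not Maven-style."""
    m = JAR_NAME.match(filename)
    return (m.group("artifact"), m.group("version")) if m else None


def major(version):
    """Leading numeric component of a version, e.g. "5.1.3" -> "5"."""
    return version.split(".")[0].split("-")[0]


def audit_jars(present, shipped=SHIPPED_JARS):
    """Compare the jar names found in a lib directory with the shipped set.

    Returns (missing, conflicts, changed):
      missing   - artifacts from the shipped set with no jar present
      conflicts - artifacts present in more than one version (classpath conflict)
      changed   - artifact -> (shipped_version, found_version, same_major)
    """
    shipped_versions = dict(parse_jar(n) for n in shipped)
    found = defaultdict(set)
    for name in present:
        parsed = parse_jar(name)
        if parsed:
            found[parsed[0]].add(parsed[1])

    missing = sorted(a for a in shipped_versions if a not in found)
    conflicts = {a: sorted(v) for a, v in found.items() if len(v) > 1}
    changed = {}
    for artifact, versions in found.items():
        if artifact in shipped_versions and len(versions) == 1:
            (version,) = versions
            expected = shipped_versions[artifact]
            if version != expected:
                changed[artifact] = (expected, version, major(version) == major(expected))
    return missing, conflicts, changed


def audit_lib_dir(path):
    """Run audit_jars over the *.jar files in a directory on disk."""
    names = [n for n in os.listdir(path) if n.endswith(".jar")]
    return audit_jars(names)


if __name__ == "__main__":
    # Assumed location; set OIM_HOME for your installation.
    lib_dir = os.path.expandvars(
        "$OIM_HOME/server/ConnectorDefaultDirectory/targetsystems-lib/S4HANA-12.2.1.3.0"
    )
    missing, conflicts, changed = audit_lib_dir(lib_dir)
    for artifact in missing:
        print(f"MISSING      {artifact}")
    for artifact, versions in conflicts.items():
        print(f"CONFLICT     {artifact}: {', '.join(versions)}")
    for artifact, (old, new, same_major) in changed.items():
        tag = "UPGRADED    " if same_major else "MAJOR CHANGE"
        print(f"{tag} {artifact}: {old} -> {new}")
```

Run the same audit against CONNECTOR_SERVER_HOME/lib when a Connector Server is in use; a CONFLICT line means two versions of one artifact are on the classpath and the one that loads first wins, which is exactly the situation the dedicated directory exists to prevent.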

2.4 Creating an Application By Using the SAP S/4HANA Cloud Connector

You can onboard an application into Oracle Identity Governance from the connector package by creating a Target application. To do so, you must log in to Identity Self Service and then choose the Applications box on the Manage tab.

Note:

For detailed information on the steps in this procedure, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
  1. Create an application in Identity Self Service. The high-level steps are as follows:
    1. Log in to Identity Self Service either by using the System Administration account or an account with the ApplicationInstanceAdministrator admin role.
    2. Ensure that the Connector Package option is selected when creating an application.
    3. Update the basic configuration parameters to include connectivity-related information.
    4. If required, update the advanced setting parameters to update configuration entries related to connector operations.
    5. Review the default user account attribute mappings. If required, add new attributes or you can edit or delete existing attributes.
    6. Review the provisioning, reconciliation, organization, and catalog settings for your application and customize them if required. For example, you can customize the default correlation rules for your application if required.
    7. Review the details of the application and click Finish to submit the application details.
      The application is created in Oracle Identity Governance.
    8. When you are prompted whether you want to create a default request form, click Yes or No.
      If you click Yes, then the default form is automatically created and is attached with the newly created application. The default form is created with the same name as the application. The default form cannot be modified later. Therefore, if you want to customize it, click No to manually create a new form and attach it with your application.
  2. Verify reconciliation and provisioning operations on the newly created application.

See Also:

  • Configuring the Connector for details on basic configuration and advanced settings parameters, default user account attribute mappings, default correlation rules, and reconciliation jobs that are predefined for this connector

  • Configuring Oracle Identity Governance for details on creating a new form and associating it with your application, if you chose not to create the default form

2.5 Creating a Target System User Account for the SAP S/4HANA Cloud Target

The following topics describe the procedures to create a target system user account for the SAP S/4HANA Cloud target:

2.5.1 Create a Communication User

  1. Log in to SAP S/4HANA Cloud application with administrator credentials.
  2. Under Communication Management, click Maintain Communication Users.
  3. Click New to create a new communication user.

    The Create Communication User page appears.

  4. Enter a User Name, a Description, and a password.
  5. Click Propose Password to have the system generate a password.

    Note:

    Keep a note of the User Name and password for your communication user; you enter them in the connector's basic configuration in Oracle Identity Governance. Store them in a secrets store or password manager rather than in plain text.
  6. Click Create.

2.5.2 Create a Communication System

Perform the following steps to create a communication system and assign a communication user to the communication system.

  1. Log in to the SAP S/4HANA Cloud application with administrator credentials.
  2. Under Communication Management, click Communication Systems.
  3. Click New to create a new communication system.
  4. Enter System ID and System Name, then click Create.
  5. Under Technical Data, enter the Host Name of your SAP S/4HANA Cloud tenant in the following format: <tenant ID>.s4hana.ondemand.com
  6. Click User for Inbound Communication tab, then click the add (+) icon.
  7. Assign the communication user you created and select User ID and Password as the authentication method.
  8. Click Save.

2.5.3 Create a Communication Arrangement

  1. Log in to SAP S/4HANA Cloud application with administrator credentials.
  2. Under Communication Management, click Communication Arrangements.
  3. Click New to create a new communication arrangement.
  4. Select communication scenario SAP_COM_0193, enter an arrangement name, and click Create.
  5. Select Communication Arrangement in the list.

    The inbound communication user is automatically assigned.

  6. Under Inbound Services, the endpoint URLs for calling the SOAP services have the following format:
    • https://<S4HANA tenant ID>-api.s4hana.ondemand.com/sap/bc/srt/scs_ext/sap/managebusinessuserin
    • https://<S4HANA tenant ID>-api.s4hana.ondemand.com/sap/bc/srt/scs_ext/sap/querybusinessuserin
    • https://<S4HANA tenant ID>-api.s4hana.ondemand.com/sap/bc/srt/scs_ext/sap/querybusinessusermetadatain
  7. Click Save.

    WSDLs can be downloaded from this arrangement once saved.

The same SAP S/4HANA Cloud communication user is used in Oracle Identity Governance to perform all connector operations.

2.6 Create System Account for SAP Identity Authentication Service (IAS)

The connector uses this account to connect to SAP IAS and verify that a user exists. A user must exist in IAS before the connector can provision it to SAP S/4HANA Cloud and manage the user's credentials. For more information, see Add System as Administrator under SAP Cloud Identity Services - Identity Authentication in the SAP Help Portal.

To add a new tenant administrator for the connector, proceed as follows:

  1. Access the tenant's administration console for Identity Authentication by using the console's URL.

    Note:

    The URL has the following pattern:

    https://<tenant ID>.accounts.ondemand.com/admin

    Tenant ID is an ID generated automatically by the system. The first administrator created for the tenant receives an activation e-mail with a URL in it. This URL contains the tenant ID. For more information about your tenants, see Viewing Assigned Tenants and Administrators under SAP Cloud Identity Services - Identity Authentication in the SAP Help Portal.

    If you have configured a custom domain, the URL pattern is: <your custom domain>/admin.

  2. Choose the Administrators tile.

    This opens a list of all administrators in alphabetical order.

    Note:

    The list also includes the SAP BTP system, which by default has authorizations to set up the trust with Identity Authentication.
  3. Click + Add in the left-hand panel to add a new administrator to the list.
  4. Choose Add User.
  5. Make the appropriate entries in the Email, First Name, and Last Name fields for the user you want to add as an administrator.

    The E-mail must be unique for the tenant.

    The First Name, and Last Name fields are pre-filled automatically for users who already exist in system.

    Note:

    Once the administrator is created, the First Name, Last Name, and Email fields are not editable from the administrator section. If you want to change the information you must go to the User Management section. For more information refer to List and Edit User Details under SAP Cloud Identity Services - Identity Authentication in SAP Help Portal.
  6. Assign the required administrator roles for the user. To be a tenant administrator, a user must be assigned at least one of the following roles.

    Table 2-2 Administrator Roles

    Authorization                        Description
    Manage Applications                  This role gives the tenant administrator permission to configure the applications via the administration console.
    Manage Corporate Identity Providers  This role gives the tenant administrator permission to configure the identity providers via the administration console.
    Manage Users                         This role gives the tenant administrator permission to manage, import, and export users via the administration console.
    Read Users                           This role gives the tenant administrator permission to retrieve user data and import users via the administration console and the SCIM REST API of Identity Authentication.
    Manage Groups                        This role gives the tenant administrator permission to create, edit, and delete user groups via the administration console.
    Manage Tenant Configuration          This role gives the tenant administrator permission to manage the tenant configuration and the authorization assignment of users. Tenant administrators with this role can add additional roles to themselves or to other administrators.

    Note:

    By default, all administrator roles are assigned. Because the connector uses this account only to look up users and manage their credentials, remove the roles it does not need. In particular, Manage Tenant Configuration lets the account grant further roles to itself, so do not leave it assigned to a service account.
  7. Configure the method of authentication for the account.
    • Set Password

      Note:

      You must set a password for basic authentication when Identity Authentication is used. The client ID is in universally unique identifier (UUID) format and is generated automatically, for example 1ab7c243-5de5-4530-8g14-1234h26373ab. The password must meet the following conditions:
      • Minimum length of 8 characters.
      • Characters from at least three of the following groups:
        • Lower-case Latin characters (a-z)
        • Upper-case Latin characters (A-Z)
        • Base 10 digits (0-9)
        • Non-alphabetic characters that are not in the exclusion list below (for example @, -, _, ., :, =, or ~)
      • Must not include a space or any of the characters %, +, \, !, #, $, &, ', (, ), *, ,, ;, <, >, ^, `, {, |, and }.
      • The account is locked for 60 minutes after 5 failed attempts with a wrong password.
  8. Save your changes.
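As an added example (not from the SAP or Oracle documentation), the following Python script encodes the password policy above so that a password for the IAS system account can be generated and checked before it is saved. The exclusion list rules out !, # and $, three of the characters that SAP's own text gives as examples of the non-alphabetic group, so of that example only @ is usable; SYMBOLS below is the set of ASCII punctuation that the exclusions leave. The script does not call IAS; the generated value is meant to be pasted into Set Password and kept in the OIG IT resource, not in a file.

```python
import secrets
import string

# Characters the IAS policy excludes: space and % + \ ! # $ & ' ( ) * , ; < > ^ ` { | }
FORBIDDEN = set(" %+\\!#$&'()*,;<>^`{|}")

# ASCII punctuation that remains usable for the "non-alphabetic" group once the
# exclusions are applied: " - . / : = ? @ [ ] _ ~
SYMBOLS = "".join(c for c in string.punctuation if c not in FORBIDDEN)

# The four character groups named by the policy; at least three must appear.
GROUPS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": SYMBOLS,
}


def check_ias_password(password):
    """Return the list of policy rules the password violates (empty if it complies)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    bad = sorted(set(password) & FORBIDDEN)
    if bad:
        problems.append("contains excluded characters: " + "".join(bad))
    present = sum(1 for chars in GROUPS.values() if any(c in chars for c in password))
    if present < 3:
        problems.append("uses fewer than three character groups")
    return problems


def generate_ias_password(length=24):
    """Generate a random password that satisfies the policy, using the OS CSPRNG."""
    if length < 8:
        raise ValueError("IAS requires at least 8 characters")
    alphabet = "".join(GROUPS.values())
    while True:  # rejection sampling: retry until the candidate passes every check
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_ias_password(candidate):
            return candidate


if __name__ == "__main__":
    pw = generate_ias_password()
    print(pw, check_ias_password(pw))
```

check_ias_password is also useful for validating a password proposed by someone else before it is saved in IAS, since a rejected value otherwise only surfaces as a failed basic-authentication attempt from the connector, and five of those lock the account for an hour.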

2.7 Application Post Configuration

After the application is configured, you must add the business roles to OIG.

Note:

This step is not applicable if you are using S4HANA-12.2.1.3.0A or a later version.
To export the business roles from the target, follow these steps:
  1. Log in to the S/4HANA Cloud tenant.
  2. Search for Maintain Business Roles.
  3. Select the Business Role ID.
  4. Click Download Business Roles.
In OIG, add the data to Lookup.S4HANA.Roles. Do the following:
  1. Log in to the OIG Identity System Administration console as sysadmin.
  2. Navigate to System Configuration > Lookups.
  3. Search for Lookup.S4HANA.Roles.
  4. Click Actions.
  5. Select Edit.
  6. Add entries as in the following example.

    Table 2-3 Example Data Table

    Code                      Decode/Meaning
    5~BR_GRANT_RESPONSIBLE    S4HANA1~Grant Responsible
    5~BR_GRANT_SPECIALIST     S4HANA1~Grant Specialist

Note:

  • Code: <IT Resource Key>~<Business Role ID>; Decode/Meaning: <Application Name>~<Business Role Description>.
  • The IT Resource Key is the svr_key value of the application's IT resource in the OIG svr table.
  • These steps apply to all S4HANA OIG applications. You must also run the Entitlement List scheduled job so that the new lookup entries are picked up as entitlements.
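As an added example (not part of the connector or Oracle's documentation), the following Python script builds Lookup.S4HANA.Roles entries in the Code/Decode format above from a business-role export, rejects duplicate role IDs and IDs containing the ~ separator, and can split a Code back into its IT resource key and role ID for checking existing entries. The CSV layout of the Maintain Business Roles download (Business Role ID and Description columns), the sample rows, and the svr query in the comment are assumptions.

```python
import csv
import io
import re

# Code format from the page: "<IT Resource Key>~<Business Role ID>".
CODE_RE = re.compile(r"^(?P<svr_key>\d+)~(?P<role_id>[^~]+)$")


def parse_role_export(text):
    """Read the business-role export into (role_id, description) pairs.

    ASSUMPTION: the file downloaded from Maintain Business Roles is treated as
    CSV with "Business Role ID" and "Description" columns; adjust the column
    names to match the actual export.
    """
    reader = csv.DictReader(io.StringIO(text))
    return [(row["Business Role ID"], row["Description"]) for row in reader]


def build_role_lookup(svr_key, app_name, roles):
    """Build Lookup.S4HANA.Roles entries as (Code, Decode) pairs, sorted by Code.

    svr_key  - the IT resource key (svr_key column of the OIG svr table)
    app_name - the application name used as the Decode prefix
    roles    - iterable of (role_id, description)
    """
    entries = {}
    for role_id, description in roles:
        role_id, description = role_id.strip(), description.strip()
        if not role_id:
            continue
        if "~" in role_id:
            raise ValueError(f"role id {role_id!r} contains the '~' separator")
        code = f"{svr_key}~{role_id}"
        if code in entries:
            raise ValueError(f"duplicate business role {role_id}")
        entries[code] = f"{app_name}~{description}"
    return sorted(entries.items())


def split_code(code):
    """Inverse of the Code format: "5~BR_GRANT_SPECIALIST" -> (5, "BR_GRANT_SPECIALIST")."""
    m = CODE_RE.match(code)
    if not m:
        raise ValueError(f"not a <svr_key>~<role id> code: {code!r}")
    return int(m.group("svr_key")), m.group("role_id")


# Constructed sample standing in for the Maintain Business Roles download.
SAMPLE_EXPORT = """Business Role ID,Description
BR_GRANT_RESPONSIBLE,Grant Responsible
BR_GRANT_SPECIALIST,Grant Specialist
"""

if __name__ == "__main__":
    # svr_key 5 and application S4HANA1 match the example in Table 2-3.
    # To find the key for your own IT resource (assumed query against the OIG schema):
    #   SELECT svr_key FROM svr WHERE svr_name = '<IT resource name>';
    for code, decode in build_role_lookup(5, "S4HANA1", parse_role_export(SAMPLE_EXPORT)):
        print(f"{code}\t{decode}")
```

Enter the printed Code/Decode pairs through the Lookups page, then run the Entitlement List scheduled job as the note above states. Because a Code is keyed by svr_key, the entries must be regenerated if the application's IT resource is ever recreated under a new key.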