1 About the SAP S/4 HANA Connector
The SAP S/4HANA connector integrates Oracle Identity Governance with the SAP S/4HANA target system.
The following topics provide a high-level overview of the SAP S/4HANA connector:
1.1 Introduction to the Connector
Oracle Identity Governance is a centralized identity management solution that provides self-service, compliance, provisioning, and password management services for applications residing on-premises or on the Cloud. Oracle Identity Governance connectors are used to integrate Oracle Identity Governance with external identity-aware applications.
The SAP S/4HANA Cloud connector lets you create and onboard SAP S/4HANA Cloud applications in Oracle Identity Governance.
Note:
In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application.
From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment is handled using the application onboarding capability of Oracle Identity Self Service. This capability lets business users onboard applications with minimum details and effort. The connector installation package includes a collection of predefined templates (XML files) that contain all the information required for provisioning and reconciling data from a given application or target system. These templates also include basic connectivity and configuration details specific to your target system. The connector uses information from these predefined templates, allowing you to onboard your applications quickly and easily using a single, simplified UI.
Application onboarding is the process of registering or associating an application with Oracle Identity Governance and making that application available for provisioning and reconciliation of user information.
Note:
In this guide, the term SAP S/4HANA Cloud is also referred to as the target system.
1.2 Certified Components
These are the software components and their versions required for installing and using the SAP S/4HANA Cloud connector.
Table 1-1 Certified Components
Component | Requirement for AOB Application |
---|---|
Oracle Identity Governance | You can use any one of the following releases: |
Oracle Identity Governance JDK | JDK 1.8 and later |
Target systems | SAP S/4HANA CLOUD 2208 |
Connector Server | 11.1.2.1.0 or 12.2.1.3.0 |
Connector Server JDK | JDK 1.8 and later |
1.3 Usage Recommendation
If you are using Oracle Identity Governance 12c (12.2.1.3.0) or a later version, then use the latest 12.2.1.x version of this connector. Deploy the connector using the Applications option on the Manage tab of Identity Self Service.
New customers are recommended to use the S4HANA-12.2.1.3.0A version because the Roles Lookup Reconciliation feature is implemented in it.
- SAP S/4HANA On-Premise: The traditional upgraded release of SAP ERP 6.0, to which the customers are mostly migrating, has SAP GUI-based access to the system with access to Fiori launchpad as well. It is a fully customer-controlled environment with respect to administration/support/maintenance. Recommendation - use Oracle Identity Governance - SAP User Management Connector. For more information about it, see About the SAP User Management Connector.
- SAP S/4HANA Cloud Private Edition: Everything is similar to SAP S/4HANA On-Premise, but the entire system control/administration/maintenance is with SAP. It is offered under the “Rise with SAP” program only as a Service with SAP GUI access given to the end/business users, who have access to Fiori Launchpad as well. Recommendation - use Oracle Identity Governance - SAP User Management Connector. For more information about it, see About the SAP User Management Connector.
- SAP S/4HANA Cloud Public Edition/Essential Edition: Core SaaS offering for S/4HANA, where the instance is provisioned, which has browser-based access only to the end/business users; No SAP GUI access is valid/exposed for this cloud instance. Recommendation - use Oracle Identity Governance - SAP S/4 HANA Cloud Connector. For more information about it, see Introduction to the Connector.
1.4 Certified Languages
These are the languages that the connector supports.
- Arabic
- Chinese (Simplified)
- Chinese (Traditional)
- Czech
- Danish
- Dutch
- English
- Finnish
- French
- French (Canadian)
- German
- Greek
- Hebrew
- Hungarian
- Italian
- Japanese
- Korean
- Norwegian
- Polish
- Portuguese
- Portuguese (Brazilian)
- Romanian
- Russian
- Slovak
- Spanish
- Swedish
- Thai
- Turkish
1.5 Supported Connector Operations
This is the list of operations that the connector supports for your target system.
Table 1-2 Supported Connector Operations
Operation | Supported |
---|---|
User Management | |
Create user | Yes |
Update user | Yes |
Enable user | Yes |
Disable user | Yes |
Delete user | Yes |
Business Role Management | |
Add and Remove Roles to Users | Yes |
1.6 Connector Architecture
The SAP S/4HANA Cloud connector is implemented by using the Identity Connector Framework (ICF).
ICF is a component that is required in order to use Identity Connectors. ICF provides basic reconciliation and provisioning operations that are common to all Oracle Identity Governance connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as buffering, timeouts, and filtering. ICF is distributed together with Oracle Identity Governance. Therefore, you do not need to configure or modify ICF.
Figure 1-1 shows the architecture of the SAP S/4HANA Cloud connector.
Figure 1-1 Connector Architecture
![This figure shows the architecture of the SAP S/4HANA Cloud connector. The description of the architecture is provided in the same section.](img/12c_sap_s4_connector_architecture_diagram.png)
The connector is configured to run in the Account management mode. Account management is also known as target resource management. In this mode, the target system is used as a target resource and the connector enables the following operations:
- Provisioning
  Provisioning involves creating, updating, or deleting users on the target system through Oracle Identity Governance. During provisioning, the adapters invoke an ICF operation. ICF in turn invokes the create operation on the SAP S/4HANA Cloud Identity Connector Bundle, and the bundle then calls the S/4HANA Cloud web service for provisioning operations. The web service on the target system accepts provisioning data from the bundle, carries out the required operation on the target system, and returns the response from the target system back to the bundle, which passes it to the adapters.
- Target resource reconciliation
  During reconciliation, a scheduled task invokes an ICF operation. ICF in turn invokes a search operation on the SAP S/4HANA Cloud Identity Connector Bundle, and the bundle then calls the S/4HANA Cloud web service for the reconciliation operation. The web service extracts user records that match the reconciliation criteria and hands them over through the bundle and ICF back to the scheduled task, which brings the records to Oracle Identity Governance.
  Each record fetched from the target system is compared with SAP S/4HANA Cloud resources that are already provisioned to OIM Users. If a match is found, then the update made to the SAP S/4HANA Cloud record from the target system is copied to the SAP S/4HANA Cloud resource in Oracle Identity Governance. If no match is found, then the UserName of the record is compared with the User Login of each OIM User. If a match is found, then data in the target system record is used to provision an SAP S/4HANA Cloud resource to the OIM User.
See Also:
Understanding the Identity Connector Framework in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for more information about ICF.
1.7 Supported Connector Features Matrix
The following table lists the features supported by the AOB application.
Table 1-3 Supported Connector Features Matrix
Feature | AOB Application |
---|---|
Full reconciliation | Yes |
Limited (Filtered) Reconciliation | Yes |
Provide secure communication to the target system through SSL | Yes |
Use connector server | Yes |
Clone applications or create new application instances | Yes |
Transformation and validation of account data | Yes |
Support for pagination | Yes |
Test connection | Yes |
1.8 Features of the Connector
The features of the connector include full and incremental reconciliation, limited reconciliation, transformation and validation of account data and so on.
- Support for Full Reconciliation
- Support for Limited (Filtered) Reconciliation
- Support for the Connector Server
- Transformation and Validation of Account Data
- Support for Cloning Applications and Creating Instance Applications
- Secure Communication to the Target System
- Configuring Action Scripts
- Support for Enabling and Disabling Accounts
1.8.1 Support for Full Reconciliation
In full reconciliation, all records are fetched from the target system to Oracle Identity Governance.
You can switch to full reconciliation at any time after you deploy the connector. For more information on performing full reconciliation runs, see Performing Full Reconciliation.
1.8.2 Support for Limited (Filtered) Reconciliation
You can reconcile records from the target system based on a specified filter criterion.
You can set a reconciliation filter as the value of the Filter Query attribute of the user reconciliation scheduled job. This filter specifies the subset of newly added and modified target system records that must be reconciled. The Filter Query attribute helps you to assign filters to the web services based on which you will get a filtered response from the target system.
For more information on performing limited reconciliation, see Performing Limited Reconciliation.
1.8.3 Support for the Connector Server
Connector Server is one of the features provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles.
A Java connector server is useful when you do not wish to execute a Java connector bundle in the same VM as your application. It can be beneficial to run a Java connector on a different host for performance improvements.
For information about installing, configuring, and running the Connector Server, and then installing the connector in a Connector Server, see Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
1.8.4 Transformation and Validation of Account Data
You can configure transformation and validation of account data that is brought into or sent from Oracle Identity Governance during reconciliation and provisioning operations by writing Groovy scripts while creating your application.
For more information, see Transformation and Validation of Account Data in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
1.8.5 Support for Cloning Applications and Creating Instance Applications
You can configure this connector for multiple installations of the target system by cloning applications or by creating instance applications.
When you clone an application, all the configurations of the base application are copied into the cloned application. When you create an instance application, it shares all configurations with the base application.
For more information about these configurations, see Cloning Applications and Creating Instance Applications in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
1.8.6 Secure Communication to the Target System
To provide secure communication to the target system, SSL is required. You can configure SSL between Oracle Identity Governance and the Connector Server and between the Connector Server and the target system.
If you do not configure SSL, passwords can be transmitted over the network in clear text. For example, this problem can occur when you are creating a user or modifying a user's password.
For more information, see Configuring SSL.
1.8.7 Configuring Action Scripts
You can configure Action Scripts by writing your own Groovy scripts while creating your application.
For information on adding or editing action scripts, see Updating the Provisioning Configuration in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
1.8.8 Support for Enabling and Disabling Accounts
Valid From and Valid Through are user attributes on the target system. For a particular user in SAP S/4HANA Cloud, if the Valid Through date is less than the current date, then the account is in the Disabled state; otherwise, the account is in the Enabled state. The same behavior is duplicated in Oracle Identity Governance through reconciliation. In addition, you can set the value of the Valid Through date to the current date or a date in the past through a provisioning operation.
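The matching order described for target resource reconciliation in section 1.6 and the Valid Through rule from this section, modeled together as an added Python example; this is not Oracle's connector code. Keying provisioned resources by UserName, exact case-sensitive comparison, the function names, and all sample records are assumptions constructed for illustration.

```python
from datetime import date

def account_status(valid_through, today):
    # Section 1.8.8 rule as written: Disabled only if Valid Through < current date.
    return "Disabled" if valid_through < today else "Enabled"

def reconcile(record, resources, oim_logins, today):
    """Apply the section 1.6 matching order to one target-system record.

    resources  -- provisioned resources keyed by UserName (keying is an assumption)
    oim_logins -- User Login values of OIM Users
    Exact, case-sensitive comparison is an assumption of this example.
    """
    name = record["UserName"]
    status = account_status(record["ValidThrough"], today)
    if name in resources:                       # step 1: already provisioned
        resources[name].update(record, Status=status)
        return "update", status
    if name in oim_logins:                      # step 2: UserName == User Login
        resources[name] = dict(record, Status=status)
        return "provision", status
    return "unmatched", status                  # outcome not described on the page

# Constructed sample data (not from a real system).
TODAY = date(2024, 6, 15)
RESOURCES = {"JDOE": {"UserName": "JDOE", "ValidThrough": date(2025, 1, 1),
                      "Status": "Enabled"}}
OIM_LOGINS = {"JDOE", "ASMITH"}
RECORDS = [
    {"UserName": "JDOE", "ValidThrough": date(2024, 6, 14)},       # ended yesterday
    {"UserName": "ASMITH", "ValidThrough": date(2024, 6, 15)},     # ends today
    {"UserName": "SVC_BATCH", "ValidThrough": date(9999, 12, 31)}, # no OIM owner
]

def run(records=RECORDS, today=TODAY):
    resources = {k: dict(v) for k, v in RESOURCES.items()}  # work on a copy
    results = [(r["UserName"], *reconcile(r, resources, OIM_LOGINS, today))
               for r in records]
    return results, resources

def needs_review(results):
    # Enabled target accounts that matched no OIM User: candidates for access review.
    return [n for n, action, status in results
            if action == "unmatched" and status == "Enabled"]

if __name__ == "__main__":
    results, _ = run()
    for row in results:
        print(row)
    print("review:", needs_review(results))
```

Under the rule as written, an account whose Valid Through equals the current date is still reported as Enabled; only a date in the past yields Disabled.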