Provisioning SFDC via IAG Using SCIM

Recently we integrated SAP IAG with Salesforce through System for Cross-domain Identity Management (SCIM). SCIM protocol is a powerful way to streamline identity and access management processes. This document provides a detailed guide on how to achieve seamless integration, covering all necessary steps and considerations.

What is SCIM?

SCIM is an open standard designed to simplify the management of user identities in cloud-based applications and services. It offers a standardized protocol for automating the exchange of user identity information between systems, ensuring consistency and reducing administrative overhead.

Why Now?

• Integrating SAP IAG with SFDC through SCIM offers several benefits:
• Single System of Truth: Enables IAG as an enterprise identity governance tool for both SAP & non-SAP landscape
• Improved Efficiency: Automates user provisioning and deprovisioning processes, reducing manual effort and errors.
• Enhanced Security: Ensures that user access rights are consistently managed across systems, reducing the risk of unauthorized access.
• Compliance: Helps maintain compliance with regulatory requirements by ensuring accurate and up-to-date user identity information.
• Streamlined Workflows: Enables seamless integration of identity management processes with IT service management workflows in ServiceNow.

Prerequisites

Before beginning the integration, ensure have the following:

• Access to SAP IAG and ServiceNow instances.
• Administrator privileges for both systems.
• Understanding of SCIM protocol and its implementation.

Integration Flow –

Step 1: Configure SCIM in SAP IAG

1. Log in to the SAP IAG admin – application tile.
2. Configure SCIM application as SFDC
3. Save and activate the SCIM configuration.

Step 2: Set Up SCIM in SFDC

1. Activate / configure the end points for users and group management.

Step 3: Configure IPS Proxy

1. Update the IPS Proxy with SCIM end points of SFDC
2. Define the transformation for read & write

Step 4: Activate Repo & Provision job

1. Run the repo sync to get all the users & group from SDFC
2. Run the IAG provisioning job to update / create the users

Best Practices

• Consistent Attribute Mapping: Ensure that user attributes are consistently mapped between SAP IAG and SFDC to avoid synchronization issues.
• Regular Audits: Conduct regular audits of user accounts and access rights to ensure compliance and security.
• Documentation: Maintain thorough documentation of the integration process and any configurations made in both systems.
• Testing: Thoroughly test the integration in a staging environment before deploying it to production.