### SAP BTP OAuth2TokenServiceURL Examples Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/target-sap-btp-account-members-neo Examples of OAuth2TokenServiceURL for SAP BTP, varying by region. ```text https://api.hana.ondemand.com/oauth2/apitoken/v1 ``` ```text https://api.us3.hana.ondemand.com/oauth2/apitoken/v1 ``` -------------------------------- ### Example URL for SAP Build Work Zone, advanced edition Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-build-work-zone-advanced-edition Use this format for the URL property when configuring the source system. ```text https://.workzone.ondemand.com ``` -------------------------------- ### OpenID Connect Token Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/integration-configure-identity-federation This JSON web token example demonstrates claims for a subject identifier ('sub') and an email address ('mail'). ```json {"sub": "P012345", "mail": "dona.moore@test.com", ...} ``` -------------------------------- ### Transformation Mapping Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/additional-information A basic transformation mapping example showing how to map a source path to a target path, with an optional function to resolve entity IDs. ```json { "sourcePath": "$.members[*].value", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members[?(@.value)]", "functions": [ { "function": "resolveEntityIds" } ] } ``` -------------------------------- ### Example SCIM Filter for Users Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-build-work-zone-advanced-edition An example of a SCIM-based search criteria for filtering users, used in the workzone.user.filter property. ```text userName eq "SmithJ" and addresses.country eq "US" ``` -------------------------------- ### SCIM Target System URL Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/target-scim-system Specify the service URL for the SCIM system. This is a mandatory property. ```text http://.com/api/uaa/ ``` -------------------------------- ### Example Policy with Qualified References Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/package-definition Demonstrates using a fully qualified name to reference a policy in the 'sales' package and a local policy. ```DCL POLICY allAdmins { USE sales.salesOrders; // fully qualified name to 'salesOrders' in package 'sales' USE readAll; // local policy } ``` -------------------------------- ### SAP BTP Account Members Target System URL Examples Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/target-sap-btp-account-members-neo Examples of URLs for the SAP BTP Account Members target system, varying by region. ```text https://api.hana.ondemand.com/authorization/v1/platform/accounts/abc123xyz ``` ```text https://api.jp1.hana.ondemand.com/authorization/v1/platform/accounts/abc123xyz ``` -------------------------------- ### Example SCIM Filter for Users Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-data-custodian Use this filter to specify which users from SAP Data Custodian should be read. This example filters by userName 'Smith.J'. ```json userName eq "Smith.J" ``` -------------------------------- ### Example Group Prefix Configuration Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-data-custodian This property distinguishes SAP Data Custodian groups by prepending a prefix. The example value 'DC_' will result in group names like 'DC_' in the target system. ```text DC_ ``` -------------------------------- ### Google G Suite Source System Configuration Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/google-g-suite This is an exemplary configuration for connecting Google G Suite as a source system. Ensure all mandatory properties are correctly set, including authentication details and URLs. ```properties ProxyType=Internet Type=HTTP Authentication=BasicAuthentication URL=https://www.googleapis.com/admin/directory User=1234567890-compute@developer.gserviceaccount.com Password=-----BEGIN PRIVATE KEY----- 123ABCDEFG123456789... … /123456789ABCDEFG123= -----END PRIVATE KEY----- OAuth2TokenServiceURL=https://www.googleapis.com/oauth2/v4/token jwt.subject=john.smith@me123.accounts.ondemand.com jwt.scope=https://www.googleapis.com/auth/admin.directory.user ``` -------------------------------- ### SAP Commerce Cloud User Filter Examples Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-commerce-cloud Examples of filter expressions for the `cc.user.filter` property to select specific users based on their attributes. ```string userName eq "johnbrown" and externalId eq "P000252" ``` ```string userName eq "johnbrown" and emails.value eq "johnbrown@email.com" ``` ```string userName eq "johnbrown" and emails.value eq "johnbrown@email.com" and externalId eq "P000252" ``` -------------------------------- ### Complete Group Resource Mapping with Description Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/additional-information An example of a complete 'group' resource mapping that includes provisioning the source group's ID and Description to the target system's displayName and description. ```json "group": { "mappings": [ { "sourcePath": "$.ID", "targetPath": "$.displayName", "targetVariable": "entityIdSourceSystem" }, { "sourcePath": "$.Description", "optional": true, "targetPath": "$.description" }, { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" }, ... ``` -------------------------------- ### Example SCIM Filter for Groups Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-build-work-zone-advanced-edition An example of a SCIM-based search criteria for filtering groups, used in the workzone.group.filter property. ```text displayName eq "Project123" ``` -------------------------------- ### DCL Policy Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/formats Example of a DCL policy defining read access on a product with a country condition. String constants are enclosed in single quotes. ```dcl POLICY salesOrdersProduct { GRANT read ON product WHERE Country = 'US'; } ``` -------------------------------- ### Revoke Token Endpoint Request Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/call-identity-authentication-revoke-token-endpoint This example shows the required parameters for revoking a token. Ensure 'token' and 'client_id' are provided in the request body. ```http token=0ab12345978c51ffe7c4e9a2b1158bb4 ``` -------------------------------- ### Example Token for Technical Communication Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-api-from-another-application This is an example of a token returned by Identity Authentication, containing relevant claims such as 'ias_apis' and 'aud' (audience). ```json { "ias_apis": [ "apiPermissionGroup" ], "sub": "3ab1ba0e-c573-4ad5-20a4-28aa4e587a19", "aud": "77f42d85-7da7-1aa1-84a2-e65a76308cd3", "azp": "3ab1ba0e-c573-4ad5-20a4-28aa4e587a19" } ``` -------------------------------- ### SAP Commerce Cloud Group Filter Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-commerce-cloud An example of a filter expression for the `cc.group.filter` property to select specific groups. ```string displayName eq "ProjectTeam1" or "Students2018" ``` -------------------------------- ### Exemplary Destination Configuration Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/target-sap-btp-abap-environment An example of an HTTP destination configuration, including authentication, proxy type, URL, user credentials, and specific properties for date format and role/bulk operation settings. ```properties Type=HTTP Authentication=Basic AuthenticationProxyType=Internet URL=https://12345-aaaaa-3333.abap.hana.ondemand.com User=MyABAPEnvUser Password=************ ips.date.variable.format=yyyy-MM-dd a4c.user.roles.overwrite=false a4c.support.bulk.operation = true a4c.bulk.operations.max.count = 50 ``` -------------------------------- ### OAuth2 Token Service URL Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/target-scim-system If using OAuth authentication, provide the URL to the access token provider service. This is an optional property. ```text https://.com/api/oauth2/v2.0/token ``` -------------------------------- ### SAP Business Network User Filter Examples Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-business-network Use these examples to filter SAP Business Network users based on specific criteria. Ensure the filter expression matches the expected format. ```text userName eq "Julie Armstrong" ``` ```text userName sw "J" ``` ```text emails eq "julie.armstrong@example.com" ``` -------------------------------- ### SAP Revenue Growth Management SCIM API Filter Examples Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-revenue-growth-management Examples of filter expressions for user and group synchronization. These filters can be applied to `rgm.user.filter` and `rgm.group.filter` properties to control which data is provisioned. ```text userName eq "johnbrown" and externalId eq "c167254d-25fd-5fac-af32-0b8c35e0de27" ``` ```text userName sw "J" and externalId eq "c167254d-25fd-5fac-af32-0b8c35e0de27" ``` ```text userName eq "johnbrown" and emails.value eq "johnbrown@email.com" ``` ```text userName eq "johnbrown" and emails.value eq "johnbrown@email.com" and externalId eq "c167254d-25fd-5fac-af32-0b8c35e0de27" ``` ```text urn:sap:cloud:scim:schemas:extension:custom:2.0:Group:name eq "ProjectTeam1" or "Students2018" ``` -------------------------------- ### SAP S/4HANA for procurement planning OAuth 2.0 Token Service URL Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-s-4hana-for-procurement-planning Enter the OAuth 2.0 Token Service URL. This is a mandatory property for configuring the source system. ```text https://procplansecurity.authentication.eu10.hana.ondemand.com/oauth/token ``` -------------------------------- ### Exemplary Destination Configuration for SAP Marketing Cloud Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-marketing-cloud This is an example of how to configure the destination properties for connecting to SAP Marketing Cloud. It includes authentication, URL, and specific properties for handling archived data and role filtering. ```properties Type=HTTP Authentication=BasicAuthentication ProxyType=Internet URL=https://my1234567-api.s4hana.ondemand.com User=MyMarketingCloudUser Password=************ ips.date.variable.format=yyyy-MM-dd marketing.skip.read.archived=truemarketing.cloud.roles.filter=startswith(ID, 'EMPLOYEE_LEVEL_3') eq truemarketing.cloud.roles.page.size=30 ``` -------------------------------- ### Response Payload Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/call-identity-authentication-certificate-endpoint This is an example of the JSON Web Key (JWK) payload returned by the certificate endpoint, containing public keys for signature verification. ```JSON { "keys": [{ "kty": "RSA", "x5t#S256" : "kAQDSY3vl3BuRFLOl-6CaB_VlIWWzcupzYjnWV4BHow", "e": "AQAB", "use" : "sig", "kid" : "VEwv92eXR9jDN9o94GXL8pkWa9Y", "x5c" : [ "MIIDFjCCAf6gAwIBAQIGAWm+n1AfMA0GCSqGSIb3DQEBBQUAMEoxCzAJBgNVBAYTAkRFMQ8wDQYDVQQKEwZTQVAtU0UxKjAoBgNVBAMTIXNjaS1kb2N1LmFjY291bnRzNDAwLm9uZGVtYW5kLmNvbTAeFw0xOTAzMjcxMDA4MjVaFw0yOTAzMjcxMDA4MjVaMEoxCzAJBgNVBAYTAkRFMQ8wDQYDVQQKEwZTQVAtU0UxKjAoBgNVBAMTIXNjaS1kb2N1LmFjY291bnRzNDAwLm9uZGVtYW5kLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKqMOaHOUai+p9wUPO5kARMRkExJfyUwrwHYLCfoGtvdos74MseRWUdMcMTxlSaVyOSX4eGv9cRW1yQNarounGkTrVhmAkLdhFVcIytdOd1DOKAEvLFGjHX P5tR0HsFvmGaRQzSS1nTfmW+qvEU6H8GPXnIypx/8wNXBFO52CS3Bx4IioaMSLWY3qJFRHt2paw1VY/9L8rHGyMAjE458kHjhGXCf1S4iw5Yf79ruIno6PlNx1+QlR90BSy5BheNrDaTqNalnRNmaPt555Z4ptSooFumi5Ixw2ngqwtrdCRM6FIWYYLm8/SBzeRWm7N40f3EWbQsLaNyojnBWjIgXGEcCAwEAAYICAAAwDQYJKoZIhvcNAQEFBQADggEBADNDQvM7ly5LSeYC+a/RfcumB2UnEaw9YZ3o2ymFywWNstNsfZ3HTRikAxmtB12wHlKwZLhUaEf3gMAGarPbh+kFbnRHoWOYLQEl+x+Aj7krdul58LnACXwwTnGeRoZ5M/LlWqTZPDc+lNCIuubwU3F/LIUvXRZOLu/5T3ltjVV3yZ0bM/yxCvXxmX9pv2BmeHvUYmH9bP7mJcGhbp/puUe9f5YmAur4GbveVDZaL4N2+4qC++dRad1kGzOqIhwXIHzNKt81Hwgll3DuQcuKvM+I+I9nGXzwpTHB06HmVBNgSofS26bUzi20rD6StOdOIAPFmiimy/r1D6Nmw/Mk50=" ] }] } ``` -------------------------------- ### JSONPath for Source and Target Paths Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/validate-provisioning-jobs Use this JSONPath syntax to define source and target paths for attribute mapping in provisioning transformations. This example shows mapping the first email to the userName. ```json { "sourcePath": "$.emails[0].value", "targetPath": "$.userName" } ``` ```json { "sourcePath": "$.userName", "targetPath": "$.userName" } ``` -------------------------------- ### SAP Enable Now User Filter Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-enable-now Use the `en.user.filter` property to specify a filter expression for selecting SAP Enable Now users. This ensures only matching users are read. ```text userName eq "SmithJ" ``` -------------------------------- ### Example Token for Principal Propagation Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-api-from-another-application An example of a token received from Identity Authentication for principal propagation, including user-specific claims and the provider application's client ID in the 'aud' claim. ```json { "ias_apis": [ "apiPermissionGroup" ], "sub": "P123456", "mail": "donna.moore@example.com", "last_name": "Moore", "aud": "7ab2cd3e-c573-4ad5-9007-28aa4e587a19", "scim_id": "1a2345bc-4f6b-456b-9bfb-5d58beb97fb7", "user_uuid": "1a2345bc-4f6b-456b-9bfb-5d58beb97fb7", "azp": "e7c7e327-86c0-48a6-af57-a1234b567869", "first_name": "Donna", … } ``` -------------------------------- ### Exemplary Destination Configuration for Cloud Foundry UAA Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/cloud-foundry-uaa-server This is an example of the destination configuration string for connecting to the Cloud Foundry UAA Server. Ensure all properties are correctly set according to your Cloud Foundry environment. ```properties Type=HTTPAuthentication=BasicAuthenticationProxyType=InternetURL=https://api.authentication.hana.ondemand.comOAuth2TokenServiceURL=https://MyCFaccount.authentication.hana.ondemand.com/oauth/tokenUser=MyCFuserPassword=************uaa.origin=my_UAA_locationuaa.origin.filter.enabled=true ``` -------------------------------- ### Default SAP HANA Database Transformation Configuration Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-hana-database-beta This JSON configuration defines the default transformation rules for provisioning users to SAP HANA Database. It includes mappings for user attributes, password generation, and various permissions. Use this as a starting point and customize it to match your SAP HANA Database setup. ```json { "user": { "condition": "$.userName EMPTY false", "mappings": [ { "sourcePath": "$.userName", "targetPath": "$.username" }, { "targetPath": "$.password_option.password", "scope": "createEntity", "functions": [ { "type": "randomPassword", "passwordLength": 24, "minimumNumberOfLowercaseLetters": 1, "minimumNumberOfUppercaseLetters": 1, "minimumNumberOfDigits": 1, "minimumNumberOfSpecialSymbols": 0 } ] }, { "ignore": true, "constant": true, "targetPath": "$.password_option.no_force_first_password_change", "scope": "createEntity" }, { "constant": true, "targetPath": "$.deactivate", "scope": "deleteEntity" }, { "sourcePath": "$.userName", "targetPath": "$.username", "scope": "deleteEntity" }, { "constant": false, "targetPath": "$.deactivate" }, { "constant": true, "targetPath": "$.reset_connect_attempts" }, { "ignore": true, "constant": true, "targetPath": "$.force_password_change" }, { "ignore": true, "constant": true, "targetPath": "$.enable_password_lifetime" }, { "ignore": true, "constant": true, "targetPath": "$.disable_client_connect" }, { "constant": "NOW", "targetPath": "$.valid_from" }, { "constant": "FOREVER", "targetPath": "$.valid_to" }, { "ignore": true, "constant": "1970-01-01 00:00:00.0", "targetPath": "$.valid_from" }, { "ignore": true, "constant": "1970-01-01 00:00:00.0", "targetPath": "$.valid_to" }, { "ignore": true, "constant": "role", "targetPath": "$.catalog_permissions[0].type" }, { "ignore": true, "constant": "MONITORING", "targetPath": "$.catalog_permissions[0].name" }, { "ignore": true, "constant": "ADMIN", "targetPath": "$.catalog_permissions[0].option" }, { "ignore": true, "constant": "object_privilege", "targetPath": "$.catalog_permissions[1].type" }, { "ignore": true, "constant": "SELECT CDS METADATA", "targetPath": "$.catalog_permissions[1].name" }, { "ignore": true, "constant": "SYS.USERS", "targetPath": "$.catalog_permissions[1].on" }, { "ignore": true, "constant": "role", "targetPath": "$.repository_permissions[0].type" }, { "ignore": true, "constant": "sap.appcore.auth.p::select_ACCESS_VIEWS_BY_USER", "targetPath": "$.repository_permissions[0].name" }, { "ignore": true, "constant": "application_privilege", "targetPath": "$.repository_permissions[1].type" }, { "ignore": true, "constant": "sap.hana.ide::Catalog", "targetPath": "$.repository_permissions[1].name" }, { "ignore": true, "constant": true, "targetPath": "$.repository_permissions[2].revoke" } ] } } ``` -------------------------------- ### SAP Enable Now Group Prefix Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-enable-now The `en.group.prefix` property distinguishes SAP Enable Now groups by prepending a specified prefix to their names when provisioned to a target system. This helps differentiate them from groups from other sources. ```text EN_ ``` -------------------------------- ### SAP Business Network Group Filter Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-business-network This example shows how to filter SAP Business Network groups by their display name. The filter must adhere to the specified format. ```text displayName eq "Employees" ``` -------------------------------- ### Example SCIM Filter for Groups Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-data-custodian Use this filter to specify which groups from SAP Data Custodian should be read. This example filters by the display name 'SAP_Data_Custodian_Auditor'. ```json displayName eq "SAP_Data_Custodian_Auditor" ``` -------------------------------- ### Example User Filter for SAP SuccessFactors Employee Central Payroll Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-successfactors-employee-central-payroll Use this property to filter SAP SuccessFactors Employee Central Payroll users based on specific criteria. Supported operators are 'eq' (equal) and 'sw' (starts with). ```text userName eq "JohnSmith" ``` ```text userName sw "J" ``` ```text emails.value eq "john.smith@example.com" ``` -------------------------------- ### SP User Deactivation Response Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sp-user-deactivation This is an example of a successful response when an SP user is deactivated. It indicates the user's status is now inactive for the specified service provider. ```xml accounts.sap.com The SP user [URI of the sp user] is with status inactive for Service Provider [example.com] ``` -------------------------------- ### SAP S/4HANA for procurement planning SCIM API URL Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-s-4hana-for-procurement-planning Specify the URL to the SCIM API of your SAP S/4HANA for procurement planning system without path information. This is a mandatory property for configuring the source system. ```text https://procplanning-api.cfapps.eu10.hana.ondemand.com ``` -------------------------------- ### JSON Response with Tokens Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/exchanging-identity-authentication-tokens-for-tokens-from-corporate-identity-providers This is an example of the JSON response received after a successful token exchange. It includes the access token, ID token, token type, and expiration time. ```json Content-Type: application/json { "access_token": "YTU1OGU0NzdjYzRkNjA4YzI3ODk4MWEzM2UyYmFlYTI w", "id_token": "eyJraWQiOiJUdDV0Wkt5RHlxSzV4em93VUhrdkNBS3c3bkE iLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJUMTIzNDU2Iiwic3ViIjoibWFuYWdlci IsIm1haWwiOiJkb25hLm1vb3JlQGV4YW1wbGUuY29tIiwiaXNzIjoiZG9tYS1tYW 4ubWFuLXVuaS51cy5ldS1wdC0xLmNsb3VkLmNvbSIsImxhc3RfbmFtZSI6Ik1vb3 JlIiwiZXhwIjoxNTQ4NjgzNzE4LCJpYXQiOjE1NDg2ODM0MTgsImZpcnN0X25hbW UiOiJEb25hIiwianRpIjoiZmIxMjM0YTUtMTIzYS0xYmQzLWExYWItMGExMjNiYz Q1ZDZlIn0.3ormYv_nxnimm6xB972qSGOk_YTc_gpE4wVhgaA7q0I", "token_type": "Bearer", "expires_in": 3569 } ``` -------------------------------- ### Identity Authentication Token Response Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-api-from-provider-application This is an example of a token response from Identity Authentication. It includes claims such as 'ias_apis' listing accessible APIs and 'aud' which is the client ID of the provider application. ```json { "ias_apis": [ "applications" ], "sub": "P123456", "mail": "donna.moore@example.com", "last_name": "Moore", "aud": "09b90b70-3e4c-4fbc-b4ac-ef66848b7fbc", "scim_id": "1a2345bc-4f6b-456b-9bfb-5d58beb97fb7", "user_uuid": "1a2345bc-4f6b-456b-9bfb-5d58beb97fb7", "azp": "8bbc6f92-0222-46f1-b9c5-b2b48825e78b", "first_name": "Donna", … } ``` -------------------------------- ### Exemplary SAP SuccessFactors Destination Configuration Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-successfactors An example configuration for an HTTP destination to the SAP SuccessFactors API, including authentication, user attributes, and filtering properties. ```properties Type=HTTP Authentication=Basic AuthenticationProxyType=Internet URL=https://apitest.successfactors.com/odata/v2 User=sfsf_admin@mycompany.com Password=************ sf.user.attributes=userId,username,status,email,lastName,firstName,lastModifiedDateTime,personKeyNav,position SkillMappings=personKeyNav,personKeyNav/userAccountNav,positionSkillMappings/skills sf.user.filter=department ne 'Manufacturing' sf.group.filter=groupType eq 'permission' sf.page.size=70 ``` -------------------------------- ### SAP Revenue Growth Management SCIM API - User Read Transformation Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-revenue-growth-management-69970c83bbc84862ac205b8c0b525198 This JSON configuration defines the read transformation for user entities from SAP Revenue Growth Management's SCIM API. It specifies mappings for schemas, entity IDs, user names, and metadata locations. ```json { "user": { "scimEntityEndpoint": "Users", "mappings": [ { "sourcePath": "$.schemas", "preserveArrayWithSingleElement": true, "targetPath": "$.schemas" }, { "sourcePath": "$.id", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem" }, { "sourcePath":"$.userName", "targetPath":"$.userName", "correlationAttribute":true }, { "sourcePath": "$.meta", "targetPath": "$.meta" }, { "sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location", "targetVariable": "entityLocationSourceSystem" } ] } } ``` -------------------------------- ### Forgot Password Request Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/forgot-password-rest-api Send a POST request to initiate a password reset. The request body must contain a JSON object with an 'identifier' field, which can be an email, loginName, or uid. ```json { "identifier": "dona.moore@example.com" } ``` -------------------------------- ### Example Group Filter for SAP SuccessFactors Employee Central Payroll Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-successfactors-employee-central-payroll Use this property to filter SAP SuccessFactors Employee Central Payroll groups based on specific criteria. Supported operators are 'eq' (equal) and 'sw' (starts with). ```text displayName eq "ProjectTeam1" ``` ```text displayName sw "P" ``` -------------------------------- ### Attribute Transformation Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/google-g-suite This transformation maps attributes from a source system to a target system, including filtering members based on type and status, renaming IDs to 'value', and removing other member attributes. ```json { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" }, { "sourcePath": "$.name", "targetPath": "$.displayName" }, { "sourcePath": "$.members[?((@.type == 'USER') && (@.status == 'ACTIVE'))]", "targetPath": "$.members", "optional": true, "preserveArrayWithSingleElement": true }, { "targetPath": "$.members[*].status", "type": "remove" }, { "targetPath": "$.members[*].id", "type": "rename", "constant": "value" }, { "constant": "display", "targetPath": "$.members[*].email", "type": "rename" }, { "targetPath": "$.members[*].kind", "type": "remove" }, { "targetPath": "$.members[*].etag", "type": "remove" }, { "targetPath": "$.members[*].role", "type": "remove" } ``` -------------------------------- ### Create Identity Service Instance (kubectl) Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/getting-started-with-identity-service-of-sap-btp Use this kubectl command to create an instance of the Identity service with the 'application' plan. Ensure you replace {} and {} with your specific values. ```yaml cat <} namespace: {} spec: clusterServiceClassExternalName: identity clusterServicePlanExternalName: application EOF ``` -------------------------------- ### SAML 2.0 Assertion Attribute Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/configure-master-data-texts-via-administration-console Shows how master data, such as 'salutation', is represented as an attribute within a SAML 2.0 assertion. This format is used when sending master data in assertions. ```xml 0002 ``` -------------------------------- ### SAP Field Service Management User Filter Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-field-service-management Use this filter to specify which SAP Field Service Management users should be read. It supports standard logical operators. ```string name.familyName eq "Smith" and addresses.country eq "US" ``` -------------------------------- ### Execute Bash Script via SSH with Parameters Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/ssh-server-beta Example of executing a bash script on a remote machine via SSH, passing entity JSON fields as parameters. Ensure the script path and parameters are correctly formatted. ```bash sudo su - vcap /home/myscript.sh $.userName $.email ``` -------------------------------- ### Create Identity Service Instance (cf cli) Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/getting-started-with-identity-service-of-sap-btp Use the Cloud Foundry CLI to create a service instance for the Identity service with the 'application' plan. Replace with your desired name. ```bash cf create-service identity application ``` -------------------------------- ### SAP Field Service Management Group Prefix Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-field-service-management This property distinguishes SAP Field Service Management groups by a specific prefix, which is prepended to group names during provisioning. ```string FSM_ ``` -------------------------------- ### POST Request to Corporate Identity Provider Endpoint Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/exchanging-identity-authentication-tokens-for-tokens-from-corporate-identity-providers Use this example to call the corporate identity provider endpoint for token exchange. Ensure to include the Content-Type and Authorization headers, along with the assertion and desired response types in the request body. ```http POST /oauth2/exchange/corporateidp Content-Type: application/x-www-form-urlencoded Authorization: Bearer eyJbiOi… response_type=token id_token& assertion=eyJ0eab… ``` -------------------------------- ### Define API Permission Group Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/provide-apis-for-consumption-by-other-applications Example of how to define an API permission group named 'sales-orders' for API access control. This configuration is used within SAP Cloud Identity Services. ```json "provided-apis": [ { "name": "sales-orders", "description": "Access sales orders" } ] ``` -------------------------------- ### Bind Service Instance to Application (kubectl) Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/getting-started-with-identity-service-of-sap-btp This kubectl command creates a ServiceBindingUsage resource to bind a service instance to your application's deployment. Configure 'envPrefix' as needed and replace placeholders like {}, {}, and {}. ```yaml cat <} namespace: NAMESPACE_NAME spec: serviceBindingRef: name: {} usedBy: kind: deployment name: {} parameters: envPrefix: name: "PREFIX_" EOF ``` -------------------------------- ### CSV Format for User Validation Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/validate-provisioning-jobs This CSV example shows the correct format for validating two users with attributes defined in the MS Entra ID source system, including user details and group memberships. ```csv userPrincipalName,id,mail,givenName,surname,groups[0].value,groups[1].value ChrisEvans,ec2c28da-a9fe-46c9-876e-564317f9a3af,chris@example.com,Christopher,Evans,Employee,Support MaryWatson,b016ecad-2c30-4fdf-8fb3-117db4911256,mary@example.com,Mary,Watson,Employee,Developer ``` -------------------------------- ### Configure SAML 2.0 Assertion Consumer Service Endpoint Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/auth-idp-enable-idp-initiated-sso-from-all-corporate-identity-providers This XML snippet shows an example of how to configure the assertion consumer service (ACS) endpoint in the metadata of a SAML 2.0 application. Ensure the index, binding, and location are correctly set for your application. ```xml ``` -------------------------------- ### User Creation Success Response Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/user-registration Upon successful user creation, the URI of the new user is returned in the 'Location' header. ```http Location: https://.accounts.ondemand.com/service/users/0800200c9a66 ``` -------------------------------- ### Bind Service Instance to Application (cf cli) Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/getting-started-with-identity-service-of-sap-btp Use the Cloud Foundry CLI to bind an existing service instance to your application. Replace and with your application and service instance names, respectively. ```bash cf bind-service ``` -------------------------------- ### Exemplary Destination Configuration for SAP BTP XS Advanced UAA Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-btp-xs-advanced-uaa-cloud-foundry This configuration demonstrates the required properties for connecting SAP BTP XS Advanced UAA as a source system. Ensure all properties are correctly set according to your SAP BTP environment. ```properties Type=HTTPAuthentication=BasicAuthenticationProxyType=InternetURL=https://api.authentication.eu10.hana.ondemand.comOAuth2TokenServiceURL=https://myaccount.authentication.eu10.hana.ondemand.com/oauth/tokenUser=sb-full-access!a76125Password=************xsuaa.origin=sap.customxsuaa.origin.filter.enabled=true ``` -------------------------------- ### Include SAP_IDS.js Library Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/add-logon-overlays-in-customer-applications Include the SAP_IDS.js library to your application's landing page. Use the provided pattern for the script source. ```html ``` -------------------------------- ### SAML 2.0 Assertion Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/integration-configure-identity-federation This SAML assertion XML shows how an email address is included in the AttributeStatement while the login name is in the Subject NameID. ```xml P012345 ... ... dona.moore@test.com ... ``` -------------------------------- ### Negative Condition: Array Elements Not Empty Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/additional-information Check if an array contains elements that do not meet a specific criteria. This example checks if there are any email addresses that are not of type 'work'. ```json "condition": "$.emails[?(@.type != 'work')].value != []" ``` -------------------------------- ### Identity Provisioning API Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/api-documentation Manage identity lifecycle processes for cloud and on-premise systems. ```APIDOC ## Identity Provisioning API ### Description Manage identity lifecycle processes for cloud and on-premise systems. ### Method GET, POST, PUT, DELETE ### Endpoint /api/identity-provisioning ``` -------------------------------- ### CSV Format for Invalid Field Count Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/validate-provisioning-jobs This CSV example demonstrates an incorrect format where the number of fields in a row does not match the number of headers, which will cause an error during import. ```csv col1,col2,col3,col4,col5 A,B,,D,E L,M,N,, P,Q, ``` -------------------------------- ### User Provisioning Mappings Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-field-service-management Defines mappings for user attributes during provisioning. Includes conditional concatenation for group prefixes. ```json { "condition": "'%fsm.group.prefix%' !== 'null'", "function": "concatString", "applyOnElements": true, "applyOnAttribute": "display", "prefix": "%fsm.group.prefix%" } ``` ```json { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']", "optional": true, "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']" } ``` -------------------------------- ### Call Identity Authentication Certificate Endpoint Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/call-identity-authentication-certificate-endpoint Use this GET request to retrieve public keys from the OpenID provider. The keys are encoded as JSON Web Keys (JWK). ```HTTP https://my-tenant.ondemand.com/oauth2/certs ``` -------------------------------- ### POST Request for User Registration Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/user-registration Use this endpoint to register new users. Ensure 'Content-Type' is set to 'application/x-www-form-urlencoded'. The email must be unique. ```http POST /service/users Content-Type: application/x-www-form-urlencoded name_id=johns&user_profile_id=p987654&email=john.smith@sap.com&first_name=John&last_name=Smith&language=en&valid_from=20110901120000Z&valid_to=20120901110000Z&source_url=http%3A%2F%2Fwww.myapp.com%2Fpublic.jsp&target_url=http%3A%2F%2Fwww.myapp.com%2Fprotected.jsp&spCustomAttribute1=Industry ``` -------------------------------- ### SAP Enable Now Default User Transformation Configuration Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-enable-now-e77702a9f53d4a1d93d94e585eb0252d This JSON configuration defines the default transformation rules for provisioning users to SAP Enable Now. It includes conditions for user validity and mappings for various user attributes. ```json { "user": { "condition": "($.userName EMPTY false) && isValidEmail($.emails[0].value) && (('%en.group.prefix%' === 'null') || ($.groups[?(@.display =~ /%en.group.prefix%.*/)] empty false))", "mappings": [ { "targetPath": "$.id", "sourceVariable": "entityIdTargetSystem" }, { "constant": [ "urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:sap:2.0:User" ], "targetPath": "$.schemas" }, { "sourcePath": "$.userName", "targetPath": "$.userName" }, { "sourcePath": "$.name", "targetPath": "$.name", "optional": true }, { "sourcePath": "$.active", "targetPath": "$.active", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']", "optional": true }, { "sourcePath": "$.emails", "targetPath": "$.emails", "preserveArrayWithSingleElement": true } ] }, "group": { ``` -------------------------------- ### Get Conflicting User URI in HTTP Response Header Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/user-registration When a user creation or update results in a conflict, the URI of the conflicting user is returned in the 'Location' header of the HTTP response. ```http Location: https://.accounts.ondemand.com/service/users/467345637aa ``` -------------------------------- ### SAP SuccessFactors Incentive Management Source System Configuration Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-commissions Exemplary configuration for connecting SAP SuccessFactors Incentive Management as a source system. Ensure all mandatory properties are correctly set. ```properties Type=HTTP Authentication=BasicAuthentication ProxyType=Internet URL=https://mycommissions.callidus.run/CallidusPortal User=MyCommissionsUser Password=************ ``` -------------------------------- ### Exemplary Destination Configuration for SAP BTP ABAP Environment Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-btp-abap-environment This configuration demonstrates the properties required for connecting SAP Cloud Identity Services to an SAP BTP ABAP environment system, including authentication and optional filtering. ```properties Type=HTTP Authentication=BasicAuthentication ProxyType=Internet URL=https://12345-aaaaa-3333.abap.hana.ondemand.com User=MyABAPEnvUser Password=************ ips.date.variable.format=yyyy-MM-dd a4c.skip.read.archived=true a4c.roles.filter=startswith(ID, 'EMPLOYEE_LEVEL_3') eq true a4c.roles.page.size=30 ``` -------------------------------- ### SAP Field Service Management Group Filter Example Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-field-service-management Use this filter to specify which SAP Field Service Management groups should be read. It supports logical operators like 'or'. ```string displayName eq "ProjectTeam1" or "Employees2020" ``` -------------------------------- ### SAP BTP Source System Configuration Properties Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-btp-java-html5-apps-neo These are the mandatory properties for configuring SAP BTP Java/HTML5 apps (Neo) as a source system. Ensure all fields are correctly populated for a successful connection. ```properties Type: HTTP URL: https://api./authorization/v1/accounts/ ProxyType: Internet Authentication: BasicAuthentication User: Password: OAuth2TokenServiceURL: https://api./oauth2/apitoken/v1 hcp.application.names: ,,: ``` -------------------------------- ### Group Provisioning Mappings Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/sap-field-service-management Configures mappings for group attributes. Supports setting application IDs, external names, and member lists. ```json { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" } ``` ```json { "sourcePath": "$.schemas", "preserveArrayWithSingleElement": true, "targetPath": "$.schemas" } ``` ```json { "condition": "'%ips.application.id%' !== 'null'", "constant": "%ips.application.id%", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['applicationId']" } ``` ```json { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['type']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['type']", "optional": true } ``` ```json { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['supportedOperations']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['supportedOperations']", "optional": true } ``` ```json { "sourcePath": "$.displayName", "targetPath": "$.displayName", "functions": [ { "condition": "'%fsm.group.prefix%' !== 'null'", "function": "concatString", "prefix": "%fsm.group.prefix%" } ] } ``` ```json { "sourcePath": "$.displayName", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['externalName']" } ``` ```json { "sourcePath": "$.members", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members" } ``` -------------------------------- ### User Provisioning Mapping Configuration Source: https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/target-sap-jam-collaboration Defines mapping rules for user attributes, including transformations like toLowerCaseString, concatString, and resolveEntityIds. It specifies source and target paths for attributes and conditional logic for transformations. ```json { "condition": "($.locale EMPTY false) && ($.addresses[?(@.type == 'work')].country EMPTY false)", "sourcePath": "$.locale", "targetPath": "$.locale", "functions": [ { "function": "toLowerCaseString" }, { "function": "concatString", "suffix": "_" }, { "function": "concatString", "suffix": "$.addresses[?(@.type == 'work')].country" } ] }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "optional": true, "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "functions": [ { "function": "resolveEntityIds" } ] } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.