As more and more of Syensqo's systems are hosted in the cloud using SaaS models, the usefulness of traditional network-based access controls such as firewalls as the perimeter of Syensqo's IT landscape continues to decline. Increasingly, identity serves as the security perimeter for both on-premises and cloud applications: regardless of whether an application is "behind the corporate firewall", users must hold a valid corporate identity in order to gain access to it. Consistently identifying users across the various systems therefore becomes increasingly important to managing user identities and, with them, Syensqo's security perimeter.

The design outlined in this document aims to achieve: 

  • Accurate User Identification: Ensuring that the same individual is recognized seamlessly across all in-scope Syway systems is fundamental to delivering secure authentication, appropriate authorization, and a unified user experience.
  • Consideration for systems with differing and diverse format requirements for user IDs. Some systems have a length limitation on the primary user ID and thus do not support the User Principal Name directly as the primary user ID (e.g. S/4HANA).
  • Future-proofing for AI-driven capabilities: Consistency in user identity is also critical for AI-driven tools such as SAP Joule and SAP Task Center, both of which rely on harmonized user identities to operate effectively.
  • A single user ID ensures that cross-system Segregation of Duties analysis is possible without manual intervention or complex user mapping logic.

Global User ID integration

SAP introduced the concept of the Global User ID as a common identifier that ties together the varying user master records from its systems, and serves as a common identifier for cross-system integrated solutions, such as Joule and Task Center. The Global User ID is defined as a foreign key attribute on the user master record of a growing number of SAP systems, and is defined as a string of up to 32 characters. In principle it could thus store a UUID. After considering a number of options for the source of this value, the Person ID (technical name person_id_external) from SuccessFactors was chosen for a number of reasons explained in the expansion section below:

SuccessFactors is a single, global system that can serve as an authoritative source of values from a single number range scoped to include all personnel working at Syensqo. This presents the best-available design choice after alternatives, listed below, were eliminated: 

  • The Object ID of the User object in Entra ID was considered as a source of this data, but the use of multiple Entra ID tenants (the existing Syensqo.com tenant, plus a separate Entra ID tenant hosted in Azure GovCloud for CMMC compliance, plus a potentially separate tenant in China) caused complications. ID values could potentially overlap, and when replicating user objects from one tenant to another, Object ID values would not be preserved: the Object ID of the replicated User object would be different, even if the user was the same.
  • The User Principal Name cannot be used as the value of the Global ID, as it is longer than 32 characters in many cases.
  • Another option that was considered was to generate a hash of the User Principal Name and use this as the value of the Global ID. The hash value would be a fixed-length string that would not differ between Entra ID tenants; however, it holds little meaning when observed in logs, and the opaque nature of hash values complicates handling by IT administrators. Due to the impact on usability, this option was discarded.
  • SAP recommends letting the Identity Authentication Service determine the value of the Global User ID; however, with potentially separate Entra ID tenants in China and Europe this would not be practical, as each tenant would draw from its own pool of ID values.

By using the Person ID from SuccessFactors as the source of the Global ID field in SAP IAS/IdDS, we will be able to maintain a unique and human-readable user identifier across all downstream applications without the need to maintain complex local user mapping routines.


As a minimum, the below user attributes will be mapped from Entra through SCIM provisioning to SAP CIS (IAS/IdDS).

The transformation will also need to consider other attributes such as group association and other user attributes as these can be used for filtering, conditional authentication and other security policies.

Application | Field Name IAS | IAS Technical Name | Source | Entra Attribute          | Example
------------+----------------+--------------------+--------+--------------------------+-----------------------
SAP CIS     | Global User ID | userUuid           | Entra  | Extension attr aDUEA009  | 57532243
SAP CIS     | Status         | active             | Entra  | accountEnabled           | Active
SAP CIS     | First Name     | name.givenName     | Entra  | givenName                | Mike
SAP CIS     | Last Name      | name.familyName    | Entra  | surname                  | Jones
SAP CIS     | Email          | emails             | Entra  | mail                     | Mike.jones@syensqo.com

The Global ID represents a single unique user identifier across all systems and platforms for the user. This is typically not the primary identifier in an application, but stored as an attribute on the user master. 

The transformation logic in IPS is crucial for creating and maintaining the Global User ID. By mapping attributes consistently, IPS ensures that the correct Global User ID is assigned and used, linking user identities and attributes across different systems, even if the user's username or email differs in each system.
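The following Python is an added illustration of the attribute mapping and the Global User ID constraints described above; it is not code from this design or from SAP's IPS/SCIM tooling. The SAP SCIM extension namespace, the numeric format of the Person ID, the short "aDUEA009" key on the Entra record and the two sample tenant records are assumptions made for the example.

```python
"""Entra -> SAP IAS attribute mapping with the Global User ID rules from this design."""
import re

GLOBAL_USER_ID_MAX_LEN = 32           # field length of the Global User ID stated above
PERSON_ID_RE = re.compile(r"[0-9]+")  # assumption: SuccessFactors Person IDs are numeric
# Assumed SAP SCIM extension namespace carrying userUuid in IAS (not taken from this page).
SAP_USER_EXT = "urn:ietf:params:scim:schemas:extension:sap:2.0:User"

def validate_global_user_id(value: str) -> tuple[bool, str]:
    """Apply the two constraints the design places on the Global User ID value."""
    if len(value) > GLOBAL_USER_ID_MAX_LEN:
        return False, "longer than %d characters" % GLOBAL_USER_ID_MAX_LEN
    if not PERSON_ID_RE.fullmatch(value):
        return False, "not a SuccessFactors Person ID"
    return True, "ok"

def map_entra_to_ias(entra_user: dict) -> dict:
    """Build the IAS SCIM user from an Entra record per the mapping table above:
    aDUEA009 -> userUuid, accountEnabled -> active, givenName -> name.givenName,
    surname -> name.familyName, mail -> emails. Rejects an invalid Global User ID."""
    person_id = str(entra_user.get("aDUEA009", "")).strip()
    ok, reason = validate_global_user_id(person_id)
    if not ok:
        raise ValueError("Global User ID %r rejected: %s" % (person_id, reason))
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", SAP_USER_EXT],
        "userName": entra_user["userPrincipalName"],
        "active": bool(entra_user.get("accountEnabled", False)),
        "name": {"givenName": entra_user.get("givenName", ""),
                 "familyName": entra_user.get("surname", "")},
        "emails": [{"value": entra_user["mail"], "primary": True}],
        SAP_USER_EXT: {"userUuid": person_id},
    }

def group_by_global_id(records: list[tuple[str, dict]]) -> dict[str, list[str]]:
    """Join (tenant, Entra record) pairs on the Global User ID rather than the Object ID:
    a person replicated into a second tenant gets a new Object ID but keeps one Person ID."""
    grouped: dict[str, list[str]] = {}
    for tenant, rec in records:
        uid = map_entra_to_ias(rec)[SAP_USER_EXT]["userUuid"]
        grouped.setdefault(uid, []).append(tenant + ":" + rec["id"])
    return grouped

# Constructed sample: the same person in the commercial and a GovCloud tenant (placeholders).
def _entra(obj_id, upn, mail):
    return {"id": obj_id, "userPrincipalName": upn, "mail": mail, "givenName": "Mike",
            "surname": "Jones", "accountEnabled": True, "aDUEA009": "57532243"}

SAMPLE = [("syensqo.com", _entra("obj-1111", "mike.jones@syensqo.com", "Mike.jones@syensqo.com")),
          ("govcloud", _entra("obj-9999", "mike.jones@gov.example", "mike.jones@gov.example"))]
```

Grouping the sample on the Object ID would yield two unrelated keys for one person; grouping on the Person ID yields one, which is the join the Global User ID is meant to provide.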

Global ID Mapping Diagram


1 Comment

  1. Reviewed, happy to proceed as both comments were reviewed and actions agreed.