Onboarding the SAP Netweaver application

Provision users from Verify to On-Premises SAP Netweaver adapter.

Before you begin

  1. Configure the identity agent for authentication in Verify. See Configuring through the Verify user interface.
  2. Deploy and configure the IBM® Verify Identity Brokerage On-Premises component.

Procedure

  1. Log in as administrator on Verify.
  2. Select Applications > Applications and click Add application.
  3. Search for the application type by the name that was set for the uploaded application profile, select it from the menu, and click Add application.
    For example, if the SAP Netweaver profile was uploaded with the name SAPNW, the application is listed as SAPNW (custom).
  4. In the Add applications page, select the General tab and specify the required details.
  5. Select the Account lifecycle tab.
  6. Specify the provisioning and deprovisioning policies.
    Parameter / Description

    Provision accounts
      Provision accounts is disabled by default, which means that account creation is performed outside of IBM Verify.
      Select the Enabled option to automatically provision an account when the entitlement is assigned to a user. Password generation and email notification features are available for accounts that are created with IBM Verify.

    Deprovision accounts
      Deprovision accounts is disabled by default, which means that account removal is performed outside of IBM Verify.
      Select the Enabled option to automatically deprovision an account when the entitlement is removed from a user.

    Account password
      Sync user's Cloud Directory password: This option is available if Password sync is enabled on the Cloud Directory. It uses the Cloud Directory password when a regular user is provisioned to the application. Federated users receive a generated password when provisioned to the application.
      Generate password: This option generates a random password for the provisioned account. The password is based on the Cloud Directory password policy.
      None: This option provisions the account without a password.

    Send email notification
      This option is available when you select the Generate password option. When you select the Send email notification option, an email notification with the auto-generated password is sent to your email address after the account is provisioned successfully.

    Grace period (days)
      Set the grace period in days for which a deprovisioned account is kept suspended before it is deleted permanently.

    Deprovision action
      Delete the account. This field is available only if the Deprovision accounts field is enabled.
  7. In General section, select Application profile from the menu. If the profile does not exist, you must create one. For more information, see Managing identity adapter application profiles.
  8. Specify the API authentication details.
    Table 1. API authentication parameters

    Parameter / Description

    Tivoli Directory Integrator location
      URL for the IBM Security Directory Integrator instance. For example, rmi://<ip-address>:<port>/ITDIDispatcher, where ip-address is the IBM Security Directory Integrator host and port is the port number for the RMI Dispatcher.

    Description
      Optional: Specify a description for this service.

    Target Client
      The SAP instance client number. This field is mandatory if no value is supplied for Optional RFC Connection Parameters.

    Login ID
      The SAP user account login ID that the adapter uses to connect to the SAP instance. This field is mandatory if no value is supplied for Optional RFC Connection Parameters.

    Password
      Password for the SAP user account. This field is mandatory if no value is supplied for Optional RFC Connection Parameters.

    SAP System (DNS hostname or IP)
      Hostname of the SAP server host computer, only if DNS is set up correctly. Otherwise, use the IP address. This field is mandatory if no value is supplied for Optional RFC Connection Parameters.

    SAP Systems Number
      The SAP server system number. This field is mandatory if no value is supplied for Optional RFC Connection Parameters.

    SAP Logon Language
      The ISO language identifier to be used by the adapter. This parameter is optional.

    SAP Gateway (DNS hostname or IP)
      Hostname of the SAP gateway host computer, only if DNS is set up correctly. Otherwise, use the IP address. This host is typically the same host that contains the SAP server. This parameter is optional.

    Optional RFC Connection Parameters
      This attribute allows alternative SAP connectivity parameters to be specified. The value of this attribute is a formatted string of name-value pairs. Each pair must be separated by a single pipe (|) character. The name parts must be in lowercase characters. The general format of the value of this attribute is:

        <name1>=<value1>|<name2>=<value2>|...|<nameN>=<valueN>

      For example, the following string value sets the SAP Message Server to messageserver.com with System ID PR0 and Group SPACE:

        mshost=messageserver.com|r3name=PR0|group=SPACE

    Enable TDI Debugging
      Flag to enable IBM Security Directory Integrator debugging trace output.

    Identity agent
      Select an Identity Agent of type provisioning from the menu. Use the application profile that was discovered.

    XSL Attribute Stylesheets
      These stylesheets are optional service attributes.
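    The parameter rules in Table 1 (the pipe-separated lowercase name=value format, and the five fields that are mandatory only when no RFC connection string is given) can be checked before clicking Test Connection. The following is an added example written for this page, not code from IBM Verify or the adapter; the field names are the labels from Table 1, and the allowed character set for RFC parameter names is an assumption.

```python
import re
from typing import Dict, List

# Fields that Table 1 marks as mandatory only when no RFC connection string is supplied.
DIRECT_CONNECTION_FIELDS = (
    "Target Client", "Login ID", "Password",
    "SAP System (DNS hostname or IP)", "SAP Systems Number",
)
# Assumption: a parameter name is lowercase letters, digits or underscores, starting with a letter.
_NAME_RE = re.compile(r"^[a-z][a-z0-9_]*$")


def parse_rfc_params(value: str) -> Dict[str, str]:
    """Parse 'name=value|name=value' into a dict; raise ValueError on the first defect."""
    params: Dict[str, str] = {}
    for pair in value.split("|"):
        if pair == "":  # '||' or a leading/trailing pipe
            raise ValueError("empty pair: use exactly one '|' between pairs")
        name, sep, val = pair.partition("=")
        if sep == "" or val == "":
            raise ValueError(f"{pair!r} is not of the form name=value")
        if not _NAME_RE.match(name):
            raise ValueError(f"name {name!r} must be lowercase")
        if name in params:
            raise ValueError(f"duplicate name {name!r}")
        params[name] = val
    return params


def check_api_auth(settings: Dict[str, str]) -> List[str]:
    """Return the configuration problems that would make Test Connection fail."""
    problems: List[str] = []
    rfc = settings.get("Optional RFC Connection Parameters", "").strip()
    if rfc:
        try:
            parse_rfc_params(rfc)
        except ValueError as exc:
            problems.append(f"RFC parameters: {exc}")
        return problems  # direct-connection fields are optional in this case
    for field in DIRECT_CONNECTION_FIELDS:
        if not settings.get(field, "").strip():
            problems.append(f"{field} is mandatory when RFC parameters are not set")
    return problems


if __name__ == "__main__":
    # Constructed sample taken from the page's own example string.
    print(check_api_auth({"Optional RFC Connection Parameters":
                          "mshost=messageserver.com|r3name=PR0|group=SPACE"}))
```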
  9. Click Test Connection to test the connection to the SAP Netweaver adapter on premises. The connection needs to be successful to provision or reconcile accounts on the SAP Netweaver application.
  10. Map the target SAP Netweaver attributes to the Verify attributes as required. Select the Keep updated checkbox for the attributes that need to be updated on the target.
  11. Select the Account sync tab.
  12. In the Adoption policy section, add one or more attribute pairs that need to match for the account sync process to assign SAP Netweaver accounts to their respective account owners on Verify.
  13. In the Remediation Policies section, choose a remediation policy to remediate noncompliant accounts automatically.
  14. Click Save.
  15. After the application is saved, specify the authorization policy on the Entitlements tab.
    Note:

    The recon failure threshold is set to 15% by default. If more than 15% of the accounts are found to be deleted between two successive account syncs, the account sync result is discarded and the operation is halted.

    If a higher percentage of deleted records is legitimate (typically with smaller data volumes, where a small data change produces a larger percentage deviation), adjust the value. Setting the failure threshold to 100% ignores the percentage deviation, and the account sync operation completes.

    You can change the failure threshold by adding the environment variable RECONCILIATION_FAILURETHRESHOLD_VALUE: "100" (the value can range from 0 to 100) under the identity-brokerage environment section in the docker-compose yml file. After the change, restart the container if it is already running.

    For example,

    identity-brokerage:
      image: ibmcom/identity-brokerage
      container_name: identity-brokerage
      depends_on:
        - ib-init
        - ibdb
      environment:
        LICENSE_ACCEPT: "yes"
        HOSTNAME: "identity-brokerage"
        DB_SERVICE_NAME: "ibdb"
        TRACE: "enabled"
        SCIM_USER: "<>"
        SCIM_USER_PASSWORD: "<>"
        RECONCILIATION_FAILURETHRESHOLD_VALUE: "75"