How to integrate SAP Customer Data Cloud (CDC) with SAP Identity Management (IDM)

You already run an on-premises SAP Identity Management system (SAP IDM) and want to cover your B2C/B2B scenarios with SAP Customer Data Cloud (SAP CDC)? Then this is the right place for you!

Some companies already run an on-premises IDM and are considering how to map B2C/B2B login and registration scenarios. SAP CDC is suited to this purpose. CDC is a Customer Identity and Access Management (CIAM) tool, that is, customer data can be captured and managed centrally with it. It offers features such as predefined registration flows, single sign-on (SSO), identity federation, OpenID Connect and Security Assertion Markup Language (SAML). The solution was previously known as Gigya.

In the following, we explain how to connect SAP IDM and CDC.

Why connect IDM and CDC? 

Both systems bring their own advantages, and connecting them combines these advantages. For example, the SAP e-commerce platform Hybris (today SAP Commerce) can be connected to CDC. Customer data can then be exchanged between Hybris and IDM via CDC, and from IDM it can be forwarded to the other systems connected to IDM to give customers access to them.

Figure 1: Synergy of the connection of IDM with CDC

CDC can also be integrated into an existing system landscape that already contains an IDM. Once the two systems are connected, user data can be synchronized with little effort, so CDC can be integrated quickly.

Preparations in IDM

To be able to trigger provisioning from IDM, several prerequisites must be met.

  1. Create a privilege that represents CDC.
  2. Create an account attribute that stores the CDC UID, so that the user can be addressed directly in CDC.
  3. Create three provisioning tasks, responsible for creating, modifying and deleting a user in CDC. These tasks call the REST endpoints provided by CDC.

CDC Profiles and Data Schema

CDC provides a ready-made profile schema with the usual fields, such as first name, last name and email. The schema is managed via the REST endpoint accounts.setSchema, which can, for example, mark fields as mandatory or control access to them.

If you want to store information about a user in CDC for which no predefined field exists, the schema has to be extended. With the same endpoint, new fields can be added to the data object alongside the profile. They can then be filled, read and modified during registration and later with the other endpoints. Fields that only IDM should write, such as the IDM user identifier, should be given server-only write access in the schema, so that the end user cannot change them through client-side calls.

Address interface

CDC provides a REST interface. Using its endpoints, IDM can create, modify, read and delete users in CDC. The URL of an endpoint is composed as follows:

https://accounts.<Data_Center>/accounts.<End_point>

For <Data_Center>, use the data center of your CDC site; for a site hosted in the EU (European Union), for instance, this is eu1.gigya.com. For <End_point>, use the name of the endpoint you want to call. The most important endpoints for managing users are described in the following sections.

Register user in CDC

A user can be registered in CDC in three steps. This can be shortened to two steps if no further user data needs to be set.

Initiate registration

  1. Call the accounts.initRegistration endpoint.

Result: the call returns a regToken. The regToken is required for all further calls until the registration is completed.

Carry out registration

  1. Call accounts.register with the regToken from the previous step.
  2. Set the email, an initial password and a username. Optionally, you can also supply additional profile information. Alternatively, you can fill these fields with a separate call to the accounts.setAccountInfo endpoint.

Info: The supplied information is stored in the CDC profile. If further fields have been added to the data object in the schema, they can also be filled with this call.

Note: If all mandatory fields are already filled in the accounts.register call, the registration can be completed in the same call by setting the parameter finalizeRegistration = true, which saves the third step.

Finalize registration

  1. Call accounts.finalizeRegistration with the regToken.

Info: This call also has a parameter that determines whether account linking is allowed; in a linking flow, the regToken originates from the linking of the accounts. More information can be found in the official CDC documentation under accounts.finalizeRegistration.

Result: the registration is completed.
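The following is an added example, not code from the article or from SAP. It puts the "Address interface" section and the three registration steps above together the way an IDM provisioning task would run them: the URL is composed from data center and endpoint name, the regToken is carried through accounts.register (optionally accounts.setAccountInfo) to accounts.finalizeRegistration, and the two-step shortcut with finalizeRegistration = true is shown as well. The HTTP layer is replaced by a constructed in-memory stand-in so the example runs offline; the authentication parameters (apiKey, userKey, secret), the response fields (errorCode, regToken, UID), the error codes and every reply of the stand-in are assumptions for this example.

```python
"""Added example: CDC registration flow as an IDM create task would drive it.
Endpoint names, regToken and finalizeRegistration are from the article; the
auth parameters, response fields, error codes and the FakeCdc replies are
assumptions (FakeCdc is a constructed stand-in, not the real service)."""
import json
from typing import Optional


def endpoint_url(data_center: str, endpoint: str) -> str:
    """Compose https://accounts.<Data_Center>/accounts.<End_point>."""
    if not endpoint.startswith("accounts.") or "/" in endpoint:
        raise ValueError(f"unexpected endpoint name: {endpoint!r}")
    return f"https://accounts.{data_center}/{endpoint}"


class FakeCdc:
    """Constructed stand-in for the CDC REST API with just enough behaviour for this flow."""

    def __init__(self):
        self.pending = {}   # regToken -> fields collected so far (registration not finished)
        self.accounts = {}  # UID -> finished account
        self._counter = 0

    def post(self, url: str, body: dict) -> dict:
        endpoint = url.rsplit("/", 1)[1]
        if body.get("secret") != "s3cret":  # assumed: service rejects unauthenticated calls
            return {"errorCode": 403005, "errorMessage": "Unauthorized user"}
        if endpoint == "accounts.initRegistration":
            self._counter += 1
            token = f"st2.regtoken{self._counter}"
            self.pending[token] = {}
            return {"errorCode": 0, "regToken": token}
        token = body.get("regToken")
        if token not in self.pending:
            return {"errorCode": 400006, "errorMessage": "Invalid regToken"}
        if endpoint == "accounts.register":
            self.pending[token].update(email=body["email"], username=body["username"])
            self.pending[token].update(json.loads(body.get("profile", "{}")))
            if body.get("finalizeRegistration") == "true":
                return self._finalize(token)
            return {"errorCode": 206001, "errorMessage": "Account Pending Registration",
                    "regToken": token}
        if endpoint == "accounts.setAccountInfo":
            self.pending[token].update(json.loads(body.get("profile", "{}")))
            return {"errorCode": 0}
        if endpoint == "accounts.finalizeRegistration":
            return self._finalize(token)
        return {"errorCode": 400001, "errorMessage": f"not supported by stand-in: {endpoint}"}

    def _finalize(self, token: str) -> dict:
        self._counter += 1
        uid = f"uid-{self._counter:04d}"
        self.accounts[uid] = self.pending.pop(token)
        return {"errorCode": 0, "UID": uid}


class CdcClient:
    """Minimal client: composes the URL and sends the credentials in the POST body
    over TLS, never in the query string, so they do not land in access logs."""

    OK_CODES = {0, 206001}  # 206001 = registration pending, expected after accounts.register

    def __init__(self, transport, data_center: str, api_key: str, user_key: str, secret: str):
        self.transport, self.data_center = transport, data_center
        self.auth = {"apiKey": api_key, "userKey": user_key, "secret": secret}

    def call(self, endpoint: str, **params) -> dict:
        resp = self.transport.post(endpoint_url(self.data_center, endpoint), {**self.auth, **params})
        if resp.get("errorCode") not in self.OK_CODES:
            raise RuntimeError(f"{endpoint} failed: {resp.get('errorCode')} {resp.get('errorMessage', '')}")
        return resp


def register_user(client: CdcClient, email: str, password: str, username: str,
                  profile: Optional[dict] = None, finalize_in_register: bool = False) -> str:
    """Run the two- or three-step registration; return the CDC UID for the IDM account attribute."""
    reg_token = client.call("accounts.initRegistration")["regToken"]
    params = {"regToken": reg_token, "email": email, "password": password, "username": username}
    if finalize_in_register:
        # shortcut from the article: everything mandatory is already in accounts.register
        if profile:
            params["profile"] = json.dumps(profile)
        params["finalizeRegistration"] = "true"
        return client.call("accounts.register", **params)["UID"]
    client.call("accounts.register", **params)
    if profile:  # optional extra fields, still addressed by regToken while pending
        client.call("accounts.setAccountInfo", regToken=reg_token, profile=json.dumps(profile))
    return client.call("accounts.finalizeRegistration", regToken=reg_token)["UID"]


if __name__ == "__main__":
    cdc = FakeCdc()
    client = CdcClient(cdc, "eu1.gigya.com", "apikey", "userkey", "s3cret")
    uid = register_user(client, "jane.doe@example.com", "Initial-Pw-1", "jdoe",
                        profile={"firstName": "Jane", "lastName": "Doe"})
    print(uid, cdc.accounts[uid])
```

The client treats only errorCode 0 and the pending-registration code as success; any other reply aborts the task so that a half-finished registration is not recorded as a provisioned account in IDM. Replace FakeCdc with an HTTPS POST to the composed URL when wiring this into a real task.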

Adjust account information

With the accounts.setAccountInfo endpoint, the data of the profile or of the data object can be modified. The rules of the schema apply here, so mandatory fields cannot be deleted and invalid values are rejected. If the schema is dynamic, new, not yet defined fields can also be created in the data object with this call.

Delete account

If a user loses the CDC privilege in IDM, the account must also be removed in CDC via the accounts.deleteAccount endpoint. The CDC UID stored in the IDM account attribute is passed here. However, several accounts can be linked to one CDC account. Before deleting, it must therefore be checked whether other accounts are attached to the CDC UID that must not be deleted. In that case, only the information that belongs exclusively to the IDM user may be removed in CDC, for example the login email via the removeLoginEmails parameter of the accounts.setAccountInfo endpoint.

Find account

The accounts.search endpoint is used to search for accounts in CDC, for instance to determine whether a user already exists before creating one. For this, a query is passed as a parameter. In the following case, it is checked whether a user with the email address [email protected] already exists in CDC. The following query can be used:

SELECT profile.firstName, profile.lastName FROM accounts WHERE profile.email = "[email protected]"
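The following is an added example, not code from the article or from SAP. It serves the "Find account" and "Delete account" sections above: the existence check builds the accounts.search query from an email that comes out of an IDM attribute, i.e. from user-supplied data, and validates it first so that a quote character cannot alter the WHERE clause; the de-provisioning decision then applies the linked-accounts rule from "Delete account", choosing between accounts.deleteAccount and removing only the IDM-owned login email via accounts.setAccountInfo. The endpoint and parameter names are from the article; the search-response shape (results), the loginIDs.emails field and all sample data are assumptions for this example.

```python
"""Added example: safe accounts.search query construction and the decision
between accounts.deleteAccount and removeLoginEmails on de-provisioning.
Response shape, loginIDs.emails and the sample data are assumptions."""
import re
from typing import Optional

# Only plain addresses: no quotes, whitespace or backslashes can reach the query string.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def search_query(email: str) -> str:
    """Build the accounts.search query for an email taken from an IDM attribute.
    Validation comes first: an address containing a double quote would otherwise
    change the WHERE clause (query injection into the SQL-like search syntax)."""
    if not _EMAIL_RE.fullmatch(email):
        raise ValueError(f"refusing to embed invalid email in query: {email!r}")
    return ('SELECT UID, profile.firstName, profile.lastName FROM accounts '
            f'WHERE profile.email = "{email}"')


def existing_uid(search_response: dict) -> Optional[str]:
    """Return the UID of the existing account, None if there is none, and fail on
    ambiguity: the create task must not silently pick one of several matches."""
    results = search_response.get("results", [])  # assumed reply shape of accounts.search
    if len(results) > 1:
        raise LookupError(f"{len(results)} accounts share this email; resolve manually")
    return results[0]["UID"] if results else None


def deprovision_action(cdc_uid: str, leaving_user: str, leaving_email: str,
                       idm_users_with_uid: set, account_login_emails: list) -> dict:
    """Decide what the IDM delete task may call when `leaving_user` loses the CDC privilege.

    idm_users_with_uid   -- IDM users whose CDC-UID attribute equals cdc_uid (linked accounts)
    account_login_emails -- loginIDs.emails of the CDC account (assumed field name)
    """
    others = idm_users_with_uid - {leaving_user}
    if not others:
        # nobody else references this CDC account: the whole account may go
        return {"endpoint": "accounts.deleteAccount", "params": {"UID": cdc_uid}}
    if leaving_email not in account_login_emails:
        return {"endpoint": None, "params": {}}  # nothing exclusive to this user is left
    if len(account_login_emails) == 1:
        raise RuntimeError("removing the last login email would lock out the linked users")
    # linked users remain: remove only the login email that belonged to the leaving user
    return {"endpoint": "accounts.setAccountInfo",
            "params": {"UID": cdc_uid, "removeLoginEmails": leaving_email}}


if __name__ == "__main__":
    # constructed accounts.search reply for the query above (assumed shape)
    reply = {"results": [{"UID": "uid-0002", "profile": {"firstName": "Jane", "lastName": "Doe"}}],
             "objectsCount": 1, "totalCount": 1}
    print(search_query("jane.doe@example.com"))
    print(existing_uid(reply))
    print(deprovision_action("uid-0002", "jdoe", "jane.doe@example.com",
                             {"jdoe", "jdoe-partner"},
                             ["jane.doe@example.com", "jane@partner.example"]))
```

The address pattern is deliberately narrower than what RFC 5322 allows (no quoted local parts), because for this integration a rejected exotic address is preferable to a value that can rewrite the search. The set of IDM users sharing the UID is what the task has to look up in IDM itself before calling CDC; the returned dict is the call the task then issues.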

Conclusion

Using the REST interface, CDC can be connected to IDM with little effort and in a short time. This makes it possible to use the advantages of both systems and benefit from the additional functions. Several accounts of one person can also be combined into one account in CDC. However, additional checks must then be built into the tasks that create and delete accounts, so that accounts in CDC that are still referenced by other accounts in IDM are not deleted.

Were you still puzzling over whether the two systems can be connected easily before reading this article? Now you should have a rough overview. If you need help getting started with a proof of concept, contact us. We are happy to support you!
