What is SAP IdP?

The identity provider (IdP) delivered by SAP is an add-on component that runs on SAP NetWeaver Application Server Java. Using it in a landscape that already contains SAP systems can bring some competitive advantages.

Enterprise Resource Planning and SAP

Once a company has ERP software in place, it is unlikely to replace it within a few years. When a company invests in enterprise resource planning (ERP) software, it is investing for the long term.

Even though cloud ERP has made switching platforms easier, transitioning to a new ERP solution is still time-consuming and costly. Because ERP is at the heart of a business, changing solutions necessitates adjusting business processes and migrating everything from data to employees to the new system.

With ERP software at the heart of your organization, you can’t just pick another product and go on.

Investing in an ERP solution, then, is also an investment in a long-term partnership with the software vendor. While knowing and trusting the vendor you will be relying on for years to come is important, so is knowing and trusting the specifics of a given ERP solution.

SAP is the market’s largest and most pervasive ERP vendor today. SAP will almost certainly be on your ERP solution shortlist, regardless of your industry or company size.

What is SAP?

SAP (Systems, Applications, and Products) is a widely used enterprise resource planning (ERP) software. SAP provides a centralized system for businesses in which each department accesses and shares common data, rather than keeping its own copy.

SAP is the most widely used ERP software on the market, with hundreds of fully integrated modules covering almost every aspect of business management.

SAP's integrated applications connect all parts of a business into one suite on a digital platform, replacing process-driven legacy systems. SAP states that it now has over 230 million cloud users, over 100 solutions covering all business functions, and the largest cloud portfolio of any provider.

What is SAP IdP, and why do I need to know about it?

With SAP becoming the industry standard in business administration and management, it is important to understand how SAP provides login and access security to its systems through the SAP identity provider (IdP).

An identity provider (IdP) is the system component that authenticates an end user or an internet-connected device and then vouches for that identity to other systems. The user keeps a single set of login credentials, and the IdP confirms to each platform, application, or network that the entity is who or what it claims to be. For example, when a third-party website prompts end users to log in with their Google Account, Google Sign-In is the identity provider.

Nowadays most companies have complex IT landscapes. The implementation of single sign-on (SSO) within a company and across companies involves systems from different vendors. In such environments, the usage of open standards is essential. The most widely used industry standard is Security Assertion Markup Language (SAML) 2.0.

To respond to these customer needs, SAP includes an implementation of a SAML 2.0 service provider in its on-premises and on-demand application platforms. Furthermore, as part of SAP Single Sign-On (SAP SSO), it provides a SAML 2.0 identity provider.

Security Assertion Markup Language (SAML) version 2.0 is a standard for exchanging security statements about a subject between systems. An assertion can state how and when the user was authenticated (authentication statement), which attributes are associated with the user (attribute statement), and whether the user is permitted to access a given resource (authorization decision statement).

Benefits of SAML 2.0

– SSO with SAML 2.0: SAML provides a standard for cross-domain single sign-on (SSO). Other methods exist for enabling cross-domain SSO, but they require proprietary solutions to pass authentication information across domains.

– SLO with SAML 2.0: Single log-out (SLO) enables users to cleanly close all their sessions in a SAML landscape, even across domains. Not only does this save system resources that would otherwise remain reserved until the sessions time out, but SLO also mitigates the risk of hijacking of unattended sessions.

– Identity federation: Identity federation provides the means to share identity information between partners. Partners must be able to identify a user in order to share information about that user, even if they use different identifiers for the same user.

The SAML 2.0 standard defines the name identifier (NameID) as the means to establish such a common identifier. Once the partners have agreed on a NameID for the user, the user is said to have a federated identity.

An identity provider and a service provider are the two main components of a SAML 2.0 landscape. The service provider is a system entity that consumes the assertions issued by the identity provider and provides common session management, identity management, and trust management to a group of Web applications.

The identity provider is a system entity that manages principals' identity information and offers authentication services to trusted service providers. To put it another way, the service providers delegate the task of authenticating the user to the identity provider. For single log-out, the identity provider keeps track of the service providers at which the user is logged in and forwards the log-out request to each of them.
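The service-provider side of this exchange is where the security of SAML SSO is decided: the service provider must not act on a NameID or an attribute until it has confirmed that the assertion comes from the trusted identity provider, is addressed to this service provider, is within its validity window, and actually attests a login. The following Python script is an added example, not code from SAP or from the original article. The Response message, entity IDs, URLs, and attribute names in it are constructed for illustration, and it assumes that the XML signature over the assertion has already been verified with an XML-DSig library, which is the first check a real service provider performs.

```python
"""Service-provider-side checks on a SAML 2.0 Response (added example, not SAP code).
Sample message, entity IDs, URLs and attribute names are constructed. Assumption:
the XML signature over the assertion has already been verified (XML-DSig); that
check comes first in a real service provider and is not implemented here."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
IDP_ENTITY_ID = "https://idp.example.com/saml2/idp"    # assumed value
SP_ENTITY_ID = "https://portal.example.com/saml2/sp"   # assumed value
ACS_URL = SP_ENTITY_ID + "/acs"                        # assumed value

# Constructed sample: one assertion with a NameID, an authentication statement
# (Kerberos login), and an attribute statement carrying group membership.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-05-01T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-05-01T10:00:00Z" SessionIndex="_s1">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>sap-portal-users</saml:AttributeValue>
        <saml:AttributeValue>hr-readers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, expected_issuer, expected_audience, acs_url, now,
                   skew=timedelta(seconds=60)):
    """Return the federated identity carried by the Response, or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if root.get("Destination") not in (None, acs_url):
        raise ValueError("response sent to the wrong endpoint")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    # Only direct children count: searching the whole tree (".//") would also pick up
    # a second assertion hidden elsewhere in the document, outside the signed part.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != expected_issuer:
        raise ValueError("assertion issued by an untrusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if "NotBefore" in cond.attrib and now + skew < parse_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and now - skew >= parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to " + expected_audience)
    # A bearer assertion is only usable by the recipient it names, until it expires.
    confirmed = False
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        if data.get("Recipient") not in (None, acs_url):
            continue
        if "NotOnOrAfter" in data.attrib and now - skew >= parse_time(data.get("NotOnOrAfter")):
            continue
        confirmed = True
    if not confirmed:
        raise ValueError("no valid bearer SubjectConfirmation")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("no NameID: the identity cannot be federated")
    authn = a.find("saml:AuthnStatement", NS)
    if authn is None:
        raise ValueError("no AuthnStatement: the assertion does not attest a login")
    attrs = {attr.get("Name"): [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": name_id.text.strip(),
            "name_id_format": name_id.get("Format"),
            "authn_context": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef",
                                            default="", namespaces=NS).strip(),
            "session_index": authn.get("SessionIndex"),  # needed later for single log-out
            "attributes": attrs}


def demo(minutes_after_issue=1, audience=SP_ENTITY_ID):
    """Evaluate the constructed sample at a chosen clock time: returns the federated
    identity on success, or the reason the service provider rejected the assertion."""
    now = parse_time("2024-05-01T10:00:00Z") + timedelta(minutes=minutes_after_issue)
    try:
        return check_response(SAMPLE_RESPONSE, IDP_ENTITY_ID, audience, ACS_URL, now)
    except ValueError as exc:
        return str(exc)
```

`demo()` returns the NameID, the authentication context, the session index and the attributes; `demo(10)` rejects the same message as expired, and passing a different audience rejects it as not addressed to this service provider. The session index is kept because it is what the identity provider later quotes in its log-out request to this service provider. The ordering matters: signature first (assumed here), then issuer, validity window and audience, and only then the NameID and attributes that the application acts on.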

SAP IdP Competitive Advantages

Using the SAP IdP can have some competitive advantages. The IdP delivered by SAP is an add-on component running on SAP NetWeaver (NW) Application Server (AS) Java, so it reuses the services the application platform already provides: user management, session management, trust management, high availability, and failover.

User Data Source

The IdP delivered by SAP supports various user data sources, such as a database, LDAP servers, and AS ABAP. The last of these is especially important if the users are centrally managed in an ABAP system, for example with Central User Administration (CUA). That is one of the advantages of the IdP delivered by SAP when integrating it into a landscape that includes SAP systems.

Authentication Methods

The IdP delivered by SAP supports the following authentication methods by default: username and password, client certificate, SPNEGO/Kerberos, and SAP logon ticket. Because of the extensibility provided by AS Java, additional authentication methods can be integrated as JAAS login modules.


With the IdP delivered by SAP you can also integrate non-SAML systems into single sign-on (SSO), besides the SAML 2.0 systems. In particular, older SAP systems that do not speak SAML can still participate in SSO through SAP logon tickets issued by the IdP.


Because the IdP delivered by SAP implements the SAML 2.0 standard, you can expect it to interoperate with service providers from other vendors. Interoperability still has to be verified in practice: the trust configuration on both sides must be set up correctly, and vendors should test against the third-party products they intend to support.

Identity Federation

Identity federation enables partners to share identity information so that both sides recognize the same user. The identity federation settings of the IdP determine which identifier and which information are included in the assertion.

Furthermore, by implementing a custom attribute provider, additional attributes can be added to the assertion. The attribute provider is responsible for gathering the necessary data from sources such as an LDAP server, an HR system, or a CRM system.

Cloud Integration

A typical integration with cloud applications focuses on single sign-on and single logout scenarios. An example of this type of scenario is the integration between SAP Portal and SuccessFactors. The identity provider component is installed on the SAP Portal system and supplements the SSO capabilities of the Portal.

Support and Lifecycle Management

SAP has well-established processes for support and lifecycle management of business-critical systems and applications, and those processes also apply to the IdP delivered by SAP. Besides the standard level of support, SAP also offers a higher level of support called SAP Enterprise Support.
