Configure SAP Cloud Platform Identity Authentication auto-provisioning

You can set up automated user provisioning (autoprovisioning) so that any changes you make to user accounts in Google Workspace are automatically synced with this third-party app.

Automated user provisioning operates only on active, suspended, or deleted users. It doesn't include archived users.

Before you beginSet up SSO for this app

Create a system user on your SAP account
  1. Sign in to your SAP Cloud Platform Identity Authentication admin console.
  2. On the left pane, click Users & Authorizations.
  3. Click Administrators > Add.
  4. Enter these settings:
    1. Administrator type: System
    2. System administrator: Google  
  5. Under Configure Authorizations, set Manage Users and Manage Groups to On.
  6. Click Save.
  7. On the System administrator details page, click Set Password for the new system administrator.
  8. Create a password, then click Save.
  9. Generate a user ID for the new system administrator.
  10. Save the administrator user ID and password for use in the next step.
Set up auto-provisioning for the SAP Cloud Platform Identity Authentication application
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.

  3. Open the SAP Cloud Platform Identity Authentication application.
  4. In the Auto-provisioning section, click Configure auto-provisioning.
  5. Enter the user ID and password you created for the Google system administrator account on your SAP system.

    Important: You might have to reauthorize if the admin password for your SAP account changes. Changing the admin password will cause the original authorization to be revoked.

  6. Click Continue.
  7. Edit the Endpoint URL, replacing {YOUR-TENANT-ID} with the tenant ID for your SAP account.
  8. Verify that all mandatory SAP Cloud Platform Identity Authentication attributes (those marked with an *) are mapped to Google Cloud Directory attributes. If not, click the Down arrow  and map to the appropriate attribute.
  9. Click Continue.
  10.  (Optional) Restrict provisioning to specific groups:
    1. Enter all or part of a group name in the Search groups field.
      A list of available groups appears. Select a group to add it and open a new search field.
    2. If necessary, add more groups and choose a scope. 
    3. To remove any group you added, click  next to it.
  11. Once you’re done, click Continue.
  12. Choose how long deprovisioning actions should be delayed before taking effect. You can set the time to: within 24 hours or after one, 7, or 21 days. Select at least one of these options:
    • When an app is turned off for the user, suspend their account, hard delete their account, or both, after [number of days].
    • When a user is suspended on Google, suspend their account, hard delete their account, or both, after [number of days].
    • When a user is deleted from Google, suspend their account, hard delete their account, or both, after [number of days].
    • A suspended account is temporarily unavailable until it's restored.
    • A hard deleted account cannot be restored.

    Tip: Always set more time before hard deleting a user's account than for suspending a user's account.

  13. Click Finish.
  14. In the Auto-provisioning section, click the activation slider.

    Note: The activation slider is disabled if SAP Cloud Platform Identity Authentication isn’t turned on for any users. Click User access and turn the app on to enable the slider.

  15. In the confirmation dialog box, click Turn on.
Display auto-provisioning

Once provisioning is on, Google starts collecting usage information. You'll see the usage information in the Auto-provisioning section. There won't be any numbers next to the event names until you enable provisioning.

The following event names provide the usage information for the last 30 days:

  • Users created
  • Users suspended
  • Users deleted
  • Failures

For more information, see Monitor automated user provisioning.

Edit provisioning scope

You may want to restrict the scope of provisioning to members of groups you define. 

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.

  3. Open the SAP Cloud Platform Identity Authentication application.
  4. Click the Auto-provisioning section to open the settings page.
  5. Under Provisioning scope, click Edit.
  6. Enter all or part of a group name in the Search groups field. A list of available groups appears.
    1. Select a group to add it and open a new search field.
    2. If necessary, add more groups and choose a scope. 
    3. To remove any group you added, click  next to it.

    If a group has users from a secondary domain or from outside the organization, those users are not provisioned.

  7. Once you’re done, click Update.

The next time you edit provisioning scope, the groups you added appear in the Provisioning scope window. If you turned on the SAP Cloud Platform Identity Authentication application for a set of organizational units, the provisioning scope is restricted to those users in the added groups who are also members of those organizations.

Deactivate auto-provisioning

To disable auto-provisioning for the SAP Cloud Platform Identity Authentication application without losing all the configuration information:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.

  3. Open the SAP Cloud Platform Identity Authentication application.
  4. Do one of the following:
    • In the Auto-provisioning section, click the activation slider.
    • Click the Auto-provisioning section to open the settings page, then click Statusand thenTurn off.
  5. In the confirmation dialog box, click Turn off
Define deprovisioning timeframes

To define how long deprovisioning actions should be delayed before taking effect:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.

  3. Open the SAP Cloud Platform Identity Authentication application.
  4. Click the Auto-provisioning section to open the settings page.
  5. Under Deprovisioning, click Edit.
  6. Choose how long deprovisioning actions should be delayed before taking effect. You can set the time to: within 24 hours or after one, 7, or 21 days. Select at least one of these options:
    • When an app is turned off for the user, suspend their account, hard delete their account, or both, after [number of days].
    • When a user is suspended on Google, suspend their account, hard delete their account, or both, after [number of days].
    • When a user is deleted from Google, suspend their account, hard delete their account, or both, after [number of days].
    • A suspended account is temporarily unavailable until it's restored.
    • A hard deleted account cannot be restored.

    Tip: Always set more time before hard deleting a user's account than for suspending a user's account.

  7. Click Update to save your edited deprovisioning configuration.
Remove auto-provisioning

To disable auto-provisioning for the SAP Cloud Platform Identity Authentication application and remove all the configuration information:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.

  3. Open the SAP Cloud Platform Identity Authentication application.
  4. Click the Auto-provisioning section to open the settings page.
  5. Under Delete configuration, click Delete.
  6. Click Delete to both deactivate auto-provisioning and remove all the configuration information.
    Existing users on SAP Cloud Platform Identity Authentication will not be deprovisioned.
Important: If automatic provisioning stops and you need to reauthorize the application

If the admin password for SAP Cloud Platform Identity Authentication has changed, automatic provisioning will stop working. In this case, the original authorization is revoked by SAP Cloud Platform Identity Authentication, and you must reauthorize automatic provisioning.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenWeb and mobile apps.

  3. Click the SAP Cloud Platform Identity Authentication application.
  4. Click the Auto-provisioning section to open the settings page.
  5. Under App authorization, click Reauthorize.
  6. Enter your SAP Cloud Platform Identity Authentication username and password, then click Re-authorize.

After reauthorization completes, you're returned to the Auto-provisioning settings page in the Admin console.

Note: Your third-party application might revoke authorization for reasons other than the admin password changing. These reasons can include account inactivity, for example. Check with the documentation for the third-party application for scenarios in which authorization can be revoked.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu