HCM and NetWeaver Identity Management Integration Tips

The landscape document from SAP that explains how to export from HCM to VDS to Identity Center has sections that are less than clear so I thought I would list common issues that have caused problems in the past.  First the architecture.  The way the export works is as follows:

  1. A report is run in SAP HCM which extracts the necessary data formated as LDAP data.
  2. SAP connects to the VDS and pushes the data.
  3. VDS connects to the Identity Center information store and uploads the data.

A couple common problems I have seen.

  • The field names inside SAP are misnamed or the export names to LDAP are.
  • The LDAP libraries in SAP Basis are not installed.
  • VDS Template:  The one you want to use is this one “HR Export to IdM Identity Center.xml” this one will not work “HCM LDAP EXTRACT for IDM.xml”
  • Bad credentials or passwords (of course)
  • VDS Tree for HCM is broken in some way.  If in doubt recreate your setting from the template.

Troubleshooting Tips.

  • First determine where you are broken.
  • Turn on verbose logging at VDS and see if HCM is even connecting.
  • If you are connecting to VDS but no data is reaching the Identity Store then check the LDAP extract for misspellings.   One error in your path and the whole thing breaks.
  • If VDS shows database errors then check the error logs in the identity center for problems with the task configuration

Finally, because HCM does not support event triggers — which can be tricky — I usually filter at HCM LDAP report for the data I want.  In most cases a nightly run is sufficient.  SAP recommends a full upload every time but this is not practical for large numbers of employees.

VDS Logging

The astute observer will notice that the most recent releases of SAP’s NetWeaver Virtual Directory Server are missing the logging control buttons. There is a  very good reason for this seemingly missing functionality.  Much like NetWeaver Identity Management, VDS is also merging into the NetWeaver, specifically NetWeaver’s logging framework.  This means that there is not a need to have VDS offer internal logging.

However, VDS also offers the ability to run in a “Standalone mode” which allows for VDS to run independently of NetWeaver.  If you plan on running in this mode you’ll need to take advantage of the following configuration tweak in order to access the logs:

Update the file standalonelog.prop that can be found in the Configurations folder.  If you do not have this file, information can be found in the SAP NetWeaver Idenity Management Operations Guide. This document can be found on SDN. The file is a basic text file that includes setting the log level and desired location of the log file.

Once this file is configured it needs to be placed in the Work Area folder (typically underneath the Configurations folder.  Note that creating this file will not bring the buttons back, it will only create the logs in the paths specified in standalonelog.prop.

From what I understand the internal log viewer will be back in the next Service Pack for VDS.  It will be good to have it back.

Identity Management 2.0

I saw an interesting article that discusses the concept of Identity Management 2.0.

The article starts with a good recap of current, or Identity Management 1.0 capabilities, that we are all familiar with, access management, LDAP, Provisioning, etc.

Where the article gets really interesting, of course is when the Author delves into what he considers to be the revolution of Identity Management.  As the article states:

The core platform of Identity Management 1.0 capabilities such as authentication, authorization, user provisioning, password management and the like has provided a base for improving security and automating manual processes to drive down operational costs. Identity Management 2.0 extends the core platform to offer stronger forms of authentication, risk-based authorization and fine-grained entitlements, user provisioning based on roles and relationships, as well as the ability to virtualize identities, all in an effort to address the next generation of requirements and threats.

What, to me, is even more interesting is that an old IdM technology, Virtual Directory, is considered to be a core component of IdM 2.0.  Dubbed “Identity Virtualization,” the article likes using this technology for creating customized user repositories for applications. Maybe the oft-quoted “Year of the Virtual Directory” is finally coming to pass.

It should be interesting to see how this concept matures over the next 12-18 months, particularly as we’re going into what many consider to be tight times in the IT world.

Installing VDS as a Service

Here is a quick step by step guide for installing a VDS configuration as a service.  This goes into more detail than the help file.

  • Once you have the server up and fully tested you will want to install it as a service.  First stop the server.  Right click the Virtual Directory Server root in the left hand pane and select Properties.
  • Virtual Directory Servier Properties

    Virtual Directory Servier Properties

  • From the General Tab select the NT Service radio button.
  • Selecting the NT Service Radio Button

    Selecting the NT Service Radio Button

  • In the Serivce Name dialog box type a meaningful name in this case an HCM connection then click Apply.
  • Service Name

    Service Name

  • Next click the the Install Service button and the click OK.
  • Install Service

    Install Service

  • You can now either start the service from the application or do it from the services in the control panel.
  • Start


  • Check the lower status bar to make sure it’s working. Note that Application Name will change to Service Name. Your finished.  This is the sequence that has produced a consistent result.
  • Status Bar

    Status Bar

Connecting HCM to Virtual Directory Server

In working with Virtual Directory Server with the latest patches and HCM this past week, I ran into a fairly annoying problem.  In order to recieve data from SAP HCM you run a simple wizard, select the template and then save all your choices as an xml file.  Loading this file defines your server.  What I noticed with the server is once it is in place if you make any changes with the GUI such as changing a username or password, adding a feature and removing it, is that it breaks the configuration everytime so either I am not doing something correctly or there is a big bug in the GUI.  Making the same changes directly in the xml file with notepad does not break the configuration.  When I get more time I will dig a little deeper.