Authentication and Identity


The client required a medication track and trace system with SAP ATTP at its core. The system architecture contained multiple SAP and non-SAP elements. Due to SAP licensing constraints in the region where the project was being delivered, SAP CIS could not be used as an IdP. The client needed an Active Directory type solution within which users would be onboarded, identities managed, and authentication carried out.

Problem metrics

  • 30k users (a mix of business-to-government and individual medical professional-to-government)
  • 500k+ individual users


Xendl designed an architecture for the application in which identity and user provisioning were delivered by Azure Active Directory, utilising Azure AD B2C and Azure Logic Apps.

When data residency of the Azure components became a problem, Xendl redesigned the entire authentication and identity solution to utilise an on-premises AD / AD FS solution, a custom user registration and ID propagation solution (including secure LDAP), and authentication via a mixture of AD FS token exchange with SAP Principal Propagation.

Customer's comments

Getting the solution “live” was (as stated by Mark in an earlier mail) a measure and feat of software engineering in the most difficult of environments that really shows how strong this project team was.


Xendl delivered

  • AD / AD FS as an IdP
  • SAP Principal Propagation
  • User creation / propagation through SAP and non-SAP systems
  • Authentication through SAP and non-SAP systems
  • User access model managed using AD groups harmonised with SAP roles

Client Information

Business vertical / type

Government Ministry department (Health / Pharma)

Business size & complexity

6k+ employees

The project included an SAP ATTP system, Azure, a portal accessed via web and mobile, Active Directory and an analytics platform, SAP BTP, SAP API Management and SAP CP.
