SAP's Identity and Access Landscape: What You're Actually Buying
SAP's identity and access management portfolio spans three distinct service layers, each with separate pricing logic and contractual hooks. Understanding what you own versus what you're renting is the first defense against over-licensing.
SAP Identity Authentication Service (IAS)
IAS is SAP's cloud-based single sign-on and multi-factor authentication platform. It handles authentication events — the moment a user logs in or a system validates credentials. This is mission-critical for protecting SAP environments, but SAP's licensing model creates opacity around actual consumption.
SAP Identity Provisioning Service (IPS)
IPS automates user and role lifecycle management: creating accounts, updating attributes, deprovisioning. It bridges on-premises identity sources (Active Directory, LDAP) with SAP Cloud systems. Licensing here follows per-tenant models rather than per-user models, which creates different cost dynamics than IAS.
SAP Cloud Identity Services
This umbrella includes IAS, IPS, and SAP Authorization Management (bundled into BTP entitlements). Most enterprise customers deploy this stack as part of RISE with SAP or standalone BTP consumption deals. The pricing varies dramatically depending on whether you're buying bundled access or à la carte.
Key distinction: SAP doesn't bill these services consistently. IAS and IPS can be purchased as standalone cloud services or bundled into BTP consumption. The same functionality costs 3-5x more when bought standalone versus negotiated as part of a broader platform commitment.
How SAP Licences Identity Services: BTP Entitlements, Tenants, and Users
SAP's shift to cloud-native licensing via BTP (Business Technology Platform) has fragmented identity licensing into multiple vectors. Enterprises must understand how consumption is measured, because SAP's definitions don't match traditional licensing semantics.
BTP Consumption Models
SAP offers cloud services through BTP in three ways: bundled entitlements (with RISE or ELP), free tier allowances, and metered consumption on top. Most enterprises don't realize that their BTP subscription includes free authentication events and user provisioning capacity before metered charges begin.
A typical RISE with SAP deal includes:
- Free tier: 1,000 authentication events per month (IAS)
- Free tier: up to 500 user identities (IPS)
- Additional consumption charged per 10,000 authentication events or per 100 additional provisioned users
Per-Tenant vs Per-User Models
IPS follows a per-tenant model: you pay for the identity provisioning service instance, not the number of users flowing through it. A single IPS tenant can manage 50,000 user identities without additional per-user licensing. This is where many enterprises waste budget: they assume IPS scales linearly with headcount and buy more than they need.
IAS follows a consumption-based model tied to authentication events. Every login triggers consumption. In a 5,000-person organization with two daily logins per user, you're consuming 10,000 authentication events daily — 300,000 monthly. If your RISE entitlement covers 1,000/month free, you're buying consumption for the remaining 299,000. At SAP's standard rates, this can run £30,000-50,000 annually for a single facility.
SAP Identity Authentication Service: Free Tier Limits and What Triggers Charges
The "free tier trap" is SAP's most profitable licensing mechanic in cloud identity services. SAP markets IAS as "included" or "free" for many customers, then charges per-event for any usage exceeding stated limits.
The Free Tier Illusion
RISE with SAP customers receive 1,000 free authentication events monthly. For a 100-person organization with 2-3 daily logins per user, this threshold is crossed within the first week. SAP doesn't warn you — consumption simply meters into billable territory. Most enterprises discover this at renewal when SAP presents a £40,000-60,000 charge for "overages" they never tracked.
The problem compounds with API integrations. Third-party systems connecting to SAP via IAS (CRM, HRIS, procurement portals) trigger authentication events per transaction. A daily integration sync running 5 authentication calls generates 150 monthly authentications for a single connection. Scale this to 20 integrations and you're at 3,000 monthly events before human logins register.
Hidden Authentication Triggers
SAP doesn't count all authentication equally. Single Sign-On token refreshes, passwordless logins via SAP Mobile Start, Fiori tile loads with re-authentication — all trigger consumption. Service-to-service authentication between SAP Cloud systems (S/4HANA Cloud to Concur, for example) counts as authentication events. Most CIOs don't discover this until a post-implementation audit reveals 2x their projected consumption.
Forensic defense: Demand consumption reports for IAS prior to any renewal negotiation. SAP's standard reporting is minimal; require 90-day granular authentication logs by source system. This data becomes your negotiation anchor: "We're consuming 450,000 monthly authentications due to integrations you recommended. This is unsustainable at metered rates; we need this bundled."
Access Control vs Cloud Identity Services: When You Need Both
Many enterprises over-license by purchasing both SAP Access Control (on-premises GRC tool) and cloud identity services. Understanding when each is required prevents wasted spend.
SAP Access Control: The Legacy Play
SAP Access Control manages segregation of duties (SoD) and access governance in S/4HANA and traditional ERP. It's licensed per named user (Access Control Administrator, Auditor, Superuser). Most enterprises on perpetual maintenance maintain legacy Access Control even after deploying BTP identity services, often unknowingly overlapping functionality.
Cloud Identity Services: The Modernized Alternative
SAP Authorization Management (bundled in BTP) handles modern SoD enforcement and access reviews. It's designed for cloud-native architecture and integrates natively with S/4HANA Cloud and BTP-deployed services. It's cheaper, more flexible, and audit-friendly.
When You Need Both
Hybrid estates (S/4HANA Cloud + legacy ERP systems, or multiple SAP versions) often require both. However, most enterprises can consolidate to cloud-only SoD within 18-24 months post-migration. Continuing to license Access Control beyond this timeline is an audit risk and wasted budget.
Optimisation tactic: During RISE with SAP or S/4HANA Cloud contracts, negotiate sunsetting of Access Control named user licenses. Many customers secure 50% reductions by committing to retire legacy access control within a defined period.
The SSO Decision: SAP vs Third-Party Identity Providers
SAP IAS competes with Okta, Microsoft Azure AD, and Ping Identity. The licensing arbitrage between SAP and third-party solutions is significant, and many enterprises over-licence SAP IAS by choosing it purely for brand alignment rather than cost.
SAP IAS: Bundled but Expensive at Scale
When purchased standalone, SAP IAS runs £20-30 per 10,000 monthly authentications for enterprise customers. For a 5,000-person organization with 300,000 monthly authentication events, this is £600-900 monthly (£7,200-10,800 annually). When bundled into RISE or BTP, these costs are bundled but rarely separated in invoices, making true cost difficult to extract.
Azure AD / Okta: The Cheaper Play
Microsoft Azure AD Premium (bundled with Microsoft 365 or Enterprise Mobility+Security) handles 100,000+ authentications monthly at no incremental cost when you already own Microsoft licenses. For organizations with existing Microsoft enterprise agreements, deploying Azure AD as SAP's primary SSO provider costs nothing additional. Okta's pricing is more transparent: £3-5 per user monthly for unlimited authentications, making it cheaper than SAP IAS for most mid-market organizations (500-3,000 users).
SAP's Negotiation Pressure
SAP will discount IAS aggressively if you threaten to adopt Okta or Azure AD. We've secured 40-60% reductions in standalone IAS pricing simply by presenting Okta quotes. SAP fears losing identity visibility into customer environments; it will price competitively to prevent third-party dominance.
Negotiation insight: Go to SAP renewal meetings with signed Okta pilot budgets or Azure AD implementation plans. SAP's willingness to discount and "bundle" IAS rises dramatically when it faces third-party replacement.
How to Audit and Right-Size Your SAP IAM Footprint
Forensic audits of SAP identity services consumption reveal over-licensing across 80% of enterprises. This is deliberate on SAP's part — the service is relatively new, billing is opaque, and most CIOs lack visibility into per-system authentication consumption.
Consumption Reporting: What to Demand
Your SAP contract should entitle you to monthly consumption reports from IAS and IPS. If SAP claims these aren't available, escalate. The data exists in SAP's backend systems and is contractually yours to access. Demand reports showing:
- Daily and monthly authentication event counts by source system
- Peak consumption hours and integration batch windows
- Failed authentication attempts (often double-counted by mistake)
- IPS user provision/deprovision rates and tenant utilization
- API-driven authentications vs user-initiated logins
The 90-Day Assessment
Enable IAS detailed logging (requires no additional license) for 90 days. Extract authentication event streams. Categorize by system, time-of-day, failure rate, and user type. This granular data becomes your negotiation foundation at renewal. Most enterprises discover that 30-40% of their authentication consumption is redundant (batch jobs re-authenticating unnecessarily, inactive integrations still firing, duplicate MFA attempts).
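The categorisation step described above, sketched as an added example (not code from SAP or from this page's authors). The CSV column names and sample rows are constructed for illustration and are not an SAP IAS log schema; the 5-minute window for calling a repeat login redundant is an assumption to tune against your own data.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export. Column names are assumptions for illustration,
# not the schema of any SAP IAS log or report.
SAMPLE = """timestamp,source_system,principal,kind,result
2024-03-01T02:00:00,hris-sync,svc-hris,api,success
2024-03-01T02:00:20,hris-sync,svc-hris,api,success
2024-03-01T02:00:40,hris-sync,svc-hris,api,success
2024-03-01T08:15:00,fiori,alice,user,failure
2024-03-01T08:15:30,fiori,alice,user,success
2024-03-01T08:16:10,fiori,alice,user,success
2024-03-01T09:00:00,crm,bob,user,success
2024-03-01T13:30:00,crm,bob,user,success
"""

def summarize(csv_text, window=timedelta(minutes=5)):
    """Count events per source, hour and kind; flag repeat successes inside `window`."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["timestamp"])
    total, failed, redundant = Counter(), Counter(), Counter()
    by_hour, by_kind, last_ok = Counter(), Counter(), {}
    for r in rows:
        ts = datetime.fromisoformat(r["timestamp"])
        src, key = r["source_system"], (r["source_system"], r["principal"])
        total[src] += 1
        by_hour[ts.hour] += 1
        by_kind[r["kind"]] += 1
        if r["result"] != "success":
            failed[src] += 1
            continue
        # A second success for the same principal and system shortly after the
        # previous one is a candidate redundant re-authentication.
        if key in last_ok and ts - last_ok[key] < window:
            redundant[src] += 1
        last_ok[key] = ts
    return {"total": total, "failed": failed, "redundant": redundant,
            "by_hour": by_hour, "by_kind": by_kind}

def events_over_free_tier(total_events, months, free_per_month=1000):
    """Events beyond the free allowance (1,000 per month is the page's figure)."""
    return max(0, total_events - free_per_month * months)

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for src, n in s["total"].most_common():
        print(f"{src:10} total={n} failed={s['failed'][src]} redundant={s['redundant'][src]}")
```

The per-source failure counts double as a security signal: a source whose failure rate jumps during the 90 days deserves a look regardless of what it costs.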
IPS Right-Sizing
If you're managing fewer than 10,000 user identities across all cloud systems, one IPS tenant is sufficient. SAP often sells multiple IPS instances per customer (one per cloud application, one for on-premises sync, one for "failover"). This is unnecessary and costs £5,000-15,000 annually per redundant instance. Consolidate to single-tenant architecture where possible.
Negotiating SAP Cloud Identity Services as Part of BTP Deals
The leverage point in BTP negotiations is clarity: SAP's cloud service prices are opaque, and most customers accept whatever is bundled. Forensic negotiators challenge the composition of BTP entitlements.
Standard BTP Bundles (What SAP Proposes)
RISE with SAP tier 1 typically includes "unlimited IAS and IPS" in the bundle, along with other BTP services. This sounds generous until you discover the free tier caps (1,000 IAS events, 500 IPS users) and that metering begins as soon as they are exceeded. SAP doesn't advertise these limits clearly — they're buried in technical specifications.
Negotiation Tactics
Tactic 1: Separate Identity from Platform. Challenge SAP to itemize identity service costs separately in your proposal. Demand a "baseline" BTP price with identity services stripped, then price IAS and IPS separately. This forces transparency and prevents you from paying for bundled services you don't need.
Tactic 2: Commit to Okta / Azure Alternative. Tell SAP you're prepared to build your identity infrastructure on Okta or Azure AD, and you'd only include SAP IAS if it's competitively priced. SAP will move mountains to prevent this scenario. We've seen 50% reductions in IAS pricing using this pressure point.
Tactic 3: Demand Consumption Caps. Negotiate fixed consumption ceilings rather than metered growth. For example: "We commit to 500,000 monthly IAS authentications at £X; any overage is your problem, not ours." This forces SAP to right-size your entitlements at contract inception rather than upselling you into consumption tiers later.
Tactic 4: Bundle Discount for SoD. Propose a package deal: "Retire Access Control, move to cloud-only SoD (Authorization Management), and consolidate identity services into one IAS/IPS instance in exchange for 40% discount on RISE pricing." SAP will accept this because it advances their cloud migration agenda.
FAQ: SAP Identity and Access Management Licensing
Yes, IAS is bundled in RISE with SAP, but with strict free tier limits. You receive 1,000 free authentication events monthly. Any additional consumption is metered at £0.02-0.03 per 10,000 events depending on commitment level. Most enterprises exceed this free tier within weeks of go-live. The challenge is that SAP doesn't charge this clearly — it's buried in BTP consumption bills alongside compute and storage.
Request 90 days of authentication event logs from your SAP instance. Count total events across all sources. Subtract your free tier allocation (1,000 monthly x 3 = 3,000 for 90 days). Multiply remaining consumption by SAP's per-event rate (varies by agreement, typically £0.02-0.03 per 10,000 events). Annualize this. If you don't have logs or SAP refuses to provide them, this is a red flag — escalate to your account team with a contractual data access demand.
Yes, absolutely. Many enterprises deploy Azure AD or Okta as their primary SSO and use SAP IAS only for specific SAP Cloud applications. This is often cheaper than SAP IAS standalone. However, SAP will push back at renewal, claiming integration complexity or "support gaps." Reality: Azure AD integrates with SAP Cloud natively, and Okta is industry-standard. Using third-party identity providers is a legitimate negotiation lever that forces SAP to discount IAS pricing.
If you're running S/4HANA Cloud exclusively, no — Authorization Management bundled in BTP replaces Access Control entirely. If you maintain legacy ERP systems on-premises, you may need Access Control for those while using cloud SoD for S/4HANA Cloud. Most hybrid migrations can deprecate Access Control within 18 months. Negotiate sunsetting of Access Control licenses in your RISE or S/4HANA Cloud contract — SAP often accepts 50% license reductions in exchange for your commitment to retire legacy tools.
SAP Identity Provisioning Service is per-tenant: one instance handles unlimited user provisioning (within reason). You don't pay more if you scale from 1,000 to 50,000 users in the same tenant. SAP Identity Authentication is per-event: you pay for each login. Named user licensing (like Access Control) is per-assigned user. Understanding these distinctions is crucial — many CIOs assume IPS scales linearly with headcount and waste budget on redundant tenants.