Human Experience Management Blogs
View official SAP SuccessFactors (HXM) product and release information and resource updates.

This short blog highlights one change that came into effect with the SAP SuccessFactors production release of December 9th, 2022. It relates specifically to Identity Authentication and Identity Provisioning, so if you are working on that integration it will be relevant for you.

As of the December 9th, 2022 production release, any newly established integration between a SuccessFactors BizX instance and SAP Identity Authentication / Identity Provisioning Services (IAS/IPS) uses an X.509 certificate to authenticate the connection between the SuccessFactors HXM Suite and IAS/IPS, replacing the previous basic authentication mechanism with just a username and password. This change applies both to newly provisioned SuccessFactors BizX instances that are delivered with bundled Identity Authentication and Identity Provisioning tenants, and to existing SuccessFactors BizX instances that perform the Initiate IAS Upgrade or Change IAS task through the Upgrade Center.

What is X.509/mTLS?

X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many internet protocols, including TLS (Transport Layer Security)/SSL. Mutual Transport Layer Security (mTLS) establishes an encrypted TLS connection in which both parties use X.509 certificates to authenticate and verify each other.

Why X.509/mTLS?

mTLS prevents malicious third parties from imitating genuine applications and provides a more secure authentication option to its users. 

When an application establishes a connection to another application's secure web server, mTLS protects the communication and verifies that the server it reached truly belongs to the application being called. When the client application requests access, the server application presents its certificate to the client and, in turn, asks the client application for its certificate. Each certificate contains a public key, an identity, and a signature by a trusted certificate authority. Both parties then check the signature and climb the trust chain until they reach a mutually trusted certificate authority, which validates the authenticity of both sides and establishes a secure, encrypted channel.

Since both parties have to be validated, mTLS reduces the chances of impersonation attacks and provides a basis for a zero-trust security framework, which is becoming increasingly important for cloud-based applications and microservices deployments.

How can I find out whether I am using certificate-based authentication or basic authentication?

If your SuccessFactors BizX instance is already integrated with IAS/IPS, to find out whether you are using the previous basic authentication or the new X.509/mTLS certificate-based authentication, you can complete the following steps:  

  • Log into the IPS Admin Console. 
  • From IPS Admin console home page, click on the Source Systems tile. 
  • From the list of source systems, select the desired SuccessFactors tenant's record. 
  • Click on the Properties tab to check the value of the “authentication” parameter; if the value is BasicAuthentication, then basic authentication is used. If the value is ClientCertificateAuthentication, then X.509/mTLS certificate-based authentication is used.  

Can I migrate my SF to IPS integration from basic to certificate-based authentication? 

If your SuccessFactors BizX instance is already integrated with IAS/IPS and currently uses basic authentication for communication between BizX and IAS/IPS, we recommend that you migrate to X.509/mTLS certificate-based authentication.

For the migration steps on the BizX side, please refer to our help doc.

To migrate from basic authentication to X.509/mTLS certificate-based authentication, take the following steps:

Step 1: Generate and download the certificate from IPS.  

  1. Log into the IPS Admin Console.
  2. From the IPS Admin Console home page, click on the Source Systems tile.
  3. From the list of source systems, select the SuccessFactors tenant (the provisioning source system) for which you want to configure client certificate authentication.
  4. Select the Outbound Certificate tab and choose Generate.
  5. If the certificate is generated successfully, the toast message ‘Certificate generated successfully’ is displayed on the screen.
  6. View the certificate information: each certificate contains fields specifying the subject, the name of the CA issuing the certificate, the algorithm used by the issuer to sign the certificate, the validity period, the key size and the certificate's unique identifier.
  7. Download the certificate.


Step 2: Register IPS for certificate-based incoming calls in BizX. 

  1. In BizX, go to Admin Center → Security Center → X.509 Public Certificate Mapping. 
  2. Click Add. 
  3. Complete the fields described below.
  4. Click Save to save the changes.




  • Configuration Name: a descriptive name for the mapping, for example New X.509 Certificate Mapping.
  • Integration Name: select the name of your application from the drop-down menu.
  • Certificate File: upload the corresponding X.509 certificate file (with a certificate file extension such as .cer, .pem or .crt).
  • Login Name: the login name of a user that has permission to consume the SAP SuccessFactors API for its respective application. By default, a technical user is created and used for IPS, so this field is optional and should be left blank.



Step 3: Configure IPS to use certificate-based authentication when communicating with BizX. 

  1. Return to the Identity Provisioning admin console, from Source Systems, select the SF BizX tenant record, and select the Properties tab. 
  2. Set the Authentication property to ClientCertificateAuthentication (previously BasicAuthentication with the IPSADMIN user; the User and Password properties no longer need to be set).
  3. Set the URL parameter to the certificate-based API URL, for example:
  4. Click Add to add a new parameter “” if not already available on the Properties tab, and set the value to the SuccessFactors company id corresponding to this source. 
  5. Save your configuration. 



If you are using real time user sync for new hires between BizX and IAS/IPS, then please complete the following two steps: 

Step 4: Generate and download the certificate from BizX 

  1. In BizX, go to Admin Center → Security Center → X.509 Certificates.
  2. Click Add to add a new entry, and enter the Configuration Name and Valid Until date.
  3. Click Generate and Save.
  4. Click Download, then select X509 Certificate.
  5. When prompted by the browser, save the file to your local file system.


Step 5: Register SF BizX as administrator in IAS using the certificate.

  1. In the IAS Admin console, go to Users & Authorizations → Administrators.
  2. Click on Add, then select System. 
  3. Enter the system name and click Save. 
  4. Click on the system you just created in the previous step. 
  5. Click on Certificate, then click Browse to find the X.509 cert file you downloaded to your local file system. 
  6. Click Save. 

Hello @haidongsong 

I have a couple of questions with this scenario:

1) I see certificates are valid for a year. I have configured email alerts to admins for certificate expiration in IAS. Any ideas or best practices on this? Is this just a manual process?

2) I'm also using certificate auth in Identity Provider -> Source system for password migration from SFEC. This specific config has an auto-renewal feature. Currently we're using the same cert for both configs (SF API v2 in source system and password sync). What are the recommendations here? Is it recommended to use auto-renewal? Should we use two different certificates?

1) At this point, the cert update is a manual process; we are investigating mechanisms to automate it.

2) The certs used for password migration and for real-time user sync are different, so they should be managed separately. Auto-renewal is recommended.
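Step 1 above lists the fields shown for the generated IPS certificate, and this thread notes that the certificates are valid for a year and that renewal is currently manual. As an added example (not SAP's code, and assuming the certificates exported from the IPS Outbound Certificate tab or the BizX X.509 Certificates page are saved as PEM files and that the openssl CLI is installed), the following POSIX shell functions print those fields and flag certificates that expire within a chosen window, so renewal can be tracked from a scheduled job rather than by hand:

```shell
#!/bin/sh
# Added example, not SAP's code. Assumes the openssl CLI is installed and that each
# certificate (as exported from the IPS Outbound Certificate tab or the BizX X.509
# Certificates page) is stored as a PEM file with a .pem, .cer or .crt extension.

# Print the fields the blog lists for a certificate: subject, issuer, serial,
# validity period, signature algorithm and key size.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -serial -startdate -enddate
    openssl x509 -in "$1" -noout -text | grep -E 'Signature Algorithm|Public-Key' | sort -u
}

# Exit 0 if the certificate expires within $2 days, 1 if it is still valid beyond
# that window, 2 if the file is not a readable certificate. openssl's -checkend
# succeeds when the cert is still valid at now + N seconds, so its sense is inverted.
cert_expires_within_days() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Report every certificate in a directory against an expiry window.
# Returns the number of certificates that need renewal (0 means all clear).
check_cert_dir() {
    dir=$1; days=$2; expiring=0
    for f in "$dir"/*.pem "$dir"/*.cer "$dir"/*.crt; do
        [ -f "$f" ] || continue
        rc=0
        cert_expires_within_days "$f" "$days" || rc=$?
        case $rc in
            0) echo "RENEW      $f (expires within $days days)"; expiring=$(( expiring + 1 )) ;;
            1) echo "OK         $f" ;;
            *) echo "UNREADABLE $f" ;;
        esac
    done
    return "$expiring"
}

# Usage from a daily scheduled job, for example:  check_cert_dir /path/to/exported-certs 30
```

A non-zero return from check_cert_dir is what an alerting job should key on; the printed lines identify which exported certificate (IPS outbound or BizX) needs to be regenerated and re-uploaded on the other side.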


@haidongsong about the second point I see a problem: at the following link it is highlighted that you cannot maintain two active certificates in IPS - Source System: only one can be active at a time.

Can you help with this? How can we configure two separate certificates for password migration and real-time user sync?


Hi @mamodei 

When you create your source system for password validation, you enter a CN for the certificate. It should look something like below:

Once you save, the cert is created.

You can then upload the cert in SF.

Test the connection (note that I changed the URL since it had an error in the first screen).

Note that password validation in the SF scenario is intended to provide a smooth transition for PWD-based users. If you think about this carefully, you'll probably decide to eliminate this config in the long term, and 1 year seems to be more than enough, so I'm not sure I'd really want to renew the certificate in this case. If you are going to create new pwd-based users in SF, it is probably not a good idea to keep this sync. Instead I'd suggest managing the pwd directly in IAS once the user is synced by IPS; this can be done manually by the admin, or you can even add a send mail in the transformation when they meet the condition ("condition": "$['urn:ietf:params:scim:schemas:extension:successfactors:2.0:User']['loginMethod'] == 'PWD'").

Hope it helps