I am writing a short blog to highlight one recent change that came into effect with the latest SAP SuccessFactors Production release on December 9th, 2022. This relates specifically to Identity Authentication / Identity Provisioning, so if you are working on this topic, this will be relevant for you.
As of the December 9th, 2022 production release, any newly established integration between a SuccessFactors BizX instance and SAP Identity Authentication / Identity Provisioning Services (IAS/IPS) uses an X.509 certificate to authenticate the integration between the SuccessFactors HXM Suite and IAS/IPS, instead of the previous basic authentication mechanism with just a username and password. This change applies both to newly provisioned SuccessFactors BizX instances that are delivered together with bundled Identity Authentication and Identity Provisioning tenants, and to existing SuccessFactors BizX instances that perform the Initiate IAS Upgrade or Change IAS tasks through the Upgrade Center.
What is X.509/mTLS?
X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many internet protocols, including TLS (Transport Layer Security) / SSL. Mutual Transport Layer Security (mTLS) establishes an encrypted TLS connection in which both parties use X.509 certificates to authenticate and verify each other.
mTLS prevents malicious third parties from imitating genuine applications and provides a more secure authentication option to its users.
When a client application attempts to establish a connection with another application's secure web server, mTLS protects their communication and verifies that the server truly belongs to the application being called. When the client requests access to the server, the server presents its certificate to the client and, in turn, asks the client for its certificate. Each certificate contains a public key, an identity, and a signature by a trusted certificate authority. Both entities then verify the signature and walk up the trust chain until they find a certificate authority they both trust, which validates the authenticity of both entities and establishes a secure, encrypted channel.
Since both entities have to be validated, mTLS reduces the chances of attacks and provides a basis for a zero-trust security framework, which is becoming increasingly important in cloud-based applications and microservice deployments.
How can I find out whether I am using certificate-based authentication or basic authentication?
If your SuccessFactors BizX instance is already integrated with IAS/IPS, to find out whether you are using the previous basic authentication or the new X.509/mTLS certificate-based authentication, you can complete the following steps:
Log into the IPS Admin Console.
From IPS Admin console home page, click on the Source Systems tile.
From the list of source systems, select the desired SuccessFactors tenant's record.
Click on the Properties tab to check the value of the "authentication" parameter: if the value is BasicAuthentication, basic authentication is used; if the value is ClientCertificateAuthentication, X.509/mTLS certificate-based authentication is used.
Can I migrate my SF to IPS integration from basic to certificate-based authentication?
If your SuccessFactors BizX instance is already integrated with IAS/IPS and currently uses basic authentication for communication between BizX and IAS/IPS, we recommend that you migrate to X.509/mTLS certificate-based authentication.
For the migration steps on the BizX side, please refer to our help doc.
To migrate from basic authentication to X.509/mTLS certificate-based authentication, take the following steps:
Step 1: Generate and download the certificate from IPS.
Log into the IPS Admin Console.
From the IPS Admin console home page, click on Source Systems tile.
From the list of source systems, select the desired SuccessFactors tenant as the provisioning system that you want to configure client certificate authentication for.
Select the Outbound Certificate tab and choose Generate.
If the certificate is generated successfully, the toast message "Certificate generated successfully" is displayed on the screen.
View the certificate information.
Each certificate contains fields specifying the subject, the name of the CA issuing the certificate, the algorithm used by the issuer to sign the certificate, the validity period, the key size and the certificate's unique identifier.
Download the certificate.
Step 2: Register IPS for certificate-based incoming calls in BizX.
In BizX, go to Admin Center → Security Center → X.509 Public Certificate Mapping.
Complete the fields listed in the table below.
Click Save to save the changes.
Example: New X.509 Certificate Mapping
Select the name of your application from the drop-down menu.
Upload the certificate file downloaded from IPS (with a certificate file extension such as .cer, .pem or .crt); it must be an X.509 certificate.
The login name of a user that has permission to consume the SAP SuccessFactors API for the respective application. By default, a technical user is created and used for IPS, so this field is optional and should be left blank.
Step 3: Configure IPS to use certificate-based authentication when communicating with BizX.
Return to the Identity Provisioning admin console, open Source Systems, select the SF BizX tenant record, and select the Properties tab.
Set the Authentication property to ClientCertificateAuthentication (previously BasicAuthentication, which used the IPSADMIN user). The User and Password properties no longer need to be set.
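As an added example (not from the SAP blog or from SAP's own tooling), the following POSIX shell script uses the openssl CLI to inspect the certificate downloaded in Step 1 before it is uploaded in Step 2: it detects whether the file is PEM- or DER-encoded (a .cer file is often DER), prints the certificate fields listed above, and checks the remaining validity so the mapping in BizX can be renewed before IPS calls start failing. The file names and the self-signed demo certificate are constructed for the demo and assume openssl is installed.

```shell
#!/bin/sh
# Added example (not from the SAP blog or SAP tooling): inspect the certificate
# downloaded from the IPS "Outbound Certificate" tab before uploading it in BizX.
# Assumes the openssl CLI is installed; file names and the self-signed demo
# certificate below are constructed for the demo.
set -eu
work=$(mktemp -d)

# Print "PEM" or "DER" depending on how the file is encoded (a .cer file is
# often DER), or fail if the file is not an X.509 certificate at all.
cert_format() {
  if openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1; then echo PEM
  elif openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then echo DER
  else return 1; fi
}

# Show the fields the blog lists: subject, issuing CA, serial (the unique
# identifier), validity period, signature algorithm and key size.
cert_summary() {
  fmt=$(cert_format "$1")
  openssl x509 -in "$1" -inform "$fmt" -noout \
    -subject -issuer -serial -startdate -enddate
  openssl x509 -in "$1" -inform "$fmt" -noout -text \
    | grep -E 'Signature Algorithm|Public-Key:' | head -n 2 | sed 's/^ *//'
}

# Exit 0 only if the certificate stays valid for at least $2 more days. An
# expired client certificate is rejected during the mTLS handshake, so IPS
# calls to BizX would fail once the mapped certificate lapses.
cert_valid_for_days() {
  fmt=$(cert_format "$1")
  openssl x509 -in "$1" -inform "$fmt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo: a self-signed certificate standing in for the IPS-generated one.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days "$2" -subj "/CN=ips-outbound-demo" >/dev/null 2>&1
}

make_demo_cert "$work/ips-outbound.pem" 365
cert_summary "$work/ips-outbound.pem"
if cert_valid_for_days "$work/ips-outbound.pem" 30; then
  echo "OK: more than 30 days of validity left"
else
  echo "WARNING: renew the outbound certificate and update the BizX mapping"
fi
```

Run it against the real downloaded file by replacing the demo path; a non-zero exit from cert_format means the file is not an X.509 certificate and will not be accepted by the mapping screen.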