Human Capital Management Blogs by SAP
Get insider info on HCM solutions for core HR and payroll, time and attendance, talent management, employee experience management, and more in this SAP blog.
haidongsong
Product and Topic Expert

I am writing a short blog to highlight one recent change that came into effect with the latest SAP SuccessFactors Production release on December 9th, 2022. This relates specifically to Identity Authentication / Identity Provisioning so if you are working on this topic this will be relevant for you. 

As of the December 9th, 2022 production release, any newly established integration between a SuccessFactors BizX instance and SAP Identity Authentication/Identity Provisioning Services (IAS/IPS) will use the SCIM API to manage user/group information exchange instead of the old OData API. This change applies both to newly provisioned SuccessFactors BizX instances that have an Identity Authentication and Identity Provisioning tenant bundled together and delivered at the same time, and to existing SuccessFactors BizX instances performing the Initiate IAS Upgrade or Change IAS tasks through Upgrade Center.

What is SCIM API 

SCIM stands for System for Cross-domain Identity Management. It is an open standard designed to make managing user identities in cloud-based applications and services easier, and to facilitate automation of the user provisioning and user lifecycle management process. SCIM communicates user identity data between identity providers (such as SAP Identity Authentication / Provisioning Services, Microsoft Azure Active Directory, etc.) and service providers requiring user identity information (such as enterprise SaaS apps in ERP, HXM, CRM, procurement, etc.).

Why SCIM API 

Adoption of the SCIM API aims to help you better manage user accounts and user groups. It makes user data more secure and simplifies the user experience by automating the user identity lifecycle management process.

SCIM provides a way to synchronize user information between multiple applications. Since it is a standard, user data is stored in a consistent way and can be communicated as such across different apps. This enables administrators/IT to automate the employee/contractor onboarding and offboarding process. The automation also reduces mistakes and data inconsistencies between identity ecosystems.

If you are using or planning to deploy the SuccessFactors Onboarding 2.0 module, we strongly recommend that you migrate to the SCIM API, if you have not already done so, to take advantage of the real-time user sync capabilities that are only available with the SCIM API and not with the OData API.

Also, with the SCIM API you can sync users into People Stories only if the users have Reporting permissions, which streamlines the setup of People Stories and reduces the number of user records to be synced.

The use of the SCIM API for SuccessFactors to IPS user sync does not prevent you from using the OData API in other ways, for example in existing integrations that use OData to sync user information between SuccessFactors and other applications.

 How can I find out whether I am using SCIM or OData 

If your SuccessFactors BizX instance is already integrated with IAS/IPS, you can find out whether you are using the previous OData API or the new SCIM API with the following steps:

  • Log into the IPS Admin Console.
  • From the IPS Admin Console Home page, click the Source Systems tile.
  • From the list of source systems, select the desired SuccessFactors tenant record.
  • Click the Properties tab and check the value of the “sf.api.version” parameter: if the value is 1, the OData API is used; if the value is 2, the SCIM API is used.


 

Can I migrate my SF to IPS integration from OData to SCIM 

If your SuccessFactors BizX instance is already integrated with IAS/IPS and currently uses the previous OData API for user data integration between BizX and IPS, we recommend that you migrate to the new SCIM API.

Note that SCIM does not support case-sensitive usernames. To use SCIM APIs, please disable the setting “Enable Non-Case-Sensitive Username” in Provisioning before you migrate from the OData API to the SCIM API.

  • Before you enable the “Enable Non-Case-Sensitive Username” option, check for duplicate usernames under Admin Center > Check Tool > System Health > User Management. The check “There are no duplicate usernames in the noncase-sensitive mode” should show “No Issue Found” under the Results column.
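The duplicate-username check above can be rehearsed offline against a user export before the cutover. The following is an added example, not SAP's Check Tool or code from this blog: it assumes a CSV export with userId, username and status columns (constructed sample data) and uses Unicode case folding, since the page does not state the exact comparison SuccessFactors applies.

```python
import csv
import io
import unicodedata
from collections import defaultdict

# Constructed sample user export (not real data); the column names are assumptions.
SAMPLE_EXPORT = """userId,username,status
1001,jsmith,active
1002,JSmith,active
1003,mmueller,active
1004,MMUELLER,inactive
1005,akhan,active
1006,straße,active
1007,STRASSE,active
1008, akhan2 ,active
"""

def fold_key(username):
    """Return the key under which usernames are treated as equal when case is ignored."""
    # Assumption: NFKC + casefold() is stricter than lower() ('ß' folds to 'ss'),
    # so it may flag pairs the Check Tool does not; review those by hand.
    return unicodedata.normalize("NFKC", username.strip()).casefold()

def find_collisions(export_text):
    """Map each folded username to the records that share it (only groups of 2+)."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        record = (row["userId"], row["username"].strip(), row["status"])
        groups[fold_key(row["username"])].append(record)
    return {key: recs for key, recs in sorted(groups.items()) if len(recs) > 1}

def report(collisions):
    """Render one line per collision, noting inactive accounts that still hold a name."""
    lines = []
    for key, recs in collisions.items():
        names = ", ".join(f"{name} (userId {uid}, {status})" for uid, name, status in recs)
        note = " [includes inactive account]" if any(s != "active" for _, _, s in recs) else ""
        lines.append(f"{key}: {names}{note}")
    return lines

if __name__ == "__main__":
    found = find_collisions(SAMPLE_EXPORT)
    print("\n".join(report(found)) or "No case-insensitive duplicates found")
```

Each reported group is a set of accounts that would resolve to one identity once case is ignored, so rename or retire all but one before changing the setting.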


To migrate from the OData API to the SCIM API, take the following steps:

  1. Log into the IPS Admin Console.
  2. From the IPS Admin Console Home page, click the Source Systems tile.
  3. From the list of source systems, select the desired SuccessFactors tenant record.
  4. Click the Properties tab, change the value of the “sf.api.version” parameter from 1 to 2, and save the changes.
  5. On the Properties tab, update the value of the sf.user.filter property and save the changes. Please note that the sf.user.filter property under SCIM is different from that under OData and supports different values. For details of the IPS properties, please refer to SAP SuccessFactors.
  6. Click the Transformations tab and update the transformations to conform to SCIM standards, referring to the following information:
    1. Mappings between SCIM user and OData user
    2. Default SCIM transformation: in the Code Syntax section under the “Default transformation for SCIM API v2” section.
  7. Reset Identity Provisioning for the current SF tenant source system; please follow the steps in Reset Identity Provisioning System.
    1. For the relevant target systems (such as IAS and SAC) that use the user data from SF, add the property ips.delete.existedbefore.entities with value true so that IPS can still delete users that were created before the reset.
  8. Perform a full sync of applicable user records from SuccessFactors to IAS/IPS:
    1. In the IPS Admin Console, from the list of source systems, select the desired SuccessFactors tenant record.
    2. Click the Jobs tab.
    3. Click Run Now next to Read Job, or Schedule to run the job at a later time.
  9. Validate that the user sync completes successfully and that all user information is synchronized between BizX and IAS/IPS.

Note: If you are already using Onboarding 2.0 then after this migration Onboarding new hires will be authenticated using IAS. 

Additional info on migration: Adoption of SuccessFactor SCIM Connector and X.509... - SAP Community

Resources:

Upgrade from ODATA IPS Connector to SCIM IPS Connector with SAP SuccessFactors HXM Suite | SAP Help ...

Upgrade to X.509 Certificate-Based Authentication for Incoming Calls | SAP Help Portal

KBA 3359245 - Migrating IPS and SF authentication from Basic Authentication to mTLS certificate usin...

KBA 3378362 - IPS transformations created by SuccessFactors Identity Authentication Service Integrat...

 

5 Comments
former_member143788
Discoverer
0 Kudos

Hello @haidongsong ,

Good day. Just a question regarding syncing Onboardee 2.0 user(s) in IAS using SCIM API.

We already upgraded our IAS to SCIM version. We have all the setup needed for this upgrade in IAS and we are using the default transformation logic for Source and Target systems for SCIM. Now we are simulating the IPS user sync job for one test onboardee and for some reason it is not being read in IPS. We have tried the default sf.user.filter: active eq "true" and userName eq "our_test_onboardee" but IPS still could not read. We have tried several filters to try to query this test onboardee but none seems to be working. The test onboardee has been verified to be existing in SuccessFactors so we should be able to read and fetch but we cannot pinpoint right now what we are missing in IAS side since we are just using the default configurations already set up by SAP.

We have also tried querying the onboardee using API tester/Postman:

First we tried using ODATA API and we are successful in querying the onboardee. With SCIM API though, we are only able to fetch data with userType: EMPLOYEE. We thought it might have something to do with the permission for SCIM API so we did a check on that as well but still not able to query ONBOARDEES. Any advice on how we can fetch data with userType: ONBOARDEE using SCIM API?

This is the URI we used for ODATA: https://api**.sapsf.com/odata/v2/User?$filter=status in 'e'

Result: Test Onboardee was fetched

This is the URI we are using for SCIM: https://api**.sapsf.com/rest/iam/scim/v2/Users

Result: ONLY userType: EMPLOYEE is fetched

This issue is only happening with onboardees. In IPS, regular employees are successfully read and synced with our current configuration. What could we be missing and what else can we check?

Thanks for your help in advance!

Identity Provisioning SAP Cloud Identity Services SAP SuccessFactors Onboarding #SAP Successfactors Onboarding 2.0

pieterjanssens
Active Participant
0 Kudos

Does this work with IPS on Neo?

haidongsong
Product and Topic Expert
0 Kudos

@Former Member Yes SCIM works for both NEO and SCI IPS, the URL is a bit different under each: 

Configure Identity Provisioning Target Systems for Real-Time User Provisioning | SAP Help Portal

pieterjanssens
Active Participant
0 Kudos

 

DELETED

 

courtneypine
Discoverer
0 Kudos

When you migrate from OData API to SCIM API when the source is SF, are you also required to migrate a SAC target to v2?