sushilgupta857
Active Participant

Introduction:


All SAP SuccessFactors systems can use the SAP Cloud Platform Identity Authentication service. SAP plans to migrate all SAP SuccessFactors systems to the service in the future.

If you are wondering why the Identity Authentication service (IAS) is used for the SAP SuccessFactors application, read this:

If SAML 2.0, SSO, IAS and Identity Provider are new terms for you, read this:

Prerequisites:



  • You need a valid customer S-User ID to perform this activity.

  • Admin access to the Upgrade Center in the SAP SuccessFactors application.

  • Admin access in the SAP SuccessFactors application (to create and manage roles, reset passwords, and so on).

  • Metadata files from the corporate IdPs, to establish trust (in case of SSO to corporate IdPs).

  • Every user in SAP SuccessFactors should have a unique email address.
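
A pre-flight check for the last prerequisite, added here as an example (it is not part of the original blog or of any SAP tool): it scans a SuccessFactors user export for the conditions that later make users fail or collide in the IPS sync, namely missing, malformed or duplicate email addresses and duplicate usernames. The column names USERID, USERNAME, EMAIL and STATUS are an assumption modelled on the basic user export, and the rows are constructed test data.

```python
"""Pre-flight check for the IAS/IPS prerequisites: every SuccessFactors
user must carry a unique, well-formed email address and a unique username.
Added example, not part of the original blog or of any SAP tool; the CSV
columns (USERID, USERNAME, EMAIL, STATUS) are an assumption and the rows
below are constructed."""
import csv
import io
import re
from collections import defaultdict

# Loose syntactic check: something@something.tld
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample export (not real data). It contains a case-variant
# duplicate email, a blank email, a malformed address and a padded username.
SAMPLE_EXPORT = """USERID,USERNAME,EMAIL,STATUS
1001,asharma,a.sharma@example.com,active
1002,jdoe,J.Doe@example.com,active
1003,jdoe2,j.doe@example.com,active
1004,mkhan,,active
1005,lwong,lwong@example,active
1006, asharma ,as2@example.com,inactive
"""


def parse_export(csv_text):
    """Return the rows of a SuccessFactors user export as dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_sync_blockers(users, active_only=True):
    """Report conditions that make a user fail or collide in the IPS sync.
    Comparison is whitespace-trimmed and case-insensitive, because the
    identifiers are matched case-insensitively on the IAS side."""
    if active_only:
        users = [u for u in users if u.get("STATUS", "").lower() == "active"]
    by_email = defaultdict(list)
    by_username = defaultdict(list)
    missing_email, malformed_email = [], []
    for u in users:
        uid = u["USERID"]
        email = u.get("EMAIL", "").strip().lower()
        username = u.get("USERNAME", "").strip().lower()
        if not email:
            missing_email.append(uid)
        elif not EMAIL_RE.match(email):
            malformed_email.append(uid)
        else:
            by_email[email].append(uid)
        by_username[username].append(uid)
    return {
        "missing_email": missing_email,
        "malformed_email": malformed_email,
        "duplicate_email": {e: ids for e, ids in by_email.items() if len(ids) > 1},
        "duplicate_username": {n: ids for n, ids in by_username.items() if len(ids) > 1},
    }


def is_ready_for_sync(report):
    """True when no blocker was found."""
    return not any(report.values())


if __name__ == "__main__":
    report = find_sync_blockers(parse_export(SAMPLE_EXPORT))
    for problem, detail in report.items():
        if detail:
            print(f"{problem}: {detail}")
    print("ready for sync:", is_ready_for_sync(report))
```

Run it against the real export (with active_only=False if inactive users are also in scope of the sync) before the first IPS job, and fix every reported user in SuccessFactors first; the comments below from the author make the point that a user who fails the sync cannot log in once IAS is activated.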


Scenario


Architecture


I have chosen this slightly complicated architecture so that I can cover most of the functionalities of IAS. You can add or remove applications and corporate IdPs as per your requirement.

Important


We perform two upgrades in the SAP SuccessFactors application in this activity.

The first upgrade provides you with the details of IAS and IPS and automatically does some initial setup.

Second upgrade: do not perform this upgrade until all configurations are completed, because there is no going back once it is done. After completion IAS becomes the default identity provider for the SAP SuccessFactors application, and all login requests go to IAS by default.

If you want to integrate an existing IAS in your landscape with the SAP SuccessFactors application, make sure both are in the same region.

I strongly recommend reading the Admin Guide

and note: 2791410 - Integrating SuccessFactors with SAP Cloud Identity Authentication Through the Upgrade Cent...

 

Steps



  • Perform first upgrade in upgrade center in SAP SuccessFactors application - Initiate the integration between IAS and SAP SuccessFactors.

  • Perform IAS admin console Tasks

  • Provide Authorizations to IPSADMIN user In SAP SuccessFactors application

  • Perform IPS admin console Tasks

  • Perform Source system configuration, Password migration configuration

  • Perform Second upgrade in upgrade center in SAP SuccessFactors application - Activate the integration between IAS and SAP SuccessFactors


 

Let's get started!

Perform First Upgrade: "Initiate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration"



  1. Log in to the SAP SuccessFactors application and open the Upgrade Center.

  2. Select the optional upgrade "Initiate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration" and begin the upgrade process.

  3. Enter the customer S-User ID and password.

  4. Select one of the existing IAS tenants, or request a new IAS tenant.

    • If the required IAS (one that already exists in your landscape) is not visible, it may be because your SAP SuccessFactors application is in a different region than your IAS.

    • Solution: raise a ticket with SAP, give them the details and ask them to remove the flag so that you can select the required IAS for the integration.



  5. You can check the upgrade status in the monitoring tools for IAS/IPS until the upgrade is completed.


Monitoring




Perform IAS admin console Tasks


Generate the metadata file from IAS and provide it to the corporate identity providers to establish trust.



  • Click "Tenant Settings" under the "Applications & Resources" tab.

  • Download the metadata file by opening the "SAML 2.0 Configuration" section and selecting "Download Metadata File".


Configure Corporate Identity Providers


In our scenario we consider two corporate identity providers. If in future you expect more corporate IdPs, for example one per region (India, US, UK, etc.), you can follow the same steps to add them when required.

  • Corporate IDP 1 - India (a local corporate IdP)

  • Azure AD


 

Create Corporate IDP 1

  • Under the Identity Providers section, click Add and enter the name: Corporate IDP 1 - India

  • Upload the metadata file received from the corporate IdP: click SAML 2.0 Configuration, browse and upload

  • Select "SAML 2.0 Compliant" as the Identity Provider type

  • Save the configuration


Create Azure AD

  • Under the Identity Providers section, click Add and enter the name: Azure AD

  • Upload the metadata file received from Azure AD: click SAML 2.0 Configuration, browse and upload.

  • Select Identity Provider Type: Microsoft ADFS/Azure AD (if you don't select this, you get an error at testing time)

  • Because we map Azure AD users in IAS (Azure AD sends a different identifier than the SuccessFactors username), enable "Use Identity Authentication user store"


  • Save the configuration


Create User Groups


Create user groups for your different corporate IdPs.

  • Open "User Groups" under the "Users & Authorizations" tab and create two groups: DEV_IDP1 and DEV_AzureAD


DEV_IDP1 - users in this group authenticate at Corporate IDP 1 - India


DEV_AzureAD - users in this group authenticate at Azure AD




Configure SAP SuccessFactors applications and conditional Authentication



  • Open the "Applications" section of the "Applications & Resources" tab.

  • Select the SAP SuccessFactors application that was created automatically as part of the first IAS upgrade.

  • Select "Conditional Authentication" under the "Trust" tab to define conditional authentication rules.

  • Select IAS as the default identity provider.

  • Create one conditional authentication rule per user group to route the members of that group to the respective corporate identity provider.

  • The rules are evaluated in order: users are redirected to the corporate identity provider of the first rule they match, and a user who matches no rule is authenticated in IAS (the default identity provider) with the password maintained in the IAS user store.
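
The routing just described, as an added example that models it in code (it is not IAS code and is not from the original post): rules are tried top-down, the first match decides the identity provider, and anyone who matches no rule lands on the IAS default. The audit function flags the users who would reach that default without an IAS password, which is the group that is locked out after activation. The rule types (group, email domain), the group names DEV_IDP1 and DEV_AzureAD and the users are assumptions and constructed data.

```python
"""Model of IAS conditional authentication for the SAP SuccessFactors
application: ordered rules, first match wins, IAS as the default IdP.
Added example, not IAS code; rule types, group names and users are
assumptions / constructed data."""
from dataclasses import dataclass, field


@dataclass
class User:
    login_name: str
    email: str
    groups: set = field(default_factory=set)
    has_ias_password: bool = False  # true only for users maintained in IAS


@dataclass
class Rule:
    """Route to `idp` when the user is in `group` and/or has an email in
    `email_domain`; an empty field does not restrict the match."""
    idp: str
    group: str = ""
    email_domain: str = ""

    def matches(self, user):
        if self.group and self.group not in user.groups:
            return False
        if self.email_domain and not user.email.lower().endswith("@" + self.email_domain.lower()):
            return False
        return True


DEFAULT_IDP = "IAS"


def route(user, rules):
    """Identity provider the user is sent to (first matching rule wins)."""
    for rule in rules:
        if rule.matches(user):
            return rule.idp
    return DEFAULT_IDP


def audit_default_fallthrough(users, rules):
    """Users who fall through to the IAS default without an IAS password
    cannot log in after activation; list them so the missing group
    membership or rule is fixed before the second upgrade."""
    return sorted(u.login_name for u in users
                  if route(u, rules) == DEFAULT_IDP and not u.has_ias_password)


# Constructed rules for the scenario above: two corporate IdPs, IAS default.
RULES = [
    Rule(idp="Corporate IDP 1 - India", group="DEV_IDP1"),
    Rule(idp="Azure AD", group="DEV_AzureAD"),
    Rule(idp="Azure AD", email_domain="contoso.com"),  # domain-based catch-all
]

# Constructed users (not real data).
USERS = [
    User("asharma", "a.sharma@example.in", {"DEV_IDP1"}),
    User("jdoe", "jdoe@contoso.com", {"DEV_AzureAD"}),
    User("pbrown", "pbrown@contoso.com"),                 # no group, caught by domain rule
    User("extuser1", "ext@partner.org", has_ias_password=True),  # external, lives in IAS
    User("newhire", "newhire@example.in"),                # no group, no IAS password: locked out
]

if __name__ == "__main__":
    for u in USERS:
        print(f"{u.login_name:10} -> {route(u, RULES)}")
    print("locked out after activation:", audit_default_fallthrough(USERS, RULES))
```

Because the first matching rule wins, the order in which rules are listed matters when a user belongs to more than one group; the audit is the check to run on the synced user list before the second upgrade.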


Configure Application Logo



  • Click on Branding and layout and select logo




Configure Password Policy




Check if Admin System user is created for IPS API access



 

Provide Authorizations to IPSADMIN user In SAP SuccessFactors application



  1. Log in to the SAP SuccessFactors environment and open the Admin Center.

  2. Select "Password & Login Policy Settings" under "Company Settings".

  3. Create a new exception under "Set API login exceptions" by selecting "Add".

  4. Create the new user security setting for the IPS administrator account and enter:

    1. Username: IPSADMIN

    2. Maximum password age: -1 (the password of this technical user never expires, so the IP restriction below is what limits its exposure)

    3. IP address restrictions: the IP ranges of your IPS region, as published by SAP




Grant IPS permissions to IPS administrator account



  1. Open the Admin Center and select "Manage Permission Roles" under "Set User Permissions".

  2. Create a new permission role by selecting "Create New", and enter a role name and description.

  3. Select "Permission" and assign the following permissions to the created role:

    1. Manage Integration Tools > Allow Admin to Access OData API

    2. Manage User Account

    3. Manage User > Employee Export



  4. Select "Add" and assign the created role to the IPS administrator account.


Reset password of IPS administrator account



  • Open the Admin Center and select "Reset User Passwords".

  • Provide the new password for the IPS administrator account and click Reset Password. This password is entered later in the IPS source system configuration, so store it as a secret.



 

We will continue with the next steps in the next blog! Happy learning!

 

Frequent questions from users:


How do we establish trust between SuccessFactors and IAS?

When you perform the first upgrade, it automatically creates an application named SAP SuccessFactors in IAS and performs the initial setup, such as exchanging certificates and setting the identifier (Login Name).

The username in SAP SuccessFactors is the Login Name in IAS.
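
To verify that mapping from a captured SAML trace, here is an added example (not from the original post and not an SAP tool) that decodes the SAMLResponse parameter from the browser trace, prints the fields worth checking (issuer, status, NameID and its format, audience, validity window, whether a signature is present) and compares the asserted NameID with the SuccessFactors username list. It deliberately does not validate the XML signature; a production check must. The embedded response is constructed and unsigned, and the host names are placeholders.

```python
"""Decode a SAML trace and check the NameID -> SuccessFactors username
mapping. Added example, not part of the blog or of any SAP tool. Signature
presence is reported, not verified. Sample response below is constructed."""
import base64
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_saml_message(value):
    """Base64-decode a SAMLResponse/SAMLRequest parameter. HTTP-POST carries
    plain XML; HTTP-Redirect additionally raw-DEFLATEs it (RFC 1951)."""
    raw = base64.b64decode(value)
    if raw.startswith(b"<"):
        return raw.decode()
    return zlib.decompress(raw, -15).decode()


def encode_redirect_binding(xml_text):
    """Inverse of the redirect-binding case, used to build test input."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(co.compress(xml_text.encode()) + co.flush()).decode()


def summarize_response(xml_text):
    """Pull the fields a practitioner checks first out of a SAML Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain Assertion (encrypted or missing)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    conds = assertion.find("saml:Conditions", NS)
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "status": status.get("Value").rsplit(":", 1)[-1] if status is not None else None,
        "name_id": name_id.text,
        "name_id_format": (name_id.get("Format") or "").rsplit(":", 1)[-1],
        "audience": audience.text if audience is not None else None,
        "not_on_or_after": conds.get("NotOnOrAfter") if conds is not None else None,
        "signed": assertion.find("ds:Signature", NS) is not None
                  or root.find("ds:Signature", NS) is not None,
    }


def name_id_matches_sf_user(summary, sf_usernames):
    """SuccessFactors matches the asserted NameID against its username
    (the IAS Login Name). Case-insensitive comparison is an assumption;
    confirm the behaviour in your own tenant."""
    return summary["name_id"].lower() in {u.lower() for u in sf_usernames}


# Constructed, unsigned sample response (not a real trace; hosts are placeholders).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" Destination="https://example-sf.invalid/saml2/SAMLAssertionConsumer">
  <saml:Issuer>https://example-ias.invalid</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://example-ias.invalid</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">JDOE</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://example-sf.invalid</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    s = summarize_response(decode_saml_message(SAMPLE_SAML_RESPONSE))
    for k, v in s.items():
        print(f"{k:16} {v}")
    print("maps to an SF user:", name_id_matches_sf_user(s, ["jdoe", "asharma"]))
```

Paste the SAMLResponse value from the browser's network trace in place of the sample; an unexpected NameID, a NameID format that SuccessFactors does not accept, a wrong audience, or a missing signature each explains a login failure that the upgrade's test step otherwise only reports as "authentication failed".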

 

Does the password policy of the IAS tenant apply to users who are redirected to corporate IdPs?

No. The password policy applies only to users who exist in the IAS user store: users created manually in IAS, users synced from applications using IPS, and users imported via CSV. It does not apply to users who are authenticated at a corporate IdP.

 

Do we need to perform any manual steps to enable single sign-on in the SAP SuccessFactors application? There are blogs that enable SSO manually on the Manage SAML SSO page.

I would say: do not change the SSO settings manually, not even for testing, because

  • the second upgrade in the Upgrade Center takes care of it automatically (once everything is done, you can run the upgrade and do some pre-testing before the activation), and

  • if you are a super admin in SAP SuccessFactors and you switch the setting to SSO, then until you (or someone else) switch it back all logins are blocked if the asserting parties are not correctly set up and configured.


 

What is the use of IPS? Why do we need IPS when conditional authentication already lets us redirect authentication to different corporate IdPs based on user groups, email addresses or IP addresses?

Here's the catch! If you don't sync the users between SAP SuccessFactors and IAS using IPS, you can't use any of those options. IAS needs the user details to perform this segregation based on groups, email address, etc.

IPS eases the process of syncing the users between the SAP SuccessFactors application and IAS.

 

What is the difference between IAS non-production and production? How do we know which one is non-prod and which one is prod? Can I use IAS prod with SAP SuccessFactors BizX non-prod?

It is recommended to use SAP SF BizX non-prod with IAS non-prod, and both should exist in the same region. The same goes for production.

However, if you want to integrate an IAS which is in a different region than your SAP SF BizX, you will need to raise a ticket with SAP and request them to remove the flag, so that the IAS of the other region (or of the other type, prod or non-prod) is visible when you get the option to choose an IAS during the first upgrade.

From a technical perspective I haven't found any difference between configuring IAS non-prod and IAS production. You can ask SAP to tell you which IAS is of production type and which is of non-prod type.

 

In this blog post you have learned how to initiate the integration of IAS with the SuccessFactors application, the IAS admin console activities, and how to set up the API user in the SAP SuccessFactors application that IPS uses to migrate users from SAP SuccessFactors to IAS.

See you in the next blog post!

Click below to move to next step:

IAS integration with SAP SuccessFactors Application – 2 (Sync users using Identity Provisioning Serv...
21 Comments
Vaishnavi_10
Hi Sushil,

The blog is very useful, thanks for that!

When we try to run the second upgrade there is an error stating that SSO is not enabled.
sushilgupta857
Hi Vaishnavi,

Thank you.

Please note, when we run the second upgrade:

  • It asks us to perform testing. If all the steps were completed successfully (users synced to IAS properly, other configurations completed), it should perform authentication (ask you for credentials), and only once authentication is successful does it give you the option to go ahead with the final upgrade.

  • For more detail regarding this: IAS integration with SAP SuccessFactors Application – 3 (Activation and Testing)


In case you trigger the upgrade after successful authentication and it fails, kindly raise a ticket with SAP regarding this (on high or very high priority). It is an automated step which gets completed at the backend by this SAP upgrade (once you trigger the second upgrade, it usually doesn't take more than 2-3 minutes).

What actually happens in the backend is a switch in the SuccessFactors SSO settings which makes IAS the default identity provider. After the upgrade all requests go to IAS, and IAS decides whether to forward the request to a corporate IdP (acting as a proxy) or to act as the identity provider itself, depending on the requirement and configuration.

Please let me know if there is any other concern.

Regards

Sushil K Gupta
singhharshita
Hi Sushil, one question: is there a separate license that the client has to take from SAP for this?
sushilgupta857

Hi Harshita,

If you are performing an implementation specific to the SAP SuccessFactors application: no, IAS and IPS are bundled free with your SAP SF license. While performing the first upgrade you can request IAS and IPS, absolutely free. If you face any issues, you can raise a ticket with SAP.

They have an amazing support team for this integration!

Also, IAS and IPS are bundled free with multiple SAP cloud products; you just need to ask for it and they can guide you through the process.

Please have a look at the information below from the standard guide:

Obtain a Bundle Tenant - SAP Help Portal

>>>

There will be certain restrictions on these tools (the IPS source and target systems which we can use), but for the specific application it will work absolutely fine.

Example: you ask SAP for the bundled license with the SAP SF application. In IPS you can choose SAP SF as source and IAS as target.

You won't be able to use it for any other application.

<<<

 

If you want to integrate other applications which are not included in the bundled licenses:

You can purchase a separate license for IAS.

For IPS:

<<<

SAP says:

Effective October 20, 2020, Identity Provisioning can no longer be purchased as a standalone product...

>>>

Let me know if there are any other doubts!

Happy to help.

 

Thanks and Regards

Sushil K Gupta

Tjoosten
How long should this process take to upgrade to IAS?
sushilgupta857

Hi Terri,

There are two upgrades we run: the first is to initiate the configuration, which gives us the IAS and IPS details (in case they don't exist, it requests new tenants).

The second is the activation of the configuration (after performing all the pre-steps and checks).

 

The first upgrade shouldn't take more than a few hours (in case there is no error at the backend).

The second upgrade takes less than 2 minutes once you click the activate button.

  • This upgrade includes testing as well; only once testing is successful does it let you activate the configuration, so it depends on how much time you take to perform the testing.

 

If you are asking about the whole configuration process, from the start until delivery of the system: I kept 2 weeks for every instance (there were 3 instances, DEV, PREVIEW and PROD, in my case).

This includes some buffer time which I had kept to perform cleanup of the users that were failing in the sync job.

 

Let me know if this answers your question.

 

PS: Make sure you have all the requirements in place before starting the configuration.

Regards

vk8893

What happens in IAS when the login name (userName in SF) gets changed for the same user?

Do we need to take extra actions in IAS, like resetting the account in IAS?

Is "performing cleanup of users which fail in the sync job" an important task for the other updates on users to follow? Or can the cleanup be postponed, like a monthly activity?

sushilgupta857

Hi Vishnu,

Please find my inputs below:

1) What happens in IAS when the login name (userName in SF) gets changed for the same user?

Inputs:

The username in SF gets synced to IAS and becomes the login name of the user in IAS.

Now let's say the username is changed; technically it should sync the new username (in SF) to IAS (login name) and update the entry.

Also please note that the username also acts as the SAML identifier in SAP SF, so in a scenario where you are using a corporate IdP:

  • and you have not done the mapping in IAS: usually there is a field maintained at AD level which is mapped, so it should be updated there as well, otherwise authentication may fail.
  • If mapping is enabled in IAS (the "use IAS user store" option is on), it might not have any impact.
  • Check this blog for more information related to this: Why Identity authentication is required for SAP SuccessFactors Application

I would suggest testing it to be sure about the behaviour of the application. Capture the SAML trace to get more details.

 

2) Is "performing cleanup of users which fail in the sync job" an important task for the other updates on users to follow? Or can the cleanup be postponed, like a monthly activity?

Inputs:

Please note:

  • Users which fail in the sync job won't be able to authenticate or log in after the IAS activation with SAP SF.
  • If they are just test users (let's say in a DEV environment) and you are sure that these users won't authenticate, you can postpone it.

If it is a QA or PROD environment, I would suggest performing the cleanup and fixing all the users.

The reason why syncing the users (performing the cleanup) is a prerequisite and not a post-step: whichever users fail in the sync job won't be able to take part in authentication, and once the IAS activation is completed the system is live, where even a small change in the transformations may cause issues (I recommend avoiding it).

 

Regards

Sushil K Gupta

sureshbandaru83
Hi Sushil,

We want to bring in the Employee Class and LMS flag, which currently exist in the Job Information of an employee. When running an OData API query from CPI or from Postman we get values for these fields using the query below.

https://api2preview.sapsf.eu/odata/v2/User?$select=empInfo/jobInfoNav/employeeClassNav/localeLabel,u... eq 'XXXXXX'

But when I update the code below in IAS, the job runs successfully but the value does not appear under User Management -> user record -> Custom Attributes.

Code that I have configured in the different areas:

Source System:

sf.user.attributes: userId,username,status,email,lastName,firstName,lastModifiedDateTime,personKeyNav,empInfo/jobInfoNav/employeeClassNav/localeLabel,empInfo/jobInfoNav/customString14Nav/localeLabel

sf.user.attributes.expand: personKeyNav,personKeyNav/userAccountNav,empInfo/jobInfoNav/employeeClassNav,empInfo/jobInfoNav,empInfo

Transformation:

{
  "sourcePath": "$.empInfo.jobInfoNav.employeeClassNav.localeLabel",
  "targetPath": "$.employeeClass"
},
{
  "sourcePath": "$.empInfo.jobInfoNav.customString14Nav.localeLabel",
  "targetPath": "$.LMSFlag"
}

Target System:

{
  "sourcePath": "$.employeeClass",
  "optional": true,
  "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][9]['value']"
},
{
  "condition": "$.employeeClass EMPTY false",
  "constant": "customAttribute10",
  "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][9]['name']"
},
{
  "sourcePath": "$.LMSFlag",
  "optional": true,
  "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][8]['value']"
},
{
  "condition": "$.LMSFlag EMPTY false",
  "constant": "customAttribute9",
  "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][8]['name']"
}

Am I missing something?

Thank you in advance.

Suresh
sushilgupta857
Hi Suresh,

Currently I don't have access to the environments so I can't test it; however, based on the details shared, please find my inputs below:

Understanding: You are trying to sync the users from

Source - SuccessFactors

Target - IAS

You want to update the custom attributes of the user in IAS using some SuccessFactors attribute values.

Question:

From the query I understand that you are trying to fetch the details from SF and you are able to receive them using Postman.

Can you try to update the custom attribute field for a user in IAS using Postman, to check whether you are able to update this field successfully using API access?

If that works, then there is some issue in your IPS transformation.

Try to troubleshoot the IPS transformation:

In case you are working in a test environment you can try these steps to find the logs.

Even if the job runs successfully and the custom attributes are not updated, I understand the transformation is not working as expected.

Try to put a block of code like this

sourcePath: dummy

targetPath: dummy

(after your updated transformation code).

This should intentionally fail the sync job and capture the logs. Check whether you can find details in the logs.

 

In case nothing works, share all your findings with the SAP IPS support team and request support.

Thanks and Regards

Sushil K Gupta
DeepikaB
Hi Sushil,

 

I want to reflect parameters such as "Manager Name", "Department", "Company", "Country" and "Region" in IAS when the sync job runs from SF.

Please let me know what to include in the JSON transformation in IPS, and whether we need to add these parameters to the sf.user.filter parameter as well. Appreciate your help.

 

Deepika

 
sushilgupta857
Hi Deepika,

Just saw your comment. Yes, you will need to add these parameters to sf.user.filter.

To sync these parameters you will need to modify both the source transformation (SAP SuccessFactors) and the target transformation (SAP Identity Authentication).

Check api.sap.com for the exact attribute names you will need to put in the IPS transformation code:

https://api.sap.com/api/IAS_SCIM/schema

https://api.sap.com/products/SAPSuccessFactors/apis/packages

Thanks and Regards

Sushil K Gupta
Haridha_P
Good one!!
batoul_kserawy
Hi sushilgupta857,
thank you for the excellent blog! 🙂
One question, hope you can help me with.

If SF is already connected with an IAS, but now we want to switch it to another IAS we ordered, is such a switch possible? Should we just repeat the first step and just choose the other IAS we want?

Thank you in advance. 🙂
sushilgupta857
Hi Batoul Kserawy,

Please check if below SAP Documentation helps with your query:

Remapping an Identity Authentication Tenant


Option to check in upgrade center:

Change SuccessFactors Identity Authentication Service Integration and click Learn More & Upgrade Now

Please let me know if it helps !

Thanks and Regards

Sushil K Gupta
batoul_kserawy
Hi Sushil,
if it was already upgraded in SF before, then I think it is not possible to do it again, right?
Because I can see that it has already been upgraded before, and I can't upgrade (change the IAS configuration) anymore.
sushilgupta857
Hi Batoul,

I see this statement in the documentation:
>>>

In the Upgrade Center, you can remap tenants that have already been initiated, activated, or configured with SAP Cloud Identity Services Identity Authentication.

<<<

initiated - first upgrade

activated - second upgrade

I understand from the statement that it should be possible now.

When I performed this activity (2 years back) it was not possible; however, I think SAP has since provided the functionality.

In case you are unable to find the option in the Upgrade Center, or are getting an error, I would suggest raising a ticket and checking with the product team. They will be able to fix it from the backend.

Regards

Sushil
ahmedmohammedragab
Thank you Sushil for this insightful blog.

I currently have SuccessFactors set up with IAS and Azure AD as the corporate IdP, but there are some employees who don't have email addresses in Azure AD, so they can't log in to their SF account. My question is whether there is a way to have those users log in to SuccessFactors with their login name and password without being redirected to Azure AD authentication.
sushilgupta857
Hi Ahmed,

You can use IAS as the identity provider for all the external users who don't have email IDs in your Azure AD, or whose accounts you don't want to create in Azure AD.

In this case the users and their passwords are maintained in IAS.

Now you can have 2 scenarios:

One is that you are using IAS as a proxy to Azure AD and not using the rule-based conditional authentication option (meaning in the default option you select your Azure AD directly). In this case a checkbox becomes visible to enable this; it provides a URL which can be used by all external users to log in to SuccessFactors with their login name and password managed in IAS.

You will need to maintain different URLs for SSO and external users, as it was earlier in the SuccessFactors environment. This is also called partial SSO.

The other scenario is that you have created a rule in conditional authentication to redirect users with a specific domain name to Azure AD and kept IAS as the default option. In this case all users get a prompt to enter their email ID or login name on the first screen, and then as per the rule it takes them either to Azure AD or to the password prompt (for the external-user case, where you manage their user in IAS).

This one has the advantage that no additional URL needs to be maintained, but on first login users get a prompt to enter their email.

Check this SAP Note for more details:

https://userapps.support.sap.com/sap/support/knowledge/E/2954556

Regards

Sushil K Gupta
Thank you for the explanation Sushil.

In the second scenario you said users can log in to Azure AD with their email ID or login name, but it seems to me users can log in only using their email ID. Is there an option to use the login ID as the unique identifier that the user can log in with and get mapped to SF?

Regards,

Ahmed.
sushilgupta857
Hi Ahmed,

I didn't understand your second statement, where you mention login ID, Azure AD, unique identifier and mapping to SF. Please share more details on this.

Please do note that the SNI (subject name identifier), which is used to perform the mapping in the SAML SSO scenario, and what users use to log in can be different.

What I mentioned is: in the second scenario, as per the rules configured by you, users either authenticate in Azure AD (they log in the way they log in to Azure AD; nothing changes here) or they are prompted to enter a password (users maintained in IAS).

IAS has an option to enable login aliases (check the IAS documentation); this lets users log in to IAS with a password using more than one option, like email, login ID, first name, etc. You can enable these as per your requirement.

Let me know if you have any more doubts! Happy to help!

Thanks and Regards

Sushil K Gupta