Technology Blogs by Members
sushilgupta857

Introduction:


In this blog post you will learn some tips that are worth knowing before you start an end-to-end integration project (IAS integration with the SuccessFactors application). Knowing this beforehand can save a lot of time, and it helps you plan your timelines more realistically.

(Not relevant for POCs performed for testing or demo purposes.)

Prerequisites:


Kindly read the blogs below first so that you are familiar with the technical terminology used in this blog (not mandatory if you already know the configuration):

Blog 1:IAS integration with SAP SuccessFactors Application – 0

Blog 2:IAS integration with SAP SuccessFactors Application – 1

Blog 3:IAS integration with SAP SuccessFactors Application – 2 (Sync users using Identity Provisioning Serv...

Blog 4:IAS integration with SAP SuccessFactors Application – 3 (Activation and Testing)

Optional: For a better understanding of the integration of IAS with the SAP SuccessFactors (SF) application, please read the blogs below:

Blog 5: Why Identity authentication is required for SAP SuccessFactors Application

Blog 6: Identity Authentication Service(IAS) Configuration approach with SAP SuccessFactors Application

Information:


SAP SuccessFactors(SF) Application:



  • Email address is not a mandatory field in the SAP SF application. It can be left empty, and multiple users can have the same email address.

  • Username is the identifier for the SAP SF application.

  • Username is unique for every user.


SAP Cloud Identity Services - Identity Authentication(IAS)


Update to this blog:

In IAS the email address can be set as required and unique. The relevant IAS user-identifier settings are:

User Identifier   Required           Unique
E-Mail            Yes/Configurable   Yes/Configurable

After SSO is configured, if you need users to be able to log in with their email address, keep the email address required and unique in IAS. The scenarios below apply only when the email address is required and unique in IAS.



    • Email address must be unique for every user.

    • User creation and password creation are two separate activities in IAS.

      • You can create active users in IAS without a password configured (they can be used for mapping, but not for login).

      • Once a password is configured, the user can authenticate in IAS.






SAP Identity Provisioning Service(IPS)



  • The user sync process is divided into two parts:

    • Read - from the SAP SF application

    • Write - to IAS




Problem Statement 1:


Mostly in the DEV or Preview environment of the SAP SF application, users create multiple accounts for themselves with the same email address (because SAP SF does not restrict this) or with a blank email address.

If the email address is set as unique and required in IAS, then when the users are synced from the SAP SF application to IAS, the first user read by IPS will be created in IAS and every other user with the same email address will fail in the user sync.

Example: users with a duplicate email address

user - sushil gupta,

username (in SF this is unique for every user):

sushil1 - email: test123@email.com

sushil2 - email: test123@email.com

sushil3 - email: test123@email.com

When IPS performs the user sync, let's say it reads sushil1 first. In this case the user sushil1 is created in IAS with the email address test123@email.com.

Now when it reads sushil2:

  • Read from the SAP SF application is successful, however

  • Write to IAS fails, because a user with the same email address (test123@email.com) already exists. The same happens for the user sushil3.


Multiple users can have this issue, and after the integration they will only be able to log in with one of those users.

Issues you will face if this is not discussed and fixed before activation:

  • We don't know which user is critical for them and which one was created just for testing purposes.

  • Users won't be able to log in with the other users that failed in the sync job.

  • The automatic full sync won't run after every 5 read jobs (as per the standard parameters set in IPS), because the IPS sync job is failing.




Solution:


Three kinds of scenarios can occur:

  • Users don't have an email address (blank email address)

  • Users have a duplicate email address

  • A dummy email address is assigned to multiple users (dummy@email.com)


How do you know how many users have the issue?

Log in to the SAP SF application, search for Export Employee Data, export all the users to Excel and use a filter on the email address field.

An IPS transformation comes to the rescue in these scenarios. Use the transformation below (it is one entry in the mapping list of the IPS target system, hence the trailing comma):
{
  "condition": "!($.email EMPTY false) || $.email == '' || $.email == ' ' || $.email == 'dummy@email.com'",
  "sourcePath": "$.username",
  "targetPath": "$.emails[0].value",
  "functions": [
    {
      "type": "concatString",
      "suffix": "@somethingRandom.com"
    }
  ]
},

Now for users with a dummy or blank email address, the IPS transformation assigns a unique email address (username + @somethingRandom.com). Make sure that @somethingRandom.com does not route to an actual email server (SAP encourages using @sap-test.de; this test domain does not route to an actual email server).

For users with a duplicate email address, ask them to either remove the email address (make it blank) or assign the dummy email address dummy@email.com, so that the transformation above replaces it.

This way all the users will be synced to IAS once the sync job runs in IPS.

Suggestion:



  • Initially take an export of the users using Export Employee Data in the SAP SF application and add the cleanup of users as a task in your activities. Keep 2-3 days for it, because we need to follow up with the users or with the SF admin who manages the user accounts to get this cleanup done.

  • You can ask them to perform the cleanup while you do your IAS integration activities in parallel.

  • In the IPS logs we can only see 10 failed entries (covering both the SF read and the IAS write). Because of this restriction, finding the information for all failed users in one run is not possible. You can fix the users in batches of 10, run the sync job, and then fix the next 10.


Problem Statement 2:


Person GUID, also called Person UUID or perPersonUuid (or Person unique user ID), is a unique ID that is generated when a user is created in the SAP SF application. In some scenarios this field is empty for users.

How can that happen?

Observation: in the SAP SF application, users can be created with the tool Import Employee Data.

In this case we maintain the details of the users in a CSV file and upload it via Import Employee Data. If the field PersonGUID is left empty in the file, the user is created without this unique number (blank).

  • How to avoid it: just remove the PersonGUID column from the CSV and the SAP SF application will generate the number automatically.


Issues which can be faced because of this:


If PersonGUID is empty for a user, or the first name or last name is empty for a user in the SAP SF application, then:

  • The user sync will fail in IPS while reading from the SAP SF application.

  • Automatic cleanup of users in IAS won't work if any user failed to be read by the IPS job (stage: Read from the SAP SF application).

    • IPS uses hashing at the backend to compare the users in SF and IAS; if a user is in IAS and not in SF (and was created by IPS as part of the user sync), it removes the user from IAS.

    • If it fails to read any user from the SAP SF application, it will not perform the cleanup or delete the users.

  • Users that are not synced won't be able to log in after IAS activation with the SAP SF application.




Solution:



  • Update the first name and last name for all users.

  • Make sure no user has an empty PersonGUID field; if it is found empty, request the SAP SF admin to fix the user.

    • How do you know which users have this field empty? Use Export Employee Data and put a filter on the field personGUID.

    • Do the same for first name and last name: if either is empty, update the user.
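Added example (my own code, not from the original post or from SAP): a pre-flight audit of the SF user export that automates the "export, then filter in Excel" checks from Problem Statement 1 (blank, dummy and duplicate email addresses) and Problem Statement 2 (empty PersonGUID, first name or last name), and then dry-runs what an IPS job would do against an IAS tenant where the email is required and unique: which users would be created, which would fail on write because of a duplicate address, which would fail on read, and whether those read failures would block the automatic cleanup. The CSV below is constructed for the example and its column names are assumptions; use the headers of your own Export Employee Data file.

```python
"""Pre-flight audit of an SF user export before an IPS sync to IAS.

Added example; not part of the original post or SAP's code. The column
names and the sample rows are assumptions made for this example.
"""
import csv
import io
from collections import defaultdict

# Constructed sample of an Export Employee Data CSV (headers are assumed).
SAMPLE_EXPORT = """USERNAME,FIRSTNAME,LASTNAME,EMAIL,PERSON_GUID
sushil1,Sushil,Gupta,test123@email.com,guid-0001
sushil2,Sushil,Gupta,test123@email.com,guid-0002
sushil3,Sushil,Gupta,test123@email.com,guid-0003
vendor1,Ann,Lee,dummy@email.com,guid-0004
vendor2,Bob,Ray,dummy@email.com,guid-0005
nomail1,Cara,Diaz,,guid-0006
noguid1,Dan,Evans,dan.evans@example.com,
noname1,,Frank,frank@example.com,guid-0008
ok1,Gina,Hall,gina.hall@example.com,guid-0009
"""

DUMMY_ADDRESSES = {"dummy@email.com"}  # placeholder addresses handed out by admins
TEST_SUFFIX = "@sap-test.de"            # non-routable domain, as recommended in the post


def parse_export(csv_text):
    """Read the export into a list of dicts with whitespace stripped."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def audit(users):
    """Flag the conditions from Problem Statements 1 and 2 that break a sync."""
    by_email = defaultdict(list)
    report = {"blank_email": [], "dummy_email": [],
              "missing_guid": [], "missing_name": []}
    for u in users:
        email = u["EMAIL"].lower()
        if not email:
            report["blank_email"].append(u["USERNAME"])
        elif email in DUMMY_ADDRESSES:
            report["dummy_email"].append(u["USERNAME"])
        else:
            by_email[email].append(u["USERNAME"])
        if not u["PERSON_GUID"]:
            report["missing_guid"].append(u["USERNAME"])
        if not u["FIRSTNAME"] or not u["LASTNAME"]:
            report["missing_name"].append(u["USERNAME"])
    # Real addresses shared by more than one username need manual cleanup:
    # the transformation only rewrites blank and dummy addresses.
    report["duplicate_email"] = {e: n for e, n in by_email.items() if len(n) > 1}
    return report


def target_email(user):
    """Mirror of the IPS transformation in the post: a blank or dummy source
    e-mail becomes <username><TEST_SUFFIX>; anything else passes through."""
    email = user["EMAIL"].strip().lower()
    if not email or email in DUMMY_ADDRESSES:
        return user["USERNAME"] + TEST_SUFFIX
    return email


def simulate_sync(users):
    """Dry run of one IPS read-then-write job against an IAS tenant where the
    e-mail is required and unique. Users are processed in export order, which
    stands in for the (unspecified) order in which IPS reads them."""
    result = {"created": [], "read_failed": [], "write_failed": []}
    emails_in_ias = set()
    for u in users:
        # Read stage: rows without a person GUID or a full name are rejected by IPS.
        if not u["PERSON_GUID"] or not u["FIRSTNAME"] or not u["LASTNAME"]:
            result["read_failed"].append(u["USERNAME"])
            continue
        # Write stage: IAS refuses a second user with the same e-mail address.
        email = target_email(u)
        if email in emails_in_ias:
            result["write_failed"].append((u["USERNAME"], email))
            continue
        emails_in_ias.add(email)
        result["created"].append((u["USERNAME"], email))
    # IPS skips deleting stale IAS users whenever a read failed, so a single
    # read failure blocks the automatic cleanup for the whole job.
    result["cleanup_allowed"] = not result["read_failed"]
    return result


if __name__ == "__main__":
    users = parse_export(SAMPLE_EXPORT)
    for key, value in audit(users).items():
        print(f"{key}: {value}")
    for key, value in simulate_sync(users).items():
        print(f"{key}: {value}")
```

Run it against your real export before the first sync: the duplicate_email list is what you hand to the SF admin for cleanup, the missing_guid and missing_name lists are what blocks both the sync and the cleanup, and the dry run tells you how many users would be left unable to log in if you activated as-is.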




Suggestion:



  • Filter the users by the above criteria and make a plan to fix them; have discussions with the SAP SF admins.

  • Keep this as a part of the initial discussions (pre-implementation or implementation phase). If the users are already fixed in the SAP SF application, we don't need to take the pain of correcting the users during testing, when we check whether all the functionality is working as expected.

  • Plan your timeline accordingly.


Problem Statement 3:


Confusion over Partial SSO: for SAP SF instances where partial SSO is configured for external vendors, this is the approach followed during user creation:

  • There is a field loginMethod which is configured per user.

    • It is set to SSO for SSO users, who use the same SF URL.

    • It is set to PWD for PWD users, who use a different URL.

  • loginMethod can be updated in the GUI (if this field is enabled), or Employee Import can be used for a mass user update.


Notes followed by users to configure it

2088837 - [SSO] Partial Organization Single Sign-On - BizX Platform | SAP Knowledge Base Article

2320766 - [SSO] Partial Organization Single Single-On: Data model configuration, tips & tricks from ...

Confusion - Questions?

  1. What will happen to Partial SSO after IAS activation?

  2. If I set a user as a PWD user in the SAP SF application, will it be a PWD user? And similarly for SSO users?

  3. Will loginMethod be the deciding factor for configuring different authentication mechanisms for different users?


Solution:


Partial SSO in the SAP SF application is disabled after the IAS integration with the SAP SF application is successful.

  • All authentication requests go directly to IAS, and IAS becomes the decision maker. If you have followed the approach of configuring rule-based conditional authentication, you can configure multiple rules as per your requirement, for password or SSO users.

  • If you are following a different approach and using IAS as a proxy, follow the note:

    • 2954556 - How to implement Partial SSO after Identity Authentication implementation on SuccessFactor...

    • In this approach we set the default IdP to your corporate IdP for SSO, so all SSO users go to your corporate IdP for authentication.

    • For partial SSO after activation, we enable a checkbox which gives a URL. This is an IAS URL, and it works like IdP-initiated SSO:

    • you authenticate in IAS, and once authentication is successful, control is transferred to the SAP SF application.




This blog can help you decide the approach to be followed: Identity Authentication Service(IAS) Configuration approach with SAP SuccessFactors Application

Now let's answer the questions.

Clarity - Answers!

  1. Partial SSO (in the SF application) is completely ruled out; it is disabled.

  2. No. IAS decides which user is an SSO user and which is a PWD user. The SAP SF application has no control over the authentication mechanism for different users. However, we can do some configuration in IPS and IAS which gives the SAP SF application some liberty to make that decision.

  3. loginMethod is just a field in the SAP SF application and, on its own, is of no use after IAS activation with the SAP SF application (partial SSO is disabled, and this field was mainly used by partial SSO to let PWD users log in with credentials).

    • It doesn't matter whether you set it to SSO or PWD; whatever is set for that user in IAS, it will behave that way.




As I said, there is a way to configure IPS and IAS so that SAP SF admins can still use the loginMethod field to set users as SSO or PWD users, and it will work.

How?

The information below can help you with the configuration:

Group Users Based on Login Method - SAP Help Portal

What exactly happens in this configuration:

  • We filter the users by the loginMethod field using an IPS transformation into a group (let's say the PassworD group).

  • We put this group at the top of the conditional authentication rules and set it to authenticate in IAS.

  • This way, when creating users for external vendors, SF admins set the user to PWD:

    • IPS syncs the user into the PassworD group.

    • IAS redirects all users in the PassworD group to IAS itself for authentication.




This gives you an additional option to keep control over external users.

Another option you have is to filter the users by email address (domain name) into specific groups and use rule-based conditional authentication.
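Added example (my own code, not SAP's): a small model of how IAS walks an ordered list of conditional authentication rules, first match wins, with the default identity provider as the fallback. It shows why the PassworD group rule from the steps above has to sit above any rule that could also match a vendor (the case used here is a contractor with loginMethod = PWD but a corporate mailbox), and it includes the email-domain rule just mentioned plus an IP-range condition as further examples. Rule names, group names, IdP names, addresses and the loginMethod-to-group mapping are assumptions for the example; the real group assignment is done by the IPS transformation described in the SAP Help link.

```python
"""Model of first-match evaluation of IAS conditional authentication rules.

Added example; not SAP code. Names, addresses and the loginMethod-to-group
mapping are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    identity_provider: str            # "IAS" means authenticate locally with a password
    group: Optional[str] = None       # user must be a member of this IAS group
    email_domain: Optional[str] = None
    ip_range: Optional[str] = None    # CIDR the client must come from

    def matches(self, user, client_ip):
        """All configured conditions of one rule must hold (logical AND)."""
        if self.group and self.group not in user["groups"]:
            return False
        if self.email_domain and not user["email"].lower().endswith("@" + self.email_domain):
            return False
        if self.ip_range and ipaddress.ip_address(client_ip) not in ipaddress.ip_network(self.ip_range):
            return False
        return True


def groups_for(sf_user):
    """Stand-in for the IPS step that puts loginMethod = PWD users into a group."""
    return {"PassworD"} if sf_user.get("loginMethod") == "PWD" else set()


def choose_idp(rules, default_idp, user, client_ip):
    """Walk the rules top to bottom; the first match decides, else the default IdP."""
    for rule in rules:
        if rule.matches(user, client_ip):
            return rule.identity_provider, rule.name
    return default_idp, "default"


DEFAULT_IDP = "CorpIdP"  # the post's approach: the default IdP is the corporate IdP

RULES_OK = [
    Rule("PWD group authenticates in IAS", "IAS", group="PassworD"),
    Rule("admins only from the jump host, with IAS password", "IAS",
         group="Admins", ip_range="203.0.113.0/24"),
    Rule("corporate mailboxes use CorpIdP", "CorpIdP", email_domain="corp.example"),
]
# Same rules, but the e-mail domain rule is now above the PassworD rule.
RULES_WRONG = [RULES_OK[2], RULES_OK[0], RULES_OK[1]]


def ias_user(sf_user, extra_groups=()):
    """Build the IAS-side view of an SF user: e-mail plus the synced groups."""
    return {"email": sf_user["email"], "groups": groups_for(sf_user) | set(extra_groups)}


# Constructed SF users for the example.
VENDOR = ias_user({"email": "v.one@partner.example", "loginMethod": "PWD"})
CONTRACTOR = ias_user({"email": "c.two@corp.example", "loginMethod": "PWD"})
EMPLOYEE = ias_user({"email": "alice@corp.example", "loginMethod": "SSO"})
ADMIN = ias_user({"email": "root@corp.example", "loginMethod": "SSO"}, extra_groups=["Admins"])


if __name__ == "__main__":
    for label, user in [("vendor", VENDOR), ("contractor", CONTRACTOR), ("employee", EMPLOYEE)]:
        print(label, "correct order:", choose_idp(RULES_OK, DEFAULT_IDP, user, "198.51.100.7"),
              "wrong order:", choose_idp(RULES_WRONG, DEFAULT_IDP, user, "198.51.100.7"))
    print("admin from jump host:", choose_idp(RULES_OK, DEFAULT_IDP, ADMIN, "203.0.113.10"))
```

The contractor is the case to watch: with the PassworD rule on top they get an IAS password login as the SF admin intended; with the email-domain rule on top they are sent to the corporate IdP, where they have no account. Whatever rule set you end up with, walk your vendor, employee and admin test users through it the same way before activation.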

Please have a look at the SAP standard note; it can be really helpful:

How to use loginMethod for users to login to SAP SuccessFactors with SSO and PWD once the Upgrade ru...

Suggestion:



  • Keep this as a discussion point: which approach does the team want to follow?

  • Remember, IAS and IPS are just the tools; it is you who decides how the configuration will look at the end of the day. So discuss with the teams and decide accordingly.


Problem Statement 4:


Concerns related to SuccessFactors mobile application access.

  1. In a fresh implementation project (where SuccessFactors was just purchased and implementation has started):

    • How do you implement SSO for the SAP SF mobile application?

  2. In an already existing environment:

    • What will be the login process for new users after IAS activation with the SAP SF application?

    • How will existing users log in to the SAP SuccessFactors mobile application?




Solution:


The SAP SF mobile application has two options to log in:

  • Scanning a QR code, which you get from your online SAP SF portal (after logging in successfully with your credentials there).

  • Entering the company ID, which takes you to the SF page (if IAS is not configured); enter your credentials and log in.

Now, after the IAS implementation with the SAP SF application:

  • Scanning the QR code works the same way as before.

    • Just log in to your SAP SF web portal using credentials (or, if SSO is configured for a corporate IdP, authenticate there).

    • Go to the scan QR code option and scan it.

    • And voila, you are logged into the SAP SF mobile application.

  • The other way: enter the company ID. This usually opens the SF screen in a browser, but because IAS is activated it prompts you with the IAS screen. Enter the email address and authenticate (either on the IAS screen or in the corporate IdP), and once authentication is successful it logs you into the application.


Now lets answer the concerns

  1. In a fresh implementation project

    • Ask users to follow the same steps shared above (using the QR code or authenticating with the corporate IdP), and they will be logged into the application.

  2. In an already existing environment

    • New users can follow the same steps shared above (using the QR code or authenticating with the corporate IdP) to log in to the SAP SF application.

    • The same goes for existing users.

There is no separate configuration from the mobile application perspective.

IAS activation with the SAP SF application just provides an additional authentication mechanism for logging in to the mobile app (in case corporate IdPs are configured in IAS for the SAP SF application): users can now authenticate with their corporate IdP on the mobile phone and log in to the SAP SF application.

Few other tips:


This will make your life a little easier when you go for testing:

  • Use SAML-tracer in the browser to capture the trace, to understand how the authentication flow is happening and to troubleshoot in case of issues.

  • Whenever you are performing testing (and you are already logged into IAS), make sure you test in another browser, or log out from IAS before testing, or use incognito mode; otherwise the existing IAS session is reused and you never see the authentication step you are trying to test.

  • Enable SAML-tracer in incognito mode (I didn't know this earlier; it lets you get SAML traces in incognito mode as well).

  • Check the authentication logs in IAS in case you are facing issues while testing.

  • Make sure users are properly created in your corporate IdP with the correct email address or identifier maintained.

  • If authentication fails on reaching the SAP SF application (after it passes IAS), it is possible your user doesn't have a login authorization. Sometimes users are not created properly in the SAP SF application (without the proper authorizations) and the login fails because of this.

  • In rare cases, usually in SF production, SF admins enable IP whitelisting so that only users from specific IP addresses can log in with credentials. If specific IPs are not whitelisted, users can't log in to the system. So before activating IAS with the SAP SF application, we should ask them to remove this restriction and then perform the activation. If required, after activation we can create rules with specific IP ranges in conditional authentication in IAS.
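Added example (my own code, not part of the original post or of the SAML-tracer extension): the two decodings a SAML tracer does for you, so you can also read a trace captured from the browser's developer tools or a proxy. An AuthnRequest sent with the HTTP-Redirect binding is raw-DEFLATE compressed and base64 encoded in the SAMLRequest parameter; a message sent with the HTTP-POST binding is only base64 encoded. The summary pulls out the fields you compare first when a login fails after IAS has accepted the user: Issuer, Destination, the ACS URL, the status, the NameID (which has to match the SF username) and the Audience (which has to match the SP entity ID). The AuthnRequest and Response below are constructed for the example with invented URLs and no signature; the code reads a message and does not validate signatures, which is the SP's job, not a trace reader's.

```python
"""Decode and summarise SAML messages the way a browser SAML tracer shows them.
Added example; not part of the original post. Messages and URLs are constructed."""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DS_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"

# Constructed, unsigned AuthnRequest (SP = SuccessFactors, IdP = IAS) and Response.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" Destination="https://ias.example/saml2/idp/sso" '
    'AssertionConsumerServiceURL="https://hcm.example/saml2/sp/acs">'
    "<saml:Issuer>https://hcm.example/sp</saml:Issuer></samlp:AuthnRequest>")
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:01Z" InResponseTo="_req1" '
    'Destination="https://hcm.example/saml2/sp/acs">'
    "<saml:Issuer>https://ias.example</saml:Issuer><samlp:Status>"
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z">'
    "<saml:Issuer>https://ias.example</saml:Issuer>"
    "<saml:Subject><saml:NameID>sushil1</saml:NameID></saml:Subject>"
    "<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://hcm.example/sp"
    "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
    '<saml:AttributeStatement><saml:Attribute Name="mail"><saml:AttributeValue>'
    "test123@email.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>"
    "</saml:Assertion></samlp:Response>")


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect(param):
    """Inverse of encode_redirect; this is what a SAMLRequest query parameter holds."""
    return zlib.decompress(base64.b64decode(param), -15).decode()


def encode_post(xml_text):
    """HTTP-POST binding: plain base64 in the SAMLRequest/SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()


def decode_post(param):
    return base64.b64decode(param).decode()


def summarize(xml_text):
    """Extract the fields you compare first when a SAML login fails."""
    root = ET.fromstring(xml_text)
    info = {"type": root.tag.split("}")[1],
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "destination": root.get("Destination"),
            "signed": root.find(".//" + DS_SIGNATURE) is not None}
    if info["type"] == "AuthnRequest":
        info["acs_url"] = root.get("AssertionConsumerServiceURL")
    elif info["type"] == "Response":
        status = root.find("samlp:Status/samlp:StatusCode", NS)
        info["status"] = status.get("Value").rsplit(":", 1)[1] if status is not None else None
        info["in_response_to"] = root.get("InResponseTo")
        assertion = root.find("saml:Assertion", NS)
        if assertion is not None:
            info["name_id"] = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
            info["audience"] = assertion.findtext(
                "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
            info["attributes"] = {
                a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return info


def check_response(info, sp_entity_id, acs_url, sf_username):
    """Return the mismatches that explain a login SF rejects after IAS succeeded."""
    problems = []
    if info.get("status") != "Success":
        problems.append(f"status is {info.get('status')}")
    if info.get("destination") != acs_url:
        problems.append("Destination does not match the SP ACS URL")
    if info.get("audience") != sp_entity_id:
        problems.append("Audience does not match the SP entity ID")
    if info.get("name_id") != sf_username:
        problems.append("NameID does not match the SF username")
    return problems


if __name__ == "__main__":
    print(summarize(decode_redirect(encode_redirect(SAMPLE_AUTHN_REQUEST))))
    resp = summarize(decode_post(encode_post(SAMPLE_RESPONSE)))
    print(resp)
    print(check_response(resp, "https://hcm.example/sp", "https://hcm.example/saml2/sp/acs", "sushil1"))
```

To use it on a real trace, paste the SAMLRequest value from the redirect URL into decode_redirect, or the SAMLResponse form field into decode_post, and feed the result to summarize; a NameID that carries the email address while SF expects the username is the mismatch behind most "works in IAS, fails in SF" reports.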


In this blog post you have learned about the challenges we face during an E2E implementation, and about the solutions and approaches that can be followed to tackle them.

Happy Learning!

I see amazing updates from SAP on the standard guide and standard notes related to this configuration. Just want to say good job, SAP, and thanks for having a really amazing support team for this integration. Keep up the good work!

ALWAYS READ THE SAP STANDARD GUIDE (online version, they keep updating it) AND THE SAP STANDARD NOTES BEFORE STARTING THE IMPLEMENTATION