Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
sushilgupta857
Active Participant

Introduction


The configuration for integrating IAS (Identity Authentication Service) with SAP SuccessFactors is complete. To understand the steps followed for that configuration, refer to the blog posts below:

Blog 1:IAS integration with SAP SuccessFactors Application – 0

Blog 2:IAS integration with SAP SuccessFactors Application – 1

Blog 3:IAS integration with SAP SuccessFactors Application – 2 (Sync users using Identity Provisioning Serv...

Optional: To get a better understanding of the integration of IAS with the SAP SuccessFactors (SF) application, please read the blogs below:

Blog 4:Why Identity authentication is required for SAP SuccessFactors Application

Blog 5:Identity Authentication Service(IAS) Configuration approach with SAP SuccessFactors Application

 

In this blog post we will discuss activating the configuration and test the different scenarios.

 

Important


To activate the configuration, we will perform the second upgrade in the Upgrade Center of the SAP SF application.

Once you activate the configuration (Activate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration):

  • All requests are redirected to IAS by default and, depending on the configuration performed in IAS, users authenticate in IAS or in one of the corporate identity providers (in our scenario, Corporate IDP 1 - India region, or Azure AD).

  • Once the configuration is activated successfully, you can't go back.

  • I strongly recommend not performing the second upgrade if you haven't completed the prerequisites.


 

Let's get started!

Testing Scenario


We will test 3 scenarios for which we have performed the configuration:

  • Password user

  • SSO to Azure AD

  • SSO to Corporate IDP 1 - India region


Continue Implementation Steps


Perform Second upgrade in upgrade center in SAP SuccessFactors application - Activate the integration between IAS and SAP SuccessFactors


Testing is part of this upgrade; only when testing is successful will it give you the option to go ahead with the upgrade.

  • You can test only 1 scenario at a time; if it is successful, you get the option to activate the configuration.

  • You can cancel on the last screen and repeat the same steps to test all the scenarios. Make sure not to activate the configuration until all scenarios are tested; otherwise a scenario that has a problem won't work after activation and you will need to fix it after activation.


 

Testing 1: Password user scenario



  • Log in to the SAP SF application

  • Go to Upgrade Center and select Platform

  • Click on the upgrade - Activate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration

  • Click on Upgrade Now

  • Click on Test Now

  • It will redirect you to the IAS screen. This screen looks exactly like what users will see after activation is completed. Enter the username or email address of the user and click Continue

  • Enter the password and continue

  • Authentication successful

  • Click on Yes if you want to continue. You can click Cancel and test another scenario


 

Testing Scenario 2: For Azure AD users


In this scenario, mapping is enabled in IAS (the option USE IAS USER STORE is enabled), and the username and email address are different in the SAP SF application.

  • Clear browser cookies and close the browser

  • Log in to SF, perform the upgrade again and click on Test Now.

  • Enter the email address of the user (Azure AD user - test@def.com)


  • It will redirect you to the Azure AD screen. If you are already logged in to Azure AD (for example, when you are on the VPN), it will log you directly in to the SAP SF application. If you are not logged in to your Azure AD account, it will ask you for the password.


  • Authentication successful


  • Now you can activate the configuration by clicking on Yes, or cancel it to test the other scenario



 

Testing Scenario 3: For Corporate IDP - India Region users


In this scenario, mapping is not enabled in IAS, and the username and email address are the same in the SAP SF application.

  • Clear browser cookies and close the browser

  • Log in to SF, perform the upgrade again and click on Test Now.

  • Enter the email address of the user (Corporate IDP - India region user - test@def.com)


  • The user is redirected to the Corporate IDP.


  • Authentication successful


  • Now you can activate the configuration by clicking on Yes


  • Usually it doesn't take more than 1 or 2 minutes to activate the configuration.


After activating the configuration, you can run all the test scenarios again to confirm that everything is working as expected.

 

Frequent questions from Users


How to check the error in case testing fails?

You can install a Google Chrome extension called SAML tracer and then start capturing the trace while reproducing the issue. This can help you in troubleshooting.
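
As an added example (not from the original post or from SAP), the Python sketch below takes the decoded SAML response XML copied out of SAML tracer and checks the fields that usually explain a failed test: the SubjectConfirmation and Conditions time windows (IssueInstant, NotBefore, NotOnOrAfter), the Recipient and the Audience. The function names, the 2-minute clock-skew allowance and the example.test URLs are assumptions made for the illustration, and signatures are not verified.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": A}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def parse_ts(value):
    """SAML timestamps are UTC xs:dateTime; drop the Z and fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def window_problems(attrs, now, skew):
    """Compare NotBefore / NotOnOrAfter attributes with the checker's clock."""
    out = []
    if "NotBefore" in attrs and parse_ts(attrs["NotBefore"]) > now + skew:
        out.append(f"not valid before {attrs['NotBefore']}")
    if "NotOnOrAfter" in attrs and parse_ts(attrs["NotOnOrAfter"]) <= now - skew:
        out.append(f"expired at {attrs['NotOnOrAfter']}")
    return out

def check_assertion(xml_text, now, recipient, audience, skew=timedelta(minutes=2)):
    """Return findings ([] = looks fine). Signatures are NOT verified here."""
    root = ET.fromstring(xml_text)
    assertion = next(root.iter(f"{{{A}}}Assertion"), None)
    if assertion is None:
        return ["no plain Assertion found (it may be encrypted)"]
    findings = []
    issued = assertion.get("IssueInstant")
    if issued and parse_ts(issued) > now + skew:
        findings.append(f"IssueInstant {issued} is in the future: compare IdP and SP clocks")
    confirmations = assertion.findall("saml:Subject/saml:SubjectConfirmation", NS)
    rejected = []
    for sc in confirmations:
        data = sc.find("saml:SubjectConfirmationData", NS)
        attrs = data.attrib if data is not None else {}
        problems = window_problems(attrs, now, skew)
        if sc.get("Method") != BEARER:
            problems.append("Method is not bearer")
        if "NotOnOrAfter" not in attrs:
            problems.append("NotOnOrAfter missing")
        if attrs.get("Recipient") != recipient:
            problems.append(f"Recipient is {attrs.get('Recipient')!r}")
        if problems:
            rejected.append("SubjectConfirmation: " + "; ".join(problems))
    if len(rejected) == len(confirmations):  # not a single usable confirmation
        findings += rejected or ["no SubjectConfirmation present"]
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        findings += ["Conditions: " + p for p in window_problems(cond.attrib, now, skew)]
        audiences = [a.text for a in cond.iter(f"{{{A}}}Audience")]
        if audiences and audience not in audiences:
            findings.append(f"Audience {audiences} does not include {audience!r}")
    return findings

# Constructed sample, trimmed to the fields that matter (not a real trace).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion IssueInstant="2024-05-01T10:00:00Z">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T10:05:00Z"
       Recipient="https://sp.example.test/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

Pass the time at which the receiving side processed the response as `now`; a finding that appears only for that clock and not for the IdP's own clock points to a time-synchronisation problem rather than a configuration one.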


 

What will happen in case upgrade failed? Will users be able to login?

If the upgrade fails, you can fix the issue and re-trigger it within the next 30 days. Until the upgrade completes successfully, users will continue to authenticate the way they did before, without any issues.

 

In this blog post you have learnt about the steps to be performed while activating the IAS integration with SAP SF and testing !

Please let me know your thoughts about the blogs in comment section.

Thank you !

It's not over yet. Read this blog post to save a lot of time during the implementation and testing phase.

IAS integration with SAP Success Factors Application – Tips and Tricks | SAP Blogs
19 Comments
S0020730532
Explorer
0 Kudos
Hi!!!

Thanking you for your guidance, I have a question, in my case we are implementing an IdP of our own development in the company, but it has not been able to communicate with IAS. What characteristics should the IdP have so that it can be related to IAS? If you had a note (KBA) or a guide, I would appreciate it very much.

Regards

Miguel
sushilgupta857
Active Participant
Hi Miguel,

Only compatibility concern can be - Your Identity Provider should support SAML 2.0 (which IAS uses for SSO configuration).

Please find the standard note and document - which you can follow:

Central note for IAS integration with SAP Success Factors:

2791410 - Integrating SuccessFactors with SAP Cloud Identity Authentication Through the Upgrade Center

https://launchpad.support.sap.com/#/notes/2791410

Guide:

https://help.sap.com/viewer/568fdf1f14f14fd089a3cd15194d19cc/2011/en-US/fb069584363a4df08aad42315ceb...

 

Do let me know if you have any other questions !

Regards

Sushil K Gupta
bojun
Explorer
Hi Sushil Gupta

Thank you for your excellent blog!!

Always helps a lot in IAS field.

Could you please confirm if my understanding is correct?

  1. So even the url is same, these three group users will login through different Login Screen? (I understand only the first time require all user to login IAS firstly.)

  2. for the Azure authentication and Corporate IDP india authentication users, the password is not saved and managed in IAS?

  3. if yes, is the password policy different?

  4. if yes, is the email template different when a user changes their password?

  5. if yes, is the authentication identifier different too? for example, Azure user login using email but IAS user login through user name


Look forward to hearing from you.

Have a wonderful day!!

bojun
S0020730532
Explorer
0 Kudos
Hi sushilgupta857

Thanking you for your answer, I tell you that we reviewed at the technical provider level and it tells me that they now have communication, but when trying to test the following error is generated:

"None of the subject confirmations in the SAML2Assertion is valid.None of the subject confirmations in the SAML2Assertion is valid" related the issue of synchronization of hours between portal people and IAS with the values of "issue instan", "notBefore", " notOnOrAfter "

Although the values are within the ranges of the image, it still cannot be synchronized with IAS, please review and correct. The range between notBefore and notOnOrAfter may be very long. notOnOrAfter.

Do you have any idea what could be happening?

Thanking you for your help

Miguel

sushilgupta857
Active Participant
Hi Miguel,

If configurations are performed correctly and your IDP supports SAML2.0 then it should work.

Never seen this error (might be identity provider specific). Kindly raise a ticket with SAP regarding this. They may help you with this query.

You can try using SAML tracer (extension in Chrome) for better troubleshooting.

 

Regards

Sushil K Gupta
sushilgupta857
Active Participant
0 Kudos
Hi Bojun,
Please find my inputs below:

  1. So even the url is same, these three group users will login through different Login Screen? (I understand only the first time require all user to login IAS firstly.)


Users will be presented the IAS screen (with some custom changes which you can perform, like logos etc.), and once the user enters the email address (or login name) the user will be redirected to the IDPs (configured). Next time the IAS screen won't come until the user clears the browser cookies.

  2. for the Azure authentication and Corporate IDP india authentication users, the password is not saved and managed in IAS?


Yes, correct.

  3. if yes, is the password policy different?


Yep - whatever is used at IDP level.

  4. if yes, is the email template different when a user changes their password?


It will be specific to the IDP level, you can check with the identity provider - no password is managed in IAS.

  5. if yes, is the authentication identifier different too? for example, Azure user login using email but IAS user login through user name


You can enable different logins (attributes) in IAS, in tenant settings in Logon Alias (then you can enter email address or login name, as per your choice - it will work the same).

Because IAS has the email address also, all users can use their email address, even on the IAS screen, so that they need not remember the SF username (login name in IAS). Users will just know their email address; once they enter it, it will authenticate with their accounts in Azure AD.

Hope it was helpful !

Regards

Sushil K Gupta
S0020730532
Explorer
0 Kudos
Thanks Sushil
0 Kudos
Hi Sushil,

 

We have implemented IAS and IPS and in Preview instance only but due to some data challenges we are still finding our ways with the Transformations to accommodate that.

However I would like to challenge one of your statements, that the functionality cannot be rolled back once activated.

So as per my understanding, SAP provides 30 days window to roll back any upgrade done via upgrade center, after which you cannot roll it back. So that's standard process.

However with regards to IAS/ IPS, we have observed that if we remove the Token from the Provisioning --> SSO Settings then we are able to achieve the roll back or kind of Switch to Toggle between IAS and normal legacy login window.

Please share your views and correct me if I am wrong.

The whole intention is to understand we are not mistaken and not stuck once we go live in Production.

 

Thanks & Regards

Varun

 


 
sushilgupta857
Active Participant
0 Kudos
Hi Varun,

Good question.

My understanding comes from the statement from SAP Standard guide - Click here for more detail

>>

If the upgrade fails for some reason, use the Undo option in Upgrade Center, within 30 days, to rerun the upgrade after you’ve resolved the cause of the failure. If you're not sure why the upgrade failed or how to fix it, contact SAP Cloud Support.

<<

In case you are getting the option to undo it after successful integration, we should report it to SAP so that they can update their standard guide. I haven't got the option to undo the changes once I have performed the upgrade.

Also my understanding is  -

we should not do the changes manually until the upgrade fails due to some reason.

I think initially it was performed manually and a lot users have got many issues - that's why SAP has simplified the process to perform it using upgrade center. ( and no super admin privilege is required for this - like we require for SSO provisioning)

 

I do have one question -

In case after successful integration you perform changes and remove the Token from the Provisioning --> SSO Settings (I believe you have already performed the second upgrade (activation)),

then is the second upgrade visible in Upgrade Center to perform the integration again? Or will you need to manually switch it back to IAS? And after switching it back -

does it work fine in case you have configured multiple corporate IDPs in IAS? (Because I feel after integration all corporate IDPs are visible as assertion parties in SAP SF and IAS takes the decisions using conditional authentication.)

 

Reason for this question is -

  • For customers that already upgraded using only 2 IAS tenants, SAP as of this moment is not retrofitting instances to allow 1SF-1IAS integration on already migrated instances.

  • SAP Note


This can be helpful for those customers who are facing this.

Let me know your thoughts on this !

 

PS: My purpose in writing the blogs was to explore more on this topic, and I think now it's serving the purpose 🙂

Regards

Sushil K Gupta

 

 
0 Kudos
Hi Sushil,

Thanks for all your deep analysis and sharing useful information.

Actually we never experienced failure while activating the feature via Upgrade Centre and now it shows in Completed Upgrades without an Undo option.

So SAP and You were quite right that once activated you cannot roll back, but that was just about the feature.

However this all IAS thing, at least for our instance where SSO is enabled via Token based, we are able to deactivate the whole setup by just removing the Token and can re-enable once we put that same token In.

This doesn't impact any configuration we have done in IAS/IPS or the Feature Enablement in the BizX - Upgrade Centre at all, so may be the Token in Provisioning just bypass the whole IAS setup, if keyed in and when keyed out works perfectly as feature is already enabled.

 

Hope that answers and clarifies, for your other areas, I will have a look, Review and will then come back.

But Thank you so much for the clarification.

 

Cheers

Varun
ab13
Participant
0 Kudos
Hello,

Thank you for your blog, it is helpful to learn things when it is explained with visuals.

My questions are..

1) let’s say you have a going live and we’ll follow the guide. When do users actually get the email/notification on what their passwords will be?

a) those with IAS as the IdP, so after the user is created in Sf, then they get replicated or provisioned in IAS, then is there a button to press to send mass emails? what if you create an additional user in SF (maybe a few days later somebody is hired), so when will he get the password and how?

b) those with a corporate Idp such as Azure, will the emailing of the password (or setting initial password) be something done in Azure side ? how about other Idps? what’s the usual set up?

 

Thanks!
sushilgupta857
Active Participant
0 Kudos

Hi Abby,

Sorry for the late reply. Please find my inputs below:

1) let’s say you have a going live and we’ll follow the guide. When do users actually get the email/notification on what their passwords will be?

Answer:

See it depends on the configuration you want to perform - you can enable users (using IPS transformations)

  • to login with their existing passwords in SF - to use in IAS. We need to do Source system configuration for this. For new users also once users are synced they can use the same initial password to login. Do note that once user performs the first login - then password will be synced to IAS and IAS will take care of the future password reset requests.
  • You can set one unique password for all users and share it with them (again, it depends on how you want to do the config).

We usually disable the email notification for users when users are synced from SF to IAS using the transformation in Target system - IAS. ( We don't want to shock thousands of users with emails of user creation)

{
  "constant": "false",
  "targetPath": "$.sendMail",
  "scope": "createEntity"
},

Please follow this blog for more information regarding this

IAS integration with SAP SuccessFactors Application – 2 (Sync users using Identity Provisioning Serv...

 

a) those with IAS as the IdP, so after the user is created in Sf, then they get replicated or provisioned in IAS, then is there a button to press to send mass emails? what if you create an additional user in SF (maybe a few days later somebody is hired), so when will he get the password and how?

Answer:

There will be a sync job which you can configure in IAS (minimum time is 30 minutes), so that at every 30 min (or the interval of time which you chose) your users will be synced to IAS. Let's say a user is created - then after 30 minutes the user can perform the login.

Kindly give a read to this blog:

IAS integration with SAP SuccessFactors Application – 2 (Sync users using Identity Provisioning Serv...

It will answer all your concerns.

b) those with a corporate Idp such as Azure, will the emailing of the password (or setting initial password) be something done in Azure side ? how about other Idps? what’s the usual set up?

Answer:

Yep - you are on right track. If authentication is done by other IDPs - azure or someOtherIDP. Then Azure or otherIDP will take care of the process of reset password or Initial password.

 

In case you are wondering how onboarding will look like after the setup - let me try to explain with an example.

User is created by SF team in SAP SF application.

If user is an external vendor - password user - then user can perform the login after it gets synced to IAS( depends on sync job which you configure - lets say 30 minutes). SAP SF team shared the initial password with users.

If user is a SSO user - then user will authenticate in that IDP(lets say azure) -- So in this scenario - User will be created in SF application and then there will be a notification sent to Azure Team to create a user for you in Azure AD( and add it to IAS enterprise application -- azure AD team configures)  -- once all this is done. user can login.

In this scenario - Azure AD( Or IDP) team will share the password with user. If he already has account in Azure AD then he will be SSO without any issue to SAP SF application.

 

Please let me know if you have any other doubts. Happy to help!

Do let me know your thoughts on this !

former_member38119
Discoverer
0 Kudos
 

Thank you for your blogs on IAS. This has been very helpful in understanding the feature.
PrinceThomas
Explorer
0 Kudos
Hello sushil.gupta

I just want to check. Will activating IAS impact existing Deep links in the system.

Do we need to change any of the existing deep links after upgrade to IAS?

Regards,

Prince
sushilgupta857
Active Participant
Hi Prince,

It just changes the authentication mechanism and doesn't impact any other links or URLs.

Once you activate the IAS integration with SF, IAS becomes your default IDP and now all the requests hitting SF will go to IAS - and IAS will decide whether the user needs to be authenticated to the corporate IDP or in IAS.

No other changes happen with other existing APIs.

Just to be sure, check with SAP once - share the deep links with SAP and confirm before activating the configuration.

Thanks and Regards

Sushil K Gupta
PrinceThomas
Explorer
0 Kudos
Thank you Sushil,

With this I understand that the links in external documents like PDF files or help guides which are hosted elsewhere in SharePoint or e-space should also work?

Regards,

Prince Thomas
sushilgupta857
Active Participant
0 Kudos
Hi Prince,

Yes, it should work.

Regards

Sushil K Gupta
codylpatterson
Explorer
0 Kudos
We have IAS activated on our instance. One issue that we see is that a user must be authenticated for the deep link to work. If the user has not been authenticated and they attempt to go to the deep link, they are taken to the home screen after authentication. We are looking for a way to bypass this so that when the user is authenticated, they can continue on to the desired destination.
sushilgupta857
Active Participant
0 Kudos
Hi Cody,

Somehow I missed your comment. I just found it. I don't have much experience with deep links; however, please check the information below in case it helps.

We have Trust configuration between SF and IAS. Once authentication is successful, there are redirection URLs in SAML configuration in IAS which usually point to one URL which is taking us to home page. You can try updating it with desired URLs.

Open IAS - Select SF application - Click on SAML configuration - check for redirection URLs.

Let us know if this helps or you were able to resolve the issue following some other process.

Thanks and Regards

Sushil K Gupta