Introduction
In this blog post I share my experience of configuring SuccessFactors SSO by integrating SAP Cloud Platform Identity Authentication (IAS), SAP Cloud Platform Identity Provisioning Service (IPS) and an Azure AD account.
This upgrade disables partial SSO: your PWD users will need to log in through a different URL, and an IAS feature needs to be enabled.
1.4 In Optional Upgrades, search for "Initiate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration" and click Learn More & Upgrade Now.
Note: If you don't find it in Optional Upgrades, check "View Recently Completed Upgrades". If you have triggered a system refresh (example: System1->System2), perform the changes described in note 2954491 - IAS Integration Upgrade post refreshes issue.
1.5 Click on Upgrade Now
1.7 Enter your S-User & Password and click the Validate button
1.8 Maintain the SAP Cloud Platform Identity Authentication (IAS) tenant URL and click the Submit button
1.9 The upgrade process can take over 2 hours to complete.
1.10 We can check the upgrade status in Admin Center -> Upgrade Center -> Completed Upgrades
Note: You will receive an email with your IPS information once the upgrade has completed. If you already have an IPS tenant, you can check its Source and Target systems: the upgrade is complete once a new Source and Target have been created for your SF and IAS tenants.
Step 2: Azure Active Directory integration with SAP Cloud Platform Identity Authentication
2.1 There is a detailed step-by-step tutorial from Microsoft regarding how to create Azure AD
2.4 SAML 2.0 configuration – Upload the metadata XML file
2.5 Identity Provider Type – Set it to “Microsoft ADFS/Azure AD”
Note: If you want to add additional accounts, you can follow Step 2 again. Example: TEST@com and TEST.in
Step 3: Conditional Authentication Configuration
A tenant administrator can control access to an application by defining different rules for the authenticating identity provider. Based on these rules, users are authenticated either via a corporate identity provider or via SAP Cloud Platform Identity Authentication.
When you upgrade to Identity Authentication, the flag for partial SSO is disabled by default. You can use partial SSO by sending users in your system through the Identity Authentication Service.
Option 1: E-Mail Domain
3.1.1 Log on to your Identity Authentication console as an Identity Authentication Admin.
3.1.2 Select Applications & Resources -> Applications -> Choose your SAP SuccessFactors application -> Conditional Authentication
3.1.3 Click on "Add Rule"
Select the Identity Provider and update the Email Domain
Note: If you want to add additional rules, you can follow Step 3.1 again. Example: .com and .in
3.1.4 Default Authenticating Identity Provider
To use Authentication rules you need to select "SAP Cloud Platform Identity Authentication".
Option 2: User Group
If we want to avoid the e-mail dependency, we can use the User Group option.
3.2.1 Log on to your Identity Authentication console as an Identity Authentication Admin.
3.2.2 We need to create the user groups manually in IAS. Select Users & Authorizations -> User Groups -> Add
3.2.6 Click on "Add Rule"
Select the Identity Provider and update the User groups detail. Example: TEST
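
The routing that Options 1 and 2 configure can be modelled in a few lines to see which users still log on with a password at the default identity provider. This is an added example, not SAP's code or part of the original post; it assumes rules are checked in list order with the first match winning and exact domain comparison, and the rule, user and domain values are constructed.

```python
# Simplified model of Conditional Authentication routing (added example).
# Assumptions, not taken from IAS itself: rules are checked in list order,
# the first match wins, and e-mail domains are compared exactly.
from dataclasses import dataclass
from typing import Optional

DEFAULT_IDP = "SAP Cloud Platform Identity Authentication"  # step 3.1.4

@dataclass(frozen=True)
class Rule:
    idp: str
    email_domain: Optional[str] = None   # Option 1: E-Mail Domain
    user_group: Optional[str] = None     # Option 2: User Group

    def matches(self, email: str, groups: set) -> bool:
        if self.email_domain is not None:
            # Exact, case-insensitive match on the part after the last "@".
            _, sep, domain = email.rpartition("@")
            if not sep or domain.lower() != self.email_domain.lower():
                return False
        if self.user_group is not None and self.user_group not in groups:
            return False
        # A rule with no condition at all never matches in this model.
        return self.email_domain is not None or self.user_group is not None

def authenticating_idp(email, groups, rules, default=DEFAULT_IDP):
    """Return the identity provider that would authenticate this user."""
    for rule in rules:
        if rule.matches(email, set(groups)):
            return rule.idp
    return default

def password_login_users(users, rules):
    """Users not covered by any rule, i.e. who log on at the default IdP."""
    return [u["email"] for u in users
            if authenticating_idp(u["email"], u["groups"], rules) == DEFAULT_IDP]

# Constructed sample data; IdP name, groups and domains are placeholders.
RULES = [
    Rule(idp="Azure AD", email_domain="example.com"),
    Rule(idp="Azure AD", email_domain="example.org"),
    Rule(idp="Azure AD", user_group="TEST"),
]
USERS = [
    {"email": "alice@Example.com", "groups": []},
    {"email": "bob@partner.example", "groups": ["TEST"]},
    {"email": "carol@example.com.partner.example", "groups": []},
    {"email": "dave", "groups": []},
]
```

Running `password_login_users(USERS, RULES)` against an export of your own users lists the accounts that no rule sends to the corporate identity provider.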
Step 4: Setting Up an SAP SuccessFactors API user (IPSADMIN) for Sync Jobs
In IPS, SuccessFactors is set as a source system, and Identity Authentication Service (IAS) is set as target system.
The API user created during the upgrade process is called IPSADMIN.
4.1 Log on to your SAP SuccessFactors system as SF Admin.
4.2 Go to the Admin Center.
4.3 Select Company Settings -> Password & Login Policy Settings.
4.4 Select API Login Exceptions.
4.5 Select Add
4.6 Enter the Username IPSADMIN, unless you've created another username.
4.7 Set Maximum Password Age in days to -1 (the password for this user should NOT expire).
4.8 Refer to note 2791410 (IP address restrictions).
5.4.2 First Logon Behavior: Choose whether a user whose password does not meet the password policy requirements of the application must reset or change it after the first successful logon.
5.4.3 Authentication Configurations: Update the Authentication URL (we can copy the API URL from the source system URL details in IPS), the Technical User (IPSADMIN@COMPANYID) and the password.
5.5 Save your configuration.
5.6 Choose Test Connection to test the source system configuration.
Step 6: User sync between SAP SuccessFactors and Identity Authentication
6.1 Login to your IPS instance
6.2 Click Source Systems tile
6.3 Select the "SuccessFactors - CompanyID - source" system and click Properties
6.3.1 In IPS, update the sf.user.filter field; it filters which users IPS reads from SuccessFactors
6.3.2 To sync users of every status, we can use the value " status in 'active','inactive','active_external','inactive_external','active_external_suite','inactive_external_suite' "
6.5 Check the job logs
6.5.1 Once the job has completed with status success, we can check IAS User Management for the additional users.
6.6 To schedule the sync job, follow the steps below
6.6.1 Click Source Systems tile -> Jobs -> Schedule
6.6.2 Enter the period that the sync will run (in minutes between executions)
Step 7: Enable SAP SuccessFactors to SAP Cloud Platform IAS Integration
7.1 Go to Admin Center
7.2 Access Upgrade Center
7.3 Find the upgrade "Activate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration"
7.4 Click Learn More & Upgrade Now
7.5 Click Upgrade Now
7.6 Click on "Test Now"
7.7 Enter the SuccessFactors username and password at the IAS URL you are redirected to.
7.8 Once authentication succeeds, go back to the Upgrade Center
7.9 Downtime is recommended before you click on Yes
7.10 Click OK