Skip to Content
Technical Articles
Author's profile photo Sushil Gupta

Why Identity authentication is required for SAP SuccessFactors Application

Introduction:

In this blog post we will discuss scenarios where IAS is required for SAP SuccessFactors Application.

 

Major question:

SAP SuccessFactors itself supports Single Sign on (SSO) – Partners can enable SSO in provisioning and add assertion party in Manage SAML SSO setting. Then why we need IAS(Identity Authentication Service) – Isn’t it an additional work which we do bringing IAS in between?

Answer: Identity Authentication Service(IAS) provides a lot of flexibility and it can be used to remove the restriction of SAP SuccessFactors application

  • Restriction on Unique identifier: SAP SuccessFactors accepts two values to identify the user logging in using SAML2. The most common is NameID. It also support the UserName attribute. Whichever method is used, the value is compared with the UserName in the SAP SuccessFactors application.
  • In SAP SuccessFactors – Users can authenticate to only one corporate Identity providers.
  • In SAP SuccessFactors, once SSO is enabled – all users will be redirected to corporate IDP directly and Users who want to authenticate using User-ID and Password need to access using different URL

With IAS into picture

  • IAS can be used to perform the mapping between different identifiers supported by multiple applications and removes this restriction.
  • In IAS you can configure conditional authentication and as per different email addresses, groups, IP ranges – users can be segregated and authenticated into different Corporate Identity Providers. So Different users can authenticate to different corporate IDPs accessing one single SAP SuccessFactors environment. This is not possible without IAS.
  • We can configure 1 URL for all types of users – by using IAS(No need to maintain another URL)
  • IAS is pre-requisite for People analytics upgrade, note: 2945740 – People Analytics Upgrade fails with error pointing that IAS is not configured on your instance ( Checklist to confirm if IAS is correctly enabled)
  • I think in future all SAP SuccessFactors instances will be integrated with IAS to provide one platform to manage authentication(Same IAS can be used by other applications for authentication purpose – so one unified platform for all the Cloud applications)

Now lets discuss the scenarios which can be implemented without IAS – following Restrictions of SAP SuccessFactors.

1 SF application can connect to only one corporate Identity provider(lets take azure AD as an example)

For Corporate Employees – Implement Single Sign On (SSO) in SAP SuccessFactors – Following Unique identifier restriction there can be 2 approaches

Approach 1: Maintain a field in Azure AD which contains username(of SAP SF) and use it as unique identifier.

Approach 2: Suppose Azure AD team says that they will use email address as unique identifier and won’t maintain additional field and as SAP SuccessFactors application only support username as unique identifier. We can follow approach of maintaining email addresses in Username field in SuccessFactors. – So for all users created in SAP SuccessFactors – Username field will contain the email addresses.

For external vendors – Configure Partial SSO so that users can login with userID and password using a different URL after SSO is enabled – note 2088837 – [SSO] Partial Organization Single Sign-On – BizX Platform

 

IAS can be used to support the similar scenarios:

Select Corporate IDP (Azure AD) in Conditional authentication – in default identity provider – and all requests will be directed to Corporate IDP

For Corporate Employees:

Approach 1: Maintain a field in Azure AD with name username and use it as unique identifier.

Approach 2: Suppose Azure AD team says that they will use email address as unique identifier and won’t maintain additional field and as SAP SuccessFactors application only support username as unique identifier. We can follow approach of maintaining email addresses in Username field in SAP SuccessFactors. – So for all users created in SAP SuccessFactors – Username field will contain the email addresses.

For External Vendors:

With the migration to IAS, the Partial SSO is disabled and cannot be enabled with IAS.

Reason is that later features integrated with SAP SuccessFactors core using IAS will not work if a user log via PWD login Method. Follow the steps to enable partial SSO after IAS implementation.

Pre-requisite for this:

After this is configured, users will authenticate in IAS (acts as identity provider) and user details are required in IAS. User sync is mandatory to use this feature of partial SSO after IAS implementation)

2954556 – How to implement Partial SSO after IAS implementation on SAP SuccessFactors

 

However if we want to remove all the restrictions and use all IAS functionalities with SAP SuccessFactors

– like different unique identifier, Multiple corporate IDP(configure rules in conditional authentication), use 2 factor authentication in IAS – we need to sync the users from SAP SuccessFactors application to IAS.

SAP says:

User sync is critical when using the following services and features:

  • Conditional Authentication: To set up with rules that authenticate based on email, user type, or group.
  • Enablement of Partial SSO: If you intend to user partial sso, your users should exist in SAP Cloud Platform Identity Authentication service.
  • Two-factor Authentication: Your users need to exist in SAP Cloud Platform Identity Authentication service so that you can take advantage of two-factor security features.
  • People Analytics, Internal Career Site, and other SAP SuccessFactors product areas: User identifiers can change between product areas and the SAP Cloud Platform Identity Authentication Service can only map these identifiers correctly when your users are in SAP Cloud Platform Identity Authentication service.
  • Global Assignment & concurrent employment: when users log on from different sources, SAP Cloud Platform Identity Authentication service needs to convert their identifiers so that SAP Cloud Platform Identity Authentication service understands them. That only happens when user sync has been done and the users are loaded into SAP Cloud Platform Identity Authentication service.

 

SAP provides IPS( Identity provisioning service) to automate the User sync from SAP SuccessFactors to IAS.

Last but not least:

Some SAP cloud products provide the Identity Authentication and Identity Provisioning services bundled in them (free of charge) — Example SAP SuccessFactors

Obtain a Bundle Tenant

If you not aware about the IAS and IPS details – You can reach out SAP or raise an incident to component: BC-IAM-IDS

 

I am briefing the above scenarios discussed in a flow chart shared below:

 

In this blog post, we have learned about current SAP SuccessFactors SSO scenarios and how IAS can remove all the restriction and revolutionize the process. Please let me know if there are any questions in comments. Will be happy to answer !

Assigned Tags

      12 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Antonio Ferreira Vicente
      Antonio Ferreira Vicente

      Thank you for your Blog!

      Author's profile photo Mark Mark
      Mark Mark

      Hi and thanks for the good post,

      one question that I do not understand.

      If we have the condition:

      • All users with email *@company.com go to corporate IDP and
      • All others go to IAS for Authentification

      Do we really have to sync the users with *@conpany.com to the IAS? I have experience with S4Hana Cloud Essentials and there is no needto store the users. Just do not activate "Allow Identity Authentication users only"

      So when we have the list:

      • Conditional Authentication - No need to have IAS Users for Corporate IDP in my opinion
      • Enablement of Partial SSO - Non Corporate IDP user should be in IAS, yes
      • Two-factor Authentication: For non Corporate IDP, yes... If your Corporate IDP already have 2FA, no need for the user to be in IAS userstore
      • People Analytics, Internal Career Site, and other SAP SuccessFactors product areas: User identifiers can change between product areas and the SAP Cloud Platform Identity - Can we have a complete list here?
      • Global Assignment & concurrent employment. Can you give an example here?

       

      Best regards

      Mark

      Author's profile photo Sushil Gupta
      Sushil Gupta
      Blog Post Author

      Hi Mark,

      Good question ! Please find my reply below

      >>

      If we have the condition:

      • All users with email *@company.com go to corporate IDP and
      • All others go to IAS for Authentification

      Do we really have to sync the users with *@conpany.com to the IAS? I have experience with S4Hana Cloud Essentials and there is no needto store the users. Just do not activate "Allow Identity Authentication users only"

      <<

      In case we don't sync the users -  then you can't use rule based conditional authentication. This means that in conditional authentication - you will select your IDP as default identity provider(not IAS) - which disables the rule creations in conditional authentication

      What does it mean - IAS is blind folded - having a board in its hand saying whatever requests comes - please go to IDP. (sorry for the bad example but it might help !)

      now - all users (in your application) - will be going to IDP for authentication.

      In case you want some external users to login to system using ID-password, then you enable an option in IAS and use a different URL for password users( partial SSO - in technical terms that is something called as identity provider initiated single sign on - In success factors case i have seen)

      (restrictions of identifier(SAML2.0 terminology) , 1 corporate IDP. Similar scenario was there for SuccessFactors without IAS - why would you want IAS?)

       

      Now lets discuss 2 conditions mentioned by you above -

      what i understand is you want to use email address in rules in conditional based authentication for *@company.com and select default IDP as IAS(please let me know if my understanding is wrong).

      SAP says user sync is mandatory for:

      • Conditional Authentication: To set up with rules that authenticate based on email, user type, or group

      and logically - without users in IAS - how would IAS know that for users with this email address should go to some configured IDP.

      technically - if you select IDP as default - rules are disabled automatically.

       

      What is the main purpose of this option -

      "Allow Identity Authentication users only"

      it actually allows mapping between identifiers so that you can rise above the restrictions which different applications have.( this actually happens in authentication flow when authentication is successful in IDP and request comes back to application - if this option is disabled and if they have different identifier - if will fail)

       

      If you disable it - it means your SAML identifier is same on both the sides(App and IDP). Its based on requirement and also applications and IDPs

       

      I have written another blog - which answers this question also. Kindly give a read and let me know your thoughts on this !

      Identity Authentication Service(IAS) Configuration approach with SAP SuccessFactors Application

      Also please find more details about your other inputs on the below link - from SAP Standard guide:

      SAP Guide

      Syncing can be automated using IPS - with minimal manual intervention required when its setup.

       

      PS:I have shared my observations - with respect to IAS implementation i have performed for SAP Success factors application.

      Regards

      Sushil K Gupta

      Author's profile photo Mark Mark
      Mark Mark

      Great 🙂 Thanks for your answer. That helped a lot to clarify things.

      Author's profile photo S-Project Tech team
      S-Project Tech team

      Hi,

       

      Just adding a little info here: Considering if we go without the IAS option, In case of several UPNS for different sub domains under the  same parent  active directory , you can just use one such UPN belonging to any sub domain to connect to the IDP. i.e. users from different domain belonging to the same organization can still connect to one single IDP using one single UPN created in any of the subdomains.

       

       

      Also please help me understand the statement :"So Different users can authenticate to different corporate IDPs accessing one single SAP SuccessFactors environment."

       

      Will you be able to give a more real time example?

       

      I am unable to fathom this point : why would a company have multiple corporate Ids?  For example: if anybody is using Okta , why would I grant another IDP to few of the other users ?

       

      Instead if I have users from japan and china member firms , I can just use one single sub domain User principal name  to let both the china and japan member firms  connect to the same success factors application. 

       

       

      Would love to know your thoughts

       

      Author's profile photo Sushil Gupta
      Sushil Gupta
      Blog Post Author

      Hi,

      Sure, It should actually be how you have explained. If you check my blogs (this blog is a part of series of blogs to explain the integration concepts) i have taken this into consideration (examples of users from different domains authenticating into 1 corporate IDP)

      And if at the end there is only one corporate IDP - Scenarios can be implemented even without IAS (but that's also a matter of discussion  - if you are planning to manage the identifier restriction - like explained above in blog).

       

      However consider a scenario where a firm is using regional Active directories for multiple regions for user registrations and not a centralized one(Octa or Azure AD).

      example - there is a firm which has offices in A, B , C.

      Office in A uses a regional AD(some local corporate IDP - and they are registering users from a very long time and still not ready to switch to Octa or Azure AD or any global IDP).

      Office B - Uses Octa (lets say)

      Office C - also uses some regional AD.

      Now Users want to login to SAP Success Factors application - by authenticating into their regional ADs ( and lets say they are in office network - they need not to enter any UserID -password and just login into SAP SF application - basically Single sign on)

      How we will achieve it? Obviously for a long run - they can switch to a global IDP ( and sync all their users to one) - but that's another activity which may take a lot of time and they might don't want to switch as of now. - Also it might be a big change for them because they need to update their whole registration process of new users. (and they won't do it for SSO to one application)

       

      In SAP SF application - you can configure only 1 Corporate IDP.

      however in IAS you can configure multiple corporate IDPs(which is by the way one time activity) - once its setup - it can be used by many applications in IAS(like SAP SF and many more).

       

      Now configure as many IDPs you want and delegate the authentication to their regional ADs. and in future lets say office D, E, F, ... (which also has regional ADs) also wants to use SAP SF application  -- can also be integrated - by just setting up their corporate IDP in IAS and configuration conditional authentication.

       

      Also kindly have a look at the blog post mentioned below to get a clear picture about this.

      blog –IAS integration with SAP SuccessFactors Application – 1

       

      It purely depends on the requirement. I believe application when they were built initially, had some restrictions (hard coded entries) now bringing IAS into picture we can open endless possibilities for the application - which was not possible earlier.

      Scenario explained above can't be implemented without IAS. Let me know your thoughts on this and in case there are any questions!

       

      Regards

      Sushil K Gupta

      Author's profile photo S-Project Tech team
      S-Project Tech team

      Hi,

       

      Generally, majority of the large scale multi dynamic organizations have global AD  implemented  , very few  organizations have different corporate id footprints which is rare.

      But I do understand and get the point now of leveraging IAS for the scenario based requirements as you have explained above.   Thank you

       

      Regards

      Author's profile photo Sushil Gupta
      Sushil Gupta
      Blog Post Author

      Hi,

      Just to add , I have delivered the solution to some large scale multi dynamic organizations with this kind of requirements( having local corporate IDPs as per the regions).

      And in case they switch to global IDP in future - (which was used for some regions.) this switch will not be that complex process - for existing applications using SSO(in case they are using IAS).

       

      Regards

      Sushil K Gupta

      Author's profile photo Prasenjit Sarkar
      Prasenjit Sarkar

      Hello,

      Thanks for your blog, it's really helpful.

      Question from my client - Why do you need to sync all SF users into IAS via IPS? Can IAS work as proxy without user list synced? I can find some documentation about SAC needing users in IAS as a pre-requisite but nothing about SF.

      Any thoughts?

      Regards

      Prasenjit.

      Author's profile photo Sushil Gupta
      Sushil Gupta
      Blog Post Author

      Hi Prasenjit,

      This is usually a question from many clients.

      It depends on the requirement.

      Answer to the question is Yes, Its possible however with restrictions. In this blog i have explained what scenarios are possible without user sync. (It will be mostly same how SSO was working without IAS. - then the question is why IAS is required). If you are not syncing the users - IAS is just something in between SAP SF application and Corporate IDP.

      ( think it of as - IAS is blind folded holding a board - send all request to Corporate IDP and send the response as it is to SAP SF application from corporate IDP)

      To use most of the functionalities of IAS - User sync is mandatory. You can also have a look on this blog to understand configuration approaches - ( SAP also recommends to perform the user sync as a pre-requisites for IAS integration with SAP SF application) - remove different identifier restriction, use multiple corporate IDPs, 2 FA etc.

      Identity Authentication Service(IAS) Configuration approach with SAP SuccessFactors Application

      Also - mostly this question comes because - people are concerned about the user details getting synced to another application - because in preview / Production environment -- User have personal details and they don't want to sync the users due to security concern.

      So to answer this concern -

      Only few fields are synced to IAS - so that IAS can perform mapping

      userid, username, status, email, firstname , lastname, lastmodifiedDateTime

      No personal details are synced to IAS - and once details are synced , we can use all the functionalities of IAS.

       

      To get a better understanding - please go through the series of blogs - you can start with:

      IAS integration with SAP SuccessFactors Application – 1

      Please let me know if there are any other questions.

      Happy to help 🙂

      Regards

      Sushil K Gupta

       

      Author's profile photo Matheus Andrade
      Matheus Andrade

      Hi, Sushil

       

      First of all, congratulations for your nice blog.

      As you answered yes, How do I only use IAS as a proxy without syncing the users?

      We are using AZURE for authentication. (I didn't see you explaining this scenario without syncing the users and using AZURE)

      Author's profile photo Sushil Gupta
      Sushil Gupta
      Blog Post Author

      Hi Matheus,

      Thank you for your comment !

      For this particular integration, SAP suggest to Sync the users from SF to IAS. This can be helpful for Rule based conditional authentication, Risk based authentication , and Mapping of identifiers of multiple applications.

      Now if these are not required, and we just want to perform the authentication - in Corporate Identity provider (like Azure AD) - similar to how it was working earlier without IAS. In this specific scenario - you can perform the authentication without use of IAS user store.

      In this specific blog See the section below "IAS can be used to support the similar scenarios:" - Approach1 and Approach 2.

      You will be able to use SSO to Azure AD for all the users, and Password based authentication will not work - as in this case users authenticate in IAS.

      I would still suggest to sync the Users from SF to IAS - you will be able to use a lot of IAS features and will also may be needed when you move ahead with SAP Learning integration or People analytics etc - for which this integration is a pre-requisite.

      Please let me know if it helps !

      Regards

      Sushil K Gupta