Why Identity authentication is required for SAP SuccessFactors Application
Introduction:
In this blog post we will discuss the scenarios in which IAS is required for the SAP SuccessFactors application.
Major question:
SAP SuccessFactors itself supports Single Sign-On (SSO): partners can enable SSO in Provisioning and add an asserting party under the Manage SAML SSO settings. So why do we need IAS (Identity Authentication Service)? Isn't bringing IAS in between just additional work?
Answer: Identity Authentication Service (IAS) provides a lot of flexibility and can be used to remove the following restrictions of the SAP SuccessFactors application:
- Restriction on the unique identifier: SAP SuccessFactors accepts two values to identify the user logging in via SAML 2.0. The most common is the NameID; the UserName attribute is also supported. Whichever is used, the value is compared with the Username in the SAP SuccessFactors application.
- In SAP SuccessFactors, users can authenticate against only one corporate identity provider.
- In SAP SuccessFactors, once SSO is enabled, all users are redirected directly to the corporate IdP, and users who want to authenticate with user ID and password must use a different URL.
With IAS in the picture:
- IAS can perform the mapping between the different identifiers supported by multiple applications, which removes the identifier restriction.
- In IAS you can configure conditional authentication: based on email address, group or IP range, users can be segregated and authenticated against different corporate identity providers. So different users can authenticate to different corporate IdPs while accessing one single SAP SuccessFactors environment. This is not possible without IAS.
- With IAS, one URL can be configured for all types of users (no need to maintain another URL).
- IAS is a prerequisite for the People Analytics upgrade; see note 2945740 – People Analytics Upgrade fails with error pointing that IAS is not configured on your instance (checklist to confirm whether IAS is correctly enabled).
- I think in future all SAP SuccessFactors instances will be integrated with IAS to provide one platform to manage authentication (the same IAS can be used by other applications for authentication, so one unified platform for all the cloud applications).
Now let's discuss the scenarios which can be implemented without IAS, within the restrictions of SAP SuccessFactors.
One SF application can connect to only one corporate identity provider (let's take Azure AD as an example).
For corporate employees: implement Single Sign-On (SSO) in SAP SuccessFactors. Given the unique identifier restriction, there are two approaches:
Approach 1: Maintain a field in Azure AD which contains the SAP SF username and use it as the unique identifier.
Approach 2: Suppose the Azure AD team says they will use the email address as the unique identifier and won't maintain an additional field, while the SAP SuccessFactors application only supports the username as the unique identifier. We can then maintain the email addresses in the Username field in SuccessFactors, so for all users created in SAP SuccessFactors the Username field contains the email address.
For external vendors: configure Partial SSO so that users can log in with user ID and password via a different URL after SSO is enabled; see note 2088837 – [SSO] Partial Organization Single Sign-On – BizX Platform.
IAS can be used to support the same scenarios:
Select the corporate IdP (Azure AD) as the default identity provider in Conditional Authentication; all requests will then be directed to the corporate IdP.
For corporate employees:
Approach 1: Maintain a field in Azure AD that carries the username and use it as the unique identifier.
Approach 2: Suppose the Azure AD team says they will use the email address as the unique identifier and won't maintain an additional field, while the SAP SuccessFactors application only supports the username as the unique identifier. We can then maintain the email addresses in the Username field in SAP SuccessFactors, so for all users created in SAP SuccessFactors the Username field contains the email address.
For external vendors:
With the migration to IAS, Partial SSO is disabled and cannot be enabled with IAS.
The reason is that later features integrated with the SAP SuccessFactors core via IAS will not work if a user logs in via the PWD login method. Follow the steps in the note below to enable partial SSO after IAS implementation.
Prerequisite for this:
After this is configured, users authenticate in IAS (which acts as the identity provider), so the user details are required in IAS. User sync is mandatory to use partial SSO after IAS implementation.
Note 2954556 – How to implement Partial SSO after IAS implementation on SAP SuccessFactors
However, if we want to remove all the restrictions and use all IAS functionalities with SAP SuccessFactors (different unique identifiers, multiple corporate IdPs via rules in conditional authentication, two-factor authentication in IAS), we need to sync the users from the SAP SuccessFactors application to IAS.
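The identifier restriction and the two approaches above, modelled as an added example in Python (not the post's or SAP's code): a corporate IdP asserts an e-mail NameID, IAS either maps it through its synced user store or passes it through unchanged, and SuccessFactors compares the result with its Username field. The SAML assertion, the user tables and the simplified handling of the "Allow Identity Authentication users only" flag are constructed assumptions.

```python
"""Model of IAS sitting between a corporate IdP and SAP SuccessFactors.

Added example, not code from the blog post or from SAP. The SAML
assertion and both user tables are constructed sample data; the 'Allow
Identity Authentication users only' flag is modelled the simplified way
the post describes it (mapping when on, pass-through when off).
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion as a corporate IdP such as Azure AD would issue it:
# the subject is identified by e-mail address (Approach 2 in the post).
IDP_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# SuccessFactors user table, keyed by the Username the SP compares against.
SF_USERS = {"jdoe": "Jane Doe"}

# What IPS would have synced into the IAS user store: login e-mail -> SF username.
IAS_USER_STORE = {"jane.doe@example.com": "jdoe"}


def name_id_from_assertion(xml_text):
    """Extract the SAML 2.0 Subject NameID from an assertion."""
    root = ET.fromstring(xml_text)
    node = root.find("saml:Subject/saml:NameID", NS)
    if node is None or not node.text:
        raise ValueError("assertion carries no NameID")
    return node.text.strip()


def ias_forward(name_id, user_store, ias_users_only):
    """Return the identifier IAS asserts towards SuccessFactors.

    With ias_users_only set, IAS resolves the inbound identifier through
    its own (synced) user store and issues the mapped username; unset, it
    is a pass-through proxy and forwards the corporate IdP value unchanged.
    """
    if not ias_users_only:
        return name_id
    if name_id not in user_store:
        raise PermissionError("user not present in IAS user store")
    return user_store[name_id]


def login(assertion_xml, user_store, ias_users_only, sf_users=SF_USERS):
    """Run one SSO attempt end to end; SF compares against its Username field."""
    name_id = name_id_from_assertion(assertion_xml)
    try:
        forwarded = ias_forward(name_id, user_store, ias_users_only)
    except PermissionError:
        return "rejected by IAS"
    return "logged in" if forwarded in sf_users else "rejected by SF"
```

Passing a SuccessFactors table whose Username values are e-mail addresses reproduces Approach 2, where the pass-through mode works without any user sync.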
SAP says:
User sync is critical when using the following services and features:
- Conditional Authentication: to set up rules that authenticate based on email, user type, or group.
- Enablement of Partial SSO: if you intend to use partial SSO, your users must exist in SAP Cloud Platform Identity Authentication service.
- Two-factor Authentication: your users need to exist in SAP Cloud Platform Identity Authentication service so that you can take advantage of the two-factor security features.
- People Analytics, Internal Career Site, and other SAP SuccessFactors product areas: user identifiers can change between product areas, and SAP Cloud Platform Identity Authentication service can only map these identifiers correctly when your users are in SAP Cloud Platform Identity Authentication service.
- Global Assignment and Concurrent Employment: when users log on from different sources, SAP Cloud Platform Identity Authentication service needs to convert their identifiers into a form it understands. That only happens when the user sync has been done and the users are loaded into SAP Cloud Platform Identity Authentication service.
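Conditional authentication as described earlier and the user-sync prerequisites in SAP's list, modelled as an added Python example (not SAP's implementation): rules are only honoured when IAS itself is the default identity provider, and rules on user type or group can only match users that have been synced into the IAS user store. The rule set, user records and login attempts are constructed; it is an assumption of this model that e-mail-domain and IP-range rules are evaluated on what the login request itself carries.

```python
"""Model of IAS conditional authentication: pick the identity provider for
a login attempt from an ordered rule set, with a default IdP as fallback.

Added example, not SAP code. Rules, user records and requests are
constructed. Assumption: e-mail-domain and IP-range rules look only at
the request, while user-type and group rules need the synced IAS record.
"""
import ipaddress

IAS = "IAS"  # the IAS user store itself, used for password/2FA logins

# Records IPS would have synced from SuccessFactors: login e-mail -> attributes.
USER_STORE = {
    "a.lee@office-a.example": {"type": "employee", "groups": ["sf-users"]},
    "c.wu@vendor.example": {"type": "partner", "groups": ["contractors"]},
}

# Constructed rule set, evaluated top-down; the first matching rule wins.
RULES = [
    {"email_domain": "office-a.example", "idp": "RegionalAD-A"},
    {"email_domain": "office-b.example", "idp": "Okta-B"},
    {"ip_range": "10.30.0.0/16", "idp": "RegionalAD-C"},
    {"group": "contractors", "idp": "Okta-B"},
]


def evaluate(rules, default_idp, request, user_store):
    """Return the name of the IdP the login request is delegated to.

    Mirrors the behaviour the post describes: with a corporate IdP as the
    default, every request goes straight there and the rules are ignored;
    with IAS as the default, the rules decide and unmatched requests are
    authenticated against the IAS user store.
    """
    if default_idp != IAS:
        return default_idp
    login = request["login"].lower()
    record = user_store.get(login)  # None when the user was never synced
    for rule in rules:
        if "email_domain" in rule and not login.endswith("@" + rule["email_domain"]):
            continue
        if "ip_range" in rule and ipaddress.ip_address(request["ip"]) not in ipaddress.ip_network(rule["ip_range"]):
            continue
        # user-type and group conditions can only be checked for synced users
        if "user_type" in rule and (record is None or record["type"] != rule["user_type"]):
            continue
        if "group" in rule and (record is None or rule["group"] not in record["groups"]):
            continue
        return rule["idp"]
    return IAS
```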
SAP provides IPS (Identity Provisioning Service) to automate the user sync from SAP SuccessFactors to IAS.
Last but not least:
Some SAP cloud products provide the Identity Authentication and Identity Provisioning services bundled with them free of charge; SAP SuccessFactors is one example.
If you are not aware of the IAS and IPS details, you can reach out to SAP or raise an incident on component BC-IAM-IDS.
The scenarios discussed above are summarised in the flow chart shared below:
In this blog post we have learned about the current SAP SuccessFactors SSO scenarios and how IAS can remove all the restrictions and revolutionize the process. Please let me know if there are any questions in the comments. I will be happy to answer!
Thank you for your Blog!
Hi and thanks for the good post,
one question that I do not understand.
If we have the condition:
Do we really have to sync the users with *@company.com to the IAS? I have experience with S4Hana Cloud Essentials and there is no need to store the users. Just do not activate "Allow Identity Authentication users only".
So when we have the list:
Best regards
Mark
Hi Mark,
Good question! Please find my reply below.
>>
If we have the condition:
Do we really have to sync the users with *@company.com to the IAS? I have experience with S4Hana Cloud Essentials and there is no need to store the users. Just do not activate "Allow Identity Authentication users only".
<<
In case we don't sync the users, then you can't use rule-based conditional authentication. This means that in conditional authentication you will select your IdP as the default identity provider (not IAS), which disables rule creation in conditional authentication.
What does it mean? IAS is blindfolded, holding a board in its hand saying: whatever request comes, please go to the IdP. (Sorry for the bad example, but it might help!)
Now all users (in your application) will be going to the IdP for authentication.
In case you want some external users to log in to the system using ID and password, then you enable an option in IAS and use a different URL for password users (partial SSO; in technical terms that is something called identity provider initiated single sign-on, in the SuccessFactors case I have seen).
(Restrictions of identifier (SAML 2.0 terminology), 1 corporate IdP. A similar scenario was there for SuccessFactors without IAS, so why would you want IAS?)
Now let's discuss the 2 conditions mentioned by you above.
What I understand is that you want to use the email address in rules in conditional authentication for *@company.com and select the default IdP as IAS (please let me know if my understanding is wrong).
SAP says user sync is mandatory for:
And logically, without users in IAS, how would IAS know that users with this email address should go to some configured IdP?
Technically, if you select the IdP as default, rules are disabled automatically.
What is the main purpose of this option?
"Allow Identity Authentication users only"
It actually allows mapping between identifiers so that you can rise above the restrictions which different applications have. (This actually happens in the authentication flow when authentication is successful in the IdP and the request comes back to the application; if this option is disabled and they have different identifiers, it will fail.)
If you disable it, it means your SAML identifier is the same on both sides (app and IdP). It's based on the requirement and also on the applications and IdPs.
I have written another blog which answers this question also. Kindly give it a read and let me know your thoughts on this!
Identity Authentication Service(IAS) Configuration approach with SAP SuccessFactors Application
Also please find more details about your other inputs on the below link - from SAP Standard guide:
SAP Guide
Syncing can be automated using IPS, with minimal manual intervention required once it's set up.
PS: I have shared my observations with respect to the IAS implementation I have performed for the SAP SuccessFactors application.
Regards
Sushil K Gupta
Great 🙂 Thanks for your answer. That helped a lot to clarify things.
Hi,
Just adding a little info here: considering if we go without the IAS option, in case of several UPNs for different subdomains under the same parent Active Directory, you can just use one such UPN belonging to any subdomain to connect to the IdP. I.e. users from different domains belonging to the same organization can still connect to one single IdP using one single UPN created in any of the subdomains.
Also please help me understand the statement: "So different users can authenticate to different corporate IdPs accessing one single SAP SuccessFactors environment."
Will you be able to give a more real-time example?
I am unable to fathom this point: why would a company have multiple corporate IdPs? For example, if anybody is using Okta, why would I grant another IdP to a few of the other users?
Instead, if I have users from Japan and China member firms, I can just use one single subdomain user principal name to let both the China and Japan member firms connect to the same SuccessFactors application.
Would love to know your thoughts
Hi,
Sure, it should actually be how you have explained. If you check my blogs (this blog is part of a series of blogs to explain the integration concepts), I have taken this into consideration (examples of users from different domains authenticating into 1 corporate IdP).
And if at the end there is only one corporate IdP, scenarios can be implemented even without IAS (but that's also a matter of discussion, if you are planning to manage the identifier restriction, as explained above in the blog).
However, consider a scenario where a firm is using regional Active Directories for multiple regions for user registrations and not a centralized one (Okta or Azure AD).
Example: there is a firm which has offices in A, B, C.
Office A uses a regional AD (some local corporate IdP; they have been registering users for a very long time and are still not ready to switch to Okta or Azure AD or any global IdP).
Office B uses Okta (let's say).
Office C also uses some regional AD.
Now users want to log in to the SAP SuccessFactors application by authenticating into their regional ADs (and let's say they are in the office network; they need not enter any user ID and password and just log in to the SAP SF application, basically single sign-on).
How will we achieve it? Obviously, in the long run they can switch to a global IdP (and sync all their users to one), but that's another activity which may take a lot of time, and they might not want to switch as of now. It might also be a big change for them, because they need to update their whole registration process for new users (and they won't do it for SSO to one application).
In the SAP SF application you can configure only 1 corporate IdP.
However, in IAS you can configure multiple corporate IdPs (which is, by the way, a one-time activity); once set up, it can be used by many applications in IAS (like SAP SF and many more).
Now configure as many IdPs as you want and delegate the authentication to their regional ADs. And in future, let's say offices D, E, F, ... (which also have regional ADs) also want to use the SAP SF application: they can also be integrated, just by setting up their corporate IdP in IAS and configuring conditional authentication.
Also kindly have a look at the blog post mentioned below to get a clear picture of this.
blog – IAS integration with SAP SuccessFactors Application – 1
It purely depends on the requirement. I believe applications, when they were built initially, had some restrictions (hard-coded entries); now, bringing IAS into the picture, we can open endless possibilities for the application which were not possible earlier.
The scenario explained above can't be implemented without IAS. Let me know your thoughts on this and in case there are any questions!
Regards
Sushil K Gupta
Hi,
Generally, the majority of large-scale multi-dynamic organizations have a global AD implemented; very few organizations have different corporate IdP footprints, which is rare.
But I do understand and get the point now of leveraging IAS for the scenario-based requirements as you have explained above. Thank you.
Regards
Hi,
Just to add, I have delivered the solution to some large-scale multi-dynamic organizations with this kind of requirement (having local corporate IdPs per region).
And in case they switch to a global IdP in future (which was used for some regions), this switch will not be that complex a process for existing applications using SSO (in case they are using IAS).
Regards
Sushil K Gupta
Hello,
Thanks for your blog, it's really helpful.
Question from my client: why do you need to sync all SF users into IAS via IPS? Can IAS work as a proxy without the user list synced? I can find some documentation about SAC needing users in IAS as a prerequisite, but nothing about SF.
Any thoughts?
Regards
Prasenjit.
Hi Prasenjit,
This is usually a question from many clients.
It depends on the requirement.
The answer to the question is yes, it's possible, however with restrictions. In this blog I have explained what scenarios are possible without user sync. (It will be mostly the same as how SSO was working without IAS; then the question is why IAS is required.) If you are not syncing the users, IAS is just something in between the SAP SF application and the corporate IdP.
(Think of it as: IAS is blindfolded, holding a board saying "send all requests to the corporate IdP and send the response as it is to the SAP SF application from the corporate IdP".)
To use most of the functionalities of IAS, user sync is mandatory. You can also have a look at this blog to understand the configuration approaches (SAP also recommends performing the user sync as a prerequisite for IAS integration with the SAP SF application): remove the different-identifier restriction, use multiple corporate IdPs, 2FA, etc.
Identity Authentication Service(IAS) Configuration approach with SAP SuccessFactors Application
Also, mostly this question comes because people are concerned about the user details getting synced to another application, because in the preview / production environment users have personal details and they don't want to sync the users due to security concerns.
So to answer this concern:
Only a few fields are synced to IAS, so that IAS can perform the mapping:
userid, username, status, email, firstname, lastname, lastmodifiedDateTime
No personal details are synced to IAS, and once the details are synced, we can use all the functionalities of IAS.
To get a better understanding, please go through the series of blogs; you can start with:
IAS integration with SAP SuccessFactors Application – 1
Please let me know if there are any other questions.
Happy to help 🙂
Regards
Sushil K Gupta
Hi, Sushil
First of all, congratulations on your nice blog.
As you answered yes, how do I use IAS only as a proxy without syncing the users?
We are using Azure for authentication. (I didn't see you explaining this scenario without syncing the users and using Azure.)
Hi Matheus,
Thank you for your comment!
For this particular integration, SAP suggests syncing the users from SF to IAS. This can be helpful for rule-based conditional authentication, risk-based authentication, and mapping of identifiers of multiple applications.
Now, if these are not required and we just want to perform the authentication in the corporate identity provider (like Azure AD), similar to how it was working earlier without IAS, then in this specific scenario you can perform the authentication without use of the IAS user store.
In this specific blog, see the section "IAS can be used to support the same scenarios:" below, Approach 1 and Approach 2.
You will be able to use SSO to Azure AD for all the users, and password-based authentication will not work, as in this case users authenticate in IAS.
I would still suggest syncing the users from SF to IAS: you will be able to use a lot of IAS features, and it may also be needed when you move ahead with the SAP Learning integration or People Analytics etc., for which this integration is a prerequisite.
Please let me know if it helps!
Regards
Sushil K Gupta