In this blog post we will discuss the scenarios in which IAS is required for the SAP SuccessFactors application.
SAP SuccessFactors itself supports Single Sign-On (SSO): partners can enable SSO in Provisioning and add the asserting party in the Manage SAML SSO setting. So why do we need IAS (Identity Authentication Service)? Isn't bringing IAS in between additional work?
Answer: Identity Authentication Service (IAS) provides a lot of flexibility, and it can be used to remove the restrictions of the SAP SuccessFactors application:
- Restriction on the unique identifier: SAP SuccessFactors accepts two values to identify the user logging in via SAML 2.0. The most common is the NameID; the UserName attribute is also supported. Whichever method is used, the value is compared with the Username in the SAP SuccessFactors application.
- In SAP SuccessFactors, users can authenticate against only one corporate identity provider.
- In SAP SuccessFactors, once SSO is enabled, all users are redirected to the corporate IdP directly, and users who want to authenticate with user ID and password need to access the application through a different URL.
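To make the first restriction concrete, here is an added Python example (not code from the original post or from SAP). It extracts the identifier from a minimal SAML 2.0 assertion in the two ways the post says SuccessFactors accepts, the NameID or the UserName attribute, and compares it against a constructed SuccessFactors user store with an exact match on the Username field. It also shows why maintaining the email address in the Username field makes an email-asserting IdP work. The assertion contents, user names, and helper names are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SuccessFactors user stores; keys are the SuccessFactors Username field.
# SF_USERS uses short usernames; SF_USERS_EMAIL maintains the email address as Username.
SF_USERS: Dict[str, dict] = {
    "jdoe": {"email": "jane.doe@example.com"},
    "asmith": {"email": "alan.smith@example.com"},
}
SF_USERS_EMAIL: Dict[str, dict] = {
    "jane.doe@example.com": {},
    "alan.smith@example.com": {},
}


def make_assertion(name_id: str, username_attr: Optional[str] = None) -> str:
    """Build a minimal, unsigned SAML 2.0 assertion for the demo (constructed data).
    A real SP must verify signature, issuer, audience and validity window before
    trusting any of these values; that check is deliberately out of scope here."""
    attrs = ""
    if username_attr is not None:
        attrs = (
            "<saml:AttributeStatement>"
            '<saml:Attribute Name="UserName">'
            f"<saml:AttributeValue>{username_attr}</saml:AttributeValue>"
            "</saml:Attribute></saml:AttributeStatement>"
        )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'Version="2.0" ID="_constructed-demo-1">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"{attrs}</saml:Assertion>"
    )


def extract_identifier(assertion_xml: str, method: str = "NameID") -> Optional[str]:
    """Return the login identifier carried in the assertion.

    method="NameID"   -> <saml:Subject>/<saml:NameID>
    method="UserName" -> <saml:Attribute Name="UserName">/<saml:AttributeValue>
    These are the two identifier sources the post says SuccessFactors accepts.
    """
    root = ET.fromstring(assertion_xml)  # demo input is constructed and trusted
    if method == "NameID":
        node = root.find("saml:Subject/saml:NameID", SAML_NS)
    elif method == "UserName":
        node = None
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
            if attr.get("Name") == "UserName":
                node = attr.find("saml:AttributeValue", SAML_NS)
                break
    else:
        raise ValueError(f"unsupported identifier method: {method}")
    if node is None or node.text is None:
        return None
    return node.text.strip()


def sf_login(assertion_xml: str, users: Dict[str, dict], method: str = "NameID") -> Optional[str]:
    """Mimic the SuccessFactors rule: the asserted value must equal an existing
    Username exactly; otherwise the login is rejected and None is returned."""
    ident = extract_identifier(assertion_xml, method)
    if ident is None or ident not in users:
        return None
    return ident


if __name__ == "__main__":
    # IdP asserts the SF username -> accepted
    print(sf_login(make_assertion("jdoe"), SF_USERS))
    # IdP asserts an email while Username holds "jdoe" -> rejected (the restriction)
    print(sf_login(make_assertion("jane.doe@example.com"), SF_USERS))
    # Same email-asserting IdP, but the Username field holds the email -> accepted
    print(sf_login(make_assertion("jane.doe@example.com"), SF_USERS_EMAIL))
```

The second call is the case the post is warning about: an IdP that sends the email address while SuccessFactors holds a short username produces no match, and the login fails even though the user exists. Either the IdP side supplies the username (an extra attribute to maintain) or the SuccessFactors side adopts the email as Username; the code does not know which is right, it only enforces equality.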
With IAS in the picture:
- IAS can perform the mapping between the different identifiers supported by multiple applications, which removes this restriction.
- In IAS you can configure conditional authentication: based on email address, group, or IP range, users can be segregated and authenticated against different corporate identity providers. So different users can authenticate to different corporate IdPs while accessing one single SAP SuccessFactors environment. This is not possible without IAS.
- With IAS, one URL can be configured for all types of users (no need to maintain a second URL).
- IAS is a prerequisite for the People Analytics upgrade; see note 2945740 – People Analytics Upgrade fails with error pointing that IAS is not configured on your instance (checklist to confirm that IAS is correctly enabled).
- I think that in future all SAP SuccessFactors instances will be integrated with IAS to provide one platform to manage authentication (the same IAS can be used by other applications for authentication, giving one unified platform for all cloud applications).
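As an added example (not code from the original post or from SAP), the following Python models the two IAS capabilities described in this list: conditional authentication that routes a login to a corporate IdP by email domain, group or client IP range with a default identity provider as fallback, and the mapping from the identifier the corporate IdP asserts (an email address) to the SuccessFactors Username. The user store, rules, IdP names and function names are constructed assumptions. Because the group rule can only see the groups of users present in the store, a user who has not been synced falls through to the default provider, which is the dependency on user sync the post comes back to later.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed IAS-style user store. In the post's terms this is what the IPS
# user sync from SuccessFactors would populate; keys are the login emails.
SYNCED_USERS: Dict[str, dict] = {
    "jane.doe@corp.example.com": {"sf_username": "jdoe", "groups": {"Employees"}},
    "bob.v@vendor-one.example": {"sf_username": "bvendor", "groups": {"Vendors"}},
}


@dataclass
class Rule:
    """One conditional-authentication rule: every condition that is set must hold."""
    idp: str
    email_domain: Optional[str] = None
    group: Optional[str] = None
    ip_range: Optional[str] = None

    def matches(self, email: Optional[str], groups: Optional[Set[str]],
                client_ip: Optional[str]) -> bool:
        if self.email_domain is not None:
            if email is None or not email.lower().endswith("@" + self.email_domain.lower()):
                return False
        if self.group is not None:
            # Group membership is only known for users present in the synced store.
            if groups is None or self.group not in groups:
                return False
        if self.ip_range is not None:
            if client_ip is None:
                return False
            if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(self.ip_range):
                return False
        return True


# Constructed rule set, evaluated top to bottom; the first match wins.
RULES: List[Rule] = [
    Rule(idp="AzureAD-Corp", email_domain="corp.example.com"),
    Rule(idp="Vendor-IdP", group="Vendors"),
    Rule(idp="Office-IdP", ip_range="10.20.0.0/16"),
]
# Default identity provider when no rule matches. "IAS-local" is an assumed label
# standing for username/password authentication in IAS itself.
DEFAULT_IDP = "IAS-local"


def route_login(email: Optional[str], client_ip: Optional[str] = None,
                rules: List[Rule] = RULES, default: str = DEFAULT_IDP,
                users: Dict[str, dict] = SYNCED_USERS) -> str:
    """Return the identity provider the login request is forwarded to."""
    user = users.get(email.lower()) if email else None
    groups = user["groups"] if user else None
    for rule in rules:
        if rule.matches(email, groups, client_ip):
            return rule.idp
    return default


def map_to_sf_username(email: str, users: Dict[str, dict] = SYNCED_USERS) -> Optional[str]:
    """Identifier mapping: the corporate IdP asserts an email address while
    SuccessFactors expects its Username; the synced store provides the link."""
    user = users.get(email.lower())
    return user["sf_username"] if user else None


if __name__ == "__main__":
    print(route_login("jane.doe@corp.example.com"))          # AzureAD-Corp
    print(route_login("bob.v@vendor-one.example"))           # Vendor-IdP
    print(route_login("unknown@vendor-one.example"))         # IAS-local (not synced)
    print(map_to_sf_username("jane.doe@corp.example.com"))   # jdoe
```

Rule order matters in a first-match design: an IP-range rule placed above the email-domain rule would send every corporate employee on the office network to the office IdP instead of Azure AD, so review the order whenever a rule is added. The mapping function returns None for an email that was never synced, which is the same failure a missing user sync would produce for People Analytics or concurrent-employment identifiers.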
Now let's discuss the scenarios that can be implemented without IAS, following the restrictions of SAP SuccessFactors.
One SF application can connect to only one corporate identity provider (let's take Azure AD as an example).
For corporate employees, implement Single Sign-On (SSO) in SAP SuccessFactors. Following the unique identifier restriction, there are two approaches:
Approach 1: Maintain a field in Azure AD that contains the (SAP SF) username and use it as the unique identifier.
Approach 2: Suppose the Azure AD team says they will use the email address as the unique identifier and won't maintain an additional field, while the SAP SuccessFactors application only supports the username as the unique identifier. We can then maintain the email address in the Username field in SuccessFactors, so for all users created in SAP SuccessFactors the Username field will contain the email address.
For external vendors, configure Partial SSO so that users can log in with user ID and password using a different URL after SSO is enabled; see note 2088837 – [SSO] Partial Organization Single Sign-On – BizX Platform.
IAS can be used to support the same scenarios:
Select the corporate IdP (Azure AD) in Conditional Authentication as the default identity provider, and all requests will be directed to the corporate IdP.
For corporate employees:
Approach 1: Maintain a field in Azure AD with the name username and use it as the unique identifier.
Approach 2: Suppose the Azure AD team says they will use the email address as the unique identifier and won't maintain an additional field, while the SAP SuccessFactors application only supports the username as the unique identifier. We can then maintain the email address in the Username field in SAP SuccessFactors, so for all users created in SAP SuccessFactors the Username field will contain the email address.
For external vendors:
With the migration to IAS, Partial SSO is disabled and cannot be enabled with IAS.
The reason is that later features integrated with the SAP SuccessFactors core via IAS will not work if a user logs in via the PWD login method. Follow the steps to enable partial SSO after the IAS implementation.
Prerequisite for this:
After this is configured, users will authenticate in IAS (which acts as the identity provider), so the user details are required in IAS. User sync is mandatory to use partial SSO after the IAS implementation.
However, if we want to remove all the restrictions and use all IAS functionalities with SAP SuccessFactors
(such as a different unique identifier, multiple corporate IdPs through rules in conditional authentication, or two-factor authentication in IAS), we need to sync the users from the SAP SuccessFactors application to IAS.
User sync is critical when using the following services and features:
- Conditional Authentication: to set up rules that authenticate based on email, user type, or group.
- Enablement of Partial SSO: if you intend to use partial SSO, your users must exist in SAP Cloud Platform Identity Authentication service.
- Two-factor authentication: your users need to exist in SAP Cloud Platform Identity Authentication service so that you can take advantage of the two-factor security features.
- People Analytics, Internal Career Site, and other SAP SuccessFactors product areas: user identifiers can differ between product areas, and SAP Cloud Platform Identity Authentication service can only map these identifiers correctly when your users are in SAP Cloud Platform Identity Authentication service.
- Global assignment and concurrent employment: when users log on from different sources, SAP Cloud Platform Identity Authentication service needs to convert their identifiers into a form it understands. That only happens when user sync has been done and the users are loaded into SAP Cloud Platform Identity Authentication service.
SAP provides IPS (Identity Provisioning Service) to automate the user sync from SAP SuccessFactors to IAS.
Last but not least:
Some SAP cloud products bundle the Identity Authentication and Identity Provisioning services free of charge; SAP SuccessFactors is one example.
If you are not aware of the IAS and IPS details, you can reach out to SAP or raise an incident on component BC-IAM-IDS.
I am summarizing the scenarios discussed above in the flow chart shared below:
In this blog post we have learned about the current SAP SuccessFactors SSO scenarios and how IAS can remove all the restrictions and revolutionize the process. Please let me know in the comments if there are any questions. I will be happy to answer!