Sushil Gupta

IAS integration with SAP SuccessFactors Application – 1

Introduction:

All SAP SuccessFactors systems can use the SAP Cloud Platform Identity Authentication service. SAP plans to migrate all SAP SuccessFactors systems to the service in the future.

If you are wondering why the Identity Authentication service (IAS) is used for the SAP SuccessFactors application, kindly read this:

If SAML 2.0, SSO, IAS and Identity Provider are new terms for you, kindly read this:

Prerequisites:

  • You will need a valid customer S-User ID to perform this activity
  • Admin access to Upgrade center in SAP SuccessFactors Application.
  • Admin access in SAP SuccessFactors application (to perform activities like create and manage roles, reset password)
  • Request metadata files from the corporate IDPs to establish trust communication (in case of SSO to corporate IDPs)
  • Users in SAP SuccessFactors should have a unique email address

Scenario

Architecture

I have chosen this slightly complicated architecture so that I can cover most of the functionality of IAS. You can add or remove applications and corporate IDPs as per your requirements.

Important

We perform 2 upgrades in the SAP SuccessFactors application in this activity.

The first upgrade provides the details of IAS and IPS and automatically does some initial setup.

Second upgrade – do not perform this upgrade until all the configurations are completed, because there is no going back once it is completed. After completion, IAS becomes the default identity provider for the SAP SuccessFactors application and all requests go to IAS by default.

In case you want to integrate an existing IAS in your landscape with the SAP SuccessFactors application, make sure that both are in the same region.

I strongly recommend reading the Admin Guide and note 2791410 – Integrating SuccessFactors with SAP Cloud Identity Authentication Through the Upgrade Center

 

Steps

  • Perform the first upgrade in the Upgrade Center in the SAP SuccessFactors application – initiate the integration between IAS and SAP SuccessFactors
  • Perform the IAS admin console tasks
  • Provide authorizations to the IPSADMIN user in the SAP SuccessFactors application
  • Perform the IPS admin console tasks
  • Perform the source system configuration and password migration configuration
  • Perform the second upgrade in the Upgrade Center in the SAP SuccessFactors application – activate the integration between IAS and SAP SuccessFactors

 

Let's get started!

Perform First Upgrade: “Initiate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration”

  1. Login to SAP SuccessFactors Application. Access the SAP SuccessFactors Upgrade Center.
  2. Select the optional upgrade “Initiate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration” and begin the upgrade process
  3. Enter the customer S-User ID and password.
  4. Select one of the existing IAS tenants, or request a new IAS tenant.
    • In case the required IAS (existing in your landscape) is not visible, it can be because your SAP SuccessFactors application is in a different region than your IAS
    • Solution – raise a ticket to SAP mentioning the details and request them to remove the flag so that you can select the required IAS for integration
  5. You can check the upgrade status in the monitoring tools for IAS/IPS until the upgrade is completed.

Monitoring

Perform IAS admin console Tasks

Generate metadata file from IAS and provide it to corporate Identity Providers to establish the trust communication.

  • Click on “Tenant Settings” section under the “Applications & Resources” tab
  • Extract the metadata file by accessing the “SAML 2.0 Configuration” section and selecting “Download Metadata File”

Configure Corporate Identity Providers

In our scenario we are considering 2 corporate Identity Providers. If you expect more corporate IDPs in future, for example one per region (India, US, UK, etc.), you can follow the same steps to add them when required.

  • Corporate IDP 1 – India (some local corporate IDP)
  • Azure AD

 

Create Corporate IDP 1

  • Under Identity Providers section – click add – enter the name: Corporate IDP 1 – India
  • Upload the metadata file received from Corporate IDP – by clicking on SAML2.0 Configuration – browse and upload
  • Select SAML 2.0 Compliant in Identity Provider type
  • Save the configuration

Create Azure AD

  • Under Identity Providers section – click add – enter the name: Azure AD
  • Upload the metadata file received from Azure AD – by clicking on SAML2.0 Configuration – browse and upload.
  • Select Identity Provider Type: Microsoft ADFS/AzureAD (if you don’t select this, you will get an error at the time of testing)
  • Because we map Azure AD users in IAS (considering the different identifier requirement), enable the Identity Authentication user store
  • Save the configuration

Create User Groups

Create User Groups for your different corporate IDPs

  • Access the user groups in the “User Groups” section under the “Users & Authorizations” tab and create 2 groups: DEV_IDP1 and DEV_AzureAD

DEV_IDP1 – users in this group will authenticate in Corporate IDP 1 – India

DEV_AzureAD – users in this group will authenticate in Azure AD

Configure SAP SuccessFactors applications and conditional Authentication

  • Access the SAP SuccessFactors configuration under the “Applications” section of the “Applications & Resources” tab
  • Select the SAP SuccessFactors application created automatically as part of the SAP IAS upgrade process.
  • Select “Conditional Authentication” under the “Trust” tab to define conditional authentication rules.
  • Select IAS as default identity provider.
  • Create conditional authentication rules for each created user group to route users to the respective Identity Provider systems.
  • As per the groups, users will be redirected to different corporate Identity Providers, and in case a user doesn’t qualify for any rule, the user will be authenticated in IAS (default Identity Provider).
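
The group-based routing above can be reviewed before activation with a small model. This Python sketch is an added example, not from the original post and not IAS's own logic; it assumes rules are checked top to bottom with the first match winning, and the user list is constructed.

```python
# Assumed model: rules are checked top to bottom, the first matching group wins,
# and users matching no rule authenticate in the default identity provider.
DEFAULT_IDP = "IAS"
RULES = [  # (user group, identity provider), names taken from the article
    ("DEV_IDP1", "Corporate IDP 1 – India"),
    ("DEV_AzureAD", "Azure AD"),
]

# Constructed sample: login name -> groups the user holds in IAS after the sync.
SAMPLE_USERS = {
    "asharma": {"DEV_IDP1"},
    "jdoe": {"DEV_AzureAD"},
    "mlee": {"DEV_IDP1", "DEV_AzureAD"},  # member of both groups
    "rpatel": set(),                       # no group assigned
    "tkumar": {"DEV_UK"},                  # hypothetical group without a rule
}

def route(groups, rules=RULES, default=DEFAULT_IDP):
    """Return (identity provider, all matching rule groups) for one user."""
    matches = [(g, idp) for g, idp in rules if g in groups]
    return (matches[0][1] if matches else default), [g for g, _ in matches]

def review_routing(users, rules=RULES, default=DEFAULT_IDP):
    """Group users by resulting identity provider and list cases to check by hand."""
    by_idp, ambiguous, unknown_groups = {}, [], set()
    ruled = {g for g, _ in rules}
    for login, groups in sorted(users.items()):
        idp, matched = route(groups, rules, default)
        by_idp.setdefault(idp, []).append(login)
        if len(matched) > 1:
            ambiguous.append(login)  # outcome depends on rule order
        unknown_groups |= groups - ruled
    return {"by_idp": by_idp, "ambiguous": ambiguous,
            "falls_back_to_default": by_idp.get(default, []),
            "groups_without_rule": sorted(unknown_groups)}

if __name__ == "__main__":
    for key, value in review_routing(SAMPLE_USERS).items():
        print(key, "=", value)
```

Users listed under `falls_back_to_default` log in with an IAS password, so the IAS password policy applies to them.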

Configure Application Logo

  • Click on Branding and layout and select logo

Configure Password Policy

Check if Admin System user is created for IPS API access

 

Provide Authorizations to IPSADMIN user In SAP SuccessFactors application

  1. Log in to the SAP SuccessFactors environment and access the Admin Center.
  2. Select the “Password & Login Policy Settings” option under the “Company Settings”.
  3. Create a new policy under the “Set API login exceptions” option. Select the “Add” option.
  4. Create a new user security setting for the IPS administrator account and enter –
    1. Username: IPSADMIN
    2. MAX PASSWORD: -1
    3. IP ADDRESS RESTRICTIONS: Region specific IP restrictions

Grant IPS permissions to IPS administrator account

  1. Access the Admin Center. Select the “Manage Permission Roles” option under “Set User Permissions”.
  2. Create a new permission role by selecting the “Create New” option. Enter the role name and description for the created role.
  3. Select the “Permission” option and assign the following permissions to the created role:
    1. Manage Integration Tools – Allow Admin to Access OData API
    2. Manage User Account
    3. Manage User – Employee Export
  4. Select the “Add” option and assign the created role to the IPS administrator account

Reset password of IPS administrator account

  • Access the Admin Center. Select the “Reset User Passwords” option
  • Provide the new password and click on reset password

 

We will continue with the next steps in our next blog! Happy learning!

 

Frequent questions from users:

How do we establish trust between SAP SuccessFactors and IAS?

When you perform the first upgrade, it automatically creates an application, SAP SuccessFactors, in IAS and performs the initial setup, such as the exchange of certificates and the setting of identifiers – Login name (Identifier).

Username in SAP SuccessFactors is LoginName in IAS.

 

Does password policy of IAS tenant apply for users which are getting redirected to Corporate IDPs?

No, the password policy applies only to users existing in the IAS user store. It doesn’t apply to users getting authenticated in corporate IDPs. The IAS user store includes users manually created in IAS, users synced from different applications using IPS, and users imported using CSVs.

 

Do we need to perform any manual steps to enable single sign-on in the SAP SuccessFactors application? There are blogs available where we manually enable SSO in the Manage SAML SSO page.

I would say, don’t change the SSO settings manually to enable SSO (even for testing), because:

  • It will be automatically taken care of by the second upgrade in the Upgrade Center (once everything is done, you can perform the upgrade and do some pre-testing before doing the activation)
  • If you are a super admin in SAP SuccessFactors and you change the setting to SSO, then until you or someone else switches it back, all login access will be blocked (if the correct asserting parties are not set and configured)

 

What is the use of IPS? Why do we need IPS when, in conditional authentication, we have options to redirect authentication to different corporate IDPs as per user groups, email address or IP addresses?

Here’s the catch! If you don’t sync the users between SAP SuccessFactors and IAS using IPS, then you can’t use any of the options mentioned above. IAS needs the user details to perform this segregation based on groups, email address, etc.

IPS eases the process of syncing the users between IAS and the SAP SuccessFactors application.

 

What is the difference between IAS Non-Production and Production? How do we know which one is the Non-Prod and which one is the Prod environment? Can I use IAS Prod with SAP SuccessFactors BizX Non-Prod?

It’s recommended to use SAP SF BizX Non-Prod with IAS Non-Prod, and both should exist in the same region. The same goes for production.

However, if you want to integrate an IAS which is in a different region than your SAP SF BizX, you will need to raise a ticket to SAP and request them to remove the flag so that IAS tenants of other regions (or other types – Prod, Non-Prod) are visible at the time of the first upgrade, when we get the option to choose the IAS.

From a technical perspective I haven’t found any difference while doing configuration on IAS Non-Prod and IAS Production. You can request SAP to give you details about which IAS is of production type and which IAS is of non-production type.

 

In this blog post you have learned how to initiate the integration of IAS with the SAP SuccessFactors application, perform the IAS admin console activities, and set up the API user in the SAP SuccessFactors application to migrate users from SAP SuccessFactors to IAS using IPS.

See you in the next blog post!

Click below to move to next step:

IAS integration with SAP SuccessFactors Application – 2 (Sync users using Identity Provisioning Service(IPS))

      4 Comments
      vaishnavi v

      Hi Sushil,

      The blog is very useful thanks for that!

      When we try to run second upgrade there is an error stating SSO is not enabled.

      Sushil Gupta
      Blog Post Author

      Hi vaishnavi,

      Thank you.

      Please note, when we run the second upgrade:

      • It asks us to perform testing - if all the steps were completed successfully (users synced to IAS properly, other configurations completed), it should perform authentication (ask you for credentials), and only once authentication is successful will it give you the option to go ahead with the upgrade (final upgrade).
      • For more detail regarding this: IAS integration with SAP SuccessFactors Application – 3 (Activation and Testing)

      In case, after successful authentication, you trigger the upgrade and it fails - kindly raise a ticket to SAP regarding this (on high or very high priority). It's an automated step which gets completed at the backend by this SAP upgrade (once you trigger the second upgrade, it usually doesn't take more than 2-3 minutes).

      What actually happens in the backend is a switch in the SuccessFactors SSO settings, which makes IAS the default identity provider; after the upgrade all the requests go to IAS, and IAS decides whether to forward the request to any corporate IDP (act as proxy) or act as identifier -- it depends on the requirement and configuration.

      Please let me know if there is any other concern.

      Regards

      Sushil K Gupta

      Harshita Srivastava2

      Hi Sushil, One question. Is there a separate license that client has to take from SAP for this ?

      Sushil Gupta
      Blog Post Author

      Hi Harshita,

      If you are performing implementation specific to SAP Success Factors application - No - IAS and IPS are bundled free with your SAP SF license. While performing the first upgrade - you can request IAS and IPS - absolutely free. If you face any issues, you can raise a ticket with SAP.

      They have an amazing support team for this integration !

      Also, IAS and IPS are bundled free with multiple SAP Cloud products. You just need to ask for it and they can guide you through the process.

      Please have a look at the below information from Standard Guide:

      Obtain a Bundle Tenant - SAP Help Portal

      >>>

      There will be certain restrictions on these tools (IPS - source system and target system - which  we can use) but for specific Application - it will work absolutely fine.

      Example - you ask SAP for bundled license with SAP SF application - In IPS - You can choose -- SAP SF as source and IAS as target. 

      You won't be able to use it for any other application.

      <<<

       

      If you want to integrate other applications- which are not included in bundled licenses - 

      You can purchase separate license for IAS.

      For IPS --

      <<<

      SAP Says:

      Effective October 20, 2020, Identity Provisioning can no longer be purchased as a standalone product! You can obtain and use it, along with Identity Authentication, as part of a bundled SAP cloud solution that you need to purchase. Existing customers who have already purchased Identity Provisioning as a standalone product, can use it as-is until the end of their contracts.

      >>>

      Let me know if there are any other doubts !

      Happy to help.

       

      Thanks and Regards

      Sushil K Gupta