All SAP SuccessFactors systems can use the SAP Cloud Platform Identity Authentication service. SAP plans to migrate all SAP SuccessFactors systems to the service in the future.
In case you are wondering why the Identity Authentication service (IAS) is used for the SAP SuccessFactors application, kindly read this:
If SAML 2.0, SSO, IAS and Identity Provider are new terms for you, kindly read this:
- You will need a valid customer S-User ID to perform this activity
- Admin access to the Upgrade Center in the SAP SuccessFactors application
- Admin access in the SAP SuccessFactors application (to perform activities like creating and managing roles and resetting passwords)
- Request metadata files from the corporate IDPs to establish trust (in case of SSO to corporate IDPs)
- Users in SAP SuccessFactors should have unique email addresses
I have taken this slightly complicated architecture so that I can cover most of the functionalities of IAS. You can add or remove applications and corporate IDPs as per your requirement.
We perform 2 upgrades in the SAP SuccessFactors application in this activity:
The first upgrade provides you with the details of IAS and IPS and automatically does some initial setup.
Second upgrade – don't perform this upgrade until all the configurations are completed, because there is no going back once this upgrade is completed. After completion, IAS becomes the default identity provider for the SAP SuccessFactors application and all requests go to IAS by default.
In case you want to integrate an existing IAS in your landscape with the SAP SuccessFactors application, make sure that both are in the same region.
Reading the Admin Guide is strongly recommended.
- Perform first upgrade in upgrade center in SAP SuccessFactors application – Initiate the integration between IAS and SAP SuccessFactors.
- Perform IAS admin console Tasks
- Provide Authorizations to IPSADMIN user In SAP SuccessFactors application
- Perform IPS admin console Tasks
- Perform Source system configuration, Password migration configuration
- Perform Second upgrade in upgrade center in SAP SuccessFactors application – Activate the integration between IAS and SAP SuccessFactors
Let's get started!
Perform First Upgrade: “Initiate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration”
- Login to SAP SuccessFactors Application. Access the SAP SuccessFactors Upgrade Center.
- Select the optional upgrade “Initiate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration” and begin the upgrade process
- Enter the customer S-User ID and password
- Select one of the existing IAS tenants, or request a new IAS tenant.
- In case the required IAS (existing in your landscape) is not visible, it can be because your SAP SuccessFactors application is in a different region than your IAS
- Solution – raise a ticket to SAP mentioning the details and request them to remove the flag so that you can select the required IAS for integration
- You can check the upgrade status in the monitoring tools for IAS/IPS until the upgrade is completed
Perform IAS admin console Tasks
Generate metadata file from IAS and provide it to corporate Identity Providers to establish the trust communication.
- Click on “Tenant Settings” section under the “Applications & Resources” tab
- Extract the metadata file by accessing the “SAML 2.0 Configuration” section and selecting “Download Metadata File”
Configure Corporate Identity Providers
In our scenario we are considering 2 corporate Identity Providers. If you expect more corporate IDPs in the future, for example per region (India, US, UK, etc.), you can follow the same steps to add them.
- Corporate IDP 1 – India (some local corporate IDP)
- Azure AD
Create Corporate IDP 1
- Under Identity Providers section – click add – enter the name: Corporate IDP 1 – India
- Upload the metadata file received from Corporate IDP – by clicking on SAML2.0 Configuration – browse and upload
- Select SAML 2.0 Compliant in Identity Provider type
- Save the configuration
Create Azure AD
- Under Identity Providers section – click add – enter the name: Azure AD
- Upload the metadata file received from Azure AD – by clicking on SAML2.0 Configuration – browse and upload.
- Select Identity Provider Type: Microsoft ADFS/AzureAD (if you don't select this, you will get an error at the time of testing)
- As we are mapping Azure AD users in IAS, and the identifier requirements differ, enable the Identity Authentication user store
- This allows us to use different unique identifiers on the IDP side and the application side
- For more information, please read Why Identity authentication is required for SAP SuccessFactors Application
- Save the configuration
Create User Groups
Create User Groups for your different corporate IDPs
- Access the user groups in the “User Groups” section under the “Users & Authorizations” tab and create 2 groups DEV_IDP1 , DEV_AzureAD
Configure SAP SuccessFactors applications and conditional Authentication
- Access the SAP SuccessFactors configuration under the “Applications” section of the “Applications & Resources”
- Select the SAP SuccessFactors application created automatically as part of the SAP IAS upgrade process.
- Select “Conditional Authentication” under the “Trust” tab to define conditional authentication rules.
- Select IAS as default identity provider.
- Create conditional authentication rules for each created user group to route users to the respective Identity Provider systems.
- Based on their group, users are redirected to different corporate Identity Providers; a user who does not qualify for any rule is authenticated in IAS (the default Identity Provider).
Configure Application Logo
- Click on Branding and layout and select logo
Configure Password Policy
Check if Admin System user is created for IPS API access
Provide Authorizations to IPSADMIN user In SAP SuccessFactors application
- Log in to the SAP SuccessFactors environment and access the Admin Center.
- Select the “Password & Login Policy Settings” option under the “Company Settings”.
- Create a new policy under the “Set API login exceptions” option. Select the “Add” option.
- Create a new user security setting for the IPS administrator account and enter –
- Username: IPSADMIN
- MAX PASSWORD: -1
- IP ADDRESS RESTRICTIONS: Region specific IP restrictions
Grant IPS permissions to IPS administrator account
- Access the Admin Center. Select the “Manage Permission Roles” option under “Set User Permissions”.
- Create a new permission role by selecting the “Create New” option. Enter the role name and description for the created role.
- Select the “Permission” option and assign the following permissions to the created role:
- Manage Integration Tools – Allow Admin to Access OData API
- Manage User Account
- Manage User – Employee Export
- Select the “Add” option and assign the created role to the IPS administrator account
Reset password of IPS administrator account
- Access the Admin Center. Select the “Reset User Passwords” option
- Provide the new password and click on reset password
We will continue with the next steps in our next blog! Happy learning!
Frequent questions from users:
How do we establish trust between SuccessFactors and IAS?
When you perform the first upgrade, it automatically creates an application, SAP SuccessFactors, in IAS and performs the initial setup, such as the exchange of certificates and the setting of identifiers: Login Name (identifier).
Username in SAP SuccessFactors is LoginName in IAS
Does the password policy of the IAS tenant apply to users who are redirected to corporate IDPs?
No. The password policy applies only to users existing in the IAS user store. It doesn't apply to users authenticated in corporate IDPs. The IAS user store includes users manually created in IAS and users synced from different applications using IPS or imported using CSVs.
Do we need to perform any manual steps to enable single sign-on in the SAP SuccessFactors application? There are blogs available where SSO is enabled manually in the Manage SAML SSO page.
I would say: don't change the SSO settings manually to enable SSO (even for testing), because:
- It will be taken care of automatically by the second upgrade in the Upgrade Center (once everything is done, you can perform the upgrade and do some pre-testing before doing the activation)
- If you are a super admin in SAP SuccessFactors and you change the setting to SSO, then until you or someone else switches it back, all login access will be blocked (if the correct assertion parties are not set and configured)
What is the use of IPS? Why do we need IPS when, in conditional authentication, we have options to redirect authentication to different corporate IDPs as per user groups, email address or IP addresses?
Here's the catch! If you don't sync the users between SAP SuccessFactors and IAS using IPS, then you can't use any of the options mentioned above. IAS needs the user details to perform this segregation based on groups, email address, etc.
IPS eases the process of syncing users between IAS and the SAP SuccessFactors application.
What is the difference between IAS Non-Production and Production? How do we know which one is Non-Prod and which one is the Prod environment? Can I use IAS Prod with SAP SuccessFactors BizX Non-Prod?
It's recommended to use SAP SF BizX Non-Prod with IAS Non-Prod, and both should exist in the same region. The same goes for production.
However, if you want to integrate an IAS which is in a different region than your SAP SF BizX, then you will need to raise a ticket to SAP and request them to remove the flag so that IAS tenants of other regions (or other types: prod, non-prod) are visible at the time of the first upgrade, when we get the option to choose the IAS.
From a technical perspective I haven't found any difference while doing configuration on IAS Non-Prod and IAS Production. You can request SAP to give you details about which IAS is production type and which IAS is non-prod type.
In this blog post you have learned how to initiate the integration of IAS with the SuccessFactors application, the IAS admin console activities, and how to set up the API user in the SAP SuccessFactors application to migrate users from the SAP SuccessFactors application to IAS using IPS.
See you in the next blog post!