IAS integration with SAP SuccessFactors Application – 1
Introduction:
All SAP SuccessFactors systems can use the SAP Cloud Platform Identity Authentication service, and SAP plans to migrate all SAP SuccessFactors systems to the service in the future.
If you are wondering why the Identity Authentication service (IAS) is used for the SAP SuccessFactors application, read this:
If SAML 2.0, SSO, IAS and identity provider are new terms for you, read this:
Prerequisites:
- You will need a valid customer S-User ID to perform this activity
- Admin access to the Upgrade Center in the SAP SuccessFactors application
- Admin access in the SAP SuccessFactors application (to create and manage roles, reset passwords, and so on)
- Metadata files requested from the corporate IdPs, to establish trust (if SSO to corporate IdPs is required)
- Each user in SAP SuccessFactors must have a unique email address
Scenario
Architecture
I have chosen this slightly complicated architecture so that I can cover most of the IAS functionality. You can add or remove applications and corporate IdPs as your requirements dictate.
Important
We perform two upgrades in the SAP SuccessFactors application during this activity.
The first upgrade provides you with the details of IAS and IPS and automatically does some initial setup.
The second upgrade: don’t perform it until all configuration is complete, because there is no going back once it has run. After completion, IAS becomes the default identity provider for the SAP SuccessFactors application and all login requests go to IAS by default.
If you want to integrate an existing IAS tenant in your landscape with the SAP SuccessFactors application, make sure both are in the same region.
I strongly recommend reading the Admin Guide.
Steps
- Perform the first upgrade in the Upgrade Center of the SAP SuccessFactors application: initiate the integration between IAS and SAP SuccessFactors
- Perform the IAS admin console tasks
- Provide authorizations to the IPSADMIN user in the SAP SuccessFactors application
- Perform the IPS admin console tasks
- Perform the source system configuration and the password migration configuration
- Perform the second upgrade in the Upgrade Center of the SAP SuccessFactors application: activate the integration between IAS and SAP SuccessFactors
Let’s get started!
Perform First Upgrade: “Initiate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration”
- Log in to the SAP SuccessFactors application and access the Upgrade Center.
- Select the optional upgrade “Initiate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration” and begin the upgrade process.
- Enter the customer S-User ID and password.
- Select one of the existing IAS tenants, or request a new IAS tenant.
- If the required IAS tenant (one that already exists in your landscape) is not visible, it may be because your SAP SuccessFactors application is in a different region from your IAS tenant.
- Solution: raise a ticket with SAP, mention the details and request that they remove the flag so that you can select the required IAS tenant for the integration.
- You can check the upgrade status in the IAS/IPS monitoring tools until the upgrade is completed.
Monitoring
Perform IAS admin console Tasks
Generate the metadata file from IAS and provide it to the corporate identity providers to establish trust.
- Click the “Tenant Settings” section under the “Applications & Resources” tab.
- Download the metadata file by opening the “SAML 2.0 Configuration” section and selecting “Download Metadata File”.
Configure Corporate Identity Providers
In our scenario we consider two corporate identity providers. If you expect more corporate IdPs in future, for example one per region (India, US, UK, etc.), follow the same steps to add them.
- Corporate IDP 1 – India (a local corporate IdP)
- Azure AD
Create Corporate IDP 1
- Under the Identity Providers section, click Add and enter the name: Corporate IDP 1 – India
- Upload the metadata file received from the corporate IdP: click SAML 2.0 Configuration, then browse and upload
- Select SAML 2.0 Compliant as the identity provider type
- Save the configuration
Create Azure AD
- Under the Identity Providers section, click Add and enter the name: Azure AD
- Upload the metadata file received from Azure AD: click SAML 2.0 Configuration, then browse and upload.
- Select Identity Provider Type: Microsoft ADFS/AzureAD (if you don’t select this, you will get an error when testing)
- Because we are mapping Azure AD users in IAS and the identifiers differ between the IdP and the application, enable the Identity Authentication user store.
- This lets us use different unique identifiers on the IdP side and on the application side.
- For more information, read Why Identity Authentication is required for the SAP SuccessFactors application.
- Save the configuration
Create User Groups
Create user groups for your different corporate IdPs.
- Open the “User Groups” section under the “Users & Authorizations” tab and create two groups: DEV_IDP1 and DEV_AzureAD
Configure SAP SuccessFactors applications and conditional Authentication
- Open the SAP SuccessFactors configuration under the “Applications” section of “Applications & Resources”.
- Select the SAP SuccessFactors application that was created automatically by the IAS upgrade process.
- Select “Conditional Authentication” under the “Trust” tab to define conditional authentication rules.
- Select IAS as the default identity provider.
- Create a conditional authentication rule for each user group to route its members to the respective identity provider.
- Based on group membership, users are redirected to the different corporate identity providers; a user who doesn’t qualify for any rule is authenticated in IAS (the default identity provider).
Configure Application Logo
- Click Branding and Layout and select the logo
Configure Password Policy
Check that an admin system user has been created for IPS API access.
Provide Authorizations to IPSADMIN user In SAP SuccessFactors application
- Log in to the SAP SuccessFactors environment and access the Admin Center.
- Select “Password & Login Policy Settings” under “Company Settings”.
- Create a new policy under “Set API login exceptions” by selecting “Add”.
- Create a new user security setting for the IPS administrator account and enter:
- Username: IPSADMIN
- Maximum password age: -1 (the password never expires)
- IP address restrictions: region-specific IP restrictions (the addresses your IPS tenant connects from)
Grant IPS permissions to IPS administrator account
- Access the Admin Center and select “Manage Permission Roles” under “Set User Permissions”.
- Create a new permission role by selecting “Create New”, then enter a role name and description.
- Select “Permission” and assign the following permissions to the created role:
- Manage Integration Tools > Allow Admin to Access OData API
- Manage User Account
- Manage User > Employee Export
- Select “Add” and assign the created role to the IPS administrator account
Reset password of IPS administrator account
- Access the Admin Center and select “Reset User Passwords”.
- Provide the new password and click Reset Password.
We will continue with the next steps in the next blog post. Happy learning!
Frequent questions from users:
How do we establish trust between SuccessFactors and IAS?
When you perform the first upgrade, it automatically creates an application named SAP SuccessFactors in IAS and performs the initial setup: exchange of certificates and setting of the identifiers (Login Name).
The username in SAP SuccessFactors is the Login Name in IAS.
Does the password policy of the IAS tenant apply to users who are redirected to corporate IdPs?
No. The password policy applies only to users that exist in the IAS user store; it does not apply to users authenticated by corporate IdPs. The IAS user store includes users created manually in IAS, users synced from other applications using IPS, and users imported from CSV files.
Do we need to perform any manual steps to enable single sign-on in the SAP SuccessFactors application? There are blogs available where SSO is enabled manually on the Manage SAML SSO page.
I would say don’t change the SSO settings manually to enable SSO (not even for testing), because:
- The second upgrade in the Upgrade Center takes care of it automatically (once everything is done, you can run the upgrade and do some pre-testing before the activation).
- If you are a super admin in SAP SuccessFactors and you switch the setting to SSO, then until you (or someone else) switches it back, all logins are blocked if the assertion parties are not correctly set up and configured.
What is the use of IPS? Why do we need IPS when conditional authentication already lets us redirect authentication to different corporate IdPs based on user groups, email address or IP address?
Here’s the catch: if you don’t sync the users between SAP SuccessFactors and IAS using IPS, you can’t use any of the options mentioned above. IAS needs the user details to perform this segregation based on groups, email address, etc.
IPS eases the process of syncing the users between IAS and the SAP SuccessFactors application.
What is the difference between an IAS non-production and a production tenant? How do we know which one is non-prod and which one is prod? Can I use IAS prod with a non-prod SAP SuccessFactors BizX instance?
It is recommended to use SAP SF BizX non-prod with IAS non-prod, and both should be in the same region. The same goes for production.
However, if you want to integrate an IAS tenant in a different region from your SAP SF BizX instance, you will need to raise a ticket with SAP and request that they remove the flag so that the IAS tenants of other regions (or other types: prod, non-prod) are visible when you choose the IAS tenant during the first upgrade.
From a technical perspective I haven’t found any difference while configuring IAS non-prod and IAS production tenants. You can ask SAP which IAS tenant is of production type and which is non-prod.
In this blog post you have learned how to initiate the integration of IAS with the SuccessFactors application, the IAS admin console activities, and how to set up the API user in the SAP SuccessFactors application that IPS uses to migrate users from SAP SuccessFactors to IAS.
See you in the next blog post!
Hi Sushil,
The blog is very useful thanks for that!
When we try to run the second upgrade there is an error stating SSO is not enabled.
Hi vaishnavi,
Thank you.
Please note, when we run the second upgrade:
In case, after successful authentication, you trigger the upgrade and it fails, kindly raise a ticket with SAP regarding this (on high or very high priority). It is an automated step which gets completed at the backend by this SAP upgrade (once you trigger the second upgrade, it usually doesn't take more than 2-3 minutes).
What actually happens in the backend is a switch in the SuccessFactors SSO settings which makes IAS the default identity provider; after the upgrade all the requests go to IAS, and IAS decides whether to forward the request to a corporate IDP (acting as proxy) or act as the identity provider itself, depending on the requirement and configuration.
Please let me know if there is any other concern.
Regards
Sushil K Gupta
Hi Sushil, one question. Is there a separate license that the client has to take from SAP for this?
Hi Harshita,
If you are performing an implementation specific to the SAP SuccessFactors application: no, IAS and IPS are bundled free with your SAP SF license. While performing the first upgrade you can request IAS and IPS, absolutely free. If you face any issues, you can raise a ticket with SAP.
They have an amazing support team for this integration!
IAS and IPS are also bundled free with multiple SAP cloud products. You just need to ask for it and they can guide you through the process.
Please have a look at the below information from Standard Guide:
Obtain a Bundle Tenant - SAP Help Portal
>>>
There will be certain restrictions on these tools (in IPS, which source system and target system we can use), but for the specific application it will work absolutely fine.
Example: you ask SAP for the bundled license with the SAP SF application. In IPS you can choose SAP SF as source and IAS as target.
You won't be able to use it for any other application.
<<<
If you want to integrate other applications which are not included in the bundled licenses:
You can purchase a separate license for IAS.
For IPS:
<<<
SAP Says:
Effective October 20, 2020, Identity Provisioning can no longer be purchased as a standalone product! You can obtain and use it, along with Identity Authentication, as part of a bundled SAP cloud solution that you need to purchase. Existing customers who have already purchased Identity Provisioning as a standalone product, can use it as-is until the end of their contracts.
>>>
Let me know if there are any other doubts!
Happy to help.
Thanks and Regards
Sushil K Gupta
How long should this process take to upgrade to IAS?
Hi Terri,
There are two upgrades we run. The first is to initiate the configuration, which gives us the IAS and IPS details (in case they don't exist, it requests new tenants).
The second is the activation of the configuration (after performing all the pre-steps and checks).
The first upgrade shouldn't take more than a few hours (in case there is no error at the backend).
The second upgrade takes less than 2 minutes when you click the activate button.
If you are asking about the whole process of configuration from start till delivery of the system: I kept 2 weeks for every instance (there were 3 instances, DEV, PREVIEW and PROD, in my case).
- It includes some buffer time as well, which I had kept to perform cleanup of users which were failing in the sync job.
Let me know if this answers your question.
PS: Make sure you have all the requirements before starting the configuration.
Regards
What happens on IAS when the Login name (userName in SF) gets changed for the same user ?
Do we need to take extra actions on IAS ? Like reset account on IAS ?
Is "performing cleanup of users which fail in the sync job" an important task for the other updates on users to follow? Or can the cleanup be postponed as a monthly activity?
Hi Vishnu,
Please find my inputs below:
1) What happens on IAS when the Login Name (userName in SF) gets changed for the same user?
Inputs:
Username in SF gets synced to IAS and becomes the Login Name for the user in IAS.
Now let's say the username is changed: technically it should sync the new username (in SF) to IAS (Login Name) and update the entry.
Also please note that the username also acts as the SAML identifier in SAP SF, so in a scenario where you are using a corporate IDP:
I would suggest testing it to be sure about the behaviour of the application. Capture the SAML trace to get more details.
2) Is "performing cleanup of users which fail in the sync job" an important task for the other updates on users to follow? Or can the cleanup be postponed as a monthly activity?
Inputs:
Please note:
If it is a QA or PROD environment, I would suggest performing the cleanup and fixing all the users.
The reason why syncing the users (performing cleanup) is a pre-requisite and not a post step: whatever users fail in the sync job won't be able to perform any role in authentication, and once IAS activation is completed the system will be live; even a small change in transformations may cause issues (I recommend avoiding it).
Regards
Sushil K Gupta
Hi Sushil,
We want to bring the Employee Class and LMS flag, which currently exist in the Job Information of an employee. When running an OData API query from CPI or from Postman we get values for these fields using the query below.
https://api2preview.sapsf.eu/odata/v2/User?$select=empInfo/jobInfoNav/employeeClassNav/localeLabel,userId,empInfo/jobInfoNav/customString14Nav/localeLabel&$expand=empInfo/jobInfoNav/employeeClassNav,empInfo/jobInfoNav,empInfo,empInfo/jobInfoNav/customString14Nav&$filter=userId eq 'XXXXXX'
But when I have updated the code below in IAS, the job runs successfully but the value does not appear in User Management -> user record -> custom attributes.
Code that I have configured in the different areas:
Source System:
sf.user.attributes: userId,username,status,email,lastName,firstName,lastModifiedDateTime,personKeyNav,empInfo/jobInfoNav/employeeClassNav/localeLabel,empInfo/jobInfoNav/customString14Nav/localeLabel
sf.user.attributes.expand: personKeyNav,personKeyNav/userAccountNav,empInfo/jobInfoNav/employeeClassNav,empInfo/jobInfoNav,empInfo
transformation:
{
"sourcePath": "$.empInfo.jobInfoNav.employeeClassNav.localeLabel",
"targetPath": "$.employeeClass"
},
{
"sourcePath": "$.empInfo.jobInfoNav.customString14Nav.localeLabel",
"targetPath": "$.LMSFlag"
}
TargetSystem:
{
"sourcePath": "$.employeeClass",
"optional": true,
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][9]['value']"
},
{
"condition": "$.employeeClass EMPTY false",
"constant": "customAttribute10",
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][9]['name']"
},
{
"sourcePath": "$.LMSFlag",
"optional": true,
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][8]['value']"
},
{
"condition": "$.LMSFlag EMPTY false",
"constant": "customAttribute9",
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][8]['name']"
}
Am I missing something?
Thank you in advance.
Suresh
Hi Suresh,
Currently I don't have access to the environments so I can't test it; however, based on the details shared, please find my inputs below:
Understanding: you are trying to sync the users from
Source - SuccessFactors
Target - IAS
You want to update the custom attributes of the user in IAS using some SuccessFactors attribute values.
Question:
From the query I understand you are trying to fetch the details from SF and you are able to receive them using Postman.
Can you try to update the custom attribute field for a user in IAS using the Postman tool, to see if you are able to successfully update this field using API access?
If it works, then there is some issue in your IPS transformation.
Try to troubleshoot the IPS transformation:
In case you are working in a test environment, you can try these steps to find the logs.
Even if the job runs successfully and the custom attributes are not updated, I understand the transformation is not working as expected.
Try to put a block of code like this
sourcePath: dummy
targetPath: dummy
(after your updated transformation code).
This should intentionally fail the sync job and capture the logs. Check if you can find details in the logs.
In case nothing works, share all your findings with the SAP IPS support team and request support.
Thanks and Regards
Sushil K Gupta
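To see what the two transformation fragments in Suresh's comment actually produce for a user, here is an added example (not SAP's IPS engine and not code from this blog post) that re-implements the small subset of the IPS mapping syntax used there: sourcePath/targetPath, constant, optional, and the "<path> EMPTY true|false" condition. The SuccessFactors record is constructed. The rule that a mapping whose non-optional sourcePath is absent fails the user, rather than being skipped, is this example's own assumption; it matches the "dummy path" trick in the reply above, which relies on exactly that behaviour. The target mappings below include the comma that is missing between the last two objects in the comment; without it the transformation is not valid JSON.

```python
"""Replay IPS-style transformation mappings against a SuccessFactors user
record and build the custom-attribute part of the IAS SCIM user.

Example code, not SAP's IPS engine.  Supports only: "sourcePath",
"targetPath", "constant", "optional", and "<path> EMPTY true|false" conditions.
Paths accept $.a.b.c and $['urn:x']['attributes'][9]['value'].
"""
import re

CUSTOM_EXT = "urn:sap:cloud:scim:schemas:extension:custom:2.0:User"
_SEG = re.compile(r"\.([A-Za-z0-9_]+)|\['([^']*)'\]|\[(\d+)\]")
_COND = re.compile(r"^(\$\S+)\s+EMPTY\s+(true|false)$")


def parse_path(path):
    """'$.a.b' -> ['a', 'b']; "$['x']['attributes'][9]['value']" -> ['x', 'attributes', 9, 'value']."""
    if not path.startswith("$"):
        raise ValueError(f"path must start with $: {path}")
    segs, pos = [], 1
    while pos < len(path):
        m = _SEG.match(path, pos)
        if not m:
            raise ValueError(f"bad path segment at offset {pos}: {path}")
        name, quoted, idx = m.groups()
        segs.append(int(idx) if idx is not None else (quoted if name is None else name))
        pos = m.end()
    return segs


def get_path(obj, path):
    """Value at path, or None when any segment is missing (missing == EMPTY in IPS terms)."""
    cur = obj
    for seg in parse_path(path):
        if isinstance(seg, int):
            if not isinstance(cur, list) or seg >= len(cur):
                return None
        elif not isinstance(cur, dict) or seg not in cur:
            return None
        cur = cur[seg]
    return cur


def set_path(obj, path, value):
    """Write value at path, creating intermediate dicts/lists; list slots are padded with None."""
    segs = parse_path(path)
    cur = obj
    for i, seg in enumerate(segs):
        last = i == len(segs) - 1
        if isinstance(seg, int):
            while len(cur) <= seg:
                cur.append(None)
            if last:
                cur[seg] = value
                return obj
            if cur[seg] is None:
                cur[seg] = [] if isinstance(segs[i + 1], int) else {}
        else:
            if last:
                cur[seg] = value
                return obj
            if seg not in cur:
                cur[seg] = [] if isinstance(segs[i + 1], int) else {}
        cur = cur[seg]
    return obj


def condition_holds(cond, record):
    m = _COND.match(cond.strip())
    if not m:
        raise ValueError(f"unsupported condition (only '<path> EMPTY true|false' here): {cond}")
    value = get_path(record, m.group(1))
    is_empty = value in (None, "", [], {})
    return is_empty == (m.group(2) == "true")


def apply_mappings(mappings, record):
    """Return (target, skipped): target built from record; skipped lists mappings that did not fire."""
    target, skipped = {}, []
    for m in mappings:
        if "condition" in m and not condition_holds(m["condition"], record):
            skipped.append((m["targetPath"], "condition false"))
            continue
        if "constant" in m:
            value = m["constant"]
        else:
            value = get_path(record, m["sourcePath"])
            if value is None:
                if m.get("optional"):
                    skipped.append((m["targetPath"], f"{m['sourcePath']} missing"))
                    continue
                # Assumed IPS behaviour: a required attribute that is missing fails the entity.
                raise KeyError(f"required sourcePath {m['sourcePath']} missing: entity fails")
        set_path(target, m["targetPath"], value)
    return target, skipped


def custom_attributes(scim_user):
    """name -> value from the custom extension's attributes array, ignoring unset slots."""
    attrs = scim_user.get(CUSTOM_EXT, {}).get("attributes", [])
    return {a["name"]: a["value"] for a in attrs if a and "name" in a and "value" in a}


# Mappings from the comment above (source system, then target system), comma fixed.
SOURCE_MAPPINGS = [
    {"sourcePath": "$.empInfo.jobInfoNav.employeeClassNav.localeLabel", "targetPath": "$.employeeClass"},
    {"sourcePath": "$.empInfo.jobInfoNav.customString14Nav.localeLabel", "targetPath": "$.LMSFlag"},
]
TARGET_MAPPINGS = [
    {"sourcePath": "$.employeeClass", "optional": True,
     "targetPath": f"$['{CUSTOM_EXT}']['attributes'][9]['value']"},
    {"condition": "$.employeeClass EMPTY false", "constant": "customAttribute10",
     "targetPath": f"$['{CUSTOM_EXT}']['attributes'][9]['name']"},
    {"sourcePath": "$.LMSFlag", "optional": True,
     "targetPath": f"$['{CUSTOM_EXT}']['attributes'][8]['value']"},
    {"condition": "$.LMSFlag EMPTY false", "constant": "customAttribute9",
     "targetPath": f"$['{CUSTOM_EXT}']['attributes'][8]['name']"},
]

# CONSTRUCTED SuccessFactors user record, shaped like the $expand-ed OData result.
SF_USER = {
    "userId": "100042", "username": "jdoe", "status": "active", "email": "jdoe@example.com",
    "empInfo": {"jobInfoNav": {"employeeClassNav": {"localeLabel": "Regular"},
                               "customString14Nav": {"localeLabel": "Yes"}}},
}


def sync_custom_attributes(sf_user):
    """Source mappings, then target mappings; return (custom attributes, skipped mappings)."""
    intermediate, skipped = apply_mappings(SOURCE_MAPPINGS, sf_user)
    scim_user, skipped2 = apply_mappings(TARGET_MAPPINGS, intermediate)
    return custom_attributes(scim_user), skipped + skipped2


if __name__ == "__main__":
    print(sync_custom_attributes(SF_USER))
```

When a job "runs successfully" but nothing shows up in the user's custom attributes, the useful question is which stage went quiet: feed the record you get from the OData query into apply_mappings with the source mappings and check that employeeClass and LMSFlag appear in the intermediate record; if they do not, the source read (sf.user.attributes / sf.user.attributes.expand) is the problem, not the target transformation.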
Hi Sushil,
I want to reflect parameters such as "Manager Name", "Department", "Company", "Country" and "Region" in IAS when the sync job runs from SF.
Please let me know what to include in the JSON transformation in IPS, and whether we need to add these parameters to the sf.user.filter parameter as well. Appreciate your help.
Deepika
Hi Deepika,
Just saw your comment. Yes, you will need to add these parameters to sf.user.filter.
To sync these parameters you will need to modify both the source transformation (SAP SuccessFactors) and the target transformation (SAP Identity Authentication).
Check api.sap.com for the exact variable names you will need to put in the IPS transformation code:
https://api.sap.com/api/IAS_SCIM/schema
https://api.sap.com/products/SAPSuccessFactors/apis/packages
Thanks and Regards
Sushil K Gupta
Good one!!
Hi Sushil Gupta,
thank you for the excellent blog! 🙂
One question, hope you can help me with.
If SF is already connected with an IAS, but now we want to switch it to another IAS we ordered, is such a switch possible? Should we just repeat the first step and choose the other IAS we want?
Thank you in advance. 🙂
Hi Batoul Kserawy,
Please check if below SAP Documentation helps with your query:
Remapping an Identity Authentication Tenant
Option to check in the Upgrade Center:
Change SuccessFactors Identity Authentication Service Integration and click Learn More & Upgrade Now
Please let me know if it helps !
Thanks and Regards
Sushil K Gupta
Hi Sushil,
If it was already upgraded in SF before, then I think it is not possible to do it again, right?
Because I can see that it has already been upgraded before, and I can't upgrade (change the IAS configuration) anymore.
Hi Batoul,
I see this statement in the documentation:
>>>
In the Upgrade Center, you can remap tenants that have already been initiated, activated, or configured with SAP Cloud Identity Services Identity Authentication.
<<<
initiated - first upgrade
activated - second upgrade
I understand from the statement that it should be possible now.
When I performed this activity (2 years back) it was not possible; however, I think SAP has now provided the functionality.
In case you are unable to find the option in the Upgrade Center, or are getting any error, I would suggest raising a ticket and checking with the product team. They will be able to fix it from the backend.
Regards
sushil
Thank you Sushil for this insightful blog.
I currently have SuccessFactors set up on IAS with Azure AD as corporate IDP, but there are some employees that don't have email addresses on Azure AD and so they can't log in to their SF account. My question is whether there is a way to have those users log in to SuccessFactors with their login name and password without being redirected to Azure AD authentication.
Hi Ahmed,
You can use IAS as the identity provider for all the external users who don't have email IDs in your Azure AD, or whose accounts you don't want to create in Azure AD.
In this case, users and their passwords are maintained in IAS.
Now you can have 2 scenarios:
One is that you are using IAS as a proxy to Azure AD and not using the rule-based conditional authentication option (meaning in the default option you select your Azure AD directly). In this case a check box will be visible to enable, which will provide you a URL that all external users can use to log in to SuccessFactors with their login name and password managed in IAS.
You will need to maintain different URLs for SSO and external users, as it was earlier in the SuccessFactors environment. This is also called partial SSO.
Another scenario: you have created a rule in conditional authentication to redirect users with a specific domain name to Azure AD and kept the default option as IAS. In this case all users get a prompt to enter their email ID or login name on the first screen, and then as per the rule it takes them either to Azure AD or to enter a password (for the external user case when you manage their user in IAS).
This one has the advantage that no additional URL needs to be maintained. But on first login users get a prompt to enter their email.
Check this SAP Note for more details:
https://userapps.support.sap.com/sap/support/knowledge/E/2954556
Regards
Sushil K Gupta
Thank you for the explanation Sushil.
In the second scenario you said users can log in to Azure AD with their email ID or login name, but it seems to me users can log in only using their email ID. Is there an option to use the login ID as the unique identifier that the user can log in with and get mapped to SF?
Regards,
Ahmed.
Hi Ahmed,
I didn't understand your second statement where you mentioned login ID, Azure AD, unique identifier and mapping to SF. Please share more details on this.
Please note that the SNI (subject name identifier), which is used to perform the mapping in the SAML SSO scenario, and what users use to log in can be different.
What I mentioned is: in the second scenario, as per the rules configured by you, users authenticate either in Azure AD (they log in the way they log in to Azure AD; nothing changes here), else they are prompted to enter a password (users maintained in IAS).
IAS has an option to enable login aliases (check the IAS documentation); this can help users log in to IAS with a password using more than one option, like email, login ID, first name, etc. You can enable them as per your requirement.
Let me know if you have any more doubts! Happy to help!
Thanks and Regards
Sushil K Gupta