Introduction:
Identity Provisioning Service(IPS) comes as a very handy tool to sync all the users from SAP Success Factors to IAS using some pretty cool sync jobs - which you can automate to run at a particular interval of times( minimum 30 minutes). Once you configure it - everything is automated with minimal manual intervention.
This blog post will mainly focus on Identity Provisioning Service(IPS) configuration , Password migration and completing all the requirements before Identity authentication service(IAS) activation with SAP SuccessFactors application.
This blog post is part of a series of blogs
Please read following before to get better understanding about this blog:
blog1 -Why Identity authentication is required for SAP SuccessFactors Application
blog2 -IAS integration with SAP SuccessFactors Application – 0
blog3 -IAS integration with SAP SuccessFactors Application – 1
Quick Recap:
First upgrade is completed. IAS is setup. Now we want to sync all the users from SAP SuccessFactors Application to IAS into different groups - segregation will be based on the domain names of the users.
Scenario
IPS: Sync all the users from SAP SuccessFactors Application to Identity Authentication Service(IAS)
Password Migration Configuration in IAS: To sync the passwords of SAP SuccessFactors Application to IAS.
IPS scenario
Pre-requisites
IAS Admin Access: To perform the configuration and changes in IAS
SUSER ID and IPS_ADMIN role: You will need SUSER ID and IPS admin role assigned to your SUSER ID in particular IPS to access it. If you have performed the first upgrade using your SUSER-ID, you are automatically assigned this role.
Continue Implementation steps
IPS Admin Console Tasks
Source system and Target system are by default created as a part of the first upgrade process with default settings.
IPS Source System - SAP Success Factors Application
Login to IPS using Suser-ID which you used for initiating the first upgrade or having IPS_ADMIN role
Properties
- Check the details below:
- “User” field is in the format “IPS administrator account ID”@”SAP SuccessFactors CompanyID”
- “URL” field is the URL for the SAP SuccessFactors source system
- Edit and enter the password of IPSADMIN user - which we reset earlier in previous blog post.
Set the property:
ips.trace.failed.entity.content - true
- so that you will be able to see the full details in logs in case of errors in sync job for better troubleshooting
ips.job.notification.ignored.consecutive.failures - 0
- to avoid getting multiple emails for same sync job failing at a particular interval of time(defined by us)
Transformation
As email address is not a mandatory field in SAP Success Factors application, however if you are using email address as required and unique in IAS, for all the users which have blank email address or duplicate email addresses will fail in sync job while writing to IAS. Usually a dummy email address or no email address is maintained by SAP SuccessFactors team for test users. To make sure those test users are synced properly, we can maintain the below transformation code:
- In this dummy@email.com - is your dummy email address which is assigned by SAP SF team to all test users
- somethingRandom.com - you can assign anything which is not pointing to some actual domain
{
"condition": "!($.email EMPTY false) || $.email == '' || $.email == ' ' || $.email == 'dummy@email.com' ",
"sourcePath": "$.username",
"targetPath": "$.emails[0].value",
"functions": [
{
"type": "concatString",
"suffix": "@somethingRandom.com"
}
]
},For more details - follow SAP Guided answers
Jobs:
Sync jobs are divided into 2 parts and you many get errors in both as per the restrictions of different systems.
- Reading entries from source system
- Writing entries in target systems
You can schedule the read job as per requirement - minimum time is 30 minutes. It will automatically run the read job with specific interval of time.
IPS target System - Identity Authentication Service(IAS)
- Check the details below:
- “User” field is the same user - create in IAS - System Administrator.
- “URL” field is the URL for the Target IAS
Properties:
ips.delete.existedbefore.entities: true
- to perform the cleanup - delete users from IAS which are removed or set as inactive in SAP SuccessFactors applicaiton
scim.user.unique.attribute : userName
- This way, if the Identity Provisioning reads two different users with the same e-mail, it will try to resolve the second one by user name. Since these two users have different user names, this second entity will fail with an error for duplicate e-mail. You will see it in the Job Logs. This approach is safe because it won't affect the successfully created users in the target system, and will only prompt you to edit the SAP SuccessFactors e-mails of newly added conflicting users.
- if we don't set it, it will overwrite the previous users(different users) with same email address already existing in IAS - which may cause issues for both the users.
Transformation
We can maintain transformation here to redirect the specific users (with specific domain names) to specific groups in IAS.
for example:
@abc.com to DEV_IDP1 group - for lets say India region
@def.com to DEV_AzureAD group - for Azure AD
{
"condition": "$.emails[0].value =~ /.*@abc.com.*/",
"constant": "DEV_IDP1",
"targetPath": "$.groups[0].value"
},
{
"condition": "$.emails[0].value =~ /.*@def.com.*/",
"constant": "DEV_AzureAD",
"targetPath": "$.groups[1].value"
},Password migration
Go to Identity Providers in IAS > Source System Configuration > click on Add
- Select Source System Type - SuccessFactors
- Company ID : Company ID of the SAP SuccessFactors instance
- Authentication URL: For more details regarding URL click here
- Technical user: IPSADMIN@companyID
- technical user Secret - password of IPSADMIN user
- first logon behavior
- User whose password does not meet the password policy requirements of the application must reset or change it after the first logon. Choose one of the following options:User whose password does not meet the password policy requirements of the application must reset or change it after the first logon. Choose one of the following options:
- change password or reset password
Transformation
Maintain in IPS target System - Identity Authentication Service
Replace companyID with companyID of SAP SuccessFactors instance to be connected.
{
"constant": "companyID",
"targetPath": "$.sourceSystemId"
},
{
"constant": "100",
"targetPath": "$.sourceSystem"
},
{
"constant": "enabled",
"targetPath": "$.passwordStatus",
"scope": "createEntity"
},
{
"constant": "false",
"targetPath": "$.sendMail",
"scope": "createEntity"
},
{
"constant": "true",
"targetPath": "$.mailVerified",
"scope": "createEntity"
}Add IAS IP-address to IP address restrictions of IPSADMIN user
For IP address details of IAS Click here
Configurations are completed
We will continue with activation of IAS with SAP Success Factors application and will perform some testing in our next blog!
Frequent questions from users
How IPS sync the users. what protocol it uses ?
IPS using SCIM(System for Cross-domain Identity Management) API.
I can't see much details in error logs. How can i see more details about the failed users in IPS?
Please set IPS property - Target System- IAS - ips.trace.failed.entity.content = true
IPS configuration is completed, i have even set the property - ips.delete.existedbefore.entities, however cleanup don't happen. When users are deleted in SAP Success factors applicaitons, users are not getting deleted automatically in next IPS user sync(both read job and full sync job) ?
Kindly note that in IPS logs of sync job, there should not be any failed entity -in Source system. Once all users which have issues and are failing in source system are fixed. Cleanup will work.
Users usually fails from source system:
- if required entries are not maintained correctly - first name, Last name
- Person GUID(UUID) in SAP SuccessFactors should not be empty. Usually its an automated value assigned to users but in some scenarios if its empty - user will fail in sync job
- email address format should be correct format - whatever@domain.com , sometimes while test user creation - any random value is assigned by SAP SuccessFactors team in email address like asdfj.
Users failed in user sync are much more than the logs visible in IPS?
Its a restriction from SAP that users can't see all the logs. You can request SAP to provide the details or fix the users in batch of 10 users, run the sync job and then fix other 10. I have done like this.
Our SAP SuccessFactors application contains users personal data and we won't want to sync the user personal details to IAS because of data security concerns. Why would we expose the user data to some other application?
IPS won't sync any user personal data from your SAP SuccessFactors application. It will only sync few fields which can help IAS to do the mapping or segregation of users.
IPS sync entries:
userId,username,status,email,lastName,firstName,lastModifiedDateTime,personKeyNav
No personal data is synced. Don't worry !
Can we get notification when IPS job sync fails so that we can inform SAP SuccessFactors team to fix the users.
You can enable the notification - so that you will receive an email
Go to Source system - SAP SuccessFactors-companyID > Jobs > Subscribe(bottom right corner you should find a button) > enter display name and email address and voila you will get the email notification now.
Please note:
- you can configure - how often you want to get the notification using these parameters
- ips.job.notification.ignored.consecutive.failures: If you have activated notifications for a source system and a provisioning job fails, you'll receive notification e-mails with subject Provisioning Finished with Error. You can also receive an e-mail if you manually stop a running job.
- ips.job.notification.repeat.on.failure: With property ips.job.notification.repeat.on.failure, you can control the frequency of the received notifications.
Does IPS does the password migration? will it create any temporary files while reading password?
IPS don't perform the password migration. No passwords are read by IPS.
For password migration, we setup Source system configuration in IAS and password is migrated only once for user - when user login to SAP Success Factor using IAS - once login is successful - password is maintained in IAS and from now IAS takes care of the password management.
- In case password don't support the IAS password policy set by us, It will ask user to change the password on the first login.
- From now , if user want to reset the password - they can use option - forget password or ask IAS admins to do the password reset.
- Kindy don't reset the password in SAP Success factors after this because now IAS is taking care of the passwords and reset password in SAP Success Factors application will not work.
Can i add more Suser-IDs as administrators to IPS and how to provide the IPS_ADMIN role?
Yes to provide IPS admin role
- click on Authorizations > Add >enter SuserID and enalbe Manage Identity Provisioning
In this blog post you have learn about IPS and password migration configurations. Please share your views about the blog post and let me know in case there are any questions !
See you in next blog post !
Click below to move to next step:
- SAP Managed Tags:
33 Comments
