Author: Sushil Gupta

IAS integration with SAP SuccessFactors Application – 2 (Sync users using Identity Provisioning Service(IPS))

Introduction:

Identity Provisioning Service (IPS) is a very handy tool to sync all the users from SAP SuccessFactors to IAS using sync jobs, which you can schedule to run automatically at a fixed interval (minimum 30 minutes). Once it is configured, everything runs automatically with minimal manual intervention.

This blog post focuses on the Identity Provisioning Service (IPS) configuration, password migration, and completing all the requirements before Identity Authentication Service (IAS) is activated for the SAP SuccessFactors application.

This blog post is part of a series of blogs.

Please read the following first for a better understanding of this post:

Blog 1 – Why Identity authentication is required for SAP SuccessFactors Application

Blog 2 – IAS integration with SAP SuccessFactors Application – 0

Blog 3 – IAS integration with SAP SuccessFactors Application – 1

 

Quick Recap:

The first upgrade is completed and IAS is set up. Now we want to sync all the users from the SAP SuccessFactors application to IAS into different groups; the segregation will be based on the e-mail domain names of the users.

Scenario

IPS: sync all the users from the SAP SuccessFactors application to Identity Authentication Service (IAS).

Password migration configuration in IAS: sync the passwords of SAP SuccessFactors application users to IAS.

(Figure: IPS scenario)

Pre-requisites

IAS admin access: to perform the configuration and changes in IAS.

S-user ID with the IPS_ADMIN role: you need an S-user ID that has the IPS_ADMIN role assigned in the particular IPS tenant to access it. If you performed the first upgrade using your S-user ID, this role is assigned to it automatically.

Continue Implementation steps

IPS Admin Console Tasks

The source system and target system are created by default, with default settings, as part of the first upgrade process.

IPS Source System – SAP Success Factors Application

Log in to IPS using the S-user ID you used to initiate the first upgrade, or any S-user ID that has the IPS_ADMIN role.

Properties

  • Check the details below:
    • The “User” field is in the format “IPS administrator account ID”@“SAP SuccessFactors Company ID”
    • The “URL” field is the URL of the SAP SuccessFactors source system
    • Edit the entry and enter the password of the IPSADMIN user, which we reset in the previous blog post.

Set the following properties:

ips.trace.failed.entity.content – true

  • so that the job logs contain the full details of failed entities in case of errors in the sync job, which makes troubleshooting easier

ips.job.notification.ignored.consecutive.failures – 0

  • to avoid receiving multiple e-mails for the same sync job failing at the interval we defined

Transformation

E-mail address is not a mandatory field in the SAP SuccessFactors application. If, however, the e-mail address is configured as required and unique in IAS, all users with a blank or duplicate e-mail address will fail in the sync job while being written to IAS. Usually the SAP SuccessFactors team maintains a dummy e-mail address, or no e-mail address at all, for test users. To make sure those test users are synced correctly, we can maintain the transformation below:

  • dummy@email.com is the dummy e-mail address the SAP SF team assigns to all test users
  • somethingRandom.com can be anything that does not point to an actual domain
{
  "condition": "!($.email EMPTY false) || $.email == '' || $.email == ' ' || $.email == 'dummy@email.com' ",
  "sourcePath": "$.username",
  "targetPath": "$.emails[0].value",
  "functions": [
    {
      "type": "concatString",
      "suffix": "@somethingRandom.com"
    }
  ]
},

For more details, follow the SAP Guided Answers.

Jobs:

Sync jobs consist of two parts, and you may get errors in either of them, depending on the restrictions of the different systems:

  • reading entries from the source system
  • writing entries to the target system

You can schedule the read job as required; the minimum interval is 30 minutes. It will then run the read job automatically at that interval.

IPS target System – Identity Authentication Service(IAS)

  • Check the details below:
    • The “User” field is the System Administrator user created in IAS.
    • The “URL” field is the URL of the target IAS tenant.

Properties:

ips.delete.existedbefore.entities: true

  • to perform the cleanup: users that have been removed or set as inactive in the SAP SuccessFactors application are deleted from IAS

scim.user.unique.attribute: userName

  • This way, if Identity Provisioning reads two different users with the same e-mail, it will try to resolve the second one by user name. Since these two users have different user names, the second entity fails with a duplicate e-mail error, which you will see in the Job Logs. This approach is safe because it won’t affect the successfully created users in the target system, and only prompts you to correct the SAP SuccessFactors e-mails of the newly added conflicting users.
  • If we don’t set it, a newly read user would overwrite an existing (different) IAS user that has the same e-mail address, which may cause issues for both users.

Transformation

We can maintain a transformation here to route users with specific e-mail domains to specific groups in IAS.

For example:

@abc.com to the DEV_IDP1 group (say, for the India region)

@def.com to the DEV_AzureAD group (for Azure AD)

{
  "condition": "$.emails[0].value =~ /.*@abc.com.*/",
  "constant": "DEV_IDP1",
  "targetPath": "$.groups[0].value"
},
{
  "condition": "$.emails[0].value =~ /.*@def.com.*/",
  "constant": "DEV_AzureAD",
  "targetPath": "$.groups[1].value"
},
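To check transformation logic like the rules above before a sync job runs, here is an added Python example written for this post (it is not the author's configuration and not IPS code). It applies the source-side e-mail fallback and the target-side domain-to-group routing to constructed sample records. The values dummy@email.com, somethingRandom.com, DEV_IDP1 and DEV_AzureAD come from the post; the function names, the sample users and the SCIM-style output shape are assumptions. It goes beyond the post in one respect: the domain match is anchored on the end of the address and is case-insensitive, so an all-uppercase domain is still routed and a look-alike domain such as abc.com.example.net is not.

```python
import re

# Values from the post: the dummy address the SAP SF team assigns to test
# users, and a replacement domain that does not point to a real domain.
DUMMY_EMAIL = "dummy@email.com"
FALLBACK_DOMAIN = "somethingRandom.com"

# Domain -> IAS group routing, mirroring the post's two target-system rules.
# Assumption (tighter than the post's /.*@abc.com.*/): the pattern is anchored
# at the end of the address and matched case-insensitively, so
# "x@abc.com.example.net" does not land in DEV_IDP1 while "X@ABC.COM" does.
GROUP_RULES = [
    (re.compile(r"@abc\.com$", re.IGNORECASE), "DEV_IDP1"),
    (re.compile(r"@def\.com$", re.IGNORECASE), "DEV_AzureAD"),
]


def source_transform(sf_user):
    """Source-system rule from the post: when the SF e-mail is missing, blank,
    whitespace-only or the dummy address, derive one from the username."""
    email = sf_user.get("email")
    if email is None or email.strip() == "" or email == DUMMY_EMAIL:
        email = f"{sf_user['username']}@{FALLBACK_DOMAIN}"
    # Minimal SCIM-style user resource, as handed to the target step.
    return {"userName": sf_user["username"], "emails": [{"value": email}]}


def target_transform(scim_user):
    """Target-system rule from the post: add one group membership per matching
    e-mail domain. Users matching no rule get no group at all."""
    email = scim_user["emails"][0]["value"]
    groups = [{"value": group} for pattern, group in GROUP_RULES if pattern.search(email)]
    return {**scim_user, "groups": groups}


def provision(sf_users):
    """Run both transformation steps over a batch of SF records."""
    return [target_transform(source_transform(u)) for u in sf_users]


# Constructed sample records (not real SF data).
SAMPLE_USERS = [
    {"username": "test1"},                                      # no e-mail attribute at all
    {"username": "test2", "email": " "},                        # whitespace-only e-mail
    {"username": "test3", "email": "dummy@email.com"},          # shared dummy address
    {"username": "alice", "email": "alice@abc.com"},
    {"username": "bob", "email": "BOB@DEF.COM"},                # uppercase domain
    {"username": "carol", "email": "carol@other.example"},      # matches no rule
    {"username": "dave", "email": "dave@abc.com.example.net"},  # look-alike domain
]


def sample_result():
    return provision(SAMPLE_USERS)


if __name__ == "__main__":
    for user in sample_result():
        print(user["userName"], user["emails"][0]["value"],
              [g["value"] for g in user["groups"]])
```

IPS itself evaluates the JSON conditions; this script only mirrors them so you can see which sample users would be routed to which group and which would fall through with no group, including the three test users that receive a generated address.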

 

Password migration

Go to Identity Providers in IAS > Source System Configuration > click Add

  • Select Source System Type: SuccessFactors
  • Company ID: the company ID of the SAP SuccessFactors instance
  • Authentication URL: see the SAP documentation for the URL details
  • Technical user: IPSADMIN@companyID
  • Technical user secret: the password of the IPSADMIN user
  • First logon behavior
    • A user whose password does not meet the password policy requirements of the application must reset or change it after the first logon. Choose one of the following options:
    • change password or reset password

Transformation

Maintain the following in the IPS target system (Identity Authentication Service).

Replace companyID with the company ID of the SAP SuccessFactors instance to be connected.

{
  "constant": "companyID",
  "targetPath": "$.sourceSystemId"
},
{
  "constant": "100",
  "targetPath": "$.sourceSystem"
},
{
  "constant": "enabled",
  "targetPath": "$.passwordStatus",
  "scope": "createEntity"
},
{
  "constant": "false",
  "targetPath": "$.sendMail",
  "scope": "createEntity"
},
{
  "constant": "true",
  "targetPath": "$.mailVerified",
  "scope": "createEntity"
}

 

Add the IAS IP addresses to the IP address restrictions of the IPSADMIN user.

For the IP address details of IAS, see the SAP documentation.

 

Configurations are complete.

We will continue with the activation of IAS for the SAP SuccessFactors application and perform some testing in the next blog post!

 

Frequent questions from users

 

How does IPS sync the users? What protocol does it use?

IPS uses the SCIM (System for Cross-domain Identity Management) API.

 

I can’t see many details in the error logs. How can I see more details about the failed users in IPS?

Set the IPS property ips.trace.failed.entity.content = true on the target system (IAS).

 

IPS configuration is completed and I have even set the property ips.delete.existedbefore.entities, but the cleanup doesn’t happen. When users are deleted in the SAP SuccessFactors application, they are not deleted automatically in the next IPS user sync (neither the read job nor the full sync job)?

Note that the sync job logs in IPS must not show any failed entity in the source system. Once all users that have issues and are failing in the source system are fixed, the cleanup will work.

Users usually fail in the source system:

  • if required entries are not maintained correctly: first name, last name
  • if the Person GUID (UUID) in SAP SuccessFactors is empty. Usually it is an automated value assigned to users, but in some scenarios it is empty, and then the user fails in the sync job
  • if the e-mail address is not in a valid format (whatever@domain.com). Sometimes, during test user creation, the SAP SuccessFactors team assigns a random value such as asdfj as the e-mail address.
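The read-job failure reasons listed above, together with the duplicate-e-mail behaviour of scim.user.unique.attribute = userName described under the target system properties, can be checked before a sync run rather than discovered in the job logs ten users at a time. The following Python script is an added example written for this post (not IPS code and not the author's configuration) and runs offline over constructed sample records. The attribute names firstName, lastName, email and username match the IPS sync entries listed later in the post; personGuid is a hypothetical flat field standing in for the Person GUID that IPS reads via personKeyNav, and the e-mail regex is an assumption about what "correct format" means.

```python
import re

# Loose shape check: something@domain.tld with no whitespace. Assumption: the
# post only says the format must look like whatever@domain.com; the real IAS
# validation is stricter and may reject more.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
REQUIRED_NAME_FIELDS = ("firstName", "lastName")


def check_user(user):
    """Reasons this SuccessFactors record would fail the IPS read job, per the
    post's list: missing first/last name, empty Person GUID, malformed e-mail.
    A blank e-mail is *not* a failure here (the source transformation fills it)."""
    reasons = []
    for field in REQUIRED_NAME_FIELDS:
        if not (user.get(field) or "").strip():
            reasons.append(f"missing {field}")
    # 'personGuid' is a hypothetical flat attribute standing in for the Person
    # GUID that the real SF payload exposes via personKeyNav.
    if not (user.get("personGuid") or "").strip():
        reasons.append("empty Person GUID")
    email = (user.get("email") or "").strip()
    if email and not EMAIL_RE.match(email):
        reasons.append(f"malformed email {email!r}")
    return reasons


def find_duplicate_emails(users):
    """E-mail addresses shared by more than one userName (compared case-insensitively).
    With scim.user.unique.attribute = userName the second such user fails with a
    duplicate-e-mail error in the write job instead of overwriting the first in IAS."""
    by_email = {}
    for u in users:
        email = (u.get("email") or "").strip().lower()
        if email:
            by_email.setdefault(email, []).append(u["username"])
    return {e: sorted(names) for e, names in by_email.items() if len(names) > 1}


def presync_report(users):
    """Summarise what the read job and the write job would complain about.
    'cleanup_possible' reflects the post's note that ips.delete.existedbefore.entities
    only removes users once no entity fails on the source side."""
    failed = {}
    for u in users:
        reasons = check_user(u)
        if reasons:
            failed[u["username"]] = reasons
    return {
        "failed": failed,
        "duplicate_emails": find_duplicate_emails(users),
        "cleanup_possible": not failed,
    }


# Constructed sample records (not real SF data); each exercises one case.
SAMPLE_USERS = [
    {"username": "ok1", "firstName": "Ada", "lastName": "Lovelace",
     "personGuid": "guid-0001", "email": "ada@example.com"},
    {"username": "noln", "firstName": "Bo", "lastName": "",
     "personGuid": "guid-0002", "email": "bo@example.com"},
    {"username": "noguid", "firstName": "Cy", "lastName": "Ng",
     "personGuid": "", "email": "cy@example.com"},
    {"username": "bademail", "firstName": "Di", "lastName": "Rao",
     "personGuid": "guid-0004", "email": "asdfj"},
    {"username": "dup_a", "firstName": "Ed", "lastName": "Kim",
     "personGuid": "guid-0005", "email": "Shared@example.com"},
    {"username": "dup_b", "firstName": "Fay", "lastName": "Lo",
     "personGuid": "guid-0006", "email": "shared@example.com"},
    {"username": "blank", "firstName": "Gus", "lastName": "Ali",
     "personGuid": "guid-0007", "email": ""},
]


def sample_report():
    return presync_report(SAMPLE_USERS)


if __name__ == "__main__":
    report = sample_report()
    for name, reasons in report["failed"].items():
        print(f"{name}: {', '.join(reasons)}")
    for email, names in report["duplicate_emails"].items():
        print(f"duplicate e-mail {email}: {names}")
    print("cleanup possible:", report["cleanup_possible"])
```

Run against an export of the users the sf.user.filter would select, the report tells you which records to hand back to the SAP SuccessFactors team before the read job runs, and whether the cleanup of removed users can be expected to work in the next run.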

 

The number of users that failed in the user sync is much higher than the number of entries visible in the IPS logs?

It's a restriction from SAP that users can't see all the logs. You can request SAP to provide the details, or fix the users in batches of 10: fix 10 users, run the sync job, then fix the next 10. This is how I did it.

 

Our SAP SuccessFactors application contains users' personal data, and we don't want to sync users' personal details to IAS because of data security concerns. Why would we expose user data to another application?

IPS won't sync any personal data of users from your SAP SuccessFactors application. It only syncs the few fields that IAS needs to map and segregate users.

IPS sync entries:

userId,username,status,email,lastName,firstName,lastModifiedDateTime,personKeyNav

No personal data is synced. Don't worry!

 

Can we get a notification when an IPS sync job fails, so that we can ask the SAP SuccessFactors team to fix the users?

You can enable notifications so that you receive an e-mail:

Go to Source system – SAP SuccessFactors-companyID > Jobs > Subscribe (you should find the button in the bottom right corner) > enter a display name and e-mail address, and voilà, you will now receive the e-mail notifications.

Please note:

  • You can configure how often you want to get the notification using these parameters:
    • ips.job.notification.ignored.consecutive.failures: If you have activated notifications for a source system and a provisioning job fails, you’ll receive notification e-mails with the subject "Provisioning Finished with Error". You can also receive an e-mail if you manually stop a running job.
    • ips.job.notification.repeat.on.failure: With this property, you can control the frequency of the received notifications.

 

Does IPS do the password migration? Will it create any temporary files while reading passwords?

IPS does not perform the password migration. No passwords are read by IPS.

For password migration, we set up the source system configuration in IAS. The password is migrated only once per user: when the user logs in to SAP SuccessFactors via IAS and the login is successful, the password is stored in IAS, and from then on IAS takes care of password management.

  • If the password does not meet the IAS password policy we set, the user is asked to change the password on the first login.
  • From then on, if users want to reset their password, they can use the forgot password option or ask the IAS admins to reset it.
  • Kindly don’t reset the password in SAP SuccessFactors after this, because IAS now manages the passwords and a password reset in the SAP SuccessFactors application will not work.

 

Can I add more S-user IDs as administrators to IPS, and how do I assign the IPS_ADMIN role?

Yes. To assign the IPS admin role:

  • click Authorizations > Add > enter the S-user ID and enable Manage Identity Provisioning

 

In this blog post you have learned about the IPS and password migration configurations. Please share your views about the blog post and let me know in case there are any questions!

See you in the next blog post!

Comments (20)
      Barbara Silva

      Hi,

      When configuring source system details sf.user.filter to define which users will be provisioned to IAS, should we also pull to IAS inactive users or just active users?

      If anyone could clarify this, I would really appreciate.

      Thanks a lot.

       

      Sushil Gupta
      Blog Post Author

      Hi Barbara,

      No, we should not include inactive users.

      Let's think it through: why would we want to sync the inactive users?

      If a user is inactive in SAP SuccessFactors, it is not required. If it is required and activated (using the employee import option or any other way) in future, our IPS sync job (which you can configure to run every half an hour) will sync it to your IAS, and the user can authenticate and log in after half an hour (once the user is synced to IAS).

       

      If an inactive user is synced to IAS (a user that is inactive in your SAP SuccessFactors application), then when the authentication happens and control is passed back to the SAP SF application, it will fail because the user is inactive in the SAP SF application.

      >>>

      How can I test this:

      Make the user active and sync the user to IAS using the full sync job or the read job.

      Now make the user inactive in SF and do this testing before another sync job runs, so that it won't automatically delete the inactivated user.

      Try logging in with your inactive user. It will fail when authentication is successful and control is transferred to the SAP SF application.

      <<<

      To do some testing before syncing all the users, you can add an "and" condition to your sf.filter with a few users and test, in case you want.

      example:  “status eq ‘active’ and username in ‘Test1’ , 'Test2'

       

      If you want to include "inactive" users, you can, but it will just fill the IAS user store with users that do not serve any purpose.

      Let me know your thoughts on this !

       

      Thanks and Regards

      Sushil K Gupta

      Barbara Silva

      Thank you for your explanation, very enlightening!

      Best regards

      Janek Niefeldt

      I also tried to create a group assignment based on the user's e-mail. However, the condition you mentioned did not work for me.

      "condition": "$.emails[0].value =~ /.*@abc.com.*/",

      Turns out this condition is case sensitive. If you change it to the following it will also work for all-uppercase emails:

      "condition": "$.emails[0].value =~ /.*@(?i)abc.com/",

      Sushil Gupta
      Blog Post Author

      Hi Janek,

      Your observation is correct, it's case sensitive. When I was doing the implementation, this was a constraint, and I asked users to maintain the e-mail address in one specific format (which I maintained in the conditions).

      Thanks a lot for sharing this! It can be a solution to remove the constraint on users to maintain a specific format for the e-mail address.

       

      Thanks and Regards

      Sushil K Gupta

      Suporte Externo

      Hi Sushil,

      Thanks for these blog posts on IAS - truly helpful.

      Just one note: I believe this setting no longer exists in source system properties:

      ips.job.notification.ignored.consecutive.failures – 0

      to avoid getting multiple emails for same sync job failing at a particular interval of time(defined by us)

      At least, I haven't been able to locate it in our IPS.

      Also, regarding the source system URL, could you please confirm if it is enough to have only https://api2preview.sapsf.eu/odata/v2/ (this is what we got pre-defined) or should it really be replaced by the actual link we use to access to SF, such as https://hcm2preview.sapsf.eu/login?company=companyidxxxx#/login

      Thank you!

      Best Regards,

      Dália Martins


      Sushil Gupta
      Blog Post Author

      Hi Dália Martins,

      Thank you. Please find my inputs below:

      >>

      Just one note: I believe this setting no longer exists in source system properties:

      ips.job.notification.ignored.consecutive.failures – 0

      <<

      It is possible. This tool keeps getting updated; I also observed changes in IAS and IPS.

      As I understand it:

      User sync is a two-step process.

      First, IPS reads users from SF; some users might fail due to some issues (missing first name, last name, or an empty personGUID field).

      Second, it writes the users to IAS; users might fail here due to some issues too.

      If any of the above happens, it is a job failure, and it may show "succeeded with errors".

      Now, if this property in the target system (IAS) does the job, i.e. it doesn't send continuous notifications to users after a job failure, I think we are good, as it does the job.

      Try checking with SAP on this.

       

      Regarding

      >>

      Also, regarding the source system URL, could you please confirm if it is enough to have only https://api2preview.sapsf.eu/odata/v2/ (this is what we got pre-defined) or should it really be replaced by the actual link we use to access to SF, such as https://hcm2preview.sapsf.eu/login?company=companyidxxxx#/login

      <<<

      Keep the default URL.

      Actually, IPS uses the SCIM protocol to read and write users at the backend, and it doesn't communicate with the application front end. It requires an API URL (https://api2preview.sapsf.eu/odata/v2/, which you see by default).

      You can also find the URLs for specific tenants in the IAS standard guide.

       

      I suggest using a few users in sf.user.filter and performing tests; it will help you in exploring the scenarios.

      Run the sync job for a few users.

      You can try changing the URLs and check; it will fail with errors.

       

      Please let me know your thoughts on this !

      PS: Keep a backup of default configuration before performing any changes and then you can test the scenarios.

       

      Regards

      Sushil K Gupta

      Jan Roubal

      Hello Sushil,

      we also need to sync inactive users from SF to IAS. Can you please let me know what needs to be changed? Only the filter, or does something else need to be done?

      Thanks a lot

      Jan

      Sushil Gupta
      Blog Post Author

      Hi Jan Roubal,

      Only updating sf.user.filter entry should work.

      >>>

      Let's see a scenario: if we put the filter as “status eq ‘active’ and username in ‘Test1’ , 'Test2'

      in this case, IPS will sync only 2 active users: Test1 and Test2.

      If we update the filter to “status eq ‘active’ and username in ‘Test1’

      it will sync only one active user: Test1.

       

      In both scenarios we haven't changed anything apart from sf.user.filter, and we were able to sync specific users.

      <<<

       

      My question would be about the requirement: why would we want to sync the inactive users?

      Reason for the question:

      The offboarding process of users in IAS is also automated by IPS.

      Logic: if a user is disabled (set as inactive) or deleted in SAP SuccessFactors, the next IPS sync job will automatically remove the user from IAS (if sf.user.filter is set to active).

       

      Let me know your thoughts on this !

      Thanks and Regards

      Sushil K Gupta

      Jan Roubal

      Hi Sushil,

      thanks a lot for your support. The reason why we also need inactive users is as follows:

      We have an external system for signing documents which uses IAS as identity authorization service. To be able to sign documents in our external system, the user needs to be created in IAS first, and we need to sign documents before day 1. For example, the employment contract needs to be signed before the hire date in our external system.

      Do you see any other possibility for managing this?

      Can we also send onboardee users to IAS somehow?

       

      Thanks a lot

      Jan

      Sushil Gupta
      Blog Post Author

      Hi Jan Roubal,

      Thank you for sharing the scenario details. I am able to understand now the reason why you are trying to sync inactive users.

      >>>

      I understand the user is created in SF before joining and set as inactive. This user will be set as active on the joining date. However, before joining, the user needs to access some external system (which is connected to IAS and wants to get authenticated in IAS) and sign something.

      So you are planning to sync the inactive users of SF to IAS so that the user details are auto-created in IAS and users can access the external system using the user that got synced from SF.

      <<<

       

      IAS has one user store only, so the same user can be used to access multiple applications with the same credentials (if IAS acts as the identity provider); you just need to provide the privileges (like accessing SF and the external system in your case).

       

      Answer to your question:

      Can we also send onboardee users to IAS somehow? If onboardee users are created in some other application or corporate IdP, yes, you can sync the users from there to IAS. However, you need to think about whether it's worth the effort.

      If directly syncing inactive users from SF to IAS does the job, then we will not need to manage a different configuration for this.

       

      A few points in case they help in syncing inactive users for you:

      >The final value which we set so that all active users can be synced is

      sf.user.filter                           status="active"

      You can check whether you can use an OR condition in the filter, so that you can put something like this:

      sf.user.filter                           status="active" OR status="inactive"

       

      >In case your configuration is already live and people are using it in IPS, testing might cause issues for existing users. In this case:

      You can create one more source system (with a different name) using the existing SF source system details (try exporting the configuration and importing it, and give it a different name).

      This way you are not disturbing the existing configuration. Now on the newly created source system you can try different values for sf.user.filter, or just use this new configuration to sync inactive users. (In future, if you need to, you can tweak this as per your needs without disturbing the standard configuration that syncs the active users.)

      ** this is not a recommended way but can work in this scenario **

       

      Have a good day !

       

      Thanks and Regards

      Sushil k Gupta

      Jan Roubal

      Hi Sushil,

      Thanks for your support.

      I tested sending inactive EEs from SF to IAS as well. This is working, but unfortunately inactive users from SF are also inactive in IAS, so the account can't be used.

      Do you know some workaround how to solve this?

      Thanks

      Jan

      Sushil Gupta
      Blog Post Author

      Hi Jan Roubal,

      We have default transformations in the source system (SF) and in the target system (IAS). This behaviour must be because of those transformations.

       

      I think it should be possible to tweak the transformations for your scenario and then try to run the job again.

       

      Currently I don't have access to IAS/IPS tenants to perform testing; however, I would suggest you check the standard IPS guide for transformations.

      Something like this (this is not the exact code; try to find it in the standard guide):

      >>>

      {
        "condition": "$.active == false",
        "constant": "f",
        "targetPath": "$.status"
      },

      <<<

      A few suggestions:

      >Check with the SAP IPS team; they might help you with the exact transformation code for your scenario.

      >While writing the users using the SCIM protocol, IPS sets the status (as it got it from SAP SF). Try to search for the specific transformation in the target system for status, and then change it to set users as active.

      >You can set the users as active manually by going to user management or by using CSV import (for mass users); it will be a manual effort (in case it helps).

      PS: If it's creating the user and setting it inactive in IAS, it means it is getting this inactive value from somewhere; just search for that somewhere and change it.

       

      Hope it helps !

       

      Thanks and Regards

      Sushil K Gupta

      Jan Roubal

      Hi Sushil,

      thanks. In my IPS I have found only these parts in the transformation:

      In source system:

      {
      "constant": false,
      "targetPath": "$.active"
      },
      {
      "condition": "$.personKeyNav.userAccountNav.accountStatus =='ACTIVE'",
      "constant": true,
      "targetPath": "$.active"
      },

      and in Target this:

      {
      "sourcePath": "$.active",
      "optional": true,
      "targetPath": "$.active"
      },

      It seems to me there is no part about setting the status as inactive.

      What do you think?

      Thanks

      Jan

       

       

      Deepika B

      Hi Sushil,

       

      My requirement: once the user is created in SF, he is getting the welcome e-mail

      Welcome to SuccessFactors!

      and automatically in IAS the e-mail is showing as verified without even verifying. How can this be rectified?

      We need to get the e-mail "Activate Your Account for SuccessFactors", and it needs to get activated only after this. Kindly help.

       

      Deepika

      Sushil Gupta
      Blog Post Author

      Hi Deepika,

      I understand there might be some issue in the IPS transformation in your scenario.

      The behaviour of the transformation below is:

      Transformation:

      {
        "constant": "false",
        "targetPath": "$.sendMail",
        "scope": "createEntity"
      },
      {
        "constant": "true",
        "targetPath": "$.mailVerified",
        "scope": "createEntity"
      }

      Once a user is created in SuccessFactors, the IPS sync job will create the user in IAS, will not trigger any e-mail to the user, and the mail verified option will be true.

      Now the user logon behaviour will be how we decide:

      >either we can use the source system configuration to use the password of SuccessFactors, or we can create an initial password for every user which gets synced.

       

      Now in your scenario, I suppose the transformation for mail verified is true and the send e-mail attribute is also true. Try updating the IPS transformation and test the behaviour.

       

      There are options in IAS where you can update the template of the e-mail which is sent to users (in case required).

       

      Please let me know if it helps or there are any other doubts !

      Happy to help !

       

      Thanks and Regards

      Sushil K Gupta

      Deepika B

      Hi Sushil,

       

      Thanks for the input. I am going to test it today.

      Yes my transformation is this .

       

      {
      "constant": "true",
      "targetPath": "$.sendMail",
      "scope": "createEntity"
      },
      {
      "constant": "true",
      "targetPath": "$.mailVerified",
      "scope": "createEntity"
      },

       

      If I set mail verified to false, will it trigger an activation e-mail, or do I need to add any more code for the activation e-mail?

      Please advise.

      Deepika B

      Sushil Gupta
      Blog Post Author

      Hi Deepika,

      Just saw your message. Because the first transformation block of code is true, yes, it will trigger the e-mail.

       

      Thanks and Regards

      Sushil K Gupta

      Deepika B

      Hi Sushil,

       

      It worked fine with the transformation code below in the target system.

      {
      "constant": "https://<SF URL>/login#/login",
      "targetPath": "$.targetUrl",
      "scope": "createEntity"
      },
      {
      "constant": "true",
      "targetPath": "$.sendMail",
      "scope": "createEntity"
      },
      {
      "constant": "false",
      "targetPath": "$.mailVerified",
      "scope": "createEntity"
      },

      Thanks for your help.

       

      Deepika B

      Sushil Gupta
      Blog Post Author

      Hi Deepika,

      Good to hear that your issue is resolved.

      Happy to help !

       

      Thanks and Regards

      Sushil K Gupta