
IAS integration with SAP SuccessFactors Application – 3 (Activation and Testing)

Introduction

The configuration for integrating IAS (Identity Authentication Service) with SAP SuccessFactors is complete. To understand the steps that were followed to perform the configuration, refer to the blog posts below:

Blog 1: IAS integration with SAP SuccessFactors Application – 0

Blog 2: IAS integration with SAP SuccessFactors Application – 1

Blog 3: IAS integration with SAP SuccessFactors Application – 2 (Sync users using Identity Provisioning Service (IPS))

Optional: For a better understanding of the integration of IAS with the SAP SuccessFactors (SF) application, read the blogs below:

Blog 4: Why Identity authentication is required for SAP SuccessFactors Application

Blog 5: Identity Authentication Service (IAS) Configuration approach with SAP SuccessFactors Application

 

In this blog post we will discuss activating the configuration and test the different scenarios.

 

Important

To activate the configuration, we will perform the second upgrade in the Upgrade Center of the SAP SF application.

Once you activate the configuration (Activate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration):

  • All requests will be redirected to IAS by default and, as per the configuration performed in IAS, users will authenticate in IAS or in one of the corporate identity providers (in our scenario: Corporate IDP 1 – India region, or Azure AD).
  • Once the configuration is activated successfully, you can't go back.
  • I strongly recommend not performing the second upgrade if you haven't completed the prerequisites.

 

Let's get started!

Testing Scenario

We will test 3 scenarios for which we have performed the configuration:

  • Password user
  • SSO to Azure AD
  • SSO to Corporate IDP 1 – India region

Continue Implementation Steps

Perform the second upgrade in the Upgrade Center of the SAP SuccessFactors application – Activate the integration between IAS and SAP SuccessFactors

Testing is part of this upgrade, and only when testing is successful will it give you the option to go ahead with the upgrade.

  • You can test only 1 scenario and, if it is successful, it will give you the option to activate the configuration.
  • You can cancel on the last screen and repeat the same steps to test all the scenarios. Make sure not to activate the configuration until all scenarios are tested; otherwise a failing scenario won't work after activation and you will need to fix it after activation.

 

Testing 1: Password user scenario

  • Log in to the SAP SF application
  • Go to Upgrade Center and select Platform
  • Click on the upgrade – Activate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration
  • Click on Upgrade Now
  • Click on Test Now
  • It will redirect you to the IAS screen. This screen looks exactly like what users will see after activation is completed. Enter the username or email address of the user and click Continue
  • Enter the password and continue
  • Authentication successful
  • Click on Yes if you want to continue. You can click Cancel and test another scenario

 

Testing Scenario 2: For Azure AD users

In this scenario, mapping is enabled in IAS (the option USE IAS USER STORE is enabled), and the username and email address are different in the SAP SF application.

  • Clear browser cookies and close the browser
  • Log in to SF, perform the upgrade again and click on Test Now
  • Enter the email address of the user (Azure AD user – test@def.com)
  • It will redirect you to the Azure AD screen. If you are already logged in to Azure AD (in case you are on VPN), it will log you directly in to the SAP SF application. If you are not logged in to your Azure AD account, it will ask you for the password
  • Authentication successful
  • Now you can activate the configuration by clicking on Yes, or cancel it to test the other scenario

 

Testing Scenario 3: For Corporate IDP – India Region users

In this scenario, mapping is not enabled in IAS, and the username and email address are the same in the SAP SF application.

  • Clear browser cookies and close the browser
  • Log in to SF, perform the upgrade again and click on Test Now
  • Enter the email address of the user (Corporate IDP – India region user – test@def.com)
  • The user is redirected to the Corporate IDP
  • Authentication successful
  • Now you can activate the configuration by clicking on Yes
  • Usually it doesn't take more than 1 or 2 minutes to activate the configuration

After activating the configuration, you can run all the test scenarios again to confirm that everything is working as expected.

 

Frequent questions from Users

How to check the error in case testing fails?

You can install a Google Chrome extension called SAML tracer and then start capturing the trace while reproducing the issue. This can help you in troubleshooting.
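As an added example (not from the original post or from SAP), the sketch below checks the timestamps and Recipient in a base64 SAMLResponse copied from a SAML tracer capture, which is where clock differences between an IdP and the service provider become visible. The ACS URL, the two-minute skew tolerance and the sample response are assumptions constructed for illustration, and the XML signature is not verified.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": A}

def _ts(value):
    # SAML xs:dateTime is UTC, e.g. 2024-01-01T10:10:00Z; drop any fractional seconds.
    base = value.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_time_windows(response_b64, now, acs_url, skew=timedelta(minutes=2)):
    """Findings for timestamp/recipient checks; skew tolerance is an assumed value.
    Diagnostic only: the XML signature is NOT verified here."""
    root = ET.fromstring(base64.b64decode(response_b64))
    findings = []
    for a in root.iter(f"{{{A}}}Assertion"):
        if _ts(a.get("IssueInstant")) - skew > now:
            findings.append("IssueInstant is in the future (IdP clock ahead?)")
        windows = [("Conditions", c) for c in a.findall("saml:Conditions", NS)]
        windows += [("SubjectConfirmationData", d) for d in a.findall(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)]
        for name, el in windows:
            nb, noa = el.get("NotBefore"), el.get("NotOnOrAfter")
            if nb and now + skew < _ts(nb):
                findings.append(f"{name}: not yet valid, NotBefore={nb}")
            if noa and now - skew >= _ts(noa):
                findings.append(f"{name}: expired, NotOnOrAfter={noa}")
            if name == "SubjectConfirmationData":
                if not noa:
                    findings.append(f"{name}: NotOnOrAfter missing")
                if el.get("Recipient") != acs_url:
                    findings.append(f"{name}: Recipient does not match ACS URL")
    return findings

# Constructed sample: an IdP whose clock runs 10 minutes ahead of the SP.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="{A}"><saml:Assertion IssueInstant="2024-01-01T10:10:00Z">
  <saml:Subject><saml:SubjectConfirmation
    Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    NotOnOrAfter="2024-01-01T10:15:00Z" Recipient="https://sp.example.com/acs"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:10:00Z"
    NotOnOrAfter="2024-01-01T10:15:00Z"/></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    sp_now = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    for f in check_time_windows(SAMPLE_B64, sp_now, "https://sp.example.com/acs"):
        print(f)
```

Pass the time of the service provider as `now` (not the workstation's, if they differ) so the findings reflect what the receiving side would see.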

 

What will happen if the upgrade fails? Will users be able to log in?

If the upgrade fails, you can fix the issue and re-trigger it within the next 30 days. Until the upgrade is successfully completed, users will continue to authenticate the way they did before, without any issues.

 

In this blog post you have learnt the steps to perform when activating and testing the IAS integration with SAP SF.

Please let me know your thoughts about the blogs in the comment section.

Thank you!

10 Comments
  • Hi!!!

    Thanking you for your guidance, I have a question, in my case we are implementing an IdP of our own development in the company, but it has not been able to communicate with IAS. What characteristics should the IdP have so that it can be related to IAS? If you had a note (KBA) or a guide, I would appreciate it very much.

    Regards

    Miguel

    • Hi Miguel,

      Only compatibility concern can be - Your Identity Provider should support SAML 2.0 (which IAS uses for SSO configuration).

      Please find the standard note and document - which you can follow:

      Central note for IAS integration with SAP Success Factors:

      2791410 - Integrating SuccessFactors with SAP Cloud Identity Authentication Through the Upgrade Center

      https://launchpad.support.sap.com/#/notes/2791410

      Guide:

      https://help.sap.com/viewer/568fdf1f14f14fd089a3cd15194d19cc/2011/en-US/fb069584363a4df08aad42315cebdd6d.html

       

      Do let me know if you have any other questions !

      Regards

      Sushil K Gupta

      • Hi Sushil Gupta

        Thanking you for your answer, I tell you that we reviewed at the technical provider level and it tells me that they now have communication, but when trying to test the following error is generated:

        "None of the subject confirmations in the SAML2Assertion is valid.None of the subject confirmations in the SAML2Assertion is valid" related to the issue of synchronization of hours between portal people and IAS with the values of "issue instant", "notBefore", "notOnOrAfter"

        Although the values are within the ranges of the image, it still cannot be synchronized with IAS, please review and correct. The range between notBefore and notOnOrAfter may be very long. notOnOrAfter.

        Do you have any idea what could be happening?

        Thanking you for your help

        Miguel

        • Hi Miguel,

          If configurations are performed correctly and your IDP supports SAML2.0 then it should work.

          Never seen this error(might be Identity provider specific). Kindly raise a ticket with SAP regarding this. They may help you with this query.

          You can try using SAML tracer (extension in Chrome) for better troubleshooting.

           

          Regards

          Sushil K Gupta

  • Hi Sushil Gupta

    Thank you for your excellent blog!!

    Always helps a lot in IAS field.

    Could you please confirm if my understanding is correct?

    1. So even the url is same, these three group users will login through different Login Screen? (I understand only the first time require all user to login IAS firstly.)
    2. for the Azure authentication and Corporate IDP india authentication users, the password is not saved and managed in IAS?
    3. if yes, is the password policy different?
    4. if yes, is the email template different when a user change their password?
    5. if yes, is the authentication identifier different too? for example, Azure user login using email but IAS user login through user name

    Look forward to hearing from you.

    Have a wonderful day!!

    bojun

    • Hi Bojun,
      Please find my inputs below:

      1. So even the url is same, these three group users will login through different Login Screen? (I understand only the first time require all user to login IAS firstly.)

      Users will be presented the IAS screen (with some custom changes which you can perform, like logos etc.), and once the user enters the email address (or login name) the user will be redirected to the IDPs (configured). Next time the IAS screen won't come until the user clears the browser cookies.

      2. for the Azure authentication and Corporate IDP india authentication users, the password is not saved and managed in IAS?

      Yes, correct.

      3. if yes, is the password policy different?

      Yep, whatever is used at IDP level.

      4. if yes, is the email template different when a user change their password?

      It will be specific to the IDP level; you can check with the identity provider. No password is managed in IAS.

      5. if yes, is the authentication identifier different too? for example, Azure user login using email but IAS user login through user name

      You can enable different logins (attributes) in IAS, in tenant settings in Logon Alias (then you can enter email address or login name, as per your choice; it will work the same).

      Because IAS has the email address also, all users can use their email address, even on the IAS screen, so that they need not remember the SF username (login name in IAS). Users will just know their email address; once they enter it, it will authenticate with their accounts in Azure AD.

      Hope it was helpful !

      Regards

      Sushil K Gupta

  • Hi Sushil,

     

    We have implemented IAS and IPS and in Preview instance only but due to some data challenges we are still finding our ways with the Transformations to accommodate that.

    However I would like to challenge one of your statements that the functionality cannot be rolled back once activated.

    So as per my understanding, SAP provides 30 days window to roll back any upgrade done via upgrade center, after which you cannot roll it back. So that's standard process.

    However with regards to IAS/ IPS, we have observed that if we remove the Token from the Provisioning --> SSO Settings then we are able to achieve the roll back or kind of Switch to Toggle between IAS and normal legacy login window.

    Please share your views and correct me if I am wrong.

    The whole intention is to understand we are not mistaken and not stuck once we go live in Production.

     

    Thanks & Regards

    Varun

     

     

    • Hi Varun,

      Good question.

      My understanding comes from the statement from SAP Standard guide - Click here for more detail

      >>

      If the upgrade fails for some reason, use the Undo option in Upgrade Center, within 30 days, to rerun the upgrade after you’ve resolved the cause of the failure. If you're not sure why the upgrade failed or how to fix it, contact SAP Cloud Support.

      <<

      In case you are getting the option to undo it after successful integration, we should report it to SAP so that they can update their standard guide. I haven't got the option to undo the changes once I have performed the upgrade.

      Also my understanding is  -

      we should not do the changes manually until the upgrade fails due to some reason.

      I think initially it was performed manually and a lot of users have got many issues - that's why SAP has simplified the process to perform it using upgrade center. (and no super admin privilege is required for this - like we require for SSO provisioning)

       

      I do have one question -

      In case after successful integration you perform changes and remove the Token from the Provisioning --> SSO Settings. (I believe you have already performed the second upgrade (activation))

      Then is the second upgrade visible in upgrade center to perform the integration again? or you will need to manually switch it back to IAS? and after switching it back -

      does it work fine in case you have configured multiple corporate IDPs in IAS? (because I feel after integration all corporate IDPs are visible as assertion parties in SAP SF and IAS takes the decisions using conditional authentication).

       

      Reason for this question is -

      • For customers that already upgraded using only 2 IAS tenants, SAP as of this moment is not retrofitting instances to allow 1SF-1IAS integration on already migrated instances.
      • SAP Note

      This can be helpful for these customer who are facing this.

      Let me know your thoughts on this !

       

      PS: My purpose of writing the blogs was to explore more on this topic, and I think now it's serving the purpose 🙂

      Regards

      Sushil K Gupta

       

       

  • Hi Sushil,

    Thanks for all your deep analysis and sharing useful information.

    Actually we never experienced failure while activating the feature via Upgrade Centre and now it shows in Completed Upgrades without an Undo option.

    So SAP and You were quite right that once activated you cannot roll back, but that was just about the feature.

    However this all IAS thing, at least for our instance where SSO is enabled via Token based, we are able to deactivate the whole setup by just removing the Token and can re-enable once we put that same token In.

    This doesn't impact any configuration we have done in IAS/IPS or the Feature Enablement in the BizX - Upgrade Centre at all, so maybe the Token in Provisioning just bypasses the whole IAS setup, if keyed in and when keyed out works perfectly as feature is already enabled.

     

    Hope that answers and clarifies, for your other areas, I will have a look, Review and will then come back.

    But Thank you so much for the clarification.

     

    Cheers

    Varun