Skip to Content
Technical Articles
Author's profile photo Sushil Gupta

IAS integration with SAP Success Factors Application – Tips and Tricks


In this blog post you will learn some tips which can be followed if you are working on an end to end integration project (IAS integration with SuccessFactors application). It can save a lot of time if you know this information before hand . Also it can help you to plan your timelines in a more effective manner.

(Not useful for any POCs performed for testing or demo purpose)


Kindly read the blogs shared below before so that you are aware about the technical terminologies used in this blog(not mandatory if you are aware about the configuration)

Blog 1:IAS integration with SAP SuccessFactors Application – 0

Blog 2:IAS integration with SAP SuccessFactors Application – 1

Blog 3:IAS integration with SAP SuccessFactors Application – 2 (Sync users using Identity Provisioning Service(IPS))

Blog 4:IAS integration with SAP SuccessFactors Application – 3 (Activation and Testing)

Optional: To get better understanding about integration of IAS with SAP SuccessFactors(SF) application, please read the blogs mentioned below:

Blog 4:Why Identity authentication is required for SAP SuccessFactors Application

Blog 5:Identity Authentication Service(IAS) Configuration approach with SAP SuccessFactors Application


SAP SuccessFactors(SF) Application:

  • Email address is not a mandatory field in SAP SF Application. It can be left empty, multiple users can have same email address.
  • Username field is the identifier for SAP SF application.
  • Username is unique for every user.

SAP Cloud Identity Services – Identity Authentication(IAS)

“New Updates on blog”

Email address can be set as required and unique.

User Identifier






After SSO is configured – if you require users to be able to login with email address, you can keep email address as unique and configured. Below scenarios are only applicable only if email address is unique and required.

    • Email address should be unique for every user.
    • User creation and Password creation are 2 activities in IAS
      • You can create active users in IAS without passwords configured (they can be used in mapping and not for login purpose)
      • When password is configured – user can then perform the authentication in IAS.

SAP Identity Provisioning Service(IPS)

  • User sync process is divided in 2 parts
    • READ – from SAP SF application
    • Write – to IAS

Problem Statement 1:

Mostly in DEV or Preview environment of SAP SF application, users create multiple accounts for them with same email address(because its not a restriction in SAP SF application) or blank email address.

In IAS – if email address is set as unique and required.

When we sync the users from SAP SF application to IAS, first user – read by IPS will be created in IAS and all other users with same email address will fail in User sync.

Example: Users with duplicate email address

user – sushil gupta ,

username (in SF this is unique for every user)

sushil1 – email:

sushil2 – email:

sushil3 – email:

When IPS performs user sync – lets say it reads sushil1 first – in this case sushil1 user will be created in IAS with email address –,

now when it reads sushil2 –

  • Read from SAP SF application is successful, however
  • Write to IAS application fails – because user with same email address( already exist. Same happens with user – sushil3

Multiple users can have this issue and after integration – they will only be able to login with only one user.

Issues which can be faced if its not discussed before/ fixed before activation.

  • We don’t know which user is critical for them and which one is created just for testing purpose.
  • Users won’t be able to login with other users which failed in sync job.
  • Auto full sync won’t run after every 5 read jobs ( as per the standard parameters set in IPS) – because IPS sync job is failing.


3 kind of scenarios can happen

  • Users don’t have email address – blank email address
  • Users have duplicate email address
  • Users have dummy email addresses assigned to multiple users (

How to know how many users have the issue?

Login to SAP SF application, search export employee data, export all the users in excel and use filter in email address field.

IPS transformation comes to rescue in these scenarios. Use the below transformation

                "condition": "!($.email EMPTY false) || $.email == '' || $.email == ' ' || $.email == '' ",
                "sourcePath": "$.username",
                "targetPath": "$.emails[0].value",
                "functions": [
                        "type": "concatString",
                        "suffix": ""

Now for users with dummy email address , blank email address – IPS transformation will assign unique email address ( username +  – Make sure – email address does not route to an actual email server- (SAP encourages to use – .This test email address does not route to an actual email server)


For users with duplicate email address – ask them to either remove the email address(make it blank) or assign dummy email address –

This way all the users will be synced to IAS once the sync job runs in IPS.


  • Initially take the export of users – using export employee data in SAP SF application and add cleanup of users as a task in our activities – keep 2-3 days because we need to do follow-ups with users or SF admin who manages the user accounts to do this cleanup.
  • You can ask them to perform cleanup and in parallel you can do your IAS integration activities.
  • In IPS logs – we can only see 10 failed logs – (which includes for SF- read and IAS- write both). Because of this restriction – finding the information for all failed users is not possible. You can fix the users in batch of 10 users, run the sync job and then fix other 10.

Problem Statement 2:

Person GUID or Person UUID or perPersonUuid (also known by Person unique user ID) is a unique ID gets generated when a user is created in SAP SF application. In some scenarios, this field is empty for users.

How can it happen ?

Observation – In SAP SF application , users can be created by tool – Import employee data

In this case – we can update the details of users in a csv file and upload the excel on Import employee data – and if the field PersonGUID is left empty then user will be created without this unique number(blank)

  • How to avoid it – just remove the column of PersonGuid from csv and SAP SF application will auto generate the number by itself.

Issues which can be faced because of this:

If PersonGUID is empty for user, or First name or last name is empty for user in SAP SF application then

  • User sync will fail in IPS while reading from SAP SF application
  • Auto cleanup of the users from IAS won’t work if there is any user failed to be read by IPS job.(state: Read from SAP SF application)
    • IPS uses hashing algorithms at the backend and it compares the users in SF and IAS, if user is there in IAS and not in SF – (created by IPS as a part of user sync) then it removes the user from IAS.
    • If it fails to read any user from SAP SF application – it will not perform the cleanup or delete the users.
  • User is not synced – those users won’t be able to login after IAS activation with SAP SF applicatoion.


  • Update first name and last name for all the users.
  • Make sure no user have PersonGUID field empty, in case its found empty – request SAP SF admin to fix the user.
    • how do you know ? – which user have this field empty( use export employee data and put a filter on field – personGUID)
    • Even for first name and last name – if its empty update the users.


  • Filter the users for above criteria and make a plan to fix the users – have discussions with SAP SF admins.
  • Keep this as a part of initial discussions(pre implementation or implementation phase) – if users are already fixed into SAP SF application – then we need not to take the pain of correcting the users at the time of testing – when we check if all the functionalities are working as expected.
  • Plan your timeline accordingly.

Problem Statement 3:

Confusion over Partial SSO – For SAP SF instances where partial SSO is configured for external vendors, approach followed for user while user creation

  • There is a filed loginMethod – which is configured.
    • its set SSO for SSO users – uses the same SF URL
    • its set PWD for PWD users – uses a different URL
  • loginMethod – can be updated in GUI mode – if this field is enabled or Employee emport import can be used for mass user update.

Notes followed by users to configure it

2088837 – [SSO] Partial Organization Single Sign-On – BizX Platform | SAP Knowledge Base Article

2320766 – [SSO] Partial Organization Single Single-On: Data model configuration, tips & tricks from Support for Partners (

Confusion – Questions ?

  1. What will happen to Partial SSO after IAS activation?
  2. If i set pwd user in SAP SF application – will it be a pwd user – similarly for SSO users?
  3. Will loginMethod be a deciding factor for configuring different authentication mechanisms for different users?


Partial SSO – in SAP SF application is disabled after IAS integration with SAP SF application is successful.

  • All the authentication requests will directly go to IAS and IAS becomes the decision maker. If you have followed the approach of configuring rules based conditional authentication – you can configure multiple rules as per your requirement – for Password or SSO users.
  • If you are following a different approach and using IAS as proxy – follow the note:

This blog can help you with deciding the approach to be followed –Identity Authentication Service(IAS) Configuration approach with SAP SuccessFactors Application

now lets answer the questions

Clarity – Answers !

  1. Partial SSO (in SF application) is completely ruled out – its disabled.
  2. No, IAS will be deciding which user will be SSO user or PWD user. SAP SF application don’t have any control on deciding  authentication mechanism for different users. However we can do some configuration in IPS and IAS which can give some liberty to SAP SF application to perform decisions.
  3. loginMethod – its just a field in SAP SF application which is of no use after IAS activation with SAP SF application (as partial SSO is disabled – and this field is mainly used for partial SSO for PWD users to login using credentials).
    • It doesn’t matter you set it to SSO or PWD – whatever is set for that user in IAS, it will behave in that manner.

Like i said , there is a way we can still configure IPS and IAS in such a way that SAP SF admins can use loginMethod field to set the users as SSO or PWD users and it will work.


Below information can help you in configuration:

Group Users Based on Login Method – SAP Help Portal

What is exactly happening in this configuration:

  • We will filter the users as per loginMethod filed using IPS transformation to a group (lets say PassworD group)
  • Put this group on top in rules of conditional authentication – and Set it to authenticate in IAS.
  • this way – while user creation — for external vendors – SF admins will set user as PWD
    • IPS will sync the user to PassworD group
    • IAS will redirect all the users in PassworD group to IAS for authentication.

This gives you an additional option to have control over external users.

Other options you have is filter the users as per email address(domain names) to specific groups and use rule based conditional authentication.

Please have a look at the SAP Standard Note -it can be really helpful:

How to use loginMethod for users to login to SAP SuccessFactors with SSO and PWD once the Upgrade run


  • Keep this as a discussion point of which approach team wants to follow.
  • Remember IAS and IPS are just the tools , its you who will decide how configuration will look at the end of the day. So discussion with teams and decide accordingly.

Problem Statement 4:

Concerns related to Success factors mobile application access.

  1. In a fresh implementation project (where success factors was just purchased and implementation has started) –
    • how to implement SSO for SAP SF mobile application?
  2. In an already existing environment –
    • What will be the login process for new users after IAS activation with SAP SF application?
    • How will old users logging to the mobile application of SAP SuccessFactors application?


SAP SF mobile application have 2 options to login –

  • Scanning QR code – which you can scan from your online SAP SF portal – (after logging successfully using your credentials there)
  • By entering the company ID – it takes you to the SF page(if IAS is not configured) enter your credentials and login.

Now After IAS implementation with SAP SF application

  • Scanning QR code – works same how it worked earlier.
    • Just login to your web SAP SF portal -using credentials( or if SSO is configured for a corporate IDP- then perform authentication there)
    • Go to scan QR code option – scan it
    • and voila – you are logged into the SAP SF mobile application
  • Another way – enter the company ID – it usually opens up SF screen in browser, however because IAS is activated – it will prompt you with IAS screen, enter the email address and perform authentication (either on IAS screen or in Corporate IDP) and once authentication is successful, it will log you into the application

Now lets answer the concerns

  1. In a fresh implementation Project
    • Ask users to follow the same steps shared above( using QR code or perform authentication to corporate IDP) and then it will log users into applications
  2. In an already existing environment
    • New users can follow the same steps shared above (using QR code or perform authentication to corporate IDP) to login to SAP SF application
    • same goes for old users

There is no separate configuration from Mobile application perspective.

IAS activation with SAP SF application just provide addition authentication mechanism to login to mobile app(in case corporate IDPs are configured in IAS for SAP SF application) – Users can now authenticate to their corporate IDPs in mobile phone and login to SAP SF application.

Few other tips:

This will make your life a little easy while going for testing:

  • Use SAML tracer in browser to capture the trace – and understand about how authentication flow is happening and to troubleshoot in case of issues.
  • Whenever you are performing testing ( and you are already logged into IAS) , make sure you do testing in another browser, or logout from IAS before doing testing, or use incognito mode.
  • Enable SAML tracer in incognito mode( i didn’t know it earlier – this will help you to get SAML traces in incognito mode also).

  • Check the authentication logs in IAS in case you are facing issues while testing.
  • Make sure users are properly created in your corporate IDP with correct email address or identifier maintained(correctly).
  • If authentication fails while reaching to SAP SF application (after it passes from IAS) -its possible your user don’t have a login authorization. Sometimes users are not created properly in SAP SF application (without proper authorizations) and it fails because of this.
  • In rare cases – usually in SF prod – SF admins enable IP whitelisting and only users with specific IP addresses can login with credentials, If specific IPs are not whitelisted – users can’t login to system, So after IAS activation with SAP SF application – we should ask them to remove this restriction and then perform activation of IAS with SF application. If required – after activation, we can create rules with specific IPs in conditional authentication in IAS.

In this blog post you have learn about the challenges we face while going for E2E implementation and learnt about the solutions and approaches which can be followed to tackle the challenges.

Happy Learning !

I see amazing updates from SAP on Standard guide and standard notes related to this configuration. Just want to say Good job SAP ! and thanks for having a really amazing support team out there for this integration. Keep up the good work !


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Nikki Johns
      Nikki Johns

      In-depth details thank you

      Author's profile photo Istvan Bokor
      Istvan Bokor

      Hi Sushil Gupta,

      Thanks for the blog series!

      As a support engineer on IAS and IPS, I would add some further points on the above topic:

      The more proper and approved name for "SAP Cloud Identity Authentication service(IAS)" is "SAP Cloud Identity Services - Identity Authentication", or "Identity Authentication", or simply "IAS".

      Regarding "Email address is a mandatory field in IAS. Email address should be unique for every user." - e-mail can be set in IAS as not required and not unique for a couple of months, see:
      You can also consider this at "Problem Statement 1".
      Also, we don't recommend using (dummy) as we might block domains for abuse in case a huge amount of not existing e-mails are sent out, we rather recommend using for such purpose - as we described in our documentation.

      For the new partial SSO, you may consider, too.

      If you are facing issues during configuration, you can download the Troubleshooting logs from your IAS tenant to self-investigate the root cause of the issue using the Support Log Assistant. See KBA 2942816 – How to export troubleshooting logs from Identity Authentication Service.

      Best regards,

      Author's profile photo Sushil Gupta
      Sushil Gupta
      Blog Post Author

      Hi Istvan Bokor ,

      Thank you so much for the details. I have updated the blog with the helpful links shared by you.

      I can see the Guided Answers  are also updated regarding the same.(email address is now configurable and can be set as not required in IAS).


      Thanks and Regards

      Sushil K Gupta

      Author's profile photo Istvan Bokor
      Istvan Bokor

      Hi Sushil Gupta,

      Thank you for doing the update so quickly. I will also update our KBAs on component BC-IAM-IDS and BC-IAM-IPS in the upcoming day.

      Best regards,

      Author's profile photo Sushil Gupta
      Sushil Gupta
      Blog Post Author

      Dear Readers,

      Above scenarios are only applicable if email address is set as unique and required in IAS.


      Thanks and Regards

      Sushil K Gupta

      Author's profile photo Jacques Maeda
      Jacques Maeda

      Hi Sushil Gupta ,

      Thanks for the blog. I wonder if you were able to figure out a proper programmatically solution for the duplicate emails scenario with SAC:

      For users with duplicate email address – ask them to either remove the email address(make it blank) or assign dummy email address –

      This workaround above does not work when we have thousands of users in the workforce with genuine shared/duplicate emails.

      The IPS transformation works well in a test environment when thousands of users have exactly the same email.



      Author's profile photo Sushil Gupta
      Sushil Gupta
      Blog Post Author

      Hi Jacques Maeda,

      Just saw the comment. Please find my inputs below:

      You got it right - this statement is for dev or test environments where users keep duplicate ids for test purpose. We need to perform cleanup of users so that all the users are synced properly so that we can check test the configuration is working fine -

      for example -

      1)if any user read fails in source system(SAP SF) then cleanup for users won't happen in IAS in case any user is deleted or set as inactive in SAP SF.

      2)If user fails in target - Read and Full sync job don't run as expected. Expected behaviour you may set using properties ( After every 5 read jobs , run 1 full sync job automatically)

      Now coming to production environment:

      My understanding (also observation from my last project) - Organisations keep a unique email for a specific employee. They don't assign one email address to multiple people (this may create confusions)

      So in my project - i have set some guidelines for user onboarding in production environment (which can avoid sync job failures and eventually unsuccessful user onboarding experience)

      saying - User email address should be unique , firstname , last name , person GUID should be maintained.

      Please note - this restriction of unique email address is not mandatory in IAS and you can disable it. Once you disable email address as mandatory - it will allow you to sync the users with duplicate email address. however i would recommend ,please do perform test for different scenarios to understand the application behaviour.

      How to do it?

      goto IAS > tenant settings > Logon Alias > Uncheck the unique checkbox for email address.


      Please let me know if you have scene scenarios where we are maintaining duplicate emails in prod environments.

      Kindly let me know your thoughts on this.


      Sushil k Gupta

      Author's profile photo Jacques Maeda
      Jacques Maeda

      HI Sushil,

      Thanks for your response.

      Ideally I would like to have unique and mandatory email for all users, however, our business requires non-unique and non-mandatory email, including extended workforce, and users in learning sites. It may be simple for some companies to change this requirement/culture, not for us. We have SAP ERP as well, and this inconsistency across SAP solutions just add obstacles in the IAS/IPS enablement. We can configure IAS to have non-unique email for SF, but we must have unique email if we want to enable SAC for those users.

      I might use IPS transformation for specific email domains like,, and we expect corporate emails to be unique, but there are workforce segments that will not have it, and if users want to access SAC (stories in people analytics), they must have unique email as prerequisite.



      Author's profile photo Marc Caslani
      Marc Caslani

      Great article and lots of great info - Thank you!

      One problem we are having and we are not seeing any mention of is 2FA for mobile. Before IAS was turned on, a user would need to sign into Okta, and if they needed to reset their password, it would pull up the Okta screen. So all access was shared with SF and Okta.

      Now, IAS circumvents Okta and only requires QR or Company name = zero security

      Any guides or help with how to get 2FA to work again?

      Author's profile photo Sushil Gupta
      Sushil Gupta
      Blog Post Author

      Hi Marc,

      If i understand your question correctly, you mean you are concerned about the security of sf moblie app login after IAS activation. Please find my inputs below:

      when users are loggin to mobile apps using - scanning QR code, they are scanning it from an already logged in session - lets say they logged in in their office laptop (after performing all the authentication- 2factor and all) , so from security perspective- its their own session from where they scanned the qr code. Just don’t let any other person scan QR code from your session.

      and in mobile apps- lets say they follow other way of authentication- once they enter company id- it will detect its yours successfactors- which is eventually integrated with IAS so it will open either IAS( if ias is acting as identity provider) or octa screen (if ias as proxy) - once authentication is completed then only it will allow to access the mobile application.


      Nothing is changed for Mobile apps, its just now IAS came in between and if required you can enalbe 2FA in IAS for normal scenarios for users, it will work for mobile apps authentication also.

      Please let me know your thoughts on this!



      sushil k gupta


      Author's profile photo Philippe BOULICAUT
      Philippe BOULICAUT

      in order to support multiple users having same business email in multiple SF preview tenant, can we configure a new email type (UID) which is populated with business email.SF_Tenant_COID_counter


      where counter is incremented when more than 1 user share the same email address


      uid would look like


      where business email will look like


      And have ias uses these email address UID instead of business email ?

      these would allow us to have a single ias connected to our Active Directory instead of 4.

      Author's profile photo Sushil Gupta
      Sushil Gupta
      Blog Post Author

      Hi Phillippe,

      I understand that requirement is to use 1 IAS tenant in place of multiple IAS tenants for Multiple SF Tenants and issue which you are facing is that if a user is synced from one SF environment - lets say SF1, then if same user which exist in another SF environment - lets say SF2, it fails because it has same email address?

      Like you mentioned you are connecting IAS tenants to Active Directory -

      Please note if you are using IAS as proxy and (not as identity provider), and using IAS user store for just mapping purpose, in this case - it should not matter from which SF tenant User got synced and User will serve the same purpose. Even if it fails in sync job for other SF tenant environments , as user exists - your SF tenant applicaiton in IAS can use the existing user and perform mapping.

      Should not be a problem. Let me know if you are facing any challenge in this scenario.


      Now in case you want to sync the same user from multiple SF tenants and its working for one SF environment and failing for other environments which are connected to same IAS -

      please note. - email address is not a mandatory field in IAS now - and sap provides functionality to edit it.

      Email address can be set as required and unique in IAS tenant settings.

      User Identifier Required Unique
      E-Mail Yes/Configurable Yes/Configurable

      This way it will not fail in sync jobs.

      I think these 2 solutions can help in the scenario requested.

      Now lets discuss the solution proposed:

      You mentioned - if we have more than 1 users with same email address which is getting synced from 1 SF tenant - in this case you can use transformation code.

                      "condition": "!($.email EMPTY false) || $.email == '' || $.email == ' ' || $.email == '' ",
                      "sourcePath": "$.username",
                      "targetPath": "$.emails[0].value",
                      "functions": [
                              "type": "concatString",
                              "suffix": ""

      Now in place of using counter - which is just a numeric value - this code is actually updating - reason we used username is because its unique for every-user in Success Factors.

      Challenge which i see in your approach is first user will be synced as is - and from the second user it will be increasing the counter to counter+1

      For this case - you will need an if logic which reads the users from target system(IAS) check if user exist in IAS and if it exist then it will increase the counter to +1 and write the user in target system.

      How it works in IPS - we have a source system(SF in our scenario) from where we are reading the user and we have a target system(IAS) where we are writing the users.

      Now why it works in scenario which i proposed - it reads all users from SF - even the first one - checks if email is part of the condition and modify it while writing it to IAS.


      Please let me know your thoughts on this !

      Thanks and Regards

      Sushil K Gupta