IAS for ONB2.0 New Hires – 1 (upgrade OData to SCIM)
We are aware that the BizX login page is used for Onboardee login in ONB2.0.
As of 2H2022, SAP has officially released the option to integrate IAS (Identity Authentication System) with ONB2.0 for new hires.
This brings better security for Onboardee login and lets you leverage IAS features such as conditional authentication, multi-factor authentication, etc.
Following are the articles about my understanding in upgrading the IPS to SCIM and implementing the IAS for ONB new hires. If you see something wrong or steps which can be done better, please highlight 🙂
To integrate ONB with IAS, the IPS system must be upgraded to the SCIM version.
If you already have IAS set up in your system, or have an instance provisioned before Dec 2022, those systems will possibly be on version 1.
Clients who provisioned a new IAS-IPS system after Dec 2022 will have instances that come with SCIM – version 2.
You can check the version by looking at the value of ‘sf.api.version’ in the Properties tab of the source system in Identity Provisioning (IPS).
We will first see how to upgrade IPS from version 1 to version 2 (SCIM) and then look at the configuration for the ONB integration.
Upgrading IPS system from version 1 to version 2(SCIM)
- Set up mTLS (mutual Transport Layer Security) as the authentication method between Identity Provisioning and SuccessFactors.
To do this, generate (if there is no certificate yet) and download the outbound certificate, then link it with SuccessFactors.
- Go to SuccessFactors > Security Center > X509 Public Certificate Mapping > Add and upload the certificate created above.
Make sure you select ‘Identity Provisioning Service’ in the ‘Integration Name’ field and the login name of your admin user in the ‘Login Name’ field.
I used IPSADMIN as the Login Name, which was used in version 1 for the IPS job.
- Change sf.api.version in Source system > Properties from 1 to 2.
- Remove /odata/v2/ from the URL in Properties.
- Change the sf.user.filter as below
The transformations also need changes once you upgrade the version from 1 to 2.
You can test this by running an IPS job simulation to check whether incorrect transformations cause any errors.
This link will give you the mapping changes between SCIM and ODATA.
Note: As a best practice, update the Authentication setting from ‘BasicAuthentication’ to ‘ClientCertificateAuthentication’. This works provided you have already uploaded the outbound certificate of the source system in the SuccessFactors Security Center under X.509 Public Certificate Mapping. Once this step is completed, there is no need to configure a username and password for IPSADMIN; the connection authenticates with the certificate.
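The following check of the source system properties after the upgrade is an added example, not SAP's or the author's code. It assumes the properties have been copied from the Properties tab into a flat name/value dictionary, that basic-auth credentials sit in properties named User and Password, and it uses constructed sample values (host name, filter, password).

```python
import re
from urllib.parse import urlsplit

def check_source_properties(props):
    """Return findings for an IPS source system that should be on version 2 (SCIM).

    props: flat dict of property name -> value, typed in from the Properties tab
    (an assumed layout for this example, not an official export format).
    """
    findings = []
    version = str(props.get("sf.api.version", "")).strip()
    if version != "2":
        findings.append(f"sf.api.version is {version or 'not set'}, expected 2")

    url = urlsplit(props.get("URL", ""))
    if url.scheme != "https":
        findings.append("URL does not use https")
    if "/odata/v2" in url.path.lower():
        findings.append("URL still contains /odata/v2/")

    auth = props.get("Authentication", "")
    if auth != "ClientCertificateAuthentication":
        findings.append(f"Authentication is {auth or 'not set'}, not ClientCertificateAuthentication")
    else:
        # 'User' and 'Password' are assumed names of the basic-auth properties.
        stale = [k for k in ("User", "Password") if props.get(k)]
        if stale:
            findings.append("credentials left behind after switching to certificates: " + ", ".join(stale))

    # Version 2 does not offer the OR operator in sf.user.filter.
    if version == "2" and re.search(r"\bor\b", props.get("sf.user.filter", ""), re.I):
        findings.append("sf.user.filter uses OR, which version 2 does not offer")
    return findings

# Constructed sample property sets (host name, filter and password are made up).
V1_FILTER = "username eq 'test1' or username eq 'test2'"
BEFORE = {"sf.api.version": "1", "URL": "https://api.example.invalid/odata/v2/",
          "Authentication": "BasicAuthentication", "User": "IPSADMIN",
          "Password": "constructed-placeholder", "sf.user.filter": V1_FILTER}
HALF_DONE = dict(BEFORE, **{"sf.api.version": "2",
                            "Authentication": "ClientCertificateAuthentication"})
AFTER = {"sf.api.version": "2", "URL": "https://api.example.invalid",
         "Authentication": "ClientCertificateAuthentication"}

if __name__ == "__main__":
    for name, props in (("before", BEFORE), ("half done", HALF_DONE), ("after", AFTER)):
        print(name, check_source_properties(props) or "OK")
```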
Unlike sf.user.filter in version 1, where we had the flexibility to sync only a few users using the ‘OR’ logical operator, version 2 does not offer that, which makes it hard to sync and test with only a few users. As a bad workaround for testing, you may use the ‘Contains’ operator to create a query.
Please vote for the enhancement request below
You can find the configurations necessary for the integration of ONB with IAS in the next article – IAS for ONB2.0 New Hires – 2.