Human Capital Management Blogs by SAP
Get insider info on HCM solutions for core HR and payroll, time and attendance, talent management, employee experience management, and more in this SAP blog.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Onboarding New Hires Authentication using SAP Identity Authentication Service (IAS)

smitajalit
Product and Topic Expert
Product and Topic Expert
‎05-10-2023 6:43 PM

Overview:


With 2H 2022 Onboarding-IAS integration provides Onboarding new hire authentication and user account management with SAP IAS System using Cross-domain Identity Management (SCIM) API.

Benefits of using SAP Identity Authentication Service for Onboarding New hires:



  • Pre-day 1 Onboarding Work zone integration

  • It provides a secure and centralized platform for managing user authentication and access control for both Onboarding New hires and Employees.

  • Seamless and consistent user experience across different applications and devices

  • By providing single sign-on capabilities, users can easily access the other cloud applications and resources they need without having to remember multiple usernames and passwords.

  • By integrating with IAS, you can enforce strong authentication methods such as multi-factor authentication and password policies.


Onboarding new hire User Experience with Onboarding-IAS integration


When a new hire is created in SAP SuccessFactors Onboarding, they’re provisioned in Identity Authentication in real-time.

  • If the New Hire Data Review step is available in the Onboarding process flow, then the new hire's account is synced to SAP Identity Authentication Service after the New Hire Review Data step is complete.

  • If the New Hire Review Data step is not available, then as soon as the Initiate Onboarding step is complete, the new hire's account is synced to SAP Identity Authentication Service.


Onboarding New hire receives IAS Account Activation email to set her/his password in IAS. Onboarding new hires will be able to login using IAS login page and HXM application URL.

             


Going forward Onboarding New hires will be able to perform “forgot password” from IAS login screen once their user record is synced to IAS.


 

Note: Point to remember with regards to Welcome email and password setting link.

Once you have Onboarding-IAS integration, “Reset User Password link” link in Welcome email will not be functional. You can refer to below screenshot “Reset your password using think link” does not show Hyperlink.


 

It is recommended to Disable the following templates in Email Services:

  • Template: (ONB) External User Welcome Message Template

  • Template: (ONB) Rehire User Welcome Message Template


If you do not disable the welcome email template, the Onboarding new hire will receive two welcome e-mails, one from HXM Suite and one from Identity Authentication Service (IAS).

If you are okay with sending 2 emails, then ensure that you've removed the Reset User Password link from the email template.

Real Time sync configuration: Ensure that you've enabled the Real Time Sync option to trigger real-time sync whenever there’s a new hire account being created, or any changes occur to the onboarding New Hire account status or account type. Refer to the link for configuration setup Manage Real-Time Sync of New Hires from SAP SuccessFactors to Identity Authentication with Identity ...

 

More details about Onboarding -  IAS integration


As of the December 9th, 2022  production release any newly established integration between SuccessFactors BizX instance and SAP Identity Authentication/Identity Provisioning Services (IAS/IPS) will be using the SCIM API.

Let’s understand how this change applies to new and existing HXM instances. For simplicity I am going to use Type 1, Type 2, and Type 3 setups.

  • [Type 1] newly provisioned SuccessFactors HXM Instances that have an identify authentication and Identity provisioning tenant bundled together and delivered at the same time, and

  • [Type 2] existing SuccessFactors HXM instances performing the Initiate IAS Upgrade or Change IAS tasks through Upgrade Center.


[Type 3] Before December 9th, 2022  if you integrated SAP SuccessFactors HXM suite tenants with Identity Authentication Service (IAS) configured then you are using ODATA IPS Connector and you must upgrade from ODATA IPS Connector to SCIM IPS Connector to authenticate both employees and new hires with Identity Authentication and Identity Provisioning.

For more information, refer to help guide topics:

If you don’t migrate your tenants from ODATA IPS Connector to SCIM IPS Connector then Onboarding new hires will continue to work the same way as before:

  • Onboarding a new hire is not synced to IAS

  • Onboarding New hire receives Password reset link to set a password in SuccesssFactor HXM.

  • Onboarding new hire gets login URL with parameter pm_product_name = ONB in his/her emails.


Once you migrate your tenants from ODATA IPS Connector to SCIM IPS Connector then Onboarding new hires will be authenticated using IAS

  • Onboarding new hire sync to IAS

  • Onboarding New hire receives IAS Account Activation email to set her/his password in IAS.

  • Onboarding new hire gets login URL without parameter pm_product_name = ONB in his/her emails.


We recommend you upgrade your IAS-integrated instances from ODATA IPS Connector to SCIM IPS Connector to have the same IAS version across all your preview and production instances.

Example: Let’s say your Preview instances are using ODATA IPS Connector but production instances are not yet integrated with IAS and if you've upgraded your production instance after December 9, 2022 to SAP Identity Authentication Service (IAS) using the System for Cross-domain Identity Management (SCIM) 2.0 REST API, then in the Preview instance, the new hire receives HXM suite password link to set the password through Onboarding Welcome email and in the Production instance, the new hire receives the SAP Identity Authentication Service (IAS) activation email to set the password.

 

Need to know configuration and Do’s/Don’t


[Type 1] newly provisioned SuccessFactors HXM Instances that have an identity authentication and Identity provisioning tenant bundled together and delivered at the same time.

Newly provisioned instances are provisioned with Talent application. Onboarding Application provisioning switch will be turned On only after the customer has Onboarding License.

When the “Onboarding Application” provisioning switch is OFF following is the expected behavior:

  • Provisioning Company setting switch “Onboardee Identity Authentication” is Turned on By default. Do not switch off this setting.

  • As Onboarding Application switch is Off, the “Settings” Tab will not be shown in the below screenshot.



 

When “Onboarding Application” provisioning switch is ON following is the expected behavior:

  • Provisioning Company setting switch “Onboardee Identity Authentication” is Turned on By default. Do not switch off this setting.

  • As Onboarding Application switch is ON, the “Settings” Tab will be shown as below.


You will see Employee and Onboardee Application Completed displayed and grayed out since the option has already been enabled by the tenant provisioning process automatically. This means Onboarding new hires are part of IAS user sync along with Employee using Using System for Cross-domain Identity Management (SCIM) API.


[Type 2] existing SuccessFactors HXM instances performing the Initiate IAS Upgrade or Change IAS tasks through Upgrade Center.

If you have performed IAS upgrade from the Upgrade center after December 9, 2022 then following is the expected behavior for Onboarding Customers:

  • Provisioning Company setting switch “Onboardee Identity Authentication” is Turn on By default. Do not switch off this setting.

  • As Onboarding Application switch is ON, the “Settings” Tab will be shown as

  • You will see Employee and Onboardee Application Completed displayed and grayed out as you have initiated the upgrade to Identity Authentication after December 9, 2022, and the upgrade is complete.


This means Onboarding new hires are part of IAS user sync along with Employee using Using System for Cross-domain Identity Management (SCIM) API.


[Type 3] Before December 9th, 2022  if you integrated SAP SuccessFactors HXM suite tenants with Identity Authentication Service (IAS) configured then you are using ODATA IPS Connector and the Settings tab under Admin Center  Monitoring Tool for Identity Authentication/Identity Provisioning Service Upgrade is unavailable.

You must upgrade from ODATA IPS Connector to SCIM IPS Connector to authenticate both employees and new hires with Identity Authentication and Identity Provisioning.

Steps as below:

  • Follow the steps mentioned in Upgrade from ODATA IPS Connector to SCIM IPS Connector with SAP SuccessFactors HXM Suite to upgrade from ODATA IPS Connector to SCIM IPS Connector.

  • Enable Provisioning switch “Onboardee Identity Authentication “ from Company Settings.

  • Initiated the upgrade to SAP Cloud Identity Services - Identity Authentication, and the upgrade is complete, the option to select Apply to both Employee and Onboardee will be displayed.


 


 

 

Frequently Asked Questions Answers


1. What is the change for new hire before and after Onboarding IAS integration using SCIM API?

Answer:

        Before IAS upgrade Onboarding New hire experience:

  • Onboarding new hire is not synced to IAS

  • Onboarding New hire receives Password reset link to set password in SuccesssFactor HXM.

  • Onboarding new hire gets login URL with parameter pm_product_name = ONB in his/her emails.


          After IAS upgrade Onboarding New Hire experience:

  • Onboarding new hire sync to IAS

  • Onboarding New hire receives IAS Account Activation email to set her/his password in IAS.

  • Onboarding new hire gets login URL without parameter pm_product_name = ONB in his/her emails.


 

2. When will Onboarding New hire Record sync to IAS?

Answer: Onboarding New hire Record will be synced to IAS in real time as soon as it is marked as ready for sync to IAS.

  • If the New Hire Data Review step is available in the Onboarding process flow, then the new hire's account is synced to SAP Identity Authentication Service after the New Hire Review Data step is complete.

  • If the New Hire Review Data step is not available, then as soon as the Initiate Onboarding step is complete, the new hire's account is synced to SAP Identity Authentication Service.


 

3. What if Real Time sync does not sync Onboarding New hire record to IAS instantly?

Answer: Onboarding Regular scheduled IPS job will sync Onboarding New hires to IAS.

 

 4. At what stage of Onboarding, the activation email from IAS will trigger to Onboarding new hires?

Answer:  IAS activation email will be sent as soon as Onboarding new hire’s account is synced to IAS.

 

5. How to check Onboarding new hire record is marked as Ready to Sync?

Answer: You can check "Extension Status" in "Data inspector" under Admin center.

Extension status represents if onboarding new hire record is ready to sync to IAS.

0 - Active (Sync new hire to IAS as New hire is active external user)

1 - Inactive (Do not sync to IAS as New hire is inactive external user)

2 - Pending (Do not sync to IAS as New hire is not yet ready to sync to IAS.)

Example - "New hire data review step" is Not completed to proceed with next step by New hire "provide personal data collection".

 

 6. Is the activation email from IAS customizable? Can we update the email content?

Answer: Yes. IAS provides a way to customize email template. Please refer Help guide link for additional configuration changes.

Configuring Activation Email Template in Identity Authentication Service (IAS)

Configuring E-Mail Templates

 

7. Can we add Login name/Username in IAS Activation email?

Answer: Yes. Please refer allowed placeholders for IAS email templates.

Allowed Placeholders per E-Mail Template

 

8. What would be the sequence of both emails, activation email from IAS and Welcome email in Onboarding is kept active by removing reset password link. password link?

Ans:  Both emails are Asynchronous and expected to be received by New hire at same time.

 

9. What happens to the IAS user record when Onboarding is Cancelled

Ans: If the admin cancels the new hire's account, then the account created using SAP Identity Authentication Service is deactivated. When the next sync job runs, it will delete the new hire's account created using SAP Identity Authentication Service.

 

10. How to check if Onboarding New hire is synced to IAS in Real Time sync

Ans: Execution Manager  Pre-delivered integration display status of Real Time sync

 


 


 

11. Will the Login URL contains pm_product_name = ONB for Onboarding New hire for ONB-IAS integrated system?

Ans: No, Onboarding New hire will receive emails with Login link without pm_product_name = ONB  parameter in URL.

 

12. How to set up Autogenerated Username for Onboarding IAS account

You've setup Generate Onboarding User Data rule to generate user data such as username while creating an onboarding record. Reference Help Guide - https://help.sap.com/docs/SAP_SUCCESSFACTORS_ONBOARDING/c94ed5fcb5fe4e0281f396556743812c/c116de98fbc...

 

13. How is New hire’s IAS account maintained if new hire exists as External Learner user in IAS?

Ans: Onboarding New hire account and External learner accounts are maintained as 2 separate IAS account with unique personal email id and Username. Once Onboarding New hire is converted as Employee, New hire’s IAS account will be changed from Onboardee user Type IAS account to Employee user Type IAS account with change in personal email to work email and Username (if updates are done during Manage Pending Hire step).

In the Identity Authentication Service (IAS) target system, ensure that there are no existing account in SAP Identity Authentication Service with the e-mail address or username of the new hire. Please follow below guidance if you have IAS account for External Learner and Onboarding New hire.


 

14. How to check if the customer is using IAS with Odata API or SCIM API?

Answer: sf.api.version handles the version of the API which is consumed by the SAP SuccessFactors system.

Possible values:

1 - Indicates that SAP SuccessFactors HCM Suite OData API (in short, OData API) is used.

2 - Indicates that SAP SuccessFactors Workforce SCIM API (in short, SCIM API) is used.

Reference  SAP Cloud Identity Services - Identity Provisioning - SuccessFactors

 

15. What if Onboarding new hire is unable to redirect to Home page once he/she activates IAS account from IAS Activation email?

Answer: Onboarding new hire should be  redirected to the Home URL after activating his/her IAS account. Home URL is expected to be set up automatically once your instance is upgraded to SCIM IAS.

Reference Configure an Application's Home URL

Please check below IAS configuration. Please add Home URL if it’s not  available.




Help Guide references:


Setting up SAP Identity Authentication Service for New Hires Using System for Cross-domain Identity ...

Initiating the Upgrade to SAP Cloud Identity Services - Identity Authentication Service

Help Guide reference for SAP Cloud Identity Services - Identity Provisioning with SuccessFactors

Overview of SAP SuccessFactors Workforce SCIM API 

SAP SuccessFactors IPS Integration

Conclusion:


In conclusion, SAP SuccessFactors IAS integration provides a secure, automated, and user-friendly platform for managing user authentication and access control for Onboarding new hires along with Employees. It helps organizations improve and simplify user management.

 
Labels:
6 Comments
Popular Blog Posts