SAP Knowledge Base Article - Public

2791410 - Integrating SuccessFactors with Identity Authentication through the Upgrade Center

Symptom

  • How to create the SuccessFactors Identity Authentication Service integration;
  • How to create IAS and IPS tenants for the SuccessFactors integration;
  • How to set up IAS and IPS with SuccessFactors;

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

  • SAP SuccessFactors HXM Suite
  • Identity Authentication
  • Identity Provisioning

Resolution

IAS-SF Architecture for KBA.PNG

IMPORTANT

  • Before starting, note that this implementation requires manual configuration in several systems; it is not a simple upgrade performed only in the Upgrade Center
  • We require and strongly advise you to review the following content:
    • The Admin Guide for this feature, which contains several optional steps you may need to follow for your business case
      • If you prefer, you can access the PDF version HERE
      • An overview of the features and their implementation
      • How-to videos explaining the actions you need to take (it is advised to view ALL of them, especially this one)
      • A link to Office Hours with an expert, where you can raise questions and hear what other customers are asking
      • Updates on what is and is not supported

  • This activity can only be performed by an SAP S-User. Contact your system administrator if you do not have an S-User
  • Until the 2011 release, each customer was allowed only two IAS tenants by default (one for production and one for preview).
    • For customers that already upgraded using only two IAS tenants, SAP is at this moment not retrofitting already migrated instances to allow a 1 SF : 1 IAS integration.
    • Since the 2011 release, customers can select which IAS tenant to use (or request a new one) for instances that have not yet been migrated.
  • This upgrade disables Partial SSO: your password (PWD) users will need to log in through a different URL, and an IAS feature must be enabled for them;

1. How to Create Integration Settings

To create the settings and the IAS and IPS tenants, follow the steps below:

Prerequisites

  • Have the customer S-User credentials (Partner S-Users are not allowed to trigger the upgrade);
  • (Only if you already have an IAS tenant; you will find out whether you have one at the IAS tenant selection pop-up, step 7 of the procedure below) Have your IAS tenant URL and administrator access to that tenant;
    • You can check and confirm your existing IAS tenants and their administrators yourself on https://iamtenants.accounts.cloud.sap/
      • Only existing IAS administrators can add additional administrators to an IAS tenant.
      • If no one has access to the IAS tenant (for example, all admins listed on the page above have left the company), request access through an incident on component BC-IAM-IDS before the implementation.


Procedure

  1. Go to Admin Center
  2. Open the Upgrade Center
  3. Search for the upgrade Initiate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration and click Learn More & Upgrade Now;
    • Note: If you do not find the upgrade and it is not listed under Completed Upgrades, your instance must have one of the unsupported features listed on the Community page. Refer to that page to see when the upgrade will become available for you;

Initiate upgrade.png

  4. Click Upgrade Now;
  5. A pop-up requesting an S-User and password appears.
  6. Enter your S-User credentials, the same ones used in the support portal to open incidents for the instance;
    • If you face issues or errors during the authentication of your S-User credentials, refer to KBA 2944990 for the common issues at this step and their solutions;
  7. A pop-up appears for you to select the IAS tenant to integrate with (see the screenshot below). Choose the tenant accordingly or create a new one (this is an architecture decision on the customer side). If your existing IAS tenants are not visible at this step, open a ticket on component LOD-SF-PLT-IAS.

IAS pop up.PNG

    • If you want to use an existing IAS tenant from the list and you do not have access to its Administration Console:
      • You can check and confirm your existing IAS tenants and their administrators yourself on https://iamtenants.accounts.cloud.sap/
        • Only existing IAS administrators can add additional administrators to an IAS tenant.
        • If no one has access to the IAS tenant (for example, all admins listed on the page above have left the company), first check internally that no other team is using that tenant, then create a support incident on component BC-IAM-IDS (select Cloud Platform as the product to be able to select this component) to request access;
    • If you click Submit and see the warning "The SAP Cloud Platform Identity Authentication Service tenant you've chosen for this upgrade is not in the same region as your SAP SuccessFactors tenant. Are you sure you want to continue?" and you want this warning removed, see KBA 3084273 - Warning message during SF-IAS Initial upgrade - IAS is not in the same region as your SAP SuccessFactors tenant;
    • You can share one IAS tenant between different SuccessFactors tenants or use a 1-1 approach. Both approaches work and are supported; the choice is the customer's, as each has its challenges:
      • With 1 IAS - 1 SF:
        • You will have more IAS tenants to administer;
        • More applications need to be created on your corporate IdP;
        • But user management in IAS is easier and fewer customizations are needed in IPS later on;
      • With shared IAS tenants, you have to take care of some user management aspects between the instances:
        • Users must either match across instances or be completely different. A user with one email in one instance and a different email in another may run into sync issues.
        • You will need to adjust the transformation rules in the second step so that each instance's unique user ID (UUID) is synced to a different custom attribute;
    • If Request New Tenant is selected, a new IAS tenant (free of cost) is created and used for the SuccessFactors integration. The tenant ID is a random ID generated automatically by the system.
  8. Click Request New Tenant or Submit to initiate the integration process, depending on whether you are creating a new tenant or using an existing one;
  9. The process can take over 2 hours to complete;
    • If you did not have an IPS tenant before the upgrade, you will know it is completed when you receive an email with your IPS information (access is with your S-User credentials);
    • If you already have an IPS tenant, the process is completed once a new Source system (your SF tenant) and Target system (your IAS tenant) have been created in IPS;

2. Complete IAS and IPS configuration

Prerequisites

  • Have completed the previous steps;
  • Have Admin access to both your IPS and IAS tenants (if you did not have the tenants before the previous steps, you should have received an email with the credentials);
    • If you need help getting IAS or IPS access credentials:
      • You can check and confirm your existing IAS and IPS tenants and their administrators yourself on https://iamtenants.accounts.cloud.sap/
        • Only existing IAS/IPS administrators can add additional administrators to IAS/IPS tenants.
        • If no one has access to the IAS/IPS tenant (for example, all admins listed on the page above have left the company), request access through an incident on component BC-IAM-IDS for IAS or BC-IAM-IPS for IPS.
  • Have already read the Admin Guide, as several configurations in these steps are optional and depend on your business case;
  • This step is about getting your users set up in the IAS tenant and integrating IAS with your corporate SSO (if applicable)

Procedure

  1. On SuccessFactors, grant API permissions and the employee export permission to the IPSADMIN user, as described in the guide's section Setting Up an API User for Sync Jobs;
    • The user needs the permissions below with Everyone as the target population:
      • Manage Users -> Employee Export;
      • Manage Users -> User Account OData entity;
      • Manage Integration Tools -> Allow Admin to Access OData API through Basic Authentication;
  2. On SuccessFactors, set up an API Login Exception for the IPS IP addresses under Password & Login Policy Settings, as described in the guide's section Setting Up an API User for Sync Jobs;
    • The IP addresses in the guide are in a different format from the one SuccessFactors requires;
    • To facilitate the conversion, the table below lists the ranges for each region in the SuccessFactors format;
    • If you do not know the region of your IPS tenant, you can check it in the tenant itself in the Support section (tool icon in the bottom-left corner, as in the screenshot below);

Region host.png 

Region | Host URL | IP range(s)
Australia (Sydney) | ap1.hana.ondemand.com | 210.80.140.0-210.80.140.255,157.133.96.0-157.133.97.255
Brazil (São Paulo) | br1.hana.ondemand.com | 157.133.246.0-157.133.246.255
Canada (Toronto) | ca1.hana.ondemand.com | 157.133.54.0-157.133.54.255,157.133.62.0-157.133.62.255
Europe (Amsterdam) | eu3.hana.ondemand.com | 157.133.140.0-157.133.140.255,157.133.141.0-157.133.141.255
Europe (Frankfurt) | eu2.hana.ondemand.com | 157.133.70.0-157.133.70.255,157.133.204.0-157.133.204.255,157.133.205.0-157.133.205.255,157.133.206.0-157.133.206.255
Europe (Rot) | hana.ondemand.com, eu1.hana.ondemand.com | 155.56.128.0-155.56.255.255
Japan (Tokyo) | jp1.hana.ondemand.com | 157.133.150.0-157.133.150.255
Kingdom of Saudi Arabia (Riyadh) | sa1.hana.ondemand.com | 157.133.93.0-157.133.93.255
Russia (Moscow) | ru1.hana.ondemand.com | 157.133.2.0-157.133.2.255
UAE (Dubai) | ae1.hana.ondemand.com | 157.133.85.0-157.133.85.255
US East (Ashburn) | us1.hana.ondemand.com | 65.221.12.0-65.221.12.255,206.112.73.0-206.112.73.255,157.133.16.0-157.133.16.255,157.133.18.0-157.133.18.255
US West (Chandler) | us2.hana.ondemand.com | 64.95.110.0-64.95.110.255,64.95.111.0-64.95.111.255,157.133.24.0-157.133.24.255,157.133.25.0-157.133.25.255,157.133.26.0-157.133.26.255
US East (Sterling) | us3.hana.ondemand.com | 169.145.117.0-169.145.117.255
US West (Colorado Springs) | us4.hana.ondemand.com | 157.133.45.0-157.133.45.255
Europe (Rot) - Trial | hanatrial.ondemand.com | 155.56.128.0-155.56.255.255
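The conversion the table performs by hand, as an added example for this KBA (not SAP code). It assumes the guide lists the Identity Provisioning egress ranges in CIDR notation (an assumption: the page only says the format differs) and that the API Login Exception field takes the comma-separated first-last form shown in the table. It also parses a finished exception list back into networks so you can check whether a given address, for instance the source IP of a failed IPS login in the SuccessFactors audit log, is actually covered. The CIDR lists below are constructed from the Frankfurt and Rot rows of the table.

```python
"""Convert IP ranges between CIDR notation and the SuccessFactors API Login
Exception format, and check whether an address is covered by the list.

Added example for this KBA, not SAP code. Assumption: the guide gives the
IPS ranges as CIDR blocks; SuccessFactors expects "first-last" entries
separated by commas, as in the table above.
"""
import ipaddress

# Constructed sample input: CIDR blocks as you might copy them from the guide
# (they correspond to the Europe (Frankfurt) and Europe (Rot) rows above).
GUIDE_CIDRS_EU = [
    "157.133.70.0/24", "157.133.204.0/24", "157.133.205.0/24", "157.133.206.0/24",
]
GUIDE_CIDRS_ROT = ["155.56.128.0/17"]


def cidr_to_sf_range(cidr: str) -> str:
    """'157.133.70.0/24' -> '157.133.70.0-157.133.70.255'.
    strict=True rejects a block whose host bits are set (a typo in the copy)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address}-{net.broadcast_address}"


def sf_exception_list(cidrs) -> str:
    """Comma-separated value for the API Login Exception IP field,
    with exact duplicates dropped and the original order kept."""
    seen, out = set(), []
    for cidr in cidrs:
        rng = cidr_to_sf_range(cidr)
        if rng not in seen:
            seen.add(rng)
            out.append(rng)
    return ",".join(out)


def parse_sf_ranges(value: str):
    """Parse a SuccessFactors 'a-b,c-d' list back into ip_network objects.
    A single address without '-' is accepted as a one-host range."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        parts = [ipaddress.ip_address(p.strip()) for p in item.split("-", 1)]
        first, last = parts[0], parts[-1]
        if last < first:
            raise ValueError(f"range end before start: {item}")
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


def is_allowed(ip: str, value: str) -> bool:
    """True if `ip` falls inside any range of the exception list `value`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_sf_ranges(value))


if __name__ == "__main__":
    eu = sf_exception_list(GUIDE_CIDRS_EU)
    print("Frankfurt exception list:", eu)
    print("Rot exception list:      ", sf_exception_list(GUIDE_CIDRS_ROT))
    print("157.133.205.17 allowed?", is_allowed("157.133.205.17", eu))
    print("157.133.207.1 allowed? ", is_allowed("157.133.207.1", eu))
```

Keep the exception list as narrow as the table allows: it exempts those source addresses from the password and login policy for API calls, so a range copied too wide (a /16 typed for a /24) silently widens who can use IPSADMIN's basic-auth credentials from outside IPS.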
  3. On SuccessFactors, reset the IPSADMIN password and take note of it for the later setup in IPS;
  4. In IPS, update the password field of the SuccessFactors source system, as referred to in step 6.1, with the password from the step above;
  5. In IPS, update the sf.user.filter field, which filters the users that IPS reads from SuccessFactors;
    • When created, this field has the value status eq 'active' and username in 'sf_username1_placeholder','sf_username2_placeholder';
    • This means that only active users in that list (sf_username1_placeholder and sf_username2_placeholder) are synced;
    • Change the filter to usernames that exist in your instance to run a test sync;
    • To move forward with the implementation and sync all users, the filter should be only status eq 'active'.
  6. (Optional) You can change your IPS transformation rules if you have specific requirements; refer to Section 5 Configure Transformations in Identity Provisioning of the guide (implementation decision by the customer);
    • Note: In the source system (SuccessFactors) all users must have unique emails to avoid provisioning issues (the email must be unique in IAS and later in SAC/People Analytics);
    • If you need to keep identical emails in SuccessFactors, refer to section 5.1 Remove Dummy Emails Transformation of the guide;
    • If you want users to receive an email notification when they are created in Identity Authentication, enable the SendMail transformation code as described in the Define SendMail Transformation guide;
  7. Schedule the IPS sync job as described in Section 7.2 Running and Scheduling Jobs (User Sync);
  8. Confirm that the IPS sync job runs successfully:
    1. Log in to your IPS tenant;
    2. Go to Job Logs;
    3. Click the last execution of the job;
    4. Confirm that the job reads the users and check whether it reports any issue writing users to IAS;
  9. Log in to your IAS tenant;
  10. Confirm whether the number of users in IAS matches the number of users in SuccessFactors;
    • IAS only has active users;
    • Users with a duplicated email are not created in IAS (unless the transformation rules were changed), so it can be expected that not all users are in IAS;
    • IAS will likely have admin users that exist only in IAS;
  11. (Optional) Set up a corporate SSO integrated with IAS;
    • Follow Section 9 Configure Single Sign-On in Admin Center of the guide; there is a video you can follow on how to do it;
    • IMPORTANT: This also requires setting up a new application on your corporate IdP (SSO) using the metadata exported from IAS;
    • IMPORTANT: Make sure your IdP uses the Unspecified NameID format for IAS and sends as NameID a value that matches the SuccessFactors username;
  12. (Optional) If you had Partial SSO and have non-SSO users who need to log in with username and password, implement the feature described in KBA 2954556
    • Your PWD users will log in directly through an IAS URL;
  13. (Optional) Apply the settings from Section 6 Identity Authentication Service Administration Console Tasks of the guide, depending on your specific requirements;
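A pre-flight check for the sf.user.filter, unique-email and user-count steps above, added here as an example (it is not SAP or IPS code and does not call either API). It emulates in plain Python what the two forms of the default filter select, which active users would be rejected for a non-unique email, and therefore how many users you should expect to see in IAS after the full sync, so you can explain a count mismatch before opening the job log. The user records are constructed sample data; the assumptions that email comparison is case-insensitive and that an empty email counts as non-unique are labelled in the code.

```python
"""Predict the outcome of the IPS SuccessFactors -> IAS user sync.

Added example for this KBA, not SAP or IPS code. It emulates the default
sf.user.filter (status eq 'active' [and username in (...)]) and the rule
that only users with a unique email are created in IAS.
"""
from collections import defaultdict

# Constructed sample of an SF user export, reduced to the fields the
# filter and the email rule look at (assumption: other fields are irrelevant here).
SF_USERS = [
    {"username": "jdoe",    "email": "jdoe@example.com",   "status": "active"},
    {"username": "asmith",  "email": "asmith@example.com", "status": "active"},
    {"username": "bwu",     "email": "BWU@example.com",    "status": "inactive"},
    {"username": "cnguyen", "email": "shared@example.com", "status": "active"},
    {"username": "dlee",    "email": "shared@example.com", "status": "active"},
    {"username": "contr01", "email": "",                   "status": "active"},
]


def apply_user_filter(users, usernames=None):
    """Emulate sf.user.filter.

    usernames=None  -> status eq 'active'                         (full sync)
    usernames=[...] -> status eq 'active' and username in (...)   (test sync)
    """
    wanted = None if usernames is None else set(usernames)
    return [u for u in users
            if u["status"] == "active" and (wanted is None or u["username"] in wanted)]


def provisioning_plan(users, usernames=None):
    """Return (will_provision, skipped); skipped maps username -> reason.

    Assumptions: emails are compared case-insensitively, and an empty email
    is treated as non-unique (it cannot identify a user in IAS) unless a
    transformation rule supplies one.
    """
    candidates = apply_user_filter(users, usernames)
    by_email = defaultdict(list)
    for u in candidates:
        by_email[u["email"].strip().lower()].append(u["username"])

    will_provision, skipped = [], {}
    for u in candidates:
        key = u["email"].strip().lower()
        if not key:
            skipped[u["username"]] = "empty email"
        elif len(by_email[key]) > 1:
            others = sorted(set(by_email[key]) - {u["username"]})
            skipped[u["username"]] = f"duplicate email {key} shared with {others}"
        else:
            will_provision.append(u["username"])
    return will_provision, skipped


def expected_ias_count(users, ias_admin_only=0):
    """Users you should find in IAS after a full sync: the provisioned SF
    users plus the administrators that exist only in IAS."""
    provisioned, _ = provisioning_plan(users)
    return len(provisioned) + ias_admin_only


if __name__ == "__main__":
    test_run, _ = provisioning_plan(SF_USERS, usernames=["jdoe", "bwu"])
    print("test sync would provision:", test_run)   # bwu is inactive, so only jdoe
    full, skipped = provisioning_plan(SF_USERS)
    print("full sync provisions:", full)
    for name, why in skipped.items():
        print(f"  skipped {name}: {why}")
    print("expected users in IAS:", expected_ias_count(SF_USERS, ias_admin_only=1))
```

Run it against your real export before the first full sync: every username it reports as skipped for a duplicate email is one you either clean up in SuccessFactors or cover with a transformation rule, and the expected count is the number to compare with the IAS user list rather than the raw SuccessFactors headcount.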

3. Enable SAP SuccessFactors to SAP Cloud Platform IAS Integration

Prerequisites

  • Your SAP SuccessFactors system is integrated with the SAP Cloud Platform Identity Authentication service, having completed the previous steps successfully
  • You have successfully configured Identity Authentication to meet your requirements and be ready to begin using it to authenticate users in your system
  • You have confirmed that the user sync between SAP SuccessFactors and Identity Authentication is successful

Procedure

  1. Go to Admin Center
  2. Access the Upgrade Center
  3. Find the upgrade Activate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration;
  4. Click Learn More & Upgrade Now
  5. Click Upgrade Now;
  6. Click Test Now;
    • IMPORTANT: Make sure you are logged out of the IAS Administration Console in the browser you use for this task, so that your active admin session is not reused.
  7. A new tab opens with a link that tests your integration by redirecting you to the authentication process as it will be after IAS activation;
    • The URL has this format: <IAS URL>/saml2/idp/sso?sp=<SuccessFactors Entity ID>/<your company ID>&RelayState=verification
    • This simulates your login through IAS without activating it; if the authentication process succeeds, it allows you to activate the IAS integration;
  8. You are redirected to IAS to authenticate (IAS may redirect you to your corporate IdP, depending on your implementation in section 2);
  9. Log in to the instance;
  10. You receive a Success message; then return to the Upgrade Center in the other tab;
    • If you receive a failure message or are not redirected correctly, you have a configuration issue that is affecting your IAS authentication.
    • Review KBA 2954188 on IAS login issues and correct the configuration or complete any missed step;
  11. You can now move forward and activate the IAS integration;
  12. After this, your instance is integrated with IAS and your users are redirected to log in through IAS;
  13. If you face any login issue after running this upgrade, refer to KBA 2954188 before opening an incident with Support;
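A check you can run on the SAML response your corporate IdP sends to IAS during the Test Now login, added here as an example (not SAP or IAS code). The corporate SSO step in section 2 requires the IdP to use the Unspecified NameID format and to send the SuccessFactors username as the NameID; a mismatch is a typical cause of the failure message above. Capture the response with a browser SAML tracer, base64-decode it, and pass the XML to check_nameid. The responses built below are constructed, unsigned sample data; the issuer, destination and usernames are assumptions.

```python
"""Verify the NameID of a captured SAML 2.0 Response before activating IAS.

Added example for this KBA, not SAP or IAS code. Checks that the first
assertion's Subject NameID uses the Unspecified format and carries a
SuccessFactors username. A real captured response contains the subject's
identity and a signature: handle it as sensitive data.
"""
import xml.etree.ElementTree as ET  # for responses from untrusted parties prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed: usernames as they exist in SuccessFactors (the value IAS must
# receive as NameID so that the login maps to the right SF user).
SF_USERNAMES = {"jdoe", "asmith"}


def sample_response(nameid_format, nameid_value):
    """Build a constructed, unsigned SAML Response for the checks below.
    nameid_format=None omits the Format attribute entirely."""
    fmt_attr = f' Format="{nameid_format}"' if nameid_format else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z"
    Destination="https://example.accounts.ondemand.com/saml2/idp/acs">
  <saml:Issuer>https://idp.example.corp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.corp</saml:Issuer>
    <saml:Subject><saml:NameID{fmt_attr}>{nameid_value}</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def extract_nameid(response_xml):
    """Return (format, value) of the first Assertion's Subject NameID.
    A missing Format attribute means Unspecified (SAML 2.0 Core, section 2.2.2)."""
    root = ET.fromstring(response_xml)
    nameid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None:
        raise ValueError("no Subject/NameID found; is the assertion encrypted?")
    return nameid.get("Format", UNSPECIFIED), (nameid.text or "").strip()


def check_nameid(response_xml, sf_usernames):
    """Return a list of findings; an empty list means the NameID is acceptable."""
    fmt, value = extract_nameid(response_xml)
    findings = []
    if fmt != UNSPECIFIED:
        findings.append(f"NameID Format is {fmt}; the IAS integration expects {UNSPECIFIED}")
    if value not in sf_usernames:
        lowered = {u.lower() for u in sf_usernames}
        hint = " (differs only in letter case)" if value.lower() in lowered else ""
        findings.append(f"NameID value {value!r} is not a SuccessFactors username{hint}")
    return findings


if __name__ == "__main__":
    # Typical misconfiguration: the IdP sends the email address in emailAddress format.
    for finding in check_nameid(sample_response(EMAIL_FORMAT, "jdoe@example.com"), SF_USERNAMES):
        print("FINDING:", finding)
    print(check_nameid(sample_response(None, "jdoe"), SF_USERNAMES))  # []
```

The letter-case hint matters because a NameID that differs from the SuccessFactors username only in case still fails to map; fix the attribute mapping on the IdP rather than the username in SuccessFactors.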

Cautions and points to be aware of before attempting the upgrades:

  • You cannot undo this upgrade after it is completed;
  • For instances without SSO enabled, performing the integration upgrade automatically turns SSO on, with IAS as your SSO;
  • For SSO-enabled instances, an additional asserting party for IAS is created, and the existing asserting parties are disabled, as is Partial SSO;
  • Non-paid demo instances are not supported for the IAS upgrade;
    • For paid Salesdemo instances (with a company ID starting with SFCPART) the process is supported and should work.
  • Note that OData API access is not impacted by the IAS implementation.

Keywords

IAS integration with SF, BizX integration with IAS, SF integration with IAS, SuccessFactors IAS, SSO integration with IAS, KBA, LOD-SF-PLT-IAS, Identity Authentication Services (IAS) With BizX, LOD-SF-PLT, Platform Foundational Capabilities, BC-IAM-IDS, Identity Authentication Service, How To

Product

SAP SuccessFactors HXM Suite all versions

Attachments

IAS Setup Guide - New Instances.docx
IAS Setup Guide - Existing Instances.docx