SAP Knowledge Base Article - Public

2791410 - Integrating SuccessFactors with SAP Cloud Identity Authentication Through the Upgrade Center

Symptom

  • How to create SuccessFactors Identity Authentication Service Integration
  • How to create IAS and IPS tenants for SuccessFactors integration
  • How to set up IAS and IPS with SuccessFactors

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

  • SAP SuccessFactors HXM Suite
  • SAP Cloud Platform Identity Authentication Service
  • SAP Cloud Platform Identity Provisioning Service

Reproducing the Issue

  1. Go to Admin Center
  2. Click Upgrade Center
  3. Notice New Optional Upgrades:
    • Create SuccessFactors Identity Authentication Service Integration
    • Enable SuccessFactors to SAP Cloud Platform Identity Authentication Service Integration

Resolution

IMPORTANT

  • Before performing this implementation, note that it requires manual implementation on different systems; it is not a simple upgrade carried out only in the Upgrade Center
  • We require and strongly advise that you review the following content:
    • The Admin Guide for this feature, which contains multiple optional steps you might need to follow for your business case
      • If you prefer, you can access the PDF version HERE
      • Overview of the features and their implementation
      • How-to videos explaining the actions you need to take. (It is advised to view ALL of them, especially this one.)
      • A link to Office Hours with an expert, where you can raise questions and hear what other customers are asking
      • Updates on what is and is not supported
  • This activity can only be accomplished by an SAP S-User. Contact your system administrator for help if you do not have an S-User
  • Each customer is allowed two IAS tenants by default (one for the production instance and one for the preview instance)
  • This upgrade will disable Partial SSO; your PWD users will need to log in through a different URL, and an IAS feature needs to be enabled for this

How to Create Integration Settings

To create the settings and IAS and IPS tenants, you need to follow the steps below:

Prerequisites

  • Have the S-User credentials
  • (Only if you already have an IAS tenant) Have your IAS tenant URL

Procedure

  1. Go to Admin Center
  2. Open the Upgrade Center
  3. Search for the upgrade Initiate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration and click Learn More & Upgrade Now;
    • Note: If you do not find the upgrade and it is not listed under Completed Upgrades, your instance must have one of the unsupported features mentioned on the Community Page. Refer to that page for when the upgrade will be available for you;

  4. Click Upgrade Now;
  5. A popup requesting an S-User and password will appear.
  6. Enter your S-User credentials, the same ones used in the support portal to open incidents for the instance;
  7. If you already have an IAS tenant, you will be asked for the IAS tenant URL. The URL should start with https:// and usually ends with ondemand.com;
    • Here you need to provide the URL for the tenant matching the BizX instance type (BizX Prod with IAS Prod, and BizX Test/Dev/Preview with IAS Test);
    • If you do not know your tenant URL, check internally with your Company Admin or your SAP Representative (they can search for SCI_IDP on our internal tool Cloud Reporting);
    • If the information is still not available, create a support incident using component LOD-SF-PLT-IAS to request assistance;
  8. Click Create to initiate the integration process;
  9. The process can take over 2 hours to complete;
    • If you did not have an IPS prior to the upgrade, you should know it is complete when you receive an email with your IPS information (access will be with your S-User credentials);
    • If you already have an IPS, you can check the Source setup: once a new Source and Target have been created for your SF and IAS tenants, the process is complete;

Complete IAS and IPS configuration

Prerequisites

  • Have completed the previous steps;
  • You need to have Admin access to both your IPS and IAS tenants (if you did not have the tenants before the previous steps, you should receive an email with the credentials);
    • If you need help getting the IAS or IPS access credentials, please open an incident to BC-IAM-IDS for IAS or BC-IAS-IDS;
  • Have already read the Admin Guide, as multiple configurations in these steps are optional and defined by business case;
  • This step is about getting your users set up in the IAS tenant and integrating IAS with your corporate SSO (if applicable)

Procedure

  1. Set up the API user for IPS as described in steps 6.1 and 6.2 of the guide;
  2. (Optional) You can change your IPS transformation rules if you have a requirement to do so; refer to step 6.4 of the guide (this is an implementation decision by the customer);
    • Note: In the source system (SuccessFactors), all users must have unique emails to avoid provisioning issues (email must be unique on IAS);
    • If you need to keep the same emails on SuccessFactors, you can follow this Guided Answer to have the users created with different dummy emails; this would be a change to the transformation rules;
    • Remember that IAS uses email to log in, so users would need to log in with their emails
  3. Schedule the IPS sync job as described in step 6.3;
  4. Confirm that the IPS sync job is running successfully on IPS;
    1. Log in to your IPS;
    2. Go to Job Logs;
    3. Click on the last execution of the job;
    4. Confirm that the job is reading the users, and check whether it is facing any issue writing the users to IAS;
  5. Log in to your IAS tenant;
  6. Confirm that the number of users on your IAS matches the number of users that you have on SuccessFactors;
    • IAS will only have the active users;
    • Users that have a duplicated email will not be created on IAS (unless there was a change to the transformation rules), so it might be expected that not all users are on IAS;
    • IAS will have Admin users that exist only on IAS;
  7. (Optional) Set up a corporate SSO integrated with IAS;
    • Follow step 5.6.1 Corporate Identity Provider in IAS in the guide; there is a video that you can follow on how to do it;
    • IMPORTANT: This will also require that you set up a new application on your Corporate IdP (SSO) using metadata exported from IAS;
    • IMPORTANT: Make sure to use the NameID format Unspecified on your IdP for IAS, and to send as NameID a value that matches the SuccessFactors username;
  8. (Optional) If you had Partial SSO and you have non-SSO users who will need to log in with user and password, you need to implement the feature described in KBA 2954556
    • Your PWD users will log in directly at an IAS URL;
  9. Apply any settings from Chapter 5 (Identity Authentication Service Administration Console Tasks) of the guide, depending on your specific requirements;
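
The unique-email note and the user-count check in the procedure above can be prepared before the first sync by running a pre-check over a user export. The following Python script is an added example, not part of this KBA or of any SAP tool; the CSV column names (username, email, status), the sample rows, and the case-insensitive email comparison are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column names are assumptions for this
# example, not a documented SuccessFactors export layout.
SAMPLE_EXPORT = """username,email,status
jdoe,john.doe@example.com,active
jdoe2,John.Doe@example.com,active
asmith,anna.smith@example.com,active
bkhan,b.khan@example.com,inactive
tlee,,active
mross,m.ross@example.com,active
"""

def precheck(export_text):
    """Group exported users by how the KBA says they will appear on IAS."""
    active, inactive = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["username"].strip()
        if row["status"].strip().lower() == "active":
            active.append((user, row["email"].strip()))
        else:
            inactive.append(user)  # IAS will only have the active users

    by_email, missing_email = defaultdict(list), []
    for user, email in active:
        if email:
            # Assumption: addresses differing only in case count as the same.
            by_email[email.lower()].append(user)
        else:
            missing_email.append(user)  # no email to log in with; review

    return {
        "active_total": len(active),
        "inactive": sorted(inactive),
        "missing_email": sorted(missing_email),
        # Duplicated emails are not created on IAS without a rule change.
        "duplicate_emails": {e: sorted(u) for e, u in by_email.items() if len(u) > 1},
        "unique_email_users": sorted(u[0] for u in by_email.values() if len(u) == 1),
    }

if __name__ == "__main__":
    report = precheck(SAMPLE_EXPORT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

When comparing the number of users in unique_email_users with the count shown in IAS after the job runs, remember that IAS also holds Admin users that exist only there.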

Enable SAP SuccessFactors to SAP Cloud Platform IAS Integration

Prerequisites

  • Your SAP SuccessFactors system is integrated with the SAP Cloud Platform Identity Authentication service as a result of completing the previous steps successfully
  • You have successfully configured Identity Authentication to meet your requirements and are ready to begin using it to authenticate users in your system
  • You have confirmed that the user sync between SAP SuccessFactors and Identity Authentication is successful

Procedure

  1. Go to Admin Center
  2. Access Upgrade Center
  3. Find the upgrade Activate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration;

  4. Click Learn More & Upgrade Now
  5. Click Upgrade Now
  6. After this, your instance will be integrated with IAS and your users will be redirected to log in through IAS;
  7. If you face any login issue after running this upgrade, please refer to KBA 2954188 before opening an incident with Support;

Cautions and points to be caught up on prior to trying the upgrades:

  • You cannot undo this upgrade after it is completed;
  • For non-SSO enabled instances, performing the integration upgrade will automatically turn SSO on, with IAS as your SSO;
  • For SSO-enabled instances, another asserting party for IAS will be created, while the others will be disabled, as will Partial SSO;
  • Demo instances aren't covered by the automatic upgrade via Upgrade Center;
    • For this kind of environment, the configuration must be carried out manually by following KBA 2674232.

Keywords

IAS, BizX, biz x, SF, success factors, plt, platform, e-mail, SSO, KBA, LOD-SF-PLT-IAS, Identity Authentication Services (IAS) With BizX, LOD-SF-PLT, Platform Foundational Capabilities, How To

Product

SAP SuccessFactors HXM Suite all versions

Attachments

IAS Setup Guide - New Instances.docx
IAS Setup Guide - Existing Instances.docx