SAP Cloud Platform Integration: IP address change impact on SuccessFactors application
SAP Cloud Platform Integration
SAP SuccessFactors API
SAP CPI performs frequent IP address upgrade due to security reasons.
This would also impact those SuccessFactors Customers who are consuming SuccessFactors APIs(SFAPI/ODATA API) and IP restriction for API user is maintained under Admin Center-> Password & Login policy Settings->Set API login exception.
If you have not enabled any IP restriction as above, there would not be any impact.
Also, if whole range of CPI is not whitelisted correctly, Integration with SuccessFactors application might fail with below error message:
[LGN0013]Authentication failed. We have prevented an attempted login from unauthorized ip: XXX.XXX.XXX.XX to company ID: XXXX with username: XXXX
How to validate if CPI IP range has been whitelisted correctly?
- Check region in your CPI tenant URL.
Here you see that region is eu2
- Go to CPI guide Regions in the Neo Environment and check the IP range for region
Example: For eu2, range documented in CPI document is 188.8.131.52/24, 184.108.40.206/24, 220.127.116.11/24 and 18.104.22.168/24
- As mentioned in KBA 2698088 - Whitelist IP Address Ranges for Cloud Platform Integration Data Centers, you need to make sure you resolve each range and then maintain the resulted start IP and End IP address in SF.
Example: For IP range mentioned above in my example, do not whitelist 22.214.171.124-126.96.36.199, 188.8.131.52-184.108.40.206, 220.127.116.11-18.104.22.168, 22.214.171.124-126.96.36.199 because this is not correct range.
You need to resolve each range individually using netmask lookup tool available online. For example, IP range for 188.8.131.52/24 would be 184.108.40.206-220.127.116.11
This needs to be done for all ranges for your region
- Once you get the range, follow steps mentioned in document Setting API Login Exceptions to whitelist the IP addresses in SuccessFactors.
[LGN0013]Authentication failed, Password & Login policy Settings, Set API login exception. IP Whitelisting, API whitelisting , KBA , LOD-SF-INT-CPI , Standard SF to 3rd Party CPI (HCI) Content , Problem