SAP Cloud Platform Integration: IP address change impact on SuccessFactors application
SAP Cloud Platform Integration
SAP SuccessFactors API
SAP CPI performs frequent IP address upgrade due to security reasons.
This would also impact those SuccessFactors Customers who are consuming SuccessFactors APIs(SFAPI/ODATA API) and IP restriction for API user is maintained under Admin Center-> Password & Login policy Settings->Set API login exception.
If you have not enabled any IP restriction as above, there would not be any impact.
Also, if whole range of CPI is not under the allow list correctly, Integration with SuccessFactors application might fail with below error message:
[LGN0013]Authentication failed. We have prevented an attempted login from unauthorized ip: XXX.XXX.XXX.XX to company ID: XXXX with username: XXXX
How to validate if CPI IP range has been added into allow list correctly?
- Check region in your CPI tenant URL.
Here you see that region is eu2
- Go to CPI guide Regions in the Neo Environment and check the IP range for region
Example: For eu2, range documented in CPI document is 22.214.171.124/24, 126.96.36.199/24, 188.8.131.52/24 and 184.108.40.206/24
- As mentioned in KBA 2698088 - Add into allow list IP Address Ranges for Cloud Platform Integration Data Centers, you need to make sure you resolve each range and then maintain the resulted start IP and End IP address in SF.
Example: For IP range mentioned above in my example, do not add into allow list 220.127.116.11-18.104.22.168, 22.214.171.124-126.96.36.199, 188.8.131.52-184.108.40.206, 220.127.116.11-18.104.22.168 because this is not correct range.
You need to resolve each range individually using netmask lookup tool available online. For example, IP range for 22.214.171.124/24 would be 126.96.36.199-188.8.131.52
This needs to be done for all ranges for your region
- Once you get the range, follow steps mentioned in document Setting API Login Exceptions to add in the allow list of the IP addresses in SuccessFactors.
[LGN0013]Authentication failed, Password & Login policy Settings, Set API login exception. IP allow list, API , KBA , LOD-SF-INT-CPI , Standard SF to 3rd Party CPI (HCI) Content , Problem