- Here are a few frequently asked questions related to IAS while configuring Single Sign-On
- How IAS implementation will impact Onboarding;
- How Onboarding is implemented with IAS;
SAP SuccessFactors Onboarding
1) IAS is mandatory with SF for modules like Embedded SAC, Career Site, etc., while it is not mandatory for other SAP Cloud applications. Why can't customers choose their own IdP?
- IAS is mandatory for some modules, such as Embedded SAC and Career Site, as per the product design.
- These solutions require authentication against identifiers which may not be present in the corporate IdP. For example, with People Analytics the attribute/identifier used for integration is personGUID, and such an identifier is only available for users who are present in IAS.
- Users can be authenticated based on personGUID for People Analytics, while they can be authenticated using the login name for other SFSF product modules. Some additional reasons are as below:
- IAS also creates a global user unique identifier (locally generated in IAS) for all users that are stored in IAS. This identifier will be super useful for future integrations as more SAP applications will be able to use this for integration.
- Because People Analytics authenticates via personGUID, it is crucial to have all user records in IAS, while authentication for SSO users continues to happen with the Corporate IdP and password users are authenticated locally with IAS.
2) Why do SF users need to be replicated to IAS if IAS is to be used as a proxy to Active Directory?
- Kindly refer to the following link for more details and sample use case: (Optional) Configure Different Trust Configurations for the Same Identity Authentication Tenant (Azure AD Apps) - SAP Help Portal
- You may refer to the link below, which covers different architecture details around the usage of a proxy in the customer landscape: https://d.dam.sap.com/a/7R6nvDu
3) For Pre-Day 1 users in SuccessFactors ONB 1.0, is it suggested to have IAS or to let the users log in to SF directly?
- Pre-day1 users will be required to authenticate only via IAS.
- ONB 1.0 users previously used SuccessFactors directly through the PWD loginMethod via the SF URL. Once SuccessFactors-IAS integration has been enabled, users no longer have the option to choose the old Partial SSO login.
- ONB 1.0 treats Pre-Day 1 users as "active employees", so they will be picked up by the IPS user sync job and created in IAS.
- You may refer to Section 6.4: https://d.dam.sap.com/a/XREqKSs
4) If authentication through IAS is mandatory for ONB 1.0, how can we disable notifications on the Welcome Email from ONB and SF? The notification will go from IAS anyway if we use IAS for PD1 users.
- IAS is NOT mandatory for ONB 1.0. The above scenario is a case where BizX (HXM Suite) needs to be integrated with IAS for other business needs.
- With the activation of IAS, the onboarding user experience changes slightly: onboardees are not able to reset their passwords on SuccessFactors, but have their passwords set up on IAS.
- As a best practice, one should change the welcome email from SuccessFactors to remove the reset password link token from it and to advise about the IAS authentication process. You can refer to this Help Page: https://help.sap.com/viewer/12be6a11886846cba1de18bf9027a0b6/latest/en-US/3be608bf27cb47d3aff1e8f2440e7ec1.html
5) How can we handle authentication of Pre-Day 1 users in IAS while authentication of employees is handed over to the Corporate IdP, i.e. AD?
- Pre-Day 1 users would be password users in IAS, while employees (active users) will be handled by the Corporate IdP.
- You can use conditional authentication to separate users based on loginMethod (pwd or SSO), or another relevant field, to group the users in IAS and, based on that, send them to either IAS or the Corporate IdP, respectively, for authentication (which could break the seamless access for employees). Alternatively, you can provide your Onboarding users with a different link to log in (similar to the non-IAS login experience with loginMethod on the URL). You can refer to the KBA below for details on these approaches.
- Partial SSO on IAS KBA: https://launchpad.support.sap.com/#/notes/2954556
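The routing rule from question 5 and the replication requirement from question 1, combined into a pre-go-live check. This is an added example, not part of the original KBA or of any SAP tooling; the CSV column names (userId, loginMethod, status), the sample users, and the choice to skip inactive users are constructed assumptions.

```python
import csv
import io

# Constructed sample data; column names and users are assumptions for this example.
SF_EXPORT = """userId,loginMethod,status
alice,SSO,active
bob,SSO,active
carol,PWD,active
dave,PWD,active
erin,SSO,inactive
"""
IAS_USERS = {"alice", "bob", "carol"}   # login names present in IAS after the sync job
CORP_IDP_USERS = {"alice"}              # accounts known to the corporate IdP (AD)


def route(login_method):
    """Conditional authentication by loginMethod: PWD -> IAS, SSO -> corporate IdP."""
    method = login_method.strip().lower()
    if method == "pwd":
        return "IAS"
    if method == "sso":
        return "CORP_IDP"
    raise ValueError(f"unexpected loginMethod: {login_method!r}")


def audit(sf_csv, ias_users, corp_users):
    """Return (userId, problem) pairs for active users that do not match the setup."""
    findings = []
    for row in csv.DictReader(io.StringIO(sf_csv)):
        if row["status"].strip().lower() != "active":
            continue  # assumption: inactive users are out of scope for the check
        user = row["userId"].strip()
        if user not in ias_users:
            # Every user record must exist in IAS, whichever IdP checks the credentials.
            findings.append((user, "missing in IAS"))
        if route(row["loginMethod"]) == "CORP_IDP" and user not in corp_users:
            findings.append((user, "SSO user unknown to corporate IdP"))
    return findings


if __name__ == "__main__":
    for user, problem in audit(SF_EXPORT, IAS_USERS, CORP_IDP_USERS):
        print(f"{user}: {problem}")
```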
6) Say a customer is using IAS as a proxy to the Corporate IdP (AD) for employees and it works well. However, ONB 1.0 Pre-Day 1 users get authenticated via IAS as an IdP by default. Now the customer would not like to use IAS as an IdP for Pre-Day 1 users, but use IAS as a proxy, similar to employees. Is this possible?
Please note that the source of information for the Corporate IdP (AD) is SAP HCM (CoreHR).
- It is confirmed that there is no plan to support “Native Login to ONB”.
- We need to enable a full data load (including Pre-Day 1 users) to AD every day so that the user is available on the Corporate IdP.
- After conversion of a Pre-Day 1 user to an employee on the hire date, the Pre-Day 1 user will get deactivated in AD, as they are removed from the sync job.
7) What is the impact on the Onboarding 2.0 login process for Pre-Day 1 users?
- Unlike Onboarding 1.0, where the Pre-Day 1 users are "normal active users", Onboarding 2.0 users are external users and have a different login URL with the "&pm_product_name=ONB" parameter. The IAS implementation has not changed this behavior.
- Onboarding 2.0 users will keep accessing the system through the same process, by accessing a URL of the pattern below:
- <DC URL>/login?company=<Company ID>&pm_product_name=ONB
8) What is the impact for Onboarding implementation and user experience?
- For Onboarding 1.0, you can refer to this Help Page: https://help.sap.com/viewer/12be6a11886846cba1de18bf9027a0b6/latest/en-US/3be608bf27cb47d3aff1e8f2440e7ec1.html
- For Onboarding 2.0, you can refer to this Help Page: https://help.sap.com/viewer/c94ed5fcb5fe4e0281f396556743812c/latest/en-US/edeaa013f8d5459c93330bdd1015772c.html
IAS, SSO, IDP , KBA , LOD-SF-OBX , Onboarding 2.0 , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , Problem