- Here are a few frequently asked questions related to IAS when configuring Single Sign-On
- How IAS implementation will impact Onboarding;
- How Onboarding is implemented with IAS;
SAP SuccessFactors Onboarding
1) Why is IAS mandatory for SF modules like Embedded SAC and Career Site while it is not mandatory for other SAP Cloud applications? Why can't we use our own IdP?
- IAS is mandatory for some of the modules, like Embedded SAC, Career Site, etc., as per the chosen design.
- These solutions require authentication against identifiers that may not be present in the corporate IdP.
- A case in point is People Analytics: the attribute/identifier used for integration is personGUID. Therefore, only if users are present in IAS will it be possible to authenticate them based on personGUID for People Analytics and based on loginname for SFSF.
- This is also why users need to be persisted in IAS. Some additional reasons are as below:
- IAS also creates a global unique user identifier (locally generated in IAS) for all users that are stored in IAS. This identifier will be super useful for future integrations, as more SAP applications will be able to use it for integration.
- Because of People Analytics and its login via personGUID, it is crucial to have all user records in IAS: even though the authentication for SSO would continue to happen with the corporate IdP, the password users will need to authenticate locally in IAS.
2) Why do SF users need to be replicated to IAS if IAS is used as a proxy to Active Directory?
- Kindly refer to the following link: https://help.sap.com/viewer/568fdf1f14f14fd089a3cd15194d19cc/latest/en-US/02f401d638bd42e49fb7d39565189c3e.html
3) For Pre-Day 1 users in SuccessFactors ONB 1.0, is it suggested to have IAS or to let the users log in to SF directly?
- Since ONB1.0 treats Pre-day1 users as “active employees”, when SuccessFactors-IAS integration is enabled, your users will no longer have the old Partial SSO login option, which ONB 1.0 users were previously using to access SuccessFactors directly through PWD loginMethod on the SF URL;
- These onboardees will be required to authenticate via IAS;
- As the users are active users in the SuccessFactors UDF, they will be picked up by an IPS user sync job and therefore will be created in IAS.
4) If authentication through IAS is mandatory for ONB 1.0, how can we disable notifications on the Welcome Email from ONB and SF? The notification will go from IAS anyway if we use IAS for PD1 users.
- IAS is NOT mandatory for ONB1.0. The above scenario is a case where BizX (HXM Suite) is integrated with IAS.
- In this case, the onboardees' user experience changes slightly, as they will no longer reset their passwords on SuccessFactors but will have their passwords set up on IAS;
- The welcome email from SuccessFactors will need to be changed to remove the reset password link token from it and to advise about the IAS authentication process. You can refer to this Help Page: https://help.sap.com/viewer/12be6a11886846cba1de18bf9027a0b6/latest/en-US/3be608bf27cb47d3aff1e8f2440e7ec1.html
5) How can we handle Pre-Day 1 users' authentication in IAS while employees' authentication is handed over to the corporate IdP, i.e. AD?
- Pre-day1 users would be password users in IAS while employees (active users) will be handled by Corporate IdP.
- You can use conditional authentication to split users based on loginMethod (pwd or SSO), or another relevant field, to group the users in IAS and, based on that, send them to either IAS or the corporate IdP, respectively, for authentication (which could break the seamless access for employees). Alternatively, provide your Onboarding users with a different link to log in (similar to the non-IAS login experience with loginMethod on the URL). You can refer to the KBA below for details on these approaches.
- Partial SSO on IAS KBA: https://launchpad.support.sap.com/#/notes/2954556
6) (Follow-up question on 5) Suppose the customer does not want to use IAS as the IdP and only wants to use IAS as a proxy to AD. This works well for employees, as the source of employee information for AD is SAP HCM on-prem. But PD1 users are not maintained in SAP HCM and hence will not exist in AD. Is this achievable?
- It is confirmed that there is no plan to support “Native Login to ONB”.
- All active SF users are required to be synced to IAS, so any scenario that does not sync all the users is not covered.
7) What is the impact for Onboarding 2.0 login process for Pre-Day 1 users?
- Unlike Onboarding 1.0, where the Pre-Day 1 users are "normal active users", the Onboarding 2.0 users are external users and have a different login URL with the "&pm_product_name=ONB" parameter; the IAS implementation has not changed this behavior;
- Onboarding 2.0 users will keep accessing the system through the same process, using a URL that follows the pattern below:
- <DC URL>/login?company=<Company ID>&pm_product_name=ONB
8) What is the impact for Onboarding implementation and user experience?
- For Onboarding 1.0, you can refer to this Help Page: https://help.sap.com/viewer/12be6a11886846cba1de18bf9027a0b6/latest/en-US/3be608bf27cb47d3aff1e8f2440e7ec1.html
- For Onboarding 2.0, you can refer to this Help Page: https://help.sap.com/viewer/c94ed5fcb5fe4e0281f396556743812c/latest/en-US/edeaa013f8d5459c93330bdd1015772c.html