2954491 - IAS Integration Upgrade post refresh issue

• After a refresh IPS sync for IAS is failing, and users are not able to access the instance;
• IPSADMIN user exists on instances that were not yet upgraded;
• What to do in IPS after a BizX refresh, for tenants already migrated to IAS?

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

SAP SuccessFactors HXM Suite

1. Go to Admin Center
2. Access Upgrade Center

The instance refresh copies the users, password policies and permissions, which impact the IPSADMIN used on the sync of the users.

Instance refreshes copies all users and their permissions from source to target, which overwrites the IPSADMIN user created in target for IPS sync of users. This limitation is expected to be solved in the future (pending date confirmation). Until then, the followin g should be done post refresh:

If Target SF Instance is Integrated with IAS and source is not:

Important Note: 
If the Target instance  

• Was created with pre-configured IAS/IPS after December 9th 2022.
• Had the IAS integration upgrade run after December 9th 2022. 

Then it is using mTLS certificate based authentication between IPS and BizX, using Technical User in BizX. This Technical User & Certificate based setup in any instance will not be impacted by the refresh, and the below "For IPSADMIN user" steps are not required. You can skip directly to the "For User Sync in IPS" steps.

For IPSADMIN user:

You may need to re-create the IPSADMIN that IPS uses read user on SuccessFactors instance, only in case the user is not found in the target post refresh.
In case a recreation is needed, please follow the below steps:

1. On SuccessFactors instance, create a user with user ID and Username as IPSADMIN. You can do it through an import;
2. Set up IPSADMIN user for IPS as referred on the guide on step 6.1 and 6.2;
3. Make sure to have the IPSADMIN password setup as it was before. Or reset it in SF, then update on the IPS source system and (only if Password migration from KBA 2950998 has been set up) IAS source system.

For User Sync in IPS:

Then, the following actions are needed in the IPS instance connected to the refresh target SF instance-

If the Source & Target SF had exactly same user data (all users with same usernames and email address) pre-refresh- 

1. In IPS, Reset the IAS Target System. KBA- 3041934 - You need to perform a System Reset in a Target or Source system from IPS
2. Then run the sync job (Read Job) from the SF Source System, so that the users are updated in the target IAS with the post refresh user data from the SuccessFactors instance.

If the Source & Target SF had different user data pre-refresh-

1. In the IPS source system, add some user filter (sf.user.filter) property value which will not match any user in the SuccessFactors instance, preventing IPS from being able to read them.
2. Run a Resync job from the IPS source system. 
3. This sync run with the filter from step 1 should delete all previously synced users from the Target IAS instance.
4. Once the sync run is complete, revert the user filter (sf.user.filter) property value in the IPS source system so it can now read all required users from the SuccessFactors instance.
5. Run a Resync job from the IPS source system again.
6. This sync run should create the user profiles in IAS with the post refresh user data from the SuccessFactors instance.

Note: Users that existed on both source and target system with different UUIDs (due to users being created on both tenants and not copied on a previous report) will likely be deleted from IAS target, to then be re-created as UUID is used as a primary ID on the IPS transformation (this is required to support Global Assignment and Concurrent Employment features). This is expected post refresh behavior.

If Target SF Instance is NOT Integrated with IAS and Source is:

No action needed.

If both Target and Source SF Instances are integrated with IAS:

Important Note: 
If the Target instance  

• Was created with pre-configured IAS/IPS after December 9th 2022.
• Had the IAS integration upgrade run after December 9th 2022. 

Then it is using mTLS certificate based authentication between IPS and BizX, using Technical User in BizX. This Technical User & Certificate based setup in any instance will not be impacted by the refresh, and the below "For IPSADMIN user" steps are not required. You can skip directly to the "For User Sync in IPS" steps.

For IPSADMIN user:

For the Target-

You should analyze and change, if necessary, the IPSADMIN password on IPS console -> Source Systems, for your SuccessFactors instance receiving the copy from the refresh. Be aware that all users and passwords are copied from source to target, then if you are using different passwords for IPSADMIN user in source and target (SF instances), you should change the password on IPS console in your target environment - step 7.1 from this guide.

Pages below. The user that should be updated is IPSADMIN@<target company ID>. (if you used another API user on SF it could be another user, but it will not be the standard)

Note: The Password Field value is not normally visible as on the example above (where you can see the password), the expected is to the password not be shown.

If Refresh Source Instance and Target Instance had the same password for the user no action will be required, though as you cannot check on it.

You may run a Read job to confirm if it fails to read users, then you need to update the password on above IPS screen. If you do not know the password- reset it on SF, then update on the IPS source system and (only if Password migration from KBA 2950998 has been set up) IAS source system.

If your Source instance was integrated with different IAS and IPS tenants on different datacenters, you will need also to correct the IP Address Restrictions on SuccessFactors side accordingly.

For User Sync in IPS:

Then, the following actions are needed in the IPS instance connected to the refresh target SF instance-

If the Source & Target had exactly same user data (all users with same usernames and email address) pre-refresh-  

1. In IPS, Reset the IAS Target System. KBA- 3041934 - You need to perform a System Reset in a Target or Source system from IPS
2. Then run the sync job (Read Job) from the SF Source System, so that the users are updated in the target IAS with the post refresh user data from the SuccessFactors instance.
    

If the Source & Target had different user data pre-refresh-

1. In the IPS source system, add some user filter (sf.user.filter) property value which will not match any user in the SuccessFactors instance, preventing IPS from being able to read them.
2. Run a Resync job from the IPS source system. 
3. This sync run with the filter from step 1 should delete all previously synced users from the Target IAS instance.
4. Once the sync run is complete, revert the user filter (sf.user.filter) property value in the IPS source system so it can now read all required users from the SuccessFactors instance.
5. Run a Resync job from the IPS source system again.
6. This sync run should create the user profiles in IAS with the post refresh user data from the SuccessFactors instance.

Note: Users that existed on both source and target system with different UUIDs (due to users being created on both tenants and not copied on a previous report) will likely be deleted from IAS target, to then be re-created as UUID is used as a primary ID on the IPS transformation (this is required to support Global Assignment and Concurrent Employment features). This is expected post refresh behavior.

Instance Refresh IRT IAS Identity SAC , KBA , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , LOD-SF-PLT-IRT , Instance Refresh Tool , LOD-SF-PLT-REF , Instance Refresh , Problem