2089491 - Reverse Proxy Feature in Provisioning

• What is the Reverse Proxy?
• How do I request the Reverse Proxy for my instance?
• Deprecation of the Reverse Proxy Feature in Provisioning
• How can I prepare for the upcoming deprecation of the Reverse Proxy feature?
• An email was received by the customer: ACTION REQUIRED: Deprecation of Reverse Proxy in the 2H 2025 Release.

SAP SuccessFactors HCM suite

What is the Reverse Proxy?

By default, we access the company instance via the URL provided by SuccessFactors. This URL is determined based on the data center where your instance is hosted.

For example, if your instance is located in DC4, the URL to access it would be: https://performancemanager4.successfactors.com/

However, some customers prefer to access using a custom URL (e.g., https://successfactors.mycompany.com) by setting up Reverse Proxy servers implemented on their Corporate Network end.

In such cases, customers should get the Reverse Proxy feature enabled in SuccessFactors provisioning. This is to ensure that their users don't run into issues while accessing any SuccessFactors links or features which are using the default datacenter URL (e.g. SF email deeplinks).

Important Note: Accessing SuccessFactors with customized URL using Reverse Proxy servers is an entirely customer network end implementation. This is not a SuccessFactors feature and is entirely out of scope for technical support (how-to questions or any issue troubleshooting).There is no feature available at present on the SuccessFactors product end to implement customized URL for any customer instance.

How to request the Reverse Proxy on my instance?

In order for SuccessFactors to support this use case the configuration "Reverse Proxy Url Prefix" in provisioning would need to be configured. Any functions within SuccessFactors that generates an absolute URL (i.e: an URL that includes domain and path https://domain/path) or any SSO trust and endpoint configuration has to respect this configuration when generating the link or setting up SSO trust.

• One function of SuccessFactors is sending email to user with links to access their form. When generating the link for the use the application logic has to use the configured "Reverse Proxy Url Prefix" to build the absolute URL link.
• Another part of SuccessFactors is using SSO to integrate with other Service Provider (i.e. LMS, WFA...). If the endpoint configuration is not set up with the correct domain the integration might have unexpected behavior.

Only Implementation Partners and Product Support have access to Provisioning. If you don't have an Implementation Partner and need to make the required update in provisioning, please open an case with Technical Support providing the below information:

• Company ID:
• Datacenter:
• Reverse Proxy URL:

Note: Reverse Proxy configuration will apply to all modules. 

Deprecation of Reverse Proxy Feature in Provisioning:

The Reverse Proxy Feature in Provisioning will be fully deprecated on November 21, 2025.

The Reverse Proxy URL Prefix is being deprecated due to:

• Inconsistent behavior across SuccessFactors tenants, leading to unreliable results.
• Low adoption, with most customers using default SuccessFactors domains.
• Complex SSO configurations, where domain mismatches can cause authentication issues.

With the deprecation of the Reverse Proxy feature, we highly recommend customer to transition to default SAP SuccessFactors domains for all logins, SSO configurations, and embedded URLs in email notifications.

This standardized approach simplifies domain management, reduce complexity and improve the overall security, and maintainability of domain-related configurations, especially in environments that integrate with external identity providers.

Reverse proxy settings that will be deprecated:

On the Provisioning > Single Sign On Settings page:

• The Reverse Proxy Url Prefix. Leave blank for default field if blank, will be read-only.
  • If this field already contains a value, the contents of the field can only be deleted.
  • If there is any change to the value in this field, the new value cannot be saved unless the field is blank.
• If the Only allow request to Reverse Proxy checkbox is unchecked or was never checked, it cannot be enabled later.
• Only allow request to Reverse Proxy not checked should be fine, as long as there is a value in the reverse proxy URL field, it would be picked up. 

SAP is deprecating the Reverse Proxy feature for SuccessFactors tenants. To support this transition, a migration script has been prepared and is scheduled to run during the 2H 2025 release. The script will:

• Set your tenant’s domain to the current Reverse Proxy URL (if a reverse proxy URL is configured, it will be retained. This approach ensures that no changes are required to your Identity Provider (IdP) or Authorized SP Consumer Services (ACS) settings. If there's no URL, the feature will just be disabled).
• Disable the Reverse Proxy feature.

Note: If you wait for the global migration, you will not have the opportunity to proactively monitor or test the application before or after the script is executed.

What Are Your Options?

If you want to keep using the Reverse Proxy URL as your login URL and continue using the current settings in your IdP and ACS configurations, you have two choices:

1. Request Early Migration:
   • Raise a support ticket with SAP to run the migration script on your tenant.
   • This allows you to monitor the process and test your system before and after the changes.
2. Do Nothing:
   • SAP will automatically run the script during the 2H 2025 (2511) release. This means no early testing or monitoring will be possible on your side.

Important Notes:

• If your SuccessFactors tenant is integrated with an IdP (SAP Cloud Identity Services or your corporate IdP), and/or you're using SuccessFactors as an Identity Provider for ACS, and you prefer to control the timing, test, and monitor the migration, please:
• • Log a support ticket under component LOD-SF-PLT.
  • Ask SAP to execute the Reverse Proxy disablement.
• After this change, you will need to regenerate your metadata and re-import it into your IdP. For guidance, refer to KBA 2707993 – [SSO] Metadata file for SSO | How to generate it for SF x IDP and Outbound SSO scenarios.
• If you're okay with SAP handling the migration during the 2H 2025 release and don't require early testing, no action is needed. SAP will take care of the migration automatically at that time.

Frequently Asked Question (FAQs):

Q: Is it possible to turn on the Reverse Proxy feature before the deletion?

A: Unfortunately, it’s no longer possible

Q: What are the possible options to help us prepare for this deprecation?

A: Here are the only options available:

• Remove the current proxy setting, which will revert URLs to the default. However, customers and partners will need to update any integrated applications to use the default SuccessFactors URL. Please refer to this help guide -> Deprecation of Reverse Proxy Feature in Provisioning. Specifically, the "What to do next to prepare for this deprecation".
• Keep the reverse proxy setting and run a script that will make the current reverse proxy URLs as the default URL for the instance (e.g., https://successfactors.mycompany.com), so no changes to other applications are needed.
• Keep the reverse proxy setting and wait until the second half of 2025, when the script from option 2 will run automatically, also requiring no changes to other applications.
  

Q: Are we talking about the same script in both cases, when there's no URL set in the reverse proxy and when there is one? Do we want to keep the default behavior for both?

A: Yes, the same script will be executed. With the reverse proxy deprecation script, the BizX base URL will change from the current performancemanager4.successfactors.com to the URL specified in the reverse proxy field (e.g., https://successfactors.mycompany.com). If no URL is configured in the reverse proxy, it will continue using the default URL: https://performancemanager4.successfactors.com/.
Q: Does the running of the script have to be executed by the partner or SAP side?  

A: This will be run on the SAP side

Q: If we preserve the reverse proxy URL instead of the default domain in the metadata files, is going to be any major impact? 

A: When running the script, the current reverse proxy URL will be kept and set as the default BizX URL/domain. This means you won't need to update the SAML metadata files before or after running it. However, please note that the reverse proxy URL is different from the standard data center (DC) URLs (performancemanager4.successfactors.com). 

In the future, if we introduce any features that rely on DC-specific domains, this difference could cause issues. If your production tenant will eventually use the default DC domain, and it's not too much trouble to switch now, it might be better to use the default domain for long-term compatibility.

Q: Do we need disable logins/prevent changes while the script is running? 

A: No, technically no need to disable login.

Q: Is there any specific date for the run that will occur in the second half of 2025? 

A: Current plan is to execute the script within two weeks after the 2H 2025 release: ie. For preview DCs, between Oct 14 to Oct 27, for production DCs, between Nov 15 to Nov 30. We can't dictate the timing when the script is going to be run as it depends on the DBA team’s operation capacity.

Q: If we choose to run the script early and we have problems, can we or SAP revert it back? 

A: No revert, the script only removes the current URL in the final step. We'll be monitoring the script closely as it runs, so if any issues come up, we can catch them before that last step. Also, this script has already been run successfully on several other customer tenants without any problems, so it’s considered very safe. 

Running the script on your own designated time/pace would mean you can also monitor and test in semi-real time, while if we run the script, likely we will try to aim to run in off hours, and the schedule could fluctuate with the ops team, so we would need more coordination on test/monitoring on your side.

Reverse Proxy, URL, Provisioning, Reverse, Proxy, Deprecation of Reverse Proxy, Deprecation, LOD-SF-PLT-PRX, SuccessFactors, Platform, SFSF, SF, company provisioning settings, SFPLU-9268 , KBA , LOD-SF-PLT-PRVR , Issues with Manage Provisioning Access Tool , How To

SAP SuccessFactors HCM Suite all versions