SAP Knowledge Base Article - Public

2791410 - Integrating SuccessFactors with Identity Authentication IAS through the Upgrade Center

Symptom

  • How to create SuccessFactors Identity Authentication Service Integration
  • How to create IAS and IPS tenants for SuccessFactors integration
  • How to set up IAS and IPS with SuccessFactors

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

  • SAP SuccessFactors HXM Suite
  • SAP Cloud Identity Services – Identity Authentication IAS
  • SAP Cloud Identity Services – Identity Provisioning IPS

Resolution

IAS-architecture.png

IMPORTANT

  • Before performing this implementation, note that it requires manual implementation on different systems; it is not a simple upgrade performed only in Upgrade Center.
  • We require and strongly advise you to review the following content:
    • The Admin Guide for this feature, in which there are multiple optional steps you might need to follow for your business case;
      • If you prefer you can access the pdf version HERE.
      • Overview of the features and their implementation;
      • How-to videos explaining actions you need to do; (It's advised to view ALL, especially this one.)
      • A link for Office Hours with an expert where you can raise questions and hear what other customers are asking;
      • Updates on what is and is not supported.

  • This activity can only be accomplished by an SAP S-User. Contact your system administrator for help in case you do not have an S-User.
  • Until the 2H 2020 release (aka b2011 release), each customer was allowed only 2 IAS tenants by default (one production instance and one preview).
    • Customers that already upgraded using only 2 IAS tenants can change the IAS mapping through "Change SuccessFactors Identity Authentication Service Integration".
    • After the 2H 2020 release (aka b2011 release), customers have the option to select which IAS tenant to use (or to use a new one), and we recommend mapping 1 IAS to each SF instance for a simpler implementation. Production and Test instances are not supposed to be integrated together. For that reason, the upgrade does not allow it, and we strongly recommend against any mappings that mix a production type instance with any test type environments.
  • NOTE: This upgrade will disable Partial SSO. Your PWD users will need to log in through a different URL. [Reference: KBA 2954556]


NEW UPDATES: 
Customer Communication for Migration to IAS/IPS

SAP SuccessFactors has been encouraging and working with our remaining customers who need to migrate to the SAP Cloud Identity Authentication services, which offer advanced identity management features, multi-factor authentication, and risk-based authentication. We are asking our customers to plan, test, and make the move to IAS/IPS prior to the impact changes that are coming in 2024 and 2025.

There are two areas of impact for the remaining customers:

  1. Corporate IDP (such as Microsoft Azure AD, Okta, Google, OneLogin, etc.); or,
  2. Basic Authentication (username and password).
  • The third-party cookie deprecation in the second half of 2024 was announced by Google (https://blog.google/products/chrome/update-testing-privacy-sandbox-web/). Third-party cookies are used to enable user sign-in offering Single Sign-On, thus enhancing the user experience. Given this recent announcement, we highly recommend rolling out the IAS integration to avoid authentication issues.
  • Upon expiration of the SuccessFactors SSO signing certificate on June 2, 2025, if customers do not migrate to IAS or make any changes, the User authentication and Single Sign-On functionalities will not work. For more details and the official communication, see this Community page.


1. How to Create Integration Settings

To create the settings and IAS and IPS tenants, you need to follow the steps below:

Prerequisites

  • Have the customer S-User credentials (Partner S-Users are not allowed to trigger the upgrade);
  • (Only if you already have an IAS tenant, you will know if you have it on step 1.7) Have your IAS tenant URL and access to that tenant;
    • You can self-check and confirm your existing IAS tenants and their administrators on https://iamtenants.accounts.cloud.sap/.
      • Only existing IAS administrators can add additional administrators to IAS tenants. Check Add Administrators | SAP Help Portal for adding additional IAS administrators and KBA 3033198 for adding additional IPS administrators.
      • If no one has access to the IAS tenant (for example, all admins on the above page left the company), request access through a case to BC-IAM-IDS before the implementation.


Procedure

  1. Go to Admin Center.
  2. Open the Upgrade Center.
  3. Search for upgrade Initiate the SAP Cloud Identity Services Identity Authentication Service Integration and click Learn More & Upgrade Now.
    • Note: If you don't find the upgrade and it is not under the Completed Upgrades, your upgrade is likely under the View Saved for Later Items.

Initiate upgrade.png

  4. Click Upgrade Now.
  5. A popup requesting an S-User and password will appear.
  6. Enter your S-User credentials, the same as used in the Support Portal to open cases for the instance.
    • If you face any issues or errors on the authentication of your S-User credentials, please refer to KBA 2944990 for the common issues and their solutions on this step.
  7. A pop-up will appear for you to select the IAS tenant to integrate with (as in the screenshot below). Please choose the tenant accordingly or create a new one (this is an architecture decision on the customer side). In case your existing IAS tenants are not visible at this step, open a ticket on the component: LOD-SF-PLT-IAS.

IAS pop up.PNG

    • In case you want to use an existing IAS tenant that is listed and you do not have access to the IAS tenant Administration Console:
      • You can self-check and confirm your existing IAS tenants and their administrators on https://iamtenants.accounts.cloud.sap/.
        • Only existing IAS administrators can add additional administrators to IAS tenants. Check KBA 3033198 for adding additional IPS administrators. Check KBA 2570572 for adding additional administrators in the IAS tenant.
        • If no one has access to the IAS tenant (for example, all admins on the above page left the company), first check internally that no other team is using that tenant, then create a support case on component BC-IAM-IDS (select Cloud platform as the product to be able to select this component) to request access.
    • If you click on Submit and face a warning message stating "The SAP Cloud Platform Identity Authentication Service tenant you've chosen for this upgrade is not in the same region as your SAP SuccessFactors tenant. Are you sure you want to continue?" and you want this warning to be removed, please check KBA 3084273 - Warning message during SF-IAS Initial upgrade - IAS is not in the same region as your SAP SuccessFactors tenant.
    • You can choose to share IAS tenants between different SuccessFactors tenants or choose a 1-1 approach, provided that they are of the same type: Production with Production and Test with Test. Both approaches work and are supported; the choice is the customer's decision, as each has its challenges:
      • With 1 IAS - 1 SF:
        • You will have more IAS tenants to administrate.
        • More applications need to be created on your corporate IdP.
        • This will make user management on IAS easier and require fewer customizations on IPS later on.
      • For shared IAS tenants, you have to take care of some user management aspects between the instances, such as:
        • Users need to be matched between instances or be completely different. Users with one email in one instance and another email in another instance might see issues on syncing.
        • You will need to make adjustments to the transformation rules to sync a unique user ID (UUID) to different custom attributes on the second step.
    • If Request New Tenant is selected, a new IAS tenant (free of cost) will be created and used for the SuccessFactors integration. The tenant ID will be a random ID generated automatically by the system.
  8. Click Request New Tenant or Submit to initiate the integration process, depending on whether you are going to create a new tenant or use an existing one.
  9. The process can take over 2 hours to complete.
    • If you did not have an IPS before the upgrade, you should be able to access it with the same credentials as the admin user created for IAS.
    • If you already have an IPS, you can check its Source systems to see when the new Source and Target for your SF and IAS tenants have been created.

2. Complete IAS and IPS configuration

Prerequisites

  • Have completed the previous steps.
  • You need to have Admin access to both your IPS and IAS tenants (if you did not have the tenants before the previous steps, you should receive an email with the credentials).
    • For IAS or IPS credentials:
      • You can self check and confirm your existing IAS and IPS tenants and their administrators on https://iamtenants.accounts.cloud.sap/.
        Only existing IAS/IPS administrators can add additional administrators to IAS/IPS tenants. Check KBA 3033198 for adding additional IPS administrators. Check KBA 2570572 for adding additional administrators in the IAS tenant. SAP support teams under component BC-IAM-IDS will only add additional tenant administrators in exceptional cases, typically when the existing administrator is unavailable, such as after leaving the company, or when there are no active tenant administrators in the tenant. This is done to address potential legal concerns. [Reference: KBA 3035908]
  • Please read Implementation Guide - Configuring Applications on SAP Cloud Identity Services – Identity Authentication IAS | SAP Help Portal as having multiple configurations on these steps is optional and defined by business case.
  • This step is about getting your users set up in the IAS tenant and integrating IAS with your corporate SSO (if applicable).

Procedure

Important Note: For upgrades run post 2H 2022 release, the below steps 1 to 4 concerning IPSADMIN are no longer relevant. The IPS to SF connection is certificate based now (mTLS authentication), and the IPSADMIN user is no longer created in SF by the upgrade process.

Additionally, if the IPS Source System for SuccessFactors is using sf.api.version 2, then the user filter condition from Step 5 needs to be set differently, in accordance with the SF SCIM API (Ref: https://api.sap.com/api/PLTScim/resource).

Steps 1-4 are relevant only for upgrades performed before 2H2022.

  1. On SuccessFactors, provide API permissions and employee export permission for the IPSADMIN user as described in the guide's section Setting Up an API User for Sync Jobs.
    • The user needs to receive the below permissions over everyone as target population:
      • Manage Users -> Employee Export;
      • Manage Users -> User Account OData entity;
      • Manage Integration Tools -> Allow Admin to Access OData API through Basic Authentication.
  2. On SuccessFactors, set up API Exception Login for IPS IP addresses on Password & Login Policy Settings as described in the guide section Setting Up an API User for Sync Jobs. Any region not covered in that guide section can be found in the IPS Help guide: Regional Availability - SAP Help Portal.
    • The IP addresses provided in the guide are in a different format from the one that needs to be used on SuccessFactors and need to be converted using any commonly available tool.
    • If you are not aware of the region of your IPS tenant, you can check on the tenant itself in the Support section (tool icon on the bottom-left corner, as in the screenshot below) (relevant only for upgrades performed before 2H2022).

 

  3. On SuccessFactors, reset the IPSADMIN password, and take note of the password for later setup on IPS (relevant only for upgrades performed before 2H2022).
  4. On IPS, update the password field for SuccessFactors as a source system, as described in step 7.1 of the guide, with the password from the step above (relevant only for upgrades performed before 2H2022).
  5. On IPS, update the sf.user.filter field, as this is the filter for the users that IPS will read from SuccessFactors.
    • When created, this field comes with the value status eq 'active' and username in 'sf_username1_placeholder','sf_username2_placeholder'.
    • This means that only active users that are on the list (sf_username1_placeholder and sf_username2_placeholder) will be synced.
    • As a test, you need to change the filter to sync usernames that exist on your instance.
    • To sync all users and move forward with the implementation, the filter should be only status eq 'active'.
  6. (Optional) You can change your IPS transformation rules if you have specific requirements; refer to Section 5 Configure Transformations in Identity Provisioning in the guide (implementation decision by customer).
    • Note: In the source system (SuccessFactors) all users must have unique emails to avoid provisioning issues (email must be unique on IAS and later on SAC/People Analytics).
    • If you need to have the same emails on SuccessFactors, refer to section 5.1 Remove Dummy Emails Transformation in the guide.
    • If you want users to receive email notifications when they are created in Identity Authentication, enable the SendMail transformation code as per the Define SendMail Transformation guide.
  7. Schedule the IPS sync job as described in Section 7.2 Running and Scheduling Jobs (User Sync).
  8. Confirm that the IPS sync job is running successfully on IPS:
    1. Log in to your IPS;
    2. Go to Job Logs;
    3. Click the last execution of the job;
    4. Confirm that the job is reading the users, and check whether it is facing any issue writing the users to IAS.
  9. Log in to your IAS tenant.
  10. Confirm whether the number of users listed on your IAS matches the number of users that you have on SuccessFactors:
    • IAS will only have active users;
    • By default, users that have duplicated emails will not be created on IAS, so it might be expected that not all users are on IAS;
    • IAS will likely have Admin users that will only exist on IAS.
  11. (Optional) Set up a corporate SSO integrated with IAS:
    • Follow Section 9 Configure Single Sign-On in Admin Center in the guide. There is a video that you could follow on how to do it;
    • IMPORTANT NOTE: This will also require that you set up a new application on your Corporate IdP (SSO) using metadata exported from IAS;
    • IMPORTANT NOTE: Make sure to use Unspecified as the NameID format on your IdP for IAS, and to send as NameID a value that matches the SuccessFactors username.
  12. (Optional) If you had Partial SSO and you have non-SSO users that will need to log in with user and password, check reference knowledge base article 2954556 - How to implement Partial SSO after Identity Authentication IAS upgrade on SuccessFactors.
  13. (Optional) Go through the SAP Cloud Identity Services – Identity Authentication IAS Operations Guide | SAP Help Portal and implement the optional settings based on your own requirements.
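
The user-count confirmation in the procedure above can be done as a reconciliation instead of comparing two totals, so that every missing account is either explained by a shared email or flagged for a look at the IPS job log. This is an added example, not SAP code: the CSV column names, the sample rows, the case-insensitive email comparison and the assumption that the IAS login name carries the SuccessFactors username are all constructed for illustration.

```python
"""Reconcile a SuccessFactors user export against the IAS user list (added example)."""
import csv
import io
from collections import defaultdict

# Constructed sample data. Column names are assumptions for this example,
# not the layout of a real SuccessFactors or IAS export.
SF_EXPORT = """username,status,email
jdoe,active,jdoe@example.com
asmith,active,shared.mailbox@example.com
bjones,active,Shared.Mailbox@example.com
cwhite,inactive,cwhite@example.com
dgreen,active,dgreen@example.com
ekhan,active,ekhan@example.com
"""

IAS_EXPORT = """loginName,email
jdoe,jdoe@example.com
asmith,shared.mailbox@example.com
dgreen,dgreen@example.com
ias.admin,ias.admin@example.com
"""


def load(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(sf_rows, ias_rows):
    """Classify every difference between the two user populations."""
    active = [r for r in sf_rows if r["status"].strip().lower() == "active"]

    # Group active users by email. Comparing case-insensitively is an
    # assumption: it is the stricter reading of "unique email".
    by_email = defaultdict(list)
    for r in active:
        by_email[r["email"].strip().lower()].append(r["username"])
    duplicate_groups = {e: sorted(u) for e, u in by_email.items() if len(u) > 1}
    in_dup_group = {u for users in duplicate_groups.values() for u in users}

    sf_all = {r["username"] for r in sf_rows}
    sf_active = {r["username"] for r in active}
    ias_names = {r["loginName"] for r in ias_rows}
    missing = sf_active - ias_names

    return {
        "sf_active": len(sf_active),
        "ias_total": len(ias_names),
        "duplicate_email_groups": duplicate_groups,
        # Missing and sharing an email: expected with the default behaviour.
        "missing_explained": sorted(missing & in_dup_group),
        # Missing although the email is unique: check the IPS job log.
        "missing_unexplained": sorted(missing - in_dup_group),
        # Present only in IAS: should be IAS-local admins, review each one.
        "ias_only": sorted(ias_names - sf_all),
        # Inactive in SuccessFactors but present in IAS: not expected.
        "inactive_in_ias": sorted(ias_names & (sf_all - sf_active)),
    }


if __name__ == "__main__":
    for key, value in reconcile(load(SF_EXPORT), load(IAS_EXPORT)).items():
        print(f"{key}: {value}")
```

Accounts reported under ias_only deserve a manual review, since they hold access in IAS without a matching SuccessFactors user.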


3. Enable SAP SuccessFactors to SAP Cloud Platform IAS Integration

Prerequisites

  • Your SAP SuccessFactors system is integrated with the SAP Cloud Platform Identity Authentication service by doing the previous steps successfully.
  • You have successfully configured Identity Authentication to meet your requirements and be ready to begin using it to authenticate users in your system.
  • You have confirmed that the user sync between SAP SuccessFactors and Identity Authentication is successful.

Procedure

  1. Go to Admin Center.
  2. Access Upgrade Center.
  3. Find the upgrade Activate SuccessFactors Identity Authentication Service Integration.
  4. Click Learn More & Upgrade Now.
  5. Click Upgrade Now.
  6. Click Confirm.
  7. Click Test Now.
    • IMPORTANT: Make sure to be logged out of the IAS Administration Console on the browser in which you are doing this task, so that the test does not pick up your active Admin session.
  8. A new tab will be opened with a link to test your integration, which will redirect to the authentication process you will have after IAS activation.
    • The URL will have this format: <IAS URL>/saml2/idp/sso?sp=<SuccessFactors Entity ID>/<your company ID>&RelayState=verification.
    • This will simulate your login through IAS without activating it. If the authentication process is successful, it will allow you to activate the IAS integration.
  9. You will be redirected to IAS to authenticate (IAS might redirect you to your corporate IdP depending on your implementation in section 2).
  10. Log in to the instance.
  11. You will receive a Success message; then come back to Upgrade Center on the other tab.
    • If you receive a failure message or do not get correctly redirected, this means that you have some configuration issue that is impacting your IAS authentication.
    • Please review KBA 2954188 on IAS login issues, and correct the configuration or complete any step missed.
  12. You can now move forward and activate the IAS integration.
  13. After this, your instance will be integrated with IAS and your users will be redirected to log in through IAS.
  14. If you face any login issue after running this upgrade, please refer to KBA 2954188 before opening a case with Support.


Notes - Cautions and points to be caught up on before trying the upgrades:

  1. You cannot undo this upgrade after it is completed;
  2. For non-SSO enabled instances, performing the integration upgrade will automatically turn the SSO on with IAS as your SSO;
  3. For SSO-enabled instances, another asserting party for IAS will be created, while others will be disabled as well as Partial SSO;
  4. The Upgrade Center will not work with sales demo instances of SF (paid and non-paid demo). Paid instances are now delivered directly with pre-configured IAS & IPS. Non-paid demo instances are not delivered with pre-configured IAS & IPS and do not have the IAS upgrade in Upgrade Center, so to integrate them with IAS the full manual process needs to be done;
  5. OData API access will not be impacted by IAS implementation;
  6. Any Login page customization, password recovery and SSO integration after this implementation will be under IAS product scope, being setup on IAS side and supported by IAS support team under component BC-IAM-IDS.
  7. It is recommended to turn off case sensitivity for Usernames along with enabling the IAS integration. For how that can be done, see KBA 2214831 - Is there a way to remove the case sensitivity of Usernames in SuccessFactors?.
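
A check for the two NameID rules on this page: the Unspecified format required in section 2, and the username match that the case-sensitivity note above affects. This is an added example, not SAP code; the assertion fragments, usernames and finding codes are constructed, and the script only inspects a decoded assertion captured from your own test login.

```python
"""Check the NameID of a decoded SAML assertion (added example, not SAP code)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed assertion fragments (unsigned, invented values).
TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID{fmt}>{value}</saml:NameID></saml:Subject>
</saml:Assertion>"""
EMAIL_FORMAT = ' Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"'
SAMPLE_EMAIL = TEMPLATE.format(fmt=EMAIL_FORMAT, value="jdoe@example.com")
SAMPLE_CASE = TEMPLATE.format(fmt=f' Format="{UNSPECIFIED}"', value="JDoe")
SAMPLE_GOOD = TEMPLATE.format(fmt=f' Format="{UNSPECIFIED}"', value="jdoe")


def check_nameid(assertion_xml, sf_usernames, case_sensitive=True):
    """Return finding codes; an empty list means the NameID meets both rules.

    Diagnostic only: it does not verify signatures, conditions or audience.
    """
    # A SAML assertion has no reason to carry a DTD; refuse instead of parsing.
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        raise ValueError("DTD content is not expected in a SAML assertion")
    node = ET.fromstring(assertion_xml).find(".//saml:Subject/saml:NameID", NS)
    value = (node.text or "").strip() if node is not None else ""
    if not value:
        return ["nameid-missing"]

    findings = []
    # An absent Format attribute is treated as unspecified.
    if node.get("Format", UNSPECIFIED) != UNSPECIFIED:
        findings.append("format-not-unspecified")

    if value in sf_usernames:
        return findings
    folded = {u.casefold() for u in sf_usernames}
    if value.casefold() in folded:
        # Same username apart from letter case: only a problem while
        # username case sensitivity is still switched on.
        if case_sensitive:
            findings.append("case-mismatch")
    else:
        findings.append("not-a-username")
    return findings


if __name__ == "__main__":
    users = {"jdoe", "asmith"}
    samples = [("email", SAMPLE_EMAIL), ("case", SAMPLE_CASE), ("good", SAMPLE_GOOD)]
    for name, xml in samples:
        print(name, check_nameid(xml, users))
```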


FAQ (Frequently Asked Questions)

  1. How to implement partial SSO using IAS?

    When using IAS, the partial SSO configuration will be set in IAS side. To do it, please refer to the KBA 2954556 - How to implement Partial SSO after Identity Authentication implementation on SuccessFactors - SAP for Me regarding conditional authentication.

  2. Are there any post-refresh activities to perform in an instance with IAS?
    Note: For upgrades run post 2H 2022 release, the below concerning IPSADMIN are no longer relevant. The IPS to SF connection is certificate based now (mTLS authentication), and the IPSADMIN user is no longer created in SF by the upgrade process.


    Instance refreshes copy all users and their permissions from source to target, which overwrites the IPSADMIN user created in the target for the IPS sync of users. Some actions might be required. Refer to 2954491 - IAS Integration Upgrade post refresh issue.

  3. When and how should SuccessFactors customers implement IAS?

    For new tenants created after December 9th 2022, IAS is automatically deployed as announced in the following community thread: Identity Authentication Services (IAS) -automatically deployed starting 9th of December 2022.

    Refer to 3097769 IAS / IPS - Is IAS implementation mandatory for all SuccessFactors customers?

  4. Receiving "Invalid S-User. Enter the correct S-User for this company" error message when entering S-user credentials for IAS upgrade.

    This can be seen for several reasons. Please check KBA 2944990 IAS Upgrade error when validating S-User credentials for further details.

  5. Error when testing the Identity Authentication Service (IAS) Migration in the Activate upgrade.

    In the last step of the process, before your system allows you to activate your migration, you will be asked to test your configuration. If your configuration passes, you are prompted to activate your IAS migration. In case you face issues, please review the KBA 2908705 BizX Test Tool for SAP Identity Authentication Service (IAS) Migration – Platform.

  6. IAS upgrades are not available in the Upgrade Center.

    For the list of all current known limitations, please follow the SAP SuccessFactors Community link below:


  7. How to change the IAS & IPS mapping for a BizX instance?

    Use the Change SuccessFactors Identity Authentication Service Integration. This allows customers who have already completed the IAS integration once to change the IAS/IPS mapping for their BizX tenant. Refer to 3089598 How to change existing IAS & IPS mapping for a BizX instance - SuccessFactors Platform.

  8. Upgrade is marked as 'Completed' in Upgrade Center, but neither the tenants were created nor the emails were received.

    Please check this KBA for further actions: 2843423 - IAS via Upgrade Center | No tenants created nor credentials email received after running the "Create/Initiate [...]" task.

  9. The upgrade in Upgrade Center does not show desired IAS tenant as an option or "Create New Tenant" option is disabled or grayed out.

    Please check this KBA for further actions: 3084273 - How to allow SuccessFactors and IAS integration across regions and/or tenant type.

  10. How does the welcome email work when IAS is enabled?

    The Welcome email from Email Notifications Template is no longer needed. Welcome/Activation e-mails are turned on in the transformation of the Identity Provisioning for Identity Authentication target system. Find more details in 3321943 SuccessFactors Welcome email when IAS is enabled.

  11. How to start the IPS job to provision users from SF to IAS?

    Refer to 3251905 How to manually set up IPS for user provisioning from SuccessFactors to IAS.

  12. How to configure the IAS/IPS tenants when two SF instances are mapped to them?

    Refer to 2954815 Configuring IAS and IPS when two SuccessFactors instances are mapped to one IAS tenant - People Analytics.

  13. When starting the IAS in upgrade center, it is not showing all the tenants that the customer has.

    Cause 1: For "Preview" SuccessFactors instances, only "Non-Productive" IAS tenants will be available for choice in Upgrade Center. For "Productive" SuccessFactors instances, only "Productive" IAS tenants will be available for choice in Upgrade Center.

    Cause 2: For both Preview and Productive SuccessFactors instances, only IAS tenants in the same region will be available for choice. See KBA 3084273 - Warning message during SF-IAS Initial upgrade - IAS is not in the same region as your SAP SuccessFactors tenant.

    Cause 3: If the IAS tenant that does not show is already added as an Asserting Party in SSO settings for the BizX system, it will not show up for selection in the Upgrade.

    Cause 4: The concerned IAS tenant and the BizX tenant are mapped to different customer ids.

    Please check KBA 3086919 Not all IAS tenants available to be chosen during Initiate or Change IAS Upgrade for further details and resolution path.

See Also

  • Setting Up SuccessFactors with SAP Cloud Platform Identity Authentication Services
  • KB article 2796199 - Failed to generate Response Bean when we try to Create SuccessFactors Identity Authentication Service Integration from the Upgrade Center
  • KB article 2823816 - Responsibilities of IAS and PLT teams for case Handling when IAS Tenant is the Identity Provider for SSO Connection
  • KB article 2843423 - IAS Upgrade via Upgrade Center is Not Working
  • KB article 2877303 - Quick Guide to Enable People Analytics Embedded edition
  • KB article 2954491 - IAS Integration Upgrade post refresh issue


Product

SAP SuccessFactors HCM suite all versions

Attachments

2791410-proxydatacreationKBA.png
IAS Setup Guide - New Instances.docx
IAS Setup Guide - Existing Instances.docx