SAP Knowledge Base Article - Public

2791410 - Integrating SuccessFactors with Identity Authentication through the Upgrade Center


  • How to create SuccessFactors Identity Authentication Service Integration;
  • How to create IAS and IPS tenants for SuccessFactors integration;
  • How to set up IAS and IPS with SuccessFactors;

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.


  • SAP SuccessFactors HXM Suite
  • Identity Authentication
  • Identity Provisioning


IAS-SF Architecture for KBA.PNG


  • Before performing this implementation, note that it requires manual implementation on different systems; it is not a simple upgrade done only in Upgrade Center
  • We require and strongly advise you to review the following content:
    • The Admin Guide for this feature, in which there are multiple optional steps you might need to follow for your business case
      • If you prefer, you can access the PDF version HERE
      • Overview of the features and their implementation
      • How-to videos explaining actions you need to do. (It's advised to view ALL, especially this one.)
      • A link for Office Hours with an expert where you can raise questions and hear what other customers are asking
      • Receive updates on what is and is not supported

  • This activity can only be accomplished by an SAP S-User. Contact your system administrator for help in case you do not have an S-User
  • Until the 2011 release, each customer was allowed only two IAS tenants by default (one production instance and another preview).
    • Customers that already upgraded using only 2 IAS tenants can change the IAS mapping through "Change SuccessFactors Identity Authentication Service Integration";
    • After the 2011 release, customers have the option to select which IAS tenant to use (or to use a new one), and we recommend mapping 1 IAS to each SF instance, for simpler implementation;
      • Production and Test instances are not supposed to be integrated together, and for that reason the upgrade does not allow it, so we strongly recommend against any mapping that mixes a production instance with any test environment;
  • This upgrade will disable Partial SSO; your PWD users will need to log in through a different URL, and an IAS feature needs to be enabled for them;

1. How to Create Integration Settings

To create the settings and IAS and IPS tenants, you need to follow the steps below:


  • Have the customer S-User credentials (Partner S-Users are not allowed to trigger the upgrade);
  • (Only if you already have an IAS tenant; you will find out whether you have one at step 1.7) Have your IAS tenant URL and access to that tenant;
    • You can self check and confirm your existing IAS tenants and their administrators on
      • Existing IAS administrators are the only ones responsible for adding additional administrators to IAS tenants.
      • If no one has access to the IAS tenant (for example all admins on the above page left the company), request access through an incident to BC-IAM-IDS before the implementation.


  1. Go to Admin Center
  2. Open the Upgrade Center
  3. Search for the upgrade Initiate the SAP Cloud Identity Services Identity Authentication Service Integration and click Learn More & Upgrade Now;
    • Note: If you don't find the upgrade and it is not under the Completed Upgrades, your upgrade is likely under the View Saved for Later Items;

Initiate upgrade.png

  4. Click Upgrade Now;
  5. A popup requesting an S-User and password will appear.
  6. Enter your S-User credentials, the same ones used in the support portal to open incidents for the instance;
    • If you face any issues or errors when authenticating your S-User credentials, refer to KBA 2944990 for the common issues and their solutions on this step;
  7. A pop-up will appear for you to select the IAS tenant to integrate with (as in the screenshot below). Choose the tenant accordingly or create a new one (this is an architecture decision on the customer side). If your existing IAS tenants are not visible at this step, open a ticket on the component LOD-SF-PLT-IAS.

IAS pop up.PNG

    • If you want to use an existing IAS tenant from the list and you do not have access to the IAS tenant Administration Console:
      • You can self check and confirm your existing IAS tenants and their administrators on
        • Existing IAS administrators are the only ones responsible for adding additional administrators to IAS tenants.
        • If no one has access to the IAS tenant (for example all admins on the above page left the company), create a support incident on component BC-IAM-IDS (select Cloud platform as the product to be able to select this component) to request access, after checking internally whether another team is using that tenant;
    • If you click on Submit and face a warning message stating "The SAP Cloud Platform Identity Authentication Service tenant you've chosen for this upgrade is not in the same region as your SAP SuccessFactors tenant. Are you sure you want to continue?" and you want this warning to be removed, check KBA 3084273 - Warning message during SF-IAS Initial upgrade - IAS is not in the same region as your SAP SuccessFactors tenant;
    • You can choose to share IAS tenants between different SuccessFactors tenants or choose a 1-1 approach. Both approaches work and are supported; the choice is a customer decision, as each has its challenges:
      • With 1 IAS - 1 SF:
        • You will have more IAS tenants to administer;
        • More applications need to be created on your corporate IdP;
        • But it makes user management on IAS easier and requires fewer customizations on IPS later on;
      • For shared IAS tenants, you have to take care of some user management aspects between the instances, such as:
        • Users need to be matched between instances or be completely different. A user with one email in one instance and a different email in another instance might see sync issues.
        • You will need to adjust the transformation rules to sync a unique user ID (UUID) to different custom attributes on the second step;
    • If Request New Tenant is selected, a new IAS tenant (free of cost) will be created and used for the SuccessFactors integration. The tenant ID will be a random ID automatically generated by the system.
  8. Click Request New Tenant or Submit to initiate the integration process, depending on whether you are creating a new tenant or using an existing one;
  9. The process can take over 2 hours to be completed;
    • If you did not have an IPS before the upgrade, you will know it is completed when you receive an email with your IPS information (access will be with your S-User credentials);
    • If you already have an IPS, you can check the setup under Source; once a new Source and Target have been created for your SF and IAS tenants, the process is completed;

2. Complete IAS and IPS configuration


  • Have completed the previous steps;
  • You need to have Admin access to both your IPS and IAS tenants (if you did not have the tenants before the previous steps, you should receive an email with the credentials);
    • If you need help to get the IAS or IPS credentials to access:
      • You can self check and confirm your existing IAS and IPS tenants and their administrators on
        • Existing IAS/IPS administrators are the only ones responsible to add additional administrators to IAS/IPS tenants.
        • If no one has access to the IAS/IPS tenant (for example all admins on the above page left the company), request access through an incident to BC-IAM-IDS for IAS, or BC-IAM-IPS for IPS.
  • Have already read the Admin Guide, as multiple configurations in these steps are optional and defined by business case;
  • This step is about getting your users set up in the IAS tenant and integrating IAS with your corporate SSO (if applicable)


  1. On SuccessFactors, grant API permissions and the employee export permission to the IPSADMIN user, as described in the guide's section Setting Up an API User for Sync Jobs;
    • The user needs the permissions below, with everyone as the target population:
      • Manage Users -> Employee Export;
      • Manage Users -> User Account OData entity;
      • Manage Integration Tools -> Allow Admin to Access OData API through Basic Authentication;
  1. On SuccessFactors, set up API Exception Login for the IPS IP addresses in Password & Login Policy Settings, as described in the guide section Setting Up an API User for Sync Jobs. Any region not covered in that guide section can be found in the IPS Help guide here-> Regional Availability - SAP Help Portal
    • The IP addresses provided in the guide are in a different format from the one SuccessFactors requires, and need to be converted using any commonly available tool.
    • If you are not aware of the region of your IPS tenant, you can check on the tenant itself in the Support section (tool icon in the bottom left corner, as in the screenshot below);

Region host.png 
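For the format conversion mentioned in the step above, the following added example (not from the guide or from SAP) converts a list of CIDR blocks into start-end ranges and counts the addresses each range admits, which is worth reviewing before allowing them for API login. It assumes the guide lists CIDR blocks and the SuccessFactors field takes ranges; the sample addresses are constructed documentation ranges and `MAX_ADDRESSES` is an arbitrary review threshold.

```python
import ipaddress

# Constructed sample using documentation-only ranges (RFC 5737), not real
# IPS addresses. Copy the real entries for your region from the guide.
SAMPLE_GUIDE_ENTRIES = ["192.0.2.0/27", "192.0.2.32/27",
                        "198.51.100.14", "203.0.113.8/30"]

# Assumption: an arbitrary ceiling so that a typo such as /8 instead of /28
# is caught before it reaches the login exception list.
MAX_ADDRESSES = 1024


def to_ranges(entries):
    """Return merged (first_ip, last_ip, address_count) tuples.

    strict=True rejects entries with host bits set (e.g. 192.0.2.5/27),
    which usually indicates a copy or typing mistake.
    """
    spans = []
    for entry in entries:
        net = ipaddress.IPv4Network(entry.strip(), strict=True)
        spans.append((int(net.network_address), int(net.broadcast_address)))
    merged = []
    for start, end in sorted(spans):
        # Merge overlapping or directly adjacent spans into one range.
        if merged and start <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return [(str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(e)),
             e - s + 1) for s, e in merged]


def format_ranges(entries, max_addresses=MAX_ADDRESSES):
    """Format ranges as 'first-last' strings (assumed target format)."""
    ranges = to_ranges(entries)
    total = sum(count for _, _, count in ranges)
    if total > max_addresses:
        raise ValueError(f"{total} addresses would be allowed; review input")
    return [first if count == 1 else f"{first}-{last}"
            for first, last, count in ranges]


if __name__ == "__main__":
    for line in format_ranges(SAMPLE_GUIDE_ENTRIES):
        print(line)
```
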

  1. On SuccessFactors, reset the IPSADMIN password and take note of it for the later setup on IPS;
  2. On IPS, update the password field for SuccessFactors as a source system, as referred to in step 6.1, with the password from the step above;
  3. On IPS, update the sf.user.filter field, which is a filter of the users that IPS will read from SuccessFactors;
    • When created, this field comes with the value status eq 'active' and username in 'sf_username1_placeholder','sf_username2_placeholder';
    • This means that only active users that are on the list will be synced (sf_username1_placeholder and sf_username2_placeholder)
    • You need to change the filter to sync usernames that exist on your instance as a test;
    • To sync all users and move forward with the implementation, the filter should be only status eq 'active'.
  4. (Optional) You can change your IPS transformation rules if your requirements call for it; refer to Section 5 Configure Transformations in Identity Provisioning in the guide (implementation decision by customer);
    • Note: In the source system (SuccessFactors) all users must have unique emails to avoid provisioning issues (email must be unique on IAS and later on SAC/People Analytics);
    • If you need to have the same emails on SuccessFactors, refer to section 5.1 Remove Dummy Emails Transformation in the guide;
    • If you want users to receive email notifications when they are created in Identity Authentication, you need to enable the SendMail transformation code as per the Define SendMail Transformation guide;
  5. Schedule the IPS sync job as described in Section 7.2 Running and Scheduling Jobs (User Sync);
  6. Confirm that the IPS sync job is running successfully on IPS;
    1. Log in to your IPS;
    2. Go to Job Logs;
    3. Click the last execution of the job;
    4. Confirm that the job is reading the users, and check whether it is facing any issue writing users to IAS;
  7. Login to your IAS tenant;
  8. Confirm if the users on your IAS match the number of users that you have on SuccessFactors;
    • IAS will only have active users;
    • Users that have a duplicated email will not be created on IAS (unless there was a change to the transformation rules), so it may be expected that not all users are on IAS;
    • IAS will likely have Admin users that will only exist on IAS;
  9. (Optional) Set up a corporate SSO integrated with IAS;
    • Follow Section 9 Configure Single Sign-On in Admin Center in the guide; there is a video you can follow that shows how to do it;
    • IMPORTANT: This will also require that you set up a new application on your Corporate IdP (SSO) using metadata exported from IAS;
    • IMPORTANT: Make sure your IdP uses the NameID format Unspecified for IAS and sends a NameID that matches the SuccessFactors username;
  10. (Optional) If you had Partial SSO and you have non-SSO users that will need to log in with user and password, you need to implement the feature described in KBA 2954556;
    • Your PWD users will log in directly into an IAS URL;
  11. (Optional) Apply any settings from Section 6 Identity Authentication Service Administration Console Tasks in the guide, depending on your specific requirements;
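
The user-count check in the steps above can be done per user rather than by total. The following added example (not from the guide or from SAP) compares a SuccessFactors user export with the list of IAS users and sorts the differences into the cases the bullets describe. The column names, the sample data, the rule that the IAS login name equals the SuccessFactors username, and the case-insensitive email comparison are assumptions of this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. Column names are assumptions for this example;
# map them to the headers of your own exports.
SF_EXPORT = """username,status,email
asmith,active,a.smith@example.com
bjones,active,shared.mailbox@example.com
cwu,active,Shared.Mailbox@example.com
dlee,inactive,d.lee@example.com
epatel,active,e.patel@example.com
"""
IAS_LOGINS = ["asmith", "dlee", "ias.admin"]


def reconcile(sf_csv, ias_logins):
    """Classify differences between the SF export and the IAS user list."""
    rows = list(csv.DictReader(io.StringIO(sf_csv)))
    # Only active users are expected in IAS (filter: status eq 'active').
    active = {r["username"]: r["email"].strip().lower()
              for r in rows if r["status"].strip().lower() == "active"}
    inactive = {r["username"] for r in rows} - set(active)

    # Group active users by email to find addresses used more than once.
    by_email = defaultdict(list)
    for user, email in active.items():
        by_email[email].append(user)
    dup_users = {u for users in by_email.values() if len(users) > 1
                 for u in users}

    ias = set(ias_logins)
    missing = set(active) - ias
    return {
        "active_in_sf": len(active),
        # Expected gap: duplicated emails are not created in IAS.
        "missing_duplicate_email": sorted(missing & dup_users),
        # Unexpected gap: check the job log for write errors.
        "missing_unexplained": sorted(missing - dup_users),
        # IAS should hold only active users, so review these accounts.
        "inactive_in_sf_but_in_ias": sorted(ias & inactive),
        # Typically administrators that exist only in IAS.
        "only_in_ias": sorted(ias - set(active) - inactive),
    }


if __name__ == "__main__":
    for key, value in reconcile(SF_EXPORT, IAS_LOGINS).items():
        print(f"{key}: {value}")
```
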

3. Enable SAP SuccessFactors to SAP Cloud Platform IAS Integration


  • Your SAP SuccessFactors system is integrated with the SAP Cloud Platform Identity Authentication service by completing the previous steps successfully
  • You have successfully configured Identity Authentication to meet your requirements and are ready to begin using it to authenticate users in your system
  • You have confirmed that the user sync between SAP SuccessFactors and Identity Authentication is successful


  1. Go to Admin Center
  2. Access Upgrade Center
  3. Find the upgrade Activate SuccessFactors Identity Authentication Service Integration;
  4. Click Learn More & Upgrade Now
  5. Click Upgrade Now;
  6. Click Confirm;
  7. Click Test Now;
    • IMPORTANT: Make sure you are logged out of the IAS Administration Console in the browser where you are doing this task, so that the test does not pick up your active Admin session.
  8. A new tab will open with a link to test your integration, which will redirect to the authentication process you will have after IAS activation;
    • The URL opened will have this format: <IAS URL>/saml2/idp/sso?sp=<SuccessFactors Entity ID>/<your company ID>&RelayState=verification
    • This will simulate your login through IAS without activating it, and if the authentication process is successful, it will allow you to activate the IAS integration;
  9. You will be redirected to IAS to authenticate (IAS might redirect you to your corporate IdP depending on your implementation in section 2);
  10. Log in to the instance;
  11. You will receive a Success message; then come back to Upgrade Center on the other tab;
    • If you receive a failure message or do not get correctly redirected, this means that you have some configuration issue that is impacting your IAS authentication.
    • Review KBA 2954188 on IAS login issues and correct the configuration or complete any step missed;
  12. You can now move forward and activate the IAS integration;
  13. After this, your instance will be integrated with IAS and your users will be redirected to log in through IAS;
  14. If you face any login issue after running this upgrade, refer to KBA 2954188 before opening an incident with Support;

Cautions and points to be aware of before attempting the upgrades:

  • You cannot undo this upgrade after it is completed;
  • For non-SSO enabled instances, performing the integration upgrade will automatically turn the SSO on with IAS as your SSO;
  • For SSO-enabled instances, another asserting party for IAS will be created, while the others will be disabled, as will Partial SSO;
  • Non-Paid Demo instances aren't supported for IAS upgrade;
    • For Paid Salesdemo instances (with company ID starting with SFCPART) the process is supported and should work.
  • Note that OData API access will not be impacted by IAS implementation.
  • Note that any Login page customization, password recovery and SSO integration after this implementation will be under IAS product scope, set up on IAS and supported by IAS support under component BC-IAM-IDS.

See Also


IAS integration with SF, BizX integration with IAS,  SF integration with IAS, SuccessFactors IAS,  SSO integration with IAS , KBA , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , LOD-SF-PLT , Platform Foundational Capabilities , BC-IAM-IDS , Identity Authentication Service , How To


SAP SuccessFactors HXM Suite all versions


IAS Setup Guide - New Instances.docx
IAS Setup Guide - Existing Instances.docx