- Feature upgrade failed / Upgrade Center task for People Analytics Embedded Edition fails stating IAS is not enabled
- SAP Identity Authentication Service (IAS) is not configured in your tenant
- What are the items / configuration checked by Upgrade center to confirm if IAS is enabled in an instance?
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
SAP SuccessFactors HXM Suite
Reproducing the Issue
For People Analytics:
- Ensure IAS is enabled and configured in the instance
- Navigate to Upgrade Center and perform the People Analytics Embedded Edition upgrade
- The job fails after after a few seconds with the following message:
'SAP Identity Authentication Service (IAS) is not configured in your tenant'
The below items also checked by the system to confirm if IAS is enabled.
Lack of one or more of the items will result in an IAS pre-check failure.
Note: The below configurations are available in Provisioning under 'Single Sign-On (SSO) Settings' and 'Company settings'
If you are facing this issue, engage with your partner to check and correct the settings (this might be result of an implementation issue). In case you do not have a partner, raise an incident to LOD-SF-ANA-SAC.
- Check If IAS upgrades were completed: Check if on instance provisioning -> 'Company Settings' on the section 'Features upgraded using Upgrade Center' (you can also check on Admin Center -> Upgrade Center -> Recently Completed Upgrades) if the upgrade 'Initiate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration' and 'Activated SuccessFactors SAP Cloud Platform Identity Authentication Service Integration' are shown there.
IMPORTANT NOTE: If your instance was subject of a refresh after the upgrade, you might need to have support engaged to correct the upgrade status to reflect the IAS implementation as completed. You can refer to this KBA https://launchpad.support.sap.com/#/notes/2954491
- SSO needs to be enabled.
Resolution: You need to enable the SSO and with the the IAS. There is other steps that you need to make sure before this as if the next checks that follow below. Only do this manually if the upgrades above were already performed and your SSO was manually disabled for some reason after the upgrades.
- Saml2 V2 (SAML v2 SSO) needs to be enabled
- IAS has to be the only Enabled IDP / Asserting Party (SAML Asserting Parties(IdP))
More than one Asserting party can exist but only IAS should be Enabled. (Enable SAML Flag is enabled) Others should be Disabled.
You can identify the IAS assertion party by opening the URL on Issuer field on a new tab and it loading IAS login page. The standard IAS URL will end on ondemand.com or sapcloud.cn, but we can have exception.
Resolution: If IAS is disabled, you need to enable it. If other assertions (that are not IAS) are enabled, you need to disable them. Note that the Activate upgrade does exactly this, disable non-IAS assertions and enables IAS, but we had some customers/partners that have manually other assertions, but it is not supported for People Analytics and should not be done. (You can integrate your Corporate IdPs with SF having IAS in between)
- SAP IAS integration flag should be enabled under SAML v2: SAP IAS integration:
Resolution: You need to enable the SAP IAS Integration Flag, note that the flag will allowed to be enabled if there is only the IAS assertion enabled and Partial SSO is disabled.
- SAML v2 : SP-initiated login
- Enable sp initiated login (AuthnRequest) should be set to 'Yes'
- Default issuer should be enabled
- Single sign on redirect service location (to be profvided by idp) should be set to your IAS URL on format https://<IAS URL>/saml2/idp/sso/<IAS URL>
- Send request as Company-Wide issuer should be set to 'Yes'
Resolution: You will need to implement the SP-Initiated for IAS as referred on the above.
- Partial Organization SSO should be Disabled
As the warning says, this option should anyway be disabled if IAS is implemented. If you require to have user accessing via PWD, you will need to have those users authenticating on IAS, please refer to this KBA on how to have Password users on IAS https://launchpad.support.sap.com/#/notes/2954556
Resolution: You need to disable the Partial SSO on the instance and instead use a different solution implemented on IAS that is referred on the above KBA.
IAS, SSO, Enabled, Failed, prerequisite, pre-requisite, precheck, pre-check, despite, incorrect, error, checklist, missing, disabled, upgrade, PAEE, SAC, SuccessFactors, Upgrade, Admin, Center, task, SAP, Identity, Authentication, Service , KBA , LOD-SF-ANA-SAC-ADM , Admin - IAS, IPS, Instance Sync/Refresh, Upgrade , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , How To