Symptom
- Feature upgrade failed / Upgrade Center task for People Analytics Embedded Edition fails stating IAS is not enabled
- SAP Identity Authentication Service (IAS) is not configured in your tenant
- What are the items / configuration checked by Upgrade center to confirm if IAS is enabled in an instance?
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
Environment
SAP SuccessFactors HXM Suite
Reproducing the Issue
For People Analytics:
- Ensure IAS is enabled and configured in the instance
- Navigate to Upgrade Center
- Perform the People Analytics Embedded Edition upgrade
- The upgrade fails after after a few seconds and the following error shows up "The upgrade task for Stories in People Analytics has failed because of the following SAP Identity Authentication Service related single sign-on settings in provisioning" with one or more of reasons:
- Single sign-on is not enabled.
- Multiple asserting parties are configured for SAP SuccessFactors HXM Suite.
- The Service Provider (SP) initiated login is not enabled.
- The Security Assertion Markup Language (SAML) flag is not enabled.
- The SAP Identity Authentication Service Integration flag is not enabled.
- The "Send request as Company-Wide issuer" flag is not enabled.
- The default issuer flag is not enabled.
- The "SAML Asserting Party Name" field is not configured.
- The "SAML Issuer" field is not configured.
Resolution
The below items also checked by the system to confirm if IAS is enabled.
Lack of one or more of the items will result in an IAS pre-check failure.
Note: The below configurations are available in Provisioning under 'Single Sign-On (SSO) Settings' and 'Company settings'
If you are facing this issue, engage with your partner to check and correct the settings (this might be result of an implementation issue). In case you do not have a partner, raise a case to LOD-SF-ANA-SAC.
- Check If IAS upgrades were completed:
For partners: Check if on instance provisioning -> 'Company Settings' on the section 'Features upgraded using Upgrade Center'
For Customers: Admin Center -> Upgrade Center -> Recently Completed UpgradesPlease make sure if upgrades 'Initiate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration' and 'Activated SuccessFactors SAP Cloud Platform Identity Authentication Service Integration' are shown there.
Resolution: If either Initiate or Activate upgrade is not completed, please follow KBA 2791410 - Integrating SuccessFactors with Identity Authentication IAS through the Upgrade Center.
IMPORTANT NOTE: If your instance was subject of a refresh after the upgrade, you might need to have support engaged to correct the upgrade status to reflect the IAS implementation as completed.
You refer to KBA 2954491 - IAS Integration Upgrade post refresh issue. - SSO needs to be enabled.
IMPORTANT NOTE: SSO must be enabled initially by the mentioned upgrades in #1.
Please only enable SSO manually if it was disabled manually earlier. - Saml2 V2 (SAML v2 SSO) needs to be enabled
- IAS has to be the only Enabled IDP / Asserting Party - SAML Asserting Parties(IdP)
More than one Asserting party can exist but only IAS should be Enabled.
This is indicated by “Enable SAML Flag” is being enabled.
For the other SAML Asserting Parties, this flag must be Disabled.
You can identify the IAS assertion party by opening the URL on Issuer field on a new tab and it loading IAS login page.
The standard IAS URL will end on ondemand.com or sapcloud.cn, but we can have exception.
This action is being performed by Activate upgrade, disable non-IAS assertions, and enables IAS.
(You can integrate your Corporate IdPs with SF having IAS in between)
Please avoid updating “Enable SAML Flag” manually.
If SAML Asserting Party of IAS has not got enabled by please submit a support case LOD-SF-PLT-IAS.
NOTE: The Story upgrade will fail if there is a custom IAS host URL set in "SAML Issuer". Please check the KBA 3508274 - SAP IAS integration flag should be enabled under SAML v2: SAP IAS integration:
IMPORTANT NOTE: SAP IAS Integration Flag can be only enabled if IAS assertion enabled and Partial SSO is disabled. - SAML v2 : SP-initiated login
Please make sure to have the following settings:
- Enable sp initiated login (AuthnRequest) should be set to 'Yes'
- Default issuer should be enabled
- Single sign on redirect service location (to be profvided by idp) should be set to your IAS URL on format https://<IAS URL>/saml2/idp/sso/<IAS URL>
- Send request as Company-Wide issuer should be set to 'Yes'
Resolution: You will need to implement the SP-Initiated for IAS as referred on the above. - Partial Organization SSO
Partial Organization SSO should be disabled if IAS is implemented.
If PWD login method is also required, that solution must be done vie IAS.
In order to implement partial SSO via IAS, please refer KBA 2954556 - How to implement Partial SSO after Identity Authentication IAS upgrade on SuccessFactors
See Also
Keywords
IAS, SSO, Enabled, Failed, prerequisite, pre-requisite, precheck, pre-check, despite, incorrect, error, checklist, missing, disabled, upgrade, PAEE, SAC, SuccessFactors, Upgrade, Admin, Center, task, SAP, Identity, Authentication, Service, Story, stories, SAML, Single Sign On, automatically, logged on, remote, data source , KBA , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , LOD-SF-ANA-SAC-ADM , SF Admin configurations (Security Center, Provisioning) , How To
Product
Attachments
Pasted image.png |
Pasted image.png |