SAP Knowledge Base Article - Public

2988807 - SAP Cloud Platform Integration: IP address change impact on SuccessFactors application

Symptom

SAP Cloud Platform Integration: IP address change impact on SuccessFactors application

Environment

SAP Cloud Platform Integration

SAP SuccessFactors API

Resolution

SAP CPI performs frequent IP address upgrade due to security reasons.

This would also impact those SuccessFactors Customers who are consuming SuccessFactors APIs(SFAPI/ODATA API) and IP restriction for API user is maintained under Admin Center-> Password & Login policy Settings->Set API login exception.

If you have not enabled any IP restriction as above, there would not be any impact.

Also, if whole range of CPI is not under the allow list correctly, Integration with SuccessFactors application might fail with below error message:

[LGN0013]Authentication failed. We have prevented an attempted login from unauthorized ip: XXX.XXX.XXX.XX to company ID: XXXX with username: XXXX

How to validate if CPI IP range has been added into allow list correctly?

  1. Check region in your CPI tenant URL.
    Example:https://xxxx-tmn.hci.int.sap.eu2.hana.ondemand.com/itspaces/
    Here you see that region is eu2
  2. Go to CPI guide Regions in the Neo Environment and check the IP range for region
    Example: For eu2, range documented in CPI document is 157.133.70.0/24, 157.133.204.0/24, 157.133.205.0/24 and 157.133.206.0/24
  3. As mentioned in KBA 2698088 - Add into allow list IP Address Ranges for Cloud Platform Integration Data Centers, you need to make sure you resolve each range and then maintain the resulted start IP and End IP address in SF.
    Example: For IP range mentioned above in my example, do not add into allow list 157.133.70.0-157.133.70.24, 157.133.204.0-157.133.204.24, 157.133.205.0-157.133.205.24, 157.133.206.0-157.133.206.24 because this is not correct range.
    You need to resolve each range individually using netmask lookup tool available online. For example, IP range for 157.133.70.0/24 would be 157.133.70.0-157.133.70.255 
    This needs to be done for all ranges for your region
  4. Once you get the range, follow steps mentioned in document Setting API Login Exceptions to add in the allow list of the IP addresses in  SuccessFactors.

Keywords

[LGN0013]Authentication failed, Password & Login policy Settings, Set API login exception. IP allow list, API , KBA , LOD-SF-INT-CPI , Standard SF to 3rd Party CPI (HCI) Content , Problem

Product

SAP SuccessFactors HCM suite all versions