SAP Knowledge Base Article - Public

3204536 - [Onboarding] Setting up Identity Authentication Service (IAS) for Onboarding External Users

Symptom

As an SAP SuccessFactors administrator, configure SAP Identity Authentication Service (IAS) to authenticate external users.

Environment

SAP SuccessFactors Onboarding

Resolution

IAS

Prerequisites

Note: This feature is available only to customers who are part of the early adoption program.

In HXM Suite:

  • Disable the Single Sign On (SSO)Partial Organization SSO option in provisioning.
  • Disable the following templates in Email Services Actual Name:
  1. Template: (ONB) External User Welcome Message Template rehire welcome message
  2. Template: (ONB) Rehire User Welcome Message Template

Note: If you do not disable the welcome email template, the Onboarding new hire will receive two welcome e-mails, one from HXM Suite and one from IAS.

  • The SAP Identity Provisioning filter for external hires is configured in the Identity Provisioning Service (IPS) source system.
  • In the Identity Authentication Service (IAS) target system:
  1. Employee authentication is configured in your existing SAP Identity Authentication Service (IAS) configuration.
  2. There is no existing account in SAP Identity Authentication Service with the e-mail address or username of the external user.
  3. Enable Identity Provisioning Service filter to include Onboarding new hires in job sync.
  • Account Activation Email templates for Onboarding new hires in Identity Authentication Service (IAS) is configured.
  • Configure the home URL for the SAP SuccessFactors application. Refer to the Configure an Application's Home URL in the Related Links section.
  • Ensure you've updated the (ONB) Start Onboarding process Template to reflect the user name and account activation related instructions. Ensure you’ve activated your account first using the account activation email received from our system. If you’ve not received any account activation email, please contact your admin.
  • Template content to be updated for all supported languages.

Context

Identity Authentication Service (IAS) authenticates provisioned users. To enable Onboarding new hire authentication in IAS, you must complete the following:

  • Map the Onboarding Identity Provisioning Service (IPS) user type to Identity Authentication Service (IAS).
  • Configure Onboarding welcome email template in Identity Authentication Service (IAS)
  • Configure Identity Authentication Service (IAS) target system login behavior for Onboarding users.
  • Configure the home URL redirect for the SAP SuccessFactors application.

Note: Any Home page URL or link in the Onboarding email template should be updated, so that the template don’t have pm_product_name=ONB query parameter.

  • Ensure that the email tokens that have [[NewHireLoginUrl]] [[NewHireLoginUrlWithoutUserName]] [[LoginUrl]] are replaced with the hardcoded URL.

Related Links:

Mapping the Onboarding New Hire User Replication and User Type from Identity Provisioning Service to Identity Authentication Services

As an SAP SuccessFactors Identity Provisioning Service administrator, configure the Identity Provisioning Service (IPS) source system to sync with the Identity Authentication Service (IAS) target system.

Prerequisites

  • Verify that the SAP Identity Provisioning filter for external hires is configured in the Identity Provisioning Service (IPS) source system.
  • In the Identity Authentication Service (IAS) target system:
  1. Verify that employee authentication is configured in your existing SAP Identity Authentication Service (IAS) configuration.
  2. Verify that there are no existing account in SAP Identity Authentication Service with the e-mail address or username of the external user.

Context

  • Confirm that the Onboarding new hire user replication and user type mappings are correct in Identity Provisioning Services (IPS), by verifying that the active and active_external_suite statuses are included in the sf.user.filter filter properties.

Procedure

  • To verify that the active and active_external_suite statuses are included in the sf.user.filter Identity Provisioning Service filter property, go to IPS Administrationà Source SystemsàSF configurationàProperties and ensure you have the following properties configured in the filter status field:

    Name

    Value

    sf.user.filter

    Status in 'active','active_external_suite' and (personKeyNav/userAccountNav/userType in 'employee', 'onboardee')

    • To identify the type of the provisioned user (either employee or onboarding New Hire) in the source system, go to IPS AdministrationàSource SystemsàSF configurationàTransformation, update the JSON conditions for Employee and Onboarding new hire in the user mappings section:

    {

                    "condition": "($.status == 't') && ($.personKeyNav.userAccountNav.userType == 'employee')",

                    "constant": "employee",

                    "targetPath": "$.userType"

    },

    {

    "condition": "($.status == 'active_external_suite') && ($.personKeyNav.userAccountNav.userType == 'onboardee')",

                    "constant": "onboardee2.0",

                    "targetPath": "$.userType"

    },

    •  Update target system configuration. To map the Onboarding new hire user type in Identity Authentication Service (IAS) in the target system, go toIPS AdministrationàTarget SystemsàIAS configurationàTransformation and add this JSON fragment:

    {

                    "condition": "$.userType contains 'onboardee'",

                    "constant": "Public",

                    "targetPath": "$.userType"

    },

    • Right after this existing one:

    {

                    "sourcePath": "$.userType",

                    "optional": true,

                    "targetPath": "$.userType"

    },

    Result

    • The source Identity Provisioning Service (IPS) Onboarding new hire user type is mapped to the target Identity Authentication Service (IAS) user type.

    Next Step

    • Configure the email templates or login behaviors in Identity Authentication Service (IAS).

    Configuring Onboarding Welcome Email Template in Identity Authentication Service (IAS)

    As an SAP SuccessFactors administrator, configure the Onboarding welcome email template in Identity Authentication Services (IAS).

    Prerequisites

    • Employee authentication is configured in your existing Identity Authentication Service (IAS) configuration.
    • You've configured the SAP Identity Provisioning filter for external hires.
    • You've disabled the (HXM Suite) welcome email template for new hire and rehire in Onboarding to prevent two welcome emails from being sent to the new hire.

    Context

    • The Onboarding welcome email was previously sent from HXM Suite. You need to create a new welcome email template in IAS and configure the template for use in Onboarding.

    Procedure

    • To configure the On-Behalf Registration e-mail template set, go to IAS Administration Console (IPS Administrationà Target Systemsà IAS configuration and follow the instructions outlined in the Configuring Email Templates topic. For more information, refer to the Configuring E-Mail Templates link in the Related link section.
    • To specify the email template set that should be used for Onboarding, go to IPS AdministrationàTarget SystemsàIAS configurationàTransformation and add this fragment to the template:

    {

    "condition": "$.userType == 'onboardee2.0'",

    "constant": "c33e67c2-2c03-452f-86d7-7b40be5af9d4",

    "targetPath": "$.emailTemplateSetId",

    "scope": "createEntity"

    },

    Note: You can locate the value for the constant, by opening the corresponding welcome email template set in IAS Administration console Email Templates Sets SF ONB 2.0 On-Behalf Registration. Click on the template, then copy the value found in the URL after Template Sets.

    Result

    • The IAS welcome email template is configured to trigger when the IAS sync job adds the new hire to Identity Authentication Service (IAS).

    Next Steps

    • Configure the Identity Authentication Service target system login behavior for Onboarding users.

    Related Link

    Configuring Identity Authentication Service Target System Login Behavior for Onboarding Users

    As an SAP SuccessFactors Identity Authentication Service or Identity Provisioning Service administrator, configure the Identity Authentication Service target system to authenticate Employee and Onboarding new hire user types from the Identity Provisioning Service source system.

    Prerequisites

    • Employee authentication is configured in your existing Identity Authentication Service (IAS) configuration.
    • You've configured the SAP Identity Provisioning filter to include Onboarding new hires.
    • You've disabled the Onboarding welcome email template for new hire and rehire in HXM Suite.
    • You've configured the IAS Welcome email template to trigger when the new hire is added to Identity Authentication Service.

    Context

    • Map the Onboarding User behaviors from Identity Provisioning Service to the target system, Identity Authentication Service. The new hire receives an email with a link to verify their account and create a password.

    Procedure

    • To configure the Onboarding user type login behavior in the Identity Authentication Service target system, go to IPS Administrationà Target Systemsà IAS configurationà Transformation and add the following JSON conditions after the fragments:

    { "constant": "false", "targetPath": "$.sendMail", "scope": "createEntity" },

    { "condition": "$.userType == 'onboardee2.0'", "constant": "true", "targetPath": "$.sendMail", "scope": "createEntity" },

    { "constant": "true", "targetPath": "$.mailVerified", "scope": "createEntity" },

    { "condition": "$.userType == 'onboardee2.0'", "constant": "false", "targetPath": "$.mailVerified", "scope": "createEntity" },

    { "constant": "disabled", "targetPath": "$.passwordStatus", "scope": "createEntity" },

    { "condition": "$.userType == 'employee'", "constant": "enabled", "targetPath": "$.passwordStatus", "scope": "createEntity" }

    Note: the fragments in bold should be part of the default configuration provisioned by Upgrade procedure.

    Result

    • Employee and Onboarding new hire user type login behaviors are configured. The new hire welcome email is triggered. The new hire can click the link in the email to verify their email account (User ID) and create a password.

    Next Steps

    • Configure the home URL redirect after user activation.

    Configuring the Home URL Redirect after User Activation

    As an SAP SuccessFactors administrator, configure the home page URL redirect for the new hire email activation link:

    • Employee authentication is configured in your existing Identity Authentication Service (IAS) configuration.
    • You've configured the SAP Identity Provisioning filter for external hires.
    • You've disabled the Onboarding welcome email template for new hire and rehire in HXM Suite.
    • You've configured the IAS Welcome email template to trigger when the new hire is added to Identity Authentication Service.
    • You've configured the Identity Authentication Service target system to authenticate Employee and Onboarding new hire user types from the IPS source system.

    Context

    • Configure the URL address to redirect the new hire when they activate the link in their welcome email.

    Procedure

    • In IAS Administration Console, configure the home URL for the SAP SuccessFactors application. Fore more information on configuring the home URL, refer to Configure an Application's Home URL topic in the Related Links section.

    Note: For Home URL, we recommended that you use the SAP SuccessFactors application login URL with the company parameter (like https://qaautocand.hcm.ondemand.com/login?company=CompanyName)

    • Go to IPS Administrationà Target SystemsàIAS configurationà Transformation and add the following fragment:

    {

    "constant": "61de964c51a62f1c942c7293", "

    targetPath": "$.applicationId",

    "scope": "createEntity"

    }

    Note: The ID specified as value of the constant is found in the URL of the corresponding SF application in IAS Administration consoleApplications.

    Result:

    • The new hire is redirected to a URL that includes SAP SuccessFactors and the desired company details.

    NOTE: SAP IAS support for external users feature is only for customers who are part of the Early Adopter Care program for SAP SuccessFactors WorkZone.

    See Also

    Keywords

    IAS, IAS Configuration, Identity Authentication Service, Login Method , KBA , LOD-SF-OBX , Onboarding 2.0 , Problem

    Product

    SAP SuccessFactors Onboarding 2205