SAP Knowledge Base Article - Public

3204536 - How to Set Up Identity Authentication Service (IAS) for Onboarding External Users – Onboarding

Symptom

  • As an SAP SuccessFactors administrator, I would like to configure SAP Identity Authentication Service (IAS) to authenticate external users.
  • I would like to configure IAS/IPS to sync external users - Onboarding.
  • I want to ensure that the Welcome email to Onboarding users is configured and triggered through IAS.

Environment

SAP SuccessFactors HXM Suite

SAP SuccessFactors Onboarding

Identity Authentication Service IAS

Resolution

[Section 1]: Enabling Onboarding new hire authentication in Identity Authentication Service (IAS)

Prerequisites

In HXM Suite:

  • Disable the Single Sign On (SSO) Partial Organization SSO option in Provisioning.
  • Disable the following templates in Email Services Actual Name:
    • Template: (ONB) External User Welcome Message Template rehire welcome message
    • Template: (ONB) Rehire User Welcome Message Template

Note: If you do not disable the welcome email template, the Onboarding new hire will receive two welcome e-mails, one from HXM Suite and one from IAS.

  • The SAP Identity Provisioning filter for external hires is configured in the Identity Provisioning Service (IPS) source system.
  • In the Identity Authentication Service (IAS) target system:
    • Employee authentication is configured in your existing SAP Identity Authentication Service (IAS) configuration.
    • There is no existing account in SAP Identity Authentication Service with the e-mail address or username of the external user.
    • Enable Identity Provisioning Service filter to include Onboarding new hires in job sync.
  • Account Activation Email templates for Onboarding new hires in Identity Authentication Service (IAS) are configured.
  • Configure the home URL for the SAP SuccessFactors application. Refer to the Configure an Application's Home URL in the Related Links section.
  • Ensure you've updated the (ONB) Start Onboarding process Template to reflect the user name and account activation related instructions, for example: "Ensure you've activated your account first using the account activation email received from our system. If you've not received any account activation email, please contact your admin."
  • Template content to be updated for all supported languages.

Context

Identity Authentication Service (IAS) authenticates provisioned users. To enable Onboarding new hire authentication in IAS, you must complete the following:

  1. Map the Onboarding Identity Provisioning Service (IPS) user type to Identity Authentication Service (IAS).
  2. Configure Onboarding welcome email template in Identity Authentication Service (IAS)
  3. Configure Identity Authentication Service (IAS) target system login behavior for Onboarding users.
  4. Configure the home URL redirect for the SAP SuccessFactors application. Note: Any Home page URL or link in the Onboarding email template should be updated so that the template does not contain the pm_product_name=ONB query parameter.
  5. Ensure that the email tokens that have [[NewHireLoginUrl]] [[NewHireLoginUrlWithoutUserName]] [[LoginUrl]] are replaced with the hardcoded URL.

See also: - Configure an Application's Home URL  
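Steps 4 and 5 can be checked mechanically before go-live. The following added example (not part of the original article or of any SAP tooling) scans template bodies for the three login tokens and for links that still carry pm_product_name=ONB; audit_template, audit_all, the sample bodies and the example.invalid host are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Tokens the article says must be replaced with a hardcoded URL (step 5).
LOGIN_TOKENS = ("[[NewHireLoginUrl]]", "[[NewHireLoginUrlWithoutUserName]]", "[[LoginUrl]]")
_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def audit_template(name, body):
    """Return (template, problem, evidence) tuples for one template body."""
    findings = []
    for token in LOGIN_TOKENS:
        if token in body:
            findings.append((name, "login token not replaced", token))
    for raw in _URL.findall(body):
        # HTML mail bodies escape '&' as '&amp;' inside href attributes.
        url = html.unescape(raw).rstrip(".,)")
        params = parse_qs(urlsplit(url).query, keep_blank_values=True)
        if "ONB" in params.get("pm_product_name", []):
            findings.append((name, "link carries pm_product_name=ONB", url))
    return findings


def audit_all(templates):
    """Audit a {name: body} mapping and return all findings in name order."""
    return [f for name in sorted(templates) for f in audit_template(name, templates[name])]


# Constructed sample bodies (not real SAP template text); example.invalid is a placeholder host.
SAMPLES = {
    "complete_paperwork": "Hello, sign in at [[NewHireLoginUrl]] to begin.",
    "start_onboarding": '<a href="https://example.invalid/login?company=CompanyName'
                        '&amp;pm_product_name=ONB">Start</a>',
    "fixed": "Sign in at https://example.invalid/login?company=CompanyName after activating.",
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLES):
        print(" | ".join(finding))
```

Run it over the exported body of every supported language variant, since the article requires the template content to be updated for all of them.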

 

[Section 2.1]: Mapping the Onboarding New Hire User Replication and User Type from Identity Provisioning Service (IPS) to Identity Authentication Services (IAS) using sf.api.version = 2 (aka SCIM API)  (Recommended approach)

As an SAP SuccessFactors Identity Provisioning Service administrator, configure the Identity Provisioning Service (IPS) source system to sync with the Identity Authentication Service (IAS) target system.

Prerequisites

  • Verify that the SAP Identity Provisioning filter for external hires is configured in the Identity Provisioning Service (IPS) source system.
  • In the Identity Authentication Service (IAS) target system:
    1. Verify that employee authentication is configured in your existing SAP Identity Authentication Service (IAS) configuration.
    2. Verify that there is no existing account in SAP Identity Authentication Service with the e-mail address or username of the external user.

Context

With the 2H 2022 release, the Onboarding-IAS integration provides Onboarding new hire authentication and user account management with the SAP IAS system using the System for Cross-domain Identity Management (SCIM) API.

Benefits of using SAP Identity Authentication Service for Onboarding New hires:

  • Pre-day 1 Onboarding Work zone integration
  • It provides a secure and centralized platform for managing user authentication and access control for both Onboarding New hires and Employees.
  • Seamless and consistent user experience across different applications and devices
  • By providing single sign-on capabilities, users can easily access the other cloud applications and resources they need without having to remember multiple usernames and passwords.
  • By integrating with IAS, you can enforce strong authentication methods such as multi-factor authentication and password policies.

Procedure

  • To verify that the active and active_external_suite statuses are included in the sf.user.filter Identity Provisioning Service filter property, go to IPS Administration > Source Systems > SF configuration > Properties and ensure you have the following properties configured in the filter status field:

    Name: sf.user.filter
    Value: active eq 'true'

      All steps are detailed in the reference: Onboarding New Hires Authentication using SAP Identity Authentication Service (IAS) | SAP Blogs 

      Result

      • The source Identity Provisioning Service (IPS) Onboarding new hire user type is mapped to the target Identity Authentication Service (IAS) user type.

       

      [Section 2.2]: Mapping the Onboarding New Hire User Replication and User Type from Identity Provisioning Service (IPS) to Identity Authentication Services (IAS) using OData connector (Check limitations below)

       

      As an SAP SuccessFactors Identity Provisioning Service administrator, configure the Identity Provisioning Service (IPS) source system to sync with the Identity Authentication Service (IAS) target system.

      Prerequisites

        • →  The same as Section #2.1

        Context

        • Confirm that the Onboarding new hire user replication and user type mappings are correct in Identity Provisioning Services (IPS), by verifying that the active and active_external_suite statuses are included in the sf.user.filter filter properties.

        Procedure

        • To verify that the active and active_external_suite statuses are included in the sf.user.filter Identity Provisioning Service filter property, go to IPS Administration > Source Systems > SF configuration > Properties and ensure you have the following properties configured in the filter status field:

          Name: sf.user.filter
          Value: status in 'active','active_external_suite' and (personKeyNav/userAccountNav/userType in 'employee', 'onboardee')

            Note: If you've set up basic authentication in IPS Properties to connect to the SF source system, remember to grant access to the Onboarding external user target population for the SF user being used (e.g., ipsadmin) in order to enable basic authentication.

              • To identify the type of the provisioned user (either employee or onboarding New Hire) in the source system, go to IPS Administration > Source Systems > SF configuration > Transformation and update the JSON conditions for Employee and Onboarding new hire in the user mappings section:
              {
                "condition": "($.status == 't') && ($.personKeyNav.userAccountNav.userType == 'employee')",
                "constant": "employee",
                "targetPath": "$.userType"
              },
              {
                "condition": "($.status == 'active_external_suite') && ($.personKeyNav.userAccountNav.userType == 'onboardee')",
                "constant": "onboardee2.0",
                "targetPath": "$.userType"
              },
              • Update target system configuration. To map the Onboarding new hire user type in Identity Authentication Service (IAS) in the target system, go to IPS Administration > Target Systems > IAS configuration > Transformation and add this JSON fragment:
              {
                "condition": "$.userType contains 'onboardee'",
                "constant": "Public",
                "targetPath": "$.userType"
              },
              • Right after this existing one:
              {
                "sourcePath": "$.userType",
                "optional": true,
                "targetPath": "$.userType"
              },

               

              Result

              • The source Identity Provisioning Service (IPS) Onboarding new hire user type is mapped to the target Identity Authentication Service (IAS) user type.

              Limitations: ONB function limitations with the OData Connector

              Points to be aware of for the OData v2 solution:

              1. Onboarding new hire syncs to IAS by a regular IPS sync job.  Real time sync is not supported. You can set up a Job run frequency as per your business case.
              2. Onboarding new hire will receive IAS activation email only after the successful IAS account creation once the IPS job is run.
                • Onboarding new hires may receive “Complete Paperwork” email before receiving IAS activation email. 
                • Customers can include a note in “Complete Paperwork” email informing new hires to wait for the IAS activation email (if not yet received) and activate the account once new hire receives the email. 
              3. If Onboarding is cancelled, the Onboarding new hire account is deactivated when the next IPS sync job runs.
              4. For a Rehire on New Employment, follow the workaround below.
                • To receive the account activation email from SAP Identity Authentication Service for rehire, ensure that you've:
                  • Deleted the old email id of type Business and updated the new email id of type Business in the New Hire Data Review step or in the Rehire Data Review step.
                  • OR, removed the Business type email from the Employee Profile > Contact Information section of the terminated user or changed the email type to any other email type apart from Business.

              Next Step

              • Configure the email templates or login behaviors in Identity Authentication Service (IAS).

               

              [Section 3]: Configuring Onboarding Welcome Email Template in Identity Authentication Service (IAS)

               

              As an SAP SuccessFactors administrator, configure the Onboarding welcome email template in Identity Authentication Services (IAS).

               

              Prerequisites

              • Employee authentication is configured in your existing Identity Authentication Service (IAS) configuration.
              • You've configured the SAP Identity Provisioning filter for external hires.
              • You've disabled the (HXM Suite) welcome email template for new hire and rehire in Onboarding to prevent two welcome emails from being sent to the new hire.

              Context

              • The Onboarding welcome email was previously sent from HXM Suite. You need to create a new welcome email template in IAS and configure the template for use in Onboarding.

              Procedure

              • To configure the On-Behalf Registration e-mail template set, go to the IAS Administration Console (IPS Administration > Target Systems > IAS configuration) and follow the instructions outlined in the Configuring Email Templates topic. For more information, refer to the Configuring E-Mail Templates link in the Related Links section.
              • To specify the email template set that should be used for Onboarding, go to IPS Administration > Target Systems > IAS configuration > Transformation and add this fragment to the template:
              {
                "condition": "$.userType == 'onboardee2.0'",
                "constant": "c33e67c2-2c03-452f-86d7-7b40be5af9d4",
                "targetPath": "$.emailTemplateSetId",
                "scope": "createEntity"
              },

              Note: You can locate the value for the constant by opening the corresponding welcome email template set in IAS Administration console > Email Templates Sets > SF ONB 2.0 On-Behalf Registration. Click on the template, then copy the value found in the URL after Template Sets.

              Result

              • The IAS welcome email template is configured to trigger when the IAS sync job adds the new hire to Identity Authentication Service (IAS).

              Next Steps

              [Section 4]: Configuring Identity Authentication Service Target System Login Behavior for Onboarding Users

               

              As an SAP SuccessFactors Identity Authentication Service or Identity Provisioning Service administrator, configure the Identity Authentication Service target system to authenticate Employee and Onboarding new hire user types from the Identity Provisioning Service source system.

               

              Prerequisites

              • Employee authentication is configured in your existing Identity Authentication Service (IAS) configuration.
              • You've configured the SAP Identity Provisioning filter to include Onboarding new hires.
              • You've disabled the Onboarding welcome email template for new hire and rehire in HXM Suite.
              • You've configured the IAS Welcome email template to trigger when the new hire is added to Identity Authentication Service.

              Context

              • Map the Onboarding User behaviors from Identity Provisioning Service to the target system, Identity Authentication Service. The new hire receives an email with a link to verify their account and create a password.

              Procedure

              • To configure the Onboarding user type login behavior in the Identity Authentication Service target system, go to IPS Administration > Target Systems > IAS configuration > Transformation and add the following JSON conditions after the fragments:
              { "constant": "false", "targetPath": "$.sendMail", "scope": "createEntity" },
              { "condition": "$.userType == 'onboardee2.0'", "constant": "true", "targetPath": "$.sendMail", "scope": "createEntity" },
              { "constant": "true", "targetPath": "$.mailVerified", "scope": "createEntity" },
              { "condition": "$.userType == 'onboardee2.0'", "constant": "false", "targetPath": "$.mailVerified", "scope": "createEntity" },
              { "constant": "disabled", "targetPath": "$.passwordStatus", "scope": "createEntity" },
              { "condition": "$.userType == 'employee'", "constant": "enabled", "targetPath": "$.passwordStatus", "scope": "createEntity" }

              Note: The fragments in bold should be part of the default configuration provisioned by Upgrade procedure.

              Result

              • Employee and Onboarding new hire user type login behaviors are configured. The new hire welcome email is triggered. The new hire can click the link in the email to verify their email account (User ID) and create a password.
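To see what the Section 2.2 and Section 4 fragments produce for each user type, the following added example (not SAP code and not part of the original article) replays them in order over two constructed users. It assumes mappings run top to bottom, that a later write to the same targetPath replaces an earlier one, and that conditions read the user passed in from the source system; apply_mappings and condition_holds are hypothetical helper names.

```python
import re

# Fragments copied from Sections 2.2 and 4 of this article, in the order the article gives.
IAS_TARGET_MAPPINGS = [
    {"sourcePath": "$.userType", "optional": True, "targetPath": "$.userType"},
    {"condition": "$.userType contains 'onboardee'", "constant": "Public", "targetPath": "$.userType"},
    {"constant": "false", "targetPath": "$.sendMail", "scope": "createEntity"},
    {"condition": "$.userType == 'onboardee2.0'", "constant": "true", "targetPath": "$.sendMail", "scope": "createEntity"},
    {"constant": "true", "targetPath": "$.mailVerified", "scope": "createEntity"},
    {"condition": "$.userType == 'onboardee2.0'", "constant": "false", "targetPath": "$.mailVerified", "scope": "createEntity"},
    {"constant": "disabled", "targetPath": "$.passwordStatus", "scope": "createEntity"},
    {"condition": "$.userType == 'employee'", "constant": "enabled", "targetPath": "$.passwordStatus", "scope": "createEntity"},
]

_COND = re.compile(r"^\$\.(\w+)\s*(==|contains)\s*'([^']*)'$")


def condition_holds(condition, source):
    """Evaluate the two condition shapes used above against the source user."""
    m = _COND.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition}")
    field, op, literal = m.groups()
    value = source.get(field)
    if value is None:
        return False
    return value == literal if op == "==" else literal in value


def apply_mappings(mappings, source, operation="createEntity"):
    """Assumed semantics: top to bottom, a later write to a targetPath wins."""
    target = {}
    for m in mappings:
        if "scope" in m and m["scope"] != operation:
            continue  # createEntity-scoped rules are skipped for other operations
        if "condition" in m and not condition_holds(m["condition"], source):
            continue
        key = m["targetPath"][2:]  # strip the leading "$."
        if "constant" in m:
            target[key] = m["constant"]
        elif m["sourcePath"][2:] in source:
            target[key] = source[m["sourcePath"][2:]]
    return target


# Constructed users, shaped like the output of the Section 2.2 source transformation.
NEW_HIRE = {"userType": "onboardee2.0"}
EMPLOYEE = {"userType": "employee"}

if __name__ == "__main__":
    for user in (NEW_HIRE, EMPLOYEE):
        print(user["userType"], "->", apply_mappings(IAS_TARGET_MAPPINGS, user))
```

Under these assumptions, placing the "Public" fragment before the existing userType copy instead of right after it would leave the new hire with userType onboardee2.0 in IAS, which is why Section 2.2 specifies the position.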

              Next Steps

              • Configure the home URL redirect after user activation.

              [Section 5]: Configuring the Home URL Redirect after User Activation

               

              Prerequisites

              As an SAP SuccessFactors administrator, configure the home page URL redirect for the new hire email activation link:

              • Employee authentication is configured in your existing Identity Authentication Service (IAS) configuration.
              • You've configured the SAP Identity Provisioning filter for external hires.
              • You've disabled the Onboarding welcome email template for new hire and rehire in HXM Suite.
              • You've configured the IAS Welcome email template to trigger when the new hire is added to Identity Authentication Service.
              • You've configured the Identity Authentication Service target system to authenticate Employee and Onboarding new hire user types from the IPS source system.

              Context

              • Configure the URL address to redirect the new hire when they activate the link in their welcome email.

              Procedure

              • In IAS Administration Console, configure the home URL for the SAP SuccessFactors application. For more information on configuring the home URL, refer to the Configure an Application's Home URL topic in the Related Links section. Note: For Home URL, we recommend that you use the SAP SuccessFactors application login URL with the company parameter (like https://qaautocand.hcm.ondemand.com/login?company=CompanyName)
              • Go to IPS Administration > Target Systems > IAS configuration > Transformation and add the following fragment (Note: The ID specified as value of the constant is found in the URL of the corresponding SF application in IAS Administration console > Application):
              {
                "constant": "61de964c51a62f1c942c7293",
                "targetPath": "$.applicationId",
                "scope": "createEntity"
              }

              Result:

              • The new hire is redirected to a URL that includes SAP SuccessFactors and the desired company details.

              See Also

              Keywords

              IAS, IAS Configuration, Identity Authentication Service, Login Method , KBA , LOD-SF-OBX-IAS , IAS User Authentication , How To

              Product

              SAP SuccessFactors Onboarding all versions