Symptom
An error is received either before or after IAS activation when enableRealtimeUserSync=true:
- “A new Learning-only user could not be created. Please verify the values from System Administration > Configuration > System Configuration > SAP CLOUD IDENTITY SERVICES > Identity Provisioning section and try again.”
Environment
SAP SuccessFactors Learning
Reproducing the Issue
Before IAS Activation
- Learning Administration > System Administration > Security > Activate Identity Authentication Integration > error message when clicking “Test Now” in Step 4 “Test Real-time User Creation”
After IAS Activation
- Learning Administration > System Administration > Configuration > System Configuration > SAP CLOUD IDENTITY SERVICES > error message when setting enableRealtimeUserSync=true and clicking Apply Changes.
Cause
There are four possible reasons:
- SAC Provisioning indirectly includes LMS as a source system - In IPS, the source system of the SAC target system is set to “Target system will read entities from all enabled source systems”, which includes LMS. However, provisioning Learning-only users in People Analytics is not supported.
- Tech User passwords for LMS, IAS and IPS are not equal - The tech user password must be the same in LMS, IAS and IPS. If any of them has been changed after provisioning, they all need to be reset to the same value. The Tech User exists in Learning, with its password stored in configuration, for API usage only, so when IAS and IPS call LMS they need to use the password that is configured in Learning.
- IAS Test User from Previous Attempt is Blocking Activation - If a previous attempt to enable real-time user sync failed, the "ias_test_user_27F5AAEA" user may have been created. Retrying the enablement of real-time sync while this user exists in IAS will continue to make the job fail.
- The Learning IPS-mTLS Certificate may have expired - Uploading the renewed LMS mTLS certificate is required to use/enable real time user sync.
- The permissions below are missing for the technical user of the IAS target system:
  - read users
  - access real-time provisioning API
Resolution
Please see above for the four different causes to identify the proper solution that needs to be followed.
- SAC Provisioning indirectly includes LMS as a source system:
  - In Identity Provisioning, navigate to Target Systems > Select SAC > Details tab, then change the SAC source system to “SuccessFactors”.
- Tech User passwords for LMS, IAS and IPS are not equal:
  - Set the password in each of the 3 systems to the same value:
    - For Learning: Learning Administration > Configuration > System Configuration > SAP CLOUD IDENTITY SERVICES "techUserPassword".
    - For IPS: navigate to Source Systems > select the Learning source system > Properties tab, and change the Password property to the new password.
    - For IAS: Admin > Identity Provisioning > Source Systems > Learning (the name is usually LMS – tenantID). In the Technical User section, change the Technical User Secret (password) to the new password.
- IAS Test User from Previous Attempt is Blocking Activation:
  - Navigate to IAS > Users & Authorizations > User Management > Search for “ias_test_user_27F5AAEA” > Select and delete the user > Set ‘enableRealtimeUserSync’ to ‘true’ again.
- The Learning IPS-mTLS Certificate may have expired:
  - Navigate to the Identity Provisioning admin console and use the Learning IPS - mTLS Certificate Expiration KBA to check if your LMS source system inbound certificate is expired.
  - If the certificate has expired, use the Learning IPS - mTLS Certificate Expiration KBA to upload the renewed LMS mTLS certificate, and then you can attempt to enable real-time user sync again.
- Missing permissions for the technical user of the IAS target system:
  - Add the permissions below to the technical user of your IAS target system:
    - read users
    - access real-time provisioning API
Keywords
IAS, IPS, LMS, Learning, User, fail, real, time, sync, failure, not, working, activation, enableRealtimeUserSync, source, system, Learning-only, KBA, LOD-SF-LMS-IAS, LMS IAS Integration for External User, Problem