SAP Knowledge Base Article - Public

3281873 - [Onboarding] IAS Main KBA

Symptom

FAQs on IAS for external users (Onboardee)

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

Environment

SAP SuccessFactors Onboarding

Resolution

SuccessFactors Onboarding can now authenticate Onboardees through SAP Identity Authentication Service (IAS) before they join the organization, using the System for Cross-domain Identity Management (SCIM) 2.0 REST API. The Onboardee is redirected to the IAS login page.

Q1. How can we check whether the Onboardee is synced to IAS?

A. The extension status indicates whether the onboarding new hire record is ready to sync to IAS.

0 - Active (Onboardee is synced to IAS)

1 - Inactive (the Onboardee is an inactive external user and will not be synced to IAS)

2 - Pending

Pending status means the user is not synced to IAS even though he or she is an active user. This applies only to Onboardees. Employees toggle between 0 and 1.

When the Onboardee is required to provide PDC, we set the status to 0 (Active) so that the user is synced to IAS and receives an IAS activation email. The net effect is that the Onboardee is notified only when his or her input is required.

NOTE: @Support please refer to Internal Memo on how to change the extension status manually

Q2. What is the activation email?

A. The activation email is the email sent from IAS for setting the initial password. It is delinked from the current welcome email, which contained the reset password link for BizX. The welcome email is still sent from Onboarding.

Q3. How do we distinguish an employee from an Onboardee in IAS?

A. We have a new user type, Onboardee, in IAS. This distinguishes the user from an Employee.

In B2211, real-time sync for IAS is supported for Onboardees and not for employees. Employees are synced using a scheduled job.

Q4. During Onboarding initiation we provide an email. If the HM changes the email on the NHDR page, will the IAS mail be sent to the updated email or to the email maintained at the time of onboarding initiation?

A. It will be the updated email, because the email ID is picked from the platform tables and hence the mail is sent to the updated email.

Q5. In the normal scenario for external users, we can reset the password using the Reset user password page. For an IAS user, is there any function where the admin can reset the password?

A. The external candidate can reset the password using the Forgot password function, but the admin will not have access to passwords. Reset can be self-service via the login page or, based on the IAS settings, the admin can set a default password and enable change-on-login functionality so that the password is secure.

Q6. If IAS is enabled, will all external users have IAS login by default, or can we select a set of users that have IAS enabled?

A. By default, IAS is used for authenticating both Onboardees and employees once the customer has enabled SAP Identity Authentication Service using the System for Cross-domain Identity Management (SCIM) 2.0 REST API.

Q7. What will the login URL parameter be for an Onboardee if IAS is enabled?

A. If IAS is used for Onboardee authentication, then the login URL will NOT have pm_product_name.
    If Onboardees are not authenticated via IAS, then pm_product_name is automatically added.

Q8. How to check whether the Onboardee is enabled with IAS?

Steps to check:

  1. IDP: Customer is using IAS IDP.
  2. Go to Admin Center > Monitoring Tool for Identity Authentication Service/Identity Provisioning Service Upgrade page.

Review this page and check the “Initiated on:” date.

If this date is from Nov 29th, 2022 for the preview environment, or from Dec 9th, 2022 for the production environment, then the customer is using the 2211 Enhanced ONB-IAS SCIM integration.

 

Expectation: The customer has followed all steps mentioned in the documentation below.

WNV: https://help.sap.com/docs/SAP_SUCCESSFACTORS_RELEASE_INFORMATION/8e0d540f96474717bbf18df51e54e522/2dbcd6ff61284a2a84a7ecb18e3be859.html

https://help.sap.com/docs/SAP_SUCCESSFACTORS_ONBOARDING/c94ed5fcb5fe4e0281f396556743812c/c3c8a0bd465246dc8aeda39700e358ad.html - Please make sure to disable Welcome email template as mentioned in this help guide link.

https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/568fdf1f14f14fd089a3cd15194d19cc/4ce03614440e4c3a85b9eb4716bc97ed.html

 

Q9. How to check real-time sync?

A. To check real-time sync:

Configure real-time sync as mentioned in https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/568fdf1f14f14fd089a3cd15194d19cc/4ce03614440e4c3a85b9eb4716bc97ed.html

After configuration, create a new Onboardee and complete the “New Hire Data Review” step.

You can check Admin Center > Execution Manager Dashboard > Pre-delivered integration to monitor real-time sync, as shown in the sample screenshot below.

 

Regarding real-time sync not being enabled: we recommend enabling real-time sync so that the Onboardee is activated in IAS immediately. Otherwise, the Onboardee is picked up in the next full sync, whose run frequency may be once per day.
Real-time sync is offered only for Onboardees. Also note that cancelled Onboardees need to be removed from the system at the earliest for security reasons. Failure to do so would allow access to our systems until the next sync runs.


Q10: Why is the Reset Password URL not sent to the candidate?
Please check with the customer whether, while implementing Onboarding, they enabled it in provisioning, then disabled it in provisioning and enabled it again.
There is a known issue: when a customer disables the ONB 2.0 feature, all ONB-related permission configuration becomes inactive. When the customer re-enables ONB 2.0, this permission configuration is not brought back.

To resolve this, we need to open a ticket with engineering to run a script. Customer approval is also required for the script.
@Support please see internal memo for reference engineering ticket.

Q11: The IPS Target synchronization process skipped the entry of the ONB user and data is not sent to IAS. Email and last name are missing inside the SCIM data.
To resolve, please check whether Login Name is populated in the certificate in admin centre > security centre.
If the Login Name exists, it should have target population for all Onboardees.

Generally we recommend that the customer upload the certificate again and leave Login Name empty; a technical user in the backend then handles all the permissions. Details in step 3 notes
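
A reconciliation check built on the extension status values from Q1, the note in Q9 that cancelled Onboardees keep access until the next sync, and the missing email / last name case in Q11. This is an added example, not SAP code: all records are constructed, `extension_status` and the finding names are hypothetical, and the `userType` string `onboardee` is an assumed value; `userName`, `name.familyName`, `emails`, `userType` and `active` are standard SCIM 2.0 user attributes.

```python
# Added example: every record is constructed. "extension_status" is a
# hypothetical field name for the 0/1/2 status described in Q1.
STATUS = {0: "Active", 1: "Inactive", 2: "Pending"}

def is_active(user):
    return user is not None and user.get("active", True)  # no flag: assume active

def audit(source, ias_users):
    """Return sorted (userName, finding) pairs for onboardee accounts."""
    ias = {u["userName"]: u for u in ias_users}
    findings = []
    for rec in source:
        name, status = rec["userName"], rec.get("extension_status")
        live = is_active(ias.get(name))
        if status not in STATUS:
            findings.append((name, "unknown_status"))
        elif status == 0:
            has_email = any(e.get("value") for e in rec.get("emails", []))
            has_last = bool(rec.get("name", {}).get("familyName"))
            if not (has_email and has_last):
                # Q11: entries without email or last name are skipped by the sync
                findings.append((name, "incomplete_scim_data"))
            elif not live:
                findings.append((name, "awaiting_sync"))
        elif live:
            # Inactive (1) or Pending (2) records should hold no live IAS login
            findings.append((name, "stale_ias_access"))
    known = {rec["userName"] for rec in source}
    for name, user in ias.items():
        onboardee = str(user.get("userType", "")).lower() == "onboardee"  # assumed value
        if name not in known and onboardee and is_active(user):
            findings.append((name, "orphan_ias_account"))
    return sorted(findings)

def person(name, status, last="", email=""):
    return {"userName": name, "extension_status": status,
            "name": {"familyName": last}, "emails": [{"value": email}] if email else []}

SOURCE = [
    person("alice", 0, "Adams", "alice@example.test"),
    person("bob", 1, "Brown", "bob@example.test"),      # cancelled hire
    person("carol", 2, "Clark", "carol@example.test"),  # pending, not yet synced
    person("dave", 0),                                  # no email or last name
    person("erin", 0, "Evans", "erin@example.test"),
]
IAS_USERS = [{"userName": n, "userType": "onboardee", "active": True}
             for n in ("alice", "bob", "frank")]

if __name__ == "__main__":
    print(audit(SOURCE, IAS_USERS))
```
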

Troubleshooting Steps:

  1. IAS upgrade should be green in admin centre > Monitoring Tool for Identity Authentication Service/Identity Provisioning Service Upgrade.

      In Monitoring Tool for Identity Authentication Service/Identity Provisioning Service Upgrade > Settings page, the option to apply to both employee and onboardee should be enabled.

  2. Onboarding identity authentication switch should be enabled in provisioning -> company settings if SCIM is used.

  3. Check if real-time sync is enabled for the Onboardee.

      A) Provide RBP: RBP > Permission role > administrator permission > Manage Identity Account and Group > Manage Identity Authentication/Identity Provisioning Real Time Sync.

      B) In admin center > Manage Identity Authentication/Identity Provisioning Real Time Sync, check that real-time sync is enabled.

  4. If a custom Process variant is used, then Process Variant Manager needs to be deployed with the latest xml and should have the IAS code.
  5. Ensure that the Onboardee has completed the New Hire Data Review step.

IAS REAL TIME SYNC ERROR

  • When Onboarding-IAS real-time synchronization encounters error code 531, the failure no longer takes 27 hours, including multiple auto-retries, to be reflected in the Execution Manager. Instead, a manual retry option is provided, enabling the customer to check and resolve the issue through Admin Alerts under 'Failed domain events.' This allows the customer to address data issues and manually synchronize the new hire's user account with IAS.
  • The Admin alerts for real-time sync failures in IAS fall under the category of 'Failed Domain Events' and remain accessible for 10 days. Even if the issues aren't resolved, these alerts are automatically removed after the 10-day retention period. If the problems persist beyond this timeframe, the IPS admin can check logs and take the necessary action to correct failures. The IPS admin can run a resync job or wait for the next sync job to run. This will synchronize the new hire's user account with IAS.
  • The details of the error codes are documented in https://confluence.successfactors.com/pages/viewpage.action?spaceKey=ENG&title=IPS+Real+time+sync+response+code+handling+in+SFSF
  • Screenshots of the error details in Execution Manager and Admin Alerts.

Note: @Support please check internal memo for additional troubleshooting steps via internal logs.

See Also

3204536 - How to Setup up Identity Authentication Service (IAS) for Onboarding External Users - using ODATA connector. (https://launchpad.support.sap.com/#/notes/3204536)

3078444 - [Onboarding] FAQs on IAS for Onboarding (https://userapps.support.sap.com/sap/support/knowledge/en/3078444)

IAS IDP Documentation: https://d.dam.sap.com/a/XREqKSs/IDP%20-%20SAP%20SuccesFactors%20Suite%20Identity%20and%20Access%20Management%20v1.23.pdf

IAS Blog: https://blogs.sap.com/2023/05/10/onboarding-new-hires-authentication-using-sap-identity-authentication-service-ias/

Real time sync guide: https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/568fdf1f14f14fd089a3cd15194d19cc/4ce03614440e4c3a85b9eb4716bc97ed.htm

Pre-requisite for IAS setup: https://help.sap.com/docs/SAP_SUCCESSFACTORS_ONBOARDING/c94ed5fcb5fe4e0281f396556743812c/c3c8a0bd465246dc8aeda39700e358ad.html

Keywords

IAS, Onboarding, Onboardee, IAS for onboardee , KBA , LOD-SF-OBX-IAS , IAS User Authentication , How To

Product

SAP SuccessFactors Onboarding 2211
