SAP Knowledge Base Article - Public

3359245 - Migrating SF Source system authentication from Basic Authentication to mTLS certificate

Symptom

  • How to migrate the IPS source authentication from Basic Authentication to an mTLS certificate?
  • How to migrate from the ODATA API to the SCIM API?

“Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.”

Environment

  • SAP SuccessFactors HCM Suite
  • SAP Cloud Identity Services – Identity Provisioning IPS
  • SAP Identity Provisioning Service

Resolution

Please note that migrating from version 1 to version 2 is not mandatory in order to use the mTLS certificate; it should work using API version 1. However, it is recommended to migrate to the SCIM API.

To migrate from Basic Authentication to an mTLS certificate, follow the steps below:

  1. Generate the certificate for the SF source system on the IPS side -> Generate and Manage Certificates for Outbound Connection
  2. Then add this certificate on the SuccessFactors side -> Upgrade to X.509 Certificate-Based Authentication for Incoming Calls:

    Make sure the Integration Name is set to Identity Provisioning Service.

If you also want to migrate the API version, note that each API version needs some additional configuration in the IPS transformations and properties. There are two API versions:

  • ODATA API (Version 1): When using the SAP SuccessFactors HCM Suite OData API, a technical user is created with permissions to call the SAP SuccessFactors HCM Suite OData API and to export employee data from the SAP SuccessFactors system.

  • SCIM API (Version 2): When using the SAP SuccessFactors Workforce SCIM API, a backend user is created with Administrator permissions to query, edit and export employee data from the SAP SuccessFactors system.

The procedure to update the API version from ODATA (Version 1) to SCIM (Version 2) can be found in Upgrade from ODATA IPS Connector to SCIM IPS Connector with SAP SuccessFactors HXM Suite.

Since each version has its own expressions, review the guide 3286518 to check which should be used. For SCIM API (Version 2) all the transformations must be modified.

In the help guide Mapping Between SCIM Users and ODATA User you can find the different mappings between these two versions. For example, the attribute userName in version 2 corresponds to the attribute personKeyNav/userAccountNav/accountUuid in version 1.

SCIM Attribute | Sub Attribute | Read Only | ODATA Field
userName       |               | Y         | personKeyNav/userAccountNav/accountUuid

Some of the SCIM attributes have a sub attribute, which is appended to the attribute name separated by a dot, as follows: SCIM_Attribute.Sub_Attribute

The following attributes are default version 1 settings; they are not needed in version 2 (SCIM):

sf.user.attributes =  userId,username,usernameSAP,status,email,lastName,firstName,lastModifiedDateTime,personKeyNav

When switching to version 2 (SCIM) please follow the SCIM migration instructions.
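
The check below is an added example, not part of this KBA or of SAP tooling: it scans a transformation for source paths that still begin with one of the version 1 (ODATA) attribute names listed in sf.user.attributes above, so that leftovers can be reviewed after the switch to SCIM. The JSON layout with "mappings", "sourcePath" and "targetPath" keys, the function names and the sample transformation are assumptions made for this example.

```python
import json
import re

# Default version 1 (ODATA) attributes, copied from sf.user.attributes on this page.
V1_ATTRIBUTES = {"userId", "username", "usernameSAP", "status", "email",
                 "lastName", "firstName", "lastModifiedDateTime", "personKeyNav"}
# The one ODATA -> SCIM mapping this page states explicitly.
KNOWN_SCIM_EQUIVALENT = {"personKeyNav/userAccountNav/accountUuid": "userName"}


def source_paths(node):
    """Yield every "sourcePath" string found anywhere in the transformation."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "sourcePath" and isinstance(value, str):
                yield value
            else:
                yield from source_paths(value)
    elif isinstance(node, list):
        for item in node:
            yield from source_paths(item)


def leftover_v1_paths(transformation_json):
    """Return (sourcePath, SCIM hint or None) for paths that start with a v1 attribute."""
    findings = []
    for path in source_paths(json.loads(transformation_json)):
        # "$.a.b[0].c" -> ["a", "b", "c"]; names are compared case-sensitively,
        # so SCIM "userName" is not confused with ODATA "username".
        segments = [s for s in re.split(r"[./]", re.sub(r"\[[^\]]*\]", "", path.lstrip("$"))) if s]
        if segments and segments[0] in V1_ATTRIBUTES:
            findings.append((path, KNOWN_SCIM_EQUIVALENT.get("/".join(segments))))
    return findings


# Constructed sample: a half-migrated read transformation (not a real export).
SAMPLE = """
{"user": {"mappings": [
  {"sourcePath": "$.userName", "targetPath": "$.userName"},
  {"sourcePath": "$.personKeyNav.userAccountNav.accountUuid", "targetPath": "$.externalId"},
  {"sourcePath": "$.email", "targetPath": "$.emails[0].value"},
  {"sourcePath": "$.name.familyName", "targetPath": "$.name.familyName"},
  {"constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]"}
]}}
"""

if __name__ == "__main__":
    for path, hint in leftover_v1_paths(SAMPLE):
        print(f"review: {path}" + (f"  (SCIM attribute: {hint})" if hint else ""))
```

A flagged path is a candidate for review against the mapping guide, not proof of a broken mapping; only the userName hint comes from this page.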

See Also

3312844 Client certificate based authentication in IPS with SuccessFactors as Source system

2215682 - Successfactors API URLs for different Data Centers

Generate and Manage Certificates for Outbound Connection

Upgrade to X.509 Certificate-Based Authentication for Incoming Calls

SAP SuccessFactors

3343915 - How to Use SCIM customFields from SuccessFactors

Keywords

IPS, SCIM API, ODATA API, upgrade from odata, transformations, attributes, scim migration, INC9295233 , KBA , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , BC-IAM-IDS , Identity Authentication Service , BC-IAM-IPS , Identity Provisioning Service (IPS) , LOD-SF-INT-ODATA , OData API Framework , How To

Product

SAP SuccessFactors Platform all versions