Symptom
- How to migrate the IPS source authentication from Basic Authentication to mTLS certificate?
- How to migrate from odata to scim API?
Environment
- SAP SuccessFactors HCM Suite
- SAP Cloud Identity Services – Identity Provisioning IPS
- SAP Identity Provisioning Service
Resolution
Note that migrating from version 1 to version 2 is not mandatory in order to use the mTLS certificate; it should work using API version 1. However, it is recommended to migrate to the SCIM API.
To migrate from BasicAuthentication to an mTLS certificate, follow the steps below:
- Generate the certificate for the SF source system on the IPS side: see Generate and Manage Certificates for Outbound Connection.
- Then add this certificate on the SuccessFactors side: see Upgrade to X.509 Certificate-Based Authentication for Incoming Calls.
Make sure the Integration Name is set as Identity Provisioning Service.
If you also want to migrate the API version, note that each API version needs some additional configuration in the IPS transformations and properties. There are two API versions:
- ODATA API (Version 1): When using the SAP SuccessFactors HCM Suite OData API, a technical user is created with permissions to call the SAP SuccessFactors HCM Suite OData API and to export employee data from the SAP SuccessFactors system.
- SCIM API (Version 2): When using the SAP SuccessFactors Workforce SCIM API, a backend user is created with Administrator permissions to query, edit and export employee data from the SAP SuccessFactors system.
The procedure to update the API version from ODATA (Version 1) to SCIM (Version 2) can be found in Upgrade from ODATA IPS Connector to SCIM IPS Connector with SAP SuccessFactors HXM Suite.
Since each version has its own expressions, review the guide 3286518 to check which ones should be used. For the SCIM API (Version 2), all the transformations must be modified.
In the help guide Mapping Between SCIM Users and ODATA User you can find the mappings between these two versions. For example, the attribute userName in version 2 corresponds to the attribute personKeyNav/userAccountNav/accountUuid in version 1.
SCIM Attribute | Sub Attribute | Read Only | ODATA Field |
---|---|---|---|
userName | | Y | personKeyNav/userAccountNav/accountUuid |
Some of the SCIM attributes have a sub attribute, which is referenced with a dot as separator, as follows: SCIM_Attribute.Sub_Attribute
The following attributes are default version 1 settings; they are not needed in version 2 (SCIM):
sf.user.attributes = userId,username,usernameSAP,status,email,lastName,firstName,lastModifiedDateTime,personKeyNav
When switching to version 2 (SCIM), please follow the SCIM migration instructions.
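The following check is an added example, not part of this KBA or of SAP's tooling: it scans a read transformation and the source system properties for version 1 leftovers after a switch to SCIM. The transformation layout (user.mappings with sourcePath/targetPath) and the sample data are constructed assumptions; only the sf.user.attributes list and the userName mapping come from this page.

```python
import json

# Default version 1 (ODATA) attribute list quoted on this page.
V1_FIELDS = set(("userId,username,usernameSAP,status,email,lastName,"
                 "firstName,lastModifiedDateTime,personKeyNav").split(","))
# The one ODATA -> SCIM pair this page states; extend it from the mapping guide.
ODATA_TO_SCIM = {"personKeyNav/userAccountNav/accountUuid": "userName"}

def odata_path(source_path):
    """Convert a JSONPath like $.a.b.c to the ODATA navigation form a/b/c."""
    return source_path.lstrip("$").strip(".").replace(".", "/")

def lint(transformation, properties):
    """Return (kind, item, hint) tuples for version 1 leftovers."""
    findings = []
    if "sf.user.attributes" in properties:
        findings.append(("property", "sf.user.attributes",
                         "version 1 setting, not needed in version 2 (SCIM)"))
    for mapping in transformation.get("user", {}).get("mappings", []):
        src = mapping.get("sourcePath")
        if not src:  # constant mappings have no source path to check
            continue
        path = odata_path(src)
        # Heuristic: the first path segment is a known version 1 ODATA field.
        if path.split("/")[0] in V1_FIELDS:
            scim = ODATA_TO_SCIM.get(path)
            hint = "$." + scim if scim else "look up in the mapping guide"
            findings.append(("mapping", src, hint))
    return findings

# Constructed sample: a read transformation only partly migrated to SCIM.
SAMPLE_TRANSFORMATION = json.loads("""
{"user": {"mappings": [
  {"sourcePath": "$.personKeyNav.userAccountNav.accountUuid", "targetPath": "$.userName"},
  {"sourcePath": "$.email", "targetPath": "$.emails[0].value"},
  {"sourcePath": "$.userName", "targetPath": "$.externalId"},
  {"constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]"}
]}}""")
SAMPLE_PROPERTIES = {"sf.user.attributes": ",".join(sorted(V1_FIELDS))}

if __name__ == "__main__":
    for kind, item, hint in lint(SAMPLE_TRANSFORMATION, SAMPLE_PROPERTIES):
        print(f"{kind:8} {item} -> {hint}")
```

A source path that still points at a version 1 field resolves to nothing once the connector reads from SCIM, so users can be provisioned with empty or stale identifiers; running a check like this before the first job after the switch surfaces those mappings.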
See Also
3312844 - Client certificate based authentication in IPS with SuccessFactors as Source system
2215682 - Successfactors API URLs for different Data Centers
Generate and Manage Certificates for Outbound Connection
Upgrade to X.509 Certificate-Based Authentication for Incoming Calls
Keywords
IPS, SCIM API, ODATA API, upgrade from odata, transformations, attributes, scim migration, INC9295233, KBA, LOD-SF-PLT-IAS, Identity Authentication Services (IAS) With BizX, BC-IAM-IDS, Identity Authentication Service, BC-IAM-IPS, Identity Provisioning Service (IPS), LOD-SF-INT-ODATA, OData API Framework, How To