Symptom
Instead of Basic Authentication, certificate-based authentication is set up in IPS>Source System for the IPS sync job to read SF users.
However, when the read job is run in IPS, it returns the following error:
Cannot execute provisioning job in tenant context: xxxxxxxxxx
Caused by: Error during execution on behalf of tenant with ID: xxxxxxxxxx
Caused by: Executing delta load failed.
Caused by: HTTP operation failed invoking https://api15preview.cert.sapsf.cn/rest/iam/scim/v2/Users?startId=initial&count=100&filter=active%20eq%20true with statusCode: 401 and body {"error":{"code":"AuthenticationFailed","message":"Authentication service failed to return token.","details":"[AUTH0032]Invalid client certificate"}}
Caused by: HTTP operation failed invoking https://api15preview.cert.sapsf.cn/rest/iam/scim/v2/Users?startId=initial&count=100&filter=active%20eq%20true with statusCode: 401, Response: {"error":{"code":"AuthenticationFailed","message":"Authentication service failed to return token.","details":"[AUTH0032]Invalid client certificate"}}
Environment
SAP SuccessFactors HCM Suite
Reproducing the Issue
- Log in to the IPS admin console.
- Go to Source System>Property.
- Confirm that the Authentication field is set to ClientCertificateAuthentication.
- Go to Jobs and run the read user job.
- The job fails with the error code "[AUTH0032]Invalid client certificate".
Cause
The certificate uploaded in SF Security Center might not get synchronized correctly, even when all configurations and the certificate are confirmed to be set up correctly according to KBA 3312844 - Error 401 when using Client Certificate based authentication in IPS connection to SuccessFactors.
Resolution
Confirm the steps below to ensure that the configuration is correct and the certificate matches:
- Check the certificate fingerprint on the IPS source system, then go to SuccessFactors and see whether it matches the one shown under Security Center > X509 Public certificate mapping.
- If yes, try deleting the existing X509 certificate in SF Security Center and uploading the same X509 certificate again, as downloaded from IPS>Outbound Certificate.
- Ensure that the "INACTIVE" certificate in IPS is removed from the Outbound certificate section, otherwise the sync might still fail.
If the same error still occurs after re-uploading the certificate, please raise a ticket with SAP support under the component LOD-SF-PLT-IAS for further investigation.
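The fingerprint comparison in the first step can also be done offline against the certificate file downloaded from IPS. The following is an added example, not part of this KBA or of any SAP tooling. The page does not state which hash algorithm either screen displays, so checking both SHA-1 and SHA-256 is an assumption, and the sample certificate is constructed placeholder bytes.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file."""
    blocks = PEM_RE.findall(pem_text)
    if not blocks:
        raise ValueError("no CERTIFICATE block found")
    # Line endings and wrapping inside the block do not affect the DER bytes.
    return [base64.b64decode("".join(b.split()), validate=True) for b in blocks]

def fingerprints(der):
    """A fingerprint is the hash of the DER encoding (algorithms assumed)."""
    return {alg: hashlib.new(alg, der).hexdigest() for alg in ("sha1", "sha256")}

def normalize(shown):
    """Drop colons, dashes, spaces and case so values from two UIs compare."""
    return re.sub(r"[\s:\-]", "", shown).lower()

def matches(pem_text, shown):
    """True if `shown` is the SHA-1 or SHA-256 fingerprint of the single
    certificate in pem_text."""
    ders = pem_to_der(pem_text)
    if len(ders) != 1:
        # A file holding several certificates makes the comparison ambiguous.
        raise ValueError(f"expected one certificate, found {len(ders)}")
    want = normalize(shown)
    return bool(want) and want in fingerprints(ders[0]).values()

# CONSTRUCTED sample: placeholder bytes wrapped as PEM, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for alg, value in fingerprints(pem_to_der(SAMPLE_PEM)[0]).items():
        print(alg, value)
```

Pass the file contents and the value copied from either screen to `matches()`; a `False` result for both screens' values means the uploaded certificate is not the one IPS presents.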
See Also
- KBA 3312844 - Error 401 when using Client Certificate based authentication in IPS connection to SuccessFactors
Keywords
[AUTH0032]Invalid client certificate, Client Certificate based authentication, Certificate, ClientCertificateAuthentication, AUTH0032, IPS, Read job failed, sf, IPS, KBA, LOD-SF-PLT-IAS, Identity Authentication Services (IAS) With BizX, Problem