3537690 - Additional IP Address allow-listing required in IAS/IPS integration scenarios with SAP SuccessFactors

To ensure the integration between SAP SuccessFactors and SAP IAS/IPS functions correctly, you need to identify and allow-list additional IP addresses.

This guidance applies only if: 

A) IP restrictions are enabled within your environment (e.g., configured through the SuccessFactors UI).

AND B) Basic Authentication is used with SAP IAS/IPS.

Note: if you are using Basic Authentication without IP restriction, this change does not apply to you. 

Important: This allow-listing requirement is temporary, due to ongoing internal infrastructure updates. You will receive further instructions directly via email and within this KBA.

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

• SAP SuccessFactors HCM Suite
• SAP Cloud Identity Services – Identity Authentication IAS
• SAP Cloud Identity Services – Identity Provisioning IPS

Without allowlisting these additional IP Addresses, IPS user sync from SuccessFactors to IAS might fail for instances using Basic Authentication in IPS and IP Restriction in SuccessFactors.

This requirement applies only if: 

• Basic Authentication is used in the IPS Source System for SuccessFactors. Adding the below IP addresses to allowlist will ensure IPS can continue to make SuccessFactors API calls to read & transfer user data to IAS.

IP Address List:

Important: SAP IAS/IPS and SAP SuccessFactors may be hosted in different regions. If you are unsure of the regional locations for each product or if they are indeed in different regions, we recommend allow-listing all IP addresses provided above.

Change needed in API Login Exceptions

To proceed, please add the aforementioned IP addresses to existing allow-list within your SuccessFactors UI under API Login Exceptions, for the Username utilized in IPS configuration for the SuccessFactors Source System. KBA- 2253200 - How to restrict the API access of a specific user by IP addresses

Change needed in IP Restriction Management

Important: This section applies only if the IP Restriction Management feature is currently in use to restrict access to your SuccessFactors instance from specified IP addresses only. No action needed if IP Restriction Management is not in use.

To proceed, please add the aforementioned IP addresses to the existing allow-list within your SuccessFactors UI under IP Restriction Management. KBA- 2089414 - System: How to restrict access to SuccessFactors by IP address - IP Restriction Management

SAP Cloud Identity Services - Regional Availability

KBA 2791410 - Integrating SuccessFactors with Identity Authentication IAS through the Upgrade Center

KBA 3084273 - How to allow SuccessFactors and IAS integration across regions and/or tenant type

2089448 - SuccessFactors Data Center Name, Location, Production Login URL, Production Domain Name, External Mail Server Details and Outbound IP addresses

KBA 2H 2021: API login exception for external oauth when IP restriction management is enabled

*Internal* https://documentation.global.cloud.sap/docs/customer/support/service-now-ticket-creation/support-specific-requests-nat-ips/ 

GCID, IAS, IPS, SAP IAS, SAP IPS, SCI, SAP Cloud Identity Services, SAP Converged Cloud, Converged Cloud, CC, IP, allowlisting, allow listing, allowlist, allow list, allow-list, allow-listing, whitelisting, white listing, white list, whitelist, white-list, white-listing, IP Restriction, IP Restriction Management, Set API login exceptions, API IP, endpoint,  , KBA , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , LOD-SF-INT-API , API & Adhoc API Framework , LOD-SF-INT-ODATA , OData API Framework , How To