3737619 - IPS Sync Failure After Switching from Basic Authentication to Client Certificate Authentication

In the IPS configuration for the SuccessFactors source system, the authentication method was changed from BasicAuthentication to ClientCertificateAuthentication.

After this change, the IPS sync started failing with the following errors:

• Caused by: Property sf.company.id is missing, but is required for ClientCertificateAuthentication mode

• Caused by: Mandatory property 'sf.company.id' missing from configuration

OR

• Caused by: Executing delta load failed

• Caused by: HTTP operation failed while invoking API URL /odata/v2/User... with status code 401 and message: Authentication credentials are required. Please provide a valid username, password, and company id

• Caused by: HTTP operation failed while invoking API URL /odata/v2/User

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

• SAP SuccessFactors HCM Suite
• SAP Cloud Identity Services – Identity Authentication IAS
• SAP Cloud Identity Services – Identity Provisioning IPS

The issue occurs because the required property sf.company.id is missing in the source system configuration, and the API URL is incorrectly maintained.

Please follow the below steps to update the authentication from BasicAuthentication to ClientCertificateAuthentication for the SuccessFactors source system:

1. Go to SAP Cloud Identity Services Administration Console → Identity Provisioning → Source Systems.
2. From the list, select the source system for the SAP SuccessFactors instance.
3. Navigate to the Outbound Certificates tab.
4. If there is no active certificate, click Generate and Download. If already available, click Download.
5. Go to SAP SuccessFactors Admin Center → Security Center → X.509 Public Certificate Mapping and click Add.
6. Enter a name for the mapping, select Identity Provisioning Service in the Integration Name field, and upload the downloaded certificate.
7. Save the changes.
8. Navigate back to SAP Cloud Identity Services Administration Console → Identity Provisioning → Source Systems → [SuccessFactors Source System] → Properties tab.
9. Set the following properties:

• Properties for User and Password can be removed as they are not used for ClientCertificateAuthentication.
• Trigger Simulation job to check if users can be read from source system.

• IAS Guided Answers - Integrating SuccessFactors with IAS
• Community Blog - Step-by-Step Guide of SF to IAS Integration Process and Common Troubleshooting Tips
• Community Blog - Migration to SAP Cloud Identity Authentication (IAS/IPS)
• Easier Tenant Selection During Identity Authentication Integration | SAP Help Portal
• Reuse SAP Cloud Identity Services Tenants for Different Customer IDs | SAP Help Portal
• Setting Up SuccessFactors with SAP Cloud Platform Identity Authentication Services

IPS Sync Failure After Switching from Basic Authentication to Client Certificate Authentication, IPS sync failure SuccessFactors, ClientCertificateAuthentication IPS error, sf.company.id missing IPS, SuccessFactors IPS certificate authentication issue, IPS delta load failed 401 error SuccessFactors, authentication credentials required SuccessFactors API, IPS source system configuration error, SuccessFactors API URL incorrect IPS, X.509 certificate mapping SuccessFactors IPS, IPS BasicAuthentication to ClientCertificateAuthentication issue , KBA , LOD-SF-PLT-IPS , IPS integration & sync with BizX , How To