REQUIREMENT:

The business is setting up Single Sign-On (SSO) for internal employees, but external vendors must authenticate using passwords. Internal employees will log in via Microsoft SSO configured through IAS, while external vendors will log in using credentials via IAS.

To set up conditional authentication in IAS, employees must be assigned the correct user type to apply the appropriate authentication method.

To achieve this, a custom solution was set up. The Employee Class(custom03) field from SAP SuccessFactors will map to one of the custom attributes in the IAS system. Based on the value of this custom attribute, the user type field should be updated accordingly, hence updating the authentication method.

SOLUTION & IMPLEMENTATION STEPS:

STEP 1 - Add Source and Target code to update the 'Employee Class(Custom03)' field from SAP SuccessFactors to 'Custom Attribute 5' in the SAP Identity Provisioning Service (IAS).

• Source Code - Navigate to Identity Provisioning -> Source System -> Click on SAP SuccessFactors system -> Transformation-> Click on Edit Code -> Update the below code -> Save

  {
"sourcePath": "$.custom03",
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['custom03']"
}, 

• Target Code - Navigate to Identity Provisioning -> Target System -> Click on SAP Identity Authentication system -> Transformation-> Click on Edit Code -> Update the below code -> Save

{
"sourcePath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['custom03']",
"optional": true,
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][4]['value']"
},
{
"condition": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['custom03'] EMPTY false",
"constant": "customAttribute5",
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][4]['name']"
},

• Run the Read Job to update the data

 Navigate to Identity Provisioning -> Source System -> Click on SAP SuccessFactors system -> Jobs-> Click on 'Run Now'.

The data will be updated for all the employees in IAS with the Custom Attribute 5 field flowing from Employee Class from SuccessFactors.

STEP 2 - Setting Conditional Logic for User Types

Once the 'Employee Class' is successfully mapped to 'Custom Attribute 5' in IAS, the next step is to define conditional logic to update the userType field based on the value of 'Custom Attribute 5'. This classification helps in categorizing users into different types.

Add Source and Target code with different conditions to update the User Type field in IAS. Conditions are as below:

• If Employee Class/Custom Attribute 5 = Contractor, User Type = External
• If Employee Class/Custom Attribute 5 = Employee, User Type = Employee
• If Employee Class/Custom Attribute 5 = Support, User Type = Partner
• If Employee Class/Custom Attribute 5 = API, User Type = Public

These conditions could vary depending on the business needs.

• Source Code - Navigate to Identity Provisioning -> Source System -> Click on SAP SuccessFactors system -> Transformation-> Click on Edit Code -> Update the below code -> Save

Custom3 denotes employee class in SuccessFactors, this key can be varied depending upon your system configuration.

{
"condition": "($.custom03 == 'Contractor')",
"constant": "External",
"targetPath": "$.userType"
},
{
"condition": "($.custom03 == 'Employee')",
"constant": "Employee",
"targetPath": "$.userType"
},

{
"condition": "($.custom03 == 'Support')",
"constant": "Partner",
"targetPath": "$.userType"
},

{
"condition": "($.custom03 == 'API')",
"constant": "Public",
"targetPath": "$.userType"
},

• Run the Read Job to update the data

Navigate to Identity Provisioning -> Source System -> Click on SAP SuccessFactors system -> Jobs-> Click on 'Run Now'.

Once the job is completed, the UserType field will be updated based on the conditions.

STEP 3 - Setup Conditional Authentication

The final step in the process is configuring conditional authentication rules in IAS. These rules determine the authentication method based on the user type.

Navigate to Applications & Resources -> Applications ->SuccessFactors System -> Conditional Authentication.

Click on the Add button and you can select criteria, one of the criteria is User- Type field. Select the User Type criteria to authenticate via a specific system. In this case, we want Employees to authenticate via Microsoft, Public with the IAS, and Partner with another service provider.

This can be customized as per the requirements but service providers that will be used as authentication system needs to be implemented before setting up conditional authentication.

For more detailed guidance on implementing Single Sign-On and setting up authentication via Microsoft, refer to the blog

Once the conditional authentications are saved, you can try logging with different user Types, authentication methods/system will be updated.

CONCLUSION

By following these steps, the business can achieve a secure and efficient authentication system customized to the needs of both internal employees and external vendors. This setup not only enhances security by leveraging SSO for internal employees but also provides flexibility to handle various user types appropriately.

This approach ensures a seamless and secure authentication experience, promoting productivity and security within the organization.

Thank you for taking the time to read this blog. Your feedback, questions, and suggestions are highly valued. Happy to hear your experiences, custom requirements, or any insights in the comments section below.

Happy learning 🙂