
Identity authentication to different Corporate IdPs based on email domains in SuccessFactors
Requirements:
The SuccessFactors system serves multiple legal entities, each with its own email domain. The business requirement is to authenticate users against a different corporate IdP depending on the domain of the employee's email address.
Configuration steps:
Step 1: Create one user group per company in Identity Authentication (IAS), so that the users of each company's email domain are held in their own group.
Step 2: In the Identity Provisioning target system for Identity Authentication (IAS), map users to the groups created in step 1 based on their email domain, as shown below.
Only the part of the address after '@' needs to be checked, so an email regex attribute (a target system property) is created to hold the domain pattern in the form '@companydomain.com'.
Create two email regex attributes, one holding the email domain of company 1 and one holding the email domain of company 2.
Navigate to Identity Provisioning -> Target System -> Click on SAP Identity Authentication system -> Properties -> Click on Edit -> Click on Add, then select Standard -> Save
email-regex = /^([a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,})$/
Note that the pattern shown above matches any syntactically valid email address, not one specific domain; the value stored in each company's property must match only that company's domain (anchored at the end of the address), otherwise every user satisfies the first condition.
Mapping Transformation:
"condition": "$.email =~ %email-regex% || $.ExternalEmail[0] =~ %email-regex%"
Here, the condition compares only the email domain portion of the address. The SAP help documentation for Properties is linked below.
https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/properties
Now, map each email regex attribute to its corresponding user group in the transformation.
Navigate to Identity Provisioning -> Target System -> Click on SAP Identity Authentication system -> Transformation -> Click on Edit Code -> Add the code below to the user mapping section -> Save
{
    "condition": "$.emails[0].value =~ %ias.email.domain.company1.regex.attribute%",
    "constant": "SSO_Company1",
    "targetPath": "$.groups[0].value"
},
{
    "condition": "$.emails[0].value =~ %ias.email.domain.company2.regex.attribute%",
    "constant": "SSO_Company2",
    "targetPath": "$.groups[0].value"
}
Step 3: Configure Corporate Identity Providers in Identity Authentication System
Under Identity Providers, choose Corporate Identity Providers.
Create a new identity provider and give it a display name (for example Company1 Azure AD). Set Identity Provider Type = Microsoft ADFS/Entra ID (SAML 2.0) and click the Create button.
Click on Company1 Azure AD, go to Trust -> SAML 2.0 Configuration, click Browse to upload the metadata XML file of the Company1 Azure AD, and click Save.
Repeat the steps for Company2 Azure AD.
Enable Identity Authentication user store under Identity Federation.
Repeat the steps for Company2 Azure AD.
Step 4: Configuration of Conditional Authentication Rules
Navigate to Applications & Resources -> Applications -> Click on the SAP SuccessFactors application -> Conditional Authentication
Click on Add Rule to create a Conditional Authentication rule.
Select the corporate IdP of Company1 and the corresponding user group (SSO_Company1). Repeat the steps for Company 2.
As a result, users in SSO_Company1 are redirected to Company1 Azure AD and users in SSO_Company2 are redirected to Company2 Azure AD, while any other user is authenticated by Identity Authentication itself, since it is the default identity provider.
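The end-to-end flow of steps 2 and 4 (domain regex property -> group assignment in the transformation -> conditional authentication rule -> IdP), simulated in Python as an added example. This is not SAP code and does not call Identity Provisioning or Identity Authentication; it re-implements the `=~` condition form used in the transformation above and the group-to-IdP rule lookup so the behaviour can be checked offline. The property names, group names, IdP display names and sample addresses are the blog's placeholders or constructed values. It also shows the failure mode of storing a generic email pattern in a company property: every address then matches the first condition and users who should fall back to Identity Authentication are sent to Company1 Azure AD.

```python
import re

# Target system properties from Step 2 (constructed values). The property names are the
# placeholders used in the blog's transformation; each value is anchored at the end of the
# address so it matches exactly one company domain. Matching is case-sensitive here, as the
# simulation applies the stored pattern as-is (assumption: keep domains lower-case or make
# the pattern case-insensitive in the property itself).
PROPERTIES = {
    "ias.email.domain.company1.regex.attribute": r"@company1\.com$",
    "ias.email.domain.company2.regex.attribute": r"@company2\.com$",
}

# The generic pattern shown in Step 2 (unescaped form). It matches any well-formed address,
# so it must NOT be stored in a company-specific property.
GENERIC_EMAIL_REGEX = r"^([a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})$"

# User mapping entries, same shape as the transformation code in Step 2.
USER_MAPPING = [
    {"condition": "$.emails[0].value =~ %ias.email.domain.company1.regex.attribute%",
     "constant": "SSO_Company1", "targetPath": "$.groups[0].value"},
    {"condition": "$.emails[0].value =~ %ias.email.domain.company2.regex.attribute%",
     "constant": "SSO_Company2", "targetPath": "$.groups[0].value"},
]

# Conditional Authentication rules from Step 4 (constructed; IdP display names assumed).
AUTH_RULES = [
    {"group": "SSO_Company1", "idp": "Company1 Azure AD"},
    {"group": "SSO_Company2", "idp": "Company2 Azure AD"},
]
DEFAULT_IDP = "Identity Authentication"

# Only the condition form used on the page is supported: "$.emails[0].value =~ %property%".
_CONDITION = re.compile(r"^\$\.emails\[0\]\.value =~ %([^%]+)%$")


def resolve_condition(condition, properties=PROPERTIES):
    """Substitute the %property% reference and compile the stored regex."""
    match = _CONDITION.match(condition)
    if not match:
        raise ValueError(f"unsupported condition: {condition}")
    name = match.group(1)
    if name not in properties:
        raise KeyError(f"property not defined on the target system: {name}")
    return re.compile(properties[name])


def primary_email(user):
    """Value of $.emails[0].value, or None when the SCIM user carries no email."""
    emails = user.get("emails") or []
    return emails[0]["value"] if emails else None


def matching_entries(user, mapping=USER_MAPPING, properties=PROPERTIES):
    """Constants of all entries whose condition matches; more than one means the
    company patterns overlap and the mapping is ambiguous."""
    email = primary_email(user)
    if email is None:
        return []
    return [entry["constant"] for entry in mapping
            if resolve_condition(entry["condition"], properties).search(email)]


def assign_group(user, mapping=USER_MAPPING, properties=PROPERTIES):
    """Group written to $.groups[0].value. All entries write the same targetPath, so a
    later matching entry overwrites an earlier one; None when nothing matches."""
    matched = matching_entries(user, mapping, properties)
    return matched[-1] if matched else None


def route_idp(group, rules=AUTH_RULES, default=DEFAULT_IDP):
    """Conditional authentication: first rule whose group matches, else the default IdP."""
    for rule in rules:
        if rule["group"] == group:
            return rule["idp"]
    return default


def route_user(user, mapping=USER_MAPPING, properties=PROPERTIES,
               rules=AUTH_RULES, default=DEFAULT_IDP):
    """Full path from provisioned user to the IdP that will authenticate the login."""
    return route_idp(assign_group(user, mapping, properties), rules, default)


if __name__ == "__main__":
    # Constructed sample users.
    for addr in ("alice@company1.com", "bob@company2.com", "carol@partner.example"):
        user = {"emails": [{"value": addr}]}
        print(addr, "->", assign_group(user), "->", route_user(user))
```

Running the block prints one line per sample user with its assigned group and the IdP it is sent to; the third user has no matching group and therefore lands on Identity Authentication. Replacing company 1's property with `GENERIC_EMAIL_REGEX` makes `matching_entries` report that user as matching SSO_Company1, which is the misconfiguration the anchored domain patterns avoid.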
Conclusion: The above steps can be repeated for additional user groups and corporate IdPs as the business requires.
Email addresses can also be restricted to these domains in IAS, and IAS emails can be configured to be sent to external users only.
Hope this helps!
Happy Learning