Are you waiting for two IT giants, SAP and Microsoft, to work together and simplify the integration between SAP SuccessFactors and Microsoft’s Identity Management solution? Are you looking for “best practices” to implement the Bidirectional Identity Integration between SuccessFactors and Microsoft Azure Active Directory? Are you a global company looking for recommendations on handling global mobility or concurrent employment scenarios in identity provisioning? If you have concerns related to any of the points above, we have them covered in this IDP.
IDP (Implementation Design Principle) is not the same as IdP (Identity Provisioning).
Also, if you have expertise in the SAP SuccessFactors solution and are keen to contribute to any new or existing IDPs and earn an SAP badge, please follow this blog (published by Smitha Kondajji - Product Management Advisor, SAP SuccessFactors) for more details.
Enough advertising of IDPs! Back to the core topic of this blog: “SuccessFactors Bidirectional Identity Integration with Microsoft Azure Active Directory”.
While this document provides advice on the technical design and configuration of SAP SuccessFactors custom and productized integrations for Identity Provisioning with third-party Identity Providers (IdPs), Active Directory domains (ADs) and their connected applications, this IDP also provides recommendations on handling global mobility and concurrent employment scenarios in identity provisioning.
Global Assignment or Concurrent Employment is one of the key HR processes, and it is important that adding, changing, or removing employments does not affect the employee's ability to log in to applications as long as a valid employment exists. Hence these scenarios need to be handled very carefully when implementing identity provisioning services. The following options are discussed in this IDP for handling Global Assignment and Concurrent Employment scenarios for an employee when integrating with Active Directory.
Option 1: Customers define the employment to be used for picking the username, or always pick the home employment.
Option 2: Custom fields in AD that can be used to hold additional information from the EE Host record.
Option 3: Copy the username from the UserAccount Object to a custom field on the EE Portlet.
A few key points to note for these options:
These options are documented on the basis that SuccessFactors will generate the username for all employees.
All the options above share an underlying principle: Microsoft AD will have only one record (the home or primary record) created in the case of Global Assignment or Concurrent Employment.
With any of the options above, the login username does not change, and hence the ability of employees to access different applications is not impacted.
The employee example shown in the figure below is not related to any real person and is referenced here for demonstration purposes only.
Global Assignment Scenario
Concurrent Employment Scenario
For the Concurrent Employment scenarios below, if an employee has many active contracts (e.g., an employee has 10 active contracts), then option 2 may not be ideal considering the number of additional fields required. In such a scenario it is advised to explore the feasibility of option 1 or option 3.
Thanks to the team effort between SAP, Microsoft, and other experts (Co-Authors Amit Taur, Arijit Kumar Das, Chris Paine, Himadri Chakraborty, Praveen Yaram) involved from SAP Partner companies. It was an interesting last few months, with several insightful conversations and discussions with this team that helped to finalize this document.
We hope that this document will act as a good foundation to help resolve some key past issues around the identity integration between SuccessFactors and Microsoft AD/Azure AD. However, it is also wise to say that there are still some limitations around this integration that are planned to be addressed in the future, and this document will be enhanced accordingly. Until then, have a good read.