haidongsong
Product and Topic Expert

I am writing a short blog to highlight one recent change that came into effect with the latest SAP SuccessFactors Production release on December 9th, 2022. This relates specifically to Identity Authentication / Identity Provisioning, so if you are working on this topic, this will be relevant for you.

As of the December 9th, 2022 production release, any newly established integration between a SuccessFactors BizX instance and SAP Identity Authentication/Identity Provisioning Services (IAS/IPS) uses the SCIM API to manage user/group information exchange instead of the old OData API. This change applies both to newly provisioned SuccessFactors BizX instances that have an Identity Authentication and Identity Provisioning tenant bundled together and delivered at the same time, and to existing SuccessFactors BizX instances performing the Initiate IAS Upgrade or Change IAS tasks through Upgrade Center.

What is SCIM API 

SCIM stands for System for Cross-domain Identity Management. It is an open standard designed to make managing user identities in cloud-based applications and services easier, and to facilitate automation of user provisioning and the user life cycle management process. SCIM communicates user identity data between identity providers (such as SAP Identity Authentication / Provisioning Services, Microsoft Azure Active Directory, etc.) and service providers requiring user identity information (such as enterprise SaaS apps in ERP, HXM, CRM, procurement, etc.).

Why SCIM API 

Adoption of the SCIM API aims to help you better manage user accounts and user groups. It makes user data more secure and simplifies the user experience by automating the user identity lifecycle management process.

SCIM provides a way to synchronize user information between multiple applications. Since it is a standard, user data is stored in a consistent way and can be communicated as such across different apps. This enables administrators/IT to automate the employee/contractor onboarding and offboarding process. The automation would also reduce mistakes and data inconsistencies between identity ecosystems.

If you are using or planning to deploy the SuccessFactors Onboarding 2.0 module, we strongly recommend migrating to the SCIM API, if you have not already done so, to take advantage of the real-time user sync capabilities that are only available with the SCIM API and not with the OData API. For details of Onboarding 2.0 user sync configuration scenarios, please see the blog Onboarding New Hires Authentication using SAP Iden... - SAP Community

Also, with the SCIM API you can sync users into People Stories only if the users have Reporting permissions, which streamlines the setup of People Stories and reduces the number of user records to be synced.

The use of the SCIM API for SuccessFactors to IPS user sync does not prevent you from using the OData API in other ways, for example in existing integrations that use OData to sync user information between SuccessFactors and other applications.

 How can I find out whether I am using SCIM or OData 

If your SuccessFactors BizX instance is already integrated with IAS/IPS, you can find out whether you are using the previous OData API or the new SCIM API with the following steps:

  • Log in to the IPS Admin Console.
  • From the IPS Admin Console Home page, click on the Source Systems tile.
  • From the list of source systems, select the desired SuccessFactors tenant record.
  • Click on the Properties tab to check the value of the “sf.api.version” parameter: if the value is 1, the OData API is used; if the value is 2, the SCIM API is used.


 

Can I migrate my SF to IPS integration from OData to SCIM 

If your SuccessFactors BizX instance is already integrated with IAS/IPS, and is currently using the previous OData API for user data integration between BizX and IPS, we recommend that you migrate to the new SCIM API.

Note that SCIM does not support case-sensitive usernames. To use SCIM APIs, please disable the setting “Enable Non-Case-Sensitive Username” in Provisioning before you migrate from the OData API to the SCIM API.

  • Before you enable the “Enable Non-Case-Sensitive Username” option, check for duplicate usernames under Admin Center > Check Tool > System Health > User Management. The check “There are no duplicate usernames in the noncase-sensitive mode” should show “No Issue Found” under the Results column.
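An offline cross-check for the duplicate-username condition described above, as an added example (not SAP's code and not part of the original post). It assumes a CSV user export with hypothetical columns `userId` and `username`, and it treats two names as equal after NFKC normalization and case folding, which is an assumed comparison rule; the Check Tool result remains the authoritative one.

```python
import csv
import io
import unicodedata
from collections import defaultdict

# Constructed sample export; the column names userId and username are assumptions.
SAMPLE_EXPORT = '''userId,username
1001,jsmith
1002,JSmith
1003,mgarcia
1004,akhan
1005,AKHAN
1006,"akhan "
1007,lchen
'''


def fold(username):
    """Assumed comparison rule: trim, NFKC-normalize, then case-fold."""
    return unicodedata.normalize("NFKC", username.strip()).casefold()


def find_case_collisions(export_text):
    """Return {folded_name: [(userId, original_username), ...]} for every
    folded username that is claimed by more than one distinct userId."""
    groups = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(export_text)):
        user_id = (row.get("userId") or "").strip()
        name = row.get("username") or ""
        if not user_id or not name.strip():
            continue  # skip incomplete rows rather than grouping them together
        groups[fold(name)][user_id] = name
    return {k: sorted(v.items()) for k, v in groups.items() if len(v) > 1}


def ready_for_scim(export_text):
    """True only when no two users collide in non-case-sensitive mode."""
    return not find_case_collisions(export_text)


if __name__ == "__main__":
    for folded, users in sorted(find_case_collisions(SAMPLE_EXPORT).items()):
        spellings = ", ".join(f"{uid}={name!r}" for uid, name in users)
        print(f"collision on {folded!r}: {spellings}")
    print("ready for SCIM:", ready_for_scim(SAMPLE_EXPORT))
```

Each reported group is a set of accounts that would resolve to the same identity once usernames stop being case-sensitive, so every group needs a rename or a merge decision before the switch.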


To migrate from OData API to SCIM API, take the following steps:  

  1. Log in to the IPS Admin Console.
  2. From the IPS Admin Console Home page, click on the Source Systems tile.
  3. From the list of source systems, select the desired SuccessFactors tenant record.
  4. Click on the Properties tab, change the value of the “sf.api.version” parameter from 1 to 2, and save the changes.
  5. On the Properties tab, update the value of the sf.user.filter property, and save the changes. Please note that the sf.user.filter property under SCIM is different from that under OData and supports different values. For details of IPS properties, please refer to SAP SuccessFactors
  6. Click on the Transformations tab and update the transformations to conform to SCIM standards, referring to the following information:
    1. Mappings between SCIM user and oDATA user
    2. Default SCIM transformation: in the Code Syntax section under the “Default transformation for SCIM API v2” section.
  7. Reset Identity Provisioning for the current SF tenant Source System, following the steps in Reset Identity Provisioning System.
    1. For the relevant target systems (such as IAS and SAC) that use the user data from SF, add the property ips.delete.existedbefore.entities with the value true, so that IPS can still delete users that were created before the reset.
  8. Perform a full sync of the applicable user records from SuccessFactors to IAS/IPS:
    1. In the IPS Admin Console, from the list of source systems, select the desired SuccessFactors tenant record.
    2. Click the Jobs tab.
    3. Click Run Now next to Read Job, or Schedule to schedule the job run at a later time.
  9. Validate that the user sync completes successfully and that all user information is synchronized between BizX and IAS/IPS.

Note: If you are already using Onboarding 2.0, then after this migration Onboarding new hires will be authenticated using IAS.

Additional info on migration: Adoption of SuccessFactor SCIM Connector and X.509... - SAP Community

Resources:

Upgrade from ODATA IPS Connector to SCIM IPS Connector with SAP SuccessFactors HXM Suite | SAP Help ...

Upgrade to X.509 Certificate-Based Authentication for Incoming Calls | SAP Help Portal

KBA 3359245 - Migrating IPS and SF authentication from Basic Authentication to mTLS certificate usin...

KBA 3378362 - IPS transformations created by SuccessFactors Identity Authentication Service Integrat...

 
