I am writing a short blog to highlight one recent change that came into effect with the latest SAP SuccessFactors Production release on December 9th, 2022. This relates specifically to Identity Authentication / Identity Provisioning, so if you are working on this topic, this will be relevant for you.
As of the December 9th, 2022 production release, any newly established integration between a SuccessFactors BizX instance and SAP Identity Authentication/Identity Provisioning Services (IAS/IPS) uses an X.509 certificate to authenticate the integration between SuccessFactors HXM Suite and IAS/IPS, instead of the previous basic authentication mechanism with just a username and password. This change applies both to newly provisioned SuccessFactors BizX instances that have Identity Authentication and Identity Provisioning tenants bundled together and delivered at the same time, and to existing SuccessFactors BizX instances performing the Initiate IAS Upgrade or Change IAS tasks through the Upgrade Center.
What is X.509/mTLS?
X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many internet protocols, including TLS (Transport Layer Security)/SSL. Mutual Transport Layer Security (mTLS) establishes an encrypted TLS connection in which both parties use X.509 certificates to authenticate and verify each other.
Why X.509/mTLS?
mTLS prevents malicious third parties from imitating genuine applications and provides a more secure authentication option to its users.
When an application attempts to establish a connection with another application's secure web server, the mTLS protocol protects their communications and verifies that the incoming server truly belongs to the application being called. When the client application requests access to a server application, the server application will provide its certificate to the client application and, in turn, ask the client application for its public certificate. This certificate will contain a public key, an identity, and a signature by a trusted certificate authority. Both entities will then look for the signature and climb the trust chain until they find a mutual certificate authority validating the authenticity of both entities and creating a secure and encrypted channel.
Since both entities have to be validated, mTLS can reduce the chances of attacks and provides a basis for a zero-trust security framework, which is becoming increasingly important in cloud-based applications and microservices deployments.
How can I find out whether I am using certificate-based authentication or basic authentication?
If your SuccessFactors BizX instance is already integrated with IAS/IPS, to find out whether you are using the previous basic authentication or the new X.509/mTLS certificate-based authentication, you can complete the following steps:
Can I migrate my SF to IPS integration from basic to certificate-based authentication?
If your SuccessFactors BizX instance is already integrated with IAS/IPS and is currently using basic authentication for communication between BizX and IAS/IPS, we recommend that you migrate to the X.509/mTLS certificate-based authentication.
For the migration steps on the BizX side, please refer to our help doc.
To migrate from basic authentication to X.509/mTLS certificate-based authentication, take the following steps:
Step 1: Generate and download the certificate from IPS.
Step 2: Register IPS for certificate-based incoming calls in BizX.
Field | Description |
---|---|
Configuration Name | Example: New X.509 Certificate Mapping |
Integration Name | Select the name of your application from the drop-down menu. |
Certificate File | Upload the corresponding certificate file. It must have a certificate file extension (cer, pem, crt, etc.) and follow the X.509 standard. |
Login Name | The login name of a user that has permission to consume the SAP SuccessFactors API for its respective application. By default, a technical user would be created and used for IPS, so this field is optional and should be left blank. |
Step 3: Configure IPS to use certificate-based authentication when communicating with BizX.
If you are using real time user sync for new hires between BizX and IAS/IPS, then please complete the following two steps:
Step 4: Generate and download the certificate from BizX
Step 5: Register SF BizX as administrator in IAS using certificate.
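Before uploading a file in the Certificate File field of Step 2, it is worth confirming that the file has one of the named extensions, actually parses as an X.509 certificate (PEM or DER), and is not about to expire. The shell functions below are an added example, not part of the original post and not SAP tooling. They assume the `openssl` CLI is installed; the 30-day threshold, the file names, and the restriction to the three extensions named in the table are assumptions of this example.

```sh
#!/bin/sh
# Added example, not SAP tooling: sanity-check a certificate file before upload.
# Requires the openssl CLI. File names and subjects are constructed samples.

# Emit the certificate as PEM, accepting either PEM or DER input.
to_pem() {
    openssl x509 -in "$1" -inform PEM -outform PEM 2>/dev/null ||
    openssl x509 -in "$1" -inform DER -outform PEM 2>/dev/null
}

# check_cert FILE [MIN_DAYS]  (MIN_DAYS defaults to 30, an assumed threshold)
# 0 = ok, 1 = unexpected extension, 2 = not an X.509 cert, 3 = expiring soon
check_cert() {
    cc_file=$1
    cc_days=${2:-30}
    case "${cc_file##*.}" in
        cer|pem|crt) ;;
        *) echo "unexpected extension: $cc_file" >&2; return 1 ;;
    esac
    cc_pem=$(to_pem "$cc_file") || { echo "not an X.509 certificate: $cc_file" >&2; return 2; }
    if ! printf '%s\n' "$cc_pem" | openssl x509 -noout -checkend $((cc_days * 86400)) >/dev/null; then
        echo "expires within $cc_days days: $cc_file" >&2
        return 3
    fi
    # Show what is about to be trusted: subject, expiry, SHA-256 fingerprint.
    printf '%s\n' "$cc_pem" | openssl x509 -noout -subject -enddate -fingerprint -sha256
}

# Constructed samples in DIR: a PEM cert, its DER copy, a one-day cert,
# and a text file that merely carries a certificate extension.
make_samples() {
    ms_dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=constructed-sample" \
        -keyout "$ms_dir/key.pem" -out "$ms_dir/good.pem" 2>/dev/null || return 1
    openssl x509 -in "$ms_dir/good.pem" -outform DER -out "$ms_dir/good.cer" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-short" \
        -keyout "$ms_dir/short.key" -out "$ms_dir/short.crt" 2>/dev/null || return 1
    echo "this is not a certificate" > "$ms_dir/fake.crt"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in good.pem good.cer key.pem short.crt fake.crt; do
    rc=0
    check_cert "$demo_dir/$f" || rc=$?
    echo "$f -> exit $rc"
done
rm -rf "$demo_dir"
```

The `key.pem` case shows that a private key file with a certificate-style extension is rejected, which catches the mistake of uploading the wrong half of a key pair.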