
SAP IAS SSO with SF

younesmm
Explorer

Hello Experts,

We are using a third-party (IDM-IDP) solution on premise. In the on-premise IDP, we are using a government ID only.

In SF we want to use the employee no. as the user ID for end users to log in to SF, and we want to configure SSO between SF and this third-party IDP, which understands only the government ID as a user ID.

Can we use SAP Identity Authentication Services (IAS) as a proxy between SF and the on-premise IDP to achieve this?

In SF the user ID (login ID) will be the employee no. that end users use to log in to SF. SF then sends the employee no. to IAS; in IAS a custom attribute is used to map the employee no. to the government ID; IAS then identifies the government ID for the received employee no. and sends the government ID to the IDP to complete the authentication.

Is this possible? Can IAS help with this? SF doesn't have the government ID and the IDP doesn't have the employee no. We want IAS to do this mapping somehow, maybe with custom attributes, and to establish the SSO.

Your thoughts, please.


Thanks  

Accepted Solutions (0)

Answers (1)


Colt
Active Contributor

Yes, it is possible to use SAP Identity Authentication Services (IAS) as a proxy between SuccessFactors (SFSF) and the on-premise Identity Provider to achieve the desired Single Sign-On configuration. In IAS, create a custom attribute to store the mapping between the employee number and the government ID. Populate this custom attribute with the relevant mappings.

Better Approach: It makes sense to persist IDP data from a central user store (Single Source of Truth, SSOT) into the Identity Service (Identity Directory) to establish a unified user base. This approach will continue to be essential for various SAP SaaS/BTP applications in the future.

In general, I would recommend that end users only use one central ID as their login credential, so they only need to remember one ID for all applications. The Corporate IdP (your authenticating IdP) handles authentication, including SSO and MFA, and passes the data to the SAP IAS.

IAS can then use its persistence layer to map to various application-specific custom attributes and pass the required NameID incl. transformations and other claims to target applications such as SFSF but also others.

  • Persist User Base and transfer data from your SSOTs into the IAS Identity Directory.
  • End users always only log in using their central ID (whatever this may be, often employeeID, UPN, email...).
  • The Corporate IdP performs authentication (including SSO and MFA) and passes the data to IAS.
  • IAS uses its persistence layer to map custom attributes and provides the correct NameID format and additional claims to target applications.
  • This way you ensure consistent and secure authentication across various applications by using IAS and ID-Federation as the central element for mapping and passing user information.
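An added example, not part of the answer above and not SAP code: the mapping step in this thread is only safe if each government ID resolves to exactly one active user with a unique employee number, so this sketch audits a directory export for gaps and duplicates and resolves the NameID for SF while failing closed. The CSV layout, column names and sample rows are constructed assumptions, not an IAS export format.

```python
import csv
import io
from collections import Counter

# Constructed sample export of the identity directory; the column names are
# hypothetical and do not represent an IAS export format.
SAMPLE_EXPORT = """government_id,employee_no,status
G-1001,E-501,active
G-1002,E-502,active
G-1003,,active
G-1004,E-504,inactive
G-1005,E-502,active
"""

class MappingError(Exception):
    """Raised when no single, active user matches the authenticated ID."""

def load_directory(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(rows):
    """Return findings that would make the NameID mapping unsafe."""
    findings = []
    for col in ("government_id", "employee_no"):
        counts = Counter(r[col].strip() for r in rows)
        for value, n in sorted(counts.items()):
            if value == "":
                findings.append(f"{n} user(s) without {col}")
            elif n > 1:
                findings.append(f"{col} {value} assigned to {n} users")
    return findings

def name_id_for_sf(rows, authenticated_government_id):
    """Map the ID asserted by the corporate IdP to the NameID sent to SF.

    Fails closed: exactly one active user with a non-empty, unique
    employee number must match, otherwise no NameID is returned.
    """
    matches = [r for r in rows if r["government_id"] == authenticated_government_id]
    if len(matches) != 1:
        raise MappingError("no unique directory entry")
    user = matches[0]
    emp = user["employee_no"].strip()
    if user["status"] != "active" or not emp:
        raise MappingError("user inactive or employee number missing")
    if sum(r["employee_no"].strip() == emp for r in rows) != 1:
        raise MappingError("employee number is not unique")
    return emp
```

A duplicated employee number is the case to watch: without the uniqueness check, two different people authenticated by the corporate IdP would arrive in SF as the same user.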