
Using IPS to create a predictable password for non-SSO Users in IAS for SF?

ahrbmartin
Explorer
348

Hello, I have a question about possibilities of using IPS to set large amounts of default passwords on an ongoing basis.

With many companies starting the mandatory migration to IAS/IPS for SuccessFactors, we are finding more that have large populations of "PWD" Password users with no real emails that still need to access the system. 

With CIS in place the mechanism to update passwords has moved to IAS and not in SF anymore where the old mass import tools are no longer applicable for an HR Admin to use.

If we need to update more than 50, 100, 300 passwords, how is this achievable realistically? IPS method for setting default passwords for all newly synced users would be the ideal process for the business over an outside API call or file import done every so often but concessions can be made. 

It seems file-based export of existing synced users and re-import of the CSV with an initial password I set up in a column does not work (anymore?). This was the "old" method available in SF and used by many that would now be gone switching to IAS. You could control the predictable password this way and pass them out per employee.

We have reviewed the documentation and it seems the most promising, as it doesn't need an HR Admin to manually interfere and only follow a business process with rules you set in the transformations, but the rules are limited currently:
Set Up Default Passwords Using Transformations | SAP Help Portal

The last portion of this document is incomplete/inaccurate. It gives a title of "combining" fields and then only gives one field example. 

The other examples for a "predictable password" might work for some companies, to set it to their Employee ID, but that could be risky to onboard 100s of password users and tell them their password is their Employee ID. At the moment our only consideration is trying to combine 2 of the fields and concat into their password field like FirstName+LastName or more fields, or something as unique to the employee as possible, but even this does not completely pass security standards.

 

Is this currently the best or only option for automating the process for bringing in Password users? Whatever method we choose, the HR Admins/business still have to communicate to the user how to log in, with what user, what password and build their job aids.

The note 3001615 - How to mass update user password in Identity Authentication, seems incomplete as it says to use one API and then mentions it is deprecated and to explore the business hub to build your own API call from Postman. This is not exactly something I can hand an HR Admin as a replacement for what they could previously do in SF. 


Thanks for any input, I appreciate all opinions on this discussion.
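A way to check a candidate default-password rule before rollout, as an added example that is not part of the original post or of SAP's documentation: it flags any rule whose output can be rebuilt from the user's own profile fields and compares it with a random initial password. The roster, field names and function names are constructed for illustration and are not SF, IAS or IPS attribute names.

```python
import itertools
import math
import secrets
import string

# Constructed sample roster; field names are illustrative, not SF/IAS attributes.
ROSTER = [
    {"employee_id": "104233", "first_name": "Maria", "last_name": "Keller"},
    {"employee_id": "104234", "first_name": "Tom", "last_name": "Okafor"},
]

def derived_candidates(user):
    """Strings built from one or two profile fields: as written, lower and upper case."""
    fields = [user["employee_id"], user["first_name"], user["last_name"]]
    combos = fields + ["".join(p) for p in itertools.permutations(fields, 2)]
    return {v for c in combos for v in (c, c.lower(), c.upper())}

def is_derivable(password, user):
    """True if the password can be rebuilt from the user's own profile fields."""
    return password in derived_candidates(user)

def random_initial_password(length=16):
    """Random password with at least one lowercase, uppercase and digit character."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw

def search_space_bits(alphabet_size, length):
    """Upper bound on guessing effort when nothing about the user is known."""
    return length * math.log2(alphabet_size)

# Candidate default-password rules: two from the thread, one random baseline.
SCHEMES = {
    "employee_id": lambda u: u["employee_id"],
    "first+last": lambda u: u["first_name"] + u["last_name"],
    "random": lambda u: random_initial_password(),
}

def audit(scheme, roster=ROSTER):
    """Share of users whose password under `scheme` is derivable from their profile."""
    return sum(is_derivable(scheme(u), u) for u in roster) / len(roster)

if __name__ == "__main__":
    for name, scheme in SCHEMES.items():
        print(f"{name:12s} derivable for {audit(scheme):.0%} of users")
    print(f"6-digit ID: {search_space_bits(10, 6):.0f} bits, "
          f"random 16: {search_space_bits(62, 16):.0f} bits")
```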

Accepted Solutions (0)

Answers (3)


dyaryura
Contributor

Hi

The simplest way to achieve this is what is called "password migration"

https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/configure-source-system-to...

With this scenario your non-SSO will be able to login to SSFF with their old password (SSFF Password) and the passwords will be saved and managed in IAS after the first logon.

Creating new passwords and sharing them with the users is not a good idea anyway. As a second option I'd use an activation email if the password sync is not achievable in your scenario.

I'd recommend also to join the call "SAP Cloud Identity Services (IAS/IPS): Open Office Hours for SAP SuccessFactors HCM". There's one session tomorrow. You'll be able to raise your questions there. Check the links at the top of the blog: https://community.sap.com/t5/product-and-customer-updates/migration-to-sap-cloud-identity-authentica...

 

Hope it helps

Diego

 

 

 

ahrbmartin
Explorer
0 Kudos

Thanks Diego for the suggestions, but the Password Migration only works one time and not for ongoing adding of new synced users. Unless I am misunderstanding, this is a one-time activity, and leaving the IPS code in will give your users password issues. As stated above, the users do not have emails to use the activation emails. Thanks, I will try to join soon and raise the question as it is becoming a more common scenario.

dyaryura
Contributor
0 Kudos

Hi,

Leaving the code in IPS will not cause an issue. This will be checked just once on the first login of the user and password then managed in IAS (if needed).


Technically you can keep that config forever in IPS and the new users in SSFF with loginmethod=PWD will be able to do the same, i.e. use the password you set in SSFF initially. Once the user logs in (and maybe changes the pwd, depending on the config you set up), future local PWD changes have to be managed directly from IAS.


Clearly that's not the normal use case scenario and probably not intended by SAP to be used, but if you already had a way to set up passwords for these new users in SSFF you can still do so, and new users will be able to initially use the pwd you set in SSFF.


Also, if these new users you mentioned are in another IDP that supports SAML/OIDC, you can add multiple IDPs to IAS and send the users to different IDPs based on rules.
