sushilgupta857

Introduction

Hare Krishna!

Integrating Identity Provisioning Services (IPS) with SAP SuccessFactors (SF) enhances identity management, but it involves key scenarios such as password migration for existing users, automating initial password creation using different logic, creating the password by reading it from a password field in SF, or using combinations of these to meet client requirements. This blog explores these challenges, providing insights and solutions to ensure a smooth, secure integration process.

 

Consideration:

Source System: SAP SuccessFactors application

Target System: SAP Identity Authentication service

 

Concepts:

1) How attributes are read from SuccessFactors and written to IAS using the IPS source system and target system transformations:

Sushil Gupta SAP IAS , IPS, Successfactors Integration 3.png

2) Reading custom fields from SuccessFactors

Only a few standard fields from SAP SuccessFactors are synced by the IPS standard transformation code. Check Manage Workforce SCIM API in SuccessFactors for more details. You can select and unselect existing attributes, but not maintain a new attribute here.

Sushil Gupta SAP IAS , IPS, Successfactors Integration 1.png

If required, additional fields can also be read from SuccessFactors using custom attributes (15 custom attributes are available). These can be used for different purposes, such as creating filters, writing them to custom attributes in the target, or creating a new password.

You will need to perform the activities below:

  • Map the SAP SF standard fields to custom attributes in Manage Business Configuration

Sushil Gupta SAP IAS , IPS, Successfactors Integration 2.png

  • Update the transformation code in the source system to read the values, and in the target system to perform the required action using those attribute values.

For example, in the screenshot above we are reading the date of birth from SF (which is mapped to SF custom05).

Add the code below in the source system to read it. The value in targetPath can be used in the target transformation (as sourcePath) to perform the required action.

 

{
    "sourcePath": "$['urn:ietf:params:scim:schemas:extension:successfactors:2.0:User']['customFields'][?(@.customFieldName == 'custom05')]['value']",
    "targetPath": "$.custom05",
    "optional": true
},

 

Target transformation: write the date of birth value to custom attribute 1 in IAS for the users being synced.

{
    "sourcePath": "$.custom05",
    "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][0]['value']",
    "optional": true
},
{
    "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][0]['name']",
    "condition": "$.custom05 EMPTY false",
    "constant": "customAttribute1"
},

 

3) IPS does not perform the password migration.

Sushil Gupta SAP IAS , IPS, Successfactors Integration 4.png

  • After IAS activation is performed by SAP SF, when a user logs in for the first time, the password is migrated from SF to IAS using the configuration made in Authentication Providers.

The required password configuration is in Authentication Providers.

Sushil Gupta SAP IAS , IPS, Successfactors Integration 5.png

  • The IPS transformation code also needs to be updated for users so that connectivity works as expected.

 

{
    "targetPath": "$.sourceSystemId",
    "constant": "<CompanyID>"
},
{
    "targetPath": "$.sourceSystem",
    "constant": "100"
},
{
    "targetPath": "$.sendMail",
    "constant": "false",
    "scope": "createEntity"
},
{
    "targetPath": "$.passwordStatus",
    "constant": "enable",
    "scope": "createEntity"
},

 

4) When creating passwords for users in IAS, how to make sure that the user changes the password on first login.

  • Transformation code: make sure the passwordStatus constant is "initial". This ensures that the user is prompted to change the password on first login.

 

{
    "targetPath": "$.passwordStatus",
    "constant": "initial",
    "scope": "createEntity"
},

 

Now let's discuss different scenarios requested by Clients in multiple projects:

Scenario 1

The project has an SAP SF instance and the client is upgrading to IAS. The client requires existing users to log in with the same passwords.

Solution

Follow the steps in Concept 3 and configure the authentication provider to perform the password migration when users log in for the first time. Make sure to update the transformation code so that it doesn't trigger onboarding emails and so that it updates users in IAS with the company ID and source system details, allowing IAS to connect to the SuccessFactors instance at the time of password migration (first login after the IAS upgrade).

 

Scenario 2

The project has a new SAP SF instance which is already integrated with IAS. The client wants a mechanism to create a default password for new users using some logic (for example, username + "HK!"). Once the user performs the first login, the user is asked to create a new password.

Solution:

The username is already fetched as a standard attribute, so no update is needed in the source system transformation. If any other attribute is required, use Concept 2 (source system transformation) to fetch it.

Target Transformation:

This implements the password creation logic:

 

{
    "targetPath": "$.password",
    "scope": "createEntity",
    "sourcePath": "$.userName",
    "optional": true,
    "functions": [
        {
            "function": "concatString",
            "suffix": "HK!"
        }
    ]
},

 

This will ensure user is prompted to change the password on first login:

 

{
    "targetPath": "$.passwordStatus",
    "constant": "initial",
    "scope": "createEntity"
},

 

 

Scenario 3

The project has a new SAP SF instance which is already integrated with IAS.

  1. The client has created a field in SF called SF initial password field.
  2. The onboarding team will enter the password in this field, and the requirement is to create the user in IAS with the password fetched from this field.
  3. Once the user performs the first login, the user should be asked to create a new password.

Solution:

Follow Concept 2 to map the custom password field and fetch it from SuccessFactors. Update the target transformation code as below:

 

{
    "sourcePath": "$.custom05",
    "targetPath": "$.password",
    "scope": "createEntity"
}

 

Follow the steps in Concept 4 to make sure users are prompted to create a new password on first login.

 

Scenario 4

This is a mixed requirement where the project has an existing SAP SF instance. Once integration with IAS is performed using Upgrade Center, the client wants existing users to be able to log in with their existing passwords. For new users, the client wants the password to be read from an SAP SF field. No user should lose access.

Solution

Perform the steps in Concept 3 to make sure existing users go through password migration on their first login. Run a full sync after updating the transformation code.

Now pause the sync job. Update the transformation logic so that it fetches the data from SF, creates a new password for new users, and asks them to change it on first login (refer to Scenario 3 for the transformation code).

Run the sync job again and configure it to run at some interval so that new user onboarding happens properly.

Now the old users who already existed in SF will use their SF password the first time, and for new users being onboarded a new password will be created.

Scenario 5

The project has IP restriction enabled, which allows users to log in to SAP SF only from the client VPN.

  • The client now wants to remove this and enable 2-factor authentication for external vendors who log in to SF using a password. Enable password creation only for these users, by reading it from an SF field.
  • Use the SAP SF field loginMethod to place the users whose loginMethod value is PWD into PWD_Group in IAS.
  • Use risk-based authentication to enable 2-factor authentication only for PWD_Group.

Solution

It contains multiple steps.

  • Create the groups PWD_Group and SSO_Group in IAS and update the target transformation logic to sync users to the SSO or PWD group according to the value in the loginMethod field. If it is blank, it is treated as SSO. Also add a condition to the password creation logic so that a password is only created for users whose loginMethod is PWD.

 

{
    "sourcePaths": [
        "$.loginMethod"
    ],
    "targetPath": "$.groups[0].value",
    "valueMappings": [
        {
            "key": [
                "PWD"
            ],
            "mappedValue": "PWD_Group"
        },
        {
            "key": [
                "SSO"
            ],
            "mappedValue": "SSO_Group"
        },
        {
            "key": [
                ""
            ],
            "mappedValue": "SSO_Group"
        }
    ],
    "type": "valueMapping",
    "defaultValue": "SSO_Group"
},
{
    "sourcePath": "$.custom05",
    "targetPath": "$.password",
    "condition": "$.loginMethod == 'PWD'",
    "optional": true,
    "scope": "createEntity"
}

 

  • Update the risk-based authentication in the SF application in IAS to enable 2-factor authentication for PWD group users.

Sushil Gupta SAP IAS , IPS, Successfactors Integration 6.png

  • Disable the IP restriction in SuccessFactors.

Sushil Gupta SAP IAS , IPS, Successfactors Integration 7.png
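The conditions that Concept 4 and Scenarios 4 and 5 depend on can be checked against a target transformation before the sync job is resumed. The following Python is an added example, not part of the original blog or of SAP's tooling; it assumes the mappings array has been exported as a JSON list, and the sample data and the function name check_password_mappings are constructed for illustration.

```python
import json

# Constructed sample (not from a real tenant): target mappings after the
# Scenario 4 switch, with passwordStatus still at the Concept 3 migration value
# and the Scenario 5 group split present but no loginMethod condition.
SAMPLE = json.loads("""[
  {"sourcePaths": ["$.loginMethod"], "targetPath": "$.groups[0].value",
   "type": "valueMapping", "defaultValue": "SSO_Group",
   "valueMappings": [{"key": ["PWD"], "mappedValue": "PWD_Group"}]},
  {"sourcePath": "$.custom05", "targetPath": "$.password",
   "optional": true, "scope": "createEntity"},
  {"targetPath": "$.passwordStatus", "constant": "enable", "scope": "createEntity"}
]""")


def _reads(mapping, path):
    """True if the mapping takes its value from the given source path."""
    return mapping.get("sourcePath") == path or path in mapping.get("sourcePaths", [])


def check_password_mappings(mappings):
    """Return findings for a list of IPS target-transformation mapping objects."""
    password = [m for m in mappings if m.get("targetPath") == "$.password"]
    if not password:
        return []  # nothing provisions a password, so nothing to check
    findings = []
    # Scenario 5: once users are split on loginMethod, only PWD users get a password.
    split = any(_reads(m, "$.loginMethod") and m.get("targetPath", "").startswith("$.groups")
                for m in mappings)
    for m in password:
        # Without createEntity scope the password would also be written on updates.
        if m.get("scope") != "createEntity":
            findings.append("password mapping not limited to createEntity")
        if split and "$.loginMethod" not in m.get("condition", ""):
            findings.append("password mapping has no loginMethod condition")
    # Concept 4: the provisioned password must be flagged for change at first login.
    if not any(m.get("targetPath") == "$.passwordStatus"
               and m.get("constant") == "initial"
               and m.get("scope") == "createEntity" for m in mappings):
        findings.append("passwordStatus is not 'initial' on createEntity")
    return findings


if __name__ == "__main__":
    for finding in check_password_mappings(SAMPLE):
        print("FINDING:", finding)
```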


Conclusion

This blog highlights key strategies for integrating Identity Provisioning Services (IPS) with SAP SuccessFactors (SF) and SAP Identity Authentication Service (IAS). It covers effective password migration, custom attribute handling, and automated password creation, ensuring a secure and efficient transition while addressing diverse client needs.
