Hare Krishna !
Integrating Identity Provisioning Services (IPS) with SAP SuccessFactors (SF) enhances identity management, but it involves key scenarios such as password migration for existing users, automating initial password creation using different logic, creating the password by reading a password field from SF, or combining these to meet client requirements. This blog explores these challenges, providing insights and solutions to ensure a smooth, secure integration process.
Source System: SAP SuccessFactors application
Target System: SAP Identity Authentication service
Only a few standard fields from SAP SuccessFactors are synced by the standard IPS transformation code. Check Manage Workforce SCIM API in SuccessFactors for more details. You can select and unselect existing attributes but maintain a new attribute here.
If required, additional fields can also be read from SuccessFactors using custom attributes (15 custom attributes are available), which can be used for different purposes such as creating filters, writing to custom attributes in the target, or creating a new password.
You will need to perform the activities below.
For example, in the above screenshot we are reading the date of birth from SF (which is mapped to SF custom05).
Add the code below in the source system transformation to read it. The value in targetPath can then be used in the target transformation (as sourcePath) to perform the required action.
{
"sourcePath": "$['urn:ietf:params:scim:schemas:extension:successfactors:2.0:User']['customFields'][?(@.customFieldName == 'custom05')]['value']",
"targetPath": "$.custom05",
"optional": true
},
Target Transformation - to write the date of birth value to custom attribute 1 in IAS for the users being synced:
{
"sourcePath": "$.custom05",
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][0]['value']",
"optional": true
},
{
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][0]['name']",
"condition": "$.custom05 EMPTY false",
"constant": "customAttribute1"
},
The password-related configuration is done in Authentication Providers.
{
"targetPath": "$.sourceSystemId",
"constant": "<CompanyID>"
},
{
"targetPath": "$.sourceSystem",
"constant": "100"
},
{
"targetPath": "$.sendMail",
"constant": "false",
"scope": "createEntity"
},
{
"targetPath": "$.passwordStatus",
"constant": "enable",
"scope": "createEntity"
},
{
"targetPath": "$.passwordStatus",
"constant": "initial",
"scope": "createEntity"
},
Now let's discuss different scenarios requested by clients in multiple projects:
The project has an SAP SF instance and the client is performing the upgrade to IAS. The client requires existing users to log in with the same passwords.
Follow the steps mentioned in Concept 3 and configure the authentication provider to perform the password migration for users when they log in for the first time. Make sure to update the transformation code so that it does not trigger onboarding emails and so that it updates users in IAS with the Company ID and source system details, so that IAS can connect to the SuccessFactors instance at the time of password migration (first login after the IAS upgrade).
The project has a new SAP SF instance which is already integrated with IAS. The client wants a mechanism to create a default password for new users using some logic (for example, username + "HK!"). When the user performs the first login, IAS asks the user to create a new password.
The username is already fetched as a standard attribute; if any other attribute is required, use Concept 2 (source system transformation) to fetch it. No update is needed in the source system transformation.
Target Transformation:
This implements the password creation logic:
{
"targetPath": "$.password",
"scope": "createEntity",
"sourcePath": "$.userName",
"optional": true,
"functions": [
{
"function": "concatString",
"suffix": "HK!"
}
]
},
This will ensure user is prompted to change the password on first login:
{
"targetPath": "$.passwordStatus",
"constant": "initial",
"scope": "createEntity"
},
The project has a new SAP SF instance which is already integrated with IAS.
Solution:
Follow Concept 2 to map the custom password field and fetch it from SuccessFactors. Update the target transformation code as below:
{
"sourcePath": "$.custom05",
"targetPath": "$.password",
"scope": "createEntity"
}
Follow the steps mentioned in Concept 4 to make sure users are prompted to create a new password on first login.
This is a mixed requirement where the project has an already existing SAP SF instance. Once integration with IAS is performed using the upgrade center, the client wants existing users to be able to log in with their existing passwords. For new users, the client wants to read the password from an SAP SF field. No user should lose access.
Perform the steps mentioned in Concept 3 to make sure existing users go through password migration on first login. Perform a full sync after updating the transformation code.
Now pause the sync job. Update the transformation logic so that it fetches the data from SF, creates a new password for new users, and asks them to change it on first login (refer to Scenario 3 for the transformation code).
Run the sync job again, and configure it to run at an interval so that new user onboarding happens properly.
Now old users who were already in SF will use their SF password the first time, and for new users being onboarded a new password will be created.
The project has IP restriction enabled, which allows users to log in to SAP SF only from the client VPN.
Solution
It contains multiple steps.
{
"sourcePaths": [
"$.loginMethod"
],
"targetPath": "$.groups[0].value",
"valueMappings": [
{
"key": [
"PWD"
],
"mappedValue": "PWD_Group"
},
{
"key": [
"SSO"
],
"mappedValue": "SSO_Group"
},
{
"key": [
""
],
"mappedValue": "SSO_Group"
}
],
"type": "valueMapping",
"defaultValue": "SSO_Group"
},
{
"sourcePath": "$.custom05",
"targetPath": "$.password",
"condition": "$.loginMethod == 'PWD'",
"optional": true,
"scope": "createEntity"
}
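A pre-deployment check for the password mappings used in the scenarios above, added here as an example (it is not part of the original blog and not an SAP tool): it confirms that every `$.password` mapping is limited to `createEntity` and is paired with a `passwordStatus` of `initial`, and it reports unconditional `passwordStatus` constants that compete in one scope. The sample array is constructed from fragments on this page, and `check_password_mappings` is a hypothetical helper name.

```python
import json

# Constructed sample: a target-transformation mappings array assembled from
# fragments shown on this page (not a complete IPS transformation).
SAMPLE = json.loads("""
[
  {"sourcePath": "$.custom05", "targetPath": "$.password",
   "condition": "$.loginMethod == 'PWD'", "optional": true,
   "scope": "createEntity"},
  {"targetPath": "$.sendMail", "constant": "false", "scope": "createEntity"},
  {"targetPath": "$.passwordStatus", "constant": "initial", "scope": "createEntity"}
]
""")


def check_password_mappings(mappings):
    """Return a list of findings for mappings that write $.password."""
    findings = []
    pw = [m for m in mappings if m.get("targetPath") == "$.password"]
    status = [m for m in mappings if m.get("targetPath") == "$.passwordStatus"]

    for m in pw:
        # Every password mapping on the page is limited to user creation.
        if m.get("scope") != "createEntity":
            findings.append("password mapping without scope createEntity")

    if pw:
        # The page pairs a provisioned password with passwordStatus "initial".
        forced = [m for m in status
                  if m.get("constant") == "initial"
                  and m.get("scope") == "createEntity"]
        if not forced:
            findings.append("no passwordStatus=initial mapping for createEntity")

    # Several unconditional constants for one scope cannot all take effect.
    seen = {}
    for m in status:
        if "condition" not in m and "constant" in m:
            seen.setdefault(m.get("scope"), set()).add(m["constant"])
    for scope, values in seen.items():
        if len(values) > 1:
            findings.append(f"conflicting passwordStatus constants in scope "
                            f"{scope}: " + ", ".join(sorted(values)))
    return findings


if __name__ == "__main__":
    for finding in check_password_mappings(SAMPLE) or ["no findings"]:
        print(finding)
```

Run it against the `mappings` array exported from the target system's write transformation before starting the sync job.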
This blog highlights key strategies for integrating Identity Provisioning Services (IPS) with SAP SuccessFactors (SF) and SAP Identity Authentication Service (IAS). It covers effective password migration, custom attribute handling, and automated password creation, ensuring a secure and efficient transition while addressing diverse client needs.