This requirement usually arises when you need to enable IAS as the authentication method for the Onboardees. You then realize that your IAS Source System communicates through the OData API (API 1) and that you need to migrate to SCIM (API 2).
STEP 1: Setup mTLS (mutual Transport Layer Security)
At this step you will create a connection between IAS and SFSF, which is done through mTLS. To create this connection, follow the steps below:
- At IAS > go to “Identity Provisioning” > from the list of source systems, select the desired SAP SuccessFactors tenant record.
- Click on the Outbound Certificate tab
- Once you have downloaded this certificate, go to SuccessFactors > Security Center > X509 Public Certificate Mapping > Add > upload the certificate created above.
Make sure you select ‘Identity Provisioning Service’ in the ‘Integration Name’ field and the login name of your admin user in the ‘Login Name’ field.
I used IPSADMIN as the Login Name, which was used in version 1 for the IPS job.
- Go back to your SFSF Source System > Properties tab to configure the property parameters, and set them as below:
Refer to the table below for a list of the properties:
a. Change the “sf.api.version” in Source system > Properties > from 1 to 2.
b. Field URL: Refer to List of SAP SuccessFactors API Servers under the mTLS Certificate Server column.
c. Change the “sf.user.filter” to active eq “true”
d. Change the “Authentication” to ClientCertificateAuthentication
Run the “Read Job” and the system should connect as usual.
Until now, IAS was connected to SFSF through the OData API, and access to that data was mapped through the “transformations”. By changing the connection to SCIM, the data endpoints are no longer the same.
You therefore need to update the default Source and Target transformations.
Visit this SAP HELP to copy and paste the new transformations.
- Reset Identity Provisioning for the current SAP SuccessFactors tenant Source System by following the steps in Reset Identity Provisioning System.
- Go to Identity Provisioning Source Systems Jobs (your SAP SuccessFactors source system) and resume your scheduled sync jobs, or run a new Read Job, if you did not have one scheduled.
STEP 2: Source System to use the SCIM API and are configured in your Identity Provisioning administration console.
If you are upgrading to SCIM because of Onboarding requirements:
Create a new IAS system and grant it real time provisioning
This is required to sync the onboardees in real time instead of waiting for the IPS sync job schedule.


Activate Real-Time Sync of New Hires from SAP SuccessFactors to Identity Authentication with Identity Provisioning
Activate the real time sync for Onboardee – SuccessFactors > Manage Identity Provisioning Real Time Sync



The destination URL should be in the format below and the system ID can be copied from
https://<ips-tenant-url>/ipsproxy/service/api/v1/systems/<source-system-id>




Common issues
Error: “User or Password configured for the provisioning system are empty or not specified at all.”
Note: As a best practice, update the Authentication setting from ‘BasicAuthentication’ to ‘ClientCertificateAuthentication’. This adjustment will function smoothly given that you have already uploaded the outbound certificate of the Source System in the SuccessFactors Security Center’s X.509 Public Certificate Mapping. Once this step is completed, there is no need to configure a username and password for IPSADMIN. The connection will operate through certificate-based authentication.
How to check whether an Onboarding new hire is synced to IAS by Real Time sync
Ans: Execution Manager Dashboard > Pre-delivered integration displays the status of Real Time sync

Error: “Property sf.company.id is missing but it is required for ClientCertificateAuthentication mode”

Error: “HTTP operation failed invoking https://api19preview.cert.sapsf.com/rest/iam/scim/v2/Users?startId=initial&count=100&filter=status%20in%20’active’ with statusCode: 400 and body {“schemas”:[“urn:ietf:params:scim:api:messages:2.0:Error”],”scimType”:”invalidFilter”,”detail”:”The filter expression is invalid.status in ‘active'”,”status”:400}”
You haven’t set the filter properly. The sf.user.filter attribute filters the kind of users that are retrieved from SuccessFactors.
Set the filter to sf.user.filter = active eq “true”.
Unlike sf.user.filter in API version 1, where we had the flexibility to sync only a few users using the ‘OR’ logical operator, version 2 does not offer that, which makes it hard to sync and test for only a few users. As a bad workaround for testing, you may use the operator ‘Contains’ to create a query.
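A pre-flight check for the Source System properties from STEP 1 and the errors listed above, as an added example that is not SAP's or this blog's own tooling. The `User` and `Password` property names, the `cert` host-label heuristic and all sample values are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample property sets; hosts, company ID and login are placeholders.
BEFORE = {"sf.api.version": "1", "Authentication": "BasicAuthentication",
          "User": "IPSADMIN@COMPANY_ID_PLACEHOLDER", "Password": "",
          "sf.user.filter": "status in 'active'",
          "URL": "https://api.example.invalid"}
AFTER = {"sf.api.version": "2", "Authentication": "ClientCertificateAuthentication",
         "sf.company.id": "COMPANY_ID_PLACEHOLDER",
         "sf.user.filter": 'active eq "true"',
         "URL": "https://api.cert.example.invalid"}

def check_scim_source(props):
    """Return findings for an SFSF source system that should use API version 2 over mTLS."""
    findings = []
    auth = props.get("Authentication", "")
    has_creds = bool(props.get("User")) and bool(props.get("Password"))
    if props.get("sf.api.version") != "2":
        findings.append("sf.api.version is not 2")
    if auth == "ClientCertificateAuthentication":
        if not props.get("sf.company.id"):
            findings.append("sf.company.id missing (required for certificate auth)")
        if props.get("User") or props.get("Password"):
            findings.append("User/Password still stored but no longer needed")
    else:
        findings.append("Authentication is not ClientCertificateAuthentication")
        if auth == "BasicAuthentication" and not has_creds:
            findings.append("User or Password empty under BasicAuthentication")
    flt = props.get("sf.user.filter", "")
    if re.search(r"\bstatus\s+in\b", flt, re.IGNORECASE):
        findings.append("sf.user.filter uses version 1 syntax")
    if re.search(r"\bor\b", flt, re.IGNORECASE):
        findings.append("sf.user.filter uses OR")
    # Assumption: mTLS hosts carry a 'cert' label, as in the
    # api19preview.cert.sapsf.com host quoted in the error on this page.
    host = urlparse(props.get("URL", "")).hostname or ""
    if "cert" not in host.split("."):
        findings.append("URL does not look like an mTLS certificate server")
    return findings

if __name__ == "__main__":
    for name, props in (("before", BEFORE), ("after", AFTER)):
        print(name, check_scim_source(props) or "OK")
```

Paste the property values from the Properties tab into a dictionary and run the check before starting the Read Job.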
ips.delete.existedbefore.entities
The ips.delete.existedbefore.entities is an optional property which can be set on every target system. You can use it to control whether entities recognized as “previously existed ones” should be deleted from the target system. SAP HELP
KBA 3017663 – Deleting the Inactive SF users from IAS via IPS provisioning job
The URL was unresolved or blocked. Enter another URL and retry. Ensure that the IP address used for this registration is not blocked. If the issue persists, contact Technical Support for further assistance.
The Destination URL is built as below:
https://<ips-tenant-url>/ipsproxy/service/api/v1/systems/<source-system-id>


statusCode: 400, Response: Value of attribute [applicationId] is invalid.
This is because the migration you are doing is to a very old IAS. You need to update these values in the target system properties.

- The steps on how such IDs can be collected directly from IAS admin console are below:
- ias.application.id.attribute is the application id taken from IAS admin console. Select your SF application and check the URL in browser where the value can be found. Example of URL: https://<tenant_id>.ondemand.com/admin/#/applications/<application_id>/
- ias.source.system.attribute is 100 for SF, 101 for LMS, 102 for Fieldglass.
How to see the payload to check where the error is:
When you are facing an IPS issue, you may sometimes need to troubleshoot it.
Add the following properties to the involved system and make the payload of the errored, skipped user available in the job error log or job skip log.
ips.trace.failed.entity.content true
ips.trace.skipped.entity true
ips.trace.skipped.entity.content true
The onboarding process is a special one with no NHDR (new hire data review) step.
If there is no NHDR step, it’s very possible that the onboardee will not have all the required fields, like email. For example, if you realize that the onboardee is not provisioned with an email, you can create a Condition in the target system to avoid empty emails.
The ERROR will be: “skip reason=Entity condition [($.emails EMPTY false) && ($.name.familyName EMPTY false)] is not fulfilled”
First: remove the condition in the transformation at the Source System:

Second, you can retrieve the email from other field:
In the example below, the transformation uses the username when the email is empty.

{
"sourcePath": "$.userName",
"targetPath": "$['emails[?(@.value)]']",
"condition": "$.emails EMPTY true"
}
- Log on to the IAS administration console
- Navigate to the involved Email Template Set via Applications & Resources -> Email Template Sets -> click the involved template set
- The ID of the Email Template Set can be found in the URL. For example:
https://<tenantid>.accounts.ondemand.com/admin/#/emailTemplateSets/SAP_DEFAULT/MAILING_ACTIVATE_SELF
=>SAP_DEFAULT
https://<tenantid>.accounts.ondemand.com/admin/#/emailTemplateSets/67a49b24-5951-41f8-9a10-7ddd3567234f/MAILING_ACTIVATE_SELF
=>67a49b24-5951-41f8-9a10-7ddd3567234f
SAP KBA 3383918 – How to find ID of the Email Template Set in IAS