Real-Time Sync of New Hires from SAP SuccessFactors to IAS

This blog is one of the steps to migrate to IAS authentication for Onboardees.

Real-time synchronization updates user account data immediately, without having to run a provisioning job manually or wait for a scheduled one. This is useful when a user's information is updated and that user needs immediate system access.

Do this:

  1. In SuccessFactors go to Admin Center > Security Center > X.509 Certificates and generate a certificate.

Once the X.509 certificate is generated, download it, since we'll need it for the next step.

  2. Log in to your IAS tenant, navigate to the administrator users section and create a new system user in the IAS administration console with the X.509 certificate created above; grant it real-time provisioning access.

  3. Register the administrator user created above in the Integration Service Registration Center of SuccessFactors.
    Navigate to SFSF > Integration Service Registration Center
    Select: "Identity Provisioning Service"

The destination URL should be in the format below and the system ID can be copied from

Ex:
You get the <source-system-id> in the URL displayed (highlighted below) in the browser when you click on the source system in IPS.

Finally, register the certificate created above in the Integration Service Registration Center of SuccessFactors.

  4. Enable "Real Time Sync" by going to "Manage Identity Authentication/Identity Provisioning Real Time Sync".

Now new Onboardees will be updated immediately in IAS.

Common issues

Error: "User or Password configured for the provisioning system are empty or not specified at all."

Note: As a best practice, update the Authentication setting from 'BasicAuthentication' to 'ClientCertificateAuthentication'. This works provided you have already uploaded the outbound certificate of the source system in the SuccessFactors Security Center's X.509 Public Certificate Mapping. Once this step is completed, there is no need to configure a username and password for IPSADMIN; the connection authenticates with the certificate instead.

How to check whether an Onboarding new hire has been synced to IAS by Real Time Sync

Ans: Execution Manager Dashboard > Pre-delivered integration shows the status of Real Time Sync

Error: "Property sf.company.id is missing but it is required for ClientCertificateAuthentication mode"

Error: "HTTP operation failed invoking https://api19preview.cert.sapsf.com/rest/iam/scim/v2/Users?startId=initial&count=100&filter=status%20in%20'active' with statusCode: 400 and body {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"scimType":"invalidFilter","detail":"The filter expression is invalid.status in 'active'","status":400}"

You haven't set the filter properly. The sf.user.filter property determines which users are retrieved from SuccessFactors.

You should set the filter to sf.user.filter = active eq "true".

Unlike sf.user.filter in API version 1, where we had the flexibility to sync only a few users using the 'OR' logical operator, version 2 does not offer that, which makes it hard to sync and test with only a few users. As a crude workaround for testing you can use the 'contains' operator to build the query.

ips.delete.existedbefore.entities

The ips.delete.existedbefore.entities property is optional and can be set on every target system. You can use it to control whether entities recognized as "previously existing ones" should be deleted from the target system. See SAP Help.

KBA 3017663 – Deleting the Inactive SF users from IAS via IPS provisioning job

IAS for ONB2.0 New Hires – 1 (upgrade OData to SCIM)

Error: "The URL was unresolved or blocked. Enter another URL and retry. Ensure that the IP address used for this registration is not blocked. If the issue persists, contact Technical Support for further assistance."

The Destination URL is built as below:

https://<ips-tenant-url>/ipsproxy/service/api/v1/systems/<source-system-id>

Where to find the IPS tenant?

Error: "statusCode: 400, Response: Value of attribute [applicationId] is invalid."

This happens because you are migrating to a very old IAS tenant. You need to update this value in the target system properties.

  • The steps for collecting these IDs directly from the IAS admin console are:
    1. ias.application.id.attribute is the application ID taken from the IAS admin console. Select your SF application and check the URL in the browser, where the value can be found. Example URL: https://<tenant_id>.ondemand.com/admin/#/applications/<application_id>/
    2. ias.source.system.attribute is 100 for SF, 101 for LMS, 102 for Fieldglass.

More info in this SAP KBA

How to see the payload to find where the error is:

When you are facing an IPS issue, you need to download the payload of the failed entity.

Add the following properties to the involved system to make the payload of the errored or skipped user available in the job error log or job skip log:
ips.trace.failed.entity.content true
ips.trace.skipped.entity true
ips.trace.skipped.entity.content true

More info in this KBA

The onboarding process is a special one with no NHDR (new hire data review) step.

If there is no NHDR step, it is very possible that the onboardee will not have all the required fields, such as email. For example, if you realize that the onboardee is not provisioned because the email is missing, you can create a condition in the target system to avoid empty emails.

The ERROR will be: "skip reason=Entity condition [($.emails EMPTY false) && ($.name.familyName EMPTY false)] is not fulfilled"

First, remove the condition in the transformation at the Source System:

Second, you can retrieve the email from another field:

In the example below, the transformation uses the username when the email is empty.

{
"sourcePath": "$.userName",
"targetPath": "$['emails[?(@.value)]']",
"condition": "$.emails EMPTY true"
}
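To see how the target-system condition from the skip trace and the userName fallback interact, here is an added Python simulation (not IPS code and not from the original post) that applies both rules to a few constructed onboardee records; the EMPTY semantics and sample data are assumptions for illustration.

```python
import json
from copy import deepcopy

# Constructed sample onboardees (not real data): the second arrived without an
# email because the onboarding process has no NHDR step, the third has no surname.
ONBOARDEES = [
    {"userName": "jdoe", "emails": [{"value": "jdoe@example.com"}], "name": {"familyName": "Doe"}},
    {"userName": "asmith", "emails": [], "name": {"familyName": "Smith"}},
    {"userName": "noname", "emails": [], "name": {}},
]


def _is_empty(value):
    """Assumed meaning of the IPS 'EMPTY' check: None, '', [] and {} all count as empty."""
    return value is None or value == "" or value == [] or value == {}


def entity_condition_fulfilled(entity):
    """Target-system condition from the skip trace:
    ($.emails EMPTY false) && ($.name.familyName EMPTY false)."""
    emails_ok = not _is_empty(entity.get("emails"))
    family_ok = not _is_empty(entity.get("name", {}).get("familyName"))
    return emails_ok and family_ok


def apply_email_fallback(entity):
    """Simulate the transformation from the post: when $.emails is empty
    (condition "$.emails EMPTY true"), copy $.userName into emails."""
    out = deepcopy(entity)
    if _is_empty(out.get("emails")):
        out["emails"] = [{"value": out["userName"]}]
    return out


def provisioning_outcome(entities, with_fallback):
    """Return {userName: 'provisioned' | 'skipped'} for each entity, optionally
    applying the fallback transformation before evaluating the condition."""
    result = {}
    for entity in entities:
        candidate = apply_email_fallback(entity) if with_fallback else entity
        result[entity["userName"]] = "provisioned" if entity_condition_fulfilled(candidate) else "skipped"
    return result


if __name__ == "__main__":
    print("without fallback:", json.dumps(provisioning_outcome(ONBOARDEES, False)))
    print("with fallback:   ", json.dumps(provisioning_outcome(ONBOARDEES, True)))
```

With the fallback, the onboardee lacking an email is no longer skipped, while the record with no familyName is still held back by the condition.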

Error: "skip reason=Entity condition [($.emails EMPTY false) && ($.name.familyName EMPTY false)] is not fulfilled"

The entities (users) are skipped. After downloading the skip trace you find the following error:

skip reason=Entity condition [($.emails EMPTY false) && ($.name.familyName EMPTY false)] is not fulfilled.

This is due to the transformation syntax:

Delete that and retrigger the read job.
