From the 2H 2022 release, the onboardees account is a SAP IAS one. This IAS account is created though the (SCIM) API in real time or updated through the IPS scheduled job. In this blog I’ll try to resume with examples how it works.
How it works?
When a new hire is created in SAP SuccessFactors Onboarding, they’re provisioned in IAS in real-time. This is accomplished though the “SCIM” (System Cross-domain Identity Management).
This means that the email and password are hosted and managed from IAS.
To enable the ONB module to use the IAS for onbaordees authentications, it’s required to migrate from ODATA API to SCIM API
Some facts: Once you start authenticating the Onboardees though IAS then:
* Onboarding new hire sync to IAS
* Onboardees will receive a “IAS Account Activation” email to set her/his password in IAS.
* Onboardees will receive a login URL without the parameter “pm_product_name = ONB” in his/her emails.
How do I know if I have SCIM activated?
This is a long topic, and I suggest you to check this great SAP community.
But to resume and make it easy, do this:
👉In SFSF access to the transaction > “Monitoring Tool for Identity Authentication and Identity Provisioning Migration” and check if you have enabled this settings tab (screenshot below).
Do yo uhave the “settings” tab vissible? If YES then click on “Settings” and check the screen below.
👉 Then if it’s greyed you are using SCIM.
The fact that the “Settings” tab is enabled means that “Onboarding Application” option at provisioning is switched ON
Additionally the fact that “Apply to both Employee and Onboardee” is greyed, means that the SCIM is working/implemented.
How to find the onbaordees in my IAS?
First of all. How to check if Onboardees are replicated into IAS?
If onboardees are replicated into IAS, then the 👉the user’s attribute “user type” it’s “Onboardee”.
It’s possible to check if Onboardees are replicated into IAS, by verifying the “User Type” field.
Notice that it’s not possible to search users by “User Type” filter in the IAS search header, so if you want a list of onboardees it is a good option to “Export users” and filter the column in an excel table.
Are onboardees replicated into IAS through the scheduled jobs?
The real time sync will provide onboardees immediately to the IAS. But what about the scheduled “IAS identity Provisioning” job? Is that job at the “Source system” provisioning the onboardees?
If you have already migrated to the SCIM connector, then the only posible filter is sf.user.filter=active eq “true”. Then the onboardees are synched though the SCIM API and not through the SCHEDULED JOB. If you have continued with API 1 version (ODATA connector) then the provisioning of onboardees will be through the scheduled job. Mora info of this scenario at this KBA Section 2.2
The provisioning of onboardees through scheduled jobs is is configured through the filters in the source system. To set the filters in the system firstly, you should check which API version are you using. Consider that filters will be different depending of the API version (1 or 2).
To check the API version, go to your IAS panel > Source system > Properties, and check the “sf.api.version”
Once you checked the API version, let’s go to the source filter topic!
To ensure the IPS job is pulling onboardees, “IPS source system filters” should set as: ‘active’,’active_external_suite’.
👉 Do this:
- At the IAS panel, go to “Identity Provisioning” then to “Source System” > then to “Properties”.
- Filters are configured as “filter sf.user.filter” field at the source system. Then insert this values:
| If you are using the sf.api.version=2, then you should set as filter sf.user.filter=active eq “true”. (this true inclues onboardees and employees) SAPHELP |
| If you are using sf.api.version=1, then you should set as filer “sf.user.filter=status in ‘active’,’active_external_suite’ and (personKeyNav/userAccountNav/userType in ’employee’, ‘onboardee’)” |
Email Services at SuccessFactors
Through “email services” are managed all the emails sent to the onboardees.
If the account is managed though IAS, then the welcome message and the reset password will be send from IAS instead from “email services”
That’s why it is recommended to disable the following templates in Email Services:
- Template: (ONB) External User Welcome Message Template
- Template: (ONB) Rehire User Welcome Message Template
👉 IAS for Onboarding implementation Process
If your SFSF suite is still using the SuccessFactors login authentication, then this part of the blog is for you. You need to migrate to IAS authentication ASAP.
The migration requires many verifications to configure the integration to the standard. It largely depends on how old your instance is and the maintenance it has received.
The following steps make all the verifications and are linked to the further steps required.
FAQ
I can’t find the onboardees at the UDF
The onboardees are listed in the UDF, even if you are not able to see them though “export employee”.
One of the oboardees is not replicated into IAS.
Check if the onbaordee has passed the NHDR (New Hire Data Review) step. If the New Hire Data Review step is available in the Onboarding process flow, then the new hire’s account is synced to SAP Identity Authentication Service after the New Hire Review Data step is complete.
If the New Hire Review Data step is not available, then as soon as the Initiate Onboarding step is complete, the new hire’s account is synced to SAP Identity Authentication Service.
“Setting” tab not available at “Monitoring Tool for Identity Authentication and Identity Provisioning Migration”
As Onboarding Application switch is Off, the “Settings” Tab will not be shown in the below screenshot.
I want to replicate the inactive employees as well.
For API 1:
sf.user.filter –> status in ‘active’,’inactive’
Pingback: Onboarding Basic Auth Login Method Deprecation - SuccessFactors blog