SuccessFactors SSO with IAS and Corporate User Store

Hi all,

We are trying to use Cloud Platform Identity Authentication Service (IAS) for SuccessFactors (SF) SSO. We've tested the proxy scenario successfully, where authentication happens on the Identity Provider (IdP) side and you're redirected to the IdP. But with this scenario you're losing functionality of IAS like IP Restriction, Conditional Authentication and One Time Password.

In order to make use of the additional features we want to use this scenario. Authentication happens against IAS; during first login a minimaster user record is created on IAS, but passwords stay in the Corporate User Store:

I've followed this configuration guide for AS JAVA User Store.

SAP Help Guide Corporate User Store

When I try to log in to SF the IAS login screen appears. But it seems that authentication is not redirected to the Corporate User Store. In the Cloud Connector logs I don't see any traffic.

Any idea which config to change on IAS that will make use of the connected AS JAVA User Store?

Regards,

Timmy

3 Answers

  • Best Answer
    Apr 05 at 07:54 AM

    Dear all,

    we've checked with SAP and found the issue.

    It is a small but important restriction that has to be considered. Following the documentation
    Corporate User Store Setup

    it is important when creating the destination in the Identity Authentication Add-On on SCP that HTTPS is not supported.

    The consequence is that the pattern

    http:// <Virtual host configured in Cloud Connector>:<virtual Port>/scim/v1/

    is meant like this. Any URL beginning with https:// won't work.

    I've requested SAP to enhance the documentation accordingly.

    Best regards

    Timmy

  • Mar 13 at 08:49 AM

    Dear Timmy,

    Please review your configuration by following KBA: 2656742 - How to Setup Trust for Corporate Identity Provider in SAP Cloud Identity Authentication Service

    Pay special attention to the prerequisites.

    Best Regards,

    Zsuzsa

    • Hi Zsuzsa,

      thanks for your remark. I'm not sure if the note is valid for our scenario. We don't want to use IAS in Proxy mode, because you'll lose functionality.

      We've managed to connect an MS AD successfully without following the note. But we need to use the AS JAVA as corporate user store. This is still not working. Still no traffic on the cloud connector.

      Regards,

      Timmy

  • Mar 17 at 08:50 PM

    Hi Timmy,

    if you don't see any traffic on Cloud Connector, then check whether the OAuth settings are correct (recreate the client secret and replace it in the IAS tenant, for example). Also, the destination to the on-premise system must be on service level (i.e. in the Identity Authentication Add-on service).

    Best Regards,
    Lucas