SuccessFactors

Nov 19 2021

How to Migrate an On-Premise SAP HR and Payroll Solution to SAP SuccessFactors

The business landscape is evolving, and with it, the workforce. HR and payroll must keep up by embracing more flexible systems that cater to today’s increasingly hybrid and remote world. Many SAP on-premise HR and payroll customers are moving to the cloud-based SAP SuccessFactors, a process that delivers a wealth of benefits, such as:

Increased agility, enabling you to better manage a remote or hybrid workforce
Improved flexibility, ensuring staff are remunerated in line with their contractual agreement
A single source of truth, making sure teams across your organisation are working with unified, real-time data
Actionable insights, allowing staff, HR managers, and executives to make data-backed decisions

Despite the growth-enabling potential of cloud-based HR and payroll, migration is often a sticking point. The process can take a significant amount of time to execute, regardless of whether a complete re-implementation of payroll is required. That’s where migration tools, backed by SAP expertise, come into play.

Migration tools – namely SpinifexIT’s SAP-compatible Easy Migration solution – help teams copy and migrate HR and Payroll data in record time, saving valuable resources and reducing stress. Out-of-the-box testing functionalities and data anonymisation further streamline the moving process.

We’ll walk you through the three-step implementation process below. But first, let’s take a closer look at Easy Migration.

What Is Easy Migration?

The Easy Migration solution minimises risk while accelerating your SAP SuccessFactors migration. The software copies the data and payroll configuration from your legacy on-premise SAP system. It then runs tests between your legacy and the new system to validate the data and configuration before go-live.

Easy Migration can move all employee information – including current and historical payroll results and infotypes – across to your new system. Built-in reports ensure your payroll executions perform as expected post-migration.

Conventional migrations from on-premise to cloud HR and payroll can take three to six months from start to finish. SpinifexIT’s Easy Migration can reduce that timeframe down for the initial build transfer to days.

How to Migrate from SAP’s On-Premise HR and Payroll to SuccessFactors

The migration process can be broken down into three main steps: copying payroll configuration, copying employee data and validating payroll before going live. Each of these phases is de-risked and accelerated by the migration tool. Here’s how the process unfolds with Easy Migration.

pensive diverse colleagues working on paper draft in office

Step 1: Copying Payroll Configuration

Conventional timeframe: 2-3 months

Easy Migration timeframe: As little as 2 days

Overview: This step encompasses copying your existing payroll configuration, migrating that configuration, and creating a test system.

Breakdown: Easy Migration comes with an in-built replication tool, complete with tables that tailor the migration process to each country’s requirements. You are able to decide what is migrated to your new system and what is not. This might include Infotype Setup, Payroll Configuration, Payroll Area Configuration, Time Evaluation, and more.

The Easy Migration replication will detect the relevant configuration for your country and migrate this across. Then, it will update the tables and store this information on a Transport, which means it’s ready to migrate to your test and production system.

For peace of mind, the process can be run in test mode first, empowering you to iron out any kinks before going live. Plus, the migration is traced through audit tables, giving you full visibility over the process.

Benefit snapshot:

Quickly create test and development systems
Preview what will happen before the live run
Monitor audit logs to detect issues before they cause damage

Step 2: Copying Employee Data

Conventional timeframe: 1-2 months

Easy Migration timeframe: As little as 3 days

Overview: This step encompasses converting data from your legacy system to SuccessFactors, validation of your data, and payroll runs.

Breakdown: Easy Migrations allows you to copy employee data between systems, with no in-between steps. That means you can migrate a sample of ‘test employees’ to your development system to check whether the payroll execution performs as expected. You can scramble that data, too, to reduce privacy risks and concerns.

Benefit snapshot:

No manual data extraction
Fuss-free payroll execution testing
Scramble data to protect employee privacy

Step 3: Validating Payroll

Conventional timeframe: 4 days

Easy Migration timeframe: As little as 4 hours

Overview: This step encompasses the conversion and validation of historical data.

Breakdown: You can undergo several pre-delivered tests to ensure your new system is functioning as expected. Crucial tests include the Pay and Year-to-day reports, which compare the payroll results from your two systems, underlining any discrepancies. Then, when you are happy with your results, it’s time to push the new system live.

Benefit snapshot:

Connect legacy and new systems with ease
Easily compare payroll results with automatically highlighted differences
Drill down your tests to track key metrics

Do Migration Tools Keep My Data Safe?

While we cannot speak for all migration tools, SpinifexIT’s Easy Migration adheres to SAP’s robust privacy and security measures – because your data is safe with SAP, your data is safe with Easy Migration. Additional privacy measures – such as the ability to anonymise employee data and payroll results – ensure your business’s most sensitive information is protected throughout the migration, testing, and go-live process.

Migrate to SuccessFactors Without Days of Work and Hassles

Easy Migration’s solution is 100 per cent compatible with SAP, which means modernising your HR and payroll doesn’t have to be time-consuming, resource-intensive, or high-risk. By seamlessly connecting the legacy solution with your new system, you can migrate, test, and execute with total peace of mind.

Take advantage of the benefits of the cloud. Get in contact with our team today to kick-start the process. We know SuccessFactors inside and out, and we leverage the game-changing features of Easy Migration to get you on the cloud and running fast. But, migration is just the beginning. We help you thrive today, tomorrow, and beyond.

Nov 01 2021

Moving SAP’s HR/Payroll On-Premise to the Cloud with SAP SuccessFactors

Business is changing, becoming increasingly focused on flexibility, agility and mobility. The workforce is changing too, as staff members begin to expect more from their employers and the systems they work with. This means HR and payroll also need to change, keeping pace with this ongoing evolution. With SAP SuccessFactors, traditional HR models are moving to the cloud, unlocking a wealth of benefits in the process.

The Benefits of Cloud-Based HR/Payroll Solutions

You already have on-premise HR and payroll systems in place, so why do you need to migrate this to the cloud? Take a look at some of the key advantages of cloud migration with SAP SuccessFactors.

A Comprehensive Approach to Remote Workforces

Perhaps the primary advantage of cloud-based HR/payroll solutions is the increased agility they provide. The workforce is becoming more dynamic, with remote teams operating across disparate locations and partners collaborating in real-time across national and continental boundaries. The COVID-19 pandemic has also accelerated the pivot towards home-based work, with a large number of employees now spending significant proportions of their working week outside of the traditional office.

All of this puts strain on HR teams. These teams may find that their resources are spread increasingly thinly as they work to support a dispersed working model. With the cloud-based SuccessFactors solution on their side, HR personnel can manage distributed teams wherever they are found, reducing the time, effort and expense associated with this.

Improved Flexibility for On-Premise Teams

While a dynamic, remote workforce is becoming a common fixture in business, traditional on-premise teams still have a role to play. As we shift towards remote agility, we cannot forget about headquarters- or office-based teams, and HR personnel need to support these team members in the right way.

A cloud-based solution improves flexibility and support for these teams. The SAP solution integrates seamlessly with existing on-premise solutions, ensuring that no legacy capability is lost during migration to the cloud. Meanwhile, HR departments leverage advanced time tracking and attendance features that provide more capability for the in-office environment, supporting more flexible working practices while ensuring staff members are equipped and remunerated according to their contract requirements.

Centralised HR Data Source

The cloud-based HR/Payroll solution represents a central pillar of truth for human resource data. This is crucial as businesses grow and evolve over time, ensuring that all departments and teams are working from a unified dataset that is updated in real-time.

Via the staff member portal and mobile app, teams can ensure that all their information is correct, relevant and up-to-date. From the HR end, human resource teams manage and verify this information, achieving a growing data source that scales alongside the business. The centralised solution can be configured and localised to meet the specific needs of the business.

hr on premise to sap successfactors 345397471

Effective C-Suite HR Reports

HR data needs to be more than just data — it needs to be a leverageable source of information with actionable insight at all levels. This means providing the applications and portals that staff members and HR managers can use to access the resource and backing this up with higher-level operations such as C-suite reporting.

This is one area in which SAP’s cloud-based HR solution can make a great deal of difference. At the C-suite level, executives can commission reports that draw upon up-to-the-minute data, gaining a supreme vantage point from which to view and analyse operations. In this light, the SuccessFactors platform is inherently useful for businesses from the top-down, enabling all stakeholders to get more from human resource procedures and data stores.

Cloud HR/Payroll in Action: SAP SuccessFactors Use Cases

How does the solution work in practice? What will migration from on-premise HR solutions to the SAP SuccessFactors cloud platform look like for your business? Let’s examine some use cases to learn more.

Providing and Managing Timesheets for Remote Teams

Employees need to be remunerated for their time. Businesses need to ensure that remuneration is delivered fairly and efficiently, streamlining the operational procedure. This is where mobile timesheets from the SAP SuccessFactors platform come in. Timesheets can be configured, customised and delivered without delay. From the employee side of things, staff members can complete and submit their timesheet via a mobile device, attaching any supporting documentation or resources.

Timesheets can then be approved, managed and audited by HR teams and by managers at other levels. The result is a far more efficient and transparent process for all stakeholders.

hr on premise to sap successfactors 331483441

Employee Mobile Access

Employees need to be able to do more than simply complete and submit timesheets. They will also need to manage and edit their existing HR data and complete other actions such as requesting leave. Traditional on-premise models have made this difficult and inefficient, but secure cloud platforms have revolutionised employee-HR interaction.

SAP SuccessFactors goes further, providing a dedicated employee app that integrates with the platform via a secure connection. Employees can use this to manage data and complete other business-critical actions without compromising data security.

C-Suite Report on the Move with Enhanced Mobility

We’ve already touched upon the benefit of a cloud-based solution for C-suite level reporting. However, executives and upper management teams also need to leverage the flexibility and agility of modern solutions. Reporting has always been possible with on-premise HR solutions — albeit slowly — but a forward-thinking solution needs to do more.

With SuccessFactors, C-suite level reporting is achievable on demand and on the move. Secure integrations with tablet and mobile apps mean that reports can be configured and commissioned with just a few taps of the touchscreen, putting insight at executives’ fingertips.

Modernise HR with SAP SuccessFactors

Moving your HR solutions from an on-premise model to the cloud becomes a seamless process with SAP SuccessFactors. Integrations with legacy solutions make sure of this, while innovative features unlock a wealth of potential for businesses.

Reach out to our team today to get started with this solution. We are the SuccessFactors experts, supporting you as you implement a more efficient, more effective, future-focused HR model for your business.

Oct 11 2021

What Can Employees Do with the SuccessFactors Mobile App?

SAP’s mobile-first strategy has unlocked a wealth of opportunities for its enterprise users. Rather than relying upon desktop platforms and other static solutions, organisations can improve the experience they provide by leveraging mobile software, such as the SuccessFactors Mobile App. In turn, operations become far easier to manage and the employee experience is greatly enhanced.

The mobile experience has also become critically important, particularly as the workforce in Australia and New Zealand grows younger and becomes increasingly comprised of digital natives. Smartphone penetration in Australia is expected to surpass 80% of the population in the coming years, making an offering like the SuccessFactors mobile app in the modern workplace.

Let’s learn more about the specifics of this mobile app, approaching it from the point of view of your team members as we examine what employees can do with the SuccessFactors application.

Manage HR Data

Within the SuccessFactors mobile app, employees can access the Core HR area. This is a portion of the mobile app that is designed to be employee-facing, giving team members the tools they need to manage their data and ensure it is up to date. They can achieve this via the Employee Self Service — or ESS — a feature that is built into the app. From here, team members can access and update personal information held in their Employee Central People Profile.

Complete and Edit Timesheets

The SuccessFactors app supports the completion, editing and submission of timesheets, ready for approval from management teams. Employees can complete their timesheets digitally, ensuring that all of their working hours are properly recorded and that they are remunerated for their time according to their contract. These timesheets are then viewable in the Manager Self Service — MSS — area of the app and can be approved or queried.

Case Study: Outsourced IT Maintenance

sap successfcators mobile app adobestock 8116129

For organisations that need to outsource specific aspects of their work, the importance of this timesheet feature becomes acutely evident. While some businesses may have a very simple salary structure, plus any required overtime, more dynamically structured firms will need to be able to manage timesheets from both sides, i.e. from the HR/management side as well as from the employee side.

Let’s take outsourced IT maintenance as an example. If an organisation has an ad hoc arrangement with a third party IT maintenance team, they will need to pay for the work carried out. This can become confusing with traditional timesheet solutions, as errors or discrepancies may not be noticed until after your company pays for services. With the SuccessFactors app, maintenance workers can edit and submit timesheets in real-time, gaining swift approval and eliminating errors along the way.

Request Leave

Employees are able to submit leave requests via the SAP SuccessFactors app, inputting the dates and duration of the leave and identifying the type of leave required. This leave may be part of the annual leave provided in their contract, or it may be a different kind of leave, such as paternity or maternity periods, which employees are legally entitled to. The employee can support their leave request with any documentation that may be required — for example, medical documents and doctor’s notes in the event that sick leave is required. Management can provide swift approval for leave requests, or ask the employee to provide further information — interactions that can be picked up in real-time via the app.

Access Pay Statements

It is useful for employees to be able to access digital pay statements and payment records. They can achieve this in the Employee Central area, using the Payroll Information feature to view pay statements. This feature is provided alongside the SAP SuccessFactors Employee Central Payroll, and the system will need to be properly configured and integrated before team members can gain access to payroll data via the application. Employees will not have access to Year to Date Gross and Net data via the Employee Central area, although this data will still be viewable by management and HR teams.

Complete Performance Goal Actions

The Mobile Performance and Goals area of the SuccessFactors app is primarily for management teams to create performance goal plans and to conduct and manage performance reviews. However, employees will be able to complete actions when prompted. If the employee is required to view and confirm goal and performance review data, they can use the mobile application to carry this out.

Access Training and Learning Features

The Learning Features area of the mobile application is similarly geared towards the creation and management of training and learning programs. However, employees will also be able to use this area to manage course enrolments and to approve and sign off on actions that have been completed.

Employees will be able to access learning and support content via this area of the app. The Learning Features section of the app integrates with Continuous Performance Management — CPM — to form the Improved Learning and Talent Experience feature, supporting the ongoing development of personnel.

Case Study: Logistics Fuel Benefits

To understand how the app’s training and learning features work in practice, we can examine a case study from the logistics industry. Employees in the logistics field have specific training and learning pathways based on the requirements of their role — a driver, for instance, will have different learning objectives to those of a maintenance worker. Employees can access specific learning modules and content based on their own needs, ensuring that only relevant content is delivered to them.

This is just one example, of course. The training and learning feature is broadly applicable and can be leveraged across a wide variety of different industry sectors.

Support Your Employees with the SAP SuccessFactors Mobile App

Digital technology puts a great deal of power into your hands — and into your employees’ hands too. With the SAP SuccessFactors mobile app, you can provide the very highest levels of support to your team as they go about their work.

Reach out to us today to get started. We are SuccessFactors experts, assisting you as you make life easier for your team members and achieve a better way of doing business.

Aug 04 2021

SAP SuccessFactors Talent Management

What comes to mind when you consider your business resources? Perhaps it is the capital you have at your disposal. Maybe it is the tech assets that drive your organisation forwards. Or it could be the infrastructure that supports your operations. All of these are key resources, but your personnel and your talent outshine all of this.

This is what makes talent management such a key consideration for modern businesses, which is why Talent Management modules from SAP SuccessFactors are so critical in achieving a competitive operational structure in the long term.

Key Benefits of Talent Management

We have put together some of the key benefits of an effective talent management strategy that can help your organisation.

Focus on Employee Development and Growth

Your employees need to be supported if they are to develop and grow over time. This means delivering the right tools, the right understanding, and the right training to employees in the field. Without this, your teams will still be able to do their jobs, but productivity and efficiency will suffer.

Talent management gives your business a way to keep on top of this ongoing development. With the insight derived from this kind of solution, training and growth become more straightforward. Upskilling opportunities are identified and capitalised on, while reporting and analysis assist with ongoing management of training and support.

Foster Engagement Among Employees

Talent management solutions are comprehensive and wide-ranging, covering all of your employees across each of your teams. However, conversely, this enables you to adopt a more personal approach to employee engagement and support.

With a talent management system handling the overarching data, you will be able to gain insight into individual employees. From here, you can provide the direct support and personal and professional goal-alignment that each individual needs to be fully engaged with and invested in your business.

This is critical for keeping hold of your team members, bolstering your business, and reducing the cost associated with hiring replacements.

Create an Effective Business Culture

Over time, talent management will begin to transcend the delivery of support and development. Rather than being a solution to help you to deliver this directly, it will become a cornerstone of your human resources strategy. In other words, high levels of employee support and engagement will become core elements of your business culture.

With talent management as part of your business identity, your productivity and agility will accelerate. This will help you to step ahead of your competitors.

Hire with Confidence

While a talent management system helps you to retain the talent that drives your business forwards, you can’t expect to keep hold of all of your personnel assets indefinitely. You will still need to hire new personnel eventually, and when you do, you need to be able to do this with confidence and decisiveness.

The solution will give you the data you need to achieve this. You will gain the insight required to identify where hires are necessary, as well as an understanding of the attributes you are looking for as you select and onboard new personnel. This is designed to remove much of the uncertainty from the process.

Improve Decision Making

The data insight achieved from a talent management solution goes beyond simply understanding your current teams and bringing in new hires to complement this. In fact, the system becomes a valuable data resource that will inform your strategies going forward.

With the reporting and analytical functions discussed above, you will be able to gain an accurate insight into how your business is performing and what needs to be developed or evolved. This data serves as fuel for decision-making and goal-setting, dramatically improving the efficiency of both.

SAP SuccessFactors Modules for Talent Management

The best talent management strategies are geared towards workforce optimisation. This means following the optimisation cycle of planning and outlining a strategy, identifying and acquiring talent, developing this talent, retaining team members and structures in the long term, and helping personnel assets to reach their full potential.

This is why increasing numbers of businesses are utilising the SAP SuccessFactors platform to achieve enterprise-level talent management. The platform features a number of different modules designed with this capability in mind.

Recruiting

Find and engage candidates from across the globe, identifying the hires that will benefit your business, and nurturing them in the right direction.

Treat candidates like client-side leads, fostering increased engagement and connection with your business. Then, deploy automation and workflow simplification capabilities to improve procedural efficiency.

Onboarding

eSignatures and digitised documents make it easy to secure new hires without the additional paperwork. What’s more, a user-friendly onboarding portal helps management teams analyse and monitor the whole process.

Onboarding and cross-boarding capabilities make it easy to bring in new hires and promote or move existing personnel into the optimal roles.

Performance and Goals

Support your employees as they set goals, and then deliver the required data to them so they can follow a proactive path towards goal achievement.

Performance reviews become more detailed and development-aligned thanks to the data from the solution. Meanwhile, action planning tools support better decision-making.

Compensation

Compensation has always been an important aspect of human resource management. With the SAP solution, you will be able to set rewards and deliver recognition for your personnel and manage their remuneration in an accurate and effective manner.

You will also be able to model optimal compensation programmes and implement these on an ongoing basis.

Learning

Put compliance training programmes in place and deliver educational resources to personnel as and when required.

The solution will help you to foster a profound culture of learning and development at the core of your business identity. From here, you will be able to extend enterprise learning to meet evolving needs.

Succession and Development

Manage the career paths of your employees, conducting talent reviews, and implementing calibration tools that help the right employees develop into the right roles.

Eliminate talent gaps in key roles by fostering an efficient pipeline of talent development.

Sales Performance Management

Sales Performance Management modules — such as SAP Commissions, SAP Territory and Quota, and SAP Agent Performance Management — assist your business as you keep on top of the performance of your teams in the field.

Put SAP SuccessFactors to Work for Your Business

Your team members are key resources for your business, and managing this resource is critical to your success. With SAP SuccessFactors’ Talent Management modules, this not only becomes easy to achieve but becomes a vital part of your business’s structure and identity.

Let’s begin. Reach out today and speak to our friendly and knowledgeable team of SuccessFactors experts. Together, we can optimise your teams and achieve formidable flexibility and capability.

Jun 24 2021

How to single sign-on, or not

Some background to SSO

Single Sign On has been around for years. The variant that most of us use with web-based tools is known as Security Assertion Markup Language (SAML) (often pronounced SAM-el or SAM-al). Specifically, the version 2.0 which has been an OASIS (Organization for the Advancement of Structured Information Standards) standard since 2005. There are other versions of SSO that you will probably have come across, but in the general market today there is an overwhelming support for SAML2.0. There is some movement toward using JSON Web Tokens (JWT) to manage SSO rather than SAML but for this discussion let’s just stick with the areas that are well defined!

SSO (both SAML or JWT based) depends on two different servers – the application (e.g. SAP SuccessFactors) and the identity provider (e.g. Microsoft Azure AD). The application (also known as the service provider or SP) and the identity provider (IdP) share some secrets with each other in the form of public key cryptography*. Each system knows the public key of the other system and uses this along with its own private key to sign messages. Thus, the two servers know when they are sharing messages securely.

There are two ways to initiate SSO – SP initiated (probably most common) and IdP initiated**. As the names suggest these are different in that SP initiated starts with the user accessing the application which then starts the authentication flow. In IdP initiated flows the user starts with a link to the IdP which then will forward the user to the application. What’s important for this discussion is that if the application uses deep links in, for example, emails sent from the system – e.g. a link to complete your performance review that will take you directly to the performance review document – then these will pretty much always trigger SP initiated SSO – because the link is to the application URL, not the IdP.

So how do we set this up when we need to have both SSO and Password users?

With the background out of the way – let’s discuss the particular situation which I’ve found a fair bit recently.

When implementing SAP IAS (Identity Authentication Service) for a few SAP SuccessFactors customer recently, they have needed the ability to be able to log into the system either via SSO (majority of users) or via password (small number of users). Mainly this has been triggered because not all of the users of the solution are in the main corporate IdP. With IAS, the possibility to enable multi factor authentication within the SAP tooling means that paying for an IdP subscription for these people isn’t necessarily worthwhile anymore from a security standpoint, so more customers taking this opportunity to not put all employees in the IdP.

IAS has two methods for enabling this possibility. Both are configured in the conditional authentication area of the application configuration in IAS.

Option A

In the first set-up, you configure IAS to pass all authentication requests to the IdP. To make things easier to follow let’s call this “Option A”. This means that if a user is logged into the IdP they get “true” SSO – no need to enter anything and they are logged into SAP SuccessFactors (as long as they are already logged into the corporate IdP – which for AS. For those users that are not in the IdP there is the possibility to enable an additional “Allow Identity Authentication Users Log On” setting which gives a URL that users can then use to use password login to IAS.

Option B

In the second setting, let’s call it “Option B”, we enable rules in the conditional authentication that directs those users that are part of an SSO group to the corporate IdP for SSO and those users that are part of the password group (i.e. not in SSO group) to use IAS.

Generally, I would define a Password group so that I can set risk-based authentication rules to force all password users to require the use of Multi-Factor Authentication (MFA).

I set up the different groups in IAS based on the existing login method field in SAP SuccessFactors, it’s fairly easy to do***, you can still find some of the details on the SuccessFactors IAS/IPS setup help site about the IPS transformations that may be needed.

Differences in User Experience

In Option A if you do have users that are not in the corporate IdP then deep links will only work for them if they log into SuccessFactors/IAS first via the special link.

In the second setup, Option B, all users must enter their email address/username before they are redirected to SSO via corporate IdP or password login.

To mitigate the second setup not having “one-click” access to SAP SuccessFactors for already signed-in users, it is possible to use IdP initiated SSO as the “link” to use for most users to log into SAPSF.

saml sign on — SAP SuccessFactors SAML Sign On

The entry of email address/username cannot be totally avoided however as, users would still need to do the “enter email address” step if they followed a link sent in an email – as this would do SP initiated login, redirect to IAS not corporate IdP.

This said, IAS does retain the last username/email that you logged on with and save this as a persistent cookie with 90-day lifetime and pre-populate the login details… so other than the first time a user logs in, it’s likely that with Option B users will only need to click/press one extra button to redirect to corporate IdP (and then log in there, if not already) for SSO in to SuccessFactors.

It is worth considering not even using the corporate IdP initiated login for option B just to ensure that the login experience is consistent between following a link in an email and the “portal” or “homepage” link experience. It will depend on how much value is put on ease of login vs. consistency.

Configuration option	User Type	Experience – link from main company portal page	Experience – link from deep link (to specific area of SAP SuccessFactors)	How Good?
Option A default Corporate IdP login	SSO	One click and in (if you’re already logged into corporate IdP)	One click and in (if you’re already logged into corporate IdP)
Option A default Corporate IdP login	Password	Need to have “special” link for these people can’t use same link	Issue as user not in IdP, need to remember to follow special link first to log into SuccessFactors, then click deep link
Option Bdefault IAS login	SSO	Either set up different IdP initiated login link for these people, then one click and in (if logged into Corp IdP), or user prompted to enter email address (which may be defaulted if they entered it in last 90 days and haven’t cleared their cookies)	User prompted to enter email address (which may be defaulted if they entered it in last 90 days and haven’t cleared their cookies) then in (if already logged on to corporate IdP)
Option Bdefault IAS login	Password	user prompted to enter email address (which may be defaulted if they entered it in last 90 days and haven’t cleared their cookies) then prompted to enter password.	user prompted to enter email address (which may be defaulted if they entered it in last 90 days and haven’t cleared their cookies) then prompted to enter password.

What do SAP recommend.

Well, until I gave this doc to my good friends at SAP (Vish G, Paul T and Marko S) to review to see if I’d made some errors, I had to go by the details in the SAP help documentation:

where it says you have two options.

“Option A: Define the Corporate Identity Provider as Default Authentication IDP for the SAP SuccessFactors Application”

But for some reason, in a most Monty Pythonesque way – there is no Option B.

By the time you read this there may well be an option B in the documentation.

There also is one note/KBA 2954556 “How to implement Partial SSO after IAS implementation on SuccessFactors” where SAP are recommending using Corporate IdP and alternative link approach. Strangely enough, just like the current help doco they don’t even mention that there are other possibilities in that KBA. (Again, with a little bit of a luck, hint, or push, it may well be that this also changes by the time you check out that KBA).

Either way, at the moment, it’s not really a recommendation, more an explanation of different possibilities. Recommendations, it seems are left for opinionated people like me to deliver!

So, what do I recommend?

If you only have a handful of non-SSO users, potentially consultants supporting your system or other people who understand that they are “special” and need to behave in a special way to use the system, then use the corporate IdP as the default identity provider (Option A). Otherwise, use the IAS with conditional authentication (Option B). I’d recommend that you don’t use an IdP initiated login link, as it won’t work for password users and will likely cause confusion when deep links behave differently. I’d only suggest using the IdP initiated login link if there is an expectation from the senior executive sponsors of the solution that it should be “one click and in” and they don’t seem receptive to the various details I’ve mentioned – they just hear “Techno babble, blah, blah blah, excuse why you can’t make it do what I was told by the sales people that it could do… blah blah blah.” I’ve seen some of those situations, logic can’t help you, just give them the IdP initiated login link.

That’s all folks

Hopefully, that was useful! It seems this was a slightly shorter post that I was fearing it was going to be before I started writing! If there’s anything you’d like to follow up on or ask – please do post a question in the SuccessFactors community, there are no doubt many people who have been through the fun of IAS implementations who can offer advice, including myself.

If you looking for more info – start at the SuccessFactors community post about IAS – https://community.successfactors.com/t5/Platform-Resources-Blog/Migration-to-SAP-Cloud-Identity-Authentication-With-IAS-IPS-from/bc-p/272831 and check out all the links there. Read all the comments and questions that others have asked, and others have answered.

Then if you have more questions, please come to one of the weekly Office Hours, where you can ask questions and hopefully have them answered. The team from SAP are super knowledgeable and super friendly and are just waiting to help you be successful. (And I might be there too being opinionated if you join the APJ time-zone friendly session!)

This article was originally published on the SAP SuccessFactors community website.

*Explaining how public key cryptography works is way beyond the scope of this post, and there are hundreds of people who’ve done great work doing this. If you don’t understand public key cryptography, do yourself a favour and go and research it. It is the tooling which underpins most of the internet. It’s not that hard a concept! I wrote a simple RSA encryption algorithm for a game my friends and I were playing where we had to pass a floppy disk between us to take turns back when I was 13 so that we could send each other messages secure in knowledge that the others couldn’t read the messages. Given that I wrote the code in GW-BASIC which only handled 16bit integers, I’m pretty sure one of my friends could have brute-forced the codes… but this is pointless reminiscing, the point is, just go and learn how it works!

**There is a case that can be made that IdP initiated SSO is less secure than SP initiated SSO because it can more easily be used in man-in-the-middle attacks. However, given that all applications and IdPs would be using HTTPS (TLS) to encrypt their communications, if a MITM attack can intercept the authentication assertion, you’ve got bigger problems than your SSO being compromised.

*** Okay, it’s easy for me because I’ve done it lots of times! If this is the first time that you’re trying this, yes it isn’t easy. Sorry! I’m not going to go into the details of what you need to modify in your IPS setup to enable the split between password and SSO groups and even sending different email notifications (or not) to the two different groups, that’s probably a decent sized post just by itself. Stay tuned though as I’m planning to put something together for my next presentation at SAP Australia User Group Summit on this.