Overview
SAP Cloud Identity Services (CIS) is a robust suite of tools designed to manage identity and access across the SAP ecosystem. This blog explores how CIS integrates with SAP SuccessFactors, focusing on hybrid integration patterns that enable seamless user authentication and identity provisioning in complex enterprise landscapes.
There are three primary flavors of integrating SAP SuccessFactors with SAP Cloud Identity Services:
- Standard Integration (Recommended)
- Proxy Integration using CIS (external IdP as authentication provider)
- Hybrid Integration using CIS (external IdP, or both external IdP and CIS, as authentication provider) without SF being the source of user records to CIS
Option 1: Integration Between SAP SuccessFactors and SAP CIS (Standard)

This is the most recommended method, fully aligned with SAP’s best practices for managing user identities. It involves the following steps:
- Integrate SAP SuccessFactors with Identity Authentication: Run the upgrade job in the SAP SuccessFactors Upgrade Center to enable features and establish trust between SF and CIS.
- Confirm that user sync is set up in Identity Provisioning in SAP Cloud Identity Services: Set up sync jobs with Identity Provisioning. Ensure that the user that is configured in the Identity Provisioning
- Review the default configurations: Review the default configuration of the Identity Authentication service to determine if it meets your requirements or if additional configuration is required.
- Additional configuration of optional features: Configuration options in Identity Authentication include password policy settings, single sign-on (SSO), etc.
- Activate Identity Authentication (IAS): Turn on the Identity Authentication service.
This ensures standardized, low-effort configuration and a consistent integration experience.
Option 2: Using SAP CIS as a Proxy (Standard)
Many enterprises already use external identity providers (e.g., Azure AD, Okta) and want to continue doing so while adopting SAP applications.
By integrating the external IdP with CIS, organizations can:
- Maintain centralized identity governance.
- Enable secure authentication across SAP SuccessFactors, SAC, and Joule.
In this approach, CIS acts as a proxy and user authentication is handled by the external identity provider (Entra, Okta, etc.). CIS may or may not have user records in its internal store, depending on your requirements. Federation can be used if user records exist. Syncing user records to CIS unlocks features like SAC and future innovations such as SAP Joule, as the records are a key prerequisite for access. This option is ideal for customers who want minimal disruption to their existing identity infrastructure while gaining access to SAP's innovation roadmap.
Option 3: Hybrid Integration — Using SAP CIS as a Proxy Without Standard SF User Sync
The rest of this blog focuses primarily on this hybrid model.

Key Characteristics:
- SAP SuccessFactors is not the user provisioning source.
- CIS can act as a proxy, or as both proxy and IdP.
- User profile data is synced to CIS from a different (external) source to enable:
  - Access to services like SAP Analytics Cloud (SAC) and SAP Joule
  - Federated authentication via external IdPs
This method provides the flexibility to keep an external identity manager managing users in the enterprise while using SAP CIS to enable access to SAP applications and to new features and innovations.
Understanding Standard Integration Behavior
SAP’s standard SF-to-CIS integration includes two background jobs (when SAC exists):
Job 1: User Sync from SuccessFactors to IAS
- Reads user data from SF.
- Creates users in CIS.
- Generates a Global User ID and stores it in personKeyNav/GlobalUserId in SF.
- Populates CustomAttribute1 if the user has SAC access permissions.
Job 2: Sync to SAP Analytics Cloud (SAC)
- Reads user data from SF and syncs only users with access to embedded analytics to SAC.
- Prevents SAC user creation for ineligible accounts.
Adapting the Integration for an External Data Source
If you’re not syncing users from SAP SF (i.e., you use an external data source such as an identity manager), the standard jobs need to be customized to use IAS as the source and SAC as the target. It is very important that only users who have permission to use embedded analytics are synced to SAC. This check can be done either inside the sync job or at the source level (by populating the custom attribute only if the user has permission to access SAC).
To configure this job, you can modify the existing target or create a new one. If creating a new target, an SAP support ticket is required to set credentials (OAuth token URL, Client ID, and Secret).
Step-by-Step: Hybrid Integration with External Source
- Integrate SAP SuccessFactors with Identity Authentication: Run the upgrade job in the SAP SuccessFactors Upgrade Center to enable features and establish trust between SF and CIS.
- Review the default configurations: Review the default configuration of the Identity Authentication service to determine if it meets your requirements or if additional configuration is required.
- Create Admin User for SCIM Access: Use SCIM APIs to push user records from the external system.
- Retain Global User ID (Optional): If needed, set the Global User ID in CIS to a unique external ID or let the system generate one. This Global User ID needs to be updated in SF at personKeyNav/GlobalUserId.
- Sync to SAC: Run a custom job (IAS → SAC) to:
  - Check SAC access rights.
  - Create users accordingly.
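The eligibility check that the custom IAS → SAC job has to make, shown as an added example (it is not SAP's job or transformation code). The SCIM extension URN, the attribute-array layout, the rule that a populated value means SAC access, and the exclusion of inactive users are assumptions; the sample records are constructed.

```python
# Added example: selects which IAS users the custom IAS -> SAC job may create in SAC.
# Assumptions (not from the original post): the SCIM extension URN below, the
# "attributes" array layout, and that a non-empty value means "has SAC access".
CUSTOM_EXT = "urn:sap:cloud:scim:schemas:extension:custom:2.0:User"


def custom_attribute(user, name):
    """Return the stripped value of the named custom attribute, or None."""
    attrs = (user.get(CUSTOM_EXT) or {}).get("attributes") or []
    for attr in attrs:
        if attr.get("name") == name:
            value = (attr.get("value") or "").strip()
            return value or None
    return None


def select_sac_users(users, access_attribute="customAttribute1"):
    """Return (eligible userNames, {userName: skip reason}) for SAC provisioning."""
    eligible, skipped = [], {}
    for user in users:
        name = user.get("userName", "<no userName>")
        if not user.get("active", False):
            skipped[name] = "inactive"  # assumption: never provision inactive accounts
        elif custom_attribute(user, access_attribute) is None:
            skipped[name] = f"{access_attribute} not populated"
        else:
            eligible.append(name)
    return eligible, skipped


# Constructed sample records, shaped like SCIM user resources read from IAS.
SAMPLE_USERS = [
    {"userName": "analyst1", "active": True,
     CUSTOM_EXT: {"attributes": [{"name": "customAttribute1", "value": "SAC"}]}},
    {"userName": "hr_user", "active": True},  # no custom extension at all
    {"userName": "blank_attr", "active": True,
     CUSTOM_EXT: {"attributes": [{"name": "customAttribute1", "value": "  "}]}},
    {"userName": "leaver", "active": False,
     CUSTOM_EXT: {"attributes": [{"name": "customAttribute1", "value": "SAC"}]}},
    {"userName": "analyst2", "active": True,
     CUSTOM_EXT: {"attributes": [{"name": "customAttribute3", "value": "SAC"}]}},
]

if __name__ == "__main__":
    ok, skipped = select_sac_users(SAMPLE_USERS)
    print("create in SAC:", ok)
    for user, reason in skipped.items():
        print("skip", user, "-", reason)
```

Passing a different `access_attribute` covers the case where the access flag lives in a custom attribute other than CustomAttribute1.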
Addressing Common Technical Challenges in Hybrid Integration
1: Managing Different Subject Name Identifiers (SNI) Across Applications
In hybrid, multi-application environments, it’s common for login identifiers to vary across systems. SAP CIS supports multiple Subject Name Identifiers (SNI) per application, allowing flexibility. Where the CIS login name is already used as the identifier by another application and does not have the same value as the username in SF, any other supported field can be used for the SNI.
For SAP SuccessFactors (SF), it’s essential that the runtime value of the SNI aligns with the SF username field to enable proper user identification.
Note: Expression-based SNI mapping is supported, but functionality is currently limited. Use with caution and review the configuration thoroughly before implementation.

2: Can SAP Analytics Cloud (SAC) Work Without a Direct Sync from SF to CIS?
Yes. Although syncing from SF is recommended, SAC does not require a direct user synchronization from SF. However, there’s a critical requirement to enable user access:
Ensure CustomAttribute1 is correctly populated, as it is used to determine analytics access. Regardless of the data source, this attribute must be synced to SAC via CIS.
3: Can CustomAttribute1 Be Replaced with Another Attribute?
Absolutely. CustomAttribute1 is just a label. In SAP CIS, custom attributes are internally stored as an array, offering flexibility in how they’re used.
If you choose to use a different custom attribute:
- Ensure the transformation logic is updated accordingly, and confirm that consuming applications (e.g., SAC) are configured to read the new attribute.
- Update the SNI mapping to reference the correct custom attribute.


4: Connecting Multiple SF Tenants to a Single CIS Tenant (with SAC for Each SF)
Connecting multiple SuccessFactors tenants to the same CIS tenant, each with its own SAC instance, is technically possible but not recommended. This setup introduces significant complexity in managing user states across tenants.
Conclusion
Integrating SAP SuccessFactors with SAP Cloud Identity Services offers flexibility, security, and alignment with SAP’s innovation roadmap. Whether through standard integration or a hybrid identity landscape using external IdPs, these methods empower organizations to centralize access control, reduce redundancy, and prepare for emerging technologies like SAP Joule.