SAP SuccessFactors HXM Core, SAP Business Technology Platform

SAP BTP SuccessFactors Work Zone Setup with SuccessFactors Sales4Demo Instance Part 1

webadmin

Introduction:

In this blog post of Part 1 you will learn about setting up SAP Success Factor Work Zone with your SAP Success Factor tenant pre-requisites steps.

SAP SF RM Certification Preparation Guide

SAP SuccessFactors Work Zone is a solution available through SAP SuccessFactors and offers a prepackaged experience specifically to address the needs of HR organizations based on SAP Work Zone. The SAP SuccessFactors Work Zone solution is a superset of SAP Work Zone plus additional functionality such as workflow and mobile services.

SAP SuccessFactors Work Zone offers the following extended capabilities:

  • UI integration cards

Preconfigured cards that provide direct integration into SAP SuccessFactors application to surface relevant employee-centric information and support a deep link into the SAP SuccessFactors HXM Suite in one click. You can use integration cards to display information from SAP SuccessFactors applications on a unified page, such as employee profile, organization chart, and time off balance.

  • Guided experiences

Workflow-based cards that help you go through otherwise complex process that could span multiple different systems. You can use guided experiences to perform some tasks, such as giving a spot award to recognize your colleague, or develop a return-to-workplace plan after COVID-19.

  • Workspace templates

Configurable templates for a variety of purposes including a variety of pre-defined cards. You can use these templates to create workspaces conveniently.

Part 1 : Configuration Pre-Requisites for Steps Of SAP BTP Success Factor Work Zone Setup –

  • Subscribe to SAP SuccessFactors Work Zone
  • Configure Trust Between SAP Cloud Identity – Identity Authentication and SAP BTP, Cloud Foundry Environment
  • Create Groups in the Identity Authentication Service and Assign Users
  • Create a Role Collection for Accessing XSUAA
  • Map Identity Authentication Groups to a Role Collection
  • Create Service Key & Service Instance for SAP Success Factors Work in your SAP BTP Subaccount
  • Connect your Subaccount to IPS

Part 2: Configuration Pre-Requisites before running Work Zone Configurator-

There are two ways to do the Pre-Requisites of Work Zone Configuration as mentioned below –

  1. Create a new tenant.
  2. Create a tenant based on an existing SAP Jam tenant.

Here we will go with Option 1 for doing the Pre-Requisites for Work Zone Configurator.

Below are the required steps involved while going with Option 1 i.e. Create a New tenant –

  • Create a Destination to SAP SuccessFactors.
  • Set up Environment.
  • Configure IAS and IPS service for Source & Target System.

Part 1 Setup Process Initialized :

  • Subscribe to SAP SuccessFactors Work Zone –

In SAP BTP cockpit, go to the Instances and Subscriptions screen of your subaccount, click Create, and add a subscription to the SAP SuccessFactors Work Zone service.

  • Configure Trust Between SAP Cloud Identity – Identity Authentication and SAP BTP, Cloud Foundry Environment

1. In the SAP BTP cockpit, go to Security & Trust Configuration.

2. Choose the option that is applicable to you:

  • Subaccounts running on Feature Set A: Set all active trust configurations to inactive, including the default trust configuration to SAP ID Service.
  • Subaccounts running on Feature Set B: You can’t deactivate the default identity provider. Instead, edit this entry and disable the options Available for User Logon and Create Shadow Users During Logon.

In our case Subaccounts running of Feature Set B so disable the option Available for User Logon and Create Shadow Users During Logon i.e. uncheck the boxes.

3. Exchange the metadata files between SAP BTP and the Identity Authentication service as described below :

  • Login to the IAS admin console & navigate to Application and Resources —>Tenant Settings—>SAML 2.0 configuration to download the metadata of your IAS tenant by clicking on Download Metadata File.
  • Now Login to your SAP Success Factor Work Zone BTP Subaccount & navigate to Security —>Trust Configuration to add New Trust Configuration.
  • Choose New Trust Configuration & click on Upload to upload the metadata file downloaded in above step.
  • Click on Save.

In the cockpit, download the service provider SAML metadata file. Open the link https://<subaccount_subdomain>.authentication.<region_host>/saml/metadata

<subdomain> is part of the subaccount details in the cockpit.

<region_host> is the API endpoint without api.cf..

  • When you are prompted, save the XML file on your local file system. This file contains the SAML 2.0 metadata describing SAP BTP as a service provider.
  • Now in IAS Applications & Resources –> Applications
  • Choose the +Add button on the left-hand panel, and enter the name of your subaccount & Save.
  • Configure the SAML 2.0 trust with the subaccount as a service provider. To do so, proceed as follows:
  1. On the left-hand side, choose the newly created application, and then choose Trust.
  2. Choose SAML 2.0 Configuration.
  3. Upload the metadata XML file of your subaccount that you have downloaded in Step 6.On service provider metadata upload, the fields are populated with the parsed data from the XML file.
  4. Save the configuration settings.
  1. In the Identity Authentication service, go to Applications & Resources Applications, and click +Add to add a new application from type SAP BTP Solution.

5. Open the SAML 2.0 Configuration editor of the application you’ve created, and paste the service provider metadata file that you’ve downloaded from the configurator.(Screenshot below). Save your changes.

6. Open the Subject Name Identifier editor of the application, and change the basic configuration attribute from User ID to User UUID & Save.

7. Click Assertion Attributes.

  • Click +Add.
  • Add the user attribute Groups from the list.
  • In the Assertion Attribute column, change the value groups to Groups (must start with an upper case letter), and save.
  • Add another Assertion Attributes
    • Click +Add.
    • Add the user attribute User UUID with the value user_uuid.

8. Click Default Attributes.

  • Click +Add.
  • Add a new attribute Groups (must start with an upper case letter) with the value Workzone_User_Type_${type}.
  • Add another Default Attributes
    • Click +Add
    • Add a new attribute sfsf_userid with the value ${customAttribute}
  • Create Groups in the Identity Authentication Service and Assign Users
  1. Login to your IAS Admin console.
  2. Click on Users and Authorization —> User Groups
  3. Choose the User Groups tile.
  4. Click + Add to add the following groups:
  • Workzone_Admin
  • Workzone_Area_Admin
  • Workzone_Support_Admin
  • Workzone_Page_Content_Admin
  • Workzone_End_User
  • Workzone_User_Type_public

5. Choose the User Management tile.

6. Assign yourself to the Workzone_Admin group.

  • Create a Role Collection for Accessing XSUAA

In this step, you’ll create a role collection for accessing XSUAA, which is required for setting a trust.

  1. In the SAP BTP cockpit of your subaccount, go to Security–>Role Collections.
  2. Click New Role Collection.
  3. Specify a name such as XSUAA_Access_RoleCollection, and click Save.
  4. Edit the new role collection, and in the Roles section, select the role name XSUAA_Access from the list.
  5. Click Save.
  • Map Identity Authentication Groups to a Role Collection
  1. In the SAP BTP cockpit, go to Security Trust Configuration.
  2. Click the Active trust configuration link.
  3. Go to the Role Collection Mappings screen.
  4. Add a new role collection mapping. In the dialog that opens, select a role collection and assign it to an Identity Authentication group In the Attribute field enter Groups :
  • Create Service Key & Service Instance for SAP Success Factors Work in your SAP BTP Subaccount

Navigate to instance & Subscriptions , click on Create to create Service Key & Service Instance.

  • Connect your Subaccount to IPS

SAP SuccessFactors Work Zone uses the Identity Authentication service as the user management system, and the Identity Provisioning service as the user provisioning system.

To be able to use Identity Provisioning for user and user group provisioning, complete the following procedure:

  1. In the SAP BTP cockpit, Services Instances and Subscriptions, open the Subscriptions tab.
  2. Click the (Actions) next to the SAP SuccessFactors Work Zone entry, and then select Go to Application.
  3. In the Work Zone Manager, open the Settings screen from the left-side menu.
  4. Go to the Identity Provisioning tab, and click the Connect button.
    • If your subaccount is not yet connected to the Identity Provisioning service, a new tenant will be created for your subaccount, and it will include the SAP SuccessFactors Work Zone connectors. In addition, a connection will be created between the Identity Authentication service and the Identity Provisioning service.
    • If your subaccount already has an Identity Provisioning tenant connected to the Identity Authentication service, clicking Connect will expand the scope of the tenant to include the SAP SuccessFactors Work Zone connectors.

In case of not getting connection kindly raise an OSS to SAP to connect it under component “EP-CPP-CF-IPS”.