The implementation of People Analytics will lead to a change within the application landscape. This change is part of the new strategy of SAP to which all organizations shall migrate in the future. People Analytics, a product of SAP Analytics Cloud is embedded within SuccessFactors; this means that two applications are combining forces. The data from SuccessFactors and the reporting features from SAP Analytics Cloud.
In order to let this combination function optimally it’s necessary that users can easily switch between the two applications without having to log in again. By using Single Sign-On (SSO), People Analytics can be used within SuccessFactors.
To setup this SSO connection (Steps 1 to 4) and to successfully complete the implementation of People Analytics (steps 5 and 6), six implementation steps are listed:
- Implementing an upgrade which – if not activated – creates the SAP Identity Authentication Service and SAP Identity Provisioning Services tenant;
- Configuring the SAP Identity Authentication Service (IAS);
- Configuring the SAP Identity Provisioning Services (IPS);
- Implementing an upgrade which validates the configuration and integration of both the IAS and IPS with SuccessFactors;
- Implementing an upgrade which makes People Analytics available in SuccessFactors and provides access to the SAP Analytics Cloud tenant;
- Granting authorizations to the correct people within SuccessFactors.
Corporate IDP (optional)
Organizations using their own Corporate Identity Provider and log in through (partial) SSO to SuccessFactors, must apply several changes to the integration landscape. As the access to the various SAP Cloud application will handled by the IAS tenant, the Corporate IDP must be connected with the IAS tenant instead of SuccessFactors. In order words, the route for logging in will no longer go directly from the Corporate IDP to SuccessFactors, but will first pass through the IAS.
For SuccessFactors this means that Partial SSO will no longer be available and that the login page is replaced with the login page of IAS. After all, both have become obsolete as a result of this redesign of SAP. The end user will hardly notice this. Logging in from Corporate IDP to SuccessFactors remains available in one of two ways:
- Single Sign On
- Anyone who logs in to the corporate IDP can log in to SuccessFactors without having to log in again.
- Partial Single Sign On
- With Partial Single Sign On, there are multiple ways for the end users to log in. For example, It’s possible to log in through the corporate IDP or by entering a password on the login page of the IAS.
SAP Identity Authentication Service (IAS) (required)
IAS is the new Identity Provider of all SAP Cloud applications. This means one central place to log in for all SAP Cloud applications. SAP chose this because the IAS tenant can offer more for topics such as self-service, security and log in methods. Think of two factor authentication, Single Sign-on and Social Sign-on.
Additionally, IAS provides functionality to:
- Adopt the organization’s password policy (SuccessFactors password policy becomes obsolete);
- Send custom emails, such as a welcome email for first time users;
- Set up a custom login page for each Cloud application (for example SuccessFactors).
SAP Identity Provisioning Services (IPS) (required)
The IPS is the link between the various applications. The IPS is used to synchronize and validate users from one application (source: SuccessFactors) to another (target: IAS and SAC).
In practice, this means that when an employee is created within SuccessFactors, the IPS will make sure that this employee is also created within the IAS and SAC. Important to realize with this is the fact that the IPS tenant only creates users within IAS and SAC which have a unique email address and username, and for which the surname has been registered. If this is not the case, then the user is not created and will it not be possible to login to SuccessFactors.
In addition, the IPS tenant by default does not migrate the passwords from SuccessFactors. This is a specific part of the configuration which must be set up in the IPS. After this is set up, the password of the user trying to log in to the IAS will be mapped with the password policy in the IAS. If the password doesn’t comply with the policy, the employee will be asked to change his or her password.
SAP Analytics Cloud (SAC) (required)
After the IAS and IPS tenant is configured and validated through the upgrade (steps 1 to 4), it’s possible to active People Analytics within SuccessFactors (steps 5 and 6). The result of this upgrade is not only the addition of a new reporting tile within SuccessFactors (Story), but is SAP Analytics Cloud also added within the IPS tenant as target system. Good to know, because it may happen that this has not yet been enabled and therefore no users have been created within SAC. Consequence; users in SuccessFactors cannot use People Analytics – Story.
This blog is part of a series in which the impact of People Analytics and how the tooling can be used is explained. In the next part of the series we will dive deeper into the functional possibilities of People Analytics – Story.
SuccessFactors People Analytics Consultant at Nextmoves
Innovation Lead at Nextmoves