Integrating SailPoint with

SuccessFactors Connector
Version: 8.2 Patch 2

This document and the information contained herein is SailPoint Confidential Information
Copyright and Trademark Notices
Copyright © 2022 SailPoint Technologies, Inc. All Rights Reserved.

All logos, text, content, including underlying HTML code, designs, and graphics used and/or depicted on these written
materials or in this Internet website are protected under United States and international copyright and trademark laws
and treaties, and may not be used or reproduced without the prior express written permission of SailPoint Tech-
nologies, Inc.

"SailPoint," "SailPoint & Design," "SailPoint Technologies & Design," "Identity Cube," "Identity IQ," "IdentityAI," "Iden-
tityNow," "SailPoint Predictive Identity" and "SecurityIQ" are registered trademarks of SailPoint Technologies, Inc.
None of the foregoing marks may be used without the prior express written permission of SailPoint Technologies, Inc.
All other trademarks shown herein are owned by the respective companies or persons indicated.

SailPoint Technologies, Inc. makes no warranty of any kind with regard to this manual or the information included
therein, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
SailPoint Technologies shall not be liable for errors contained herein or direct, indirect, special, incidental or con-
sequential damages in connection with the furnishing, performance, or use of this material.

Patents Notice. https://www.sailpoint.com/patents

Restricted Rights Legend. All rights are reserved. No part of this document may be published, distributed, reproduced,
publicly displayed, used to create derivative works, or translated to another language, without the prior written consent
of SailPoint Technologies. The information contained in this document is subject to change without notice.

Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii)
of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and sub-
paragraphs (c)(1) and (c)(2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for
other agencies.

Regulatory/Export Compliance. The export and re-export of this software is controlled for export purposes by the U.S.
Government. By accepting this software and/or documentation, licensee agrees to comply with all U.S. and foreign
export laws and regulations as they relate to software and related documentation. Licensee will not export or re-export
outside the United States software or documentation, whether directly or indirectly, to any Prohibited Party and will not
cause, approve or otherwise intentionally facilitate others in so doing. A Prohibited Party includes: a party in a U.S.
embargoed country or country the United States has named as a supporter of international terrorism; a party involved
in proliferation; a party identified by the U.S. Government as a Denied Party; a party named on the U.S. Department of
Commerce’s Entity List in Supplement No. 4 to 15 C.F.R. § 744; a party prohibited from participation in export or re-
export transactions by a U.S. Government General Order; a party listed by the U.S. Government’s Office of Foreign
Assets Control as ineligible to participate in transactions subject to U.S. jurisdiction; or any party that licensee knows
or has reason to know has violated or plans to violate U.S. or foreign export laws or regulations. Licensee shall ensure
that each of its software users complies with U.S. and foreign export laws and regulations as they relate to software
and related documentation.
Contents

Integrating SailPoint with SuccessFactors 1

Supported Features 1

Prerequisites 2

Required Permissions 3

Upgrade Considerations 4

Connecting SailPoint and SuccessFactors 6

Enable the SOAP API 6

Register a Client Application in SuccessFactors 6

Picklist Configuration 7

Configuring the Connector in SailPoint 12

Configuration Parameters 12

Schema attributes 15

Account Attributes 15

Group Attributes 18

Provisioning Policy Attributes 19

Additional Parameters 19

Customizing Attribute Mapping 21

Mapping Attributes for Aggregation 21

Enabling Logging 25

Enabling a Welcome Message 26

Troubleshooting 27
Integrating SailPoint with SuccessFactors

Integrating SailPoint with SuccessFactors

Connecting SailPoint to your SAP SuccessFactors Employee Central module allows you to seamlessly automate your
Joiner, Mover, and Leaver functions. This guide provides the information you need to configure bidirectional usage of
SuccessFactors in SailPoint either as a managed resource or a source of identity data. You can use this connector to
manage both users and employees.

Employee Central and user management modules must be enabled in SuccessFactor to use this SailPoint connector.
For additional prerequisites, see Prerequisites.

SailPoint aggregates the following information:

l person
l personal_information
l address_information
l email_information
l phone_information
l employment_information
l job_information

Supported Features
SailPoint SuccessFactors Connector supports the following features based on account types:

Operations Users Employees

Aggregation Yes Yes

Get Account Yes Yes

Create Yes No

Update* Yes Yes

Delete No No

Enable/Disable Users Yes No

Set Password Yes No

Add/Remove Entitlements (Static Group) Yes Yes

Group Management

Manages SuccessFactors Roles as Account-Groups

Yes Yes
Manages SuccessFactors Group as Account-Groups

Aggregation, Refresh Groups

SailPoint SuccessFactors Connector 1

Integrating SailPoint with SuccessFactors

For user management, SuccessFactors connector also provides support for provisioning of additional
schema attributes.
Update operation is supported only for the list of attributes mentioned in Provisioning Policy Attributes.

For Employee Management, the identity status is mapped to EmployeeStatus and for User Management it
is based on User.Status.

Supported Use Cases

l Full Account Aggregation
l Single Account Aggregation
l Full Group Aggregation
l Single Group Aggregation
l Create Account Provisioning
l Update Account Provisioning
l Enable / Disable Account Provisioning
l Unlock Account Provisioning
l Change Account Password

Customization Rule (Applicable only for Employees)

Modify Rule

The rule name is defined as Example Rule For Modifying Attributes In SuccessFactors. This is a sample rule to
assign and update the E-mail, Phone numberand User Name.

Prerequisites
Configuration details for this connector may vary not only by release version but also by patch version. Be
sure to refer to the correct documentation for your specific release and patch level.

Employee Central and user management modules must be enabled in SuccessFactor to use this SailPoint
connector.

To perform connection tasks, you must have the following permissions for the Manage Integration Tools category:

l Administrator access to OData API

l Manage OAuth2 Client Application

SailPoint SuccessFactors Connector 2

Integrating SailPoint with SuccessFactors

Required Permissions
For specific operations, you need these required permissions for SuccessFactors Connector:

Operation Required permissions

Test Connection Test Connection

Aggregation Test Connection and Aggregation

Provisioning Test Connection , Aggregation and Required Permissions

Test Connection

Category Permission

General User Permission SFAPI User Login

Employee Central API Employee Central HRIS SOAP API

Aggregation

Category Permission

Manage User Employee Export

Metadata Framework Admin access to MDF OData API

Manage System Properties Picklist Management and Picklists Mappings Set Up

Employee Central Foundation OData API (read-only)

Employee Central API Employee Central HRIS OData API (read-only)

NA Manage Role-Based Permission Access

Provisioning Permissions

Category Permission

Manage User Import Employee Data

Employee Central API Employee Central HRIS OData API (editable)

Assigning Permissions to a Role In SuccessFactors

These steps provide the basic information for assigning permissions to a role in SuccessFactors. See the Suc-
cessFactors User Assistance Documentation for current detailed information about role-based permissions.

1. In the Permission Settings section, click the Permission button to specify the permission you want to assign
to the role.
The Permission Settings window appears.

SailPoint SuccessFactors Connector 3

Integrating SailPoint with SuccessFactors

2. On the left side of the page, are the different permission categories. Click a permission category to reveal the dif-
ferent permissions.
The list of permissions associated with this category appears.

3. Select the checkboxes for the permissions you'd like to grant to the role.

4. Click the Done button when you finish marking your selections.

5. Click Save Changes.

Providing Permissions to Service Accounts

To perform the group aggregation for the manually added group schema attributes, perform the following steps to
provide the Manage Role-Based Permission Access to the service account:

1. Navigate to Admin Center and search for Manage Role-Based Permission Access.

2. Click on Add User button.

3. Search through User Name and select the required user.

4. Click on Grant Permission.

Upgrade Considerations
l If User Management is selected, user must add the following parameters for create policy:

Field Name Help Text Type

Username Name of the user. String

Password Password of the user. Secret

Userid ID of the user. String

User.Status User status (Active/Inactive). String

User.FirstName First name of the user. String

User.LastName Last name of the user. String

User.Email Email address of the user. String

l The Termination Date attribute support is provided for Employees and Contingent workers. In order to lever-
age this functionality customer must add Termination Date attribute manually with property as String and
Description as ‘It populates Termination Date for Employees and WorkOrder End Date for Contingent Work-
ers’.
l Secure communication is enforced. This may cause the Test Connection to fail with the following error if IBM
JDK 1.8 is used:
[ConnectorException] [Possible suggestions] Ensure configuration parameters
are correct with a valid format, Ensure active network connectivity between
Source and Target system. [Error details]
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

SailPoint SuccessFactors Connector 4

Integrating SailPoint with SuccessFactors

In order to resolve this issue, set the value of com.ibm.jsse2.overrideDefaultTLS property to true in Java prop-
erties.
l To support enable/disable and change password operation after upgrading, add the following featuresString to
the existing application:
featuresString=“SEARCH, PROVISIONING, SYNC_PROVISIONING, MANAGER_LOOKUP,
ENABLE, PASSWORD, ADDITIONAL_ACCOUNT_REQUEST, ACCOUNT_ONLY_REQUEST”

l SuccessFactors Connector provides support for aggregation of roles and groups. In order to leverage this func-
tionality customer must add the following schema attributes manually:
l Account Attributes: Add Groups and Roles attributes.
l For more information see, Account Attributes.
l Group Attributes: Add all the attributes listed in Group Attributes section.

When you add the above attributes in upgraded applications, ensure that their type and property is cor-
rect as follows:

l For Roles type: role and Properties: Multi-Valued

l For Groups type: group and Properties: Managed, Entitlement, Multi-Valued

l To perform the aggregation, see Required Permissions to provide the Manage Role-Based Permission
Access to the service account.

SailPoint SuccessFactors Connector 5

Connecting SailPoint and SuccessFactors

Connecting SailPoint and SuccessFactors

To connect SailPoint and SuccessFactors, perform the following tasks:

l Configuring the Connector in SailPoint

Enable the SOAP API

1. In SuccessFactors, log in to the Provisioning Access Console. Select your company and navigate to Com-
pany Settings.

See the SuccessFactors product documentation for detailed information.

2. Under Web Services enable the following checkboxes:

l SFAPI - The SFAPI is SuccessFactors Data API. It is a SOAP Web Service designed for importing and
exporting data to and from your SuccessFactors instance. For more information, https://apps.sup-
port.sap.com.
l Employee Central SOAP API
l To provide information about global assignments, such as dependents accompanying an employee on a
global assignment:
l Enable Global Assignment Management
l Enable Dependents Management

Register a Client Application in SuccessFactors

Register SailPoint with the managed system so the connector can access SuccessFactor REST APIs.

Registering a client application includes client application registration, certificate generation, and obtaining Client ID
attributes. For detailed information about registering a client application in SuccessFactors, see Registering Your Cli-
ent Application in the SAP Help Portal.

1. Register your client application with SuccessFactors by navigating to Admin Center > Company Settings >
Manage OAuth2 Client Applications > Register Client Application.

2. Provide information for the mandatory fields such as Application Name, Description, and Application URL.
For example, Application name value can be SailPointApp and URL can be https://SailPointApp.

3. Click on Generate X.509 Certificate button and enter the values as required.

4. Click Generate and download a copy of the X.509 certificate on your computer.

5. Open the X.509 certificate file. The X.509 certificate includes :

l Private key
l Certificate

6. Copy the characters between —BEGIN ENCRYPTED PRIVATE KEY— and —END ENCRYPTED PRIVATE
KEY— and paste it in the Private Key field. This Private key is used as a configuration parameter for Test

SailPoint SuccessFactors Connector 6

Connecting SailPoint and SuccessFactors

connection operation.

7. Click Register.

Save the generated API Key. The key is used as the ‘Client ID’ configuration parameter for Test connection
operation.

Picklist Configuration
SailPoint aggregates the data from the SuccessFactors managed system based on the Picklist configuration.
SailPoint provides a default picklist but you can add additional custom or standard attributes.

For information about adding attributes, see Customizing Attribute Mapping.

A picklist is a configurable set of options or selection lists used to populate a data input field having one or
more predefined values in the SuccessFactors system. It is basically a set and the values in the set.

Picklist Sets and Values

The following tables list the default picklist sets and values used in the SuccessFactor Connector.

For Life cycle events:

^picklistId OptionID external_code en_US

Event 3669 H Hire

Event 3676 R Rehire

Event 30768 SCWK SCWK

For Employee Status:

^picklistId OptionID external_code en_US

employee-status 4595 A Active

employee-status 4596 U Unpaid Leave

employee-status 4597 P Paid Leave

employee-status 4598 R Retired

employee-status 4599 S Suspended

employee-status 4600 T Terminated

employee-status 4601 F Furlough

employee-status 4602 O Discarded

employee-status 4603 D Dormant

SailPoint SuccessFactors Connector 7

Connecting SailPoint and SuccessFactors

For EmailType:

^picklistId OptionID external_code en_US

ecEmailType 8448 B Business

For PhoneType:

^picklistId OptionID external_code en_US

ecPhoneType 10605 B Business

Exporting and Verifying the Picklist Values

Export the picklist values from your SuccessFactors instance and compare the values to the default values listed in
Picklist Configuration. If the default values set in the SuccessFactor Connector are not aligning with the managed sys-
tem values, then the corresponding account is not aggregated. To change the default values, add the attributes men-
tioned in Extending Your Integration .

For the most up-to-date and detailed instructions for obtaining picklist values, see Exporting Picklists in the
SAP Help Portal.

Perform the following procedure to export picklist values:

1. Navigate to Admin Center.

2. Search for and select Import and Export Data.

The Import and Export Data page appears.

3. In the Select the action to perform dropdown, select Export Data.

4. In the Select Generic Object dropdown, select Picklist.

Keep the default settings for the other settings.

5. Click Export.
A new job request is submitted for Picklist export.

6. Search for and select Monitor Job.

The Monitor Jobs page appears.

7. Refresh your browser until the job is complete and appears in the jobs list. Once the job is complete, click on
Download Status of the respective Job Name to download the zip file.

8. Extract the downloaded zip file.

This zip file contains the Picklist.

l (For Life cycle events) Search for the event associated with the pickistId and use the OptionId value
as required.
l (For Employee Status) Search for the Employee Status associated with the pickistId and use the
OpitionId value as required.

SailPoint SuccessFactors Connector 8

Connecting SailPoint and SuccessFactors

l (For Termination Date) Search for the Employee Status associated with the picklistId and use the
external_code as required.
l (For EmailType) Search for the ecEmailType associated with the pickistId and use the OptionId
value for type Business.
l (For PhoneType) Search for the ecPhoneType associated with the pickistId and use the OptionId value
for type Business.

If the default values set in the Success Factor Connector are not aligning with the managed system values as
mentioned above, then the corresponding account is not aggregated. To change the default values, add the
attributes mentioned in Extending Your Integration section below.

Extending Your Integration

If you need to change the default values, you can use certain data points to modify those.

Add the odataEventOptionIdMap attribute in the application debug page as follows:

For Life cycle events

The odataEventOptionIdMap attribute can be used to aggregate employee based on the Picklist id events - option id
values.

Any changes in these values, must be updated using the odataEventOptionIdMap entry key as follows:

<entry key="odataEventOptionIdMap">
<value>
<Map>
<entry key="Hire" value="<optionid>"/>
<entry key="Rehire" value="<optionid>"/>
<entry key="SCWK" value="<optionid>"/>
</Map>
</value>
</entry>

For example,

<entry key="odataEventOptionIdMap">
<value>
<Map>
<entry key="Hire" value="3669"/>
<entry key="Rehire" value="3676"/>
<entry key="SCWK" value="30768"/>
</Map>
</value>
</entry>

For Employee Status

Identity status connected to the account would be based on employee status as specified below:

SailPoint SuccessFactors Connector 9

Connecting SailPoint and SuccessFactors

Employee Status IdentityIQ Status

Active

Dormant

unpaid leave

paid leave Enabled

Suspended

Furlogh

Discarded

Retired Disabled

Terminated

Employee Status
For the SuccessFactors source, the identity status connected to an account is now based on employee status as spe-
cified. The default statuses are:

Enabled Disabled

Active Furlough

Dorman Discarded

Unpaid Leave Retired

Paid Leave Terminated

Suspended

Default behavior can be modified by specifying odataEventOptionIdMap entry key in the application debug page as
follows:

<entry key="odataEventOptionIdMap">
<value>
<Map>
<entry key="EmplStatus-ActiveOptionIds" value="<OptionIdvalue1>,
<OptionIdvalue2>"/>
<entry key="EmplStatus-InActiveOptionIds" value="<OptionIdvalue1>,
<OptionIdvalue2>"/>
</Map>
</value>
</entry>

For example:

<entry key="odataEventOptionIdMap">

SailPoint SuccessFactors Connector 10

Connecting SailPoint and SuccessFactors

<value>
<Map>
<entry key="EmplStatus-ActiveOptionIds" value="4595,4603,4596,4597,4599"/>
<entry key="EmplStatus-InActiveOptionIds" value="4601,4602,4598,4600"/>
</Map>
</value>
</entry>

Termination Date
By default the SuccessFactors source will aggregate the termination date for following employee statuses:

l F - Furlough
l R - Retired
l T - Terminated

For other status like Suspended and Discarded, if customer wants to aggregate termination date add the following
entry key in the application debug page:
<entry key="terminationDateCodes" value="<externalcodevalueforemployee-status>"/>

For example,
<entry key="terminationDateCodes" value="O,S"/>

where externalcodevalueforemployee-status is the externalcodevalue associated with the PicklistId

employee-status.

Picklist Configuration Map

Update Picklist configurations to include employee-class, employee-type and employee-status.

Modify the default behavior by specifying the picklistConfigMap entry key in the application debug page as follows:

<entry key ="picklistConfigMap'>

<value>
<Map>
<entry key ="employeeClassPickList" value="<Picklist.Code>"/>
<entry key ="employeeTypePicklist" value="<Picklist.Code>"/>
<entry key ="employeeStatusPickList" value="<Picklist.Code>"/>
</Map>
</value>
</entry>

For example,

<entry key="picklistConfigMap">
<value>
<Map>
<entry key="employeeClassPickList" value="employee-class"/>

SailPoint SuccessFactors Connector 11

Connecting SailPoint and SuccessFactors

<entry key ="employeeStatusPickList" value="employee-status"/>

<entry key ="employeeTypePicklist" value="employee-type"/>
</Map>
</value>
</entry>

Configuring the Connector in SailPoint

Use the Edit Application page to define the application in your enterprise.

This procedure provides the basic information necessary to connect your connector. For additional inform-
ation, see the IdentityIQ Application Configuration Guide.

1. Navigate to Applications > Applications Definitions.

The Edit Application page appears.

2. Enter the following information on the Edit Application page:

l Name - The name of the application. This is the named used to identify the application throughout Iden-
tityIQ.
l Owner - The owner of the application. The owner specified here is responsible for certifications and
account group certifications requested on this application if no revoker is specified.

Application ownership can be assigned to an individual identity or a workgroup. If the application own-
ership is assigned to a workgroup, all members share certification responsibilities, are assigned cer-
tification request associated with the application, and all can take action on those requests.
l Application Type - The Application Type drop-down list contains the types of application to which
IdentityIQ can connect. This list will grow and change to meet the needs of IdentityIQ users.

3. Select the Configuration > Settings tabs and enter the information required for IdentityIQ to connect and inter-
act with the application. The information required varies by application.

4. Click Save.
The Edit Application <application> page appears.

5. Click Test Connection to verify the information is correct.

Configuration Parameters
This section contains the information that the connector uses to connect and interact with SuccessFactors system
through the application. Each application type requires different information to create and maintain a connection.
l All the attributes marked with * are mandatory attributes.

l For more information about adding additional schema attributes, see Mapping Attributes for Aggreg-
ation

Connection Settings
Base Company URL*

SailPoint SuccessFactors Connector 12

Connecting SailPoint and SuccessFactors

Unique endpoint URL to connect SuccessFactors system through API.

For example, https://<hostname>.successfactors.com:<port>
Authentication Type*
Select the authentication type provided by SuccessFactors.
Grant Type*
Authorization grant to used to obtain access token.
Company ID*
Enter the company ID for user provisioning. During licensing of SuccessFactors solution, a unique company ID is
provided. The OData API uses the company ID attribute to validate your access token.
Client ID*
Enter the client identifier (a unique string) issued by the authorization server to your client application during the
registration process. You obtained the client ID while performing the procedure specified in section Register a Cli-
ent Application in SuccessFactors.

Client ID information is required for OAUTH2 authentication.

User ID*
ID of the user with the required permissions mentioned in the Required Permissions.
Private Key*
Extracted key from X.509 Certificate of SuccessFactors using OAuth2 client application.

Private key information is required for OAUTH2 authentication for accessing SuccessFactors Odata API.

Picklist Mapping
SuccessFactors picklist mapping for update operations only. Enter the picklist mapping as per your tenant con-
figuration. For multiple entries use newline as a separator. For example,

l BusinessEmail =<Picklist optionID>

l BusinessPhone=<Picklist optionID>

Account Types to Manage Under Account Settings

Indicates whether application is used to manage Employees or Users.

l Employees: Aggregate employees

l Users: Aggregate users

Filter Criteria for Employees

Not applicable for Users.

Aggregate Future Hires

Select this checkbox to aggregate Future Hires.
Include All Hires Starting Within X Days

SailPoint SuccessFactors Connector 13

Connecting SailPoint and SuccessFactors

Indicates the number of days to aggregate the future hires. It can have following values

l Default: 30
l 0: aggregates no future hires.
l A positive value: aggregates FutureHires within the specified number of days.
l -1: aggregates all future hires until 9999-12-31

Aggregate Inactive Employees

Select this checkbox to aggregate inactive employee records.
Include All Employees Inactive Within X Days
Enter the number of past days to aggregate inactive employees. The Inactive Employees Offset would have the
following values:

l Default:30
l 0: aggregates only the active Employee
l Any positive value: indicates the number of days in past since when the inactive accounts must be
aggregated.
l -1: aggregates all inactive employees.

Filter Criteria For Users

Not applicable to Employees.

Aggregate Inactive Users

Select this checkbox to aggregate inactive users.

Additional Attribute Mapping

Include Compound Employee API Entities
Enter the name of the compound employee API extended sub-structures/entities to query for additional attrib-
utes. Use commas to separate multiple values.

SailPoint SuccessFactors Connector 14

Schema attributes

Schema attributes
This section provides the different attributes of the Account attributes for SuccessFactors connector.
l In the case of employee management, identity status is mapped to ‘EmployeeStatus’ and for user
management it is based on ‘User.Status’.

l The identity attribute has pre-defined schema. Do not to change the native identity (primary) attribute
during aggregation.

l For more information on adding the additional schema attributes, see Mapping Attributes for Aggreg-
ation.

Account Attributes
The application schema is used to configure the objects returned from a connector.When the connector operations are
performed the schema is supplied to the methods on the connector interface. This connector currently supports
account objects, Account objects are used when building identities Link objects.

PersonID
ID of the person
Username
Username
Userid
User ID
Salutation
Salutation
FormalName
Formal name
FirstName
First name
MiddleName
Middle name
LastName
Last name
PreferredName
Preferred name
Date of Birth
Date of birth for Employee
Gender
Gender
Department

SailPoint SuccessFactors Connector 15

Schema attributes

Department name
Division
Represent Division name in the organization data
Company
The company under which Employee belongs
Location
Work location name
Country
Name of the country
Nationality
Nationality
PositionNumber
Represent position number associated with Employee
JobTitle
Represent job title associated with Employee
EmployeeType
Represent Employee type
EmployeeStatus
Represent Employee Status
PrimaryEmailAddress
Primary email address
Job Classification
Job classification
CostCenterID
Cost center ID associated with Employee
IsContigentWorker
Represent whether Employee is Contingent Worker or not
FLSA
FLSA status code
AssignmentType
Assignment type
ManagerID
Manager ID
CostCenter
Represent Cost center associated with Employee
EmployeeClass
Represent Employee Class

SailPoint SuccessFactors Connector 16

Schema attributes

IsFullTime
Represent whether Employee is Full Time or Part Time
ServiceDate
Service start date
JobInfoLastModified
Date when Job Information was Last Modified
Position Entry Date
Position Start date for Employee
LastDateWorked
Last date worked
Address
Address of Employee
BusinessPhone
Business phone
BusinessPhoneCountryCode
Business phone country code
BusinessExtension
Business extension
Cell
Primary cell
CellCountryCode
Primary Cell Code
Fax
Fax number
FutureActions
Stores Information about Future Actions in the following JSON format:
{"Actions": [{"ActionType" : "<ActionCode>","ActionReason" : "<Action Reason
value>","ActionStartDate" : "<Start date>","ActionEndDate" : "<End date>"}]}
For example,
{"Actions": [{"ActionType" : "SCWK","ActionReason" : "Start
CWK","ActionStartDate" : "2018-08-26","ActionEndDate" : "2018-09-08"}]}

This attribute will aggregate only the future employment actions.

Person ID External
Person ID External
BusinessUnit
BusinessUnit Name

SailPoint SuccessFactors Connector 17

Schema attributes

Termination Date
It populates Termination Date for Employees and WorkOrder End Date for Contingent Workers.
For more information, see Upgrade Considerations.
Groups
Groups associated to the user.
Roles
Roles associated to the user.

Following attributes are applicable only for Users

User.Status
Status of the user.
User.FirstName
First name of the user.
User.LastName
Last name of the user.
User.Email
Email address of the user.

Group Attributes
Following are the list of group attributes for Group and Role object type:

Object Type is Group

GroupName
Name of the group.
GroupID
ID of the group.
GroupType
Type of the group.
CreatedBy
User ID of the creator.
LastModifiedDate
Date on which last modification on group is done.
IsStaticGroup
Group is of type static or dynamic.
Roles
Roles associated to the access group.

SailPoint SuccessFactors Connector 18

Schema attributes

Object Type is role

RoleName
Name of the role.
RoleID
Internal ID of the role.
Groups
Access groups associated to the role.

Provisioning Policy Attributes

The following table lists the provisioning policy attributes for update operation that is supported only for the following
attributes:

Attributes Users Employees

Username Yes Yes

PrimaryEmailAddress Yes Yes

BusinessPhone Yes Yes

BusinessExtension Yes Yes

BusinessCountryCode Yes Yes

Following attributes are applicable only for Users

User.Status Yes No

User.FirstName Yes No

User.LastName Yes No

User.Email Yes No

Additional Parameters
SuccessFactors Connector provides support for the following additional parameters:

Aggregation Page Size

Value can be set as follows:
<entry key="aggPageSize" value="200"/>
aggPageSize value is Number of records per page. Default: 200
apiServerUrl
Value can be set as follows:
<entry key="apiServerUrl" value="https://HOST:PORT"/>
where apiServelUrl value is the base URL for the REST API server.
Default Time Out
Value can be set as follows:

SailPoint SuccessFactors Connector 19

Schema attributes

<entry key="apiTimeout" value="5"/>

apiTimeout value is in minutes.
batchSizeUserRole
Determines the number of requests combined for getting role details for multiple users using single suc-
cessfactor odata batch operation. For example:
<entry key="batchSizeUserRole" value="20"/>
By default value is set to 100 (max allowed value).
batchSizeUserGroup
Determines the number of requests combined for getting group details for multiple users using single suc-
cessfactor odata batch operation. For example:
<entry key="batchSizeUserGroup" value="10"/>
By default value is set to 100 (max allowed value).
includeWorkflowGroups
Set the value of the includeWorkflowGroups parameter to true to aggregate the workflow group in the group
aggregation. For example:
<entry key ="includeWorkflowGroups" value="true"/>

includeInactiveGroupsOfRole
Set the value of the includeInactiveGroupsOfRole parameter to true to aggregate the inactive roles assigned
to a group. For example:
<entry key ="includeInactiveGroupsOfRole" value ="true"/>

SailPoint SuccessFactors Connector 20

Customizing Attribute Mapping

Customizing Attribute Mapping

You can add custom and standard attributes as well as Compound Employee attributes to your aggregation. Define
the additional attribute name along with navigation path which connector would aggregate from SuccessFactors.

Additional Attribute Mapping

In the Include Compound Employee API Entities field, enter the name of the compound employee API exten-
ded sub-structures/entities to query for additional attributes. Use commas to separate multiple values.
Attribute Mapping
Define the schema attribute name and the navigation path the connector uses to aggregate the data from Suc-
cessFactors.

Mapping Attributes for Aggregation

You can customize the aggregation of attributes or add custom attributes by defining the attribute name and the nav-
igation path which the connector uses to aggregate from SuccessFactors. You can locate the SFAPI path for the attrib-
ute in SuccessFactors data dictionaries. To see a list of default attributes, see Schema attributes.

Parameters Description

Schema Attribute Name of the attribute.

Navigation path of attribute as defined in SFAPI (For example, /per-

Navigation Path (SFAPI Path)
son/employment_information/job_information/pay).

Adding Attributes From ODATA API Data Dictionary

SuccessFactors Connector provides support for the aggregation of additional account schema attributes for user man-
agement that belongs to the user entity with Navigation Target property as blank.

User attributes must use the user prefix. For example, user.city.

In SuccessFactors:

Find the supported attributes you want to add:

1. Navigate to Admin Centre.

2. Search for and select either OData API Data Dictionary

3. Search for User. This displays the list of supported attributes.

4. Copy the attribute name.

In SailPoint:

Add the attribute name to the schema:

1. Navigate to Applications > Application Definition then select SuccessFactors type from the list.

2. Select the Schema tab, and select the Object Type: Account.

SailPoint SuccessFactors Connector 21

Customizing Attribute Mapping

3. Click Add New Schema Attribute.

4. Add the name of the attribute in the Name field.

Adding Custom Attributes From SFAPI Data Dictionary

You can use attributes from the SFAPI Data Dictionary to add custom attributes SailPoint. To add the custom attrib-
utes, perform the following:

In SuccessFactors:

Find the Value for Navigation Path (SFAPI Path):

1. Navigate to Admin Center.

2. Search for and select SFAPI Data Dictionary.

The SFAPI Data Dictionary page appears.

3. Expand the appropriate entity to display the attribute fields.

4. Find the required attribute and the path displayed under the Name field and copy the path. For example:

Label: Nationality

Name (Path): /person/personal_information/nationality

The Name path is the required field value for Navigation Path (SFAPI Path) in SailPoint.

In SailPoint:

Add the Navigation Path (SFAPI Path):

1. Navigate to Applications > Application Definition then select SuccessFactors from the list.

2. Select the Configuration tab.

3. In the Additional Attribute Mapping section:

a. Add a name for Schema Attribute.

For example: Nationality).

b. Add the Navigation Path (SFAPI Path) that you copied from SuccessFactors.

Compound Employee API Sub-Structures

To aggregate the value of additional account schema attributes for Compound Employee API sub-structures, you
need to add the attribute name to the account schema and the navigational path. The following Compound Employee
API sub-structures are standard:

l person l job_relation
l personal_information l direct_deposit
l address_information l national_id_card
l phone_information l deduction_recurring
l email_information l deduction_non_recurring

SailPoint SuccessFactors Connector 22

Customizing Attribute Mapping

l person_relation
l global_assignment_information
l employment_information
l ItDeclaration
l job_information
l dependent_information
l compensation_information
l personal_documents_information
l paycompensation_recurring
l EmployeeDataReplicationElement
l paycompensation_non_recurring
l associated_employee_information
l payment_information
l emergency_contact_primary
l accompanying_dependent
l DRTMPurgeStatusOverview
l alternative_cost_distribution

Add sub-structures:

You can include additional sub-structures by providing the sub-structure name in the Include Compound Employee
API Entities field. To add multiple entities, separate the names with commas. For example:
WorkOrder, SecondaryAssignments

Find the Value for Navigation Path (SFAPI Path) In SuccessFactors:

1. Navigate to Admin Center.

2. Search for and select SFAPI Data Dictionary.

The SFAPI Data Dictionary page appears.

3. Search for and expand the CompoundEmployee entity to display the attribute fields.

4. Find the required attribute and the path displayed under the Name field and copy the path. For example:

Label: Nationality

Name (Path): /person/personal_information/nationality

The Name path is the required field value for Navigation Path (SFAPI Path) in SailPoint.

In SailPoint:

1. Navigate to Applications > Application Definition then select SuccessFactors from the list.

2. Select the Configuration tab.

3. In the Additional Attribute Mapping section:

a. Add a name for Schema Attribute.

For example: Nationality).

b. Add the Navigation Path (SFAPI Path) that you copied from SuccessFactors.

Specifying Values Included in Multiple Sub-Structures

By default, the connector aggregates the values without logic. It fetches the value that matches the specified SFAPI
path. If an attribute value includes multiple sub-structures and you want to aggregate the data from a specific entity,

SailPoint SuccessFactors Connector 23

Customizing Attribute Mapping

you can provide the XPath 2.0 value.

Example:

If you want to aggregate the country value for address_type but address_type could have multiple values such as
home or payroll. To specify the payroll address, the Navigation Path (SFAPI Path) would be:
/person/address_information[address_type= "Payroll"]/country

Example:

By default, the SuccessFactors connector aggregates the PrimaryEmailAddress. If you want to return specific
email addresses, such as the Office type email address, use this Navigation Path (SFAPI Path):
/person/email_information[email_type=''O'']/email_address

where O represents that the email address is of type Office.

Example:

An employee is being promoted and you want to aggregate information based on the future position to trigger
approvals by the future manager. In this scenario, the employee has two sets of job information - the current and
future. To fetch the future manager information, use this Navigation Path (SFAPI Path):
/person/employment_information/job_information[xs:date(start_date) ge current-
date()]/manager_person_id_external

Example:

A user has concurrent assignments and you want aggregate the primary position. The Navigation Path (SFAPI Path)
would be:
/person/employment_information[not(SecondaryAssignmentPeriod)]/job_information
[xs:date(start_date) le current-date()and xs:date(end_date) ge current-date
()]/position"

SailPoint SuccessFactors Connector 24

Enabling Logging

Enabling Logging
To enable logging, specify the logging as sail-
point.connector.successfactors.SuccessFactorsAccountAggregator and sail-
point.connector.SuccessFactorsConnector.

For example,
logger.connector.name=sailpoint.connector.SuccessFactorsConnector
logger.connector.level=debug
logger.connector.name=sailpoint.connector.successfactors.SuccessFactorsAccountAgg
regator
logger.connector.level=debug

SailPoint SuccessFactors Connector 25

Enabling a Welcome Message

Enabling a Welcome Message

This option is only available for User Management.

To enable sending a welcome message to newly created users, in SuccessFactors:

1. Navigate to Admin Center and search for Platform Feature Settings.

2. Select the Send Welcome Message checkbox.

3. Click Save.

SailPoint SuccessFactors Connector 26

Troubleshooting

Troubleshooting
Test Connection Errors
Error:
[ ConnectorException ] [ Possible suggestions ] Ensure configuration parameters
are correct with a valid format, Ensure active network connectivity between
Source and Target system. [ Error details ] javax.net.ssl.SSLHandshakeException:
Received fatal alert: handshake_failure
Test connection failed with IBM JDK 1.8 error.
Resolution: Set the following jvm parameter:
-Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12

Error:
Unable to verify the signature of the SAML assertion
Resolution: The Client ID and Private key values should be correctly provided. These values must be a part of
the same OAuth2 Client Applications.

Error:
Unable to authenticate the client (Login failed - Invalid user)
Resolution: Ensure that the User ID value is correct.

Error:

Test Connection fails with the following error message even if valid certificates are added:
"javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure"
The above issue might be due to mismatch of TLS Communication Server and Client version.
Resolution: Add the following JVM argument and set it to true:
Dcom.ibm.jsse2.overrideDefaultTLS

Time-out Errors
Error:
java.lang.RuntimeException - java.lang.RuntimeException:
java.lang.InterruptedException: Timeout waiting for response to message 3 from
client 84a5de19-2861-4ca5-a8a1-ed4481e43e60 after 180 seconds
Resolution: Increase the timeout value using IdentityNow REST API:
POST <url>/api/source/update/<sourceID>

l <url> is the URL for the customer's IdentityNow instance

l <sourceID> is the Source ID (number) obtained through the UI

In the body of the POST, use form-data as follows:

l Key: connector_aggregateTimeout
l Value: add as time in milliseconds, for example you can use 1000.

SailPoint SuccessFactors Connector 27

Troubleshooting

Aggregation Errors
Error:
Your permissions and additional picklist values are not completely aligned with
recommended practices. Refer connector guidelines to set expected values.
Zero accounts are returned with this message.
The possible reasons could be as follows:

l Service account does not have required permission as documented in Required Permissions
l Picklist values are different from what is set as the default value in the Connector as documented in Pick-
list Configuration

Resolution: Ensure that:

l the required permissions mentioned in Required Permissions are added and perform the aggregation
again
l the Picklist values are correct or configured as mentioned in the Picklist Configuration.

Error:

Fewer accounts than expected are returned even after successful account aggregation
One of the possible reason could be that the Picklist values are different from what is set as the default value in
the Connector as documented in Picklist Configuration.
Resolution: Ensure that the Picklist values are correct or configured as mentioned in the Picklist Configuration.

Error:
User '[<userId>]' does not have permission to manage roles.
Aggregation fails with this message.
Resolution: Ensure that Manage Role-Based Permission Access is assigned to the user. For more inform-
ation, see Required Permissions.

Error:
Unable to create iterator sailpoint.connector.InsufficientPermissionException:
[ InsufficientPermissionException ] [ Possible suggestions ] Provide the required
permissions for the user. [ Error details ] "error" : { "code" : "COE_GENERAL_
FORBIDDEN", "message" :{ "lang" : "en-US", "value" : "[COE0020]User [UserId]
attempted to access dynamic group module [permission] without proper access
privilege." }
Exception during aggregation of Object Type account on Application SF.
Resolution: Ensure that Manage Role-Based Permission Access is assigned to service account user when
Roles and Groups attributes are added in the account schema object. For more information, see Required Per-
missions.

Error:
Entity FOLocation is not found. Please check the entity in Admin Center &gt;
OData API Data Dictionary or contact your system administrator
Aggregation fails with this error message even if all the required permissions are provided.

SailPoint SuccessFactors Connector 28

Troubleshooting

Resolution: Perform the following:

1. Navigate to Admin Center and search for OData API Metadata Refresh And Export.

2. Click on Refresh.

3. Wait for the task to be completed.

Error:
User [userId] attempted to access dynamic group module [permission] without
proper access privilege.
and
User "[userId]" does not have permission to manage roles
Resolution: Ensure the Manage Role-Based Permission Access permission is correctly assigned.
Provisioning Errors
Error:
Error in provisioning the httpcode: 500 error messsage: Only one record can be
set as primary record for <PersonID>.
If other email/phone is marked as primary and rule is configured for application, this error message appears:
Resolution: Ensure that you perform the following:

1. Modify the rule to set the isPrimary flag to false.

2. Make the email/phone as non primary on native system.

Error:
sailpoint.connector.InvalidRequestException: No data exists for the provided
user, please check nativeIdentity identityName(for e.g TestUser1)
Error message appears during provisioning/get operation.
Resolution: Perform the following:

1. Check the target population in the group which is assigned to the service account role.

2. Ensure that the Manage Role-Based Permission Access permission is assigned to service
account user, when the Roles and Groups attributes are added in the account schema object.

Error::

Older employment information data is displayed for an account after Provisioning.

Resolution: Check if the permissions have been properly given to the service account. Remove any extra per-
missions that have not been mentioned in this guide.

SailPoint SuccessFactors Connector 29