We’ve broken down the major H2 2023 SAP® SuccessFactors® updates to help you easily digest the latest changes. In this post, we’ll look at what’s new in the Technical space.

Deprecation of HTTP Basic Authentication for APIs

Access to APIs based on HTTP Basic Authentication will reach the end of maintenance on June 2, 2023, and will be deleted on November 20, 2026.

HTTP Basic Authentication (Basic Auth) is an authentication method to access APIs in SAP SuccessFactors. SAP plans to retire HTTP Basic Authentication in favor of the more secure OAuth 2.0 authentication method.

OAuth 2.0 is now supported in both OData API and SFAPI. We recommend you start migrating from HTTP Basic Authentication to OAuth 2.0 for better security and complete the migration before the deletion date.

Key Dates for Replacement:

  • End of Development Phase: Since the 2H 2020 release (November 20, 2020), SAP hasn’t enhanced HTTP Basic Authentication.
  • End of Maintenance: By 1H 2023 (June 2, 2023), SAP SuccessFactors will stop the maintenance for HTTP Basic Authentication.
  • Replacement Date: As of the 1H 2023 release, SAP plans to decommission HTTP Basic Authentication in 2H 2026 (November 20, 2026). SAP uses deprecation to indicate the removal of a feature from the system. You should now be using an alternative method for your business scenario.
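To plan the migration you first need to know which integrations still send Basic Auth. The following is an added example, not SAP code: it scans API gateway logs for clients that still call the OData API or SFAPI with the Basic scheme. The log format, client names and the `/odata/` and `/sfapi/` path prefixes are assumptions made for illustration.

```python
import re
from datetime import date

DELETION_DATE = date(2026, 11, 20)     # Basic Auth deletion date given above
API_PREFIXES = ("/odata/", "/sfapi/")  # assumed path prefixes for OData API and SFAPI
LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) path=(?P<path>\S+) scheme=(?P<scheme>\S+)$"
)

# Constructed sample lines in a hypothetical gateway log format.
SAMPLE_LOG = """\
2023-11-02T08:15:04Z client=payroll-sync path=/odata/v2/User scheme=Basic
2023-11-02T08:15:09Z client=lms-export path=/odata/v2/JobRequisition scheme=Bearer
2023-11-02T08:16:40Z client=legacy-soap path=/sfapi/v1/soap scheme=basic
2023-11-03T01:00:00Z client=payroll-sync path=/odata/v2/EmpJob scheme=Basic
2023-11-03T01:00:02Z client=portal path=/login scheme=-
"""

def basic_auth_clients(log_text):
    """Map each client still using Basic Auth on an API path to its usage."""
    found = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m["path"].startswith(API_PREFIXES):
            continue  # unparseable line or not an API call
        # Auth scheme names are case-insensitive (RFC 7235), so normalise.
        if m["scheme"].lower() != "basic":
            continue
        entry = found.setdefault(
            m["client"], {"count": 0, "last_seen": "", "paths": set()}
        )
        entry["count"] += 1
        # UTC ISO 8601 timestamps in one format sort lexicographically.
        entry["last_seen"] = max(entry["last_seen"], m["ts"])
        entry["paths"].add(m["path"])
    return found

def days_until_deletion(today):
    """Days remaining before Basic Auth access is deleted."""
    return (DELETION_DATE - today).days

if __name__ == "__main__":
    for client, info in sorted(basic_auth_clients(SAMPLE_LOG).items()):
        print(client, info["count"], info["last_seen"], sorted(info["paths"]))
    print("days until deletion:", days_until_deletion(date.today()))
```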

Deprecation of SAP SuccessFactors HXM Suite Single Sign-On Certificate

SAP will expire the SAP SuccessFactors HXM Suite Single Sign-On certificate on June 2, 2025.

If you are currently using a third-party corporate IdP solution (such as Microsoft Azure AD, Okta, Google, or OneLogin) or Basic Authentication (username and password), we ask that your organization migrate to Identity Authentication, since SAP SuccessFactors plans to move all customers to SAP Cloud Identity Authentication as the preferred method.

When you migrate to Identity Authentication:

  • If you use Identity Authentication (either as a real IdP or as a proxy IdP to a third-party corporate IdP), Identity Authentication will automatically take care of your SuccessFactors certificate update.
  • If your Identity Authentication is the real Identity Provider (IdP) for SuccessFactors, then SAP will handle the upgrade necessary to minimize the impact of third-party cookie deprecation. If Identity Authentication is a proxy to a corporate IdP such as Microsoft Azure AD, Okta, Google, etc., SAP will provide automation to assist the upgrade necessary to minimize the impact of third-party cookie deprecation. Further configuration could be needed from your end, e.g., renewal of certificates from your corporate IdP.

There are benefits of adopting Identity Authentication in your landscape:

  • When your SAP SuccessFactors tenant is connected to the Identity Authentication service, it handles all logins (including password, two-factor authentication, risk-based authentication, or corporate identity provider) for your SAP SuccessFactors system.
  • Adopting Identity Authentication completes a major prerequisite for some of the most important innovations in SAP SuccessFactors, such as Stories in People Analytics, Work Zone, Task Center, and Internal Career Site.
  • Faster innovation, better product quality, and support with one unified authentication service to develop, maintain, and innovate.
  • Better incorporation of new technologies and innovations in the security/authentication domain.
  • Streamlined user management and better user self-service.

Adoption of Common Superdomain for SAP SuccessFactors HXM Suite and Identity Authentication Tenant URLs

Major web browsers plan to discontinue third-party cookie support. As a result, SAP SuccessFactors HXM Suite and Identity Authentication are adopting a common superdomain for their tenant URLs.

This enhancement also includes Employee Centered Payroll (ECP), WorkForce Analytics (WFA), SAP Analytics Cloud (SAC) and Onboarding 1.0 (ONB1.0).

Tenant URLs now use the new superdomains cloud.sap and sapcloud.cn. The new URLs are applied during the initial tenant provisioning process and during the Identity Authentication upgrade and change processes.

In the current version:

Your SAP SuccessFactors HXM Suite tenant URL will now follow the pattern

https://performancemanager.hr.cloud.sap/login?company=<company_id>

Your Identity Authentication tenant URL will now follow the pattern

https://<ias_tenant_name>.accounts.cloud.sap

We highly recommend you upgrade to Identity Authentication to avoid potential disruptions in SSO functionalities and use the upgrades provided by Identity Authentication to minimize the impact of third-party cookie deprecation.
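When tenant URLs change, allowlists for SSO redirects, link checkers and mail filters need updating, and a naive "contains cloud.sap" check accepts lookalike hosts. The following added example (not SAP code) validates a URL strictly against the two patterns shown above. Applying the same host shape under sapcloud.cn is an assumption, and the sample hosts and company ID in the test URLs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

SUPERDOMAINS = ("cloud.sap", "sapcloud.cn")
# A single DNS label: no dots, no leading or trailing hyphen.
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")

def classify_tenant_url(url):
    """Return ('successfactors', company_id), ('identity-authentication',
    tenant_name), or None if the URL does not match either pattern."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or port not in (None, 443):
        return None
    # Reject userinfo: in "https://x.accounts.cloud.sap@other.example/" the
    # real host is other.example, not the text before the "@".
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname or ""    # urlsplit already lower-cases the host
    for sd in SUPERDOMAINS:
        if host == "performancemanager.hr." + sd:
            company = parse_qs(parts.query).get("company", [])
            if parts.path == "/login" and len(company) == 1:
                return ("successfactors", company[0])
            return None
        suffix = ".accounts." + sd
        if host.endswith(suffix):
            tenant = host[: -len(suffix)]
            if LABEL.fullmatch(tenant):
                return ("identity-authentication", tenant)
    return None

if __name__ == "__main__":
    for u in (
        "https://performancemanager.hr.cloud.sap/login?company=ACME01",
        "https://acme.accounts.cloud.sap",
        "https://acme.accounts.cloud.sap.example.net/",       # suffix lookalike
        "https://acme.accounts.cloud.sap@login.example.net/", # userinfo trick
        "https://acmeaccounts.cloud.sap",                      # missing dot
    ):
        print(u, "->", classify_tenant_url(u))
```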

Enforcement of Case-Insensitive Usernames with SAP SuccessFactors and Identity Authentication

To better enforce case-insensitive usernames with Identity Authentication, SAP SuccessFactors tenant usernames remain case-insensitive even when Single Sign-On (SSO) is disabled.

In the new release, case-sensitive usernames in SAP SuccessFactors are set to case-insensitive when the tenant integrates with Identity Authentication and SSO is enabled. However, this setting can be disabled from the Manage SAML SSO Settings screen or by disabling SSO in the Identity Authentication administration console.

How to override this feature:

Auto-Renewal of X509 Certificates in Security Center

SAP SuccessFactors added an option in the Security Center to automatically renew your X509 certificates when they're nearing expiration. This applies only to certificates whose Certificate Authority type is SAP Cloud Root CA.

Once you set a validity for your certificate, you must choose the check box for Renew On Expiry to enable the automatic renewal function. The Renew On Expiry check box is disabled by default. Additionally, you can include email IDs in the Email field to receive notifications for certificates nearing their expiration date.

SAP SuccessFactors has added this feature to provide a seamless renewal process of X509 certificates.

How to configure this feature:

Deprecation of Packaged Integration SAP SuccessFactors Learning and SAP ERP Financials Integration

Packaged Integration SAP SuccessFactors Learning and SAP ERP Financials Integration will reach the end of maintenance and development on June 2, 2023, and will be deleted on May 17, 2024.

If this integration package is applied in your environment, you must seek an alternative method for your business scenario.

Key Dates for this deprecation:

  • End of Development Phase: As of 1H 2023 (June 2, 2023), SAP will stop enhancing these integrations. Customers can continue to use the software, but they should plan for when it will no longer be available. SAP will still fix high-priority bugs.
  • End of Maintenance: As of 1H 2023 (June 2, 2023), SAP will not deliver patches for the software. SAP will continue to answer your how-to questions.
  • Replacement Date: As of May 17, 2024, SAP will retire this integration. You should be using an alternative method.

Enhancements to OData APIs

With the 2H 2023 release, SAP SuccessFactors is releasing several relevant enhancements related to OData APIs:

Learning API Permissions Enhancements

SAP enhanced the required permissions for several APIs in SAP SuccessFactors Learning. See a table with full details of the impacted APIs with the new additional required administrator and user permissions. You must review these API calls and update your permissions to continue using them.

New Parameters in createOnboardee Function Import

SAP SuccessFactors has added the internalUserId and hireType parameters to the createOnboardee OData API function import. With this enhancement, you can use an external Applicant Tracking System (ATS) to transfer an employee from one legal entity to another within the organization. Based on your requirement, you must select one of the following values for the hireType parameter:

  • NEW_HIRE for New Hire workflow
  • REHIRE_NEW_EMPLOYMENT for Rehire with New Employment workflow
  • REHIRE_OLD_EMPLOYMENT for Rehire with Old Employment workflow
  • LEGAL_ENTITY_TRANSFER_NEW_EMPL for Rehire with New Employment on Legal Entity Transfer workflow

New Retention Time for API Audit Logs

A 90-day retention period will be enforced for OData API and SFAPI audit logs in SAP SuccessFactors HXM Suite. Audit logs older than 90 days are automatically purged from the system. Previously, old audit logs were purged when the default number limit of a company was reached. Now, both the number limit and the retention time are considered when the system determines which logs to purge. If you have incorporated API calls into your audit policy, you must review this enhancement and accommodate the changes.

Enhancements to ERP Integration (S/4 HCM & SAP ERP HCM)

With the 2H 2023 release, SAP is releasing several relevant enhancements related to ERP Integration:

Identifying Employees for Temporary Exclusion from Data Processing in the ERP System

SAP provides a new tool that helps you find an employee for whom an exceptional error occurred during data replication from Employee Central so that you can temporarily suspend the processing of their data in the SAP S/4HANA or SAP ERP HCM system.

In the previous version, SAP provided a tool to suspend the processing of the data replicated for a specific employee from Employee Central if an exceptional error occurred. Temporarily suspending the processing for the employee allows for the data of the other employees in the same package to be processed in SAP S/4HANA or SAP ERP HCM. The new tool helps you find the employee for whom you want to suspend processing temporarily.

How to turn it on: Support package 36 of the SFSF EC INTEGRATION (PA_SE_IN) add-on must be installed in your SAP S/4HANA or SAP ERP system.

This feature is currently unavailable for the SFSF EC S4 HCM INTEGRATION (ECS4HCM) add-on.

New Personnel Number in the ERP System for National Transfer Using the Same Employment Record in Employee Central

You can now create a new personnel number in the SAP S/4HANA or SAP ERP HCM system when an employee has been transferred within a country/region using the same employment record in Employee Central.

As a rule, the SAP S/4HANA or SAP ERP HCM system doesn’t create a new personnel number if an employee had a national transfer with the same employment record in Employee Central. Because it’s the same employment record in Employee Central, the SAP S/4HANA or SAP ERP HCM system retains the existing personnel number.

With this feature, you can deviate from this rule and assign employees a different personnel number when they change to a new company code, even if their country/region stays the same.

How to turn it on: If you use the SFSF EC S4 HCM INTEGRATION (ECS4HCM) add-on, support package 02 of this add-on must be installed in your SAP S/4HANA system. If you use the SFSF EC INTEGRATION (PA_SE_IN) add-on, support package 36 of this add-on must be installed in your SAP S/4HANA or SAP ERP system.