The Deadline You Can’t Ignore
If you’re managing SAP SuccessFactors Onboarding, November 13, 2026 needs to be on your calendar. That’s when SAP will permanently remove basic authentication (username and password) for all SuccessFactors instances, including onboarding new hires.
This isn’t a soft deadline. SAP ended maintenance on June 2, 2025. After November 2026, if you haven’t migrated to Identity Authentication Service (IAS), your new hires won’t be able to log in. Period.
Source: SAP KBA 3472405 and the official SAP Help Portal page “Deprecation of Basic Authentication and Third-Party Corporate Identity Provider (IdP) Direct Integration with SAP SuccessFactors HCM suite”. SAP KBA 2791410 also confirms: “IAS adoption will become mandatory by November, 2026.”
Organizations that started early had smooth rollouts. The ones that waited? Compressed timelines, production issues, and a lot of weekend work. This guide gives you the roadmap they wish they’d had.
What Is IAS and Why This Matters
SAP Identity Authentication Service (IAS) is SAP’s cloud-based authentication platform. It’s the future of access management across all SAP cloud solutions and part of SAP Cloud Identity Services alongside Identity Provisioning Service (IPS).
This migration isn’t just about checking a compliance box. IAS brings capabilities you can’t get with basic authentication:
Security That Meets Modern Standards
Multi-factor authentication, risk-based authentication, centralized password policies. Basic authentication has well-documented security vulnerabilities, and regulatory scrutiny around credential management keeps increasing.
Unified Access Across SAP Solutions
Authenticate once, access everything. SuccessFactors, SAP Analytics Cloud for Story Reports, other SAP solutions all integrate through IAS. No more juggling multiple credential sets.
Future-Ready Architecture
Story Reports in People Analytics already require IAS. New capabilities like Joule AI and advanced analytics follow the same pattern. SAP’s product roadmap assumes you have IAS.
Real-Time Provisioning
With the SCIM API and real-time sync, new hires receive credentials immediately when onboarding begins, not after a scheduled batch job runs hours later.
Understand Your Starting Point: The Three Integration Types
SAP has three distinct integration patterns. Your migration complexity depends entirely on which one applies to you.
The Type 1 / Type 2 / Type 3 framework used below is not original to this guide. It comes from the SAP-published community blog “Onboarding New Hires Authentication using SAP Identity Authentication Service (IAS)” on the SAP Community (under Human Capital Management Blog Posts by SAP).
That post is the canonical reference and you should read it in full. The summary here exists only to orient you before you do.
Type 1: Newly Provisioned Instances (Post-December 9, 2022)
If your SuccessFactors instance was provisioned after December 9, 2022, you’re already on SCIM API. The backend integration happened automatically during provisioning.
How to verify: Navigate to Provisioning > Company Settings. Look for the “Onboardee Identity Authentication” switch. If it’s enabled and grayed out, you’re Type 1.
What this means: Your IAS/IPS infrastructure is ready. Your focus is configuration (email templates, real-time sync setup, and testing).
Type 2: Existing Instances with IAS Upgrade After December 2022
If you initiated an IAS upgrade through the Upgrade Center after December 9, 2022, you’re also on SCIM.
How to verify: Navigate to Admin Center > Monitoring Tool for Identity Authentication/Identity Provisioning Service Upgrade > Settings tab. If you see “Employee and Onboardee Application Completed” (grayed out), you’re Type 2.
What this means: Like Type 1, your backend is SCIM-ready. Configuration and testing are your focus areas.
Type 3: Legacy ODATA Connector (Pre-December 2022 IAS Integration)
If you integrated IAS before December 9, 2022, you’re on the legacy ODATA connector. This is the most complex scenario because you must upgrade from ODATA to SCIM before enabling onboarding authentication.
How to verify: Log into Identity Provisioning Service > Source Systems > Select your SuccessFactors source > Properties. Look for sf.api.version. Version 1 = ODATA. Version 2 = SCIM.
What this means: You have a two-phase migration. First upgrade ODATA to SCIM, then configure onboarding authentication. Budget 3-5 additional weeks for this.
Critical Limitations for ODATA Connectors:
- Onboarding new hires sync via scheduled IPS jobs only (no real-time sync available)
- New hires receive IAS activation email only after the IPS job runs
- Cancelled onboarding accounts deactivate only when the next IPS job runs
- Rehires require manual workarounds (deleting old email addresses)
This is why SAP strongly recommends migrating to SCIM if you’re still on ODATA. Budget 3–5 additional weeks for the ODATA→SCIM upgrade before you start the onboarding configuration.
Pre-Migration Planning: Answer These Questions First
1. Do You Have Corporate SSO for Employees?
If employees authenticate through Azure AD, Okta, Ping Identity, or another corporate IdP, you need conditional authentication in IAS so that employees route to your corporate IdP while pre-day-1 onboardees use IAS password authentication.
Without this: You’ll force new hires to authenticate through your corporate directory before they have corporate accounts. The classic chicken-and-egg problem.
Reference: SAP KBA 2954556 “How to implement Partial SSO after Identity Authentication implementation on SuccessFactors” covers conditional authentication patterns.
2. What’s Your Rehire Strategy?
Rehires are the most common source of production issues. Here’s what should happen:
- Employee terminates from Employee Central
- Their IAS account gets deleted (not just deactivated). Set property: ips.delete.existedbefore.entities=true
- When rehired through onboarding, a new IAS account is created
- New account links to their reactivated Employee Central record
- On hire date, their account transitions from “onboardee” to “employee” type
Source for this guidance: SAP Community blog “Considerations when implementing IAS for SuccessFactors Onboarding” (December 2025, post ba-p/14288604). The blog lays out the rehire flow and recommends the ips.delete.existedbefore.entities=true setting explicitly. The behavior of this property is also documented in SAP KBA 3017663 and KBA 3405942.
Test this flow extensively. We’ve seen multiple go-lives where rehire workflows failed because old IAS accounts weren’t properly deleted.
3. Are You Still on Onboarding 1.0?
“SAP is extending the End of Maintenance date from the Second Half 2025 Release to the First Half 2026 Release. This means that Onboarding 1.0 will now receive compliance updates and security patches through the 1H 2026 Release.”
Practically, that means:
- End of Maintenance: May 14, 2026 (1H 2026 release)
- Deletion: 1H 2026 Production release — Onboarding 1.0 and its data become inaccessible
- There is no automated migration tool from ONB 1.0 to the new Onboarding solution; it’s a reimplementation.
Decision point: Should you migrate to the new Onboarding first, then implement IAS? Or implement IAS on ONB 1.0, then migrate?
If you’re within 6 months of planning a new Onboarding migration, do that first. Implementing IAS twice (once on ONB 1.0, again on the new Onboarding) creates unnecessary complexity and risk.
Note: ONB 1.0 treats pre-day-1 users as “active employees,” so they sync through standard IPS jobs. The new Onboarding (formerly “ONB 2.0”) treats them as external users with the pm_product_name=ONB URL parameter handled differently.
4. Do You Have Learning-Only External Users?
External learning users (partners, contractors, customers) maintain separate IAS accounts from onboardees. Each requires a unique personal email address and username.
Naming convention matters. Plan how you’ll distinguish external learners from onboardees to avoid account collisions.
5. What’s Your Change Window?
IAS migration requires a service interruption. You cannot switch authentication methods seamlessly.
Best practices:
- Schedule during a period with no active onboarding processes
- Weekend or holiday window preferred
- Budget 4-6 hours for production migration (even if preview took 2 hours)
- Validate that all in-flight onboarding cases are completed or paused before starting
The 6-Phase Migration Strategy
Phase 1: Initiate IAS Integration via Upgrade Center
The phase structure below is a synthesis of the official SAP Help guide “Setting up SAP Identity Authentication Service for New Hires Using System for Cross-domain Identity Management (SCIM) API”, SAP KBA 2791410 (the master implementation guide), Jaideep Shetty’s three-part “IAS for ONB2.0 New Hires” SAP Community series (March 2023, posts ba-p/13549508, ba-p/13549763, and the transformations post on Technology Blog Posts by Members), and the series “IPS to IAS migration”.
Prerequisites:
- Upgrade Center access permission
- Customer S-User credentials (Partner S-Users cannot trigger this upgrade)
- If you already have an IAS tenant: URL and admin access
- Verify existing IAS tenants at https://iamtenants.accounts.cloud.sap/
Procedure:
Step 1: Navigate to Upgrade Center
Admin Center > Upgrade Center > Search for “Initiate the SAP Cloud Identity Services Identity Authentication Service Integration”
Step 2: Authenticate with S-User
Enter the S-User credentials you use to open support cases. If authentication fails, check SAP KBA 2944990 for common issues.
Step 3: Select or Create IAS Tenant
You’ll see a list of available IAS tenants. Since 2H 2025, the list shows an “Ownership” field:
- Owned: Registered under the same customer ID as your SuccessFactors system
- Trusted: Belongs to a different customer ID but accessible via trust relationship
Decision time: Use existing tenant or create new?
- 1 IAS per 1 SF approach: More IAS tenants to manage, more applications on corporate IdP, but simpler user management
- Shared IAS approach: Fewer tenants to manage, but you need to handle user matching between instances and customize IPS transformation rules
Step 4: Submit and Wait
The process takes 2+ hours. You’ll receive an email with IAS admin credentials if it’s a new tenant.
Important: For upgrades after 2H 2022, the IPS-to-SF connection uses certificate-based authentication (mTLS). The legacy IPSADMIN user is no longer created. This is documented in KBA 2791410 and discussed in the post “Real-Time Sync of New Hires from SAP SuccessFactors to IAS”.
Phase 2: Configure IPS (Identity Provisioning Service)
Prerequisites:
- Completed Phase 1
- Admin access to IPS tenant (verify at https://iamtenants.accounts.cloud.sap/)
Critical Configuration Steps:
Configure Source System Properties (SuccessFactors)
Navigate to IPS > Source Systems > [Your SF System] > Properties
Required properties for SCIM (sf.api.version = 2):
| sf.user.filter | active eq 'true' | Syncs all active users including onboardees |
| sf.api.version | 2 | SCIM API (version 1 = legacy ODATA) |
| ips.delete.existedbefore.entities | true | Properly handles rehires by deleting old accounts |
Source for filter syntax under SCIM v2: “Onboardees are not replicated into IAS through the scheduled Job”: “If you have already migrated to the SCIM connector, then the only possible filter is sf.user.filter=active eq 'true'.” SAP KBA 3464278 also documents which attributes can be used for sf.user.filter when sf.api.version=2.
For legacy ODATA connectors (sf.api.version = 1):
The filter looks different for ODATA:
sf.user.filter = status in 'active','active_external_suite' and (personKeyNav/userAccountNav/userType in 'employee', 'onboardee')
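The property values above, the filter problem described later under Issue 1, and the rehire deletion setting can all be checked in one pass over a copy of the source-system properties. The following is an added example, not code from SAP or from the original guide; the "name = value" text layout and the two sample property sets are constructed for illustration.

```python
# Added example: audit a copy of the IPS source-system properties against the
# values this guide calls for. The "name = value" text layout and both sample
# property sets are constructed for illustration.

SCIM_FILTER = "active eq 'true'"

SAMPLE_SCIM = """
sf.api.version = 2
sf.user.filter = active eq 'true'
ips.delete.existedbefore.entities = true
"""

# Constructed ODATA sample with an incomplete filter and no delete property.
SAMPLE_ODATA = """
sf.api.version = 1
sf.user.filter = status in 'active' and (personKeyNav/userAccountNav/userType in 'employee')
"""


def parse_properties(text):
    """Parse 'name = value' lines; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a name = value line: {raw!r}")
        # Collapse runs of whitespace so the filter comparison is exact.
        props[name.strip()] = " ".join(value.split())
    return props


def audit_source_properties(props):
    """Return (connector, findings) for one source system's properties."""
    findings = []
    version = props.get("sf.api.version")
    user_filter = props.get("sf.user.filter", "")

    if version == "2":
        connector = "SCIM"
        if user_filter != SCIM_FILTER:
            findings.append(
                "sf.user.filter is not \"active eq 'true'\", "
                "the only filter possible on SCIM")
    elif version == "1":
        connector = "ODATA"
        findings.append(
            "legacy ODATA connector: onboardees sync only on scheduled "
            "IPS jobs; plan the ODATA-to-SCIM upgrade")
        if "active_external_suite" not in user_filter:
            findings.append(
                "sf.user.filter omits active_external_suite")
        if "'onboardee'" not in user_filter:
            findings.append("sf.user.filter omits the onboardee userType")
    else:
        connector = "unknown"
        findings.append("sf.api.version is missing or is neither 1 nor 2")

    if props.get("ips.delete.existedbefore.entities", "").lower() != "true":
        findings.append(
            "ips.delete.existedbefore.entities is not true: "
            "old accounts are not deleted for rehires")
    return connector, findings


if __name__ == "__main__":
    for label, sample in (("SCIM", SAMPLE_SCIM), ("ODATA", SAMPLE_ODATA)):
        connector, findings = audit_source_properties(parse_properties(sample))
        print(label, "->", connector)
        for finding in findings:
            print("  -", finding)
```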
Configure Source System Transformation (ODATA only)
If you’re on ODATA, update the transformation JSON to distinguish employee vs onboardee. Navigate to IPS > Source Systems > [Your SF System] > Transformation and add:
{
"condition": "($.status == 't') && ($.personKeyNav.userAccountNav.userType == 'employee')",
"constant": "employee",
"targetPath": "$.userType"
},
{
"condition": "($.status == 'active_external_suite') && ($.personKeyNav.userAccountNav.userType == 'onboardee')",
"constant": "onboardee2.0",
"targetPath": "$.userType"
}
Configure Target System Transformation (IAS)
Navigate to IPS > Target Systems > [Your IAS System] > Transformation
Add this fragment to map onboardee user types:
{
"condition": "$.userType contains 'onboardee'",
"constant": "Public",
"targetPath": "$.userType"
}
You need to tell IPS which IAS email template to use for onboardee activation emails.
First, find your template set ID:
- Log into IAS Admin Console
- Navigate to Email Templates > SF ONB 2.0 On-Behalf Registration
- Click on the template
- Copy the UUID from the URL (it’s the long string after “Template Sets”)
Then add to IPS Target System Transformation:
{
"condition": "$.userType == 'onboardee2.0'",
"constant": "c33e67c2-2c03-452f-86d7-7b40be5af9d4",
"targetPath": "$.emailTemplateSetId",
"scope": "createEntity"
}
(Replace the constant value with your actual template set ID)
Source: Jaideep’s “IAS for ONB2.0 New Hires – 3 (Transformations)” SAP Community post documents this exact pattern for separating onboardee vs. employee email templates. The approach also appears in SAP Community Q&A “IAS + ONB (Welcome Email Day 1)” (post qaq-p/14042943).
Configure SendMail Behavior
This is critical. These fragments control when IAS sends activation emails. Add to IPS Target System Transformation:
{ "constant": "false", "targetPath": "$.sendMail", "scope": "createEntity" },
{ "condition": "$.userType == 'onboardee2.0'", "constant": "true", "targetPath": "$.sendMail", "scope": "createEntity" },
{ "constant": "true", "targetPath": "$.mailVerified", "scope": "createEntity" },
{ "condition": "$.userType == 'onboardee2.0'", "constant": "false", "targetPath": "$.mailVerified", "scope": "createEntity" },
{ "constant": "disabled", "targetPath": "$.passwordStatus", "scope": "createEntity" },
{ "condition": "$.userType == 'employee'", "constant": "enabled", "targetPath": "$.passwordStatus", "scope": "createEntity" }
What this does:
- Onboardees receive IAS activation emails
- Employees don’t receive activation emails (they use corporate SSO)
- Onboardee accounts start with email unverified, forcing them to verify via the activation link
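The effect of these six fragments can be checked before they go into the target transformation. The following is an added example, not SAP's code or code from the original guide: a small Python model that applies fragments top to bottom, with a later write to the same targetPath replacing an earlier one. That evaluation order is an assumption inferred from the default-then-override layout of the fragments above, and the condition parser handles only the `==`, `contains` and `&&` forms that appear on this page.

```python
import re

# The six SendMail fragments from this guide, in the guide's order.
SENDMAIL_FRAGMENTS = [
    {"constant": "false", "targetPath": "$.sendMail", "scope": "createEntity"},
    {"condition": "$.userType == 'onboardee2.0'", "constant": "true",
     "targetPath": "$.sendMail", "scope": "createEntity"},
    {"constant": "true", "targetPath": "$.mailVerified", "scope": "createEntity"},
    {"condition": "$.userType == 'onboardee2.0'", "constant": "false",
     "targetPath": "$.mailVerified", "scope": "createEntity"},
    {"constant": "disabled", "targetPath": "$.passwordStatus",
     "scope": "createEntity"},
    {"condition": "$.userType == 'employee'", "constant": "enabled",
     "targetPath": "$.passwordStatus", "scope": "createEntity"},
]

# One clause: $.dotted.path, an operator, and a single-quoted literal.
_CLAUSE = re.compile(r"^\$\.([\w.]+)\s*(==|contains)\s*'([^']*)'$")


def _lookup(user, dotted):
    """Follow a dotted path through nested dicts; None if any key is absent."""
    value = user
    for key in dotted.split("."):
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value


def condition_holds(condition, user):
    """Evaluate clauses joined by && (simplified model, see lead-in)."""
    for clause in condition.split("&&"):
        match = _CLAUSE.match(clause.strip(" ()"))
        if match is None:
            raise ValueError(f"unsupported condition clause: {clause!r}")
        path, operator, literal = match.groups()
        actual = _lookup(user, path)
        if operator == "==":
            ok = actual == literal
        else:  # contains
            ok = isinstance(actual, str) and literal in actual
        if not ok:
            return False
    return True


def effective_attributes(fragments, user, operation="createEntity"):
    """Apply fragments in order; a later write to a targetPath wins (assumed)."""
    result = {}
    for fragment in fragments:
        if fragment.get("scope", operation) != operation:
            continue
        condition = fragment.get("condition")
        if condition is not None and not condition_holds(condition, user):
            continue
        result[fragment["targetPath"][2:]] = fragment["constant"]
    return result


def activation_mail_problems(fragments):
    """Compare the modelled outcome with what the guide says should happen."""
    problems = []
    onboardee = effective_attributes(fragments, {"userType": "onboardee2.0"})
    employee = effective_attributes(fragments, {"userType": "employee"})
    if onboardee.get("sendMail") != "true":
        problems.append("onboardee2.0 would not be sent an activation email")
    if onboardee.get("mailVerified") != "false":
        problems.append("onboardee2.0 email would be created as verified")
    if employee.get("sendMail") != "false":
        problems.append("employee would be sent an activation email")
    return problems


if __name__ == "__main__":
    for user_type in ("onboardee2.0", "employee"):
        print(user_type,
              effective_attributes(SENDMAIL_FRAGMENTS, {"userType": user_type}))
    # Failure mode: the unconditional default placed after its override.
    swapped = [SENDMAIL_FRAGMENTS[1], SENDMAIL_FRAGMENTS[0]] + SENDMAIL_FRAGMENTS[2:]
    print(activation_mail_problems(swapped))
```

Under this model, moving an unconditional default below its conditional override silently cancels the override, which is one way to end up with the "IAS Activation Email Not Sent" symptom.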
Schedule IPS Sync Job
Navigate to IPS > Jobs > Run Now (for testing) or set up a schedule.
Verify sync is working: IPS > Job Logs > Review last execution for read/write counts and errors.
Phase 3: Enable Real-Time Sync (SCIM Only)
Real-time sync means new hire accounts are created in IAS immediately when onboarding begins, not after a scheduled job runs hours later.
Source: The detailed real-time sync setup is documented in the SAP Help Portal page “Manage Real-Time Sync of New Hires from SAP SuccessFactors to Identity Authentication with Identity Provisioning” and in the post “Real-Time Sync of New Hires from SAP SuccessFactors to IAS > 3 of 4”. Jaideep Shetty’s “IAS for ONB2.0 New Hires – 2” covers the same ground from a different angle.
Prerequisites:
- SCIM connector (sf.api.version = 2)
- Admin access to both SuccessFactors and IAS
Procedure:
Generate X.509 Certificate in SuccessFactors
Admin Center > Security > Certificate Management > Generate new certificate
Important: Leave the “Login Name” field empty. A technical user in the backend handles permissions. If you populate this field, you can run into permission issues later.
Create System User in IAS
IAS Administration Console > Users > Create system user > Upload the X.509 certificate > Grant “Provisioning” permissions
Register Certificate in Integration Service
SuccessFactors > Integration Service Registration Center > Register the certificate
Destination URL format:
https://<ips-tenant-url>/ipsproxy/service/api/v1/systems/<source-system-id>
You can get the source-system-id from the IPS URL when you click on your source system. It’s in the browser address bar.
Enable Real-Time Sync
Admin Center > Manage Data > Manage Identity Provisioning Real Time Sync > Enable for Onboardee
Verify it’s working: Create a test onboarding case. Check Admin Center > Execution Manager > Pre-delivered Integration dashboard. You should see real-time sync events appearing.
Phase 4: Configure Email Templates
You have two approaches here. I’ve seen both work, but Option A tends to reduce support tickets.
Option A: Dual Email Flow (Recommended)
Send a welcome email from SuccessFactors explaining the process, followed immediately by the IAS activation email.
Attribution: This dual-email recommendation comes from SAP Community blog “Considerations when implementing IAS for SuccessFactors Onboarding” (post ba-p/14288604).
SuccessFactors Configuration:
- Keep the (ONB) External User Welcome Message template active
- Remove the password reset link token from the template (this is critical)
- Add clear instructions that look something like this:
Welcome to [Company]! Your onboarding journey begins here.
You will receive a second email from SAP Cloud Identity Services within the next few minutes with your login credentials. Please wait for that email to access the onboarding system.
If you don't receive the activation email within 10 minutes, please contact [HR contact email/phone].
- Translate this message into all your supported languages
IAS Configuration: Configure the activation email template in IAS Admin Console > Applications > SuccessFactors Application > Email Templates
Why this works: The first email sets expectations and provides context. The second email provides the actual credentials. Users understand it’s a two-step process instead of being confused about which email to use.
Option B: Single Email from IAS
Disable SuccessFactors welcome emails entirely. New hires receive only the IAS activation email.
SuccessFactors Configuration:
- Navigate to Email Notification Templates
- Disable these templates:
- (ONB) External User Welcome Message
- (ONB) Rehire User Welcome Message
The recommendation to disable these specific templates if going single-email comes from the SAP Community blog “Onboarding New Hires Authentication using SAP IAS”, which states: “It is recommended to Disable the following templates in Email Services: Template: (ONB) External User Welcome Message Template, Template: (ONB) Rehire User Welcome Message Template.”
IAS Configuration: Customize the IAS activation email to include onboarding context, not just login instructions.
Tradeoff: Simpler (one email instead of two), but less context for the new hire. They receive a generic IAS email without understanding it’s part of their onboarding journey.
Update Start Onboarding Template
Regardless of which option you chose, edit the (ONB) Start Onboarding process template to include:
Before proceeding, ensure you have activated your account using the activation email from SAP Cloud Identity Services.
If you have not received the activation email, please contact your HR administrator at [contact details].
Add this message in all your supported languages.
Phase 5: Configure IAS Application Settings
Set Home URL Redirect
IAS Admin Console > Applications > SuccessFactors Application > Authentication and Access > Home URL
Set it to:
https://<datacenter>.successfactors.com/login?company=<CompanyID>
Important note: Do NOT include the pm_product_name=ONB parameter. Onboarding 2.0 adds this automatically when needed.
Configure Password Policies
IAS Admin Console > Authentication > Password Policy
Recommended settings:
- Minimum length: 10-12 characters
- Complexity: Require uppercase, lowercase, numbers, special characters
- Password expiration: 90 days (or set to never expire for pre-day-1 users who convert to SSO on hire date)
- Failed login lockout: 5 attempts
- Password history: Don’t allow reuse of last 5 passwords
Configure Multi-Factor Authentication (Optional)
IAS Admin Console > Applications > SuccessFactors > Risk-Based Authentication
For email-based MFA (no third-party provider needed):
- Create authentication rule: “Require email verification for all onboardee users”
- Configure it to send a code via email when user logs in
- User enters the code to complete authentication
For SMS-based MFA: You’ll need integration with Twilio, AWS SNS, or similar. More secure but requires additional setup.
Customize Login Page (Optional)
IAS Admin Console > Applications > SuccessFactors > Branding and Layout
Upload your company logo, adjust colors, add custom text. This reduces confusion and support calls from new hires who think they’re on the wrong website.
Phase 6: Enable Onboarding IAS Integration
Prerequisites:
- All previous phases completed and tested in Preview
- All active onboarding cases completed or paused in Production
- Stakeholders notified of migration window
Procedure:
Enable Provisioning Switch
Provisioning > Company Settings > Enable “Onboardee Identity Authentication”
CRITICAL WARNING: Once you enable this switch, you cannot revert it without opening a support ticket with SAP. Test everything in Preview first.
Verify Monitoring Tool Status
Admin Center > Monitoring Tool for Identity Authentication/Identity Provisioning Service Upgrade > Settings tab
You should see: “Employee and Onboardee Application Completed”
If you see warnings or a different status, resolve those issues before proceeding.
Disable Partial SSO (If Applicable)
If you have Partial Organization SSO enabled, disable it now:
Provisioning > Company Settings > Disable “Enable Partial Organization Single Sign-On”
IAS replaces this functionality.
Activate IAS Integration via Upgrade Center
Admin Center > Upgrade Center > “Activate SuccessFactors Identity Authentication Service Integration”
Critical step: Click “Test Now” BEFORE you activate.
During the test:
- You’ll be redirected to IAS for authentication
- Log in (IAS might redirect you to your corporate IdP depending on your configuration)
- If successful, you’ll see a success message
- Return to Upgrade Center and click “Confirm” to activate
If the test fails: Check SAP KBA 2954188 for IAS login troubleshooting steps before opening a support case.
After activation: Your instance is integrated with IAS. All users authenticate through IAS from this point forward.
Testing Strategy: Don’t Skip This Phase
The test scenarios below combine SAP’s official guidance, real-world failure modes documented in SAP KBA 3281873, and field experience reported across the SAP Community blogs cited throughout this guide.
Test Scenario 1: New Hire Happy Path (SCIM with Real-Time Sync)
- Create a test onboarding case
- Complete the New Hire Data Review step
- Verify within 2 minutes: IAS activation email received at the test email address
- Click the activation link and set a password
- Verify redirect: You should be taken to the SuccessFactors onboarding home page
- Complete at least one onboarding task to confirm full system access
- Verify in IAS: User account exists with userType = “onboardee2.0”
- Verify in SuccessFactors: User record shows extensionStatus = 0 (Active, synced to IAS)
Expected result: Seamless flow from start to finish. Emails arrive immediately, no login errors.
Test Scenario 2: New Hire Path (ODATA – Legacy)
Same steps as above, but expect this difference:
- Email arrives only after the next scheduled IPS job runs (not immediately)
- Check IPS job logs to confirm the user was synced
Test Scenario 3: Rehire Flow
- Create an employee in Employee Central
- Terminate the employee (note their userID and email address)
- Verify in IAS: Account is deleted (not just deactivated) after the next IPS sync runs
- Initiate a rehire through onboarding using the same personal email
- Verify: New IAS activation email is sent
- Complete onboarding and process the hire
- Verify on hire date: IAS account transitions from “onboardee2.0” to “employee” type
Common failure point: The old IAS account wasn’t actually deleted, so the new account creation fails with “email already exists” error.
Test Scenario 4: Cancelled Onboarding
- Create a test onboarding case
- Let the IAS account get created (verify it exists in IAS)
- Cancel the onboarding before completion
- For SCIM with real-time sync: Account should be deactivated immediately
- For ODATA: Account deactivates in the next IPS sync job
Test Scenario 5: Employee SSO vs Onboardee Password Auth
- Log in as an employee. You should be routed to your corporate IdP (Azure AD/Okta)
- Log in as an onboardee. You should be routed to IAS password login
- Verify that conditional authentication routes each user type correctly
Test Scenario 6: Error Conditions
- Try to create an onboardee with an email that already exists in IAS. Expect a clear error message.
- Try to login with the wrong password 5 times. Verify the account gets locked out.
- Use the password reset flow. Verify the reset email is sent and the reset actually works.
- Try to access onboarding without completing IAS activation. Verify you’re blocked with a clear message.
Document every result. If preview testing shows issues, fix them before touching production. The cost of fixing issues in production is exponentially higher than fixing them in preview.
Common Issues and How to Fix Them
The issues below are documented across SAP KBAs (3281873, 3204536, 3017663, 3418406), SAP Community discussions, and troubleshooting series.
Issue 1: IAS Activation Email Not Sent
Symptoms:
- Onboarding process starts normally
- No IAS activation email arrives
- User can’t log in
Root causes (check in this order):
Real-time sync not configured (SCIM only)
- Verify: Admin Center > Execution Manager > Pre-delivered Integration dashboard
- Fix: Complete Phase 3 (Enable Real-Time Sync)
IPS filter missing active_external_suite status
- Verify: IPS > Source System > Properties > Check sf.user.filter value
- Fix: Add active_external_suite to the filter
New hire hasn’t passed New Hire Data Review (NHDR) step
- For SCIM: Sync only triggers after NHDR completion
- Verify: Check onboarding process to see which step the user is on
- Fix: Complete the NHDR step
SendMail transformation not configured
- Verify: IPS > Target System > Transformation > Look for SendMail conditions
- Fix: Add the SendMail fragment from Phase 2
Troubleshooting steps:
- Check Admin Center > Execution Manager > Admin Alerts Retry for IAS sync errors
- Look for specific error codes (the error message usually tells you exactly what’s wrong)
- For error code 531: There’s a manual retry option in Admin Alerts under “Failed Domain Events”
Issue 2: Dual Email Confusion
Symptom: New hires receive both SuccessFactors and IAS emails but don’t know which one to use first.
Root cause: Unclear messaging in the SuccessFactors welcome email.
Solution: Update the SF welcome email with crystal-clear sequencing:
STEP 1: Read this email (you're reading it now!)
STEP 2: Wait for a second email from SAP Cloud Identity Services. It arrives within 5 minutes.
STEP 3: Use the link in the second email to set your password.
STEP 4: Log in and begin your onboarding tasks.
IMPORTANT: Do not attempt to log in until you've received and used the password setup link from Step 2.
Make this text bold and impossible to miss in the email template.
Issue 3: Redirect Loop After Activation
Symptom: User sets their password in IAS successfully, then gets stuck in an infinite redirect loop instead of landing on the onboarding page.
Root cause: Home URL not configured correctly in IAS application settings.
Solution:
- Log into IAS Admin Console
- Navigate to Applications > SuccessFactors > Home URL
- Verify the URL matches your SF login URL exactly:
https://<datacenter>.successfactors.com/login?company=<CompanyID>
- Make sure you did NOT include pm_product_name=ONB in the URL
Issue 4: Rehires Don’t Get New Credentials
Symptom: A rehired employee doesn’t receive an IAS activation email.
Root cause: The old IAS account wasn’t deleted when they terminated. It was just deactivated. IAS sees the email address as already in use and blocks the new account creation.
Prevention:
- Set ips.delete.existedbefore.entities=true in IPS source system properties
- Verify your termination process includes IAS account deletion
Fix for existing issue:
- Manually delete the old IAS account in IAS Admin Console
- OR: Update the email in SF to a temporary address, run sync, then update back to the original email
For ODATA connectors specifically, you need to follow the workaround from KBA 3204536:
- Delete the old Business type email in Employee Profile Contact Information
- OR: Change the email type to something other than Business
- Make sure Personal email is set as Primary during the rehire process
Issue 5: Corporate SSO Users Get Password Prompts
Symptom: Employees who should be using corporate SSO are being prompted for an IAS password instead.
Root cause: Conditional authentication isn’t configured properly in IAS.
Solution:
Log into IAS Admin Console > Applications > SuccessFactors > Risk-Based Authentication > Create a conditional rule
The rule logic should look like:
IF userType = "employee" AND loginMethod = "SSO" THEN route to Corporate IdP
IF userType = "onboardee2.0" OR loginMethod = "PWD" THEN use IAS password authentication
Check SAP KBA 2954556 for detailed conditional authentication examples.
Issue 6: Extension Status Shows “Pending” (Status 2)
Symptom: Onboardee record in SuccessFactors shows extensionStatus = 2 (Pending). User is not syncing to IAS.
What this means: The user won’t sync to IAS even though they’re marked as active. This is actually intentional for onboardees who haven’t reached the Pre-Day Content (PDC) stage yet.
When the status changes:
- Status automatically changes to 0 (Active) when the onboardee needs to provide input at the PDC step
- At that point, sync to IAS happens and the activation email gets sent
This is explained in SAP KBA 3281873 Q1.
Timeline and Resource Planning
For SCIM Implementations (Type 1 & 2)
Week 1: Planning and discovery
- Identify your implementation type
- Document corporate SSO requirements if applicable
- Map out rehire workflows
- Schedule your change window
Week 2-3: IPS and real-time sync configuration
- Configure source and target systems in IPS
- Set up transformations
- Enable real-time sync
- Configure email templates
Week 4-5: Preview testing
- Execute all 6 test scenarios
- Document any issues you find
- Fix issues and retest
Week 6: Production migration preparation
- Communicate with stakeholders
- Do final validation in preview
- Document your rollback plan
Week 7: Production migration
- Execute the migration
- Monitor closely for issues
- Support the first few new hires through the process
Week 8: Post-migration stabilization
- Monitor key metrics
- Address any edge cases that come up
- Document lessons learned
Total timeline: 8 weeks
For ODATA Implementations (Type 3)
Add 3-5 weeks at the beginning for the ODATA-to-SCIM upgrade before you start the onboarding configuration.
Total timeline: 11-13 weeks
Resource Requirements
| SF Admin | 20-30 | Provisioning, IPS configuration, certificate management |
| Onboarding Functional Lead | 40-50 | Email templates, process testing, stakeholder communication |
| IAS Administrator | 15-20 | IAS configuration, conditional authentication, branding |
| Integration Specialist | 10-15 | Real-time sync setup, certificate management, troubleshooting |
| Test Lead | 30-40 | Test case development, execution, issue documentation |
Don’t try to do this with a single part-time resource. You need a small team with clear ownership of each area.
What You Should Do Next
Start Planning Now
The November deadline is still 7 months away, but experienced consultants and implementation partners are already booking slots for Q3/Q4 2026. Organizations that wait until September will run into resource constraints and compressed timelines.
Test Everything in Preview
Every production issue I’ve seen traced back to gaps in preview testing. Test each scenario twice. Use real email addresses. Include people who match your actual new hire profile, not just your project team.
Make Communication Crystal Clear
New hires don’t know what IAS is. They don’t care about authentication architecture. Your emails need to be absolutely clear:
- “You’ll get two emails”
- “The second one has your password”
- “Wait for it before trying to log in”
Use simple language. Make it bold. Make it impossible to miss.
Plan Extra Testing for Rehires
This scenario fails more often than any other. If you have significant rehire volume, allocate extra testing cycles and document the exact steps clearly.
Don’t Worry Too Much About Rollback
Rollback is technically possible but requires SAP support involvement and causes user disruption. The better strategy is thorough preview testing so you never need to roll back in the first place.
Think About ONB 2.0 Timing
If you’re still on ONB 1.0 and planning to migrate to ONB 2.0 within the next 6 months, do the platform migration first. Implementing IAS twice (once on ONB 1.0, then again on ONB 2.0) creates unnecessary work and risk.
Beyond Compliance: The Strategic Value
Yes, this migration is mandatory. But once you’re on IAS, you unlock capabilities that weren’t available with basic authentication:
Story Reports
People Analytics Story Reports require IAS. If you’ve been stuck with legacy Canvas or Dashboard reports, IAS opens the door to modern analytics capabilities.
Joule AI Integration
SAP’s AI copilot depends on IAS. As Joule capabilities expand into onboarding workflows, you’ll already be positioned to take advantage of them.
Advanced Security Controls
You can implement step-up authentication for sensitive tasks like bank account entry or tax form completion. Configure device trust and location-based access policies that weren’t possible before.
Unified Identity
When onboardees convert to employees on day one, they keep the same IAS account. This continuity reduces friction and cuts down on support tickets.
The deadline is forcing your hand. But the end result is a more secure, more capable, and more future-ready onboarding environment.
Organizations that started planning in Q1 2025 are finishing their controlled rollouts now. The ones waiting until Q3 2026 will be scrambling under deadline pressure with limited support availability.
Official SAP Resources
Primary SAP KBA Articles:
- SAP KBA 2791410 — Integrating SuccessFactors with Identity Authentication IAS through the Upgrade Center (the master implementation guide)
- SAP KBA 3204536 — How to Setup up Identity Authentication Service (IAS) for Onboarding External Users
- SAP KBA 3281873 — [Onboarding] IAS Main KBA (real-time sync, troubleshooting, FAQ)
- SAP KBA 3078444 — [Onboarding] FAQs on IAS for Onboarding (general onboarding-IAS FAQ)
- SAP KBA 2954556 — How to implement Partial SSO after Identity Authentication implementation on SuccessFactors (conditional authentication)
- SAP KBA 2954188 — IAS login troubleshooting
- SAP KBA 3344522 — Onboarding 1.0 Transformation Resources and Deprecation Announcement (current End of Maintenance dates)
- SAP KBA 3472405 — Deprecation of Basic Authentication (the November 13, 2026 deadline)
- SAP KBA 3017663 — Deleting the Inactive SF users from IAS via IPS provisioning job
- SAP KBA 3464278 — Which attributes of SF SCIM API version 2 can be used for sf.user.filter
SAP Help Portal:
- Deprecation of Basic Authentication and Third-Party Corporate Identity Provider (IdP) Direct Integration with SAP SuccessFactors HCM suite
- Setting up SAP Identity Authentication Service for New Hires Using System for Cross-domain Identity Management (SCIM) API
- Manage Real-Time Sync of New Hires from SAP SuccessFactors to Identity Authentication with Identity Provisioning
- Setting Up SAP SuccessFactors with Identity Authentication
- Using Stories in People Analytics
SAP Guided Answers:
- Integrating SuccessFactors with IAS (Step-by-step implementation wizard)
SAP Community:
- “Onboarding New Hires Authentication using SAP Identity Authentication Service (IAS)” — Human Capital Management Blog Posts by SAP
- “Considerations when implementing IAS for SuccessFactors Onboarding”
- Jaideep Shetty’s “IAS for ONB2.0 New Hires” three-part series:
  - Part 1: Upgrade OData to SCIM
  - Part 2: Configuration steps
  - Part 3: Transformations (Technology Blog Posts by Members)
- “Migrate to SCIM API for better User Identity Sync between SuccessFactors and IAS/IPS”
- SAP Community Q&A: “IAS + ONB (Welcome Email Day 1)” and “How do setup IAS login page for Onboardee and SSO page for Employee authentication?”
Support Components (Use these when opening support tickets):
- LOD-SF-OBX-IAS: Onboarding IAS User Authentication (For onboarding-specific IAS issues)
- LOD-SF-PLT-IAS: Identity Authentication Services (IAS) With BizX (For general IAS integration issues)
- BC-IAM-IDS: Identity Authentication Service (For IAS product issues)
- BC-IAM-IPS: Identity Provisioning Service (For IPS configuration issues)
This guide is intended as a practitioner’s consolidation of publicly available SAP and SAP Community guidance. Where specific frameworks, procedures, or recommendations originated with named authors, attribution has been provided inline. Your specific implementation may have unique requirements, so always validate everything in your Preview environment before making production changes.