This article provides a step-by-step walkthrough for connecting EmpowerID to SAP Fieldglass, enabling seamless integration and management of your external workforce. By establishing this connection, you can efficiently synchronize worker data between the two systems, streamline access management, and maintain compliance with organizational policies.
Prerequisites
To create an account store with the SAP Fieldglass Connector, the following parameters must be provided:
ServiceUrl: The base URL of the SAP Fieldglass API.
ApiKey: The API key used for authenticating requests to the SAP FieldGlass system.
serviceUserName: The username of the service account used to connect to the SAP FieldGlass system.
servicePassword: The password of the service account used to connect to the SAP FieldGlass system.
baseUrl: The base URL of the Microservice.
clientID: The client ID for OAuth authentication of the Microservice.
clientSecret: The client secret for OAuth authentication of the Microservice.
accessTokenUrl: The URL to obtain the access token for OAuth authentication of the Microservice.
Procedure
Step 1 – Register a service principal application in Entra ID
Log in to your Azure portal as a user with the necessary permissions to create an application in Entra ID.
In Azure, navigate to your Microsoft Entra ID.
Navigate to Manage > App registrations and click New registration.
Name the application, select the scope for the application (single or multitenant), and click Register.
Once the application is registered, copy the Application (client) ID and Directory (tenant) ID from the Overview page. These values are used when configuring the SCIM app service.
Step 2 – Create an app service to host the SuccessFactors SCIM microservice
Log in to your Azure portal as a user with the necessary permissions to create an App Service.
In Azure, navigate to All Services > App Services and create a new App service.
Under Project Details, select a Subscription and then create a Resource Group for the App Service.
Under Instance Details, do the following:
Name – Enter a name.
Publish – Select Code.
Runtime Stack – Select .Net Core 8.
Operating System – Select Linux.
Region – Select the appropriate region.
Click Review + Create.
Click Create.
After the deployment of the app service completes, click Go to resource.
Change the platform for the app service to 64 Bit by doing the following:
On the app service navbar, under Settings, click Configuration.
On the Configuration blade, select the General settings tab.
Under Platform settings, change the Platform to 64 Bit and click Save.
Click Continue to confirm you want to save the changes.
Copy and save the URL on the app service's overview page. You will need it when configuring Entra ID Auth for the app service.
Step 3 – Configure authentication for the app service
Navigate to Settings > Authentication and click Add identity provider.
Select Microsoft.
Add the following identity provider information:
Choose a tenant for your application and its users – Select Workforce configuration (current tenant)
App registration type – Select Pick an existing app registration in this directory.
Name or app ID – Select the service principal application you created to provide Entra ID authentication for the microservice.
Issuer URL – Replace the default value with https://login.microsoftonline.com/<Your Tenant ID>
Client application requirement – Select Allow requests only from this application itself
Identity Requirement – Select Allow requests from any identity
Tenant requirement – Select Allow requests from specific tenants
Allowed tenants – Ensure the Tenant ID matches the specific tenant
Restrict access – Select Require authentication.
Unauthenticated requests – Select HTTP 401 Unauthorized: recommended for APIs.
Token Store – Leave selected.
Click Add.
After adding the Identity provider, click the Edit link.
Set the Issuer URL to https://login.microsoftonline.com/<Your Tenant ID>.
Under Allowed token audiences, enter the URL for the app service.
Click Save.
Go to the App Service Overview page and click Download publish profile. You will need this file when you publish the Fieldglass microservice to Azure.
Step 4 – Publish the Fieldglass Microservice to Azure
Prior to publishing the microservice, you will need to obtain the appropriate ZIP file from EmpowerID.
Copy the PowerShell script below into the text editor of your choice and save it as zipdeploy_appService.ps1:

    param(
        $pubProfilePath,   # path to the publish profile downloaded from the App Service in Step 3
        $zipFilePath       # path to the microservice ZIP file received from EmpowerID
    )
    $ErrorActionPreference = "Stop"

    # Read the publish profile and select the zipdeploy profile from it
    $pubProfile = [xml](Get-Content $pubProfilePath)
    $zipPubProfile = $pubProfile.publishData.publishProfile | Where-Object { $_.publishMethod -eq "zipdeploy" }

    $userAgent = "powershell/1.0"

    # Kudu deployment credentials from the profile, sent as HTTP Basic authentication
    $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $zipPubProfile.userName, $zipPubProfile.userPWD)))
    $zipdeployUrl = "https://$($zipPubProfile.publishUrl)/api/zipdeploy"
    $deploymentsUrl = "https://$($zipPubProfile.publishUrl)/api/deployments"

    # Upload the ZIP to the zipdeploy endpoint, then list deployments to confirm the result
    Invoke-RestMethod -Uri $zipdeployUrl -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -UserAgent $userAgent -Method Post -InFile $zipFilePath
    Invoke-RestMethod -Uri $deploymentsUrl -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -UserAgent $userAgent -Method Get
Open an administrative PowerShell session.
Navigate to the directory where you saved the script and execute it, passing the values of the pubProfilePath and zipFilePath parameters on the command line. The value of pubProfilePath is the path to the Fieldglass App Service publish profile file you downloaded from Azure, and the value of zipFilePath is the path to the microservice ZIP file you received from EmpowerID. The command to execute the script should look similar to that shown in the image below.
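Once the microservice is published, it is worth confirming that the authentication configured in Step 3 is actually enforced and that the OAuth parameters from the Prerequisites section (baseUrl, clientID, clientSecret, accessTokenUrl) produce a token the app service accepts. The following script is an added verification example, not part of EmpowerID's documentation or product code. It assumes accessTokenUrl is the Entra ID client-credentials token endpoint for your tenant, and that the scope requested (the scope parameter) matches both the Application ID URI of the app registration and the Allowed token audiences value entered in Step 3; both are assumptions to adjust to your environment.

```powershell
# Added verification script (not EmpowerID's own code). All parameter values are
# placeholders for the values collected in the Prerequisites section.
param(
    [Parameter(Mandatory)] [string] $baseUrl,         # e.g. https://<your-app-service>.azurewebsites.net
    [Parameter(Mandatory)] [string] $clientID,        # Application (client) ID from Step 1
    [Parameter(Mandatory)] [string] $clientSecret,    # client secret created on that app registration
    [Parameter(Mandatory)] [string] $accessTokenUrl,  # https://login.microsoftonline.com/<Your Tenant ID>/oauth2/v2.0/token
    # Assumption: the audience configured in Step 3, expressed as a scope. Must match the
    # app registration's Application ID URI and the Allowed token audiences setting.
    [string] $scope = "$baseUrl/.default"
)
$ErrorActionPreference = "Stop"

# Check 1: with "Unauthenticated requests" set to HTTP 401 in Step 3, a request
# without a bearer token must be rejected. Anything else means authentication is
# not being enforced in front of the microservice.
try {
    Invoke-WebRequest -Uri $baseUrl -Method Get -UseBasicParsing | Out-Null
    Write-Warning "App Service answered without a token; Easy Auth is not enforcing authentication."
} catch {
    $status = [int]$_.Exception.Response.StatusCode
    if ($status -eq 401) {
        Write-Host "OK: unauthenticated request returned 401"
    } else {
        Write-Warning "Unexpected status $status for unauthenticated request (expected 401)"
    }
}

# Check 2: obtain a client-credentials token from Entra ID using the same
# clientID / clientSecret / accessTokenUrl values that the account store will use.
$body = @{
    grant_type    = "client_credentials"
    client_id     = $clientID
    client_secret = $clientSecret
    scope         = $scope
}
$token = (Invoke-RestMethod -Uri $accessTokenUrl -Method Post -Body $body).access_token
if (-not $token) { throw "Token endpoint returned no access_token" }

# Check 3: the same request with the bearer token must now be accepted. A 401 here
# usually means the token audience does not match the Allowed token audiences or the
# Issuer URL in Step 3 does not match the tenant that issued the token.
$resp = Invoke-WebRequest -Uri $baseUrl -Method Get -UseBasicParsing -Headers @{ Authorization = "Bearer $token" }
Write-Host "OK: authenticated request returned $($resp.StatusCode)"
```

Run it from the same PowerShell session used for the deployment script, for example `.\verify_fieldglass_auth.ps1 -baseUrl <app service URL> -clientID <client id> -clientSecret <secret> -accessTokenUrl <token endpoint>`. The first check failing (a 200 without a token) is the finding to act on before connecting EmpowerID, because it means the microservice is reachable by anyone who knows its URL.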
Step 5 – Create an account store for SAP Fieldglass
On the navbar, expand Admin > Applications and Directories and select Account Stores and Systems.
Select the Actions tab and then click Create Account Store.
Under System Types, search for SAPFieldGlass.
Click the record for SAPFieldGlassConnector to select the type and then click Submit.
This opens the connection details form for the account store. Enter the following information in the form:
Name: Unique name for the account store
ServiceUrl: The base URL of the SAP Fieldglass API.
Api Key: The API key used for authenticating requests to the SAP FieldGlass system.
Service UserName: The username of the service account used to connect to the SAP FieldGlass system.
Service Password: The password of the service account used to connect to the SAP FieldGlass system.
Base URL: The base URL of the Microservice.
Client ID: The client ID for OAuth authentication of the Microservice.
Client Secret: The client secret for OAuth authentication of the Microservice.
Access Token URL: The URL to obtain the access token for OAuth authentication of the Microservice.
When ready, click Submit to create the account store.
Step 6 – Configure Attribute Flow
Return to the Find Account Stores page and search for the account store you just created.
Click the Account Store link for the account store to navigate to the details page.
On the Account Store Details page, select the Attribute Flow Rules tab.
Review the attribute flow and revise as needed.
To change the score for any of the available CRUD operations (Create, Update and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory.
Step 7 – Configure the Fieldglass account store
Click the Edit link on the Account Store Details page for the Fieldglass account store to put the account store in Edit mode.
Edit the settings shown below as needed and save your changes.
Account Store Settings

Setting | Description
---|---
Authentication and Password Settings |
Password Manager Policy for Accounts without Person | Specifies the Password Manager Policy to be used for user accounts not joined to an EmpowerID Person.
Provisioning Settings |
Allow Person Provisioning (Joiner Source) | Specifies whether EmpowerID Persons can be provisioned from user accounts in the account store.
Allow Attribute Flow | Specifies whether attribute changes should flow between the account store and EmpowerID.
Allow Provisioning (By RET) | Allows or disallows the Resource Entitlement (RET) Inbox process to auto-provision accounts for this domain for users who receive RET policy-assigned user accounts but have not yet had them provisioned.
Allow Deprovisioning (By RET) | Allows or disallows the Resource Entitlement Inbox process to auto de-provision accounts for this domain for users who still have RET policy-assigned user accounts but no longer receive a policy that grants them a user account in the domain. De-provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to De-Provision.
Max Accounts per Person | Specifies the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents a runaway error caused by a wrongly configured Join rule. It is recommended that this value be set to 1 unless users will have more than 1 account and you wish them to be joined to the same person.
Business Role Settings |
Allow Business Role and Location Re-Evaluation | Specifies whether Business Role and Location re-evaluation should occur for the account store.
Business Role and Location Re-Evaluation Order | An optional policy setting that provisioning workflows can use to determine which Account Store has priority when determining the roles and locations that should be assigned to a person. Account Stores with a higher value take precedence.
Inventory Auto Provision OUs as IT System Locations | Specifies whether OUs in the external system are added as IT System locations in EmpowerID. If true, the OUs appear under the All IT Systems location node.
Inventory Auto Provision External Roles as Business Roles | Specifies whether EmpowerID should provision Business Roles for external account store roles. If you are using Dynamic Hierarchy policies to generate custom external roles and locations, this option should be left disabled.
Default Person Business Role | Specifies the default EmpowerID Business Role to be assigned to each EmpowerID Person provisioned from the user accounts in the account store.
Default Person Location (leave blank to use account container) | Specifies the default EmpowerID Location to be assigned to each EmpowerID Person provisioned from the user accounts in the account store.
Special Use Settings |
Automatically Join Account to a Person on Inventory (Skip Account Inbox) | Specifies whether EmpowerID should attempt to join user accounts in the account store to an existing EmpowerID Person during the inventory process. When enabled, the Account Inbox is bypassed.
Automatically Create a Person on Inventory (Skip Account Inbox) | Specifies whether EmpowerID should create new EmpowerID Persons from the user accounts discovered in the account store during the inventory process. When enabled, the Account Inbox is bypassed.
Inventory Settings |
Inventory Schedule Interval | Specifies the time span that elapses before EmpowerID performs a complete inventory of the account store. The default value is 10 minutes.
Inventory Enabled | Allows EmpowerID to inventory the user information in the account store.
Step 8 – Enable Inventory on the account store
On the Account Store Settings page, select the Inventory tab.
Change the Inventory Schedule Interval as needed. By default, EmpowerID inventories account stores once every 10 minutes.
Toggle Inventory Enabled.
Click Save to save your changes to the account store.
Now that inventory is enabled for the account store, the next step is to turn on the Account Inbox permanent workflow. This workflow is responsible for fetching and processing new user accounts.
Step 9 – Enable the Account Inbox Permanent Workflow
On the navbar, expand Infrastructure Admin > EmpowerID Server and Settings and select Permanent Workflows.
On the Permanent Workflows page, click the Display Name link for Account Inbox.
On the Permanent Workflow Details page that appears, click the pencil icon to put the workflow in edit mode.
Check Enabled.
Click Save to save your changes.