A request we often get from clients is whether SAP SuccessFactors can be a hub for employees to access other Human Resources Systems. The good news is that this capability is now supported. For many clients, SAP SuccessFactors will be one of the most widely used application suites, and having the capability to use it as a hub for linking to other applications will help your employees efficiently access this new, centralized Human Resources system.The two primary hubs used for linking to other applications are the corporate intranet and an Identify Management Services system such as OKTA or ADFS. The screen shot below shows the home page for the Okta app where a user can quickly access other systems they are permissioned to see.
The same concept can be applied to the SAP SuccessFactors home page and since Human Resources information is stored and maintained in SuccessFactors, it also makes sense to use this data to grant access to other applications. This is where the Role Based Permission (RBP) capabilities can be used to permission employee groups not only to access/update data within the system, but also to control the display of applications that they can access. For example, you can easily set filters so employees in each country can only see a tile link to the payroll provider for that country. The same concept can be applied to a Benefits provider. Here is a screenshot of the SuccessFactors home page with tiles to various applications.
There is also the capability to make this more granular where access to background screening or digital interviewing vendors can be limited to a smaller subset of users within specific departments or locations. One benefit of this approach is that you are automatically personalizing the home page of SAP SuccessFactors, so employees are only seeing content and systems that are both relevant and accessable to them.
From an overall system architecture perspective, system connectivity will be different if SuccessFactors is being used as a hub for accessing other Human Resources applications. The graphic below is a typical connectivity diagram showing the Identify Provider as being the central hub for connectivity to other systems. All connection requests will be authenticated by the Identify provider before being submitted to the third-party system.
The diagram below is an updated version of the same system landscape from above. The difference is that SAP SuccessFactors is used as the hub for accessing HR cloud applications. There is no need for a user to browse back to their corporate intranet or Identify Provider to link to these systems. This is particularly helpful if the user is accessing content in a third-party system based on employee or candidate information stored in SuccessFactors. The user can have a seamless link between the two systems without having to reference the employee or candidate identification.
SAP SuccessFactors supports multiple methods of using Single Sign On from their system to other third-party applications. There are pre-packed SSO connections to some supported vendors, Custom Navigation Links for token based SSO, and the Authorized SP Assertion Consumer Service option. This example highlighted above uses the Assertion Consumer Service option.
Clients can now consolidate and centralize Single Sign On access to other relevant Human Resource systems directly from within SAP. By using SAP SuccessFactors as a hub, employees can only see links to applications that they are permissioned to access and once an employee is terminated or moved to another department, the application links can be automatically updated in real time. This helps toimprove productivity, and security by ensuring employee access is updated based on changes to their employment status or job information.