SAP Knowledge Base Article - Public

2238736 - [SSO] SAML2 Single Sign On: How to enable SSO on my environment?

Symptom

  • What is Single Sign On?
  • How does SAML2 work?
  • How to enable SAML2 SSO on my environment?
  • What are other functionalities I can enable to improve my experience with SAML2 SSO on SuccessFactors?

Environment

SAP SuccessFactors HXM Suite

Resolution

Single Sign-On (SSO) is a property of access control for multiple related but independent software systems. With this property, a user logs in once and gains access to all systems without being prompted to log in to each of them.

SuccessFactors offers a number of SSO options to allow users to access the application without entering their SuccessFactors username and password. This document describes the SAML2 option; to check which other methods are supported, see this KBA: 2088827.

How does SAML2 work?

SSO generally takes place between two parties. The Identity Provider (IdP) has information to authenticate the users and generate SSO logins. The Service Provider (SP) offers a service that is accessible using your SSO. The SP must be able to accept customer-generated SSO logins and identify the user who you want to log in. This document covers the SAML2 SSO standard. In general, any SAML2 SSO software should work with the SuccessFactors application. We support the following SAML2 protocols:

  • IdP-initiated login where a user starts the process internally (default);
  • SP-initiated login where a user starts the process by attempting to connect to SuccessFactors.

The difference between the two protocols is shown in the following figure:

[Figure: Comparison.png, IdP-initiated login compared with SP-initiated login]

How to enable SAML2 SSO on my environment?

The process for setting up SSO is as follows:

  1. Create a metadata file for the instance (it contains all the information required from the SuccessFactors side): 2747798 - Creating the Metadata File for SSO Between SuccessFactors and Identity Provider;
  2. Give this file to your IdP (Identity Provider) for configuration on their end;
  3. Open a ticket with Customer Support (LOD-SF-PLT-SAM);
  4. Get a metadata file from your IdP and attach it to the ticket. We will use this metadata file for configuration on our end.
  5. Also let us know whether you plan to use SP-initiated login or IdP-initiated login. IdP-initiated login is the default method; if you would like SP-initiated login to be available too, refer to the KBA below and provide the information it requires: 2396645 - [SSO] SP Initiated Login.

The See Also section lists some functionalities that you can enable to improve your experience with SAML2 SSO.

See Also

  • 2768478 - [SSO] How to change redirect URLs for Single Sign On;
  • 2088837 - [SSO] Partial Organization Single Sign-On - BizX Platform.
  • 2548905 - Cannot change login method back to blank/null value

Keywords

SAML2, Single Sign-On, SSO, SAML v2, IDP, SP, KBA, LOD-SF-PLT-SAM, SAML SSO First Time Setup, How To

Product

SAP SuccessFactors HXM Suite all versions