SAP Knowledge Base Article - Public

2569087 - How to setup SAML 2.0 Single Sign-On via Admin Center - SuccessFactors

Symptom

This KB article explains how customers configure SAP SuccessFactors SAML 2.0 Single Sign-On (SSO) with the SAP Cloud Platform Identity Authentication service from the Admin Center

Environment

SAP SuccessFactors HXM Suite

Resolution

IAS (Identity Authentication Service)

  • The SAP Cloud Platform Identity Authentication service (formerly known as SAP Cloud Identity or "SCI") can act as a proxy for your corporate identity provider, authenticating users accessing the SAP SuccessFactors application
  • SAP Cloud Platform Identity Authentication service is a cloud solution for identity lifecycle management. It can be used by SAP Cloud solutions like the SAP SuccessFactors HCM Suite, as well as for SAP Cloud Platform applications and on-premise applications. It provides services for authentication, single sign-on, and on-premise integration as well as self-services such as registration or password reset for employees, customer partners, and consumers. For administrators, Identity Authentication provides features for user lifecycle management and application configurations
  • To use the Identity Authentication service, you need to have an Identity Authentication tenant assigned to you. As an SAP SuccessFactors customer, you are entitled to one such tenant upon request. After your tenant has been created, SAP sets up SAML trust between the Identity Authentication service and your SuccessFactors system. Once that trust has been established, you can use a self-service admin tool in the Admin Center to set up trust between the Identity Authentication service and your corporate IdP

Requesting an IAS Tenant

To create IAS and IPS tenants for SuccessFactors Identity Authentication Service Integration, please follow the KBA 2791410 - Integrating SuccessFactors with SAP Cloud Identity Authentication Through the Upgrade Center

Setting up SAML 2.0 Single Sign-On

Pre-requisites

  • Before you complete this step, you need to have an SAP Cloud Platform Identity Authentication service tenant and have SAML trust set up between it and your SuccessFactors system
  • Users who are granted access to the SAML 2.0 Single Sign On tool before the prerequisite steps are taken can still access the page in Admin Center but cannot use it. They only see an error message

Follow these steps to gain access to the SAML 2.0 Single Sign On tool:

      1. Go to "Admin Tools" > "Manage Permission Roles" and select the role to which you want to grant permission
      2. Go to "Administrator Permissions" > "Manage Security"
      3. Select the "Manage SAML SSO Settings" permission
      4. Save changes

Adding an Assertion Party

In this task, you are configuring SAP Cloud Platform Identity Authentication service via the SuccessFactors UI. We provide the SAML 2.0 Single Sign On tool to simplify the set-up process and focus on the fields required by SuccessFactors

    1. Go to "Admin Center" > "Tools" > "SAML 2.0 Single Sign On"
    2. Click "Add Asserting Party"
    3. Provide the required information in the form:
      1. SAML Asserting Party Name: Enter a name to identify the asserting party. It cannot be modified later
      2. SAML Issuer: Enter the name of the SAML issuer. Extract this from the SAML metadata file provided by the administrator of your corporate identity provider. It is the value of the entityID attribute of the EntityDescriptor element in the XML file
      3. SAML Verifying Certificate: Enter the signing certificate of the asserting party (your corporate identity provider); Identity Authentication uses it to verify the signature on the SAML messages that provider sends. Extract it from the SAML metadata file provided by the administrator of your corporate identity provider. The certificate is contained in the following element in the XML file: IDPSSODescriptor -> KeyDescriptor -> KeyInfo -> X509Data -> X509Certificate. If the metadata contains several KeyDescriptor elements, use the one with use="signing" (a KeyDescriptor without a use attribute serves both signing and encryption). Then add the PEM delimiters, five hyphens on each side, before and after the copied base64 text:
        • Above the copied text: -----BEGIN CERTIFICATE-----
        • Below the copied text: -----END CERTIFICATE-----
      4. SAML Signing Algorithm: Choose the hash algorithm used in the signature of outgoing SAML messages. You have the following options:
        • SHA-1 - this is the default option, kept for compatibility with older identity providers. SHA-1 signatures are deprecated, so use it only if your identity provider cannot verify SHA-256
        • SHA-256 - the recommended option
      5. Single Sign On Endpoint: Enter the service provider's endpoint URL that receives the response carrying the SAML assertion from Identity Authentication
      6. Global Logout Service URL (LogoutRequest destination): Enter the identity provider's URL that receives SAML LogoutRequest messages
      7. Configure the URL redirect links:
        • Redirect URL when logout: Enter the URL of the page users see when they log out of the service provider
        • Redirect URL when session timeout: Enter the URL users are redirected to when the session times out and the user selects the login option
        • Redirect URL for Invalid Login: Enter the URL users are redirected to after an invalid login
        • Redirect URL for Invalid Manager: Enter the URL users are redirected to for the Invalid Manager case
    4. Click "Done" to save your changes

Configure your Corporate Identity Provider

In this step, Identity Authentication is registered as a service provider in your corporate identity provider. Note: This configuration is made by the administrator of your corporate identity provider

    1. Download the service provider metadata for your Identity Authentication tenant:
      • Go to "Admin Center" > "Tools" > "SAML 2.0 Single Sign On"
      • Click "Download Service Provider Metadata"
    2. Register SAP Cloud Platform Identity Authentication service as a service provider in your corporate identity provider
    3. (Optional) If you are using IdP-initiated SSO, add the sp=<sp_name> parameter to the assertion consumer service (ACS) endpoint URL in your corporate identity provider, replacing sp_name with the Entity ID of your Identity Authentication service tenant. NOTE: This parameter is needed for Identity Authentication to know where to redirect the user after successful authentication
    4. Configure your corporate identity provider to send the Name-ID and NameIDFormat that SuccessFactors expects:
      • Name-ID: username
      • NameIDFormat: unspecified
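The following Python script is an added illustration for the "Adding an Assertion Party" and "Configure your Corporate Identity Provider" steps above; it is not part of this KBA and not SAP code. It reads a corporate identity provider's SAML 2.0 metadata and pulls out what the Add Asserting Party form asks for: the entityID (SAML Issuer), the signing certificate re-wrapped in PEM delimiters (SAML Verifying Certificate), the SingleLogoutService location (Global Logout Service URL) and the SingleSignOnService location, and whether the provider advertises the unspecified NameIDFormat that SuccessFactors expects. It also catches two common copy-and-paste mistakes: picking the encryption certificate instead of the signing one, and pasting a truncated or non-certificate value. The metadata document, its entityID and URLs are constructed for the example, and the certificate body is a base64 DER placeholder rather than a real X.509 certificate.

```python
"""Extract the values for the SuccessFactors "Add Asserting Party" form from
a corporate identity provider's SAML 2.0 metadata. Added example, not SAP code;
the sample metadata below is constructed for the example."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: entityID and URLs are made up, and the signing
# certificate body is a base64-encoded DER placeholder (an ASN.1 SEQUENCE
# header followed by zero bytes), not a real X.509 certificate. The first
# KeyDescriptor is an encryption key that must NOT be pasted into the form.
FAKE_DER = b"\x30\x82\x00\x10" + b"\x00" * 16
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/saml/slo"/>
    <md:NameIDFormat>{UNSPECIFIED}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def is_der_sequence(b64_body: str) -> bool:
    """True if the base64 text decodes to data starting with the ASN.1
    SEQUENCE tag (0x30), as every DER-encoded certificate does."""
    try:
        der = base64.b64decode("".join(b64_body.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30


def to_pem(b64_body: str) -> str:
    """Wrap the raw X509Certificate text in the delimiters the form expects,
    stripping embedded whitespace and re-wrapping the base64 at 64 columns."""
    body = "".join(b64_body.split())
    if not is_der_sequence(body):
        raise ValueError("X509Certificate text is not a base64 DER certificate")
    lines = ["-----BEGIN CERTIFICATE-----", *textwrap.wrap(body, 64), "-----END CERTIFICATE-----"]
    return "\n".join(lines)


def _location(idp, tag):
    """Location of the named endpoint, preferring the HTTP-Redirect binding."""
    endpoints = idp.findall(f"md:{tag}", NS)
    if not endpoints:
        return None
    preferred = [e for e in endpoints if e.get("Binding") == HTTP_REDIRECT]
    return (preferred or endpoints)[0].get("Location")


def asserting_party_values(metadata_xml: str) -> dict:
    """Map identity provider metadata onto the Add Asserting Party form fields."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    # A KeyDescriptor without a use attribute is valid for both signing and encryption.
    signing = [
        kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
    ]
    signing = [c for c in signing if c is not None and c.text]
    if not signing:
        raise ValueError("no signing certificate in IDPSSODescriptor")
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    return {
        "saml_issuer": root.get("entityID"),                        # SAML Issuer
        "verifying_certificate": to_pem(signing[0].text),            # SAML Verifying Certificate
        "global_logout_url": _location(idp, "SingleLogoutService"),  # Global Logout Service URL
        "idp_sso_url": _location(idp, "SingleSignOnService"),        # IdP single sign-on endpoint
        "supports_unspecified_nameid": UNSPECIFIED in formats,       # NameIDFormat expected by SF
    }


if __name__ == "__main__":
    for field, value in asserting_party_values(SAMPLE_METADATA).items():
        print(f"{field}:\n{value}\n")
```

Run it against the metadata file your identity provider administrator supplies instead of SAMPLE_METADATA; if supports_unspecified_nameid comes back False, the NameIDFormat still has to be configured on the identity provider side as described in step 4.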

Once the trust is configured, users can access the application via the link sent by the corporate identity provider administrator

Note: To configure single sign-on without SAP Cloud Platform Identity Authentication, using other authentication services or identity providers or using non-SAML methods, use the Provisioning application. Remember that as a customer, you do not have access to Provisioning. To complete this task, please contact SAP Cloud Support

As with all new features, please take advantage of the SAP Help Portal for detailed information. To learn more about SSO with IAS, see the SAP Help Portal topic "SAML 2.0 Single Sign-On with SAP Cloud Platform Identity Authentication"

Keywords

SSO, SAML, SAML 2.0, SSO setup, admin center, IAS, IdP, Identity Authentication Service, SAP Cloud Platform Identity Authentication service, SF, success factors, Biz X, PLT, platform, KBA, LOD-SF-PLT-SAM, SAML SSO First Time Setup, Product Enhancement

Product

SAP SuccessFactors HXM Suite all versions