SAP Knowledge Base Article - Public

3094102 - SuccessFactors - How to update the provisioning Assertion Consumer settings and change the signature algorithm?

Symptom

SuccessFactors Outbound SSO setups with partner applications need to be switched from SHA-1 to SHA-256 based signing.

Environment

SAP SuccessFactors HXM Core

Benefitfocus

Workforce Software

OpenText

Skillsoft

Cause

Since SuccessFactors will deprecate SHA-1 support for Outbound SSO in the future, any partner application still using a SHA-1 based setup with SuccessFactors as the IdP should be switched to the SHA-256 based signature algorithm.

Customer community blog for further updates - SHA-1 Deprecation and Impact on Third Party Applications

Resolution

0. Important

This KBA provides general guidance on how the SHA-256 setting for SuccessFactors Outbound SSO can be read or updated, in the context of the SuccessFactors SolEx partners (Benefitfocus, WorkForce Software, OpenText, Skillsoft).

  • Any queries on how to do the implementation on the respective partner application side must be raised with the concerned application support component (not SuccessFactors support):
    Benefitfocus = XX-PART-BFT
    WorkForce = XX-PART-WFR
    OpenText = XX-PART-OPT
    Skillsoft = XX-PART-SKL

  • Identifying the right solution (by the URL of the partner application)

    SolEx                 URL contains
    OpenText              opentext.com
    Benefitfocus          benefitfocus.com
    Workforce Software    wfs.cloud
    Skillsoft             percipio.com



  • Any queries on how to use SuccessFactors APIs can be raised to LOD-SF-INT component.

 

1. Pre-Read

Application Name and SHA-256 Added to Authorized Service Provider Assertion Consumer Services (ACS) Provisioning Settings

 

2. Audience relevance for this KBA

SAP SuccessFactors customers/Software Partners who have built SSO integration using SAP SuccessFactors as the identity provider, before 1H2021 release (B2105).

 

3. Abstract

As a customer, you will not have access to the Partner provisioning screen where the Assertion Consumer settings must be changed. Hence, SAP SuccessFactors introduced a UI replica of that provisioning screen inside SAP SuccessFactors, where the changes can be made. Details can be found here: 3068321 - Outbound SSO migration to SHA-256 (section "Change SuccessFactors (BizX) side").

As a Software Partner, you will not have access to customer’s provisioning instance.

Hence, the SAP SuccessFactors Product team has provided OData V2 APIs (function imports) to perform the changes on the provisioning screens.

 

4. Pre-Requisite

For migrating SHA-1 to SHA-256 certificate via SAP SuccessFactors UI:

As a customer, please ensure you have access to the "Authorized SP Assertion Consumer Service Settings" UI screen in SAP SuccessFactors.

The page will only be accessible to the admin users having the permission- Manage System Properties-> Company System and Logo Settings

Key points about this UI:

  • This UI is only for migrating existing entries from SHA-1 to SHA-256; it cannot be used to create the settings from scratch. New customers should start with SHA-256 and complete the settings on the provisioning screens with the help of an implementation partner.
  • This is read-only for the following fields
    • Assertion Consumer Service
    • Audience URL
    • SP Mapping Key
    • Prevent Proxy User
    • Use Email Assertion
  • Editable fields are
    • Logout URL
    • Application Name
    • SHA-256 Certificate
  • While saving on the UI you may see a pop-up that blocks the save. This happens when an Application Name has not been chosen for every Assertion Consumer Service entry on the UI; the configuration cannot be saved until all entries have an application name filled in.

For Updating via SAP SuccessFactors APIs:

Permission for the API user – Manage Permission Roles > Select the role assigned to the API user > Manage Integration Tools > OData API SAML2 Setting



Note: Please refer to the Attachments section of the KBA for sample API calls.

5. Understanding the APIs

The function imports are getSFIDPCertType (read the current certificate type of an ACS entry) and updateSFIDPCertType (change it); sample calls for each SolEx partner are in the Attachments section.

Note: While updating the SFIDPCertType, ensure the module is set accordingly; refer to the module types under Application Names and Keys.

 

6. Recommended Methodology for updating the Signature algorithm from SHA-1 to SHA-2

Key Points:

  • SAP SuccessFactors recommends migrating from SHA-1 to a SHA-2 based signature algorithm on or before the end of calendar year 2021.
  • SAP SuccessFactors Product team is working closely with the Solution Extension partners (Benefitfocus, WorkForce Software, OpenText, Skillsoft) – all these partners support SHA-2 based signing algorithm.
  • Please follow the Customer community blog for further updates - SHA-1 Deprecation and Impact on Third Party Applications.
  • For Software Partners/Customers using SAP BTP applications please refer to this blog on Partner Delivery Community - Impact of change from SHA-1 to SHA-256 for Internal Applications.

 

7. How to obtain the SHA-2 based SAML metadata for the SuccessFactors tenant?

If you are a Partner:

Enter a URL of the following pattern in the browser's address bar and press Enter:

  • https://<server URL>/idp/samlmetadata?company=<companyID>&cert=sha2

Example: https://pmsalesdemo8.successfactors.com/idp/samlmetadata?company=SFPART049902&cert=sha2

If you are a customer:

You can download the SHA-256 based certificate via SAP SuccessFactors UI

  1. Goto “Authorized SP Assertion Consumer Service Settings” UI
  2. Click on the “Download SuccessFactors IdP Metadata with SHA-256 Certificate”
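An added example (not SAP's code) of what a practitioner would do with the metadata before handing it to a partner: build the URL from the pattern above, extract the signing certificate(s) and their fingerprints so they can be compared with what the partner has loaded, and confirm that the SHA-2 metadata actually carries a certificate the SHA-1 metadata does not. The metadata documents and "certificate" bytes in the block are constructed placeholders, not real SuccessFactors material, and any cert= value other than sha2 is an assumption.

```python
"""Added example, not SAP's code: sanity-check SuccessFactors IdP metadata
(section 7) before sharing it with a partner. The metadata documents and
certificate bytes below are constructed placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def metadata_url(server, company_id, cert="sha2"):
    """URL pattern from section 7. cert=sha2 is documented above; any other
    value for the parameter is an assumption."""
    return f"https://{server}/idp/samlmetadata?company={company_id}&cert={cert}"


def fingerprint(der, algo="sha256"):
    """Colon-separated digest of the DER bytes, the form `openssl x509 -fingerprint` prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_certs(metadata_xml):
    """Return (entityID, [{'sha256': ..., 'sha1': ...}, ...]) for every signing certificate.

    A KeyDescriptor without a use attribute may be used for both signing and
    encryption per the SAML metadata spec, so it is included."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join(node.text.split()))  # tolerate wrapped base64
            certs.append({"sha256": fingerprint(der), "sha1": fingerprint(der, "sha1")})
    return root.get("entityID"), certs


def certificate_rotated(old_metadata_xml, new_metadata_xml):
    """True when the new metadata introduces a signing certificate the old one lacked."""
    old = {c["sha256"] for c in signing_certs(old_metadata_xml)[1]}
    new = {c["sha256"] for c in signing_certs(new_metadata_xml)[1]}
    return bool(new - old)


def _metadata(cert_der):
    """Constructed minimal IdP metadata wrapping the given certificate bytes."""
    b64 = base64.b64encode(cert_der).decode()
    return f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="urn:constructed:idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


# Placeholder bytes standing in for the DER of the SHA-1 and SHA-256 certificates (constructed).
SAMPLE_CERT_DER_SHA1 = b"constructed placeholder, not a certificate (legacy)"
SAMPLE_CERT_DER_SHA2 = b"constructed placeholder, not a certificate (sha2)"
SAMPLE_SHA1_METADATA = _metadata(SAMPLE_CERT_DER_SHA1)
SAMPLE_SHA2_METADATA = _metadata(SAMPLE_CERT_DER_SHA2)

if __name__ == "__main__":
    print(metadata_url("pmsalesdemo8.successfactors.com", "SFPART049902"))
    entity_id, certs = signing_certs(SAMPLE_SHA2_METADATA)
    print(entity_id, certs)
    print("rotated:", certificate_rotated(SAMPLE_SHA1_METADATA, SAMPLE_SHA2_METADATA))
```

The fingerprint is what the partner's support team can read back from their side, so comparing it is a quicker way to confirm the right metadata was loaded than waiting for an SSO failure; certificate_rotated guards against accidentally sending the legacy metadata twice.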

 

8. Failover plan/Roll Back Plan

If you are a partner

As you start testing in a lower environment (Development/Staging/Test): if the SHA-2 flag is checked and SSO fails because of a misconfiguration on the Service Provider/Software Partner side, you can undo the SHA-2 checkbox in provisioning by sending an API update.

Note: Please verify SHA-2 support on the Software Partner/Service Provider side before updating the certType from SHA-1 to SHA-2. This failover method should only be used for critical cases.

Sample call

POST https://apisalesdemo8.successfactors.com/odata/v2/updateSFIDPCertType

Request body

{
  "acsurl": "<acsurl_for_which_the_certType_needs_to_be_reverted>",
  "module": "<supported module value>",
  "certType": "sha1"
}

Response

<?xml version="1.0" encoding="utf-8"?>
<d:updateSFIDPCertType m:type="SFOData.updateSFIDPCertType" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
    <d:errorMessage m:null="true"></d:errorMessage>
    <d:status>Success</d:status>
</d:updateSFIDPCertType>
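The rollback call above, worked through as an added example (not SAP's sample code or a SuccessFactors client library): a small Python client that builds the updateSFIDPCertType POST, refuses certType values other than sha1/sha2, and parses the XML function-import response so a script can tell Success from an error instead of assuming the flip worked. The endpoint path, body fields and response shape are taken from the sample call; the host, API user, company ID, password, module value and ACS URL are placeholders, and the Basic-auth user@companyId format, the "sha2" value and the constructed failure response are assumptions.

```python
"""Added example, not SAP's client code: build the updateSFIDPCertType call
from section 8 and parse its OData function-import response. Host, user,
company ID, password, module value and ACS URL are placeholders."""
import base64
import json
import urllib.request
import xml.etree.ElementTree as ET

DATA_NS = "http://schemas.microsoft.com/ado/2007/08/dataservices"
META_NS = "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
# "sha1" is the value in the sample call; "sha2" is assumed to be the forward value.
ALLOWED_CERT_TYPES = ("sha1", "sha2")

# Response copied from the sample above, used to exercise the parser offline.
SAMPLE_SUCCESS_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<d:updateSFIDPCertType m:type="SFOData.updateSFIDPCertType" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
    <d:errorMessage m:null="true"></d:errorMessage>
    <d:status>Success</d:status>
</d:updateSFIDPCertType>"""

# Constructed failure shape (same elements, error text filled in); not captured from SAP.
SAMPLE_FAILURE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<d:updateSFIDPCertType m:type="SFOData.updateSFIDPCertType" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
    <d:errorMessage>constructed error text</d:errorMessage>
    <d:status>Failure</d:status>
</d:updateSFIDPCertType>"""


def build_cert_type_request(api_host, user, company_id, password, acsurl, module, cert_type):
    """Return a urllib Request for POST https://<api_host>/odata/v2/updateSFIDPCertType.

    Basic auth with "user@companyId" is the usual SuccessFactors OData convention and
    is assumed here; use whatever authentication your API user is set up with."""
    if cert_type not in ALLOWED_CERT_TYPES:
        raise ValueError(f"certType must be one of {ALLOWED_CERT_TYPES}, got {cert_type!r}")
    if not acsurl.startswith("https://"):
        # The ACS URL must be the exact https value registered in provisioning;
        # anything else matches no entry, so fail before sending it.
        raise ValueError("acsurl must be the https ACS URL registered in provisioning")
    body = json.dumps({"acsurl": acsurl, "module": module, "certType": cert_type}).encode()
    token = base64.b64encode(f"{user}@{company_id}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{api_host}/odata/v2/updateSFIDPCertType",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/xml",
                 "Authorization": f"Basic {token}"},
    )


def parse_cert_type_response(xml_bytes):
    """Return (status, error_message) from the function-import response.

    errorMessage carries m:null="true" on success; report that as None, not ""."""
    root = ET.fromstring(xml_bytes)
    status = root.findtext(f"{{{DATA_NS}}}status")
    err = root.find(f"{{{DATA_NS}}}errorMessage")
    if err is None or err.get(f"{{{META_NS}}}null") == "true":
        return status, None
    return status, err.text


def revert_to_sha1(api_host, user, company_id, password, acsurl, module):
    """Send the rollback call and raise unless the tenant reports Success."""
    req = build_cert_type_request(api_host, user, company_id, password, acsurl, module, "sha1")
    with urllib.request.urlopen(req, timeout=30) as resp:  # network call; not exercised offline
        status, err = parse_cert_type_response(resp.read())
    if status != "Success":
        raise RuntimeError(f"updateSFIDPCertType returned {status}: {err}")
    return status


if __name__ == "__main__":
    req = build_cert_type_request("apisalesdemo8.successfactors.com", "apiuser", "SFPART049902",
                                  "secret", "https://sp.example.com/saml/acs",
                                  "HYPOTHETICAL_MODULE", "sha1")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    print(parse_cert_type_response(SAMPLE_SUCCESS_RESPONSE))
    print(parse_cert_type_response(SAMPLE_FAILURE_RESPONSE))
```

Run revert_to_sha1 only against the lower-environment tenant you are testing in, with the same ACS URL you flipped; checking status rather than the HTTP code matters because the function import can answer 200 with an error in the body.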

If you are a customer:

You can un-check the checkbox in the “Authorized SP Assertion Consumer Service Settings” UI and save it.

 

9. Specifics on SAP SuccessFactors Solution Extension Partners

The following describes specific alignment with SAP SuccessFactors Solution Extension partners-

9.1 Benefitfocus

Benefitfocus, supports SHA-2 based signature algorithm.

The SHA-2 based SAML metadata has already been shared with the Benefitfocus product team and is in place on the partner's production servers. Hence you, as a customer, do not need to download the SHA-2 based SAML metadata and share it with the Benefitfocus team.

Please follow the procedure below to make the changes on the SAP SuccessFactors side and migrate from SHA-1 to SHA-2.

9.1.1 As a customer using Benefitfocus software what should I do?

Migration from SHA-1 certificate to SHA-256 on SAP SuccessFactors side can be done by selecting a checkbox as shown in the below UI and ensure to enter the application name as “Benefitfocus”

Note: No configuration changes needed in the Benefitfocus tenant

 

9.2 WorkForce Software

The following diagram depicts the process to be followed when migrating from SHA-1 to SHA-2. This is a jointly coordinated effort between the SuccessFactors customer team (the customer's internal IT or the implementation partner for SAP SuccessFactors) and WorkForce Software Product Support.

9.2.1 What should mutual customers do?

Migration from SHA-1 certificate to SHA-256 on SAP SuccessFactors side can be done by selecting a checkbox as shown in the below UI and ensure to enter the application name as “Workforce Software”

 

After enabling the SHA-2 based certificate, please raise a customer support ticket with SAP as described below to complete the migration process.

9.2.2 Reporting the incident to WorkForce product support

  1. Download the SHA-2 based SAML metadata from the SAP SuccessFactors instance that is connected to the WorkForce Software tenant (see section 7 for how to download the SAML metadata with the SHA-2 based certificate).
  2. Raise an incident on component XX-PART-WFR-SRV (SAP Support Launchpad) and attach the downloaded metadata; the WorkForce Product Support team is responsible for performing WorkForce's tasks in the Central Authentication Service for your WFS tenant.

Note: WorkForce Product Support is not responsible for testing the connection between SAP SuccessFactors and your WFS tenant.

9.3 OpenText

9.3.1 What should customers using OpenText do?

Section 7 described the way to download the SHA-256 certificate. While the process is the same for any SAP SuccessFactors tenant, it’s important to know which of the said tenants is involved in OpenText integrations.

Migration from SHA-1 certificate to SHA-256 on SAP SuccessFactors side can be done by selecting a checkbox as shown in the below UI and ensure to enter the application name as “OpenText”

 

 

After enabling the SHA-2 based certificate, please raise a customer support ticket with SAP as described below to complete the migration process.

 

9.3.2 Reporting the incident to OpenText product support

  1. Download the SHA-2 based SAML metadata from the SAP SuccessFactors instance that is connected to OpenText's OTDS server.
  2. Raise an incident against the component XX-PART-OPT-ECM-DSF. The OpenText support and implementation teams will implement your changes.

Note: OpenText Product Support is not responsible for testing the connection between SAP SuccessFactors and your OpenText OTDS tenant.

 

9.4 Skillsoft

9.4.1 What should customers using Skillsoft do?

Section 7 described the way to download the SHA-256 certificate. While the process is the same for any SAP SuccessFactors tenant, it’s important to know which of the said tenants is involved in Skillsoft integrations.

Migration from SHA-1 certificate to SHA-256 on SAP SuccessFactors side can be done by selecting a checkbox as shown in the below UI and ensure to enter the application name as “Skillsoft”

 

9.4.2 Reporting the incident to Skillsoft product support

  1. Download the SHA-2 based SAML metadata from the SAP SuccessFactors instance that is connected to Skillsoft.
  2. Raise an incident against the component XX-PART-SKL. The Skillsoft support and implementation teams will implement your changes.

Note: Skillsoft Product Support is not responsible for testing the connection between SAP SuccessFactors and Skillsoft.

See Also

3068321 - Outbound SSO migration to SHA-256

Keywords

SHA-256, Outbound SSO, Solex, BenefitFocus, Skillsoft, Opentext, Workforce, KBA, LOD-SF-PLT-OBD, Outbound SSO, LOD-SF-INT, Integrations, LOD-SF-EC, Employee Central, How To

Product

SAP SuccessFactors HXM Suite all versions

Attachments

Pasted image.png
how to use getSFIDPCertType for OpenText SolEx.txt
how to use getSFIDPCertType for Skillsoft SolEx.txt
how to use getSFIDPCertType for WorkForce Software SolEx.txt
how to use getSFIDPCertType for Benefitfocus SolEx.txt