SAP Knowledge Base Article - Public

3094102 - SuccessFactors - How to update the provisioning Assertion Consumer settings via API and change the signature algorithm?

Symptom

SuccessFactors Outbound SSO setups with partner applications need to be switched to a SHA-256 based signature algorithm.

Environment

SAP SuccessFactors HXM Core

Benefitfocus

Workforce Software

OpenText

Skillsoft

Cause

Since SuccessFactors will be deprecating SHA-1 support for Outbound SSO in the future, any partner application still using a SHA-1 based setup with SuccessFactors (as IdP) should be switched to a SHA-256 based signature algorithm.

See the customer community blog for further updates: SHA-1 Deprecation and Impact on Third Party Applications

Resolution

0. Important

This KBA is meant to provide general guidance on how the SHA-256 setting for SuccessFactors Outbound SSO can be read/updated via APIs, in the context of SuccessFactors SolEx partners (Benefitfocus, WorkForce Software, OpenText, Skillsoft).

  • Any queries on how to do the implementation on the respective partner application side need to be raised with the concerned application support team (not SuccessFactors support):
    Benefitfocus = XX-PART-BFT
    WorkForce = XX-PART-WFR
    OpenText = XX-PART-OPT
    Skillsoft = XX-PART-SKL

  • Any queries on how to use SuccessFactors APIs can be raised to the LOD-SF-INT component.


1. Pre-Read

Application Name and SHA-256 Added to Authorized Service Provider Assertion Consumer Services (ACS) Provisioning Settings

2. Audience relevance for this KBA

SAP SuccessFactors customers/Software Partners who have built SSO integration using SAP SuccessFactors as the identity provider, before 1H2021 release (B2105).

3. Abstract

As a customer, you will not have access to the Partner provisioning screen, where the Assertion Consumer settings have to be changed.

As a Software Partner, you will not have access to the customer's provisioning instance.

Hence, the SAP SuccessFactors Product team has provided OData V2 APIs (function imports) to perform the changes on the provisioning screens.

Note:
SuccessFactors has introduced a new Admin Center tool which allows SHA-256 to be enabled for existing Assertion URL entries without having to access provisioning. Details can be found in 3068321 - Outbound SSO migration to SHA-256 (section "Change SuccessFactors (BizX) side").
This KBA specifically provides guidance on the API-based way of doing the same.

4. Pre-Requisite

Permission for the API user –

  • Manage Permission Roles > Select the role assigned to the API user > Manage Integration Tools > OData API SAML2 Setting

5. Understanding the APIs

The function imports are as follows:

  • getSFIDPCertType (GET): returns the acsurl, the certType currently in use (sha1 or sha2) and the module configured for a given Assertion Consumer Service URL.
  • updateSFIDPCertType (POST): sets the module and the certType for a given acsurl.

Note: While updating the certType via updateSFIDPCertType, please ensure that the module is updated accordingly; refer to the module types in Application Names and Keys.

6. Recommended Methodology for updating the Signature algorithm from SHA-1 to SHA-2

Key Points:

  • SAP SuccessFactors recommends migrating from SHA-1 to a SHA-2 based signature algorithm on or before the end of calendar year 2021.
  • SAP SuccessFactors Product team is working closely with the Solution Extension partners (Benefitfocus, WorkForce Software, OpenText, Skillsoft) – all these partners support SHA-2 based signing algorithm.
  • Please follow the Customer community blog for further updates - SHA-1 Deprecation and Impact on Third Party Applications.
  • For Software Partners/Customers using SAP BTP applications, please refer to this blog on the Partner Delivery Community: Impact of change from SHA-1 to SHA-256 for Internal Applications.

7. How to obtain the SHA-2 based SAML metadata for the SuccessFactors tenant?

Enter a URL of the following pattern in the web browser's address bar and press Enter:

  • https://<server URL>/idp/samlmetadata?company=<companyID>&cert=sha2

Example: https://pmsalesdemo8.successfactors.com/idp/samlmetadata?company=SFPART049902&cert=sha2

8. Failover plan/Roll Back Plan

As you start your testing in the lower environment (Development/Staging/Test), if the SHA-2 flag is checked and the SSO fails due to some mis-configuration on the Service Provider/Software Partner side, you can undo the SHA-2 checkbox in provisioning by sending an API update.

Note: Please ensure to check the SHA-2 support on the Software Partner/Service Provider side, before updating the SHA-1 to SHA-2 certType. This method of Failover should only be used for critical cases.

Sample call

POST https://apisalesdemo8.successfactors.com/odata/v2/updateSFIDPCertType

Request body

{
  "acsurl": "<acsurl_for_which_the_certType_needs_to_be_reverted>",
  "module": "<supported module value>",
  "certType": "sha1"
}

Response

<?xml version="1.0" encoding="utf-8"?>

<d:updateSFIDPCertType m:type="SFOData.updateSFIDPCertType" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">

    <d:errorMessage m:null="true"></d:errorMessage>

    <d:status>Success</d:status>

</d:updateSFIDPCertType>

9. Specifics on SAP SuccessFactors Solution Extension Partners

The following describes the specific alignment with each SAP SuccessFactors Solution Extension partner:


9.1 Benefitfocus

Benefitfocus supports the SHA-2 based signature algorithm.

The SHA-2 based SAML metadata has already been shared with the Benefitfocus product team and is available in the production servers.

9.1.1 What does this mean to mutual SAP SuccessFactors customers?

Customers can run the "getSFIDPCertType" API call and check whether the certType in the response is sha1.

Following are the ACS URLs for Benefitfocus (Production):

  POD     URL
  PODA    https://www.secure-enroll.com/sso/saml
  PODB    https://www.secure2-enroll.com/sso/saml
  PODC    https://www.secure3-enroll.com/sso/saml

Sample call

GET https://apisalesdemo8.successfactors.com/odata/v2/getSFIDPCertType?acsurl='https://www.secure-enroll.com/sso/saml'

Response

<?xml version="1.0" encoding="utf-8"?>

<d:getSFIDPCertType m:type="SFOData.getSFIDPCertType" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">

    <d:errorMessage m:null="true"></d:errorMessage>

    <d:result>{"acsurl":"https://www.secure-enroll.com/sso/saml","certType":"sha1","module":""}</d:result>

    <d:status>Success</d:status>

</d:getSFIDPCertType>

Once this response is received, and it is confirmed that SHA-1 based certificate is used, please update the certType to SHA-2 and module to Benefitfocus accordingly in the SAP SuccessFactors tenant.

Sample call

POST https://apisalesdemo8.successfactors.com/odata/v2/updateSFIDPCertType

Request body

{
  "acsurl": "https://www.secure-enroll.com/sso/saml",
  "module": "benefitfocus",
  "certType": "sha2"
}

Response

<?xml version="1.0" encoding="utf-8"?>

<d:updateSFIDPCertType m:type="SFOData.updateSFIDPCertType" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">

    <d:errorMessage m:null="true"></d:errorMessage>

    <d:status>Success</d:status>

</d:updateSFIDPCertType>

Note: No configuration changes needed in the Benefitfocus tenant.
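As an added example (not part of this KBA and not SAP's or Benefitfocus' own code), the following Python helpers cover the calls used in sections 8 and 9.1: building the getSFIDPCertType URL, parsing the OData XML envelope shown in the responses above, deciding whether an updateSFIDPCertType call to sha2 is still needed, and producing the section 8 rollback body. The function names and the sample response are constructed; the API host is a placeholder.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import quote

DS = "http://schemas.microsoft.com/ado/2007/08/dataservices"           # xmlns:d
MD = "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"  # xmlns:m

def get_cert_type_url(api_host, acsurl):
    # acsurl is wrapped in single quotes as in the KBA samples; '&' is sent as %26.
    return f"https://{api_host}/odata/v2/getSFIDPCertType?acsurl='{quote(acsurl, safe=':/?=')}'"

def parse_response(xml_text):
    # Parse the XML envelope returned by both function imports; 'result' is the
    # decoded JSON from <d:result> (getSFIDPCertType) or None (updateSFIDPCertType).
    root = ET.fromstring(xml_text)
    err = root.find(f"{{{DS}}}errorMessage")
    error = None if err is None or err.get(f"{{{MD}}}null") == "true" else err.text
    result = root.findtext(f"{{{DS}}}result")
    return {"status": root.findtext(f"{{{DS}}}status"), "errorMessage": error,
            "result": json.loads(result) if result else None}

def update_body(acsurl, module, cert_type):
    # Request body for POST /odata/v2/updateSFIDPCertType.
    if cert_type not in ("sha1", "sha2"):
        raise ValueError(f"unsupported certType: {cert_type}")
    return {"acsurl": acsurl, "module": module, "certType": cert_type}

def plan_update(get_xml, module):
    # Body of the update needed to move the ACS entry to SHA-2, or None when it
    # already has certType sha2 with the expected module; raises if the GET failed.
    parsed = parse_response(get_xml)
    if parsed["status"] != "Success":
        raise RuntimeError(parsed["errorMessage"] or "getSFIDPCertType failed")
    entry = parsed["result"]
    if entry["certType"] == "sha2" and entry["module"] == module:
        return None
    return update_body(entry["acsurl"], module, "sha2")

def rollback_body(body):
    # Section 8 failover: same acsurl and module, certType back to sha1.
    return update_body(body["acsurl"], body["module"], "sha1")

# Constructed sample, shaped like the Benefitfocus getSFIDPCertType response above.
SAMPLE_GET_XML = (
    '<?xml version="1.0" encoding="utf-8"?>'
    f'<d:getSFIDPCertType m:type="SFOData.getSFIDPCertType" xmlns:d="{DS}" xmlns:m="{MD}">'
    '<d:errorMessage m:null="true"></d:errorMessage>'
    '<d:result>{"acsurl":"https://www.secure-enroll.com/sso/saml","certType":"sha1","module":""}</d:result>'
    '<d:status>Success</d:status></d:getSFIDPCertType>'
)
```

Send the body returned by plan_update with the API user's credentials and, if SSO breaks on the partner side, send rollback_body of the same body to the same endpoint.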


9.2 WorkForce Software

The following diagram depicts the process to be followed when migrating from SHA-1 to SHA-2. This is a jointly coordinated effort between the SuccessFactors customer team (the customer's internal IT or the implementation partner for SAP SuccessFactors) and WorkForce Software Product Support.

9.2.1 Checking the certificate type in SAP SuccessFactors

Using the function import of SAP SuccessFactors, you can check the certificate type currently used for SSO.

Sample call for Hub configuration

GET https://apisalesdemo8.successfactors.com/odata/v2/getSFIDPCertType?acsurl='https://cas-us2.wfs.cloud/auth/realms/demo_box_54/broker/successfactors/endpoint/'

Response

<?xml version="1.0" encoding="utf-8"?>

<d:getSFIDPCertType m:type="SFOData.getSFIDPCertType" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">

    <d:errorMessage m:null="true"></d:errorMessage>

    <d:result>{"acsurl":"https://cas-us2.wfs.cloud/auth/realms/demo_box_54/broker/successfactors/endpoint/","certType":"sha1","module":"workforce"}</d:result>

    <d:status>Success</d:status>

</d:getSFIDPCertType>

Sample call for WT&A configuration

GET https://apisalesdemo8.successfactors.com/odata/v2/getSFIDPCertType?acsurl='https://demo-demobox54-demo.wfsaas.com.wfsaas.com/workforce/SSO.do?%26RelayState=True'

Response

<?xml version="1.0" encoding="utf-8"?>

<d:getSFIDPCertType m:type="SFOData.getSFIDPCertType" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">

    <d:errorMessage m:null="true"></d:errorMessage>

    <d:result>{"acsurl":"https://demo-demobox54-demo.wfsaas.com.wfsaas.com/workforce/SSO.do?&amp;RelayState=True","certType":"sha1","module":""}</d:result>

    <d:status>Success</d:status>

</d:getSFIDPCertType>

Note: Please refer to this blog to understand the URL pattern for the acsurl: SAP and T&A Steps needed to embed the WFS Suite (force.com) (requires WorkForce community login credentials).

9.2.2 Reporting the incident to WorkForce product support

  1. Download the SHA-2 based SAML metadata from the SAP SuccessFactors instance which is connected to the WorkForce Software tenant (see section 7 above on how to download the SAML metadata with the SHA-2 based certificate).
  2. Raise an incident to the component XX-PART-WFR-SRV (SAP Support Launchpad) along with the downloaded metadata. The WorkForce Product Support team will perform WorkForce's tasks in the Central Authentication Service for your WFS tenant.

Note: WorkForce Product Support is not responsible for testing the connection between SAP SuccessFactors and your WFS tenant.

9.2.3 Updating the certType to SHA-2 in SAP SuccessFactors tenant

After completing the configuration settings on the WFS tenant, please update the module name and the certType on the connected SAP SuccessFactors tenant. The sample call below is for the Hub configuration; follow the same format for the WT&A configuration by replacing the acsurl.

Sample call for Hub configuration

POST https://apisalesdemo8.successfactors.com/odata/v2/updateSFIDPCertType

Request body

{
  "acsurl": "https://cas-us2.wfs.cloud/auth/realms/demo_box_54/broker/successfactors/endpoint/",
  "module": "workforce",
  "certType": "sha2"
}

Response

<?xml version="1.0" encoding="utf-8"?>

<d:updateSFIDPCertType m:type="SFOData.updateSFIDPCertType" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">

    <d:errorMessage m:null="true"></d:errorMessage>

    <d:status>Success</d:status>

</d:updateSFIDPCertType>

9.3 OpenText

9.3.1 Identifying your SAP SuccessFactors tenant and downloading metadata

Section 7 described how to download the SHA-256 based metadata. While the process is the same for any SAP SuccessFactors tenant, it is important to know which of those tenants is involved in the OpenText integration.

9.3.2 Checking the certificate type in SAP SuccessFactors

Using the function import of SAP SuccessFactors, you can check the certificate type currently used for SSO. This OData API function import is fully documented at https://help.sap.com/viewer/28bc3c8e3f214ab487ec51b1b8709adc/latest/en-US/8d5e8e93f4be4c1dadda42626940cc45.html

Sample call for the OpenText OTDS configuration. The sample calls here are made against OpenText's demo tenant, SFPART050885 on DC8. The same process must be followed for any SAP SuccessFactors tenant integrated with OpenText.

GET https://apisalesdemo8.successfactors.com/odata/v2/getSFIDPCertType?acsurl='https://pkaur-otds.eastus.cloudapp.azure.com:8443/otdsws/login'

Response

<?xml version="1.0" encoding="utf-8"?>

<d:getSFIDPCertType m:type="SFOData.getSFIDPCertType" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">

    <d:errorMessage m:null="true"></d:errorMessage>

    <d:result>{"acsurl":"https://pkaur-otds.eastus.cloudapp.azure.com:8443/otdsws/login","certType":"sha1","module":""}</d:result>

    <d:status>Success</d:status>

</d:getSFIDPCertType>

9.3.3 Reporting the incident to OpenText product support

  1. Download the SHA-2 based SAML metadata from the SAP SuccessFactors instance which is connected to OpenText's OTDS server.
  2. Raise an incident against the component XX-PART-OPT-ECM-DSF. The OpenText support and implementation teams will implement your changes.

Note: OpenText Product Support is not responsible for testing the connection between SAP SuccessFactors and your OpenText OTDS tenant.

9.3.4 Updating the certType to SHA-2 in SAP SuccessFactors tenant

After completing the configuration settings on the OTDS tenant, please update the module name and the certType on the connected SAP SuccessFactors tenant. The sample call below is for the OpenText demo tenant configuration.

POST https://apisalesdemo8.successfactors.com/odata/v2/updateSFIDPCertType

Request body

{
  "acsurl": "https://xecm012.idea.eimdemo.com/otdsws/login/",
  "module": "opentext",
  "certType": "sha2"
}

Response

<?xml version="1.0" encoding="utf-8"?>

<d:updateSFIDPCertType m:type="SFOData.updateSFIDPCertType" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">

    <d:errorMessage m:null="true"></d:errorMessage>

    <d:status>Success</d:status>

</d:updateSFIDPCertType>

9.4 Skillsoft

9.4.1 Identifying your SAP SuccessFactors tenant and downloading metadata

Section 7 described how to download the SHA-256 based metadata. While the process is the same for any SAP SuccessFactors tenant, it is important to know which of those tenants is involved in the Skillsoft integration.

9.4.2 Checking the certificate type in SAP SuccessFactors

Using the function import of SAP SuccessFactors, you can check the certificate type currently used for SSO. This OData API function import is fully documented at https://help.sap.com/viewer/28bc3c8e3f214ab487ec51b1b8709adc/latest/en-US/8d5e8e93f4be4c1dadda42626940cc45.html

The sample calls here are made against Skillsoft's demo tenant, SFPART056587 on DC8. The same process must be followed for any SAP SuccessFactors tenant integrated with Skillsoft.

GET https://apisalesdemo8.successfactors.com/odata/v2/getSFIDPCertType?acsurl='https://partlms0154.scdemo.successfactors.com/learning/saml/SSO'

Response:

<?xml version="1.0" encoding="utf-8"?>

<d:getSFIDPCertType m:type="SFOData.getSFIDPCertType" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">

    <d:errorMessage m:null="true"></d:errorMessage>

    <d:result>{"acsurl":"https://partlms0154.scdemo.successfactors.com/learning/saml/SSO","certType":"sha1","module":""}</d:result>

    <d:status>Success</d:status>

</d:getSFIDPCertType>

9.4.3 Reporting the incident to Skillsoft product support

  1. Download the SHA-2 based SAML metadata from the SAP SuccessFactors instance which is connected to Skillsoft.
  2. Raise an incident against the component XX-PART-SKL. The Skillsoft support and implementation teams will implement your changes.

Note: Skillsoft Product Support is not responsible for testing the connection between SAP SuccessFactors and Skillsoft.


9.4.4 Updating the certType to SHA-2 in SAP SuccessFactors tenant

After completing the configuration settings on Skillsoft, please update the module name and the certType on the connected SAP SuccessFactors tenant. The sample call below is for the Skillsoft demo tenant configuration.

POST https://apisalesdemo8.successfactors.com/odata/v2/updateSFIDPCertType

Request body

{
  "acsurl": "https://partlms0154.scdemo.successfactors.com/learning/saml/SSO",
  "module": "skillsoft",
  "certType": "sha2"
}

Response

<?xml version="1.0" encoding="utf-8"?>

<d:updateSFIDPCertType m:type="SFOData.updateSFIDPCertType" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">

    <d:errorMessage m:null="true"></d:errorMessage>

    <d:status>Success</d:status>

</d:updateSFIDPCertType>

See Also

3068321 - Outbound SSO migration to SHA-256

Keywords

SHA-256, Outbound SSO, Solex, BenefitFocus, Skillsoft, Opentext, Workforce, KBA, LOD-SF-PLT-OBD, Outbound SSO, LOD-SF-EC, Employee Central, LOD-SF-INT, Integrations, How To

Product

SAP SuccessFactors HXM Suite all versions