SAP Knowledge Base Article - Public

2674588 - [SSO] Manage SAML SSO Settings feature

Symptom

  • Unsure of the functionality contained within the Manage SAML SSO Settings page when browsing SuccessFactors. How is it used? What are the pre-requisites?
  • Why is the Manage SAML SSO Settings page disabled?
  • I have all the permissions, but the Manage SAML SSO Settings page is still disabled. Why?
  • My IAS system user has certificate-based authentication. Where can I find this certificate?

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

Environment

SAP SuccessFactors HXM Suite

SAP Cloud Identity Services – Identity Authentication IAS

Resolution

📌 Manage SAML SSO Settings

This feature is meant for IAS-enabled tenants as an alternative to making updates via the IAS Admin console. It also allows the customer to set up redirect URLs that were previously only available in Provisioning.

1️⃣ - Pre-requisites

To access this feature, the user must have the "Manage Security" -> "Manage SAML SSO Settings" permission. To grant the permission, follow the steps below:

  1. Go to "Admin Center" -> "Manage Permission Roles"
  2. Select the role to which you want to grant permission
  3. In the "Permission Settings" section, click "Permissions..."
  4. Go to the "Manage Security" section and select the "Manage SAML SSO Settings" permission
  5. Save your changes

2️⃣ - How to use the feature

  • This area does not add Asserting Parties to the SSO setup in Provisioning.
  • In ‘Manage SAML SSO Settings’, we are adding Corporate IDP setups to the IAS Tenant. [Reference: KBA 2674264]
  • This configuration of the Corporate IDP can also be done from your IAS Tenant. Through Manage SAML SSO Settings, the user can download the Identity Authentication Service SAML metadata to register IAS as a service provider for your IDP.
  • As seen in the screenshot, if a Corporate IDP is already set up in IAS, it will now populate in this area.
  • With the use of case-insensitive usernames with Identity Authentication, SAP SuccessFactors tenant usernames now remain case-insensitive even when Single Sign-On (SSO) is disabled. This setting can be disabled from within the Manage SAML SSO Settings screen or by disabling SSO in the Identity Authentication administration console. [Reference: KBA 2214831]

3️⃣ - If you face issues accessing Manage SAML SSO Settings

  • Although the functionality is now “clickable”, you may still see a permissions error (screenshot below) when adding an Asserting Party or enabling the other features. This needs to be resolved.

Manage SAML SSO Settings4.png

  • To fix this, we need to import a certificate into a System Admin User in the IAS Tenant.
  • The certificate can be applied to any System User. It does not have to be named SAP HANA Cloud Platform as in the screenshot below (SAP HANA Cloud Platform is just an example System User I have in my Demo IAS Tenant).
  • Creating a new System User in your IAS Tenant and importing the certificate (attached) to it ✅
  • These certificates must be retrieved by Support, who have access to Confluence (for SAP Support: please see the Internal Memo with the link to Confluence).

4️⃣ - Upload Certificate to IAS Tenant System User (Only needed if you face issues accessing Manage SAML SSO Settings)

Manage SAML SSO Settings5.png

  • Navigate to Users & Authorizations > Administrators > SAP HANA Cloud Platform > Certificate
  • Once the certificate has been uploaded, all functionality within ‘Manage SAML SSO Settings’ is fully operational
  • You can find the certificate in the attachment section.

⚠️ Please note that if your SSO setup does not include an IAS Tenant, you cannot use this feature, and this area will be greyed out. To have access to this feature, you need to have IAS implemented as described in KBA 2791410.

Keywords

Manage, SAML, SSO, IAS, Tenant, Corporate, IDP, configuration, SuccessFactors, sf, sfsf, sf sf, SuccessFactor, Success Factor, bizx, SF-IAS, IAS system user certificate, IAS corporate Identity Provider, case-insensitive username SuccessFactors, KBA, LOD-SF-PLT-IAS, Identity Authentication Services (IAS) With BizX, LOD-SF-PLT, Platform Foundational Capabilities, LOD-SF-PLT-SAM, SAML SSO First Time Setup, LOD-SF-PLT-SEL, SSO Errors & Logs, How To

Product

SAP SuccessFactors HCM Suite all versions

Attachments

ias_prod_cert_2024.cer