SAP Knowledge Base Article - Public

2348735 - Microsoft Azure Active Directory integration with SuccessFactors

Symptom

  • Azure Active Directory integration with SuccessFactors.
  • We need to configure SP-Initiated Login Single Sign-On using Microsoft Azure as our IDP (Identity Provider).
  • We need a guide on how to configure SSO using Azure.

Environment

SAP SuccessFactors HCM Suite

Resolution

The objective of this article is to show the integration of Azure and SuccessFactors in SP-Initiated Single Sign-On mode.

The scenario outlined in this article assumes that you already have the following items:

  • A valid Azure subscription
  • A SuccessFactors single sign-on enabled subscription in SP initiated mode

After completing this tutorial, the Azure AD users you have assigned to SuccessFactors will be able to single sign-on to the application at your SuccessFactors company site (service provider initiated sign-on), or by using the Access Panel (see Introduction to the Access Panel).

The scenario outlined in this article consists of the following building blocks:

  1. Enabling the application integration for SuccessFactors
  2. Configuring single sign-on
  3. Assigning users

Enabling the Azure Application integration for SuccessFactors

The objective of this section is to outline how to enable the application integration for SuccessFactors.

  1. In the Azure classic portal, on the left navigation pane, click Active Directory.

  2. From the Directory list, select the directory for which you want to enable directory integration.

  3. To open the applications view, in the directory view, click Applications in the top menu.

  4. Click Add at the bottom of the page.

  5. On the What do you want to do dialog, click Add an application from the gallery.

  6. In the search box, type SuccessFactors.

  7. In the results pane, select SuccessFactors, and then click Complete to add the application.

Configuring Single Sign-On

The objective of this section is to outline how to enable users to authenticate to SuccessFactors with their account in Azure AD using federation based on the SAML protocol.

To get single sign-on configured, you will have to contact your SuccessFactors support team.

  1. In the Azure classic portal, on the SuccessFactors application integration page, click Configure single sign-on to open the Configure Single Sign On dialog.

  2. On the How would you like users to sign on to SuccessFactors page, select Microsoft Azure AD Single Sign-On, and then click Next.

  3. On the Configure App URL page, perform the following steps, and then click Next.

    1. In the * Sign on URL textbox, type the URL your users use to sign on to your SuccessFactors application.
      Note: This URL depends on the data center where your instance is located. It should look like this: https://performancemanagerX.successfactors.YYY/sf/login?company=CompanyID&loginMethod=SSO
      E.g.: https://performancemanager4.successfactors.com/sf/login?company=CompanyName&loginMethod=SSO

    2. In the * Identifier textbox, type the SuccessFactors Entity ID.
      Note: This URL depends on the data center where your instance is located. It should look like this: https://www.successfactors.com/CompanyID or https://www.successfactors.eu/CompanyID
      Exception: If your instance is located on DC12 (https://performancemanager5.successfactors.eu), the Identifier should be www.successfactors.com/CompanyID

    3. In the * Reply URL textbox, type the Assertion Consumer Service URL.
      Note: This URL depends on the data center where your instance is located. It should look like this: https://performancemanagerX.successfactors.YYY/saml2/SAMLAssertionConsumer?company=CompanyID
      E.g.: https://performancemanager4.successfactors.com/saml2/SAMLAssertionConsumer?company=CompanyName

  4. On the Configure single sign-on at SuccessFactors page, to download your certificate, click Download certificate, and then save the certificate file on your computer.
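
The URL patterns from step 3 can be checked before they are typed into Azure, since the Reply URL is where Azure AD delivers the signed assertion. The following is an added example, not SAP's or Microsoft's code; the function names, the host regular expression and the rule that the Identifier domain follows the instance host's domain are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Host pattern from the article: performancemanagerX.successfactors.YYY.
# Assumption: X is an optional number and YYY is com or eu, the only
# two Identifier domains the article lists.
HOST_RE = re.compile(r"performancemanager\d*\.successfactors\.(com|eu)")
DC12_HOST = "performancemanager5.successfactors.eu"  # exception in the article

def expected_values(host, company_id):
    """Build the three Azure fields from the article's URL patterns."""
    match = HOST_RE.fullmatch(host)
    if not match:
        raise ValueError(f"{host!r} does not match the article's host pattern")
    if host == DC12_HOST:
        identifier = f"www.successfactors.com/{company_id}"
    else:
        # Assumption: the Identifier domain follows the instance host's domain.
        identifier = f"https://www.successfactors.{match.group(1)}/{company_id}"
    return {
        "sign_on_url": f"https://{host}/sf/login?company={company_id}&loginMethod=SSO",
        "identifier": identifier,
        "reply_url": f"https://{host}/saml2/SAMLAssertionConsumer?company={company_id}",
    }

def check_config(sign_on_url, identifier, reply_url):
    """Return the problems found in values about to be entered in Azure."""
    sign_on = urlsplit(sign_on_url)
    company = parse_qs(sign_on.query).get("company", [""])[0]
    if not company:
        return ["Sign on URL has no company parameter"]
    try:
        want = expected_values(sign_on.hostname or "", company)
    except ValueError as exc:
        return [str(exc)]
    got = {"sign_on_url": sign_on_url, "identifier": identifier, "reply_url": reply_url}
    # Exact comparison catches http://, a Reply URL on another host,
    # a different company ID, and a wrong Identifier form.
    return [f"{k}: expected {want[k]}, got {v}" for k, v in got.items() if v != want[k]]

# Constructed sample values (CompanyName is the article's placeholder).
SAMPLE = expected_values("performancemanager4.successfactors.com", "CompanyName")
```

An empty list from `check_config` means the three fields agree with each other and with the patterns above; it does not confirm that the company ID or data center is the right one for your instance.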

To configure SAML-based single sign-on on the SuccessFactors end, configuration is required in Provisioning.

Contact your Partner or SuccessFactors support team and provide them with the following:

  • XML Metadata File from the customer's IdP (Microsoft Azure)
    This is an XML file that can be downloaded from the Azure application.

Assigning users

To test your configuration, you need to grant access to the Azure AD users you want to allow to use your application by assigning them to it.

To assign users to SuccessFactors, perform the following steps:

  1. In the Azure classic portal, create a test account.

  2. On the SuccessFactors application integration page, click Assign users.

  3. Select your test user, click Assign, and then click Yes to confirm your assignment.

If you want to test your single sign-on settings, open the Access Panel. For more details about the Access Panel, see Introduction to the Access Panel.

Disclaimer: Configuration of the third party application (Microsoft Azure) should be done by a Microsoft Azure expert. The information provided does not imply that SAP Cloud Product Support have any expertise in setting up Microsoft Azure Application for customers. These are merely bits of information that were gathered over time while configuring the SAML SSO with Microsoft Azure which may help you with a smoother setup. Please reach out to your Consultant, Partner or Internal IT Team who should have expertise in this area. The links in this document are owned and maintained by Microsoft. 

Keywords

Azure, ActiveDirectory, integration, SuccessFactors, Tutorial, Microsoft, SSO, SAML, SP, Single Sign-On, Metadata, ACS, Identifier, KBA, LOD-SF-PLT-SSO, Single Sign-on, How To

Product

SAP SuccessFactors HCM Suite all versions

Attachments

Azure_Active_Directory_integration_with_SuccessFactors.pdf