SAP Knowledge Base Article - Public

2569087 - How to setup SAML 2.0 Single Sign-On via Admin Center?

Symptom

With the b1711 release, you can now configure SAP SuccessFactors SAML 2.0 Single Sign-On (SSO) to use the SAP Cloud Platform Identity Authentication service via Admin Center.

Environment

  • SAP SuccessFactors Platform/BizX
  • SAP SuccessFactors SSO

Resolution

Introduction to IAS (Identity Authentication Service):

The SAP Cloud Platform Identity Authentication service (formerly known as SAP Cloud Identity or "SCI") can act as a proxy for your corporate identity provider, which authenticates users accessing the SAP SuccessFactors application.

SAP Cloud Platform Identity Authentication service is a cloud solution for identity lifecycle management. It can be used by SAP Cloud solutions like the SAP SuccessFactors HCM Suite, as well as for SAP Cloud Platform applications and on-premise applications. It provides services for authentication, single sign-on, and on-premise integration as well as self-services such as registration or password reset for employees, customer partners, and consumers. For administrators, Identity Authentication provides features for user lifecycle management and application configurations.

To use the Identity Authentication service, you need to have an Identity Authentication tenant assigned to you. As an SAP SuccessFactors customer, you are entitled to one such tenant upon request. After your tenant has been created, we will set up SAML trust between the Identity Authentication service and your SuccessFactors system. Once that trust has been established, you can use a self-service admin tool in the Admin Center to set up trust between the Identity Authentication service and your corporate IdP.

How to request your IAS tenant?

Contact SAP SuccessFactors to request access to SAP Cloud Platform Identity Authentication service and have us set up SAML trust with your SuccessFactors system. As an SAP SuccessFactors customer, you are entitled to one Identity Authentication tenant upon request.

Setting up SAML 2.0 Single Sign-On:

Pre-requisites:

  • Before you complete this step, you need to have an SAP Cloud Platform Identity Authentication service tenant and have SAML trust set up between it and your SuccessFactors system.
  • Users who are granted access to the SAML 2.0 Single Sign On tool before the prerequisite steps are taken can still access the page in Admin Center but cannot use it. They can only see an error message.

Follow these steps to gain access to the SAML 2.0 Single Sign On tool:

      1. Go to "Admin Tools" > "Manage Permission Roles" and select the role to which you want to grant permission;
      2. Go to "Administrator Permissions" > "Manage Security";
      3. Select the "Manage SAML SSO Settings" permission;
      4. Save your changes.

  1. Adding an Asserting Party: In this task, you are configuring SAP Cloud Platform Identity Authentication service via the SuccessFactors UI. We provide the SAML 2.0 Single Sign On tool to simplify the set-up process and focus on the fields required by SuccessFactors.
    1. Go to "Admin Center" > "Tools" > "SAML 2.0 Single Sign On";
    2. Click "Add Asserting Party";
    3. Provide the required information in the form:
      1. SAML Asserting Party Name: Enter a name to identify the asserting party. It cannot be modified later;
      2. SAML Issuer: Enter the name of the SAML issuer. Extract this from the SAML metadata file provided by the administrator of your corporate identity provider. It is contained in the entityID attribute in the XML file;
      3. SAML Verifying Certificate: Enter the Identity Authentication service IdP signing certificate. First, extract this from the SAML metadata file provided by the administrator of your corporate identity provider. The certificate is contained in the following element in the XML file: IDPSSODescriptor -> KeyDescriptor -> KeyInfo -> X509Data -> X509Certificate. Then, add the following before and after the certificate:
        • Above the copied text: -----BEGIN CERTIFICATE-----
        • Below the copied text: -----END CERTIFICATE-----
      4. SAML Signing Algorithm: Choose the digest algorithm for signing outgoing messages. You have the following options:
        • SHA-1 - this is the default option
        • SHA-256
      5. Single Sign On Endpoint: Enter the service provider's endpoint URL that receives the response with the SAML assertion from Identity Authentication;
      6. Global Logout Service URL (LogoutRequest destination): Enter the identity provider's URL that will receive SAML Logout Requests;
      7. Logout Redirect URL: Enter the URL of the page users should see when they log out of the service provider;
    4. Click "Done" to save your changes.
  2. Configure your Corporate Identity Provider: In this step, Identity Authentication is the service provider configured in your corporate identity provider. NOTE: This configuration is made by the administrator of your corporate identity provider.
    1. Download the service provider metadata for your Identity Authentication tenant:
      • Go to "Admin Center" > "Tools" > "SAML 2.0 Single Sign On";
      • Click "Download Service Provider Metadata".
    2. Register SAP Cloud Platform Identity Authentication service as a service provider for your corporate identity provider;
    3. (Optional) If you are using IdP-initiated SSO, add the sp=<sp_name> parameter to the assertion consumer service (ACS) endpoint URL in your corporate identity provider, replacing sp_name with the Entity ID of your Identity Authentication service tenant. NOTE: This parameter is needed for Identity Authentication to know where to redirect the user to after successful authentication.
    4. Configure your corporate identity provider to send the Name-ID and NameIDFormat that are expected by SuccessFactors:
      • Name-ID: username
      • NameIDFormat: unspecified
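The extraction described in the "SAML Issuer" and "SAML Verifying Certificate" fields above, and the NameIDFormat check from the last step, as an added helper script that is not part of SAP's tool or this article: it reads an IdP metadata file, pulls the entityID and the signing X509Certificate (skipping encryption-only keys), validates the base64 and wraps it in the BEGIN/END CERTIFICATE lines the form expects. The metadata, issuer URL and certificate bodies are constructed placeholders.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata (hypothetical issuer; the certificate bodies
# are placeholder base64 blobs, not real X.509 certificates).
SIGNING_B64 = base64.b64encode(b"constructed placeholder, not a DER certificate").decode()
ENCRYPT_B64 = base64.b64encode(b"encryption-only key, must not be used to verify").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{ENCRYPT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {SIGNING_B64}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_asserting_party(metadata_xml: str) -> dict:
    """Return SAML Issuer, PEM-wrapped verifying certificate and advertised NameID formats."""
    root = ET.fromstring(metadata_xml)
    issuer = root.get("entityID")
    cert_b64 = None
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" is valid for both purposes; skip
        # encryption-only keys, which cannot verify assertion signatures.
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            cert_b64 = "".join(node.text.split())  # drop line breaks and indentation
            break
    if not issuer or not cert_b64:
        raise ValueError("metadata lacks entityID or an IdP signing certificate")
    base64.b64decode(cert_b64, validate=True)  # reject stray characters before pasting
    pem = "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----".format(
        "\n".join(textwrap.wrap(cert_b64, 64)))
    formats = [n.text for n in root.findall("md:IDPSSODescriptor/md:NameIDFormat", NS)]
    return {"issuer": issuer, "verifying_certificate": pem, "nameid_formats": formats}
```

Paste the returned issuer into "SAML Issuer" and the PEM block into "SAML Verifying Certificate"; if the advertised NameIDFormat list does not include the unspecified format, the IdP side still needs the configuration from the last step.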

Once the trust is configured, users can access the application via the link sent by the corporate identity provider administrator.

NOTE: To configure single sign-on without SAP Cloud Platform Identity Authentication, using other authentication services or identity providers or using non-SAML methods, use the Provisioning application. Remember that as a customer, you do not have access to Provisioning. To complete this task, please contact SAP Cloud Support.

As with all new features, please take advantage of the SAP Help Portal for detailed information. If you would like to learn more about SSO with IAS, see the SAP Help Portal page "SAML 2.0 Single Sign-On with SAP Cloud Platform Identity Authentication".

Keywords

SSO, SAML, SAML 2.0, SSO setup, admin center, IAS, IdP, Identity Authentication Service, SAP Cloud Platform Identity Authentication service.

KBA, LOD-SF-PLT-SAM, SAML SSO First Time Setup, Product Enhancement

Product

SAP SuccessFactors HCM Core 1711