SAP Knowledge Base Article - Public

2674264 - Configuring SSO between Corporate IDP, IAS Tenant and BizX Instance when using IAS as a proxy to Corporate IDP - BizX Platform

Symptom

 How to configure SSO between Corporate IDP, IAS Tenant and BizX Instance when using IAS as a proxy to Corporate IDP

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

Environment

BizX

Resolution

 SAML Communication Proxy Scenario.png

Initial Steps:

  • Support creates the SAML metadata file of the customer's BizX instance and attaches it to the incident, for configuration on the IAS side.
  • Get the IAS tenant's metadata file from the customer, for configuration on the BizX Provisioning side.

IAS Configuration:

IAS Configuration.png

  • The Support Engineer configures and troubleshoots the IAS side in a screen-share session, because only the customer has access to their IAS tenant.
  • Applications > +Add > name your custom application > click SAML 2.0 Configuration to enter the metadata file from BizX

IAS Configuration2.png

  • Browse to the saved BizX metadata file and import it
  • The import auto-populates the required fields highlighted in the screenshot above
  • These fields are the Identifier (the SP entityID), the ACS (Reply) URL, the Signing Certificate and the Secure Hash Algorithm
  • With IAS, SAML signatures can use SHA-256, whereas the previous setup was limited to SHA-1
  • SHA-256 offers improved security (SHA-1 is no longer acceptable for digital signatures) and is one of the main drivers behind moving to IAS



Retrieving IAS metadata file for BizX configuration:

Retrieving IAS metadata file for BizX configuration.png

  • Tenant Settings > SAML 2.0 Configuration > Download Metadata file

BizX Configuration: IDP-Initiated Login (BizX configuration is done by Support or a Partner with access to Provisioning)

BizX config1.png

  • Asserting Party Name can be any label, for example IAS_COMPANYID
  • Issuer: the entityID from the IAS metadata
  • Certificate: the signing certificate from the IAS metadata
  • IAS signs the Assertion, so set the signed-element option to 'Assertion'
  • Enable SAML Flag: always set to 'Enabled'
  • Enforce the Signing certificate expiry: set to 'Yes', so that an expired IAS signing certificate is rejected rather than silently accepted

BizX Configuration: SP-Initiated Login

BizX config2.png

  • Same as the IDP-Initiated Login configuration above, plus the SP-Initiated fields shown in the screenshot
  • Take the SingleSignOnService and SingleLogoutService URLs from the IAS metadata file

Corporate IDP / IAS Config:

  • Export the IAS metadata file from the IAS tenant (shown above) and give it to the Corporate IDP team for configuration on their end
  • The customer requests the metadata file from their Corporate IDP to configure their IAS tenant

Corporate IDP config.png

  • Go to the area in the screenshot above and import the Corporate IDP metadata file under 'Corporate Identity Providers > SAML 2.0 Configuration'

Identity Federation Switch:

Identity Federation Switch.png

  • When OFF, the user attribute sent by the Corporate IDP is passed straight through to SuccessFactors for authentication
  • This is the correct setting here, because IAS is only being used as a proxy to the customer's Corporate IDP
  • When ON, the Corporate IDP sends its user attribute to IAS, and IAS then sends its own user attribute (e.g. the UserID from the IAS user store) to SuccessFactors for authentication
  • Identity Federation therefore requires IAS to hold the same user repository as the Corporate IDP, which does not fit the proxy scenario: if IAS has no users, it cannot pass on its own user attributes to SuccessFactors

Proxying through the IAS Tenant to the configured Corporate IDP:

Conditional Authentication.png

  • The customer uses the same SuccessFactors login URL whether they integrate directly with IAS or use IAS as a proxy to their Corporate IDP
  • IAS must therefore be told where to send the user for authentication
  • To have the user land on the login screen of their Corporate IDP, select that Corporate IDP from the dropdown in 'Conditional Authentication'
  • If a customer is known to be using IAS as a proxy but users land on the IAS login screen instead of the Corporate IDP login screen, this setting is the cause

Ensuring SHA-256 communication between IAS and Corporate IDP:

Forcing SHA-256 communication.png

  • Go to Corporate Identity Providers > ADFS Test (for example) > Identity Provider Type > choose MS ADFS 2.0
  • This is a hidden feature that forces SHA-256 communication and should be selected if you want SHA-256
  • This applies to all Corporate IDPs, not only to ADFS
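The KBA states that the 'MS ADFS 2.0' type forces SHA-256; whether the exchange is actually on SHA-256 is visible in the messages themselves. The check below is an added example, not SAP code and not part of this KBA. It reads the ds:SignatureMethod and ds:DigestMethod algorithm URIs from a SAML Response (HTTP-POST binding) or the SigAlg parameter of an HTTP-Redirect AuthnRequest, and also reports which element carries the signature, which is the fact behind the 'Assertion' setting in the IDP-Initiated Provisioning screen above. The SAML documents and URL in the block are constructed placeholders with empty signature values and example hostnames; capture real ones with a SAML tracer browser extension.

```python
"""Report the signature/digest algorithms and the signed element of SAML
messages, to confirm the Corporate IDP <-> IAS leg is on SHA-256, not SHA-1.

Added example, not part of the SAP KBA; Python standard library only. All
documents and URLs below are constructed placeholders."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# XML Signature algorithm identifiers (xmldsig-core and RFC 6931).
SHA1_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
}
SHA256_ALGS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
}

_SIG_TEMPLATE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="{sig}"/>
    <ds:Reference URI="#{ref}">
      <ds:DigestMethod Algorithm="{digest}"/>
      <ds:DigestValue></ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue></ds:SignatureValue>
</ds:Signature>"""


def _response(sign_on: str, sig: str, digest: str) -> str:
    """Constructed Response with the signature on 'Response' or 'Assertion'."""
    resp_sig = _SIG_TEMPLATE.format(sig=sig, digest=digest, ref="_r1") if sign_on == "Response" else ""
    asrt_sig = _SIG_TEMPLATE.format(sig=sig, digest=digest, ref="_a1") if sign_on == "Assertion" else ""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://adfs.corp.example/adfs/services/trust</saml:Issuer>
  {resp_sig}
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://adfs.corp.example/adfs/services/trust</saml:Issuer>
    {asrt_sig}
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


SAMPLE_ASSERTION_SHA1 = _response("Assertion", "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                                  "http://www.w3.org/2000/09/xmldsig#sha1")
SAMPLE_RESPONSE_SHA256 = _response("Response", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                                   "http://www.w3.org/2001/04/xmlenc#sha256")
# Mixed: a SHA-256 signature over a SHA-1 digest is still not SHA-256 end to end.
SAMPLE_MIXED = _response("Assertion", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                         "http://www.w3.org/2000/09/xmldsig#sha1")
# What the browser POSTs: the XML base64-encoded in the SAMLResponse form field.
SAMPLE_POST_FIELD = base64.b64encode(SAMPLE_RESPONSE_SHA256.encode()).decode()
# HTTP-Redirect AuthnRequest: the signature is in the query string, SigAlg names it.
SAMPLE_REDIRECT_URL = ("https://adfs.corp.example/adfs/ls/?SAMLRequest=Zm9v"
                       "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256"
                       "&Signature=YmFy")


def classify(alg: str) -> str:
    return "sha1" if alg in SHA1_ALGS else "sha256" if alg in SHA256_ALGS else "other"


def inspect_signed_xml(xml_text: str) -> list:
    """One finding per ds:Signature: the element it signs and whether every
    algorithm in it (signature and all reference digests) is SHA-256."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for sig in root.iter(DS + "Signature"):
        sig_method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
        sig_alg = sig_method.get("Algorithm", "") if sig_method is not None else ""
        digest_algs = [d.get("Algorithm", "")
                       for d in sig.findall(f"{DS}SignedInfo/{DS}Reference/{DS}DigestMethod")]
        levels = {classify(sig_alg)} | {classify(a) for a in digest_algs}
        findings.append({
            "signed_element": parent_of.get(sig, root).tag.split("}")[-1],
            "signature_method": sig_alg,
            "digest_methods": digest_algs,
            "sha256_only": levels == {"sha256"},
        })
    return findings


def inspect_post_field(saml_response_b64: str) -> list:
    """HTTP-POST binding: decode the SAMLResponse form field, then inspect."""
    return inspect_signed_xml(base64.b64decode(saml_response_b64).decode("utf-8"))


def inspect_redirect_url(url: str) -> dict:
    """HTTP-Redirect binding: no XML signature, the algorithm is the SigAlg parameter."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    sig_alg = query.get("SigAlg", [""])[0]
    return {"signed": "Signature" in query, "signature_method": sig_alg,
            "sha256_only": classify(sig_alg) == "sha256"}


if __name__ == "__main__":
    for name, doc in [("assertion/SHA-1", SAMPLE_ASSERTION_SHA1),
                      ("response/SHA-256", SAMPLE_RESPONSE_SHA256), ("mixed", SAMPLE_MIXED)]:
        for f in inspect_signed_xml(doc):
            print(f"{name}: signs {f['signed_element']}, sha256_only={f['sha256_only']}")
    print("redirect:", inspect_redirect_url(SAMPLE_REDIRECT_URL))
```

Paste the SAMLResponse value captured from the browser into `inspect_post_field`, and the full redirect URL of the AuthnRequest that IAS sends to the Corporate IDP into `inspect_redirect_url`; a `sha256_only` of False on either leg means the 'MS ADFS 2.0' setting, or the Corporate IDP's own signing configuration, has not taken effect. The `signed_element` value tells you whether 'Assertion' or the response is the right choice for the signed-element option in Provisioning.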

Keywords

IAS, IAS Tenant, SSO, SSO Integration between IAS Tenant and BizX, SSO between Corporate IDP, IAS Tenant and BizX Instance when using IAS as a proxy to Corporate IDP, SHA-256, SHA-256 communication, KBA, LOD-SF-PLT, Foundational Capabilities & Tools, LOD-SF-PLT-SAM, SAML SSO First Time Setup, LOD-SF-PLT-SEL, SSO Errors & Logs, How To

Product

SAP SuccessFactors HCM Suite all versions