/support/notes/service/sap_logo.png){kind=logo}
SAP Knowledge Base Article - PublicSymptom
This KB article explains how clients are able to configure SAP SuccessFactors SAML 2.0 Single Sign-On (SSO) in order to use the SAP Cloud Platform Identity Authentication service via Admin Center
Environment
SAP SuccessFactors HXM Suite
Resolution
This feature is only to have IAS integration setup with your Corporate IdP setup (as this basically access IAS through backend to setup Corporate IdP via APIs) and to setup the redirect URLs for logout, timeout, invalid login or invalid Manager.
Requesting an IAS Tenant
To create IAS and IPS tenants for SuccessFactors Identity Authentication Service Integration, please follow the KBA 2791410 - Integrating SuccessFactors with SAP Cloud Identity Authentication Through the Upgrade Center
Setting up SAML 2.0 Single Sign-On
Pre-requisites
- Before you complete this step, you need to have an SAP Cloud Platform Identity Authentication service tenant and have SAML trust set up between it and your SuccessFactors system
- Users who are granted access to the SAML 2.0 Single Sign On tool before the prerequisite steps are taken can still access the page in Admin Center but cannot use it. They only see an error message
Follow these steps to gain access to the SAML 2.0 Single Sign On tool:
- Go to "Admin Tools" > "Manage Permission Roles" and select the role to which you want to grant permission
- Go to "Administrator Permissions" > "Manage Security"
- Select the "Manage SAML SSO Settings" permission
- Save changes
Configure your Corporate Identity Provider
In this step, Identity Authentication is the service provider configured in your corporate identity provider. Note: This configuration is made by the administrator of your corporate identity provider
- Download the service provider metadata for your Identity Authentication tenant:
- Go to "Admin Center" > "Tools" > "SAML 2.0 Single Sign On"
- Click "Download Service Provider Metadata"
- Register SAP Cloud Platform Identity Authentication service as a service provider for your corporate identity provider
- (Optional) If you are using IdP-initiated SSO, add the sp=<sp_name> parameter to the assertion consumer service (ACS) endpoint URL in your corporate identity provider, replacing the sp_name with the Entity ID of your Identity Authentication service tenant. NOTE: This parameter is needed for Identity Authentication to know where to redirect the user to after successful authentication.
In IAS the Application has at "SAML 2.0 Configuration" a field "Name" for example: https://www.successfactors.com/SFPART088872 .
Then in this case <sp_name>=https://www.successfactors.com/SFPART088872
- Configure your corporate identity provider to send the Name-ID and NameIDFormat that are expected by SuccessFactors:
- Name-ID: username
- NameIDFormat: unspecified
Once the trust is configured, users can access the application via the link sent by the corporate identity provider administrator
Note: To configure single sign-on without SAP Cloud Platform Identity Authentication, using other authentication services or identity providers or using non-SAML methods, use the Provisioning application. Remember that as a customer, you do not have access to Provisioning. To complete this task, please contact SAP Cloud Support
As with all new features, please take advantage of the SAP Help Portal for detailed information. To learn more about SSO with IAS, please click here: SAML 2.0 Single Sign-On with SAP Cloud Platform Identity Authentication
Keywords
SSO, SAML, SAML 2.0, SSO setup, admin center, IAS, IdP, Identity Authentication Service, SAP Cloud Platform Identity Authentication service, SF, success factors, Biz X, PLT, platform
/support/notes/service/facebook.svg)
/support/notes/service/twitter.svg)
/support/notes/service/youtube.svg)
/support/notes/service/linkedin.svg)
/support/notes/service/instagram2.svg)