SAP Knowledge Base Article - Public

2569087 - How to setup SAML 2.0 Single Sign-On via Admin Center - SuccessFactors (IAS Enabled instances only or that are under IAS implementation)


This KB article explains how clients can configure SAP SuccessFactors SAML 2.0 Single Sign-On (SSO) via Admin Center in order to use the SAP Cloud Platform Identity Authentication service.


SAP SuccessFactors HXM Suite

Reproducing the Issue



This feature is only for setting up the IAS integration with your corporate IdP (it accesses IAS through the backend to set up the corporate IdP via APIs) and for setting up the redirect URLs for logout, timeout, invalid login or invalid Manager.

Requesting an IAS Tenant

To create IAS and IPS tenants for SuccessFactors Identity Authentication Service Integration, please follow KBA 2791410 - Integrating SuccessFactors with SAP Cloud Identity Authentication Through the Upgrade Center.

Setting up SAML 2.0 Single Sign-On


  • Before you complete this step, you need to have an SAP Cloud Platform Identity Authentication service tenant and have SAML trust set up between it and your SuccessFactors system
  • Users who are granted access to the SAML 2.0 Single Sign On tool before the prerequisite steps are taken can still access the page in Admin Center but cannot use it. They only see an error message

Follow these steps to gain access to the SAML 2.0 Single Sign On tool:

      1. Go to "Admin Tools" > "Manage Permission Roles" and select the role to which you want to grant permission
      2. Go to "Administrator Permissions" > "Manage Security"
      3. Select the "Manage SAML SSO Settings" permission
      4. Save changes

Adding an Asserting Party

In this task, you are configuring SAP Cloud Platform Identity Authentication service via the SuccessFactors UI. We provide the SAML 2.0 Single Sign On tool to simplify the set-up process and focus on the fields required by SuccessFactors

    1. Go to "Admin Center" > "Tools" > "SAML 2.0 Single Sign On"
    2. Click "Add Asserting Party"
    3. Provide the required information in the form:
      1. SAML Asserting Party Name: Enter a name to identify the asserting party. It cannot be modified later
      2. SAML Issuer: Enter the name of the SAML issuer. Extract this from the SAML metadata file provided by the administrator of your corporate identity provider. It is contained in the element entityID in the xml file
      3. SAML Verifying Certificate: Enter the Identity Authentication service IdP signing certificate. First, extract this from the SAML metadata file provided by the administrator of your corporate identity provider. The certificate is contained in the following element in the xml file: IDPSSODescriptor -> KeyDescriptor -> KeyInfo -> X509Data -> X509Certificate. Then, add the following before and after the certificate:
        • Above the copied text: -----BEGIN CERTIFICATE-----
        • Below the copied text: -----END CERTIFICATE-----
      4. SAML Signing Algorithm: Choose the digest algorithm for signing outgoing messages. You have the following options:
        • SHA-1 - this is the default option
        • SHA-256
      5. Single Sign On Endpoint: Enter the service provider's endpoint URL that receives the response with the SAML assertion from Identity Authentication
      6. Global Logout Service URL (LogoutRequest destination): Enter the identity provider's URL that will receive SAML Logout Requests
      7. Configure the URL redirect links:
        • Redirect URL when logout: Enter the URL of the page users should see when they log out of the service provider
        • Redirect URL when session timeout: Enter the redirect URL used when the session times out and the user selects the login option
        • Redirect URL for Invalid Login: Enter the URL for Invalid Login URL redirect
        • Redirect URL for Invalid Manager: Enter the URL for Invalid Manager URL redirect
    4. Click "Done" to save your changes

Configure your Corporate Identity Provider

In this step, Identity Authentication is the service provider configured in your corporate identity provider. Note: This configuration is made by the administrator of your corporate identity provider

    1. Download the service provider metadata for your Identity Authentication tenant:
      • Go to "Admin Center" > "Tools" > "SAML 2.0 Single Sign On"
      • Click "Download Service Provider Metadata"
    2. Register SAP Cloud Platform Identity Authentication service as a service provider for your corporate identity provider
    3. (Optional) If you are using IdP-initiated SSO, add the sp=<sp_name> parameter to the assertion consumer service (ACS) endpoint URL in your corporate identity provider, replacing the sp_name with the Entity ID of your Identity Authentication service tenant. NOTE: This parameter is needed for Identity Authentication to know where to redirect the user to after successful authentication.
      In IAS the Application has at "SAML 2.0 Configuration" a field "Name" for example:  .
      Then in this case  <sp_name>=
    4. Configure your corporate identity provider to send the Name-ID and NameIDFormat that are expected by SuccessFactors:
      • Name-ID: username
      • NameIDFormat: unspecified

Once the trust is configured, users can access the application via the link sent by the corporate identity provider administrator.

Note: To configure single sign-on without SAP Cloud Platform Identity Authentication, using other authentication services or identity providers or using non-SAML methods, use the Provisioning application. Remember that as a customer, you do not have access to Provisioning. To complete this task, please contact SAP Cloud Support

As with all new features, please take advantage of the SAP Help Portal for detailed information. To learn more about SSO with IAS, please click here: SAML 2.0 Single Sign-On with SAP Cloud Platform Identity Authentication

SSO, SAML, SAML 2.0, SSO setup, admin center, IAS, IdP, Identity Authentication Service, SAP Cloud Platform Identity Authentication service, SF, success factors, Biz X, PLT, platform

KBA, LOD-SF-PLT-IAS, Identity Authentication Services (IAS) With BizX, LOD-SF-PLT-SAM, SAML SSO First Time Setup, Product Enhancement


SAP SuccessFactors HXM Suite all versions