SAP Knowledge Base Article - Public

2674232 - Manually configuring SSO between IAS Tenant and BizX Instance - BizX Platform

Symptom

Customer SF/IAS setups are no longer supposed to be manual. This KBA is for reference only; for customer setups, use KBA 2791410 (Upgrade Center based process) instead.

  • How to configure SSO between IAS Tenant and BizX Instance;
  • How to setup IAS - SuccessFactors integration;

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

Environment

  • SAP SuccessFactors HXM Suite
  • SAP Cloud Platform Identity Authentication Service

Resolution

SAML Communication.png

This integration is just related to SSO to authenticate on SuccessFactors, having no impact on 3rd Party Integrations such as Boomi or SF API connections.

ALL IAS-SUCCESSFACTORS INTEGRATION SHOULD BE DONE THROUGH UPGRADE CENTER AS REFERRED ON THIS KBA 2791410

MANUAL CONFIGURATION SHOULD BE LIMITED TO ADJUSTMENTS ON SPECIFIC BUSINESS CASES AND BE AVOIDED.

THIS KBA IS ONLY TO BE USED IN REFERENCE IN CASE YOUR CONFIGURATION FACES ISSUES OR YOU NEED A REFERENCE.

Initial Steps:

  • Create a metadata file specific for your BizX Instance for configuration on IAS side.
    • See KBA 2747798 - How to create the metadata file for Single Sign On between SuccessFactors and Identity Provider
  • Retrieve the IAS metadata file for BizX configuration for configuration on BizX Provisioning side.
    • See section "Retrieving IAS metadata file for BizX configuration" below.

SAP Cloud Platform Identity Authentication Service (IAS) Configuration:

  • You should have an existing IAS tenant to start this process.
  • To add the SuccessFactors configuration in IAS, follow these steps:
    • Applications > +Add > Choose type as SAP SuccessFactors > Provide any Name for the Application & save it
    • Then, click on SAML 2.0 Configuration to enter metadata file from BizX

IAS Configuration.png

    • Click Browse to select your saved SuccessFactors metadata file and import it. This auto-populates the required fields highlighted in the screenshot.

IAS Configuration2.png

    • These fields include the Identifier, ACS (Reply) URL, Signing Certificate and the Secure Hash Algorithm.
      With IAS, we can now leverage SHA-256, whereas before we were limited to SHA-1. SHA-256 offers improved security and is one of the main drivers behind moving to IAS.
    • Save the SAML 2.0 page.

  • After the SAML 2.0 settings are saved, select the right IAS user field as the Subject Name Identifier. The selection depends on which field in your IAS (for example, Login Name) stores the same data as the SuccessFactors Username, since the SSO login is based on that value.
    Note: If IAS is being used just as a proxy to Corporate IdP, then this selection will not matter.

Retrieving SAP IAS metadata file for BizX configuration:

  • Tenant Settings > SAML 2.0 Configuration > Download Metadata file
    Retrieving IAS metadata file for BizX configuration.png

SAP SuccessFactors BizX Configuration: (Bizx Config done by Partner / Customer Support who has access to Provisioning)

The following are the SSO settings that should be configured.

BizX config1.png

  • Asserting Party Name can be anything. IAS_COMPANYID for example
  • Issuer from IAS metadata entityID section.
  • Certificate from IAS metadata X509Certificate section.
  • The IdP signs the Assertion, so set 'Require Mandatory Signature' to ‘Assertion’
  • Enable SAML Flag always set to ‘Enabled’
  • Enforce the Signing certificate expiry set to ‘Yes’

SAP SuccessFactors BizX Configuration: SP-Initiated Login and Logout

SSO settings.png

  • Above is a screenshot of our internal instance settings, which you can use as a basis for your setup;
  • You can find the SingleSignOnService and SingleLogoutService URLs in the IAS metadata file;
  • Below, for your reference, are our instance URLs (our IAS example instance is sfbrazil.accounts400.ondemand.com);
    • For "Global Logout Service URL (LogoutRequest destination)":
      • https://sfbrazil.accounts400.ondemand.com/saml2/idp/slo/sfbrazil.accounts400.ondemand.com
    • For "single sign on redirect service location (to be provided by idp)":
      • https://sfbrazil.accounts400.ondemand.com/saml2/idp/sso/sfbrazil.accounts400.ondemand.com

With this configuration, the SAML communication between IAS and SuccessFactors is set up, and users should be able to log in using IAS if the right user data is maintained.
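The mapping from the IAS metadata file to the Provisioning fields listed above can be checked with a short script. This is an added example, not SAP code: the sample metadata is constructed (placeholder certificate bytes, assumed entityID value), the function names are hypothetical, and the file is assumed to have a single EntityDescriptor root.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:"
HOST = "sfbrazil.accounts400.ondemand.com"  # example tenant host from this KBA
# Constructed sample: placeholder bytes instead of a certificate, entityID assumed.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real cert").decode()
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://{HOST}">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {FAKE_CERT}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="{BIND}HTTP-Redirect" Location="https://{HOST}/saml2/idp/slo/{HOST}"/>
  <md:SingleSignOnService Binding="{BIND}HTTP-POST" Location="https://{HOST}/saml2/idp/sso/{HOST}"/>
  <md:SingleSignOnService Binding="{BIND}HTTP-Redirect" Location="https://{HOST}/saml2/idp/sso/{HOST}"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _redirect(idp, tag):
    # Metadata lists one element per binding; return the HTTP-Redirect one (or None).
    for el in idp.findall(f"md:{tag}", NS):
        if el.get("Binding") == BIND + "HTTP-Redirect":
            return el.get("Location")

def provisioning_values(metadata_xml):
    # Only parse metadata downloaded from your own tenant.
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    for kd in idp.findall("md:KeyDescriptor", NS):
        node = kd.find(".//ds:X509Certificate", NS)
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use") in (None, "signing") and node is not None and node.text:
            cert = "".join(node.text.split())  # drop line breaks and indentation
            break
    else:
        raise ValueError("no signing certificate in metadata")
    return {
        "Issuer": root.get("entityID"),
        "Certificate": cert,
        # validate=True rejects a truncated or corrupted base64 body
        "Certificate SHA-256": hashlib.sha256(base64.b64decode(cert, validate=True)).hexdigest(),
        "SSO redirect URL": _redirect(idp, "SingleSignOnService"),
        "Global logout URL": _redirect(idp, "SingleLogoutService"),
    }
```

Comparing the SHA-256 value before and after the certificate is pasted into another system confirms that the signing certificate was not truncated or swapped in transit.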

SAP SuccessFactors user sync to SAP Identity Authentication Service (IAS)

The step that might be missing from your landscape is syncing your SuccessFactors users to IAS. If you want to import users from your SuccessFactors instance, refer to KBA 2813054 to sync users from SuccessFactors to IAS using IPS.

Note: For IDP initiated login from the Corporate IDP please see guide: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/LATEST/en-US/d483a52be22946d5a05951b0fa16221f.html
You will need to input the Guide URL, after customisation to your IAS instance, into the ACS Area of your IDP.

Keywords

 IAS, IAS Tenant, SSO, SSO Integration between IAS Tenant and BizX, Identity Authentication Service , KBA , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , LOD-SF-PLT , Platform Foundational Capabilities , LOD-SF-PLT-SEL , SSO Errors & Logs , LOD-SF-PLT-SAM , SAML SSO First Time Setup , How To

Product

SAP SuccessFactors HXM Suite all versions