Symptom
- Unsure of the functionality contained within Manage SAML SSO Settings page when browsing SuccessFactors. How to use it? What are the pre-requisites?
- Why is the Manage SAML SSO Settings page disabled?
- I have all the permissions but the Manage SAML SSO Settings page is still disabled. Why?
- My IAS system user uses certificate-based authentication. Where can I find this certificate?
- When accessing Manage SAML SSO Settings page, the error "Failed to load asserting party list" appears.
- I see the error "Failed to set Trust All Identity Providers" when accessing Manage SAML SSO Settings page.
Environment
SAP SuccessFactors HCM Suite
SAP Cloud Identity Services – Identity Authentication IAS
Resolution
📌 Manage SAML SSO Settings
This feature is meant to be used on IAS-enabled tenants as an alternative to making updates via the IAS Admin console. It also allows the customer to set up redirect URLs that were previously only available in Provisioning. If you don't have IAS enabled, this feature won't be functional and you might see the error "Failed to load asserting party list" when accessing it.
1️⃣ - Pre-requisites
To have access to this feature, the user must have the "Manage Security" -> "Manage SAML SSO Settings" permission. To grant the permission, follow the steps below:
- Go to "Admin Center" -> "Manage Permission Roles";
- Select the role to which you want to grant permission;
- On section "Permission Settings", click "Permissions...";
- Go to section "Manage Security" and select the "Manage SAML SSO Settings" permission;
- Save your changes.
2️⃣ - How to use the feature
- This area does not add Asserting Parties to the SSO setup in Provisioning.
- In ‘Manage SAML SSO Settings’, we are adding Corporate IDP Setups to the IAS Tenant. [Reference: KBA 2674264]
- This configuration of the Corporate IDP can also be done from your IAS Tenant. Through Manage SAML SSO Settings, the user can download the Identity Authentication Service SAML Metadata to register the IAS as service provider for your IDP.
- As seen in the screenshot, if there is a Corporate IDP already set up in IAS with type “SAML 2.0 compliant” or “Microsoft ADFS/Azure AD”, then it will now populate in the area. [Reference: KBA 3492922]
- When case-insensitive usernames are used with Identity Authentication, SAP SuccessFactors tenant usernames now remain case-insensitive even when Single Sign-On (SSO) is disabled. This setting could be disabled from within the Manage SAML SSO Settings screen or by disabling SSO in the Identity Authentication administration console. [Reference: KBA 2214831]
3️⃣ - If you face issues accessing Manage SAML SSO Settings
- While the functionality is now “clickable”, you are still seeing a permission error (screenshot below) when ‘Adding an Asserting Party’ or enabling the other features, which we need to resolve.
- To fix this, we need to import a certificate into a System Admin User in the IAS Tenant.
- The certificate can be applied to any System User; it does not have to be named SF Admin Center as in the screenshot below (SF Admin Center is just an example System User in the IAS Tenant Demo).
- Creating a new System User in your IAS Tenant and importing the certificate (attached) to it ✅
- These certificates must be retrieved by Support. They have access to Confluence (for SAP Support, please see the Internal Memo with the link to Confluence).
4️⃣ - Upload Certificate to IAS Tenant System User (Only needed if you face issues accessing Manage SAML SSO Settings)
- Navigate to Users & Authorizations > Administrators > SF Admin Center > Certificate.
- Once the certificate has been uploaded, all functionality within ‘Manage SAML SSO Settings’ is fully operational.
- You can find the certificate in the attachment section.
⚠️ Please note that if your SSO setup does not include an IAS Tenant, you cannot use this feature, and this area will be greyed out. To have access to this feature, you need to have IAS implemented as described in KBA 2791410.
Attachments
ias_prod_cert_2024.cer