2674588 - [SSO] Manage SAML SSO Settings feature

• Overview of the functionality contained within Manage SAML SSO Settings page when browsing SuccessFactors. How to use it? What are the pre-requisites?
• Why Manage SAML SSO settings page is disabled?  
• User has all permissions, but "Manage SAML SSO Settings" page is still disabled, why?
• Customer's IAS system user has a certificate based authentication, where to find this certificate?
• When accessing Manage SAML SSO Settings page, the error "Failed to load asserting party list" appears. 
• When accessing Manage SAML SSO Settings page, the error "Failed to set Trust All Identity Providers" appears. 

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

SAP SuccessFactors HCM Suite

SAP Cloud Identity Services – Identity Authentication IAS

📌 Manage SAML SSO Settings

This feature is meant to be used on IAS enabled tenants as an alternative to have to do updates via the IAS Admin console. This also allows the customer to setup redirecting URLs that previously were only available in Provisioning. For customers that do not have IAS enabled, this feature will not be functional and users might see the error "Failed to load asserting party list" when accessing it.

1️⃣ - Pre-requisites

To have access to this feature the user must have "Manage Security" -> "Manage SAML SSO Settings" permission. To provide the permission follow the steps below:

1. Navigate to Admin Center > Manage Permission Roles.
2. Select the role you wish to modify.
3. Click Edit in the upper-right corner.
4. Click Next in the bottom-right corner to access the Add Permissions section.
5. Search Manage Security, and enable the Manage SAML SSO Settings permission.
6. Click Save to apply your changes. 
7. To see changes applied, users might logout and login again.

2️⃣ - How to use the feature

• This area does not add Asserting Parties to the SSO setup in Provisioning.
• In ‘Manage SAML SSO Settings’, customers can add Corporate IDP Setups to the IAS Tenant. [Reference: KBA  2674264 ]
• This Corporate IDP configuration can also be done from Customer's IAS Tenant. Through the 'Manage SAML SSO Settings', users can download the Identity Authentication Service SAML Metadata to register the IAS as service provider for their IDP.
• As seen in the screenshot, if there is a Corporate IDP already setup in IAS with type “SAML 2.0 compliant” or “Microsoft ADFS/Azure AD”, it will be populated in this area. [Reference: KBA 3492922 ]
• The use of case-insensitive usernames with Identity Authentication, SAP SuccessFactors tenant usernames now remain case-insensitive even when Single Sign-On (SSO) is disabled. This setting could be disabled from within the 'Manage SAML SSO Settings' screen or by disabling SSO in the Identity Authentication administration console. [Reference: KBA 2214831 ]

3️⃣ - In case of facing issues accessing Manage SAML SSO Settings

• While the functionality is now “clickable”, users are still facing an error  "Failed to load asserting party list. Unauthorized to access Identity Authentication service" (screenshot below)

• To fix this, a certificate has to be imported into a System Admin User in the IAS Tenant.
• The certificate can be applied to any existing System Admin user or by creating a new one (from screenshot below, SF Admin Center is just an example System Admin user in IAS Tenant Demo)
• The certificate can be found in the attachment section. In case the attached certificate is expired, open a case under LOD-SF-PLT-IAS and Support Team will provided a valid certificate (For SAP Support team, please check Internal Memo)

4️⃣ - Uploading a Certificate into IAS Tenant System User (Only needed for users facing issues accessing Manage SAML SSO Settings)

• Navigate to Users & Authorizations > Administrators > choose a System Admin user > Certificate

• Once the certificate has been uploaded, all functionalities within ‘Manage SAML SSO Settings’ are fully operational.

⚠️ Please note that for Customers that SSO setup does not include an IAS Tenant, this feature cannot be used and this area will be grayed out; To have access to this feature, customers have to have IAS implemented as referred on KBA 2791410;

• Help Guide - Enforcement of Case-Insensitive Usernames with SAP SuccessFactors and Identity Authentication
• Help Guide - Configure Your Corporate Identity Provider
• KBA - 3492922 - Unable to see Corporate identity Provider (IdP) in SuccessFactors Manage SAML SSO Settings page

Manage, SAML, SSO, IAS, Tenant, Corporate, IDP, configuration, SuccessFactors, sf, sfsf , sf sf, SuccessFactors, SuccessFactor, Success Factor, bizx, SF-IAS, IAS system user certificate, IAS corporate Identity Provider, case-insensitive username SuccessFactors, error, "Failed to load asserting party list", "SAML 2.0 Single Sign On", RBP, Manage SAML SSO Settings, Manage Security, import certificate into IAS System Admin, "Unauthorized to access Identity Authentication service" , KBA , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , LOD-SF-PLT , Platform Foundational Capabilities , LOD-SF-PLT-SEL , SSO Errors & Logs , How To