SAP Knowledge Base Article - Public

2707993 - [SSO] Metadata file for SSO | How to generate it for either SF x IDP and Outbound SSO scenarios

Symptom

  • How to generate the metadata file to integrate SuccessFactors and a Identity Provider;
  • How to generate the metadata file to implement SSO for SuccessFactors;
  • How to generate the metadata file for Outbound SSO;
  • How to generate metadata file for SSO;
  • Is there any difference in the metadata file for different SSO implementation scenarios?
  • The metadata file I've generated is failing during the SSO implementation process.

Environment

SAP SuccessFactors HXM Suite 2311

Resolution

Starting 2H 2023 release, There are two different structures of metadata file for SSO implementation purposes. Each will depend on your use case scenario. 

⚠️ if you are still running an earlier release, both scenarios are still not available for you.

 

# Scenario 1: SSO between BizX SuccessFactors (as the Service Provider) and a Identity Provider (most common);

This is the most common implementation scenario, and  metadata file generation pattern as below:

As per the release enhancement in H2 2023  which will let customers get the SF metadata XML via API call-> Public API to Retrieve Customer SSO Service Provider Metadata | SAP Help Portal

  1. Put the below URL in the browser (without browsing yet):
    • https://SFTenantAccessURL/saml2/spmetadata?company=<company_id>
  2. Replace either the highlighted tokens by the instance's server URL and Company ID;
    • Example: https://performancemanager5.successfactors.eu/saml2/spmetadata?company=<company_id>
  3. Once the URL is ready, just press enter;
  4. The metadata file will be automatically generated.

⚠️ This is a public API, so no user authentication is needed

⚠️ This API will  generate the metadata with the Common Super Domain, once the tenant is migrated to the new domains

⚠️ Please do NOT use Firefox browser to generate the metadata file currently. Firefox browser has a defect that it does not display "xmlns" attributes in the metadata xml, which will cause the xml to be broken and will not be read correctly by IDP.

 

# Scenario 2: SSO between BizX SuccessFactors (as the Identity Provider) and a third-party system (less common);

This is the most uncommon scenario — and the second and last possible one.

For this, you have the possibility to automatically generate the metadata file. Please follow the below steps:

  1. Put the below URL in the browser (without browsing yet):
    • https://[datacenter URL]/idp/samlmetadata?company=[sf_company_instance];
  2. Replace either the highlighted tokens by the instance's server URL and Company ID;
    • Example: https://hcm8preview.sapsf.com/idp/samlmetadata?company=companyID;
  3. Once the URL is ready, just press enter;
  4. The metadata file will be automatically generated.

⚠️ KBA 2441407 brings further guidance on how to proceed on this scenario when an implementation request arrives.

See Also

  • 2441407 - Outbound SSO to 3rd party guide and support scope - BizX Platform;
  • 2912495 - Outbound SSO - Qualtrics

Keywords

Metadata File, metadata, metadata for SSO, sso metadata, Outbound SSO, outbound metadata, IDP, SP, identity provider, service provider, sf, sfsf , sf sf, SuccessFactors, SuccessFactor, Success Factor, bizx, SAP SuccessFactors HXM Suite 2311 , KBA , LOD-SF-PLT , Platform Foundational Capabilities , LOD-SF-PLT-SAM , SAML SSO First Time Setup , LOD-SF-PLT-SEL , SSO Errors & Logs , How To

Product

SAP SuccessFactors HCM all versions