Symptom
SuccessFactors Outbound SSO setups with partner applications need to be switched to the SHA-256 signature algorithm.
Environment
SAP SuccessFactors HXM Core
Benefitfocus
Workforce Software
OpenText
Skillsoft
Cause
Since SuccessFactors will be deprecating SHA-1 support for Outbound SSO in the future, any partner applications still using a SHA-1 based setup with SuccessFactors (as IdP) should be switched to the SHA-256 signature algorithm.
Customer community blog for further updates - SHA-1 Deprecation and Impact on Third Party Applications
Resolution
0. Important
- This KBA is meant to provide general guidance on how the SHA-256 setting for SuccessFactors Outbound SSO can be read/updated, in the context of SuccessFactors SolEx partners (Benefitfocus, WorkForce Software, OpenText, Skillsoft).
- Any queries on how to do the implementation on the respective partner application end will need to be raised to the concerned application support team (not SuccessFactors support):
  - Benefitfocus = XX-PART-BFT
  - WorkForce = XX-PART-WFR
  - OpenText = XX-PART-OPT
  - Skillsoft = XX-PART-SKL
- Identifying the right solution (SolEx: Url Contains):
  - OpenText: opentext.com
  - Benefitfocus: benefitfocus.com
  - Workforce Software: wfs.cloud
  - Skillsoft: percipio.com
- Any queries on how to use SuccessFactors APIs can be raised to the LOD-SF-INT component.
1. Pre-Read
2. Audience relevance for this KBA
SAP SuccessFactors customers/Software Partners who have built SSO integration using SAP SuccessFactors as the identity provider, before 1H2021 release (B2105).
3. Abstract
As a customer, you will not have access to the Partner provisioning screen, where the Assertion Consumer settings must be changed. Hence, SAP SuccessFactors introduced a UI replica of the provisioning screen in SAP SuccessFactors, where the changes can be made. Details can be found here: 3068321 - Outbound SSO migration to SHA-256 (section "Change SuccessFactors (BizX) side").
4. Pre-Requisite
For migrating SHA-1 to SHA-256 certificate via SAP SuccessFactors UI:
As a customer, please ensure that you have access to the “Authorized SP Assertion Consumer Service Settings” UI screen in SAP SuccessFactors.
The page will only be accessible to admin users having the permission Manage System Properties -> Company System and Logo Settings.
Key points about this UI:
- This is only used for migrating SHA-1 to SHA-256, and cannot be used for doing the settings from scratch (only for existing customers; new customers should start with SHA-256 and complete the settings from the provisioning screens with the help of an implementation partner).
- This is read-only for the following fields:
  - Assertion Consumer Service
  - Audience URL
  - SP Mapping Key
  - Prevent Proxy User
  - Use Email Assertion
- Editable fields are:
  - Logout URL
  - Application Name
  - SHA-256 Certificate
- While saving on the UI, you might encounter a pop-up which prevents saving the settings. This is because you have not chosen the application names for all the Assertion Consumer Service settings on the UI. Unless all the entries on the UI have the application name filled, the UI configuration cannot be saved.
5. Recommended Methodology for updating the Signature algorithm from SHA-1 to SHA-2
Key Points:
- SAP SuccessFactors recommends migrating from SHA-1 to a SHA-2 based signature algorithm on or before the end of calendar year 2021.
- SAP SuccessFactors Product team is working closely with the Solution Extension partners (Benefitfocus, WorkForce Software, OpenText, Skillsoft) – all these partners support SHA-2 based signing algorithm.
- Please follow the Customer community blog for further updates - SHA-1 Deprecation and Impact on Third Party Applications.
- For Software Partners/Customers using SAP BTP applications please refer to this blog on Partner Delivery Community - Impact of change from SHA-1 to SHA-256 for Internal Applications.
6. How to obtain the SHA-2 based SAML metadata for the SuccessFactors tenant?
If you are a Partner:
Enter a URL of the following pattern in a web browser’s address bar and press Enter:
- https://<server URL>/idp/samlmetadata?company=<companyID>&cert=sha2
Example: https://pmsalesdemo8.successfactors.com/idp/samlmetadata?company=SFPART049902&cert=sha2
If you are a customer:
You can download the SHA-256 based certificate via the SAP SuccessFactors UI:
- Go to the “Authorized SP Assertion Consumer Service Settings” UI
- Click on “Download SuccessFactors IdP Metadata with SHA-256 Certificate”
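A check the service provider side can run after the switch, as an added example that is not part of this KBA or of SAP's code: it reads the SignatureMethod and DigestMethod declared in a SAML response and reports whether any signature still uses SHA-1. The sample response is constructed and unsigned, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
# W3C XML-DSig algorithm URIs mapped to the hash family they use.
HASH_BY_URI = {RSA_SHA1: "sha1", DIGEST_SHA1: "sha1",
               RSA_SHA256: "sha256", DIGEST_SHA256: "sha256"}

def sample_response(sig_uri, digest_uri):
    """Constructed, unsigned SAML response skeleton (placeholder values only)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_constructed">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{sig_uri}"/>
      <ds:Reference URI="#_constructed">
        <ds:DigestMethod Algorithm="{digest_uri}"/>
      </ds:Reference>
    </ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

def signature_hashes(saml_xml):
    """List the declared signing and digest hash for every ds:Signature.

    Reads the declared algorithms only; it does not verify the signature.
    Use on captured test logins; parse untrusted XML with a hardened parser.
    """
    report = []
    for sig in ET.fromstring(saml_xml).iter(DS + "Signature"):
        info = sig.find(DS + "SignedInfo")
        if info is None:
            continue
        method = info.find(DS + "SignatureMethod")
        sig_uri = method.get("Algorithm", "") if method is not None else ""
        digests = [d.get("Algorithm", "") for d in info.iter(DS + "DigestMethod")]
        report.append({"signature": HASH_BY_URI.get(sig_uri, "unknown"),
                       "digests": [HASH_BY_URI.get(u, "unknown") for u in digests]})
    return report

def migrated_to_sha256(saml_xml):
    """True only if a signature is present and every declared hash is SHA-256."""
    report = signature_hashes(saml_xml)
    return bool(report) and all(
        r["signature"] == "sha256" and set(r["digests"]) == {"sha256"}
        for r in report)
```

A response that declares an RSA-SHA256 signature but still carries a SHA-1 digest is reported as not migrated, which is the mixed state worth catching during a test login.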
7. Specifics on SAP SuccessFactors Solution Extension Partners
The following describes specific alignment with SAP SuccessFactors Solution Extension partners:
7.1 Benefitfocus
Benefitfocus supports the SHA-2 based signature algorithm.
SHA-2 based SAML metadata has already been shared with the Benefitfocus product team and is available on production servers in the partner software. Hence, you as a customer need not download the SHA-2 based SAML metadata and share it with the Benefitfocus team.
Please follow the procedure below to make the changes on the SAP SuccessFactors side and migrate from SHA-1 to SHA-2.
7.1.1 As a customer using Benefitfocus software what should I do?
Migration from the SHA-1 certificate to SHA-256 on the SAP SuccessFactors side can be done by selecting a checkbox as shown in the UI below. Ensure that you enter the application name as “Benefitfocus”.
Note: No configuration changes are needed in the Benefitfocus tenant.
7.2 WorkForce Software
The following diagram depicts the process to be followed when migrating from SHA-1 to SHA-2. This is a jointly coordinated effort between the SuccessFactors Customer team (Internal IT to customer/Implementation partner for SAP SuccessFactors) and WorkForce Software Product Support.
7.2.1 What should mutual customers do?
Migration from the SHA-1 certificate to SHA-256 on the SAP SuccessFactors side can be done by selecting a checkbox as shown in the UI below. Ensure that you enter the application name as “Workforce Software”.
After enabling the SHA-2 based certificate, please raise a customer support ticket via the SAP ticket system as suggested below to complete the migration process.
7.2.2 Reporting the case to WorkForce product support
- Download SHA-2 based SAML metadata from SAP SuccessFactors instance which is connected to WorkForce Software tenant (Please check the above instructions on how to download the SAML metadata with SHA2 based certificate).
- Please raise a case to the component XX-PART-WFR-SRV along with the downloaded metadata and the Workforce Product Support team will be responsible to perform WorkForce’s tasks in the Central Authentication Service for your WFS tenant.
Note: WorkForce Product Support is not responsible for testing the connection between SAP SuccessFactors and your WFS tenant. For additional background information on what steps will be performed, please refer to the following URL: https://workforcesoftware.my.site.com/customers/s/article/Successfactors-SAP-SHA-256-certificate-SSO (Workforce Community login required).
7.3 OpenText
7.3.1 What should customers using OpenText do?
OpenText customers can use self-service to make all necessary changes as outlined below:
Customers with SAP SuccessFactors Extended ECM by OpenText:
Please refer to chapter 2.2.5: Upgrade information: migrating existing authhandler to SHA-256, in OpenText Extended ECM for SAP SuccessFactors Cloud Edition: Business Administration Guide.
Customers with SAP SuccessFactors Document Management Core by OpenText:
Please refer to chapter 3.2 – Enabling SAML for SSO with SAP SuccessFactors as IdP, in OpenText Core for SAP SuccessFactors: Customizing Guide.
Section 6 described the way to download the SHA-256 certificate. While the process is the same for any SAP SuccessFactors tenant, it’s important to know which of the said tenants is involved in OpenText integrations.
Migration from the SHA-1 certificate to SHA-256 on the SAP SuccessFactors side can be done by selecting a checkbox as shown in the UI below. Ensure that you enter the application name as “OpenText”.
In case you encounter any issues after enabling the SHA-2 based certificate, please raise a customer support ticket in SAP's ticketing system as suggested below:
7.3.2 Reporting the case to OpenText product support
- Download SHA-2 based SAML metadata from SAP SuccessFactors instance which is connected to OpenText’s OTDS server.
- Raise a case against one of the following components. The OpenText support and implementation teams will implement your changes.
- XX-PART-OPT-ECM-CLD --> for cloud edition SAP SuccessFactors Extended ECM by OpenText
- XX-PART-OPT-ECM --> for on-prem edition SAP SuccessFactors Extended ECM by OpenText
- XX-PART-OPT-ECM-DSF --> for SAP SuccessFactors Document Management Core by OpenText
Note: OpenText Product Support is not responsible for testing the connection between SAP SuccessFactors and your OpenText OTDS tenant.
7.4 Skillsoft
7.4.1 What should customers using Skillsoft do?
Section 6 described the way to download the SHA-256 certificate. While the process is the same for any SAP SuccessFactors tenant, it’s important to know which of the said tenants is involved in Skillsoft integrations.
Migration from the SHA-1 certificate to SHA-256 on the SAP SuccessFactors side can be done by selecting a checkbox as shown in the UI below. Ensure that you enter the application name as “Skillsoft”.
7.4.2 Reporting the case to Skillsoft product support
- Download SHA-2 based SAML metadata from SAP SuccessFactors instance which is connected to Skillsoft.
- Raise a case against the component XX-PART-SKL. The Skillsoft support and implementation teams will implement your changes.
Note: Skillsoft Product Support is not responsible for testing the connection between SAP SuccessFactors and Skillsoft.
See Also
Keywords
SHA-256,Outbound SSO,Solex,BenefitFocus,Skillsoft,Opentext,Workforce , KBA , LOD-SF-PLT-OBD , Outbound SSO , LOD-SF-EC , Employee Central , LOD-SF-INT , Integrations , How To