Configuring MS ADFS 3.0 as Identity Provider for SuccesFactors
A few days ago I helped some colleagues in order to configure the MS ADFS connection with SuccessFactors cloud service. So I’ve decided to prepare this blog with the steps for ADFS configuration, as well as some advice about the tasks and responsibilities.
The picture below is a basic scenario for MS ADFS integration with SuccessFactors:
Due to the nature of the integration between two or more systems, it’s necessary some explanation about the tasks and responsibilities. The table below is a responsibility matrix, keep in your mind that’s a basic suggestion and the idea is to identify the tasks of each team or person.
Please see the responsibility matrix on my site.
Step 1 – MS ADFS 3.0 Version and Patches
I really recommend you to check on the Microsoft site if there are patches to be applied in your environment.
Step 2 – Metadata and certificates from SAP/SuccessFactors
In order to configure the MS ADFS you need to request some files from SuccessFactors. These files will provide a metadata and certificates to be used in ADFS.
Also you need to send the metatada from ADFS to SuccessFactors. It’s quite simple, just open your browser and use the following URL https://<SERVER>/FederationMetadata/2007-06/FederationMetadata.xml. Do not forget to repalce <SERVER> with your server address. Below you’ll find an example of metadata.xml file.
Export certificates used by ADFS to communicate, sign and encrpyt is not mandatory, but you can save some time doing it. To export them, open your ADFS Management from Server Manager and follow the sequence below:
2.1 In the left side of the ADFS Management has a tree view, click on Service node.
2.2 Go to Certificates, all certificates will appear in the right side of the ADFS Management.
2.3 Perform and right click on the commnication certificate and choose “view certificate”.
2.4 In a new window select the folder “Details” and click on button labeled as “Copy to File…”
2.5 In the certificate export wizard window click on “Next” button.
2.6 Select the option “No, do not export the private key” in order to export only the Public key. Click on “Next” button.
2.7 Select BASE-64 encoded X.509 in order to export the certificate as BASE64. Click on “Next” button.
2.8 Select the path and the file name which will be created.
2.9 Repeat the process for Encryption and Signature certificates, do not forget to give a unique file name for each certificate.
These files will be sent to SAP/SFSF together with the metadata xml file.
Step 3 – Configure MS ADFS
3.1 Open ADFS Management (Start the ADFS Management in the server) and start the wizard to add a Relying Party Trust for SFSF Cloud Service.
3.2 Select option “Import data about the relying party from a file”.
3.3 Add the configuration from Metadata.xml file.
3.4 Specify the display name of the Claim.
3.5 Check the option “Permit all user to access this relying party”.
3.6 Confirm the certificate for Encryption.
3.7 Flag this option in order to configure the Claim Rules.
3.8 Click on the “Add Rule” button to create new rules. Two new rules must be configured in Claim Rules.
3.9 The new rule is related to LDAP attributes; Therefore choose “Send LDAP Attributes as Claims” and click on “Next”.
3.10 Define the rule name as you want, choose Active Directory in the attribute store. In the mapping select SAM-Account-Name for LDAP Attribute and choose Given Name for Outgoing Claim. Click on the “Finish” button.
3.11 Create another rule.
3.12 Choose the option “Transform an Incoming Claim” and click on “Next”.
3.13 Give some name for the rule. Incoming type is “Given Name” and outgoing type is “Name ID”. Outgoing name ID forma must be “Unspecified”. Finish this configuration.
3.14 Close this window clicking on OK button.
It will work only after the SuccessFactors team have configured their environment.
In the same way MS ADFS can be configured to provide identity for SAP NW GATEWAY and SAP PORTAL.
If you want to see the screenshots and more details, please visit my site.