Configure SAP SuccessFactors HCM Suite SSO to use SAP Cloud Platform Identity Authentication
SAP SuccessFactors Administrators
This document describes the steps necessary to establish the integration between SAP Cloud Platform Identity Authentication, formerly known as SAP Cloud Identity service, and SAP SuccessFactors HCM Suite. We use one application in the SAP SuccessFactors HCM Suite, the learning management system (LMS), as an example application here.
In this integration Identity Authentication service can act either as an authenticating authority for the users that access the LMS application, or as a proxy for the authentication of the users that access the LMS application via a corporate identity provider.
The scope of this document is the steps performed on the SuccessFactors HCM Suite side. The steps performed on the Identity Authentication service side are described in the documentation of Identity Authentication service and linked here.
The configuration of SAP SuccessFactors HCM Suite for this integration is one and the same, no matter whether Identity Authentication service acts as an authenticating authority, or as a proxy. The configurations in Identity Authentication service, on the other hand, depend on the specific scenario, and that’s why they are described separately for each scenario.
- You have an SAP SuccessFactors LMS application integrated with SAP SuccessFactors HCM Suite.
- You have a tenant of Identity Authentication service.
- You have the Identity Authentication service SAML 2.0 metadata file provided by the tenant administrator.
The trust configurations on the SAP SuccessFactors HCM Suite side are done in the Provisioning tool of SAP SuccessFactors. If you do not have access to the Provisioning tool, ask your SAP SuccessFactors contact person to make the necessary settings.
Only the fields necessary for the configuration of Identity Authentication service as a trusted SAP SuccessFactors HCM Suite identity provider (IdP) are described here. The configurations of the other fields are not needed for this integration.
1. Open the SAP SuccessFactors Provisioning tool and select your company.
2. Choose Single Sign-On (SSO) Settings.
3. Configure SAML based SSO.
3.1 Select SAML v2 SSO. The SAML Asserting Parties(IdP) section is displayed.
3.2 From the dropdown, choose the Add a SAML Asserting Party option to add Identity Authentication service as a trusted IdP for the first time. Then enter the SAML Asserting Party Name. It should be a unique identifier.
Note: To save any subsequent changes in the configuration of this SAML section, choose the “Update the asserting party” button.
3.3 Fill in the following information for the trusted IdP:
- SAML Issuer: Specify Identity Provider name (entity ID). Take the Identity Authentication service SAML metadata file provided by the tenant administrator and extract the SAML issuer name. It is contained in the element entityID in the xml file.
- Require Assertion Signature: Choose the option that makes a signature on the assertion mandatory.
- Enable SAML Flag: Choose Enabled.
- Log in Request Signature(SF Generated/SP/RP): Choose No.
- SAML Profile: Choose Browser/Post Profile.
- SAML Verifying Certificate: Put here the Identity Authentication service IdP signing certificate.
Note: This should be done in the following way. First, extract the certificate from the metadata file you have received from the tenant administrator of Identity Authentication service. The certificate is contained in the following element in the xml file: IDPSSODescriptor -> KeyDescriptor -> KeyInfo -> X509Data -> X509Certificate.
After that, add the following to the certificate:
Above the copied text: -----BEGIN CERTIFICATE-----
Below the copied text: -----END CERTIFICATE-----
3.4 Configure SAML Redirects Section.
The SAML Redirects configurations allow you to specify what page the user sees if certain actions occur. The configuration of these fields is optional, but it is recommended to make them.
For example, when a user logs out of the LMS application, the first line “URL when logout” will take him or her to the URL that has been entered in the field.
For the integration with Identity Authentication service IdP you may wish to configure the logout URL to point to a link that is specific for the authenticating IdP.
If Identity Authentication service IdP is the authenticating IdP, then you could configure this field to point to the SSO endpoint of the IdP. Thus, after a successful logout, SAP SuccessFactors HCM Suite will redirect the user to the SSO endpoint of Identity Authentication service, and Identity Authentication service will display the login page to the user.
Take the Identity Authentication service SAML metadata file provided by the tenant administrator and extract the SSO endpoint. It is contained in the element SingleSignOnService in the xml file.
3.5 SAML v2 : SP-initiated logout section
Support SP-initiated Global Logout: Choose Yes.
SP-sign LogoutRequest: Choose Yes.
Global Logout Service URL (LogoutRequest destination): Take the Identity Authentication service SAML metadata file provided by the tenant administrator and extract the Single Logout Service URL. It is contained in the element SingleLogoutService in the xml file.
3.6 SAML v2: NameID Setting section:
Require sp must encrypt all NameID elements: Choose No
NameID Format: Choose unspecified
3.7 SAML v2 : SP-initiated login section
Enable sp initiated login (AuthnRequest): Choose Yes or No depending on your scenario.
Default issuer: Select the checkbox.
single sign on redirect service location (to be by idp): Paste the SSO endpoint from the metadata that you have received from Identity Authentication service. It is contained in the element SingleSignOnService in the xml file.
Send request as Company-Wide issuer: Choose Yes. Thus, during logout SAP SuccessFactors HCM Suite will send the correct entity ID as issuer in the logout request to the IDP.
This isn’t part of SAML and is saved separately with the SAVE button. If you set it and then hit Add or Update in the SAML section it won’t be saved.
After doing all the configurations from step 4, you should press the “Add an asserting party” button in order to save your changes.
The SAML asserting party you have added is available in the dropdown list at the beginning of the SAML Asserting Parties(IdP) section.
4. Partial Organization SSO: The configuration of this section is optional. Choose the Save button to save your changes.
5. Configure Single Sign On Features general settings.
5.1 Under Single Sign On Features enter a user-defined token in the Reset Token field, for example, 123.
Note: For SAML 2, you can type anything in the token. The Reset Token feature is just used as the ON or OFF switch. If any value is saved, the SAML SSO is switched on. If a blank value is saved, the SAML SSO is switched off.
5.2 Choose Save Token.
If you want to update some of the fields later, you can choose the name of the IdP from the dropdown. After making the changes, choose the “Update the asserting party” button in order to save your changes.
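The metadata lookups from steps 3.3 to 3.7, collected in one place as an added example (not part of the original document or of any SAP tooling). The function names, the sample metadata, its host name, endpoint paths and certificate bytes are all constructed placeholders.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample: tenant host, paths and certificate bytes are placeholders.
SAMPLE_DER = b"constructed placeholder, not a real certificate. " * 3
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://tenant.example.invalid">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {base64.b64encode(SAMPLE_DER).decode()}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="{BIND}HTTP-Redirect"
      Location="https://tenant.example.invalid/saml2/idp/slo"/>
  <md:SingleSignOnService Binding="{BIND}HTTP-POST"
      Location="https://tenant.example.invalid/saml2/idp/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def endpoints(idp, element):
    """Map binding short name -> Location for one endpoint element type."""
    return {n.get("Binding").rsplit(":", 1)[-1]: n.get("Location")
            for n in idp.findall(f"md:{element}", NS)}


def provisioning_values(metadata_xml):
    """Collect the values that steps 3.3 to 3.7 copy out of the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    # Use the signing key; a KeyDescriptor without "use" serves both purposes.
    keys = [k for k in idp.findall("md:KeyDescriptor", NS)
            if k.get("use") in (None, "signing")]
    b64 = "".join(keys[0].find(".//ds:X509Certificate", NS).text.split())
    base64.b64decode(b64, validate=True)  # reject truncated or damaged copies
    # PEM markers need plain ASCII hyphens; typographic hyphens break parsing.
    pem = "\n".join(["-----BEGIN CERTIFICATE-----",
                     *textwrap.wrap(b64, 64),
                     "-----END CERTIFICATE-----"])
    return {
        "saml_issuer": root.get("entityID"),                 # step 3.3
        "verifying_certificate": pem,                        # step 3.3
        "sso_urls": endpoints(idp, "SingleSignOnService"),   # steps 3.4, 3.7
        "slo_urls": endpoints(idp, "SingleLogoutService"),   # step 3.5
    }
```

Compare the extracted certificate with the one the tenant administrator confirms before pasting it into the SAML Verifying Certificate field.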
You can use the following tools for troubleshooting:
SSO Log Viewer
SSO Debug Tool.
Links to these tools are available in the Provisioning Tool, at the end of the Single Sign-On (SSO) Settings page.
Choose the scenario relevant for you.
1. Identity Authentication service acting as authenticating authority for the users that access the LMS applications
In this scenario, Identity Authentication service is in the role of an identity provider for the LMS applications. You should configure trust with SAP SuccessFactors HCM Suite, which acts as a service provider for the LMS applications. For more information, see Configure a Trusted Service Provider.
2. SAP SuccessFactors HCM Suite uses Identity Authentication service as a proxy to a corporate IdP which actually authenticates the users
You can read more about this scenario in Configure IdP-Initiated SSO with Corporate Identity Providers.
The steps that need to be done are: