Skip to Content

 

The integration between Google Cloud Identity not only enables easier account management for users and administrators of SAP SuccessFactors but Google and SAP aim to complete automate user lifecycle management. With this integration, employees can automatically be provisioned on the right systems from the time of hire until such time as the employee departs the organization when de-provisioning from all systems will automatically occur. This reduces the workload, simplifies processes and ensures correct access control throughout the lifecycle of an employee.

In the following tutorial, you learn how to integrate and use Google Cloud Identity as the primary Identity Provider for SAP SuccessFactors.

Prerequisites

To configure Google Cloud Identity as an identity provider for SuccessFactors, you need the following:

  1. SAP SuccessFactors subscription
  2. Google Cloud Identity subscription
  3. SAP Cloud Platform Identity Authentication service subscription – such a subscription is provided free of charge for user authentication to SuccessFactors including the use of Google Cloud Identity as primary/corporate identity provider. Existing SuccessFactors customers may obtain a subscription via a ticket to SuccessFactors.
  4. SAP Cloud Platform Identity Provisioning service subscription – a limited subscription is provided free of charge for user provisioning only from SuccessFactors to Identity Authentication service. However, for user provisioning to Google Cloud Identity, a customer shall upgrade this subscription by purchasing SAP Cloud Platform Identity Provisioning in addition. If such a subscription is not obtained, customers might still use authentication and provision user accounts in a different way.

After completing this tutorial:

  • user accounts will be automatically provisioned in Google Cloud Identity for new employees, registered in SAP SuccessFactors Employee Central
  • users will be able to login via Google Cloud Identity in SAP SuccessFactors (as well as any other application that is connected)
  • user accounts will be automatically de-provisioned once the employee contract is terminated

To test the steps in this tutorial, you should follow these recommendations:

  • Use the test instances of all services – you can request a test SAP CP Identity Authentication tenant, based on your SuccessFactors test tenant
  • If you don’t have a full subscription to SAP CP Identity Provisioning, you can request a trial one via SAP Cloud Platform trial. As the trial is limited to user provisioning to just one target system, you can use the trial for provisioning to Google Cloud Identity and the test one you get from SuccessFactors for provisioning to SAP CP Identity Authentication

Configure Single Sign-On

SAP Cloud Platform Identity Authentication service is the recommended identity provider for SAP SuccessFactors. It can proxy authentication requests to another identity provider such as Google Cloud Identity, so that you use Google Cloud Identity as a primary identity provider, but SAP CP Identity Authentication mediates the authentication flow and can federate between the userID sent by Google Cloud Identity (such as the email address) and the login name that is expected by SuccessFactors. In addition, it is used to enable cross-SAP services scenarios such as SuccessFactors and SAP S/4HANA Cloud.

When requesting SAP CP Identity Authentication for SuccessFactors, SAP sets up automatically the trust between SAP CP Identity Authentication and SuccessFactos. To configure Google Cloud Identity as primary identity provider, you need to setup a mutual trust between Google Cloud Identity and SAP CP Identity Authentication:

Configure Google Cloud Identity to trust SAP CP Identity Authentication

  1. In Google Admin console go to Apps -> SAML apps and press the Add (+) buttonSearch for SAP and select SAP Cloud Platform Identity Authentication:
  2. In the wizard, chose option 2 and download the IDP metadata:
  3. On the last step of the wizard, replace {your-domain} with the Identity Authentication tenant name and check Signed Response. Note that ACS URL contains {your-domain} twice:
  4. After completing the wizard, turn on the application for everyone

Configure SAP CP Identity Authentication to trust Google Cloud Identity

  1. Switch to SAP CP Identity Authentication Administration Console and go to Identity Providers -> Corporate Identity Providers. Click the Add button and enter any name.
  2. Click on SAML 2.0 Configuration and press Browse. Select the IdP metadata that was downloaded in a previous step:
  3. As Google Cloud Identity does not support Single Logout yet, scroll down to Single Logout Endpoint, press Add URL, chose binding HTTP-Redirect and enter any URL users shall see when they attempt to logout from SuccessFactors to remind them to logout also from Google Cloud Identity, e.g. https://apps.google.com/user/hub.
  4. Save and turn on Identity Federation. This is required as SuccessFactors expects a login name and not an email address as sent by Google Cloud Identity. Prerequisite for federation  is to have the users provisioned from SuccessFactors to Identity Authentication. To do so, in the free-of-charge SAP CP Identity Provisioning that is provided with SuccessFactors, activate the default identity provisioning, if not done already.  
  5. Navigate to Applications -> SAP SuccessFactors application entry and choose Conditional Authentication. Select Google Cloud Identity either as the default identity provider or configure appropriate authentication rules if only a subset of the users would login with Google Cloud Identity:

 

Configure Identity Provisioning

To configure Identity Provisioning from SuccessFactors to Google Cloud Identity you need to upgrade SAP CP Identity Provisioning that you get with SuccessFactors to a full subscription.

SAP CP Identity Provisioning uses a service account to (de-)provision users in Google Cloud Identity. Thus a service account needs to be created first and afterwards Google Cloud Identity shall be registered as a target system in SAP CP Identity Provisioning

Create a Service Account in Google

  1. Navigate to Google Developers Console. Select or create a new project and click ENABLE APIS AND SERVICES
  2. Search for Admin SDK and enable it
  3. Navigate to Credentials, click Create credentials and choose Service account key
  4. Enter a name, leave JSON as Key type and click on Create. If asked, create it without a role. 
  5. As a result you would get a JSON file downloaded with the private key of the service account. Thus, keep it on a safe place and even destroy it once the configuration is over.
  6. Click on Manage Service Accounts and edit the service account just created. Turn on Enable G Suite Domain-wide Delegation
  7. Navigate to Google Admin Console and go to Security -> Advanced settings -> Manage API Client Access
  8. As client name enter the value of client_id from the JSON file you downloaded previously
  9. For scopes enter https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group and click Authoriza. Make sure there are no spaces between the different scopes or enter them one by one (if there is a space, Google rejects the call although scopes show correctly as assigned)

Configure Google Cloud Identity as Target System for Identity Provisioning

  1. Navigate to SAP CP Identity Provisioning administration console and click Target Systems
  2. Click on Add, choose Google G Suite as type and enter a name
  3. Select SuccessFactors as a Source System and Save
  4. Go to Properties and enter all properties as defined in the SAP CP identity Provisioning documentation. The appropriate values can be obtained from the downloaded JSON file when the service account was created.
  5. Go to SuccessFactors source system and trigger the provisioning job. The job shall create users successfully in Google Cloud Identity.

Login to SuccessFactors with Google Cloud Identity

  1. Open SuccessFactors with a link like https://<successfactors_datacenter>/login?company=<COMPANY_ID>
  2. That would redirect you to Google Cloud Identity for login. Sign-in with your Google Account
  3. As a result you should enter successfully in SuccessFactors

 

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply