Manual Steps to Enable SSO between SF and IAS tenant
There are blogs and SAP Notes on how to enable IAS authentication for a SuccessFactors (SF) tenant using the Upgrade Center under SF -> Admin Center.
To enable SSO through the Upgrade Center, your SF tenant must be a productive one and the IAS tenant must be in the same region as the SF tenant. In most cases SAP sets up the required configuration in both the SF and the IAS tenant while provisioning them.
But if your SF tenant is a DEMO one (you can create a demo SF tenant for practice using your S-id), you have to perform the trust configuration between the two systems manually to enable SSO between SF and IAS.
This blog gives the manual steps for enabling SSO between IAS and SF. For the SF side I used my DEMO SF tenant; the IAS tenant is a DEV (non-productive) IAS tenant.
Note: My IAS tenant is not in the region where the SF tenant resides, and the SF tenant is a DEMO one, which SF offers for any S-id. The IAS tenant I used is a non-prod IAS tenant (Europe, Rot), and the SF tenant is a DEMO SF tenant from DC8: https://pmsalesdemo8.successfactors.com/login?company=#########
Prerequisites: You have an SF tenant, an SF provisioning account and an IAS tenant. Your SF company should already be configured in your provisioning account.
TECHNICAL STEPS FOR CONFIGURATION
STEP 1: Initial configuration inside the SF tenant (grant a role the permission to manage SAML SSO settings)
Follow SAP Note 2569087 for the initial configuration inside the SF tenant. Screenshots are given below.
Go to Admin Center -> Manage Permission Roles -> select a role (I selected Sandbox-Employee Self Service).
Select the role and click the 'Permission' button as shown below.
Go to the Administrator Permissions section -> click 'Manage Security' as shown below.
Check the 'Manage SAML SSO Settings' checkbox and click Done.
STEP 2: Download the metadata file from the IAS tenant and register IAS as an asserting party in SF provisioning
Go to the IAS admin console -> Applications & Resources -> Tenant Settings -> click 'SAML 2.0 Configuration' -> click 'Download Metadata File'.
Keep the metadata file open in Notepad/Notepad++. The values you need below are its entityID attribute, the X509Certificate element and the Location attributes of the SingleSignOnService and SingleLogoutService elements.
Log in to the SF provisioning account. Make sure you can see your company name in the list, then select it.
Inside the company, click 'Single Sign-On (SSO) Settings' under Edit Company Settings.
Go to the section 'For SAML based SSO' -> choose the radio button 'SAML v2 SSO' -> under 'SAML Asserting Parties (IdP)', choose 'Add a SAML Asserting Party'.
Provide the parameters as below:
SAML Asserting Party Name: Provide a name (without blank spaces; you can use '_' if needed)
SAML Issuer: Copy the entityID value from the IAS metadata file and paste it here (SF compares it with the Issuer of every assertion, so it must match exactly)
Require mandatory signature: select 'Assertion' (SF then rejects assertions from this IdP that are not signed)
Enable SAML Flag: select 'Enabled'
Login Request Signature: select 'No' (SF sends its SP-initiated authentication requests unsigned)
SAML Profile: select 'Browser/Post Profile'
Enforce Certificate Valid Period: select 'No' (SF then does not check the validity period of the IAS signing certificate; acceptable for a demo, but in a productive tenant keep the check enabled and rotate the certificate before it expires)
SAML Verifying Certificate: This one is a little tricky. Type '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' on two lines (the '-' symbol appears 5 times in each place). Copy the X509Certificate value from the IAS metadata file and paste it between the two lines (in the IAS metadata file, copy the value marked with the red check sign below). If the metadata contains more than one X509Certificate element, use the one under the KeyDescriptor with use="signing".
Go to the section 'SAML v2: SP-initiated logout' and make the changes shown below.
For the Logout Service URL, copy the Location of the 'SingleLogoutService' element from the IAS metadata file.
For the Single Sign On Redirect URL, copy the Location of the 'SingleSignOnService' element from the IAS metadata file.
Click the 'Add an asserting party' button. You should now see the newly added SAML asserting party; select it from the dropdown and click 'Save' at the top right of the screen.
Scroll to the top of the same page. Put any number in the 'Reset Token' field under the Single Sign-On Features section (this is what enables SSO for the tenant; clearing the field turns SSO off again). Click 'Save Token'.
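To avoid hand-copying the values into the asserting-party form, here is an added example (my own script, not part of the original blog and not an SAP tool) that parses an IAS IdP metadata file with the Python standard library and returns the four provisioning values, building the PEM block for the 'SAML Verifying Certificate' field with the BEGIN/END lines and 64-column wrapping. The metadata embedded in it is constructed: the host example-tenant.accounts.ondemand.com, the endpoint paths and the certificate bytes are placeholders, and taking the HTTP-Redirect binding for the SSO URL is an assumption you can override with the `binding` argument.

```python
"""Extract the STEP 2 provisioning values from an IAS IdP metadata file.

Added example, not from the blog or from SAP. The metadata below is
constructed: host, paths and certificate bytes are placeholders."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like a downloaded IAS tenant metadata file.
FAKE_CERT_DER = b"\x30\x82" + bytes(range(256)) * 2   # not a real certificate
IDP_HOST = "example-tenant.accounts.ondemand.com"      # placeholder tenant host
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://{IDP_HOST}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(FAKE_CERT_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{POST}" Location="https://{IDP_HOST}/saml2/idp/slo/{IDP_HOST}"/>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://{IDP_HOST}/saml2/idp/slo/{IDP_HOST}"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST}" Location="https://{IDP_HOST}/saml2/idp/sso/{IDP_HOST}"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://{IDP_HOST}/saml2/idp/sso/{IDP_HOST}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def pem_from_metadata_cert(b64_value: str) -> str:
    """Build the PEM text the provisioning form expects: BEGIN line, the base64
    wrapped at 64 columns, END line. Whitespace that pretty-printing put around
    the metadata value is dropped, and the base64 is decoded once so that a
    corrupted copy/paste fails here instead of at the first login."""
    raw = "".join(b64_value.split())
    base64.b64decode(raw, validate=True)
    body = "\n".join(textwrap.wrap(raw, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


def der_from_pem(pem: str) -> bytes:
    """Inverse of pem_from_metadata_cert; use it to self-check the pasted block."""
    lines = pem.strip().splitlines()
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("missing BEGIN/END CERTIFICATE lines (five hyphens each)")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def idp_values_for_provisioning(metadata_xml: str, binding: str = REDIRECT) -> dict:
    """Map the IdP metadata onto the SF provisioning fields used in STEP 2."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")

    # The metadata may carry several KeyDescriptors; keep the signing ones
    # (a KeyDescriptor without a 'use' attribute may be used for anything).
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        text = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if text:
            certs.append(text)
    if not certs:
        raise ValueError("no signing X509Certificate in metadata")

    def location(service: str) -> str:
        for svc in idp.findall(f"md:{service}", NS):
            if svc.get("Binding") == binding:
                return svc.get("Location")
        raise ValueError(f"{service} with binding {binding} not in metadata")

    return {
        "SAML Issuer": root.get("entityID"),
        "SAML Verifying Certificate": pem_from_metadata_cert(certs[0]),
        "Single Sign On Redirect URL": location("SingleSignOnService"),
        "Logout Service URL": location("SingleLogoutService"),
        "signing certificates in metadata": len(certs),
    }


if __name__ == "__main__":
    # Replace SAMPLE_IDP_METADATA with the text of the downloaded file.
    for field, value in idp_values_for_provisioning(SAMPLE_IDP_METADATA).items():
        print(f"{field}:\n{value}\n")
```

If the script reports more than one signing certificate, compare the serial numbers or thumbprints in the IAS tenant settings before choosing; the first one is only the first one in the file.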
STEP 3: Create the metadata file for the SF tenant
See SAP Note 2707993 for guidance on how to generate the metadata. I used scenario 1 (the most common one). My SF demo tenant is on DC8. Below is a screenshot of the metadata I generated, for reference.
STEP 4: Import the SF metadata into the IAS tenant
Log in to IAS -> Applications & Resources -> Applications -> click 'Add' and create a new application (any name). I named it 'SuccessFactors BizX'.
Go to SAML 2.0 Configuration -> upload the SF metadata you created in the previous step.
A few points here. In the 'Assertion Consumer Service Endpoint' section, make sure the 'Default' option is selected. Change the host name of this URL to the host of your SF tenant (copy it from your SF tenant URL, as shown below; the rest of the URL stays the same). This is the URL IAS posts the assertion to, so with a wrong host the login never reaches your tenant.
Do the same for the HTTP-POST URL under the 'Single Logout Endpoint' section (as shown below).
Change 'Subject Name Identifier' to Login Name (as shown below). This is the value SF matches against its user ID, which is why the IAS user's Login Name is set to the SF user ID in STEP 5.
Change 'Default Name ID Format' to Unspecified (as shown below); it has to agree with the NameID format SF expects.
Make sure the Login Name attribute is added in the 'Assertion Attributes' section.
Go to Home -> Applications & Resources -> Tenant Settings -> Logon Identifier & User Attributes -> make sure Login Name shows 'ON' (as shown below); otherwise users cannot log on to IAS with their login name, which STEP 6 relies on.
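The host fix above can be made on the SF metadata file itself before the upload, so the endpoints IAS reads are right from the start. The script below is an added example (mine, not from the blog and not an SAP tool) that replaces only the host of the AssertionConsumerService and SingleLogoutService endpoints, keeps scheme, path and the company query parameter, marks the first ACS as default, sets the NameID format to unspecified, and reports every change. The SP metadata in it is constructed (placeholder host generated-host.example, paths /saml2/acs and /saml2/logout, company DEMOCO). Whether IAS takes the default ACS flag and the NameID format from the uploaded file is an assumption, so still verify those two settings in the IAS application after the upload as the step describes.

```python
"""Retarget SF SP metadata to the real tenant host before uploading it to IAS.

Added example, not from the blog or from SAP. The metadata below is
constructed; host, paths and company id are placeholders."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)          # keep the md: prefix on output
NS = {"md": MD}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ENDPOINTS = ("AssertionConsumerService", "SingleLogoutService")

SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://generated-host.example/saml2">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://generated-host.example/saml2/logout?company=DEMOCO"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://generated-host.example/saml2/acs?company=DEMOCO" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def describe_sp_metadata(metadata_xml: str) -> dict:
    """Summarise the parts of SP metadata that matter for this setup."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("not SP metadata: no SPSSODescriptor")
    return {
        "entityID": root.get("entityID"),
        "acs": [(e.get("Location"), e.get("isDefault") == "true")
                for e in sp.findall("md:AssertionConsumerService", NS)],
        "slo": [e.get("Location") for e in sp.findall("md:SingleLogoutService", NS)],
        "nameid_format": sp.findtext("md:NameIDFormat", namespaces=NS),
    }


def retarget_sp_metadata(metadata_xml: str, tenant_host: str) -> tuple:
    """Return (new_xml, changes). Only the host of each endpoint is replaced;
    scheme, path and query (the company parameter) are kept, the entityID is
    left alone because SF sends it as Issuer, and a non-https endpoint is
    rejected rather than silently rewritten."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("not SP metadata: no SPSSODescriptor")
    changes = []

    for tag in ENDPOINTS:
        for ep in sp.findall(f"md:{tag}", NS):
            old = ep.get("Location", "")
            parts = urlsplit(old)
            if parts.scheme != "https":
                raise ValueError(f"{tag} endpoint is not https: {old}")
            new = urlunsplit(("https", tenant_host, parts.path, parts.query, ""))
            if new != old:
                ep.set("Location", new)
                changes.append(f"{tag}: {old} -> {new}")

    # IAS needs to know which ACS to post to: mark the first one as default
    # when none is marked (mirrors the 'Default' selection in the IAS UI).
    acs = sp.findall("md:AssertionConsumerService", NS)
    if acs and not any(a.get("isDefault") == "true" for a in acs):
        acs[0].set("isDefault", "true")
        changes.append("AssertionConsumerService index 0 marked isDefault")

    # SF was configured for the 'unspecified' NameID format; keep the metadata
    # consistent (insert before the ACS entries to respect the schema order).
    fmt = sp.find("md:NameIDFormat", NS)
    if fmt is None:
        fmt = ET.Element(f"{{{MD}}}NameIDFormat")
        fmt.text = UNSPECIFIED
        sp.insert(list(sp).index(acs[0]) if acs else len(sp), fmt)
        changes.append(f"NameIDFormat added: {UNSPECIFIED}")
    elif fmt.text != UNSPECIFIED:
        changes.append(f"NameIDFormat: {fmt.text} -> {UNSPECIFIED}")
        fmt.text = UNSPECIFIED

    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    xml, changes = retarget_sp_metadata(SAMPLE_SP_METADATA, "pmsalesdemo8.successfactors.com")
    print("\n".join(changes))
    print(describe_sp_metadata(xml))
```

Run it a second time on its own output and it reports no changes, which is a cheap way to confirm the file you are about to upload already has the right host.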
STEP 5: User profile settings in the IAS and SF tenants
Generally all SF users need to be imported into IAS using IPS (Identity Provisioning Service), which is what a productive setup does, so that SF users can log in to SF with their existing SF user IDs as the IAS login name.
Since I am working with a demo SF instance here, I have a single SF user, 'SFADMIN', which is the user ID required to log in at the SF URL. To enable that login through IAS, the following settings are needed:
Go to Home -> Users & Authorizations -> User Management -> select any P-user in IAS (or create a new one) that you want to map to 'SFADMIN'. In my case I used my own IAS user (created from my S-id).
Select the user and set the Login Name attribute to 'SFADMIN' (as shown below).
Note: If you have multiple SF users, you need to map every one of them in IAS manually (this is why IPS is used in a productive setup).
Log in to the SF tenant using 'SFADMIN' (before logging in, turn SSO off again in the SF provisioning account, as follows):
Log in to SF provisioning -> select your company -> click 'Single Sign-On Settings' -> clear the 'Reset Token' field and click 'Save Token'.
Log in to the SF tenant (using SFADMIN) -> in the search field at the top left, search for 'SFADMIN' and open the profile (the profile of 'Aanya Singh' opens) -> click the 'ME' tab (selected by default) -> go to the Contact Information section -> click edit -> set the business email to the IAS user's e-mail address (in my case my company e-mail, which is associated with my S-id and is the e-mail of my IAS user).
Finally, go back to SF provisioning and put a number in the 'Reset Token' field again (as in STEP 2) so that SSO is enabled. With that, all the configuration is done and you can go ahead with testing.
STEP 6: Check the SF login
Open a browser and go to the SF URL. You should get the screen below (the IAS login screen).
In the E-Mail and Password fields, enter 'SFADMIN' as E-Mail and the IAS password of the P-user. In my case I used SFADMIN and my IAS password (because I set 'SFADMIN' as the Login Name of my P-user).
Once you submit those credentials, you should be redirected to the SF landing page (as shown below).
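If the login does not end on the SF landing page, the quickest diagnosis is to look at the SAMLResponse that IAS posted to the SF assertion consumer URL (a browser SAML tracer add-on shows the base64 form field). The checker below is an added example (my own, not part of the blog and not an SAP tool) that decodes such a field and checks it against the settings made in STEP 2, STEP 4 and STEP 5: the Issuer equals the SAML Issuer entered in provisioning, the assertion carries a signature, the NameID is in unspecified format and equals the SF user ID, and the audience and the login-name attribute match. It does structural checks only; the signature itself is verified by SF, not here. The embedded response is constructed, and the audience value www.successfactors.com, the ACS path and the attribute name login_name are assumptions to adapt to your tenant.

```python
"""Check a captured SAMLResponse against the STEP 2 / 4 / 5 settings.

Added example, not from the blog or from SAP. Structural checks only:
the XML signature is verified by SF, not by this script."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed response standing in for what a SAML tracer would show.
# Issuer, ACS URL, audience and the signature value are placeholders.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://pmsalesdemo8.successfactors.com/saml2/SAMLAssertionConsumer?company=DEMOCO">
  <saml:Issuer>https://example-tenant.accounts.ondemand.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://example-tenant.accounts.ondemand.com</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">SFADMIN</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>www.successfactors.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="login_name"><saml:AttributeValue>SFADMIN</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

EXPECTED = {  # what the checks compare against; placeholders matching the sample
    "issuer": "https://example-tenant.accounts.ondemand.com",  # SAML Issuer entered in provisioning
    "acs_url": "https://pmsalesdemo8.successfactors.com/saml2/SAMLAssertionConsumer?company=DEMOCO",
    "audience": "www.successfactors.com",                        # assumed SF entityID
    "login_name": "SFADMIN",                                     # SF user ID = IAS Login Name
    "login_name_attr": "login_name",                             # assumed IAS attribute name
}


def encode_saml_response(xml: str) -> str:
    """Encode XML the way the browser form field carries it."""
    return base64.b64encode(xml.encode()).decode()


def check_saml_response(field_value: str, expected: dict = EXPECTED) -> list:
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    try:
        root = ET.fromstring(base64.b64decode(field_value, validate=True))
    except (ValueError, ET.ParseError) as exc:
        return [f"SAMLResponse is not base64-encoded XML: {exc}"]
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [f"Root: expected samlp:Response, got {root.tag}"]

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("Status: IdP did not report success")
    dest = root.get("Destination")
    if dest and dest != expected["acs_url"]:
        problems.append(f"Destination: {dest} is not the ACS URL configured in IAS")
    if root.findtext("saml:Issuer", namespaces=NS) != expected["issuer"]:
        problems.append("Issuer: response Issuer differs from the SAML Issuer set in provisioning")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("Assertion: none present (an EncryptedAssertion cannot be inspected here)")
        return problems
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected["issuer"]:
        problems.append("Issuer: assertion Issuer differs from the SAML Issuer set in provisioning")
    # 'Require mandatory signature: Assertion' means the ds:Signature must be
    # a direct child of the Assertion, not only of the Response.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Signature: assertion is not signed, but SF requires a signed assertion")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID: missing")
    else:
        if name_id.get("Format", UNSPECIFIED) != UNSPECIFIED:   # absent Format means unspecified
            problems.append(f"NameID: format {name_id.get('Format')} is not unspecified")
        if (name_id.text or "").strip() != expected["login_name"]:
            problems.append(f"NameID: {name_id.text!r} is not the SF user ID {expected['login_name']!r}")

    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["audience"] not in audiences:
        problems.append(f"Audience: {audiences} does not contain {expected['audience']}")
    values = [v.text for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == expected["login_name_attr"]
              for v in a.findall("saml:AttributeValue", NS)]
    if expected["login_name"] not in values:
        problems.append(f"Attribute: {expected['login_name_attr']} does not carry {expected['login_name']}")
    return problems


if __name__ == "__main__":
    print(check_saml_response(encode_saml_response(SAMPLE_RESPONSE_XML)) or ["all checks passed"])
```

A "NameID" finding usually points at STEP 4 (Subject Name Identifier or Default Name ID Format) or STEP 5 (the IAS user's Login Name); a "Signature" finding points at the IAS application's signing settings; an "Issuer" finding means the entityID pasted in STEP 2 does not match the tenant that actually answered.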
With this process you can replace the SF login screen with the IAS login screen or the login screen of any other corporate identity provider.
Note: Here we have not used the IPS service that you will find in most Notes/blogs because, as said earlier, IPS only pulls the minimum details of all users from SF into IAS so that you do not have to create all SF users in the IAS tenant manually.
If you have another identity provider, e.g., ADFS or Azure AD, you configure it inside IAS as a corporate identity provider. IAS then acts as a proxy between your IdP and SF. There are blogs/notes on how to do that.
Well written. Good job!
Thank you, very informative!
Nice blog Prodyot!
Maybe you want to add, for the provisioning settings:
SAML v2: NameID Setting
NameID Format: unspecified
Good day Prodyot, thanks for the useful information. I have a question:
Do you know if AIS can connect directly into SF, or is CPI necessary? We are stuck with a scenario of 3 SF tenants needing to integrate into one SAP instance, hence the need for AIS.