In this blog post we will learn about Identity authentication service(IAS), Single sign on Scenarios in SAP Success factors application and some basic terminologies.
- IAS integration with SAP Success Factors Application and delegate authentication to 2 corporate Identity Providers(one is Azure and another is some other corporate IDP) – segregation will be based on domain names of the user email address.
- Identifier is same for SAP Success Factors application and Corporate Identity provider-1
- Identifier is different for SAP Success Factors application and ADFS( Azure AD – Corporate Identity provider -2) – Mapping is required in IAS.
- Single URL for Corporate Users and External vendors. (password and single sign on users)
- For Corporate Users – It will act as proxy to delegate authentication to Corporate IDPs
- For External Vendors – It will act as identity provider.
Before going in details in implementation, in this blog post we will go through the basic terminologies which will mostly used and why we need IAS in this scenario.
Identity Authentication Service(IAS)
Identity Authentication is a cloud service for authentication, single sign-on, and user management in SAP cloud and on-premise applications. It can act as an identity provider itself, or be used as a proxy to integrate with an existing single sign-on infrastructure.
IAS provides a lot of flexibility and it is not possible to implement this scenario without IAS.
Single Sign on(SSO)
Authentication method that enables users to securely authenticate with multiple applications by using just one set of credentials. In our scenario we will authenticate in Corporate IDPs to login to SAP Success factors application.
There are 2 protocols available for SSO which are widely used in industry – IAS supports both the protocols:
SAML 2.0 – Most commonly used to help enterprise users sing in to multiple applications using SSO.
Open-ID connect – Widely used to enable user login on mobile apps. This protocol is build over OAuth (which is used for authorization) to support authentication scenarios.
We will use SAML2.0 for integration and establish SSO between SAP SuccessFactors, IAS, and Corporate IDPs.
How SAML2.0 works?
Establish Trust connection between Service Provider and Identity Provider (Exchange of metadata file)
User who wants to access Service must authenticate into IDP(Identity Provider)
If user manages to Successfully authenticate, IDP generates a SAML assertion
Assertion is sent to the application and since service provider Trust IDP, User is allowed access.
It contains details of
Entity ID – Unique identifier
Different URLs – When authentication is successful – how does identity provider knows where to redirect the request – Using different URLs configured in metadata file. It consists of ACS, SSO, SLO URLs.
Certificate details – so that application trust can be established.
It is required to perform mapping at the backend. It should be unique value which is supported by application and identity provider. From end user perspective – they need not to worry about it, Its something which is used at the backend. We can capture the details in SAML trace.
Restriction on SAP Success Factors application:
SAP SuccessFactors accepts two values to identify the user logging in using SAML2. The most common is NameID. It also support the UserName attribute. Whichever method is used, the value is compared with the UserName in the SAP SuccessFactors application.
In case of different Unique identifiers on IDP and SF application, we need to perform mapping on IAS. In our scenario:
For SF application – unique identifier is username (It will always be username – restriction from SF)
For Corporate IDP ADFS- unique identifier is email address.
To perform mapping in IAS – User details are required in IAS. To sync users SAP provides IPS (Identity Provisioning services) – which automates the process.
IPS (Identity Provisioning Services)
Allows to automate and manage the transfer of user data from Source system(SF) to target system(IAS) using sync jobs which can be configured as per our requirement.
In this blog post we have learnt about the basic terminologies and basic concepts related to Single Sign on. In next blog post we will start discussion on Integration process of IAS with SAP Success Factors application.
In case you are wondering why we are using IAS with SAP Success Factors Application – please check this blog post:Why Identity authentication is required for SAP SuccessFactors Application
See you in the next blog post where we will start the actual implementation of IAS with SAP Success Factors Application !
Click below to move to next step: