Skip to Content
User Experience Insights
Author's profile photo j tamrakar

Configure SAP SuccessFactors solution Single Sign-On with SAP Cloud Platform Identity Authentication & MS Azure OpenID Connect


SAP Cloud Platform Identity Authentication can use an OpenID Connect identity provider as an external authenticating authority. SAP Cloud Platform Identity Authentication acts as a proxy to delegate authentication to the external corporate identity provider. The requests for authentication sent by the relying party will be forwarded to the corporate identity provider.

Note: Currently only Microsoft Azure Active Directory (Azure AD) is supported as OpenID Connect corporate identity provider.

To use SAP Cloud Platform Identity Authentication as a proxy to delegate authentication to an external OpenID Connect corporate identity provider, it is required to configure trust with that corporate identity provider.




Authentication Scenario



1)  SAP Cloud Platform Identity Authentication is enabled for SAP SuccessFactors solution Check SAP blog to enable SAP Cloud Platform Identity Authentication through Upgrade Center

2) Get below information from customer:

    1. Client ID
    2. Tenant ID
    3. Secret
    4. Tenant Issuer

3) You can retrieve the information by calling the discovery endpoint of the corporate identity provider:

Put above URL in browser and retrieve Issuer as below

4) Configure the callback endpoint of the SAP Cloud Platform Identity Authentication tenant as Redirect URI

https://<IAS tenant_id>

How-to configure OpenID Connect Corporate Identity Provider?

Step 1: Login into SAP Cloud Platform Identity Authentication as an Administrator

Step 2: Navigate to Application and Resources – > Select Talent Settings -> select OpenID Connect Configuration from right side panel

Step 3: Provide OpenID connect details for MS Azure setup

Step 4: From left hand panel select Identity Providers -> Corporate Identity Provider

Step 5: Create Identity Provide and give a name

Step 6:  Select newly created Identity Provider and in right hand side panel select Identity Provider Type

Step 7: Select OpenID Connect Complaint as Identity Provide Type

Step 8: Select OpenID Connect Configuration option from right hand side panel and maintain Issuer, Client ID and Client Secret and validate it.

Once it is successfully validated, save it.

Check Prerequisite 3 for issuer


Step 9: Navigate to Identity Providers – > Corporate Identity Providers -> Select Subject Name Identifier and select Email option.

Step 10: Navigate to Application and Resources -> Applications -> Select the correct SuccessFactors system from middle panel

And maintain Protocol as SAML 2.0 and Subject Name Identifier as Login Name


Step 11: Navigate to Application and Resources – > Select the correct SuccessFactors system from middle panel -> select Conditional Authentication from right panel


Step 12: In Conditional Authentication maintain MS Azure as Default Identity Provider


Note: To authenticate some users like external users from SAP Cloud Platform Identity  Authentication enable the option “Allow users stored in Identity Authentication service to logon and use the URL for external users.


Step 13: Once trust configuration is done with the corporate identity provider, whenever user login into SuccessFactors it will redirect user to MS Azure for authentication



With this process users would be authenticated by Microsoft Azure, when they login into SAP SuccessFactors solutions.

Thanks for the read! I will be happy to address any further question in the comments.

See you soon with a new blog!


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Shambhavi Thakur
      Shambhavi Thakur

      Thank you Jayshri. Very informative and detailed.

      Author's profile photo John Hormaechea
      John Hormaechea

      Thank you Jayshri for the blog. Are there plans to any plans to add other OpenID Connect corporate identity providers such as SAP IAS OpenID?

      Author's profile photo Bernhard Wolf
      Bernhard Wolf

      Thanks for the detailled blog.

      I wanted to check if there is any update for the SAP IAS OIDC connection? Is this currently in development or is it always required to use SAML 2.0 between SuccessFactors and SAP IAS?

      Author's profile photo Thanh Trung Doan
      Thanh Trung Doan

      Thank you Jayshri,

      How to turn on SSO for mobile app? via Azure AD?