Configure Automatically the Subaccount in SAP BTP as a Trusted Service Provider in SAP SuccessFactors
Hello, readers! Today we are going to use the new SAP BTP functionality which allows you to configure the subaccount in SAP BTP as a trusted service provider in SAP SuccessFactors. This is achieved by registering an assertion consumer service (ACS) in your SAP SuccessFactors system without logging in to the Provisioning.
A lot of you may be migrating from SAP BTP, Neo environment and may have previously encountered the hcmcloud-enable-application-access Neo CLI command which is used to register the extension application as an authorized assertion consumer service. So far there was no alternative to this in the SAP multi-cloud world and the configuration had to be done by hand. We have heard your feedback and have implemented a way for you to automate this setup.
To prepare for the next steps, make sure you have the following:
- A global account in SAP BTP for which you are an administrator
- A dedicated SAP SuccessFactors system and a user with permissions to access Extension Center in SAP SuccessFactors Admin Center that include the Manage Extensions on SAP BTP permissions. See:
  - Permission to Access Admin Center
  - Necessary permissions description in the Prerequisites section of Register an SAP SuccessFactors System in a Global Account in SAP BTP
- A registered system global account in SAP BTP, as described in Register an SAP SuccessFactors System in a Global Account in SAP BTP
What was the manual process for setting up Single Sign-On again?
The first part is to configure SAP SuccessFactors as a Trusted Identity Provider in your subaccount in SAP BTP. For that you need to open https://<sap_successfactors_system>/idp/samlmetadata?company=<company_id>&cert=sha2 where <sap_successfactors_system> is the hostname of your SAP SuccessFactors system and <company_id> is the company ID of your SAP SuccessFactors system. Save the file with the .xml extension.
Then go to your subaccount in SAP BTP and on the left-hand side navigation, choose Security > Trust Configuration. Choose New Trust Configuration and upload the previously downloaded XML file. Enter a meaningful Name and click Save. Make sure the new configuration is the only active one.
Now the second part is to register the subaccount in SAP BTP as a trusted service provider in SAP SuccessFactors. Until now your only option was to register the assertion consumer services manually as described in Register the Assertion Consumer Service of the Subaccount in SAP BTP in SAP SuccessFactors and Register the Assertion Consumer Service for Every Extension Application in SAP SuccessFactors.
First, in the SAP BTP cockpit, you need to go to your subaccount and on the left-hand side navigation, choose Security > Trust Configuration. Then click the SAML Metadata download button.
Then, you open the SAP SuccessFactors Provisioning at https://<sap_successfactors_system>/provisioning_login where <sap_successfactors_system> is the hostname of your SAP SuccessFactors system. Choose your system’s name and then select Authorized SP Assertion Consumer Service Settings.
Now click Add another Service Provider ACS and a new row will appear where you can enter the URLs of the assertion consumer service that you are registering. You need to register the assertion consumer service of the subaccount in SAP BTP by entering the following values:
- Assertion Consumer Service should be the value of the Location attribute of the AssertionConsumerService element with the HTTP-POST binding from the SAML Metadata you have downloaded
- Logout URL should be the Location attribute of the SingleLogoutService element with the HTTP-POST binding from the SAML Metadata you have downloaded
- Audience URL should be the value of the entityID attribute of the EntityDescriptor element from the SAML Metadata you have downloaded
If you also want to configure the IdP initiated single logout (SLO), then you need to register an assertion consumer service for each application running in the SAP BTP multi-cloud environment that should receive the SAML LogoutRequest. In this case the Assertion Consumer Service and Audience URL values are not relevant and could be anything, but the Logout URL should be the URL of the logout endpoint of the application that can accept the SAML LogoutRequest and terminate the server session.
Once you are done, make sure you click the Save button to save the changes.
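The three values above are read by hand out of the subaccount's SAML metadata, which is error-prone (the metadata lists several bindings, and only the HTTP-POST ones are wanted). The script below is an added example, not part of the original post or of any SAP tooling: it extracts the Assertion Consumer Service, Logout URL and Audience URL from an SP metadata document and refuses IdP metadata, which is the file you get if you accidentally feed it the SuccessFactors download from the first part instead of the subaccount's download. The two metadata documents embedded in it are constructed samples with placeholder hostnames.

```python
"""Pull the Provisioning values (ACS, Logout URL, Audience URL) out of the
SAML metadata downloaded from Security > Trust Configuration in SAP BTP.

Added example; the metadata documents below are constructed for the example
and the hostnames in them are placeholders, not real endpoints.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of a subaccount's SP metadata. It carries a Redirect
# binding as well, so the code has to pick the HTTP-POST entries explicitly.
SAMPLE_SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://example-subaccount.authentication.example.test">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://example-subaccount.authentication.example.test/saml/SingleLogout/alias/example"/>
    <md:SingleLogoutService Binding="{HTTP_POST}"
        Location="https://example-subaccount.authentication.example.test/saml/SingleLogout/alias/example"/>
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://example-subaccount.authentication.example.test/saml/SSO/alias/example"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample of IdP metadata (what the SuccessFactors samlmetadata
# URL returns); it has no SPSSODescriptor and must be rejected.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.test/placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_acs_settings(metadata_xml: str) -> dict:
    """Return the values to type into Authorized SP Assertion Consumer Service Settings."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID (needed for Audience URL)")

    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError(
            "no SPSSODescriptor: this looks like IdP metadata, not the subaccount's SP metadata"
        )

    def post_location(tag: str):
        # Only the HTTP-POST binding is wanted; other bindings are skipped.
        for element in sp.findall(f"{{{MD_NS}}}{tag}"):
            if element.get("Binding") == HTTP_POST:
                return element.get("Location")
        return None

    acs = post_location("AssertionConsumerService")
    if acs is None:
        raise ValueError("no AssertionConsumerService with HTTP-POST binding")
    # SingleLogoutService is optional in SP metadata; None means "no Logout URL".
    logout = post_location("SingleLogoutService")

    return {
        "assertion_consumer_service": acs,
        "logout_url": logout,
        "audience_url": entity_id,
    }


if __name__ == "__main__":
    for field, value in extract_acs_settings(SAMPLE_SP_METADATA).items():
        print(f"{field}: {value}")
```

Run it against the real download by replacing SAMPLE_SP_METADATA with the file's contents; the output maps one-to-one onto the three Provisioning fields.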
What has changed now?
A big problem with the manual registration was that you needed access to the SAP SuccessFactors Provisioning and that was not always available. Because of that, we have automated this part of the setup for registered systems in SAP BTP.
I will be using my already registered system acs-automation-system in my global account and my subaccount acs-automation to demonstrate the new process.
We now have a dedicated service plan – sso-configuration – for the SAP SuccessFactors Extensibility service that automatically creates an assertion consumer service in SAP SuccessFactors for the subaccount in which this service instance is created, plus an assertion consumer service with a logout URL for each extension application that you want.
In the SAP BTP cockpit, go to your global account and from the left-hand side navigation select Entitlements > Entity Assignments. Enter your subaccount name in the Select Entities field. Now click the Configure Entitlements button and then the Add Service Plans button.
On the left, select the SAP SuccessFactors Extensibility service. Then on the right, select your registered system from the dropdown, and then the sso-configuration service plan. Choose Add 1 Service Plan and then Save.
Now you are ready to create an SAP SuccessFactors Extensibility service instance of plan sso-configuration. Keep in mind that this service instance is created on subaccount level. Go to your subaccount and from the left-side navigation select Services > Service Marketplace and click the SAP SuccessFactors Extensibility tile.
Enter a name for your service instance and click Next. On the Parameters step you will be presented with a preconfigured JSON that you can use. By default, the logoutURLs array parameter will be empty and only the subaccount Assertion Consumer Service will be registered in the SAP SuccessFactors system defined by the systemName parameter.
If you want to register an application’s assertion consumer service for the IdP initiated single logout (SLO) then you need to enter the URL to the logout endpoint of the application that can accept the SAML LogoutRequest and terminate the server session in the logoutURLs array parameter.
Once you are done, click the Create button. Now you can go to the Services > Instances and Subscriptions tab and check the status of your service instance. Its status should change to Created shortly.
You can check the result by logging into your SAP SuccessFactors system and going to the Authorized SP Assertion Consumer Service Settings page.
I have already set up an sso-configuration service instance, but now I need an assertion consumer service for single logout for a new application I deployed. What can I do?
It’s important to note that you can only have one SAP SuccessFactors Extensibility service instance of plan sso-configuration per subaccount so creating a second one is not an option. The good news is that the service instance is updatable.
From the Services > Instances and Subscriptions tab, click your service instance, click the three-dots button on the right and select Update.
Click Next to go to the Parameters step and edit the JSON as necessary. You can also click the View current configuration link to see the JSON that was previously passed. Once you click the Update Instance button the following will happen:
- All the new assertion consumer service entries will be created in SAP SuccessFactors.
- All the assertion consumer service entries that were previously created but are not part of the new JSON file will be deleted.
- All the assertion consumer service entries that were previously created and are part of the new JSON file will be recreated.
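Because an update deletes every entry that is missing from the new JSON, it is worth previewing what the instance will create, delete and recreate before clicking Update Instance, and catching a malformed logout URL before it is registered. The script below is an added example, not SAP code: it validates the systemName and logoutURLs parameters described above and applies the three update rules just listed to the current and new parameter sets. The https-only and no-duplicates checks are this example's own, and the JSON samples are constructed (the system name is the one used elsewhere in this post).

```python
"""Preview an update of the sso-configuration service instance.

Added example, not SAP's code. systemName and logoutURLs are the parameter
names described in this post; the validation rules are this example's own,
and the JSON documents below are constructed samples.
"""
import json
from urllib.parse import urlsplit

# Constructed: the JSON shown under "View current configuration".
CURRENT_JSON = """{
  "systemName": "acs-automation-system",
  "logoutURLs": ["https://app-one.example.test/logout"]
}"""

# Constructed: the edited JSON for the update, adding a second application.
NEW_JSON = """{
  "systemName": "acs-automation-system",
  "logoutURLs": [
    "https://app-one.example.test/logout",
    "https://app-two.example.test/logout"
  ]
}"""


def validate_parameters(params: dict) -> list:
    """Return a list of problems; an empty list means the parameters look usable."""
    problems = []
    system_name = params.get("systemName")
    if not isinstance(system_name, str) or not system_name.strip():
        problems.append("systemName must be the non-empty name of a registered system")

    urls = params.get("logoutURLs", [])
    if not isinstance(urls, list):
        problems.append("logoutURLs must be an array")
        return problems

    seen = set()
    for url in urls:
        parts = urlsplit(url) if isinstance(url, str) else None
        # The logout endpoint receives the SAML LogoutRequest, so insist on an
        # absolute https URL rather than a relative path or plain http.
        if parts is None or parts.scheme != "https" or not parts.netloc:
            problems.append(f"logout URL must be an absolute https URL: {url!r}")
            continue
        if url in seen:
            problems.append(f"duplicate logout URL: {url}")
        seen.add(url)
    return problems


def plan_update(current: dict, new: dict) -> dict:
    """Apply the three update rules to the application logout URLs."""
    current_urls = set(current.get("logoutURLs", []))
    new_urls = set(new.get("logoutURLs", []))
    return {
        "create": sorted(new_urls - current_urls),     # only in the new JSON
        "delete": sorted(current_urls - new_urls),     # dropped from the new JSON
        "recreate": sorted(current_urls & new_urls),   # kept, so deleted and created again
    }


def preview(current_json: str, new_json: str) -> dict:
    """Parse both documents, validate the new one and return the planned changes."""
    current = json.loads(current_json)
    new = json.loads(new_json)
    problems = validate_parameters(new)
    if problems:
        raise ValueError("; ".join(problems))
    if current.get("systemName") != new.get("systemName"):
        raise ValueError("systemName differs between current and new parameters")
    return plan_update(current, new)


if __name__ == "__main__":
    for action, urls in preview(CURRENT_JSON, NEW_JSON).items():
        print(f"{action}: {urls}")
```

The preview covers only the per-application logout entries; the subaccount's own assertion consumer service is managed by the instance itself and goes away when the instance is deleted, as the next section describes.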
Cool but can I clean up the assertion consumer service for the subaccount as well?
In case you no longer need the subaccount and application assertion consumer services, then you can delete the service instance. That way all the assertion consumer service entries created by this service instance will also be deleted.
This blog showed you how you can use the new service plan sso-configuration of the SAP SuccessFactors Extensibility service to automate your Single Sign-On configuration. We went through the manual flow for registering SAP SuccessFactors as a trusted identity provider in SAP BTP. Then we went through the manual and automatic ways to register subaccount and application specific assertion consumer services.
Finally, we covered how you can update the existing sso-configuration service instance to add or remove application assertion consumer services and how you can clean up all the assertion consumer services created by the service instance.