Dear Readers

In this blog, you will follow the steps on how to enable Commissions SAML Single sign-on (SSO) using Commissions Sales Portal Home (SPH)

Pre-Requisites

IdP.xml File (Identity Provider XML Configuration File) (Reach out to customer IT team)

Below are the steps to be followed :

Step 1. Log into the SAP Commissions portal, from the Home page, Administration screen, select Global Settings.

2. Go to SAML Authentication Settings and select Set Up New SAML Configuration Option.
Turn on FSSO SAML.

3. Enter the following under Service Provider Parameters

• SP EntityID:
  https://xxxx-yyy.callidusondemand.com (Replace xxxx with tenant id and yyy with the environment) -- for oracle customers
  
  https://xxxx.callidusondemand.com (Replace xxxx with tenant id) -- for HANA customers  

• Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

NOTE: We normally suggest that an unspecified Name ID Format be entered as mentioned above. However, if you have a specific Name ID Format that is different, like:

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Please go ahead and enter that. Please note if the give Name ID Format does not work, we will request that you set up your system to use unspecified (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified) as the Name ID Format.

4. Turn on Use Name ID as SP User ID option



5. Upload IdP.xml file ( SAML 2.0 - Microsoft Azure, Okta, or any other identity providers)



6. Do not fill any other section or field at this point. If you do, please exit this page, and start the configuration process again and do not save anything.

- There are instances where your browser may fill additional fields automatically. Please stop your browser from doing this, and try again. If you fill out any fields and remove the information later, the configuration may not work.

7. Click Save SAML Authentication Settings to save to configuration and turn on your SAML SSO. Please review step number 6 before clicking Save SAML Authentication Settings.

8. Follow the steps 1 and then 2 from below screenshot..
Click Save SAML Authentication Settings and then click Mark configuration Validated after clicking.

Once you have validated that everything is working, and you want to turn on trusted mode, which will disable the ability to log in directly into the Commission Portal

If you need Non-Trusted Mode..
Please do not proceed with 2 step, if you also want to be able to login directly through the Commissions Portal, or if you also plan on using Salesforce Commissions Integration (Not SAML SSO Based.)  Admins can login through SSO with SP initiated (Reach out to me on how to setup)..

9. Click Save
10. After making these changes, the sp.xml file will be available to be downloaded from the same page.


11.  After completed, you will see from below screenshot

Comment:

If you had previously configured SAML SSO, and it was not through the portal, there is an important change you will have to make.

The previous POST URL that you were using will change from the following pattern:

https://xxxx-yyy.callidusondemand.com/saml2/sp/acs/post

to the following pattern:

https://xxxx-yyy.callidusondemand.com/CallidusPortal/startPortal.do?fssoLoginResponse=true

You will have to update this on your source system, so the request is sent to the correct location.

Conclusion: you can configure on our own from above without reaching out to the Customer IT team or SAP Commission Support team. Once it's enabled, users are secured to access the application.

Troubleshooting Resources

Online & Browser Tools:

➢ Allows you to validate a SAML Response for Chrome (see example in next slide, FF uses SAML Tracer) – https://www.samltool.com/validate_response.php

➢ Allows you to debug your SAML based implementation (see example in next slide, it is a way to validate if all of the related entries are valid) –
https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm?hl=e...

➢ https://www.base64decode.org/  – Decode from Base64 format.