SAP SuccessFactors SSO Integration with Azure AD via Proxy
Use this procedure to integrate SAP SuccessFactors SSO with Azure AD via Proxy.
Before you begin, make sure you have the following prerequisites:
- Admin access to Azure AD IdP.
- Access to Skyhigh CASB and appropriate role or rights to manage the SAP SuccessFactors service.
- Admin access to SAP SuccessFactors.
Configure the SAML Proxy for SAP SuccessFactors
Perform the following activities to configure the SAML proxy for SAP SuccessFactors.
Step 1: Download IdP Certificate from Azure AD
- Log in to Azure AD as an admin and go to Azure Active Directory > Enterprise Applications.
- Search for SAP SuccessFactors and add it.
- Click the SAP SuccessFactors app and select the Single Sign-On option to configure SSO.
- Under Set up Single Sign-On with SAML, click Edit.
- Under Basic SAML Configuration, configure the URIs based on the user's SuccessFactors instance and region. The instance name in the URI varies depending on the region. The URL formats are shown below:
- Identifier (Entity ID). Enter the URL in the following format: https://<instance-name>.successfactors.com
- Reply URL (Assertion Consumer Service URL). Enter the URL in the following format: https://instancename.successfactors.com
- Sign on URL. Enter the URL in the following format: https://instancename.successfactors/sso
NOTE: For more details on the SuccessFactors Base URIs and regions, see Base URIs.
- Click Save.
- Under SAML Signing Certificate, click the Certificate (Base64) Download link to download the IdP (Azure) certificate and save it in your local folder. This is your IdP Certificate used to configure the SAML proxy in Skyhigh CASB.
Step 2: Download the SP Certificate from SAP SuccessFactors
- Log in to the SAP SuccessFactors portal as an admin with SSO permissions.
- Go to Administration > Company > Authentication Admin and click Manage Single Sign-On.
- Under the IdP Metadata section, select the existing IdP and view metadata. Then proceed to export and save the metadata file in your local folder. This is your SP Certificate used to configure the SAML proxy in Skyhigh CASB.
Step 3: Configure SAML Proxy in Skyhigh CASB
- Log in to Skyhigh CASB.
- Go to Settings > Service Management.
- Select your SAP SuccessFactors instance from the Services list. (If no services are listed, contact MVISION Cloud Support for help.)
- Click the Setup tab, and under Proxy, click Get Started.
NOTE: To create and configure the proxy for the SAP SuccessFactors instance, see Configure Proxy for SAP SuccessFactors.
- Under Configure SAML, click Configure.
- Under Upload Identity Provider Certificate, upload the IdP Certificate downloaded earlier from Step 1 and click Next.
- Under Upload Service Provider Certificate, upload the SP Certificate downloaded earlier from Step 2 and click Next.
- Under Download SAML Certificate, download the Proxy Certificate and save it in your local folder. This certificate is used in Step 5.
- Once the SAP SuccessFactors SAML proxy configuration is successful, go to Actions > Edit Properties and add the following Company ID property.
- Name: modify.query.param.data
- Value: er10.successfactors.com;company=<add Company ID of SuccessFactors>
Here, er10.successfactors.com refers to the URL of SuccessFactors.
NOTE: The Company ID differs for each customer depending on their SuccessFactors instance. To find the SuccessFactors access URL (or IdP URL), see How to Find the SuccessFactors Company ID.
Step 4: Configure SSO in Azure AD
- Log in to Azure AD admin portal.
- Go to Enterprise application > SAP SuccessFactors > Single Sign-on > SAML-based Sign-on.
- Click the pencil icon to edit Basic SAML Configuration and replace the Reply URL (Assertion Consumer Service URL) and Sign-On URL with the Skyhigh CASB proxy URLs, then click Save.
Step 5: Integrate SSO for SAP SuccessFactors
- Log in to SAP SuccessFactors as an admin.
- Go to Application Security > Single Sign-On > Edit Basic SAML Configuration.
- Under For SAML based SSO, configure these:
- SAML Verifying Certificate Status. Make sure the status shows that the certificate is valid.
- SAML Verifying Certificate. Replace the SAML Verifying Certificate with the proxy certificate downloaded from Skyhigh CASB in Step 3.
- Name ID Format. In the SAML Setting Configuration, leave this field unspecified. By default, it is set to unspecified.
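
Steps 1 to 3 and Step 5 move certificate and metadata files between three consoles by hand, so it helps to confirm which signing certificate each saved file actually carries before uploading it. The following Python is an added example, not code from Skyhigh, Microsoft or SAP: it computes the SHA-256 fingerprint of a Certificate (Base64) file and of every signing certificate inside a SAML 2.0 metadata file, and reports whether they match. It assumes the exported metadata is standard SAML 2.0 metadata; the function names are hypothetical and the sample inputs are constructed bytes, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pem_to_der(pem: str) -> bytes:
    """Decode the body of a single Base64 (PEM) certificate file."""
    lines = [ln.strip() for ln in pem.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)

def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def signing_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of every signing certificate in a SAML 2.0 metadata file."""
    found = set()
    for kd in ET.fromstring(metadata_xml).iter("{%s}KeyDescriptor" % NS["md"]):
        # A KeyDescriptor without a "use" attribute covers signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # metadata wraps the Base64
            found.add(fingerprint(base64.b64decode(b64, validate=True)))
    return found

def is_pinned(pem: str, metadata_xml: str) -> bool:
    """True when the PEM certificate is one of the metadata's signing certs."""
    return fingerprint(pem_to_der(pem)) in signing_fingerprints(metadata_xml)

# Constructed stand-ins: arbitrary bytes, not real certificates or real metadata.
SIGN_DER, ENC_DER = b"constructed signing cert", b"constructed encryption cert"
def _kd(use: str, der: bytes) -> str:
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n'
            f'  {base64.b64encode(der).decode()}\n'
            f'</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
SAMPLE_METADATA = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
                   'entityID="https://sp.example.invalid"><md:SPSSODescriptor>'
                   + _kd("signing", SIGN_DER) + _kd("encryption", ENC_DER)
                   + '</md:SPSSODescriptor></md:EntityDescriptor>')
```

For real files, read the saved certificate and metadata as text and pass them to `is_pinned`; a `False` result means the certificate file is not one of the signing certificates in that metadata.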