Use this procedure to integrate SuccessFactors SSO with Okta via Proxy.
Before you begin, make sure you have the following prerequisites:
- Admin access to Okta IdP.
- Access to Skyhigh CASB and appropriate role/rights to manage the SuccessFactors service.
For the SSO integration, you control only the IdP (Okta) side and have no visibility into the SP-side configuration. To get visibility into the SP-side configuration, perform the following activities:
To integrate SuccessFactors SSO with Okta via Proxy:
- Log in to Okta and add the SuccessFactors application. Then select the General tab and, under App Settings, enter the required details.
- Select the Sign On tab and click Edit.
- Download the Okta certificate (IdP certificate) from the IdP metadata.
- To send a username attribute extracted from the user's email, enter the expression String.substringBefore(user.email,"@") in the Application username format. For example, if the user's email is Tom@mcafee.com, this expression extracts Tom and drops @mcafee.com from the email value. This validates the SuccessFactors SP side's SAML authentication process.
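The username mapping in the last step discards the email domain, so two users whose addresses share a local part map to the same SuccessFactors username. The following Python check is an added example, not part of the original procedure or of Okta's tooling. The function names, the sample addresses, and the case-insensitive comparison are assumptions.

```python
from collections import defaultdict


def app_username(email):
    """Mirror String.substringBefore(user.email, "@") for addresses that contain "@"."""
    head, sep, _ = email.partition("@")  # split at the first "@"
    return head if sep else None  # no "@": report it instead of guessing Okta's result


def audit_usernames(emails, case_insensitive=True):
    """Group emails by derived username and return (collisions, malformed)."""
    groups = defaultdict(list)
    malformed = []
    for email in emails:
        name = app_username(email.strip())
        if not name:  # None (no "@") or an empty local part
            malformed.append(email)
            continue
        # Assumption: the SP may compare usernames case-insensitively.
        key = name.lower() if case_insensitive else name
        groups[key].append(email)
    collisions = {k: v for k, v in groups.items() if len(v) > 1}
    return collisions, malformed


# Constructed sample directory export (not real accounts).
SAMPLE = [
    "Tom@mcafee.com",
    "tom@contractor.example",
    "alice@mcafee.com",
    "svc-backup",
    "@mcafee.com",
]

if __name__ == "__main__":
    collisions, malformed = audit_usernames(SAMPLE)
    for name, owners in sorted(collisions.items()):
        print(f"COLLISION {name!r}: {owners}")
    for email in malformed:
        print(f"MALFORMED {email!r}")
```

Run it against an export of the email addresses assigned to the application before changing the username format, and resolve every reported collision first.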
Configure SuccessFactors Proxy in Skyhigh CASB
- Log in to Skyhigh CASB.
- Go to Settings > Service Management.
- Select your SuccessFactors instance from the Services list. (If no services are listed, contact Skyhigh Security Support for help.)
- Click the Setup tab, and under Proxy, click Get Started.
- Configure the proxy for SuccessFactors. For details, see Configure Proxy for SuccessFactors.
- Under Configure SAML, click Configure.
- Upload the SP and IdP certificates, and download the proxy certificate.
- Share the proxy certificates with the SuccessFactors team. They replace the proxy certificates and update the existing IdP certificate (Okta certificate) in the SP-side configuration.
Now, you can validate the SuccessFactors SSO via proxy.
- Once the SuccessFactors proxy configuration is successful, go to Actions > Edit Properties and add the following Company ID property. This property lets users log in to SuccessFactors seamlessly via the reverse proxy, without double login prompts.
- Name: modify.query.param.data
- Value: A$hcm10preview.sapsf.com;company= <add Company ID of SuccessFactors>
Here, A$hcm10preview.sapsf.com refers to the URL of SuccessFactors.