
Single Sign-On (SSO) is a user authentication process that enables users to access multiple applications with a single set of login credentials. Implementing SSO for SAP SuccessFactors enhances security, reduces password fatigue, and improves user experience. This guide provides a detailed, step-by-step approach to configuring SSO using SAP Identity Authentication Service (IAS) and Azure Active Directory.
Before starting the configuration, ensure you have the following:
Administrative access to SAP SuccessFactors and SAP Identity Authentication Service (IAS).
Administrative access to Azure Active Directory (Azure AD).
An understanding of SAML-based authentication.
Note: If SAP did not provide the IAS tenant links, you can activate the tenant from the Upgrade Center. After completing the configuration, testing and activation are done again from the Upgrade Center.
Step 1: Download Identity Authentication service tenant metadata
Navigate to Applications and resources > Tenant Setting > Single Sign-On > SAML 2.0 Configuration and download the IAS metadata file.
Step 2: Create enterprise application in Azure Active Directory
Navigate to Enterprise applications and click New application.
Azure Active Directory has templates for a variety of applications, one of them is the SAP Cloud Platform Identity Authentication Service. Search for this and select it.
A new column on the right side will appear to give the application a name. Give the application a name and click Add.
Go to Single sign-on and select SAML as the single sign-on method.
Step 3: Upload the IAS tenant metadata file from Step 1
Select the application you just created and click Upload metadata to upload the metadata file from Identity Authentication service.
All the details are now taken from the metadata file, so there is nothing left to do except save them. Click Save.
Step 4: Download single sign-on metadata from Azure Active Directory
Download the federation metadata as shown below.
With this information we can set up the trust between Azure Active Directory and Identity Authentication service.
Step 5: Create corporate identity provider in IAS
Go back to IAS, navigate to Identity provider > Create, and choose the type Microsoft ADFS / Entra AD (SAML 2.0).
Step 6: Upload Azure Active Directory federation metadata file
Click SAML 2.0 Configuration and upload the federation metadata you just downloaded from Azure Active Directory.
Choose the file from your local file system.
All fields below are filled in automatically from the uploaded file.
Click Save at the top of the page.
Step 7: Add a new user in the Users and groups Microsoft Azure application
Go back to your overview of enterprise applications in Microsoft Azure AD and click your application. Add a new user by clicking Add user in the Users and groups submenu, as shown on the screenshot.
By hitting the result tile, you select the user, which should appear under Selected members panel. Finish your user assignment with clicks on Select and Assign.
Congrats! You have now created trust between Azure Active Directory and Identity Authentication service.
Navigate to Identity provisioning > Source > Jobs and use Run Now on the read job to get all users from SF, then schedule the job for future new hires.
Navigate to Applications and resources > Applications > SuccessFactors > Conditional Authentication and create a rule for every domain that should access the system through the identity provider you created. This step defines the domains which will log in via SSO; any other domain will log in through the default identity provider.
Set the Default Identity Provider to Identity Authentication.
Navigate to Identity provider > Identity Federation, then switch on Use Identity Authentication user store and switch on User Access.
Now you can test. Make sure the user you are testing with has already been added to the SF tenant.
Issue | Possible Cause | Solution |
---|---|---|
Users cannot log in via SSO | Misconfigured SAML settings | Verify SAML assertion parameters and ACS URL |
Error: "User not found" | Incorrect attribute mapping | Ensure Azure AD user attributes match SuccessFactors fields |
Logout not working properly | Logout URL missing | Configure the logout URL in both Azure AD and SAP IAS |
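The metadata files exchanged in Steps 1 and 4 can be checked before upload for the ACS URL, logout URL and signing certificate issues listed in the table above. The Python script below is an added example, not part of the original guide or of any SAP or Microsoft tooling; the function name, the sample metadata, and its hosts and paths are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
ROLES = {"sp": ("SPSSODescriptor", "AssertionConsumerService"),
         "idp": ("IDPSSODescriptor", "SingleSignOnService")}

def check_metadata(xml_text, role):
    """Return (summary, findings) for one side's SAML 2.0 metadata file."""
    descriptor_tag, endpoint_tag = ROLES[role]
    root = ET.fromstring(xml_text)
    summary = {"entity_id": root.get("entityID"), "endpoints": [],
               "logout": [], "signing_certs": 0}
    desc = root.find(MD + descriptor_tag)
    if desc is None:
        return summary, [f"no {descriptor_tag}: wrong metadata file for this side"]
    findings = [] if summary["entity_id"] else ["entityID missing"]
    summary["endpoints"] = [e.get("Location", "") for e in desc.findall(MD + endpoint_tag)]
    summary["logout"] = [e.get("Location", "") for e in desc.findall(MD + "SingleLogoutService")]
    if not summary["endpoints"]:
        findings.append(f"no {endpoint_tag} endpoint")
    for url in summary["endpoints"] + summary["logout"]:
        if not url.startswith("https://"):
            findings.append(f"non-HTTPS endpoint: {url}")
    if not summary["logout"]:
        findings.append("no SingleLogoutService: set the logout URL by hand")
    for key in desc.findall(MD + "KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute applies to signing too.
        if key.get("use", "signing") == "signing" and key.find(f".//{DS}X509Certificate") is not None:
            summary["signing_certs"] += 1
    if not summary["signing_certs"]:
        findings.append("no signing certificate in metadata")
    return summary, findings

# Constructed, trimmed samples: placeholder hosts and paths, dummy certificate text.
SP_SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://ias-tenant.example.com"><SPSSODescriptor>
 <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <X509Data><X509Certificate>DUMMY</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
 <AssertionConsumerService index="0" Location="https://ias-tenant.example.com/acs"
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
</SPSSODescriptor></EntityDescriptor>"""
IDP_SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example.com/tenant"><IDPSSODescriptor>
 <SingleLogoutService Location="http://idp.example.com/logout"
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 <SingleSignOnService Location="https://idp.example.com/sso"
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
</IDPSSODescriptor></EntityDescriptor>"""
```

Call check_metadata with role "sp" on the IAS file and role "idp" on the Azure AD federation metadata; an empty findings list means the endpoints, logout URL and signing certificate are all present in the file.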
SAP Identity Authentication Service (IAS) Documentation – Comprehensive guide on configuring IAS for SSO.
Azure AD SSO Configuration – Microsoft documentation on setting up SAML-based SSO in Azure AD.
SAP IAS Documentation – Administration Guide | PUBLIC 2025-03-05.
By following these steps, organizations can successfully implement SSO for SAP SuccessFactors, enhancing security and user experience. If you encounter issues, refer to the troubleshooting section or consult the official documentation.
Hope you enjoy the process.
Thanks
Ahmed Aranda