URGENT : Has Anyone Integrated SAP SuccessFactors with KeyCloak for SSO?

Mobilise
Discoverer

Hello SAP Community,

I am currently leading a project to integrate SAP SuccessFactors with KeyCloak for Single Sign-On (SSO). Our setup involves KeyCloak acting as the Identity Provider (IDP) for frontline users, who are already authenticated into another application via KeyCloak. We now need to extend this authentication mechanism to SuccessFactors.

Current Setup:

  • KeyCloak is fully operational, and we have a realm where users already exist.
  • SAP SuccessFactors is already installed and running.

Objective:

We want to allow frontline users to authenticate into SAP SuccessFactors using KeyCloak as the IDP. KeyCloak supports both SAML and OIDC, but we’re leaning toward using SAML for this integration.

Request:

Has anyone in the community attempted or completed a similar integration? If so, could you share:

  • Best practices for configuring SAML-based SSO between KeyCloak and SAP SuccessFactors?
  • Any specific configurations or challenges encountered on the SAP SuccessFactors side?
  • Recommendations for handling user mapping and security considerations in this setup?

Any guidance, documentation, or tips would be greatly appreciated. Thanks in advance!

Best regards,
Ashish Sharam

Accepted Solutions (0)

Answers (1)

umasaral
Contributor

Hi,

Please find below some key points for integrating KeyCloak with SAP SuccessFactors using SAML for SSO:

Best Practices for SAML Configuration
1. Create a SAML Client in KeyCloak:
Go to your KeyCloak realm, create a new client for SAP SuccessFactors.
Set the client protocol to SAML.

2. Configure SAML Settings:
Client ID: Set it to the SuccessFactors entity ID.
Valid Redirect URIs: Add the SuccessFactors ACS URL.
Signing Algorithm: Use a secure algorithm (e.g., RSA_SHA256).

3. Metadata Exchange:
Export the KeyCloak SAML metadata and import it into SuccessFactors.
Obtain SuccessFactors' metadata and configure it in KeyCloak.

Specific Configurations in SuccessFactors
SAML Configuration: Navigate to the SSO settings in SuccessFactors. Input KeyCloak's SAML metadata and configure the attribute mappings.
Attribute Mapping: Be sure to map the user identifiers (like email or user ID) properly between KeyCloak and SuccessFactors.

User Mapping and Security Considerations
User Provisioning: Decide whether users will be provisioned automatically or managed manually in SuccessFactors.
Claims Mapping: Ensure KeyCloak is sending necessary user attributes as claims (e.g., email, role).
SSL: Always use SSL for secure communication between KeyCloak and SuccessFactors.

Common Challenges
Debugging SAML Assertions: Use tools like SAML-tracer to monitor SAML assertions and troubleshoot issues.
Time Synchronization: Ensure both KeyCloak and SuccessFactors have synchronized system times to avoid token expiry issues.

Resources
KeyCloak Documentation: Refer to [KeyCloak SAML documentation](https://www.keycloak.org/docs/latest/server_admin/#saml-identity-broker).
SuccessFactors Community: Check the SAP SuccessFactors community forums for specific examples.
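
The checks the answer above lists (signing algorithm, a user identifier to map, time synchronization) can be run against a decoded assertion copied out of a tool such as SAML-tracer. The following is an added example, not part of the original answer and not KeyCloak or SAP code; the sample assertion, the `https://sp.example.com` entity ID, the 60-second skew allowance and the finding labels are all constructed for illustration. It reads fields only and does not verify the XML signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample: the shape of a decoded assertion, with placeholder values.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2024-01-01T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def lint_assertion(xml_text, sp_entity_id, now, skew=timedelta(seconds=60)):
    """Field-level findings for a decoded SAML response/assertion; does NOT verify the signature."""
    root = ET.fromstring(xml_text)
    is_assertion = root.tag == "{%s}Assertion" % NS["saml"]
    assertion = root if is_assertion else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element (encrypted or malformed?)"]
    findings = []
    path = "ds:Signature/ds:SignedInfo/ds:SignatureMethod"
    sig = assertion.find(path, NS)
    sig = root.find(path, NS) if sig is None else sig  # signature may sit on the response
    if sig is None:
        findings.append("unsigned: no signature on response or assertion")
    elif sig.get("Algorithm") != RSA_SHA256:
        findings.append("weak-signature-algorithm: " + sig.get("Algorithm", ""))
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("no-nameid: nothing to map to a SuccessFactors user")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return findings + ["no-conditions: validity window and audience absent"]
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < _ts(nb):
        findings.append("not-yet-valid: IdP clock ahead of checker?")
    if noa and now - skew >= _ts(noa):
        findings.append("expired: clock drift or stale assertion")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append("audience-mismatch: %r not in %r" % (sp_entity_id, audiences))
    return findings
```

Pass `now` as a timezone-aware UTC `datetime`; an empty list means none of these field checks fired.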

Mobilise
Discoverer
0 Kudos
Thank you for your quick response. Is there a user guide that you can refer me to where I can read about this? Are there any use cases or any article that I can refer to? Thank you in advance.