Chinese version:
https://blogs.sap.com/2023/06/02/%e9%9b%86%e6%88%90%e4%ba%86ias%e7%9a%84successfactors%e4%b8%8e%e5%b...
This article explains how to sign in to a SuccessFactors (SF) system that is integrated with SAP Identity Authentication Service (IAS) using a Microsoft account from an Azure tenant.
As background: SF only supports the SAML protocol and can be configured with a single IdP (Identity Provider). Customers therefore typically set up SAML 2.0 SSO between SF and IAS, making IAS the central authentication platform for the SAP landscape. To enable Microsoft account login for SF, the configuration is done entirely between IAS and Microsoft (IAS acts as the SAML IdP toward SF and as an OpenID Connect client toward Microsoft); no additional configuration is required in the SF system itself.
Prerequisites for the configuration:
- Administrator privileges in the Azure tenant (sufficient to register an application and create a client secret)
- Administrator privileges in the IAS tenant
First, create an app in the "App Registrations" section of the Microsoft Azure Portal. Under "Authentication" in the sidebar, click "Add a platform" and configure the Redirect URI as shown in the figure: your IAS tenant host followed by "/oauth2/callback", i.e. https://<your-IAS-host>/oauth2/callback. After saving, the entry should look similar to the provided image. This registration tells Microsoft where it is allowed to send the user (and the authorization code) after a successful login. For security reasons Microsoft matches the redirect URI exactly, so a URI that is not registered here (including a variant with a different host, path or a trailing slash) is rejected and the login does not complete.
Next, note the Application (client) ID of the app and create a client secret under "Certificates & secrets", as shown in the figure. Copy the secret value immediately and store it securely: it is displayed only once. Also note the secret's expiry date; when it expires, the IAS-to-Microsoft login stops working until a new secret is created and entered in IAS.
Then, in IAS, go to "Identity Providers" -> "Corporate Identity Providers". Click "Create" to create a new IdP and select "OpenID Connect Compliant" as the Identity Provider Type.
Click "OpenID Connect Configuration" and enter the discovery URL https://login.microsoftonline.com/{TenantId}/v2.0, replacing {TenantId} with the Directory (tenant) ID of your Azure tenant. Click "Load": IAS reads the OpenID Connect metadata published for that issuer, and the Name and Endpoints are populated automatically.
Enter the Client ID, which is the Application (client) ID of the app registered in Microsoft, as shown in the figure. For the Secret, enter the client secret created earlier.
Set the Login Hint and the Subject Name Identifier to "Email". Microsoft generally identifies users by their UPN (User Principal Name), which is typically the same as the user's email address; if a user's UPN and email differ, the identifier IAS receives will not match the user in IAS and SF, so verify this for your tenant before rolling out. In the Single Sign-On section, enable "Forward All SSO Requests to Corporate IdP", so that IAS forwards every authentication request for this IdP to Microsoft instead of asking for IAS credentials. In the Identity Federation section, "Use Identity Authentication user store" can be enabled or disabled; when enabled, IAS looks the user up in its own user store and takes attributes from there, otherwise it uses the attributes sent by Microsoft. In this scenario the author observed no difference between the two settings. Configure the Logout Redirect URL as needed or leave it blank. The final configuration should resemble the provided image.
After completing these settings, go to "Applications & Resources" -> "Applications" and select the SF application (an SF system integrated with IAS should already appear in this list). Open "Conditional Authentication" and set the Azure IdP you just configured as the Default Identity Provider. In the parent menu, select "Trust All Corporate Identity Providers". The configuration should match the figures.
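The three places where this setup typically breaks are the discovery URL (wrong tenant ID), the redirect URI (not an exact match with the IAS callback) and the identifier mapping (UPN differs from email). The following preflight checker is an added example written for this article, not code from SAP or Microsoft; the tenant ID, IAS host, discovery document and ID-token claims in it are constructed placeholders, and the checks run fully offline against those constructed inputs.

```python
"""Offline preflight checks for an IAS <-> Microsoft OIDC corporate IdP configuration.

Added example for this article. All identifiers, hosts and documents below are
constructed placeholders, not real tenants or real metadata.
"""
from __future__ import annotations

from urllib.parse import urlsplit

MS_LOGIN_HOST = "login.microsoftonline.com"


def discovery_url(tenant_id: str) -> str:
    """Value entered in the IAS 'Discovery URL' field (the v2.0 issuer of the tenant)."""
    return f"https://{MS_LOGIN_HOST}/{tenant_id}/v2.0"


def well_known_url(tenant_id: str) -> str:
    """Metadata document published for that issuer (what 'Load' in IAS retrieves)."""
    return discovery_url(tenant_id) + "/.well-known/openid-configuration"


def ias_callback_url(ias_host: str) -> str:
    """Redirect URI that has to be registered on the Azure app: IAS host + /oauth2/callback."""
    return f"https://{ias_host}/oauth2/callback"


def redirect_uri_matches(registered: str, requested: str) -> bool:
    """Exact-match comparison, as Microsoft applies it: https only, same host
    (case-insensitive), identical path and query. A trailing slash does not match."""
    r, q = urlsplit(registered), urlsplit(requested)
    return (r.scheme == q.scheme == "https"
            and r.netloc.lower() == q.netloc.lower()
            and r.path == q.path
            and r.query == q.query)


def check_discovery_document(doc: dict, tenant_id: str) -> list[str]:
    """Return the problems found in a discovery document loaded for tenant_id."""
    problems = []
    expected_issuer = discovery_url(tenant_id)
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != expected {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        ep = doc.get(key, "")
        if not ep.startswith("https://") or urlsplit(ep).netloc.lower() != MS_LOGIN_HOST:
            problems.append(f"{key} does not point at https://{MS_LOGIN_HOST}: {ep!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised by the IdP")
    return problems


def subject_name_identifier(claims: dict) -> tuple[str | None, str | None]:
    """Identifier IAS will use with 'Subject Name Identifier = Email', plus a warning
    when the UPN (preferred_username claim) differs from the email claim."""
    upn = claims.get("preferred_username")
    email = claims.get("email")
    if not email:
        return None, "ID token carries no 'email' claim; the user cannot be matched by email"
    if upn and upn.lower() != email.lower():
        return email, f"UPN {upn!r} differs from email {email!r}; user must exist in IAS/SF under the email"
    return email, None


def run_preflight(tenant_id: str, ias_host: str, registered_redirect: str,
                  discovery_doc: dict, claims: dict) -> list[str]:
    """Combine all checks; an empty list means the configuration is consistent."""
    findings = check_discovery_document(discovery_doc, tenant_id)
    expected_cb = ias_callback_url(ias_host)
    if not redirect_uri_matches(registered_redirect, expected_cb):
        findings.append(f"registered redirect URI {registered_redirect!r} != IAS callback {expected_cb!r}")
    _, warning = subject_name_identifier(claims)
    if warning:
        findings.append(warning)
    return findings


# Constructed sample data (placeholders, not a real tenant)
TENANT_ID = "11111111-2222-3333-4444-555555555555"
IAS_HOST = "example.accounts.ondemand.com"
SAMPLE_DISCOVERY = {
    "issuer": f"https://{MS_LOGIN_HOST}/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://{MS_LOGIN_HOST}/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://{MS_LOGIN_HOST}/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://{MS_LOGIN_HOST}/{TENANT_ID}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
}
GOOD_CLAIMS = {"preferred_username": "jane.doe@example.com", "email": "jane.doe@example.com"}
BAD_CLAIMS = {"preferred_username": "jdoe@corp.example", "email": "jane.doe@example.com"}

if __name__ == "__main__":
    print("discovery:", well_known_url(TENANT_ID))
    print("ok config  :", run_preflight(TENANT_ID, IAS_HOST, ias_callback_url(IAS_HOST), SAMPLE_DISCOVERY, GOOD_CLAIMS))
    print("bad config :", run_preflight(TENANT_ID, IAS_HOST, ias_callback_url(IAS_HOST) + "/", SAMPLE_DISCOVERY, BAD_CLAIMS))
```

To use it against a real tenant, download the metadata from the URL returned by `well_known_url()` with your own tenant ID and pass the parsed JSON as `discovery_doc`; the claims can be taken from a decoded ID token of a test user. The redirect URI check deliberately refuses a trailing slash and a non-https scheme, which are the two mismatches most often seen in practice.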
With this, the configuration is complete. From now on, every login to this SF system goes through a Microsoft account, because the Azure IdP is the default IdP for the application and no other conditional rule applies. The login flow is:
- The user navigates to SF (not logged in) and SF sends a SAML authentication request to IAS
- IAS receives the request and, since all SSO requests are forwarded, redirects the browser to Microsoft
- The user authenticates with the Microsoft account
- Microsoft redirects back to the IAS /oauth2/callback URL; IAS validates the OpenID Connect response and identifies the user by email
- IAS issues the SAML assertion to SF and the user is logged in to SF