Hello, readers! Today we are going to use the new SAP BTP functionality which allows you to configure the subaccount in SAP BTP as a trusted service provider in SAP SuccessFactors. This is achieved by registering an assertion consumer service (ACS) in your SAP SuccessFactors system without logging in to the Provisioning.
A lot of you may be migrating from the SAP BTP, Neo environment and may have previously used the hcmcloud-enable-application-access Neo CLI command, which registers an extension application as an authorized assertion consumer service in SAP SuccessFactors. Until now there was no equivalent in the SAP BTP multi-cloud environment and the configuration had to be done by hand. We have heard your feedback and have implemented a way for you to automate this setup.
To prepare for the next steps, make sure you have the following:
- A global account in SAP BTP for which you are an administrator
- A dedicated SAP SuccessFactors system and a user with permission to access Extension Center in SAP SuccessFactors Admin Center, including the Manage Extensions on SAP BTP permission
- An SAP SuccessFactors system registered in your global account in SAP BTP, as described in Register an SAP SuccessFactors System in a Global Account in SAP BTP
What was the manual process for setting up Single Sign-On again?
The first part is to configure SAP SuccessFactors as a trusted identity provider in your subaccount in SAP BTP. For that, open https://<sap_successfactors_system>/idp/samlmetadata?company=<company_id>&cert=sha2, where <sap_successfactors_system> is the hostname of your SAP SuccessFactors system and <company_id> is the company ID of your SAP SuccessFactors system. Save the file with the extension .xml.
Then go to your subaccount in SAP BTP and on the left-hand side navigation choose Security > Trust Configuration. Choose New Trust Configuration and upload the XML file you just downloaded. Enter a meaningful Name and click Save. Make sure the new configuration is the only active one: any other active trust configuration (the default SAP ID service, for example) would still let users authenticate to the subaccount without going through SAP SuccessFactors.


Now the second part is to register the subaccount in SAP BTP as a trusted service provider in SAP SuccessFactors. Until now your only option was to register the assertion consumer services manually, as described in Register the Assertion Consumer Service of the Subaccount in SAP BTP in SAP SuccessFactors and Register the Assertion Consumer Service for Every Extension Application in SAP SuccessFactors.
First, in the SAP BTP cockpit, go to your subaccount and on the left-hand side navigation choose Security > Trust Configuration. Then click the SAML Metadata download button.

Then open SAP SuccessFactors Provisioning at https://<sap_successfactors_system>/provisioning_login, where <sap_successfactors_system> is the hostname of your SAP SuccessFactors system. Choose your system's name and then select Authorized SP Assertion Consumer Service Settings.



Now click Add another Service Provider ACS and a new row will appear where you can enter the URLs of the assertion consumer service you are registering. Register the assertion consumer service of the subaccount in SAP BTP by entering the following values, all taken from the SAML metadata you just downloaded:
- Assertion Consumer Service: the value of the Location attribute of the AssertionConsumerService element with the HTTP-POST binding (if the metadata lists this element for more than one binding, use only the HTTP-POST one)
- Logout URL: the value of the Location attribute of the SingleLogoutService element with the HTTP-POST binding
- Audience URL: the value of the entityID attribute of the EntityDescriptor element, which is the root element of the metadata
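As an added example (not part of the original post and not SAP tooling), here is a small Python script that pulls those three values out of the downloaded subaccount metadata, so you copy the Location of the HTTP-POST endpoints and the entityID rather than the value for another binding or a typo. The metadata embedded in it is a constructed sample with made-up hostnames and paths; only the element and attribute names are real SAML metadata, and it refuses identity-provider metadata (the SuccessFactors file from the first part) so you cannot register the wrong document by mistake.

```python
# Added example (not from the original post): extract the three values that the
# "Authorized SP Assertion Consumer Service Settings" row needs from the
# subaccount's SAML metadata downloaded from Security > Trust Configuration.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample (hostnames and paths are made up). A real download also
# carries KeyDescriptor and signature elements, which the ACS row does not need.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://acs-automation.authentication.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://acs-automation.authentication.example.com/saml/SingleLogout/alias/acs-automation"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acs-automation.authentication.example.com/saml/SingleLogout/alias/acs-automation"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://acs-automation.authentication.example.com/saml/SSO/artifact/alias/acs-automation"
        index="0"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acs-automation.authentication.example.com/saml/SSO/alias/acs-automation"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _post_location(descriptor, element_name):
    """Location of the first <md:element_name> bound to HTTP-POST, or None."""
    for el in descriptor.findall(f"md:{element_name}", NS):
        if el.get("Binding") == HTTP_POST:
            return el.get("Location")
    return None


def extract_acs_settings(metadata_xml: str) -> dict:
    """Return the Assertion Consumer Service, Logout URL and Audience URL values
    for the Provisioning row. Raises ValueError for anything that is not SP
    metadata with an HTTP-POST assertion consumer service."""
    # xml.etree does not expand external entities, so parsing a file you
    # downloaded from your own cockpit is safe; still, only feed it that file.
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        # Identity-provider metadata carries IDPSSODescriptor instead; the
        # SuccessFactors IdP metadata from part one must not be registered here.
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs = _post_location(sp, "AssertionConsumerService")
    if acs is None:
        raise ValueError("no AssertionConsumerService with HTTP-POST binding")
    return {
        "assertion_consumer_service": acs,
        # May be None if the SP publishes no HTTP-POST single logout endpoint.
        "logout_url": _post_location(sp, "SingleLogoutService"),
        # Note the attribute is spelled entityID in SAML metadata.
        "audience_url": root.get("entityID"),
    }


if __name__ == "__main__":
    for key, value in extract_acs_settings(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

Run it against your real download by replacing SAMPLE_SP_METADATA with the file contents; the three printed values map one-to-one onto the Assertion Consumer Service, Logout URL and Audience URL fields of the new row.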
If you also want to configure IdP-initiated single logout (SLO), you need to register an additional assertion consumer service entry for each application running in the SAP BTP multi-cloud environment that should receive the SAML LogoutRequest. For these entries the Assertion Consumer Service and Audience URL values are not relevant and could be anything, but the Logout URL must point to the application's logout endpoint, which must accept the SAML LogoutRequest and terminate the server-side session.

Once you are done, make sure you click the Save button to save the changes.
What has changed now?
A big problem with the manual registration was that you needed access to SAP SuccessFactors Provisioning, and that was not always available. Because of that, we have automated this part of the setup for systems registered in SAP BTP.
I will be using my already registered system acs-automation-system in my global account and my subaccount acs-automation to demonstrate the new process.
We now have a dedicated service plan, sso-configuration, for the SAP SuccessFactors Extensibility service. A service instance of this plan automatically creates an assertion consumer service in SAP SuccessFactors for the subaccount in which the instance is created, plus an assertion consumer service with a logout URL for each extension application you list.
In the SAP BTP cockpit, go to your global account and from the left-hand side navigation select Entitlements > Entity Assignments. Enter your subaccount name in the Select Entities field. Now click the Configure Entitlements button and then the Add Service Plans button.


On the left, select the SAP SuccessFactors Extensibility service. Then on the right, select your registered system from the dropdown and then the sso-configuration service plan. Choose Add 1 Service Plan and then Save.

Now you are ready to create an SAP SuccessFactors Extensibility service instance of plan sso-configuration. Keep in mind that this service instance is created at subaccount level. Go to your subaccount and from the left-hand side navigation select Services > Service Marketplace and click the SAP SuccessFactors Extensibility tile.

Enter a name for your service instance and click Next. On the Parameters step you will be presented with a preconfigured JSON that you can use. By default, the logoutURLs array parameter is empty, so only the subaccount's assertion consumer service is registered in the SAP SuccessFactors system named by the systemName parameter.
If you also want to register an application's assertion consumer service for IdP-initiated single logout (SLO), add the URL of the application's logout endpoint, which must accept the SAML LogoutRequest and terminate the server-side session, to the logoutURLs array parameter.



Once you are done, click the Create button. Now you can go to the Services > Instances and Subscriptions tab and check the status of your service instance. It should be in status Created shortly.

You can check the result by logging in to your SAP SuccessFactors system and going to the Authorized SP Assertion Consumer Service Settings page.

I have already set up an sso-configuration service instance, but now I need an assertion consumer service for single logout for a new application I deployed. What can I do?
It's important to note that you can only have one SAP SuccessFactors Extensibility service instance of plan sso-configuration per subaccount, so creating a second one is not an option. The good news is that the service instance is updatable.
From the Services > Instances and Subscriptions tab, click your service instance, click the three-dots button on the right and select Update.

Click Next to go to the Parameters step and edit the JSON as necessary. You can also click the View current configuration link to see the JSON that was passed previously. Once you click the Update Instance button, the following will happen:
- All new assertion consumer service entries will be created in SAP SuccessFactors.
- All assertion consumer service entries that were previously created by this instance but are no longer part of the new JSON will be deleted.
- All assertion consumer service entries that were previously created by this instance and are still part of the new JSON will be recreated.
In other words, the JSON is the single source of truth for the entries this instance manages and every update rewrites all of them, so review the full logoutURLs list, not just the lines you changed, before confirming.
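To see exactly what an update will touch before you confirm it, here is an added Python example (written for this page, not SAP tooling) that builds the Parameters JSON from the systemName and logoutURLs parameters described above, rejects logout URLs that cannot work as a LogoutRequest target, and computes the create, delete and recreate sets from the current and the new JSON. The two parameter names and the three update rules come from the post; the URL checks, the hostnames and the assumption that entries are matched by exact URL are this example's own.

```python
# Added example (not from the original post): assemble the Parameters JSON for an
# SAP SuccessFactors Extensibility instance of plan sso-configuration and preview
# what "Update Instance" will do to the application ACS entries it manages.
import json
from urllib.parse import urlsplit


def build_sso_parameters(system_name: str, logout_urls=()) -> dict:
    """Validate the inputs and return the parameters dict for the instance."""
    if not system_name:
        raise ValueError("systemName must name a system registered in the global account")
    cleaned = []
    for url in logout_urls:
        parts = urlsplit(url)
        # SuccessFactors will send a SAML LogoutRequest here, so the entry must be
        # an absolute HTTPS endpoint; a relative path or an http URL would be a
        # dead or downgradeable logout target. (Assumed rule, not an SAP check.)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"logout URL must be an absolute https URL: {url!r}")
        if parts.fragment:
            raise ValueError(f"fragment never reaches the server: {url!r}")
        if url in cleaned:
            raise ValueError(f"duplicate logout URL: {url!r}")
        cleaned.append(url)
    return {"systemName": system_name, "logoutURLs": cleaned}


def parameters_json(params: dict) -> str:
    """Pretty JSON to paste into the cockpit's Parameters step."""
    return json.dumps(params, indent=2)


def plan_update(current: dict, new: dict) -> dict:
    """Mirror the post's update rules for the application entries: URLs that are
    new are created, URLs dropped from the JSON are deleted, URLs kept are
    recreated. The subaccount's own ACS is managed by the instance regardless
    of logoutURLs and is not modelled here."""
    before = set(current.get("logoutURLs", []))
    after = set(new.get("logoutURLs", []))
    return {
        "create": sorted(after - before),
        "delete": sorted(before - after),
        "recreate": sorted(before & after),
    }


if __name__ == "__main__":
    # Constructed sample: one app already registered, a second one being added.
    current = build_sso_parameters(
        "acs-automation-system", ["https://app-one.example.com/logout"])
    new = build_sso_parameters(
        "acs-automation-system",
        ["https://app-one.example.com/logout",
         "https://app-two.example.com/saml/logout"])
    print(parameters_json(new))
    print(plan_update(current, new))
```

The "recreate" set is the part people overlook: the entry for app-one is deleted and created again even though its line did not change. If you drive the instance from the cf CLI rather than the cockpit, the same JSON can be saved to a file and passed with `cf update-service <instance> -c params.json`.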

Cool but can I clean up the assertion consumer service for the subaccount as well?
In case you no longer need the subaccount and application assertion consumer services, you can delete the service instance. All the assertion consumer service entries created by this service instance will then be deleted as well. Be aware that this includes the subaccount's own assertion consumer service, so SAML single sign-on from SAP SuccessFactors into that subaccount stops working until the entry is registered again.

Conclusion
This blog showed you how you can use the new service plan sso-configuration of the SAP SuccessFactors Extensibility service to automate your single sign-on configuration. We went through the manual flow for registering SAP SuccessFactors as a trusted identity provider in SAP BTP. Then we went through the manual and automatic ways to register subaccount- and application-specific assertion consumer services. Finally, we covered how you can update the existing sso-configuration service instance to add or remove application assertion consumer services and how you can clean up all the assertion consumer services created by the service instance.