In my last blog on the platform series for SAP SuccessFactors, I covered Single Sign On (SSO) capabilities. In this blog I’ll cover the actual setup of SSO using the SAML option with Okta as the Identity Provider. If you are not familiar with Okta, they are the leading provider of Identity and Access Management as a Service.
Okta provides a free one-month trial that you can use to test it out for yourself. They offer two products: Okta for IT and Okta for Developers. In this blog, I will show you how to set up Okta for IT.
To complete the setup, here are the four steps you will need to follow:
- Ensure that your test users are both in the Okta system and also in SAP SuccessFactors
- Complete the SSO setup in the Okta application
- Export the Issuer ID and Certificate from Okta
- Complete the SSO setup in SAP SuccessFactors
We have a video tutorial available for how to set up SSO with Okta or you can read through the steps below.
Step 1: Setting up the Test users
First, we will add a test user to Okta. Once you receive the email with the trial membership information, log into the Okta system and select the Admin option on the top right of the home page.
Next, click on the Add People link and follow the steps to add and activate a new user.
To expedite the setup and testing of the SSO, we will use an existing user in the SAP SuccessFactors instance.
Step 2: SSO setup in Okta
To complete the SSO setup in Okta, you need to configure the pre-delivered SAML application that Okta has created for SAP SuccessFactors. This can be done by going back to the Admin page and selecting the Add Applications link.
On the Add Application screen, enter SuccessFactors in the search box and then add the SAML application.
Then, complete the first 5 fields in the General setup tab as shown in the image below. In this example, I am using a SalesDemo instance that is located on the pmsalesdemo8 servers. If you are setting this up for an actual production instance, then all references to https://pmsalesdemo8.successfactors.com in the setup screen below should be replaced with the URL for the data center where the instance is located. So for example, if the instance is on the DC4 preview server (HCM4), then any reference to https://pmsalesdemo8.successfactors.com will be replaced with https://hcm4preview.sapsf.com. The SAML URL value will be partially hidden. Here is the full value: https://pmsalesdemo8.successfactors.com/saml2/SAMLAssertionConsumer
Click Next, and on the next screen, select the SAML option. Leave the ‘Relay State’ field blank.
Click Next until you get to the Assign to People setup screen as shown below.
This is where you will identify which users can access which application via SSO. Okta has the capability to create groups to make this management and assignment easier. However, for this example, select the test user account that was created in the first step, and assign them to the SAP SuccessFactors SSO app that was just created.
To ensure that the Username of the test user account in Okta matches what is in the SAP SuccessFactors instance, there is an edit feature that allows you to change the username for the app. You can click on Edit to do this. In this case, I have changed the username to ‘aaaa so it matches the username for Alex Anderson in the SuccessFactors.
Step 3: Export the Issuer ID and Certificate
Before we can work on the Provisioning SSO setup in SAP SuccessFactors, we need to extract the Issuer ID and Certificate information from Okta. This can be done from the same page where the test user account was assigned. Click on the Sign On tab and then click on View Setup Instructions to get the details. If you encounter any difficulties getting the Issuer ID and the Certificate from the ‘View Setup Instructions’ button, you can click on Identify Provider Metadata to download a copy of the Metadata file.
Once the file is downloaded, open it with an XML Editor. I typically use Notepad++. Look for the Entity tag to get the Issuer ID and the 509 Certificate tags to get the Certificate. I have highlighted the tags in the screenshot below.
Step 4: Provisioning SSO setup in SAP SuccessFactors
To complete the last step, we need to go to the Provisioning Setup screens in SAP SuccessFactors. Once you have logged into Provisioning for the SAP SuccessFactors instance, click on the SSO link as shown below.
Scroll down to the middle of the page and select the SAML v2 SSO option and then fill the fields with the following information.
Finally, copy and paste the certificate from the Metadata file into the certificate section. Remember to add the begin and end certificate entries as they are not automatically included.
Next, you can click on Add an Asserting Party to add this entry into the system. The setup is now complete.
Step 5: Testing and validation
To test your setup, enable SSO for this instance. This is done from the top of the same page in Provisioning by entering any value in the Token field.
Log back into Okta as the test user we created in the first step. You should now see a new button for the SAP SuccessFactors instance.
Once you click on the button, the system will connect you to SAP SuccessFactors.
Conclusion
Typically, SSO is implemented by specialized technical staff in the IT department. With the pre-packaging of SAP SuccessFactors in the Okta system, it is now easier to setup. For a review of this process, watch the video. Watch Now
About the author