Single Sign-On between SAP Portal and SuccessFactors

Dimitar Mihaylov
7/1/2012
Contents

1. Overview
2. Trust between SAP Portal 7.3 and SuccessFactors
2.1. Initial configuration in SAP Portal
2.2. Add SuccessFactors system as trusted SAML 2.0 service provider
2.3. Add Portal 7.3 as a trusted identity provider in SuccessFactors
2.4. Create in SAP Portal an URL iview to SuccessFactors
3. Additional configuration required for SAP Portal 7.0x
3.1. Establish trust between the AS Java 7.3 system (IDP) and the SAP Portal 7.0x
3.2. Enable authentication with SAP Logon Tickets in the IDP
4. User Mapping
5. Troubleshooting
5.1. Security Troubleshooting Wizard on AS Java 7.2/7.3
5.2. Web Diagnostic Tool on SAP Portal 7.0x
5.3. SuccessFactors
Copyright
1. Overview

This document describes how to enable single sign-on from a customer's on-premise SAP Portal to SuccessFactors. Single sign-on is based on standard SAML 2.0 mechanisms, and the Identity Provider of SAP NetWeaver Single Sign-On is used. For simplicity, the example setup assumes that the user IDs in SAP Portal and SuccessFactors are the same. However, you can set up the same scenario when the user IDs in the two systems are different, as briefly described in section 4 of this document.

You can configure a direct trust relationship between the systems if you are using SAP Portal 7.3. In this case, the SAP Portal can act directly as SAML 2.0 identity provider (IDP), and the SuccessFactors system can act as SAML 2.0 service provider (SP).

If you are using SAP Portal 7.0x, an additional NetWeaver Application Server Java 7.2 or 7.3 is required.

Note: In order for an SAP NetWeaver Application Server 7.2 or 7.3 to act as a SAML 2.0 identity provider, you need to install the IDMFEDERATION software component (SCA), which is included in both SAP NetWeaver Single Sign-On and SAP NetWeaver Identity Management.
2. Trust between SAP Portal 7.3 and SuccessFactors

2.1. Initial configuration in SAP Portal 7.3

Open http(s)://<portalhost>:<port>/nwa -> Configuration -> Authentication and Single Sign-On. Select the SAML 2.0 tab and click the Enable SAML 2.0 Support button.

Enter the name of the local provider and select operational mode Identity Provider. Click the Browse button for the signing key-pair. A signing key-pair should be generated for the local provider. It will be used as an encryption key-pair as well.
Here are the next steps: [Screenshots: Step 1, Step 2, Step 3, Step 4]
Continue with the initial wizard. Use the default settings (might differ from the screenshot) and click Finish.
2.2. Add SuccessFactors system as trusted SAML 2.0 service provider

Click the Trusted Providers link. Click Add and select Manually.
Enter the name of the service provider. Check the information provided by SuccessFactors for the correct name - in most of the cases this is After entering the name, click Next to continue. Click Browse to select the signing and encryption certificates.

Click Import Entry to upload the certificate provided by SuccessFactors. Select type X.509 Certificate, find the file, and click Import.

Select the newly imported certificate and click OK. Select the same certificate as an encryption certificate and click Next.

Add an Assertion Consumer Service. Note: Check the documentation provided by SuccessFactors for the correct URL. Optionally you may also add a Single Logout Service.

Do not enter other endpoints. Click Next to the end, then click Finish. Click Edit, then click Add under Supported Name ID Formats. Select format Unspecified and source Logon ID.

Afterwards click OK, Save, and Enable.
2.3. Add Portal 7.3 as a trusted identity provider in SuccessFactors

In order to perform the next steps, you need to have a provisioning account in SuccessFactors. If you do not have this yet, the SuccessFactors administrators have to establish the trust relationship.

As a first step, you need to export the signing certificate of the Portal 7.3 identity provider. Open NetWeaver Administrator and go to Configuration -> Certificates and Keys.

Select the view SAML2 and the entry portal73-cert. Then click Export Entry. Select the export format to be Base64 and click Download.

Save the file and open it with a text editor. The content should look like this:

Now that you have the signing certificate, you can start with the configuration in the SuccessFactors system. There, open the Single Sign-On (SSO) Settings:
The minimal set of settings is the following: The SAML Issuer field has to be the same as the name of the identity provider entered in the SAP Portal 7.3 system. The SAML Asserting Party Name is just an alias and could have any value. In SAML Verifying Certificate, paste the signing certificate you have exported from the identity provider. Finally, do not forget to click the Add an asserting party button.

To enable the SAML login, you also have to enter a Reset Token and save it.

2.4. Create in SAP Portal an URL iview to SuccessFactors
Enter the host name of the SAP Portal 7.3 system and the path /saml2/idp/sso. Edit the newly created iview, then add two parameters: saml2sp and RelayState. In our case, they have the following values:

saml2sp:
RelayState:

Please note that you need to consult the SuccessFactors documentation to find the correct values for your configuration. Save the changes and close the iview.

Now you can test your configuration by logging in with a user that has accounts in both the SAP Portal and SuccessFactors. Then navigate to this URL iview. You may change the options of the URL iview and open the SuccessFactors application in a new browser window, for example.
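A pre-flight check for the URL iview target described in this section, written as an added example (not part of the original document). The host names, the service provider name and the RelayState value are constructed placeholders, and requiring https plus an allowlisted RelayState host is a hardening assumption of this example rather than a step from the guide.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SSO_PATH = "/saml2/idp/sso"            # IdP path named in this guide
REQUIRED = ("saml2sp", "RelayState")   # iview parameters named in this guide


def build_iview_url(idp_host, sp_name, relay_state, port=None):
    """Return the iview target URL with both parameters percent-encoded."""
    netloc = idp_host if port is None else f"{idp_host}:{port}"
    query = urlencode({"saml2sp": sp_name, "RelayState": relay_state})
    return urlunsplit(("https", netloc, SSO_PATH, query, ""))


def check_iview_url(url, expected_sp, allowed_relay_hosts):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if parts.path != SSO_PATH:
        findings.append(f"path is {parts.path!r}, expected {SSO_PATH!r}")

    params = parse_qs(parts.query, keep_blank_values=True)
    for name in REQUIRED:  # parameter names are matched case-sensitively
        values = params.get(name, [])
        if len(values) != 1 or not values[0]:
            findings.append(f"{name} must appear exactly once with a value")

    # saml2sp must be the name entered for the trusted service provider (2.2).
    sp = params.get("saml2sp", [""])[0]
    if sp and sp != expected_sp:
        findings.append(f"saml2sp is {sp!r}, trusted provider is {expected_sp!r}")

    # A RelayState that names a host (absolute or scheme-relative URL) should
    # only point at hosts you expect; relative values carry no host.
    relay = params.get("RelayState", [""])[0]
    try:
        relay_host = urlsplit(relay).hostname
    except ValueError:
        relay_host = ""  # unparsable authority: treat as not allowlisted
    if relay_host is not None and relay_host not in allowed_relay_hosts:
        findings.append(f"RelayState host {relay_host!r} is not allowlisted")
    return findings


if __name__ == "__main__":
    # Constructed values; take the real ones from the SuccessFactors documentation.
    good = build_iview_url("portal.example.test", "https://sp.example.test",
                           "/sf/home", port=50001)
    print(good, check_iview_url(good, "https://sp.example.test",
                                {"sp.example.test"}))
```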
3. Additional configuration required for SAP Portal 7.0x

If you have a SAP Portal 7.0x version, the Identity Provider cannot be deployed on this system directly. You need an additional SAP NetWeaver Application Server Java 7.2 or 7.3 for the Identity Provider. Besides that, the scenario is identical to the one previously described. Thus, the difference is that the user will first authenticate to the SAP Portal 7.0x system, and then navigate to the IDP in order to get an SAML 2.0 assertion to access the SuccessFactors system.

To establish single sign-on between the SAP Portal 7.0x and the IDP, we will use the SAP Logon Ticket which the SAP Portal 7.0x issues by default. This cookie is then returned as a domain cookie with the name MYSAPSSO2. Please note that both systems, SAP Portal 7.0x and IDP, have to be in the same domain for the cookie to be sent to the IDP.
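The same-domain requirement for the MYSAPSSO2 cookie can be checked before touching the IDP configuration. The following added example (not part of the original document) applies the cookie domain-match rule from RFC 6265 to constructed host names; the cookie Domain value is assumed to be the one you observe in the portal's Set-Cookie header, and the two-label minimum in `shared_parent` is a simplification of the Public Suffix List that browsers really use.

```python
import ipaddress

COOKIE_NAME = "MYSAPSSO2"  # logon ticket cookie named in this guide


def _is_ip(host):
    """True for IPv4/IPv6 literals, which can never receive a domain cookie."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if _is_ip(host):
        return host == domain
    return host == domain or host.endswith("." + domain)


def ticket_reaches_idp(portal_host, idp_host, cookie_domain):
    """Return (ok, reason) for a cookie set by the portal with this Domain."""
    if cookie_domain is None:  # host-only cookie: goes back to the portal only
        same = portal_host.lower() == idp_host.lower()
        return same, "host-only cookie is sent to the issuing host only"
    if not domain_matches(portal_host, cookie_domain):
        return False, "browser rejects it: portal host is outside the Domain"
    if not domain_matches(idp_host, cookie_domain):
        return False, "IDP host is outside the cookie Domain"
    return True, f"{COOKIE_NAME} is sent to the IDP"


def shared_parent(portal_host, idp_host):
    """Narrowest domain covering both hosts, or None if no usable one exists."""
    if _is_ip(portal_host) or _is_ip(idp_host):
        return None
    a = portal_host.lower().rstrip(".").split(".")[::-1]
    b = idp_host.lower().rstrip(".").split(".")[::-1]
    common = []
    for x, y in zip(a, b):
        if x != y:
            break
        common.append(x)
    # Fewer than two shared labels means at most a top-level domain is shared.
    if len(common) < 2:
        return None
    return ".".join(reversed(common))


if __name__ == "__main__":
    # Constructed host names for illustration.
    print(ticket_reaches_idp("portal.corp.example.test",
                             "idp.corp.example.test", ".corp.example.test"))
    print(shared_parent("portal.corp.example.test", "idp.corp.example.test"))
```

Every host under the cookie's Domain receives the logon ticket, so the narrowest shared parent is the scope to aim for.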
3.1. Establish trust between the AS Java 7.3 system (IDP) and the SAP Portal 7.0x

You should configure the IDP system to trust SAP Logon Tickets issued by the SAP Portal 7.0x system. Go to NetWeaver Administrator -> Configuration -> Trusted Systems. Connect to the Portal 7.0x system to obtain its signing certificate. First click the Add Trusted Systems button and select the option By Querying Trusted System. If you have previously exported the certificate, you may also use the other option.

Enter the connection data for the SAP Portal 7.0x system. Confirm the creation of the trust relationship by clicking Finish.

Now you will see that the system was added to the list of trusted systems.
3.2. Enable authentication with SAP Logon Tickets in the IDP

By default, the IDP will accept authentication with user name and password. In order to enable authentication with SAP Logon Tickets, open the SAML 2.0 configuration. In Local Provider, select the tab Identity Provider Settings.

Click Edit and locate the table Supported Authentication Contexts. Select SAPLogonTicket. Select Default HTTPS Authentication Contexts from Copy to. Save the changes. The list of Default HTTP Authentication Contexts should contain SAPLogonTicket as shown in the screenshot.
4. User Mapping

If the user identifiers in the SAP Identity Provider (IDP) and the SuccessFactors system are not identical, you can configure a user mapping at the identity provider side. Please note that the user ID for the SuccessFactors system has to be available as a user attribute in the User Management Engine (UME) of the IDP.

Change the following configuration: In the SAML 2.0 configuration UI, select Trusted Providers -> SuccessFactors system -> Identity Federation. Select source User Attribute, then enter the name of the attribute. In our case, this is sfuserid.

Note: This is the only configuration change you have to perform for user mapping.
5. Troubleshooting

5.1. Security Troubleshooting Wizard on AS Java 7.2/7.3

See SAP Note

5.2. Web Diagnostic Tool on SAP Portal 7.0x

See SAP Note

5.3. SuccessFactors

A link to the SSO Log Viewer is available at the end of the Single Sign-On (SSO) Settings page. You will find information on failed SSO attempts there.
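When an SSO attempt fails, comparing a captured SAML response with the values configured in sections 2.1 to 2.3 and 4 usually narrows the cause. The following is an added example, not part of the original document: the response is a trimmed, constructed sample, and the provider names, ACS URL and user ID are placeholders. It only compares fields and does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed, trimmed sample of a decoded response (not a real trace).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <saml:Issuer>portal73-idp</saml:Issuer>
    <ds:Signature/>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData Recipient="https://sp.example.test/saml2/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, idp_name, sp_name, acs_url, user_id):
    """Compare a decoded response with the configured values; return findings."""
    # Only parse traces you captured yourself with this stdlib parser.
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no cleartext saml:Assertion found (missing or encrypted)"]
    findings = []

    def expect(label, actual, wanted):
        if actual != wanted:
            findings.append(f"{label}: got {actual!r}, expected {wanted!r}")

    # 2.3: SAML Issuer in SuccessFactors must equal the IDP's provider name.
    expect("Issuer", (a.findtext("saml:Issuer", "", NS) or "").strip(), idp_name)
    # 2.2: Name ID format Unspecified, filled from Logon ID (or the mapped
    # user attribute from section 4).
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("Subject has no NameID")
    else:
        expect("NameID Format", name_id.get("Format", UNSPECIFIED), UNSPECIFIED)
        expect("NameID", (name_id.text or "").strip(), user_id)
    # 2.2: service provider name and Assertion Consumer Service URL.
    audiences = [e.text.strip() for e in a.iterfind(".//saml:Audience", NS) if e.text]
    if sp_name not in audiences:
        findings.append(f"Audience: {audiences!r} does not include {sp_name!r}")
    scd = a.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    expect("Recipient", scd.get("Recipient") if scd is not None else None, acs_url)
    # 2.1: the IDP signs with its key pair, so a signature element must exist.
    if root.find("ds:Signature", NS) is None and a.find("ds:Signature", NS) is None:
        findings.append("neither Response nor Assertion carries a ds:Signature")
    return findings


if __name__ == "__main__":
    print(check_response(SAMPLE, "portal73-idp", "https://sp.example.test",
                         "https://sp.example.test/saml2/acs", "jdoe"))
```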