CData Python Connector for SAP SuccessFactors

Build 25.0.9454

SAP IAS SAML App Configuration

SAP SuccessFactors supports the OAuth 2.0 SAML flow, which requires a signed SAML assertion issued by an external Identity Provider (IdP). This assertion is then exchanged for an access token when making requests to the SAP SuccessFactors API.

This guide outlines how to configure a SAML application in SAP Identity Authentication Service (IAS) to generate the required SAML assertion, which can then be exchanged for an SAP SuccessFactors access token as part of the authentication flow.

  1. Retrieve the SAP IAS Signing Certificate.
    • In the SAP IAS Admin page, navigate to: Applications & Resources > Tenant Settings > SAML 2.0 Configuration.
    • Under Signing Certificates, click the lens icon to view the active certificate.
    • Copy the entire certificate content under the Certificate Information section; this will be used to validate the SAML assertion signature.
  2. Create an OAuth2 Client App in SAP SuccessFactors.
    • Navigate to Admin Center > Manage OAuth2 Client Applications.
    • Create a new application using the Register Client Application button.
    • Fill in the Application Name and the Application URL fields with your preferred values.
    • Paste the signing certificate content under the *X.509 Certificate field.
    • After saving, copy the generated API Key; this will be used as the OAuthClientId in your connection configuration.
  3. Create a SAML Application in SAP IAS (if not already created).
    • In SAP IAS Admin Console, go to: Applications & Resources > Applications > Create.
    • Enter the following properties:
      • Display Name: (custom name)
      • Protocol: SAML 2.0
      • Home URL: Leave empty
      • Parent App: Leave as None
    • Click Create.
  4. SAML 2.0 Configuration (skip this step if already done on existing app).
    • In the SAP IAS Admin page, open the existing or newly created SAML application used for SSO.
    • Go to Trust > Single Sign-On > SAML 2.0 Configuration.
    • Set the URL for Principal Propagation to <SAP SuccessFactors base url>/oauth/token (e.g. https://apisalesdemo2.successfactors.eu/oauth/token).
    • Under Subject Name Identifier, choose a value that matches the username of the API user in both SAP IAS and SAP SuccessFactors.
    • Under Default Name ID Format, select the Unspecified (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified) option.
    • Under Assertion Attributes, add a new attribute with the name api_key, and set the value to the API Key of the SAP SuccessFactors IAS app.
  5. Enable Token Exchange Grant Flow.
    • Temporarily switch the application protocol to OpenID Connect, by clicking on the Edit button at the top right corner of the application screen and selecting the SAML 2.0 protocol type.
    • Go to Trust > Single Sign-On > OpenID Connect Configuration.
    • Enable your preferred Grant Types. The connector supports the grants below; the recommended ones are:
      • Authorization Code (with or without PKCE) or Password
      • Token Exchange (RFC 8693): Required to get the SAML assertion.
      • Refresh: Optional, but recommended if you want the connector to automatically refresh the access token.
    • Save and change the app back to the SAML 2.0 protocol. Otherwise, the SAML Token Exchange flow will not work with this app.
  6. Configure Client Authentication.
    • Go to Applications > Application APIs > Client Authentication.
    • Create a client secret by clicking the Add button in the Secrets section.
    • Copy the Client ID and Client Secret — these will be passed in the connector's SSOProperties:
After completing the configuration steps above, you are ready to set the required connection properties and establish a connection using the connector.
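
To sanity-check the outcome of step 4 before connecting, the following added example (not CData or SAP code) parses an assertion and reports mismatches against the settings described above. The sample assertion, user name, API key and the `check_assertion` helper are constructed; it assumes the URL for Principal Propagation appears as the assertion's Recipient, and it checks only that a signature is present, not that it verifies.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample, not real IAS output; issuer, user and key are placeholders.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0" IssueInstant="2025-01-01T10:00:00Z">
  <saml:Issuer>https://ias.example.invalid</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">apiuser</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData
          Recipient="https://apisalesdemo2.successfactors.eu/oauth/token"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2025-01-01T09:55:00Z" NotOnOrAfter="2025-01-01T10:10:00Z"/>
  <saml:AttributeStatement><saml:Attribute Name="api_key">
    <saml:AttributeValue>EXAMPLE_API_KEY</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):  # assumes second-precision UTC timestamps, as in the sample
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, token_url, api_user, api_key, now):
    """Return configuration findings; an empty list means the settings line up."""
    root, problems = ET.fromstring(xml_text), []
    if root.find("ds:Signature", NS) is None:  # presence only, not cryptographic validity
        problems.append("assertion is unsigned")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != UNSPECIFIED:
        problems.append("NameID format is not unspecified")
    if name_id is None or (name_id.text or "").strip() != api_user:
        problems.append("NameID does not match the API user")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != token_url:  # assumed mapping, see lead-in
        problems.append("Recipient is not the token URL")
    keys = [(v.text or "").strip() for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='api_key']/saml:AttributeValue", NS)]
    if keys != [api_key]:
        problems.append("api_key attribute missing or wrong")
    cond = root.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and na and _ts(nb) <= now < _ts(na)):
        problems.append("assertion is outside its validity window")
    return problems
```

Run it against an assertion you captured from your own tenant, passing the token URL, API user and API Key you configured; each finding names the setting to revisit.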

Copyright (c) 2025 CData Software, Inc. - All rights reserved.