Configuration Guides

Configuring SAML SSO with SuccessFactors and PingOne for Enterprise

Learn how to enable SuccessFactors sign-on from the PingOne for Enterprise console (IdP-initiated sign-on) and direct SuccessFactors sign-on using PingOne for Enterprise (SP-initiated sign-on).

Before you begin

  • Link PingOne for Enterprise to an identity repository containing the users requiring application access.

  • Populate SuccessFactors with at least one user to test access.

  • You must have administrative access to PingOne for Enterprise.

  • You must have access to either SuccessFactors Customer Support or the SuccessFactors Provisioning tool.

Obtain the PingOne for Enterprise values for the SuccessFactors application

  1. Sign on to PingOne for Enterprise and go to Applications → Application Catalog.

  2. Search for SuccessFactors.

    Screen capture of Application Catalog with SuccessFactors entered in the search bar and the expansion arrow for the result highlighted in red.
  3. Expand the SuccessFactors entry and click the Setup icon.

  4. Copy the Issuer and IdP ID values.

  5. Download the signing certificate.

    Screen capture of SSO Instructions with the Signing Certificate Download hyperlink, IdP ID field, and Issuer field all highlighted in red.

Add the PingOne for Enterprise IdP connection to SuccessFactors

  1. Sign on to the SuccessFactors Provisioning application.

    If you do not have access to this application, you will need to contact SuccessFactors’ Customer Support.

  2. Search for your company and click its name link.

    Screen capture of SuccessFactors Companies List with Your Company highlighted in red.
  3. Click Single Sign-On (SSO) Settings.

    Screen capture of SuccessFactors Edit Company Settings with Single Sign-On (SSO) Settings highlighted in red.
  4. In the For SAML based SSO section, click SAML v2 SSO.

  5. In the SAML Asserting Parties (IdP) list, select Add a SAML Asserting Party, and enter the following.

    Field Value

    SAML Asserting Party Name

    PingOne for Enterprise

    SAML Issuer

    The PingOne for Enterprise Issuer value.

    Require Mandatory Signature

    Assertion

    Enable SAML Flag

    Enabled

    Login Request Signature (SF Generated/SP/RP)

    Select No.

    SAML Profile

    Browser/Post Profile

    SAML Verifying Certificate

    Paste the PingOne for Enterprise signing certificate contents.

    Screen capture of SuccessFactors SAML settings with SAML v2 SSO checked and highlighted in red. Below, Add a SAML Asserting Party is highlighted in red, as well as the fields for SAML Asserting Party Name, SAML Issuer, Require Mandatory Signature, Enable SAML Flag, Login Request Signature(SF Generate/SP/RP), SAML Profiled, and SAML Verifying Certificate.
  6. In the SAML v2: SP-initiated login section, enter the following.

    Field Value

    Enable sp initiated login (AuthnRequest)

    Select Yes.

    Default Issuer

    Selected.

    single sign on redirect service location (to be provided by idp)

    Send request as Company-Wide issuer

    Select Yes.

    Screen capture of SuccessFactors SAML v2 : SP-initiated login section with all its applicable fields highlighted in red.
  7. Click Add an asserting party to save the configuration.

    Screen capture of SuccessFactors SAML Asserting Parties(IdP) section with Add an asserting party highlighted in red.
  8. In the SAML Asserting Parties (IdP) list, select the asserting party that you created.

    Screen capture of SuccessFactors SAML Asserting Parties(IdP) dropdown menu with test highlighted in red.
  9. In the Single Sign On Features section, enter any text value in the Reset Token field.

    A value is required only to switch on SSO.

  10. Click Save Token.

    Screen capture of SuccessFactors Single Sign On Features section with the Reset Token field and Save Token field highlighted In red. Token is required for all SSO is also noted in red.
  11. Record the SuccessFactors Assertion Consumer Service URL value containing your SuccessFactors Hostname and Company ID.

    (`https://your-hostname.successfactors.com/saml2/SAMLAssertionConsumer?company=your-company-ID)

Complete the SuccessFactors setup in PingOne for Enterprise

  1. Continue editing the SuccessFactors entry in PingOne for Enterprise for Enterprise.

    If the session has timed out, complete the initial steps to the point of clicking Setup.

  2. Click Continue to Next Step.

  3. Set the ACS URL to be the SuccessFactors Assertion Consumer Service URL value.

    (https://your-hostname.successfactors.com/saml2/SAMLAssertionConsumer?company=your-company-ID)

  4. Leave the preset Entity ID.

  5. In the Target Resource field, replace ${sfdatacenter} with the hostname from the ACS URL value.

    Screen capture of SSO attribute values with the fields for ACS URL, Entity ID, and Target Resource all highlighted in red.
  6. Click Continue to Next Step.

  7. Map the SAML_SUBJECT attribute to the similar attribute names in your environment and click Advanced.

    Screen capture of Attribute Mapping section. In the SAML_SUBJECT* row and Identity Bridge Attribute or Literal Value column, SAML_SUBJECT and Advanced are highlighted in red.
  8. Set the Name ID Format to send to SP to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. Click Save.

    Screen capture of Advanced Attribute Options with the field for Name ID Format to send to SP highlighted in red, as well as the Save button at the bottom of the screen.
  9. Click Continue to Next Step twice.

  10. Click Add for all user groups that should have access to SuccessFactors.

    Screen capture of Group Access page with option to remove/add Users@directory and Domain Administrators@directory.
  11. Click Continue to Next Step.

  12. Click Finish.

Test the PingOne for Enterprise IdP-initiated SSO integration

  1. Go to your Ping desktop as a user with SuccessFactors access.

    To find the Ping desktop URL in the Admin console, go to Setup → Dock → PingOne Dock URL.

  2. Complete the PingOne for Enterprise authentication.

    You’re redirected to your SuccessFactors account.

    Screen capture of login screen.

Test the PingOne SP-initiated SSO integration

  1. Go to your SuccessFactors URL.

  2. When you’re redirected to PingOne for Enterprise, enter your PingOne username and password.

    Screen capture of login screen.

    You’re redirected back to SuccessFactors.