Configuration Guides

Configuring SAML SSO with SuccessFactors and PingFederate

Learn how to enable SuccessFactors sign-on from a PingFederate URL (IdP-initiated sign-on) and direct SuccessFactors sign-on using PingFederate (SP-initiated sign-on).

Before you begin

  • Configure PingFederate to authenticate against an IdP or datastore containing the users requiring application access.

  • Populate SuccessFactors with at least one user to test access.

  • You must have administrative access to PingFederate.

  • You must have access to either SuccessFactors Customer Support or the SuccessFactors Provisioning tool.

Create a PingFederate SP connection for SuccessFactors

  1. Sign on to the PingFederate administrative console.

  2. Create an SP connection for SuccessFactors in PingFederate:

    1. Configure usingBrowser SSO profile SAML 2.0.

    2. Set Partner’s Entity ID to https://www.successfactors.com.

    3. Enable the following SAML Profiles:

      • IdP-Initiated SSO

      • SP-Initiated SSO

    4. In Assertion Creation: Attribute Contract, extend the contract to add an attribute named SAML_NAME_FORMAT.

    5. In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfillment, map SAML_SUBJECT and map SAML_NAME_FORMAT to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

    6. In Protocol Settings: Assertion Consumer Service URL, set binding to POST, and set Endpoint URL to http://placeholder.

      You will update this value later.

    7. In Protocol Settings: Allowable SAML Bindings, enable POST.

    8. In Credentials: Digital Signature Settings, select the PingFederate signing certificate.

  3. Save the configuration.

  4. Export the signing certificate.

  5. Export and then open the metadata file, and copy the following values:

    • The entityID

    • The Location entry (https://your-value/idp/SSO.saml2)

Add the PingFederate IdP Connection to SuccessFactors

  1. Sign on to the SuccessFactors Provisioning application.

    If you do not have access to this application, you will need to contact SuccessFactors’ Customer Support.

  2. Search for your company and click its name link.

    Screen capture of SuccessFactors Companies page with Your Company hyperlink highlighted in red.

  3. Click Single Sign-On (SSO) Settings.

    Screen capture of SuccessFactors Edit Company Settings section with the Single Sign-On (SSO) Settings hyperlink highlighted in red.

  4. In the For SAML based SSO section, click SAML v2 SSO.

  5. In the SAML Asserting Parties (IdP) list, select Add a SAML Asserting Party, and enter the following values:

    Field Value

    SAML Asserting Party Name

    PingFederate

    SAML Issuer

    The PingFederate Issuer value

    Require Mandatory Signature

    Assertion

    Enable SAML Flag

    Enabled

    Login Requested Signature (SF Generated/SP/RP)

    Select No.

    SAML Profile

    Browser/Post Profile

    SAML Verifying Certificate

    Paste the PingFederate signing certificate contents.
    Screen capture of SuccessFactors SAML based SSO settings with SAML v2 SSO selected and highlighted in red. The fields for Add a SAML Asserting Party, SAML Asserting Party Name, SAML Issuer, Require Mandatory Signature, Enable SAML Flag, Login Request Signature, SAML Profile, and SAML Verifying Certificate are also highlighted in red.

  6. In the SAML v2: SP-initiated login section, enter the following values:

    Field Value

    Enable sp initiated login (AuthnRequest)

    Select Yes.

    Default issuer

    Selected.

    single sign on redirect service location (to be provided by idp)

    https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=IdP-ID-value

    Send request as Company-Wide issuer

    Select Yes.
    Screen capture of SuccessFactors SAML v2 : SP-initiated login section with all fields highlighted in red.

  7. Click Add an asserting party to save the configuration.

    Screen capture of SuccessFactors SAML Asserting Parties(IdP) section with Add an asserting party highlighted in red.

  8. In the SAML Asserting Parties (IdP) list, select the asserting party that you created.

    Screen capture of SuccessFactors SAML Asserting Parties(IdP) dropdown menu with test selected and highlighted in red.

  9. Go to Single Sign On Features.

  10. In the Single Sign On Features section, enter any text value in the Reset Token field.

    A value is required only to switch on SSO.

  11. Click Save Token.

    Screen capture of SuccessFactors Single Sign On Features section with the Reset Token field and Save Token hyperlink both highlighted in red. Token is required for all SSO also appears as red text.

  12. Record the SuccessFactors Assertion Consumer Service URL value containing your SuccessFactors Hostname and Company ID.

    (https://your-hostname.successfactors.com/saml2/SAMLAssertionConsumer?company=your-company-ID)

Update the ACS URL values in PingFederate

  1. Sign on to the PingFederate administrative console.

  2. Edit the SP connection for SuccessFactors.

  3. Set Assertion Consumer Service URL → Endpoint URL to the SuccessFactors Assertion Consumer Service URL value.

    (https://your-hostname.successfactors.com/saml2/SAMLAssertionConsumer?company=your-company-ID)

  4. Save the changes.

Test the PingFederate IdP-initiated SSO integration

  1. Go to the PingFederate SSO Application Endpoint for the SuccessFactors SP connection.

  2. Complete PingFederate authentication.

    You’re redirected to your SuccessFactors domain.