• Configure PingFederate to authenticate against an IdP or datastore containing the users requiring application access.
  • Populate SuccessFactors with at least one user to test access.
  • You must have administrative access to PingFederate.
  • You must have access to either SuccessFactors Customer Support or the SuccessFactors Provisioning tool.
  1. Create a PingFederate SP connection for SuccessFactors:
    1. Sign on to the PingFederate administrative console.
    2. Create an SP connection for SuccessFactors in PingFederate:
      1. Configure using Browser SSO profile SAML 2.0.
      2. Set Partner’s Entity ID to https://www.successfactors.com.
      3. Enable the following SAML Profiles:
        • IdP-Initiated SSO
        • SP-Initiated SSO
      4. In Assertion Creation: Attribute Contract, extend the contract to add an attribute named SAML_NAME_FORMAT.
      5. In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfillment, map SAML_SUBJECT and map SAML_NAME_FORMAT to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
      6. In Protocol Settings: Assertion Consumer Service URL, set binding to POST, and set Endpoint URL to http://placeholder.

        You will update this value later.

      7. In Protocol Settings: Allowable SAML Bindings, enable POST.
      8. In Credentials: Digital Signature Settings, select the PingFederate signing certificate.
    3. Save the configuration.
    4. Export the signing certificate.
    5. Export and then open the metadata file, and copy the value of:
      1. The entityID
      2. The Location entry (https://<your value>/idp/SSO.saml2)
  2. Add the PingFederate IdP Connection to SuccessFactors:
    1. Sign on to the SuccessFactors Provisioning application.
      Note: If you do not have access to this application, you will need to contact SuccessFactors’ Customer Support.
    2. Search for your company and click its name link.
      Screen capture of SuccessFactors Companies page with Your Company hyperlink highlighted in red.
    3. Click Single Sign-On (SSO) Settings.
      Screen capture of SuccessFactors Edit Company Settings section with the Single Sign-On (SSO) Settings hyperlink highlighted in red.
    4. In the For SAML based SSO section, click SAML v2 SSO.
    5. In the SAML Asserting Parties (IdP) list, select Add a SAML Asserting Party, and enter the following.
      Field Value

      SAML Asserting Party Name

      PingFederate

      SAML Issuer

      The PingFederate Issuer value.

      Require Mandatory Signature

      Assertion

      Enable SAML Flag

      Enabled

      Login Requested Signature (SF Generated/SP/RP)

      Select No.

      SAML Profile

      Browser/Post Profile

      SAML Verifying Certificate

      Paste the PingFederate signing certificate contents.
      Screen capture of SuccessFactors SAML based SSO settings with SAML v2 SSO selected and highlighted in red. The fields for Add a SAML Asserting Party, SAML Asserting Party Name, SAML Issuer, Require Mandatory Signature, Enable SAML Flag, Login Request Signature, SAML Profile, and SAML Verifying Certificate are also highlighted in red.
    6. In the SAML v2: SP-initiated login section, enter the following.
      Field Value

      Enable sp initiated login (AuthnRequest)

      Select Yes.

      Default issuer

      Selected.

      single sign on redirect service location (to be provided by idp)

      https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=<IdP ID value>

      Send request as Company-Wide issuer

      Select Yes.
      Screen capture of SuccessFactors SAML v2 : SP-initiated login section with all fields highlighted in red.
    7. Click Add an asserting party to save the configuration.
      Screen capture of SuccessFactors SAML Asserting Parties(IdP) section with Add an asserting party highlighted in red.
    8. In the SAML Asserting Parties (IdP) list, select the asserting party that you created.
      Screen capture of SuccessFactors SAML Asserting Parties(IdP) dropdown menu with test selected and highlighted in red.
    9. Go to Single Sign On Features.
    10. In the Single Sign On Features section, enter any text value in the Reset Token field.

      A value is only required to switch on SSO.

    11. Click Save Token.
      Screen capture of SuccessFactors Single Sign On Features section with the Reset Token field and Save Token hyperlink both highlighted in red. Token is required for all SSO also appears as red text.
    12. Record the SuccessFactors Assertion Consumer Service URL value containing your SuccessFactors Hostname and Company ID.

      (https://<your hostname>.successfactors.com/saml2/SAMLAssertionConsumer?company=<your Company ID>)

  3. Update the ACS URL values in PingFederate:
    1. Sign on to the PingFederate administrative console.
    2. Edit the SP connection for SuccessFactors.
    3. Set Assertion Consumer Service URL > Endpoint URL to the SuccessFactors Assertion Consumer Service URL value.

      (https://your hostname.successfactors.com/saml2/SAMLAssertionConsumer?company=your Company ID)

    4. Save the changes.
  4. Test the PingFederate IdP-initiated SSO integration:
    1. Go to the PingFederate SSO Application Endpoint for the SuccessFactors SP connection.
    2. Complete PingFederate authentication.
      You're redirected to your SuccessFactors domain.