• Link PingOne to an identity repository containing the users requiring application access.
  • Populate SuccessFactors with at least one user to test access.
  • You must have administrative access to PingOne.
  • You must have access to either SuccessFactors Customer Support or the SuccessFactors Provisioning tool.
  1. Copy the PingOne values for the supplied SuccessFactors application:
    1. Sign on to PingOne for Enterprise and go to Applications > Application Catalog.
    2. Search for SuccessFactors.
      Screen capture of PingOne Application Catalog with SuccessFactors entered in the search bar and the expansion arrow for the result highlighted in red.
    3. Expand the SuccessFactors entry and click the Setup icon.
    4. Copy the Issuer and IdP ID values.
    5. Download the signing certificate.
      Screen capture of PingOne SSO Instructions with the Signing Certificate Download hyperlink, IdP ID field, and Issuer field all highlighted in red.
  2. Add the PingOne IdP connection to SuccessFactors:
    1. Sign on to the SuccessFactors Provisioning application.
      Note:

      If you do not have access to this application, you will need to contact SuccessFactors’ Customer Support.

    2. Search for your company and click its name link.
      Screen capture of SuccessFactors Companies List with Your Company highlighted in red.
    3. Click Single Sign-On (SSO) Settings.
      Screen capture of SuccessFactors Edit Company Settings with Single Sign-On (SSO) Settings highlighted in red.
    4. In the For SAML based SSO section, click SAML v2 SSO.
    5. In the SAML Asserting Parties (IdP) list, select Add a SAML Asserting Party, and enter the following.
      Field Value

      SAML Asserting Party Name

      PingOne

      SAML Issuer

      The PingOne Issuer value.

      Require Mandatory Signature

      Assertion

      Enable SAML Flag

      Enabled

      Login Request Signature (SF Generated/SP/RP)

      Select No.

      SAML Profile

      Browser/Post Profile

      SAML Verifying Certificate

      Paste the PingOne signing certificate contents.
      Screen capture of SuccessFactors SAML settings with SAML v2 SSO checked and highlighted in red. Below, Add a SAML Asserting Party is highlighted in red, as well as the fields for SAML Asserting Party Name, SAML Issuer, Require Mandatory Signature, Enable SAML Flag, Login Request Signature(SF Generate/SP/RP), SAML Profiled, and SAML Verifying Certificate.
    6. In the SAML v2: SP-initiated login section, enter the following.
      Field Value

      Enable sp initiated login (AuthnRequest)

      Select Yes.

      Default Issuer

      Selected.

      single sign on redirect service location (to be provided by idp)

      https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=<IdP ID value>

      Send request as Company-Wide issuer

      Select Yes.
      Screen capture of SuccessFactors SAML v2 : SP-initiated login section with all its applicable fields highlighted in red.
    7. Click Add an asserting party to save the configuration.
      Screen capture of SuccessFactors SAML Asserting Parties(IdP) section with Add an asserting party highlighted in red.
    8. In the SAML Asserting Parties (IdP) list, select the asserting party that you created.
      Screen capture of SuccessFactors SAML Asserting Parties(IdP) dropdown menu with test highlighted in red.
    9. In the Single Sign On Features section, enter any text value in the Reset Token field.

      A value is only required to switch on SSO.

    10. Click Save Token.
      Screen capture of SuccessFactors Single Sign On Features section with the Reset Token field and Save Token field highlighted In red. Token is required for all SSO is also noted in red.
    11. Record the SuccessFactors Assertion Consumer Service URL value containing your SuccessFactors Hostname and Company ID.

      (https://<your hostname>.successfactors.com/saml2/SAMLAssertionConsumer?company=<your Company ID>)

  3. Complete the SuccessFactors setup in PingOne:
    1. Continue editing the SuccessFactors entry in PingOne for Enterprise.
      Note:

      If the session has timed out, complete the initial steps to the point of clicking Setup.

    2. Click Continue to Next Step.
    3. Set the ACS URL to be the SuccessFactors Assertion Consumer Service URL value.

      (https://<your hostname>.successfactors.com/saml2/SAMLAssertionConsumer?company=<your Company ID>)

    4. Leave the preset Entity ID.
    5. In the Target Resource field, replace ${sfdatacenter} with the hostname from the ACS URL value.
      Screen capture of PingOne SSO attribute values with the fields for ACS URL, Entity ID, and Target Resource all highlighted in red.
    6. Click Continue to Next Step.
    7. Map the SAML_SUBJECT attribute to the similar attribute names in your environment and click Advanced.
      Screen capture of PingOne Attribute Mapping section. In the SAML_SUBJECT* row and Identity Bridge Attribute or Literal Value column, SAML_SUBJECT and Advanced are highlighted in red.
    8. Set the Name ID Format to send to SP to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. Click Save.
      Screen capture of PingOne Advanced Attribute Options with the field for Name ID Format to send to SP highlighted in red, as well as the Save button at the bottom of the screen.
    9. Click Continue to Next Step twice.
    10. Click Add for all user groups that should have access to SuccessFactors.
      Screen capture of PingOne Group Access page with option to remove/add Users@directory and Domain Administrators@directory.
    11. Click Continue to Next Step.
    12. Click Finish.
  4. Test the PingOne IdP-initiated SSO integration:
    1. Go to your Ping desktop as a user with SuccessFactors access.
      Note:

      To find the Ping desktop URL in the Admin console, go to Setup > Dock > PingOne Dock URL.

    2. Complete the PingOne authentication.
      You're redirected to your SuccessFactors account.Screen capture of PingOne login screen.
  5. Test the PingOne SP-initiated SSO integration:
    1. Go to your SuccessFactors URL.
    2. When you're redirected to PingOne, enter your PingOne username and password.
      Screen capture of PingOne login screen.
      You're redirected back to SuccessFactors.