SAP SuccessFactors SSO
Configure SAML 2.0 SSO for SAP SuccessFactors HXM Suite with Clavex as the Identity Provider. Covers metadata exchange, attribute mapping (including SAP User ID), and optionally SCIM provisioning for automatic account creation.
Prerequisites
- SAP SuccessFactors instance with Company ID
- SuccessFactors Super Admin or Security Administrator role
- Clavex at https://id.acme.eu, org slug `acme`
Step 1 — Get SuccessFactors SP Metadata
Download the SuccessFactors Service Provider metadata. It is available at:
```shell
# Replace {datacenter} with your data center (e.g. hana, flp, etc.)
# Replace {companyID} with your SuccessFactors Company ID
$ curl -o sf-sp-metadata.xml \
  "https://{datacenter}.successfactors.com/idp/samlmetadata?company={companyID}&site=api"
# Common data centers: hana1 (EU), hana2 (EU-GER), flp13 (US)
```
Step 2 — Configure Clavex IdP in SuccessFactors
- Log in to SuccessFactors as Admin → Admin Center → Company Settings → Single Sign-on Setting
- Click Add IdP
- Fill in the Clavex IdP values:
| Field | Value |
|---|---|
| IdP name | Clavex |
| Assertion Consumer Service URL | https://{datacenter}.successfactors.com/saml2/idp/acs?company={companyID} |
| IdP Entity ID | https://id.acme.eu/acme/saml |
| IdP SSO URL | https://id.acme.eu/acme/saml/sso |
| IdP certificate | Upload PEM from Clavex metadata |
| Name ID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Login Name Source | Login Name (maps to the `loginName` field in SF) |
Step 3 — Register SuccessFactors as SP in Clavex
```shell
# $ADMIN_TOKEN must be inside double quotes so the shell expands it
$ curl -X POST https://id.acme.eu/api/v1/organizations/acme/saml/sp \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "entity_id": "www.successfactors.com",
    "acs_url": "https://hana1.successfactors.com/saml2/idp/acs?company=ACMECORP",
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "sign_assertions": true,
    "sign_response": true
  }'
```
Step 4 — Attribute Mapping
SuccessFactors matches the NameID against the user's `loginName` field, which is not necessarily the email address. Configure a custom attribute mapper in Clavex if `loginName` differs from the email:
| SuccessFactors field | SAML attribute / NameID | Clavex claim |
|---|---|---|
| loginName (required) | NameID | preferred_username or email |
| firstName | firstName | given_name |
| lastName | lastName | family_name |
| email | email | email |
| department | department | department (custom claim) |
Step 5 — Test SP-Initiated SSO
```text
# SP-initiated login — opens the SuccessFactors login page, which redirects to Clavex
https://hana1.successfactors.com/sf/start#company={companyID}

# IdP-initiated deep link from Clavex
https://id.acme.eu/acme/saml/initiate?entity_id=www.successfactors.com
```
SCIM Provisioning (optional)
SuccessFactors supports SCIM 2.0 for user provisioning. Configure Clavex to push user creates/updates to SuccessFactors Employee Central:
| Field | Value |
|---|---|
| SCIM base URL | https://api{dc}.successfactors.com/odata/v2/ |
| Auth | OAuth 2.0 Client Credentials (SuccessFactors OAuth app) |
| Supported operations | Create, Update users (deactivation via status=t attribute) |
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| This user is not found in the system | NameID value doesn't match SF loginName | Verify that the NameID sent by Clavex matches the loginName field in SuccessFactors exactly (case-sensitive) |
| SAML assertion expired | Clock skew > 5 minutes | Enable NTP sync on the Clavex server |
| Redirect to SF login page in loop | IdP not set as active for the company | In SF Admin → SSO Settings, enable the IdP and set it as default |
| Cert not accepted | Self-signed cert not uploaded to SF | Use a CA-signed certificate or upload the self-signed cert to SF's trusted certificates |
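The two most common failures above (NameID not matching `loginName` byte-for-byte, and assertions rejected for clock skew) can be caught before a user ever sees them. The following pre-flight checker is an added example, not part of Clavex or SuccessFactors; it parses a constructed sample assertion and applies the SuccessFactors rules stated on this page (emailAddress NameID format, exact case-sensitive loginName match, 5-minute skew tolerance, audience equal to the SP entity ID from Step 3).

```python
"""Pre-flight checks on a SAML assertion bound for SuccessFactors (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SF_ENTITY_ID = "www.successfactors.com"          # SP entity_id registered in Step 3
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
MAX_SKEW = timedelta(minutes=5)                  # tolerance noted under Troubleshooting

# Constructed sample assertion: not a real Clavex artifact, signature omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://id.acme.eu/acme/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">J.Doe@acme.eu</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>www.successfactors.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, sf_login_name, now_utc):
    """Return a list of problems; an empty list means SF should accept the assertion."""
    root = ET.fromstring(xml_text)
    now = _ts(now_utc)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID Format is not emailAddress")
        if name_id.text != sf_login_name:   # SF compares case-sensitively
            hint = " (case differs)" if name_id.text.lower() == sf_login_name.lower() else ""
            problems.append(f"NameID {name_id.text!r} != loginName {sf_login_name!r}{hint}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if now + MAX_SKEW < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if now - MAX_SKEW >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SF_ENTITY_ID not in audiences:
            problems.append(f"audience {audiences} does not include {SF_ENTITY_ID}")
    return problems
```

Run it against a captured assertion from a failed login and the user's actual `loginName` to see which of the troubleshooting rows applies.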