SAML2: SAP Gateway and SuccessFactors as IdP - User Auto Creation

Dears,

We have a scenario in which users are connected to SuccessFactors and they can navigate to an SAPUI5 Application, which is served by an OnPremise SAP Gateway system.

SSO via SAML2 is in place between SuccessFactors and SAP Gateway, and was achieved by providing ACS and SLO links on SuccessFactors Provisioning side and by importing SuccessFactors IdP Metadata on SAP Gateway (SAML2 Application).

Everything works pretty well.

However, we are now trying to set up user auto creation on the OnPremise side. Following some standard procedures, here's what we did:

OnPremise side:

  • Created "register" service under SICF
  • Created external alias "/sap/saml2/sp/register"
  • Implemented BAdI BADI_SAML20_USER_CREATE_UPDATE
  • Set up "Persistent" NameID Format in SAML2 Application

SuccessFactors Provisioning:

  • Replaced the ACS URL from "/sap/saml2/sp/acs/<sap-client>" to "/sap/saml2/sp/register/<sap-client>"

This doesn't work at all:

Users that already exist on the OnPremise side are capable of logging on without issues, but non-existing users (= users without mapping) are bounced back from the system and a Basic Authentication pop-up appears.

Note that the register BAdI does not kick in (also shown by the SAML2 trace in SEC_DIAG_TOOL).

Anyone tried to achieve this?

Thanks for any hint!

Roberto.

PS: We noticed a strange behavior in SuccessFactors when changing some of its parameters as IdP on the OnPremise side.

In SAML2 Application -> Trusted Providers -> Authentication Requirements (last tab in the below section), if field "Assertion Consumer Service" is set to "Application URL", SuccessFactors sends the SAML2 Assertion to the application URL (the one described at the top of this question), which is taken into account by the SAML2 logon and processed.

If "Assertion Consumer Service" is set to "Default" (which should mean /sap/saml2/sp/acs/), SuccessFactors tries to send the SAML2 assertion and fails with an HTTP 500 error. In this case, the SAML2 trace on the OnPremise side doesn't show anything.
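A diagnostic check, added here and not part of the original post or of SAP's own tooling: before pointing the IdP at a different ACS URL, confirm that the SP metadata exported from the Gateway actually advertises that endpoint with the HTTP-POST binding and lists the persistent NameID format. The metadata below is a constructed sample; the hostname, entityID and client number are placeholders.

```python
"""Check an IdP-side ACS URL against the SAML2 SP metadata it must match."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample SP metadata (placeholder host and client 100); real
# Gateway metadata is exported from the SAML2 application and may differ.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://gateway.example.invalid/sap/saml2/sp">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://gateway.example.invalid/sap/saml2/sp/acs/100"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_acs(metadata_xml: str, idp_acs_url: str) -> dict:
    """Report whether idp_acs_url is an advertised ACS endpoint of the SP,
    which ACS the SP marks as default, and whether persistent NameID is offered."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = [(e.get("Location"), e.get("Binding"), e.get("isDefault") == "true")
           for e in sp.findall("md:AssertionConsumerService", NS)]
    formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]
    matches = [entry for entry in acs if entry[0] == idp_acs_url]
    return {
        "acs_advertised": bool(matches),
        "acs_post_binding": any(b == POST_BINDING for _, b, _ in matches),
        "default_acs": next((loc for loc, _, is_default in acs if is_default), None),
        "persistent_nameid": PERSISTENT in formats,
    }


if __name__ == "__main__":
    for url in ("https://gateway.example.invalid/sap/saml2/sp/acs/100",
                "https://gateway.example.invalid/sap/saml2/sp/register/100"):
        print(url, check_acs(SAMPLE_SP_METADATA, url))
```

An ACS URL that the IdP sends to but the SP metadata does not advertise is the first thing to rule out when the assertion is rejected before any trace entry appears.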
