
As an SAP SuccessFactors Admin, you may have received an e-mail recently regarding the migration from SHA-1 to SHA-256 certificates. Although this is a more secure signing method, it can cause confusion about what exactly is required from you as the client. If you are flagged as a potential user of third-party application integrations, there's no reason to panic! In this blog, we'll walk you through everything you should be aware of if you're contacted by SAP.

What This Means for Existing Third-Party Application Integrations
Any customer who has a custom-developed, partner and/or third-party application integration will need to migrate to the SHA-256 signing mechanism prior to December 31, 2021.

Note: If the signing option is not changed to SHA-256, the integration may stop working after December 31, 2021.

What This Means for New Third-Party Application Integrations
All new custom-developed, partner and/or third-party application integrations must use the SHA-256 signing option after the Second Half 2021 release (Preview October 15, 2021; Production November 19, 2021).

Admin Center Access to Authorized SP Assertion Consumer Services Setting

After September 3, 2021, you will have access to the Admin Center Authorized SP Assertion Consumer Service Settings and can use the link that allows you to Download the SuccessFactors IdP Metadata. This metadata file includes the SHA-256 certificate. This tool allows administrators to complete this task through the Admin Center. Please note that if this change is not completed prior to December 31, 2021, your integration may stop working.

So what are the next steps? There can be some confusion about what exactly constitutes a third-party integration, especially because these integrations are stored in the same area as SuccessFactors standard integrations. The first thing to do is identify which integrations are not third-party outbound single sign-on (SSO) integrations and therefore do not require any action. The following integrations are not considered third-party custom integrations and should automatically be upgraded to the SHA-256 option:

Integrations belonging to internal SAP SuccessFactors applications:

  • SAP Jam
  • SAP WorkZone
  • Employee Central Payroll
  • Onboarding 1.0
  • Recruiting Posting
  • SAP SuccessFactors Suite integrations for Learning and Workforce Analytics

None of the integrations listed above should require any action from SuccessFactors admins; they are automatically upgraded to the new standard. As an added level of assurance, you can log into the Authorized SP Assertion Consumer Service Settings (which is now available through the Admin Center) and confirm the checkbox under “SHA-256 Certificate” is checked. When you see this option checked, you can confirm the connection is valid.

Now, let's discuss the third-party vendor integrations that do require an action on the customer side.

In these types of integrations, when a user is logged into SuccessFactors and clicks a link to one of these third-party applications, a SAML process forwards the username or email to the third-party application. If that value matches a user ID in the target application, the user is logged in automatically without having to enter credentials again. It’s a useful feature and simplifies the user experience, but it also requires an action on the third-party vendor side. Some common third-party integrations for SSO include Benefitfocus and ADP. In these cases, you will need to download your SuccessFactors IdP metadata and send it to the appropriate third-party vendor to update on their side.


Basically, the metadata they have set up with the SHA-1 standard will need to be updated to the SHA-256 standard going forward. This process differs depending on the third-party vendor and how you interact with their customer support team. Common third-party applications like ADP and Benefitfocus should be familiar with the process, and opening a request with their support team should be a straightforward way to get the new metadata uploaded.

There is, however, no restriction on which third-party applications can be forwarded this request, so there may be situations where even a custom application is configured in the Authorized SP Assertion Consumer Service Settings. In these cases, the process to update the metadata might not be as straightforward, and the third-party application might need more guidance on the appropriate steps.
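For a custom application on the receiving side, one way to confirm the migration took effect is to read the algorithm identifiers in a SAML response captured after the change. The following is an added example, not code from SAP or AltaFlux: the function names are hypothetical, the sample responses are constructed, and it only reports the declared algorithms without verifying the signature.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Algorithm URIs from the W3C XML Signature / XML Encryption specifications.
SHA1_URIS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}
SHA256_URIS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
               "http://www.w3.org/2001/04/xmlenc#sha256"}

def audit_saml_response(b64_response):
    """Report the hash family declared by each ds:Signature in a
    base64-encoded SAMLResponse (HTTP-POST binding). Reads the declared
    algorithms only; it does not verify the signature itself."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    for sig in root.iter(DS + "Signature"):
        info = sig.find(DS + "SignedInfo")
        if info is None:
            findings.append({"status": "other", "algorithms": []})
            continue
        nodes = info.findall(DS + "SignatureMethod")
        nodes += info.findall(DS + "Reference/" + DS + "DigestMethod")
        algs = [n.get("Algorithm") for n in nodes]
        if any(a in SHA1_URIS for a in algs):
            status = "sha1"      # still signed or digested with SHA-1
        elif algs and all(a in SHA256_URIS for a in algs):
            status = "sha256"    # signature and every digest use SHA-256
        else:
            status = "other"     # missing or unrecognised algorithm
        findings.append({"status": status, "algorithms": algs})
    return findings

def build_sample(sig_alg, digest_alg):
    """Constructed skeleton of a SAML response (no real signature value)."""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature>'
           f'<ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/>'
           f'<ds:Reference URI="#id1"><ds:DigestMethod Algorithm="{digest_alg}"/>'
           '</ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    after = build_sample("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                         "http://www.w3.org/2001/04/xmlenc#sha256")
    print(audit_saml_response(after))
```

An empty result means the message carries no XML signature at all, which is a separate finding from a SHA-1 signature.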

If you are unsure whether or not you have a third-party custom application set up using this standard or need guidance on how to work with a vendor to update the signing certificate on their side, don’t hesitate to reach out to your SuccessFactors partner, or the AltaFlux team (would be a great opportunity to test drive our support) to confirm your setup and take the heavy lifting out of updating this certificate.
