Federation Settings

The Federation Settings subsection of the Setup > Providers section allows administrators to independently download and upload metadata documents and to add, select and configure identity providers. That way, you can establish the Federated Single Sign-On (FSSO), which allows you to securely access multiple applications via a single set of credentials.

To enable access to the Federation Settings page in the Setup, please contact the SAP CPQ Support team.

Service Provider Settings

Here, you can find the option to download your service provider metadata document.

  • Download metadata document - click to download the service provider XML data file. This file contains information about the signing and encryption certificate that is used on your environment, but is otherwise not used for setting up an identity provider.

Identity Providers Settings

Here, you can add, select or configure your identity provider.

  • Select identity provider - select an existing identity provider from the dropdown menu. In order to appear in this menu, existing identity providers need to be enabled by the SAP CPQ Support team for each domain individually.
  • Add new identity provider - click to add a new identity provider. Once you fill in the fields below, make sure to save and activate your settings. Once you create a new identity provider, it is visible only in the domain where it was created. To make it visible on other domains, you need to contact the SAP CPQ Support team.

You can configure your identity provider via the following fields:

  • Name (required) - enter a unique name for the identity provider application.
  • Metadata location (required) - this field contains the relative path to the identity provider metadata XML file. The metadata file is typically stored in the App_Data folder.
    • Download metadata document - click to download the identity provider XML data file.
    • Upload metadata document - click to upload the identity provider XML data file.
  • Entity ID - the unique entity ID of the identity provider. This field is automatically populated with the information from the metadata document.
  • ReadUIDFrom - determine where the User ID is read from:
    • Assertion - select this to read the User ID (Uid) from the list of assertion attributes in the SAML response. If there is no Uid attribute in the SAML response, or if you want the Uid to be read from a different attribute, select Assertion and then configure the Attribute Mappings below.
    • NameId - select this to make sure the User ID is a fixed value read from the NameId field in the SAML.
  • SignOut - select the sign-out method to be used with this identity provider.
    • Federated - after signing out, you are signed out of every application within the federation.
    • Local - after signing out, you are only signed out of the application you are in.
    • Custom - specify to which address the sign-out request is sent by selecting this option and setting a federation parameter with a SignOutAddress value.
  • PostSignOut - select the post sign-out method to be used with this identity provider. This method will be executed upon the sign-out response.
    • Default - no method is executed upon signing out.
    • Custom - specify to which address you are redirected after signing out by setting a federation parameter with a RedirectAddress value.
  • Description - enter a description for the identity provider.
  • Signing certificate (required) - select the signing certificate you wish to use with your identity provider. The dropdown menu lists all the certificates that your current environment supports, but only the selected certificate is in use.
  • Encryption certificate (required) - select the encryption certificate you wish to use with your identity provider. The dropdown menu lists all the certificates that your current environment supports, but only the selected certificate is in use.
  • Sign In Request Binding (required) - select the sign-in request binding protocol.
  • Sign Out Request Binding - select the sign-out request/response binding protocol.


You can further configure your identity provider settings via the following toggle switches:

  • Ignore assertion attributes validation - define whether or not received assertions should be validated against the expected attribute list.
  • Should the artifact resolve be signed - define whether or not post responses should be signed.
  • Should the sign out request be signed - define whether or not the sign-out request should be signed.
  • Should the sign out response be signed - define whether or not the sign-out response should be signed.

Federation Parameters

Here, you can edit the list of the defined federation parameters for the selected identity provider.

When adding new federation parameters, make sure that the parameter name is in one of the following recommended formats:

  • {IdentityProviderName} + {“RedirectAddress”, “SignOutAddress”}
  • “EntityIdForSAMLBearer_” + {IssuerLink}

Routings

In this section of the page, you can define the routings with the relative URL segments that will be used to access the application via the federation protocol. The URL segment is used for SP-initiated FSSO. The routing name and the URL should be unique. It is necessary to define and enable at least one routing in this section for the federated single sign-on to work.

You can create multiple routings to be used for accessing the same identity provider. The system generates every new routing based on your current tenant and the ordinal number of the newly created routing in the list of routings. To add a new routing, follow the procedure below.

  1. Click Edit under Routings.
    Save and Add buttons display.
  2. Click Add.
  3. In the Sign out relay state dropdown menu, select the tenant.
    Only one tenant is displayed, unless multiple tenants on a single environment have a single identity provider, in which case you should select the tenant for which you are setting up the routing.
  4. Click the Enabled toggle switch to enable the routing.
    Alternatively, you can disable a routing via the Enabled toggle switch.
  5. Click Save to save the changes made to routings.
    The routing with the defined relative URL segment is now enabled and can be used for accessing the application. You can now proceed to build the federation URL.

Attribute mappings

Here, you can edit the list of attribute mappings. Each mapping is processed with an authentication response received from the identity provider. Attribute mappings are used to override existing values or add new values to the ones from the metadata XML file. A mapping can change an existing attribute's name or value, or add a new attribute with a constant value (such as the application domain).

To make sure the User ID is read from a source that is neither the NameId field nor the list of assertions in the SAML, after selecting ReadUIDFrom > Assertion, follow the steps below.

  1. Under Attribute Mappings, click Add.
    A new row appears.
  2. Under Action (required), select OverrideName.
  3. Under Name (required), enter the name of the field in the SAML that you want to map to a different field (for example: email).
  4. Under Name Override, enter the name of the field to which you want to map the field you entered under Name (for example: uid).
  5. Select Enable.
  6. Click Save.
    The uid field now receives data from the email field in the SAML.
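An added example (not SAP CPQ code) that models how the ReadUIDFrom setting and an OverrideName mapping act on a received assertion, as in the procedure above. The assertion is a constructed sample, and the OverrideValue and AddConstant action names are assumed stand-ins for the value-override and constant-attribute mappings the text describes.

```python
import xml.etree.ElementTree as ET  # stdlib parser; use defusedxml for responses from untrusted sources

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion (unsigned; a real response must be signature-checked first)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>sales</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text):
    """Return (NameID value, {attribute name: value}) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = a.findtext("saml:AttributeValue", default="", namespaces=NS)
    return name_id, attrs

def apply_mappings(attrs, mappings):
    """Each mapping mirrors one row: action, name, override, enabled.
    OverrideName is the action named on the page; OverrideValue and AddConstant are assumed names."""
    out = dict(attrs)
    for m in mappings:
        if not m.get("enabled", True):  # disabled rows are skipped
            continue
        action, name, override = m["action"], m["name"], m.get("override")
        if action == "OverrideName" and name in out:
            out[override] = out.pop(name)  # e.g. email -> uid
        elif action == "OverrideValue" and name in out:
            out[name] = override
        elif action == "AddConstant":
            out[name] = override  # e.g. a constant application domain
    return out

def resolve_uid(name_id, attrs, read_uid_from, uid_attr="uid"):
    """Pick the User ID according to the ReadUIDFrom setting (NameId or Assertion)."""
    if read_uid_from == "NameId":
        return name_id
    if read_uid_from == "Assertion":
        return attrs.get(uid_attr)  # None when no uid attribute exists and no mapping supplied one
    raise ValueError("unknown ReadUIDFrom value: %r" % read_uid_from)
```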

Save and Activate

Once you have configured the settings of the identity provider, follow the instructions below to make your settings active.

  1. Click Save in the bottom right corner of the page.
    The settings are now saved, although they are still not active.
    Alternatively, click Delete in the bottom right corner of the page to delete the selected identity provider.
  2. Click Activate to make the settings active.
    Clicking Activate initiates a countdown of 300 seconds (by default). Once the countdown is over, the federation settings become active and can be used.
    Alternatively, click Deactivate to initiate a 300-second countdown after which the selected identity provider will be deactivated.

To set a specific duration for the activation/deactivation countdown, please contact the SAP CPQ Support team.
