Industry 2020

SAML integration between corporate Active Directory and SAP HCM

Food and dairy company with national operations in Colombia

Single Sign-On implemented between corporate Active Directory and SAP HCM via SAML 2.0 — elimination of duplicate credentials for the entire organization

The challenge

Employees maintained separate credentials for the corporate directory (Active Directory) and the SAP HR platform. This duplication created operational friction — users had to remember and manage two different passwords — and a real security risk: passwords for critical HR systems that were not subject to corporate directory policies and whose lifecycle management was independent.

The solution

We designed and implemented identity federation between the corporate Active Directory and SAP HCM using the SAML 2.0 protocol. Active Directory takes the role of Identity Provider (IdP): when a user accesses SAP HCM, the system verifies their identity against the corporate AD and, if they already have an active session, authenticates them automatically without requesting additional credentials. The implementation included user attribute mapping between the two systems, configuration of SAML metadata at both ends and testing with the organization's various user profiles.

Results

  • SSO implemented: employees access SAP HCM with their corporate credentials, no additional passwords required
  • Password lifecycle management unified in the corporate Active Directory
  • SAP HCM access auditing centralized: every access is recorded under the user's corporate identity
  • Reduction of support tickets related to HR password recovery

Identity integrations like this one look simple on paper and prove complex in practice. The complexity lies in the details: correct configuration of SAML metadata, precise attribute mapping between two systems with different data models, and handling of edge cases (users with special profiles, access from outside the corporate network, expired session management). These are the aspects that determine whether the implementation works reliably in production or generates intermittent incidents that are hard to diagnose.
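As an added illustration of the validation and attribute-mapping steps described above (example code written for this page, not the project's own implementation), the following Python script checks the conditions of a SAML 2.0 assertion on the SAP side and translates IdP attributes into the fields the HR system needs. The entity IDs, the attribute names, the clock-skew tolerance and the sample assertion are all constructed assumptions; a real deployment would first verify the XML signature with a SAML library, which the standard library cannot do and this script deliberately leaves out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed identifiers for both ends of the federation (not the customer's real values).
IDP_ENTITY_ID = "https://idp.example.corp/adfs/services/trust"
SP_ENTITY_ID = "https://sap-hcm.example.corp/sap/saml2/sp"
CLOCK_SKEW = timedelta(seconds=120)  # tolerance for clock drift between IdP and SP

# Assumed mapping: IdP attribute name -> (SAP HCM field, required?)
ATTRIBUTE_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": ("mail", True),
    "employeeID": ("employee_number", True),
    "department": ("department", False),
}

# Constructed sample assertion; signature element omitted on purpose (see process_assertion).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2020-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.corp/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jperez</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-06-01T11:59:00Z" NotOnOrAfter="2020-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sap-hcm.example.corp/sap/saml2/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>jperez@example.corp</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="employeeID">
      <saml:AttributeValue>00012345</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    # SAML timestamps are UTC; tolerate optional fractional seconds.
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_conditions(root, now):
    """Return a list of violations; an empty list means the conditions are satisfied."""
    errors = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        errors.append(f"unexpected Issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions element")
        return errors
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + CLOCK_SKEW < _parse_time(not_before):
        errors.append("assertion not yet valid (NotBefore)")
    if not_on_or_after and now - CLOCK_SKEW >= _parse_time(not_on_or_after):
        errors.append("assertion expired (NotOnOrAfter)")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        errors.append(f"audience {audiences} does not include this SP")
    return errors


def map_attributes(root):
    """Translate IdP attributes into SAP fields and report missing required ones."""
    found = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        found[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    mapped, errors = {}, []
    for idp_name, (sap_field, required) in ATTRIBUTE_MAP.items():
        values = found.get(idp_name, [])
        if values:
            mapped[sap_field] = values[0]
        elif required:
            errors.append(f"required attribute {idp_name!r} missing")
    return mapped, errors


def process_assertion(xml_text, now=None):
    """Validate the assertion and build the SAP HCM user record, or return the reasons for rejection.

    The XML signature must be verified by a SAML library before any of this is trusted;
    that step is not available in the standard library and is omitted here.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    errors = validate_conditions(root, now)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        errors.append("missing NameID")
    mapped, attr_errors = map_attributes(root)
    errors.extend(attr_errors)
    if errors:
        return False, errors
    mapped["sap_user"] = name_id
    return True, mapped


def demo():
    """Three scenarios: a valid login, an expired assertion, and one issued for another SP."""
    base = datetime(2020, 6, 1, 12, 1, 0, tzinfo=timezone.utc)
    other = SAMPLE_ASSERTION.replace(SP_ENTITY_ID, "https://other-app.example.corp")
    return {
        "valid": process_assertion(SAMPLE_ASSERTION, now=base),
        "expired": process_assertion(SAMPLE_ASSERTION, now=base + timedelta(minutes=15)),
        "other_sp": process_assertion(other, now=base),
    }


if __name__ == "__main__":
    for name, (ok, payload) in demo().items():
        print(name, "OK" if ok else "REJECTED", payload)
```

The two rejected scenarios are the kind of "intermittent incident" the paragraph above refers to: an assertion that is fine at the IdP but arrives after its validity window (clock drift or a stale browser tab), or an assertion minted for a different relying party. Logging the specific violation, rather than a generic login failure, is what makes these diagnosable.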

The robustness of this implementation was demonstrated in the adoption: without any special training, users simply stopped seeing the SAP HCM login screen.

Technologies

  • SAML 2.0
  • Active Directory (AD)
  • SAP HCM / SuccessFactors
  • Identity Provider (IdP)

Services applied

For prospects in evaluation stage, we can facilitate reference contacts for this type of project. Contact us.

Have a similar project?

Tell us the challenge and we'll assess how to approach it.