Federated Single Sign-On

Single sign-on (SSO) is a session/user authentication process that permits users to enter a single name and password to access multiple applications. While SSO uses a single login (username/password) to access all applications within the same organization, federated SSO (FSSO) goes a step further and extends SSO across enterprises. In other words, FSSO allows access to multiple systems across different organizations, benefitting both users and organizations.

For a list of common issues related to setting up the FSSO in SAP CPQ, see Federation Troubleshooting.


To be able to successfully use the FSSO in SAP CPQ, you must complete these steps:

  1. Contact the SAP CPQ Support team to enable access to the Federation Settings section of the Setup.
    In case multiple SAP CPQ domains on a single SAP CPQ environment are using the same identity provider, request federation support for your environment from your SAP CPQ contact person by providing a list of domains for which the federation dashboard needs to be enabled.
  2. Configure the settings in the Federation Settings section and set up an operational identity provider.
    You can do this independently.
  3. Form the federation URL for SAP CPQ SP-initiated FSSO for your environment.

SAP CPQ Federation Technical Overview

The SAP CPQ federated authentication uses the Security Assertion Markup Language (SAML) 2.0 protocol, allowing you to exchange authentication and authorization data between cross-domain applications. Consequently, this allows you to sign onto a remote IdP and to access the SAP CPQ application. The federated authentication using SAML can be enabled on request for your organization. Information about SAML 2.0 protocol details is available in Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0. For remote IdPs, SAP CPQ acts as a Service Provider (SP). SAP CPQ never works as an IdP. In Microsoft terminology, Relaying Party (RP) stands for Service Provider.

SAP CPQ supports two major SAML 2.0 profiles:

More details about SAML 2.0 profiles is available in Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0.

SAP CPQ does not support the Web Service Federation protocol (WS-Federation/Ws-Fed).

Benefits of Single Sign-On

Setting up FSSO provides you with the following advantages:

  • Improved user experience - With SSO, users authenticate only once at a single point and enjoy a seamless experience across multiple domains. There is no need to remember separate credentials for each cross-domain because users retain only one set of credentials. This means they can securely move between services with no interruptions and without having to enter their credentials upon entering each new domain.
  • Saving time - When working with cross-domain applications, it can take up to 30 seconds to sign on to a web application or even longer if users mistype their username or password and have to re-enter it. SSO solves this problem by having the user enter credentials only once on the identity provider (IdP) side. By saving time, users also boost their productivity.
  • Enhanced security - User credentials are provided directly on the central SSO server, not on the actual service the user is trying to access. As a result, the credentials cannot be cached by the service. The central authentication point, the SSO service, reduces the possibility of phishing.
  • Simplified password management - Reduces administrative overhead in resetting forgotten passwords over multiple platforms and applications.

Federated Single Sign-On

SAP CPQ supports the SP- and IdP-initiated single sign-on. SP FSSO is initiated by the SAP CPQ application. When SP FSSO is utilized, SAP CPQ, as a SaaS application, exposes the new URL address specific to your tenant environment. On the other hand, IdP-initiated FSSO begins from IdP and, following authentication, lands the user on the SAP CPQ default page.

  • Redirect binding is preferred for the FSSO profile (authentication flow): -urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
  • Artifact binding is not supported at this time: -urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact

Binding details are specified in the SP metadata that is sent to you for the specific SAP CPQ environment.

Federated Single Sign-Out

For the FSLO profile (Sign-Out Flow), Redirect binding is preferred: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. You can find information about SAML 2.0 bindings in Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0.

SAP CPQ supports local and federated single sign-out scenarios. For the post sign-out, we support default and custom processing. Custom processing covers response actions received after sign-out (for example, redirecting to specific URL or calling a publicly visible API).

SAP CPQ can process two types of XML metadata files:

  1. files that describe a single entity, with the root element <EntityDescriptor>
  2. files that describe multiple entities, with the root element <EntitiesDescriptor>, containing a sequence of <EntityDescriptor> elements.

Furthermore, the federation is able to process a metadata file that contains either one or more federation signing and/or encryption certificates - that is, the file may include the certificate that is currently valid and one or more certificates that become valid after the currently valid certificate expires.

More Information
You are here: SAP CPQ Online HelpAdmin Page HelpFederated Single Sign-On