As an SAP customer, first, you have to create and configure the application in the SAP Administration Console for SAP Cloud Platform Authentication. To do this, perform the following steps:

1. Click + Add at the bottom of the page.

2. Add application with the name “suite-sso”.

3. Select the newly created "suite-sso" application and open SAML 2.0 Configuration.

4. Add “suite-sso” to “Name”.

5. Click Add URL.

6. Add the URL for each account for which you want to enable SSO. Use the following links:

https://sso.gservice.emarsys.net/login/auth/{account_name1}

https://sso.gservice.emarsys.net/login/auth/{account_name2}

https://sso.gservice.emarsys.net/login/auth/{account_name3}

7. Click Save at the bottom of the page.

8. Select Assertion Attributes.

9. Replace the “mail” string with “email” for the attribute named “E-mail”.

10. Click + Add above the Attribute list, and select “E-mail”.

11. Replace the “mail” string with “username” for the newly created attribute named “E-mail”.

12. Click Save at the bottom of the page.

13. Go to the Tenant Settings in the Applications & Resources and make sure that the "IdP-Initiated SSO" is turned on.

14. Under Tenant Settings, select SAML 2.0 Configuration.

15. Click Download Metadata file at the bottom of the page to save the Metadata XML.

16. Share the Metadata.XML with the Emarsys Customer Success Manager.

To login to Emarsys with Single Sign-on, perform the following steps:

1. Open the Emarsys login page and click on Login with SSO.

2. Add the account name you want to login to and click Continue.

3. Log in with your SAP credentials.

4. You are redirected to the selected account.

Currently we do not have support for:

• Mixed setups: If a customer sets up SSO login, then all administrators must use this feature.
• Federated logout: The manual logout functionality and the session timeout is still available.
• User deprovisioning: If a user is deleted in the Identity Provider, it will not be automatically deleted from our systems but the user will not be able to log in.

There are small changes on the user management side:

• Administrators who belong to customers with the 'single_signon' feature enabled, are not disabled automatically (e.g., after long inactivity).
• Administrators can be deleted, but they will be re-created after the next login with no permissions.
• The 'administrator creation' functionality has not been disabled, however, administrators created manually in the user management will not be able to log in.
• The 'forgot password' functionality has not been disabled and a new password can be set up, however, this has no effect on the SSO login flow.
• Currently, the permissions and roles can be managed only in the Emarsys user management, the SAML2 SSO can be used only for authentication. New users are commissioned with "restricted role".