SAP Knowledge Base Article - Public

2320766 - [SSO] Partial Organization Single Sign-On: Data model configuration, tips & tricks from Support for Partners

Symptom

This article covers the data model changes required for implementing Partial Organization Single Sign-On.
Prerequisites are:

  • Single Sign-On is already implemented.
  • You must have Provisioning access.
  • You are familiar with the Succession Data Model.

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

Environment

SAP SuccessFactors HXM Suite

Resolution

  • Implementation main steps:
    The main steps for implementing Partial Organization Single Sign-On are:

    1. Enabling the loginMethod standard element in the Succession Data Model, and making it visible in the User Data File (Employee Export)
    2. Enabling the Partial Organization feature in Provisioning
    3. Configuring the loginMethod to PWD for users that will be logging in using the username & password instead of SSO.

Note: Steps 2 and 3 are interchangeable. As soon as Step 1 has been completed, you will be able to set up the loginMethod even if Partial Organization SSO is not yet turned on.

  • Step 1: Enabling the loginMethod standard element in the Succession Data Model, and making it visible in the User Data File (Employee Export) / Manage Users.

We have created a new standard element with the id "loginMethod". This field is needed only when "Partial Organization SSO" is enabled; SSO customers that do not enable this feature do not need it.
This field defines whether a user comes in through SSO or not. The standard element has three allowable values:

  • SSO: the user must log in through the SSO method configured for this customer.
  • PWD: the user must log in through the standard username/password login pages.
  • Null (no value specified): the user must log in through SSO.

This "loginMethod" standard element must be enabled in the Succession Data Model. An example XML snippet appears below. If this field is not enabled in the Succession Data Model for the instance, then all users must log in through SSO. This standard element is not required at user import / user account creation time. If a value is not specified during user import, the user defaults to SSO login.

Standard Element Declaration
Add the following as a standard-element in the Succession Data Model:
 
<standard-element id="loginMethod" max-length="8" required="false" matrix-filter="false">
    <label>Login Method</label>
</standard-element>

Edits to the "sysAllUserDirectorySetting" Edit Template
Add a reference to this standard element in the "sysAllUserDirectorySetting" Edit Template that appears in the "sysUserDirectorySetting" View Template. This is to make the field visible in the Employee Export and/or Manage Users.
An example appears below:

<view-template id="sysUserDirectorySetting" visibility="none" pdf-printing-enabled="false">
    <label>User Directory Setting</label>
    <description>User Directory Setting</description>
    <edit-template id="sysAllUserDirectorySetting">
      <label>User Directory Setting(Entire Ordered List)</label>
      <description>User Directory Setting(Entire Ordered List)</description>
      <standard-element-ref refid="username"/>
      <standard-element-ref refid="firstName"/>
      ....
      <standard-element-ref refid="loginMethod"/>
    </edit-template>
    <edit-template>
      .....
    </edit-template>
</view-template>

  • Step 2: Enabling the Partial Organization feature in Provisioning

Enable the "Partial Organization SSO" feature in the provisioning tool under Single Sign-On (SSO) Settings.


  • Step 3: Configuring the loginMethod to PWD for users that will be logging in using the username & password instead of SSO

Once the data model has been configured per the instructions above, you can set the login method for a user by setting a value in the "loginMethod" field. This field can be edited either through the Employee Import or by other means (such as Admin Tools to edit user information). You could even enable the value for editing in the Employee Profiles if desired.
If setting the PWD value in the employee data file, add a column titled "LOGIN_METHOD" in rows 1 and 2.
You can also download the employee import template from Admin Tools, as the new column should also be displayed there.
Finally, you can export the user data file and work with this file to set the values as required for all users in the LOGIN_METHOD column.

It is expected that most customers will set this value through the Employee Import file, most likely as an automated FTP process.
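
An added example, not part of the SAP article: a Python audit of an exported user data file that lists which accounts are set to PWD and therefore log in outside SSO, applying the article's rule that a blank LOGIN_METHOD means SSO. The USERNAME column name, the comma delimiter, the sample rows and the approved_pwd allowlist are assumptions made for illustration.

```python
import csv
import io

# Constructed sample export. Rows 1 and 2 are both header rows, as in the
# employee data file; the USERNAME/FIRSTNAME column names are assumptions.
SAMPLE_EXPORT = """\
USERNAME,FIRSTNAME,LOGIN_METHOD
Username,First Name,LOGIN_METHOD
asmith,Alice,SSO
bjones,Bob,
ext.contractor1,Carol,PWD
svc.integration,Dave,PWD
ewong,Erin,pwd
"""

def audit_login_methods(text, approved_pwd=frozenset()):
    """Group users by login method and flag PWD users outside the allowlist."""
    rows = list(csv.reader(io.StringIO(text)))
    header, data = rows[0], rows[2:]           # skip the second header row
    if "LOGIN_METHOD" not in header:
        raise ValueError("LOGIN_METHOD column missing from export")
    user_col = header.index("USERNAME")        # assumed column name
    lm_col = header.index("LOGIN_METHOD")
    report = {"sso": [], "pwd": [], "unapproved_pwd": [], "unrecognized": []}
    for row in data:
        if not row:
            continue
        user = row[user_col].strip()
        value = row[lm_col].strip() if lm_col < len(row) else ""
        if value in ("", "SSO"):               # blank defaults to SSO
            report["sso"].append(user)
        elif value == "PWD":
            report["pwd"].append(user)
            if user not in approved_pwd:       # password login nobody signed off on
                report["unapproved_pwd"].append(user)
        else:
            # Not one of the documented values: report for manual review
            # instead of guessing how the system treats it.
            report["unrecognized"].append((user, value))
    return report

if __name__ == "__main__":
    result = audit_login_methods(SAMPLE_EXPORT, approved_pwd={"svc.integration"})
    for key, users in result.items():
        print(f"{key}: {users}")
```

Running this against each scheduled import file before upload, or against a periodic export, shows when the set of password-login accounts drifts from the approved list.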

 

See Also

For more details on the system behaviour of Partial SSO, refer to KBA 2088837 - [SSO] Partial Organization Single Sign-On - BizX Platform

Keywords

Data model, Partial Single Sign On, configurations, provisioning, xml, login method, PWD, SSO, partner, consultant, KBA, LOD-SF-PLT, Platform Foundational Capabilities, LOD-SF-PLT-SAM, SAML SSO First Time Setup, Problem

Product

SAP SuccessFactors HXM Suite all versions