This article covers the data model changes required to implement Partial Organization Single Sign-On.
- Single Sign-On is already implemented.
- You must have provisioning access.
- You are familiar with the Succession Data Model.
"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."
SAP SuccessFactors HXM Suite
- Implementation Main steps:
The main steps for Implementing Partial Organization Single Sign On are:
1. Enabling the loginMethod standard element in the Succession Data Model, and making it visible in the User Data File (Employee Export)
2. Enabling the Partial Organization feature in Provisioning
3. Configuring the loginMethod to PWD for users that will be logging in using the username & password instead of SSO
Note: Steps 2 and 3 are interchangeable. As soon as Step 1 has been completed, you will be able to set up the loginMethod even if Partial Organization SSO is not yet turned on.
- Step 1: Enabling the loginMethod standard element in the Succession Data Model, and making it visible in the User Data File (Employee Export) / Manage Users.
We have created a new standard element with id of “loginMethod”. This new field is needed only when "Partial Organization SSO" is enabled. It is not needed for any SSO customers that do not enable this feature.
This field will define whether a user comes in through SSO or not. The standard element will have three allowable values:
- SSO: A value of “SSO” means the user must log in through the SSO method configured for this customer.
- PWD: A value of “PWD” means the user must log in through the standard username/password login pages.
- Null (no value specified): No value specified means the user must log in through SSO.
This "loginMethod" standard element must be enabled in the Succession Data Model. An example XML snippet appears below. If this field is not enabled in the Succession Data Model for the instance, then all users must log in through SSO. This standard element will not be required at user import / user account creation time. If a value is not specified during user import, then the user will default to SSO login.
Standard Element Declaration
Add the following as a standard-element in the Succession Data Model:
<standard-element id="loginMethod" max-length="8" required="false" matrix-filter="false">
Edits to the "sysAllUserDirectorySetting" Edit Template
Add a reference to this standard element in the "sysAllUserDirectorySetting" Edit Template that appears in the "sysUserDirectorySetting" View Template. This is to make the field visible in the Employee Export and/or Manage Users.
An example appears below:
<view-template id="sysUserDirectorySetting" visibility="none" pdf-printing-enabled="false">
<label>User Directory Setting</label>
<description>User Directory Setting</description>
<label>User Directory Setting(Entire Ordered List)</label>
<description>User Directory Setting(Entire Ordered List</description>
- Step 2: Enabling the Partial Organization feature in Provisioning
Enable the "Partial Organization SSO" feature in the provisioning tool under Single Sign-On (SSO) Settings.
- Step 3: Configuring the loginMethod to PWD for users that will be logging in using the username & password instead of SSO
Once the data model has been configured per the instructions above, you can set the loginMethod for the user by setting values in the "loginMethod" field. This field can be edited either through the Employee Import, or other means (like Admin Tools to edit user information). You could even enable the value for editing in the Employee Profiles if desired.
If setting the PWD value on the employee data file, add a column titled "LOGIN_METHOD" in rows 1 and 2.
You can also download the employee import template from Admin Tools, as the new column should also be displayed there.
Finally, you can export the user data file and work with this file to set the values as required for all users in the LOGIN_METHOD column.
It is expected that most customers will set this value through the Employee Import file, most likely as an automated FTP process.
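An added example (not SAP's code and not part of the KBA): a Python sketch that sets LOGIN_METHOD to PWD for chosen users in an employee data file, rejects values outside SSO / PWD / blank, and lists the users who end up able to log in with a password instead of SSO. The USERID and USERNAME columns, the sample rows and the function names are constructed assumptions; only the LOGIN_METHOD column title, the two header rows and the value semantics come from the article.

```python
import csv
import io

COLUMN = "LOGIN_METHOD"       # column title given in the article (header rows 1 and 2)
ALLOWED = {"SSO", "PWD", ""}  # the three allowable values; blank means SSO

def set_login_method(csv_text, pwd_users, id_column="USERID"):
    """Set PWD for the given user ids; return (new_csv_text, effective_methods)."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    header, labels, data = rows[0], rows[1], rows[2:]
    if COLUMN not in header:  # add the column to both header rows
        header.append(COLUMN)
        labels.append(COLUMN)
        for row in data:
            row.append("")
    col, id_col = header.index(COLUMN), header.index(id_column)
    effective = {}
    for line_no, row in enumerate(data, start=3):
        value = row[col].strip()
        if value not in ALLOWED:  # reject anything outside SSO / PWD / blank
            raise ValueError(f"row {line_no}: invalid {COLUMN} value {value!r}")
        if row[id_col] in pwd_users:
            value = "PWD"
        row[col] = value
        effective[row[id_col]] = value or "SSO"  # no value specified means SSO
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows([header, labels] + data)
    return out.getvalue(), effective

def password_exceptions(effective):
    """User ids that may log in with username/password instead of SSO."""
    return sorted(uid for uid, method in effective.items() if method == "PWD")

# Constructed sample file; USERID and USERNAME are assumed column names.
SAMPLE = (
    "USERID,USERNAME,LOGIN_METHOD\n"
    "User ID,Username,LOGIN_METHOD\n"
    "1001,asmith,SSO\n"
    "1002,contractor01,\n"
    "1003,bjones,PWD\n"
)

if __name__ == "__main__":
    new_file, methods = set_login_method(SAMPLE, {"1002"})
    print(new_file)
    print("Password-login users to review:", password_exceptions(methods))
```

Running the exception list against every automated import gives a record of which accounts are exempt from SSO, so unexpected PWD entries can be caught before the file is uploaded.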
For more details on the system behaviour of Partial SSO, refer to KBA 2088837 - [SSO] Partial Organization Single Sign-On - BizX Platform