SAP Knowledge Base Article - Public

2370144 - [SSO] Multiple Asserting parties for SAML IdP and SP-Initiated login methods

Symptom

  • Can we use Identity Provider Initiated login (IDP-Initiated login) for one Active Directory and Service Provider Initiated login (SP-Initiated login) for another Active Directory?
  • Does SuccessFactors support multiple asserting parties for SAML IDP and SP Initiated SSO?
  • What combinations can be successfully implemented?
  • How to redirect users to a default landing page when the user logs out of the system if multiple asserting parties are configured?

Environment

SAP SuccessFactors HXM Suite

Resolution

If you have multiple identity providers, we can set up asserting parties for each one. This includes separate values for SAML issuer, signing certificate, and other settings. If one or more asserting parties are configured; in order to allow SP-initiated logins, one of the asserting parties must to be set to be the default asserting party. SuccessFactors does support multiple asserting parties, however, only the combinations below of IDP and SP for SAML SSO are allowed:

  1. Multiple IDP-Initiated asserting parties work and 2+ IDP-Initiated Asserting parties can be configured in an instance, provided each asserting party will have different Issuers.
  2. Multiple asserting parties with one IDP-Initiated and one SP-Initiated can be configured. In this case we can also have 2+ IDP-Initiated but only one SP-Initiated asserting party SSO.
  3. Multiple asserting party with SP-Initiated is not supported. Only one SP-Initiated asserting party is supported.

NOTE: If you want users from multiple asserting parties to deep link, you must use the ID-Initiated option rather than SP-Initiated. There must be zero asserting parties setup using SP-Initiated.

If you have multiple asserting parties and use deep linking, we need to identify to which IdP to send users for login information. If you have a default asserting party, we send them to that IdP. If not, we display a list of the available asserting parties and ask the user to select the appropriate one. Your administrator can configure the text identifying each available asserting party. After a user has logged on using a specific asserting party, we store a cookie in their browser. As long as they use the same browser and don’t clear their cookies, they don't need to select the asserting party again.

Generic SSO landing page

It is currently not possibe to change the layout of the multiple asserting parties landing page. What can be changed is the asserting party name from Admin Center > Manage Asserting Parties.

Disabling generic SSO landing page for multiple asserting parties

By default, in case of logout, timeout, or invalid login, users are redirected to a generic landing page that lists all of the SSO redirects configured in the system. Now you can choose not to use this page and instead, choose a default one to which all users are redirected, regardless of the asserting party used to login.

Please contact SuccessFactors support or an implementation partner if you would like to activate the feature Disable Multiple Asserting Party Selection under Single Sign-On (SSO) Settings in Provisioning and confirm which Default Asserting Party the users should be redirected to in case of timeout / invalid login / logout.

Keywords

Multiple asserting parties, asserting party, SSO, SAML, IdP, SP-Initiated, IDP-Initiated, deeplink, deep link redirect, landing page, generic sso landing page, multiple asserting parties page, layout

assertion partie
, KBA , LOD-SF-PLT-SAM , SAML SSO First Time Setup , LOD-SF-PLT-SEL , SSO Errors & Logs , Problem

Product

SAP SuccessFactors HXM Suite all versions