SAP Knowledge Base Article - Public

2391240 - [SSO] Partial Single Sign-On - Users are redirected to SSO login page instead of standard username and password page

Symptom

  • Invalid Username directs users to SSO IDP login page
  • Cancel from "forgot password" does not consider loginMethod parameter used previously if no existing cookie stored
  • Password users accessing the system for the first time get redirected to the SSO login page if they cancel out of "forgot password"

Environment

SAP SuccessFactors HXM Suite

Reproducing the Issue

Assuming the instance has Partial SSO enabled and the SSO configuration uses the SP-initiated method, there are two scenarios in which this behavior is expected:

Scenario 1

  1. A new user accesses the system via a URL containing the loginMethod=PWD parameter.
    for example: https://salesdemo4.successfactors.com/login?company=XXXXX&loginMethod=PWD
  2. Enter an invalid username.
  3. The user is taken to the SSO login page configured for SP-initiated login instead of landing on the default username and password page.

Scenario 2

  1. A new user accesses the system via a URL containing the loginMethod=PWD parameter.
    for example: https://salesdemo4.successfactors.com/login?company=XXXXX&loginMethod=PWD
  2. Navigate to the forgot password page.
  3. Click Cancel.
  4. The user is taken to the SSO login page configured for SP-initiated login.

Note: This behaviour occurs even for users who cleared the browser cache before step 1.

Cause

This is due to the absence of a loginMethod cookie in the browser cache.

In systems with Partial Single Sign-On enabled, the login behavior is driven by the value of this cookie.
Once a user has successfully logged on to the system, the cookie is stored in the browser cache with that user's login method (either PWD or SSO).

From then on, the system reuses the cookie value for subsequent login logic and actions.
If this cookie is set to PWD, the system behaves as expected.

However, this cookie is only set after a successful login.
Therefore, if a user enters an incorrect username, the system only redirects to the standard password login page if the PWD cookie has already been stored in the browser, i.e. if the user previously logged in using the PWD method.
Similarly, when a user cancels out of the forgot password feature, the system only returns to the password login page if the user previously logged in using the PWD method.
Otherwise, the system applies the SSO login logic and redirects the user to the configured SP-initiated SSO URL.
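The following is an added example, not SAP code, that models the routing decision described above so the two scenarios can be replayed end to end: a first-time user with no loginMethod cookie is sent to the SP-initiated SSO page after an invalid username or a cancelled forgot-password flow, and the same events route to the password page only once a successful PWD login has written the cookie. The SSO and password-page URLs, the cookie handling and all function names are assumptions made for the illustration.

```python
# Added example (not SAP's code): a small model of the Partial SSO routing
# decision described in the KBA. URLs, cookie handling and function names
# are assumptions made for illustration.
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Constructed placeholder targets; the real URLs are instance-specific.
SSO_SP_INITIATED_URL = "https://idp.example.invalid/sp-initiated-login"
PWD_LOGIN_PAGE = "/login?company=XXXXX&loginMethod=PWD"
COOKIE_NAME = "loginMethod"  # cookie named in the KBA; values "PWD" or "SSO"


@dataclass
class Browser:
    """Minimal cookie jar standing in for the user's browser."""
    cookies: dict = field(default_factory=dict)

    def clear_cache(self) -> None:
        # Clearing cache/cookies removes any stored login method, which is
        # exactly the state a first-time user is in.
        self.cookies.clear()


def login_method_from_url(url: str):
    """Extract the loginMethod query parameter from the login URL, if present."""
    return parse_qs(urlparse(url).query).get("loginMethod", [None])[0]


def route_after_event(browser: Browser, event: str) -> str:
    """Where the user lands after an invalid username or a cancelled
    "forgot password" flow. Per the KBA only the stored cookie is consulted
    at this point; the loginMethod parameter of the original URL is not."""
    if event not in ("invalid_username", "cancel_forgot_password"):
        raise ValueError(f"unknown event: {event}")
    if browser.cookies.get(COOKIE_NAME) == "PWD":
        return PWD_LOGIN_PAGE
    # No cookie (first-time user) or cookie == "SSO": SSO logic applies.
    return SSO_SP_INITIATED_URL


def successful_login(browser: Browser, method: str) -> None:
    """A successful login is the only point at which the cookie is written."""
    if method not in ("PWD", "SSO"):
        raise ValueError(f"unknown login method: {method}")
    browser.cookies[COOKIE_NAME] = method


def walk_scenarios(start_url: str) -> dict:
    """Replay both KBA scenarios for a first-time user, then the same events
    after one successful PWD login (the end state of the workaround)."""
    browser = Browser()
    browser.clear_cache()  # per the KBA note, clearing the cache does not help
    results = {"url_requests": login_method_from_url(start_url)}
    results["first_visit_invalid_username"] = route_after_event(browser, "invalid_username")
    results["first_visit_cancel_forgot_password"] = route_after_event(browser, "cancel_forgot_password")
    # e.g. the user logs in with credentials from an admin-triggered reset email
    successful_login(browser, "PWD")
    results["after_pwd_login_invalid_username"] = route_after_event(browser, "invalid_username")
    results["after_pwd_login_cancel_forgot_password"] = route_after_event(browser, "cancel_forgot_password")
    return results


if __name__ == "__main__":
    url = "https://salesdemo4.successfactors.com/login?company=XXXXX&loginMethod=PWD"
    for step, target in walk_scenarios(url).items():
        print(f"{step:40s} -> {target}")
```

Running the block prints the landing target for each step; the two "first_visit" entries show the SSO URL even though the start URL carried loginMethod=PWD, and both "after_pwd_login" entries show the password page, which is the state the workaround in the Resolution section brings affected users into.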

Resolution

Our Engineering team has confirmed this as expected behavior. Should you have any concerns with this, you can use the following workaround for scenario 2 above:

  • New users have been created;
  • The users are provided with the login link, but they do not know their username / password combination;
  • Use the reset password feature in Admin tools for the affected users to trigger an email informing them of their first-time credentials;
  • After the first successful login, the loginMethod cookie is set and the users are forced to reset their password;
  • Any navigation in the login screens thereafter follows the PWD login logic, as the cookie has been set and saved.

If you wish to change the standard behavior, please submit an enhancement request (or review an existing one) on the Ideas page: 2090228 - SuccessFactors Enhancement Request - Ideas for Product improvements

Keywords

Partial SSO, SSO, User Name, Password, Forgot Password, Redirect, KBA, LOD-SF-PLT, Platform Foundational Capabilities, LOD-SF-PLT-SSO, Single Sign-on, Problem

Product

SAP SuccessFactors HXM Suite all versions