SAP Knowledge Base Article - Public

2396645 - [SSO] SP Initiated Login

Symptom

  • How SP Initiated works?
  • How do I setup SP Initiated Login?
  • SP initiated use a GET or POST method?

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors HXM Suite

Resolution

How SP Initiated Login works

The main difference between the SP Initiated and the IDP Initiated methods is that in SP, the access starts from the Service Provider, which is the SuccessFactors in our SSO setups. In IDP Initiated, the access starts directly from the Identity Provider. The steps followed in SP Initiated are:

  1. Access starts from the SP;
  2. The SP redirects the user session to the IdP with a SAML request (Authentication request);
  3. The user logs into the IdP (manually or seamlessly);
  4. The IdP redirects the user session back to the SP with a SAML Response containing the user data and trust information;
  5. The service provider validates the response has been correctly built and signed;
  6. The end user is granted access to the Service provider.

SP Initiated Login Setup

The setup of SP Initiated Login is configured in Provisioning. This way, you need to contact your Implementation Partner or Customer Support to request the change. The default configuration is IDP Initiated, to have SP initiated method available too, we need to know values for:

  • Default Issuer:
    If you have more than one asserting party, which asserting party will be the default for SP-Initiated? (only one can be set here);
  • single sign on redirect service location (to be provided by IdP): 
    Which URL to send the SP Authentication request to. Typically this is provided by the IdP. It could be in the metadata file provided already (under SingleLogoutService section);
  • Send request as Company-Wide issuer:
    What EntityID to send in the authentication request. This needs to match the setup on the customer end. Setting value to No sends the generic value for the datacenter, and Yes sends the value with the company ID.
    For example, if they setup their system to recognize the SP using “www.successfactors.com” then our authentication request SAML message needs to contain the same value, so we set it to No.
    If we want to send “www.successfactors.com/CompanyID” then we set it to Yes.

Note: If this configurations is set as No and customer is using our issuer as “www.successfactors.com/CompanyID”, an error will happen in customer end (iDP end). That is why we must ensure that both sides are matching.

Setting up SP Login.png

Notes

  • We send the entire SAML Request as a GET and not a POST;
  • We are compliant with the SAML standard. However, we do want to increase our customer confidence in our technology and would like to address any security issue they see;
  • Our future direction and strategy is to use IAS (Identity Authentication Service) as our IDP that connects to the customer IDP. IAS supports both GET and POST.

See Also

2396658 - [SSO] SP Initiated Logout

Keywords

SAML, SAML2, Service Provider, Identity Provider, Single Sign On, SSO SP, GET, POST, method , KBA , LOD-SF-PLT-SAM , SAML SSO First Time Setup , LOD-SF-PLT-SEL , SSO Errors & Logs , How To

Product

SAP SuccessFactors HXM Suite all versions