SAP Knowledge Base Article - Public

2408674 - [SSO] Single Sign-On using ADFS not working - Didn't get an assertion in ArtifactResponse

Symptom

  • You have your IDP initiated SSO connection setup and working;
  • You are experiencing issues with SP initiated SSO with ADFS as Identify provider.

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors HXM Suite

Reproducing the Issue

  • Customer reports that SSO with ADFS in SP Initiated method is not working;
  • Support access Provisioning;
  • Go to Single Sign-On (SSO) Settings;
  • Go to the SSO Log Viewer;
  • Check the last error message in the logs saying: Didn't get an assertion in ArtifactResponse.

Cause

The Identity Provider (ADFS) cannot interpret the authentication request that is coming from SuccessFactors so it sends a "default" response without the assertion related information in the message.

Resolution

The information provided does not imply that SAP Cloud Product Support have any expertise in setting up ADFS systems for customers. These are merely bits of information that were gathered over time while configuring the SAML SSO with ADFS which may help you with a smoother setup. If you require assistance setting up your ADFS system, please reach out to your consultant, partner, or Microsoft support.

To resolve the issue you will need to verify and perhaps reconfigure the settings in your Identity Provider.

Customer Support do not have access to these configurations and so you will need to engage with the person who has access to the ADFS server to check the configurations mentioned on the points below:

  • In The relying party configuration identifier tab, check that the identifier value matches the EntityID value provided by Support via the metadata file for your instance. If it does not match, the ADFS system will not be able to select the correct configuration to use to respond to the message.
    2019-05-28_14-50-39.png
  • In the relying party configuration please ensure that in the advanced tab, the secure hash algorithm value is set to SHA1. By default the value is set to SHA256 which causes the authentication flow to.
    Advanced tab.jpg
  • In the relying party configuration please ensure that the SFAdmin certificate has been imported into the signature tab. If you do not have the certificate you can ask support to provide it.
    Signature tab.jpg

See Also

2674264 - Configuring SSO between Corporate IDP, IAS Tenant and BizX Instance when using IAS as a proxy to Corporate IDP - BizX Platform

Keywords

SSO, ADFS, Service Provider, Identity Provider BizX Platform, Microsoft ADFS, Didn't get an assertion in ArtifactResponse, error, Login , KBA , LOD-SF-PLT-SEL , SSO Errors & Logs , LOD-SF-PLT , Platform Foundational Capabilities , Problem

Product

SAP SuccessFactors HXM Suite all versions