SAP Knowledge Base Article - Public

2449659 - SSO Implementation issues | SHA-256 vs SHA-1 encryption algorithms

Symptom

  • The screen keeps spinning when trying to log in via SSO;
  • The screen goes back and forth between the IdP login screen and the SuccessFactors screen;
  • The customer/partner is encountering difficulty during SSO implementation;
  • SSO is not working correctly and the customer/partner requests assistance with SSO setup.

Environment

SAP SuccessFactors HXM Suite

Reproducing the Issue

  1. Access the IdP-initiated login URL;
  2. Type your credentials and attempt to log in;
  3. The authentication process behaves as follows:
    • the screen keeps spinning in an endless loop, or;
    • it goes back and forth between the IdP and SuccessFactors screens.

Cause

The customer's Identity Provider (IdP) is using the SHA-256 algorithm, which is not supported, to encrypt the SAML Assertion Response when sending it to SuccessFactors.

Resolution

SuccessFactors Provisioning doesn't work with the SHA-256 encryption algorithm.

Please access your IdP settings and ensure the IdP is using the SHA-1 algorithm instead. SuccessFactors will always work with this one.

Important: some IdPs take considerable time to apply the algorithm change, so you may need to wait a couple of minutes for the cache to refresh the settings.

Please also check KBA 2957157 - When SSO BizX will upgrade the certificate based on SHA1?
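
To confirm which algorithm the IdP actually sends, you can inspect a captured response: in SAML the SHA-1 or SHA-256 choice appears in the Algorithm URIs of the XML signature's SignatureMethod and DigestMethod elements. The script below is an added example, not SAP code; it assumes you captured the base64 SAMLResponse form value posted by your IdP (HTTP-POST binding), and the sample response and function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace

# Constructed sample (not a real IdP response): signature skeleton only.
SAMPLE_XML = b"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod
        Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_constructed">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()

def hash_family(uri):
    """Map an XML-DSig algorithm URI to its hash, e.g. 'SHA-256'."""
    name = uri.rsplit("#", 1)[-1].lower()
    for suffix, label in (("sha1", "SHA-1"), ("sha256", "SHA-256"),
                          ("sha384", "SHA-384"), ("sha512", "SHA-512")):
        if name.endswith(suffix):
            return label
    return "unknown"

def signature_algorithms(saml_response_b64):
    """List (element, algorithm URI, hash) for each signature algorithm."""
    # Inspection only: reads declared algorithms, verifies no signature.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = []
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iter(DS + tag):
            uri = el.get("Algorithm", "")
            found.append((tag, uri, hash_family(uri)))
    return found

def uses_only_sha1(saml_response_b64):
    """True when the response is signed and every declared hash is SHA-1."""
    algs = signature_algorithms(saml_response_b64)
    return bool(algs) and all(h == "SHA-1" for _, _, h in algs)

if __name__ == "__main__":
    for tag, uri, family in signature_algorithms(SAMPLE_B64):
        print(f"{tag:16} {family:8} {uri}")
    print("SHA-1 only:", uses_only_sha1(SAMPLE_B64))
```

Run it again on a fresh response after changing the IdP setting to confirm the change has taken effect.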

Keywords

IdP, SSO, SSO configuration, spinning, spinning screen, back & forth screen, SSO issue, KBA, LOD-SF-PLT-SEL, SSO Errors & Logs, How To

Product

SAP SuccessFactors HXM Suite all versions