SAP Knowledge Base Article - Public

2954188 - Failing to login to SuccessFactors instance through SAP IAS (Cloud Platform Identity Authentication Service)

Symptom

  • After migration to SAP Cloud Platform Identity Authentication (the upgrade referred to in KBA 2791410), you face login issues such as the ones below:
    • Login loops, redirecting continuously from the SAP SuccessFactors domain to the IAS domain without logging in;
    • On access, the error message "Identity Provider could not process the authentication request received" is displayed (see the screenshot below);

IAS error.PNG

    • Any other login issues, such as a Missing Credentials page or an Invalid Login page.

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

  • SAP SuccessFactors HXM Suite
  • SAP Cloud Platform Identity Authentication Service (SAP IAS)

Reproducing the Issue

  1. After the upgrade, try to log in to SuccessFactors through the SuccessFactors login URL.
  2. The login fails with one of the behaviors listed under Symptom.

Cause

There is a missing configuration or a misconfiguration on your IAS or on your Corporate Identity Provider/SSO Provider (Azure, ADFS, Okta, among others).

Resolution

Make sure that you are trying to log in through a valid URL. After the migration to IAS, your old IdP-Initiated login URL will no longer be functional, and you might need to use another URL (check with your SSO team).

For testing, use the SP-Initiated URL from SuccessFactors. The SP-Initiated URL always has the format <DC URL>/login?company=<CompanyID>&loginMethod=SSO.

Also, make sure that you have completed all the configurations required by KBA 2791410 and the guides that it refers to.

If you still face issues with the SP-Initiated URL, check the topics below and take screenshots in case you need to engage Product Support, so that the case is resolved faster:

  1. Check that your IAS Name matches the one created by the upgrade. To do this, follow the steps below:
    1. Log in to the admin console of your IAS tenant with an IAS admin user;
      • The admin console is accessed at "<IAS URL>/admin";
    2. Go to Applications & Resources -> Tenant Settings;
    3. Click SAML 2.0 Configuration;
    4. In the Name field, you can choose a name that is your URL with or without https://. The upgrade always creates the SuccessFactors settings with https://.
    5. Possible Solution: The Name field should start with https://. If you need to change it, change it in the dropdown and save with the button on the page. Note that if you have already set up other integrations, such as the Corporate IDP, you will need to redo those because the Name has changed;
    6. Take a screenshot of this page so that you can provide it if an incident needs to be opened (as in the screenshot below);

name.PNG

  2. Make sure that IAS is sending the correct parameter and that the users are correctly set up;
    1. Log in to the admin console of your IAS tenant with an IAS admin user;
    2. Go to Applications & Resources -> Applications;
    3. Click the application for your SuccessFactors instance. It is the one whose second line shows successfactors.com/<your instance company ID> (successfactors.eu for European data centers);
    4. Possible Solution: On the application, check that the settings below are in place:
      • Type is set to SAML 2.0;
      • SAML 2.0 Configuration is set up with your SF instance information, as in the metadata that you can create for SSO integration;
      • Subject Name Identifier is set to Login Name;
      • Default Name ID Format is set to Unspecified;
      • Apply Function to Subject Name Identifier is set to None;
      • Conditional Authentication is set to SAP Cloud Platform Identity Authentication if you do not have an SSO, or to the name that you gave your SSO setup on IAS if you use SSO;
    5. Take a screenshot of the page, as in the example below:

Application.png

    1. Go to User & Authorizations -> User Management;
    2. Pick one user for whom you can reproduce the login issue and search for their username or e-mail;
    3. Click the line for the user in the search results;
    4. Possible Solution: If you are not able to find the user, it is likely that your users are not synced correctly. Check your IPS system and make sure that you have followed the User Sync steps in 2791410.
    5. Check that the Login Name holds the username of the user on SuccessFactors (it needs to be a perfect match);
    6. Take a screenshot of this page, as in the example below:

user.PNG

    1. On SuccessFactors, do an Employee Export and check whether you can find a user that has the Login Name from step 5 as username;
    2. Make sure that this user is active and has a valid manager;
    3. Possible Solution: If the user is inactive or has an invalid manager, you need to correct this on SuccessFactors by re-activating the user or changing the user's manager;
  3. (If you are using an SSO) Check your SSO integration with IAS (you will need to have your SSO team engaged on this);
    1. Log in to the admin console of your IAS tenant with an IAS admin user;
    2. Go to Applications & Resources -> Tenant Settings;
    3. Click SAML 2.0 Configuration;
    4. Scroll all the way down to the end of the page and click Download MetaData File;
    5. Provide that metadata file to your SSO team and ask them to make sure that they have one application created on your SSO with the information from that metadata file;
    6. Possible Solution: Your SSO team needs to make sure that the Claim Rules or the user attributes that are forwarded to IAS are the same as in your previous SuccessFactors application in the SSO settings, so that you send us the username as the Name ID;
    7. Go to Identity Providers -> Corporate Identity Providers;
    8. Click the Identity Provider that you are using (it should be the same as in step 2.4 on Conditional Authentication);
    9. Make sure that the settings below are correct:
      • SAML 2.0 Configuration is set up with your SSO metadata information (your SSO team needs to provide this information);
      • Identity Provider Type is set as below:
        • Microsoft ADFS / Azure AD: If you are using either ADFS or Azure as SSO;
        • SAP Single Sign-On: If you are using SAP Single Sign-On;
        • SAML 2.0 Compliant: For any other SAML SSO solution (note that we only support SAML2 SSOs);
      • Name ID Format is set to Unspecified;
    10. Take a screenshot of this page, as in the example below:

sso.png

  4. Generate and check the SSO logs:
    1. To understand what is happening while you try to access through SSO, you might need to check what is happening in the browser;
    2. Install the SAML-Tracer extension in the Chrome or Firefox browser of one affected user;
      1. To install it, search for SAML-Tracer on Google and follow the instructions to install it;
    3. With the SAML-Tracer extension installed, start the extension and then start the login process;
    4. The extension opens a second window, where you will see a log similar to the screenshot below;

saml-tracer.PNG

    1. Note that a couple of lines carry an orange SAML tag; open the line with your IAS URL;
    2. Go to the SAML tab;
    3. Possible Solution: If the NameID attribute is not sent with the username from SuccessFactors and in unspecified format, you need to correct the claim rules (parameters) on the SSO side;
      • Example of the NameID attribute in the SAML logs: <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">sfadmin</NameID>
      • If the format on the NameID is "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", this indicates that your IAS assertion party in provisioning is set to persistent, while it should be unspecified. Ask your partner to change it in provisioning to unspecified, or raise an incident as referred to below requesting support to update it.
    4. Export the SAML trace log file by clicking Export;
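
The NameID check from step 4 can be scripted. The following is an added example, not SAP code: it takes the XML shown in the SAML tab (or the base64 SAMLResponse form value of an HTTP-POST login, already URL-decoded) and reports whether the NameID has the unspecified format and exactly matches the expected Login Name. The function names, sample messages and the value P000123 are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def load_saml_xml(raw):
    """Accept XML copied from the SAML tab, or a base64 SAMLResponse form value."""
    text = raw.strip()
    data = text.encode() if text.startswith("<") else base64.b64decode(text)
    # SAML messages carry no DTD; refuse one so entity expansion never reaches the parser.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD or entity declaration found; refusing to parse")
    return ET.fromstring(data)

def check_name_id(raw, expected_login_name):
    """Return findings for the Subject NameID; an empty list means it matches the KBA."""
    name_id = load_saml_xml(raw).find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["no Subject NameID found (wrong message, or the assertion is encrypted)"]
    findings = []
    fmt = name_id.get("Format", "")
    value = name_id.text or ""
    if fmt == PERSISTENT:
        findings.append("Format is persistent; provisioning must be changed to unspecified")
    elif fmt != UNSPECIFIED:
        # Strict on purpose: an absent Format is reported too, so it gets reviewed.
        findings.append(f"Format is {fmt or '(absent)'}, expected {UNSPECIFIED}")
    if value != expected_login_name:
        if value.strip().casefold() == expected_login_name.casefold():
            findings.append(f"NameID {value!r} differs only by case or whitespace")
        else:
            findings.append(f"NameID {value!r} is not the Login Name {expected_login_name!r}")
    return findings

# Constructed sample messages (not taken from a real tenant).
_TEMPLATE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:Subject>'
    '<saml:NameID Format="{fmt}">{value}</saml:NameID>'
    '</saml:Subject></saml:Assertion></samlp:Response>'
)
GOOD = _TEMPLATE.format(fmt=UNSPECIFIED, value="sfadmin")
BAD = _TEMPLATE.format(fmt=PERSISTENT, value="P000123")

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("bad", BAD)):
        print(label, check_name_id(msg, "sfadmin") or "OK")
```

The script only reads the NameID; it does not validate the assertion signature, so use it for troubleshooting a trace, not as an authentication check.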

If, after all the steps above, you were not able to solve the issue, raise an incident on component LOD-SF-PLT-IAS with all the highlighted elements (the 4 screenshots compiled in one file and the SAML Tracer export), plus Support access to the instance.

Keywords

IAS SAC SSO Upgrade fail looping , KBA , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , BC-IAM-IDS , Identity Authentication Service , Problem

Product

SAP SuccessFactors HXM Suite all versions