When IAS is integrated with an IdP, authentication to IAS fails in the scenarios below (there may be others not listed here). In these cases IAS sends a SAML response to SuccessFactors reporting that authentication has failed, as in the example at the end.
- User not replicated to IAS and the feature "Allow Identity Authentication users only" is enabled:
  - Under Identity Providers -> Corporate Identity Providers -> Federation, "Allow Identity Authentication users only" is ON;
  - The user trying to access does not exist in IAS;
- The SAML authentication request sent from the IdP does not have the Name ID parameter;
Example of the SAML response that IAS sends to SuccessFactors to report the failure:
<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:ns4="http://www.w3.org/2001/04/xmlenc#"
          xmlns:ns3="http://www.w3.org/2000/09/xmldsig#"
          Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
          Destination="https://salesdemo4.successfactors.com/saml2/SAMLAssertionConsumer?company=SFPART051986"
          ID="RES-SSO-20f4b5b6-0106-4e77-ba83-7e1ddeba153b"
          InResponseTo="_c014201e-505f-4ad3-a29f-c75bc842f30d"
          IssueInstant="2021-08-27T13:14:07.419Z"
          Version="2.0">
  <ns2:Issuer>sfbrazil.accounts400.ondemand.com</ns2:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
    <StatusMessage>Failed to authenticate user.</StatusMessage>
  </Status>
</Response>
- SAP SuccessFactors HXM Suite
- SAP Identity Authentication
The loop is caused by a configuration issue: authentication fails on IAS, but SuccessFactors currently does not handle the IAS response that reports "Failed to authenticate user."
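One way to recognise this failure in a captured SAML trace, as an added example that is not part of the original KBA and not SAP code: it decodes each base64 SAMLResponse value, reads the status fields, and flags a run of failed responses that each answer a new request. The function names, the threshold of three and the InResponseTo values in the sample are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET  # for untrusted XML, prefer a hardened parser such as defusedxml

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: same shape as the failure response shown on this page,
# trimmed to the fields the check reads. The InResponseTo values are made up.
TEMPLATE = (
    '<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'InResponseTo="{req}" Version="2.0">'
    '<ns2:Issuer>sfbrazil.accounts400.ondemand.com</ns2:Issuer>'
    '<Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>'
    '<StatusMessage>Failed to authenticate user.</StatusMessage></Status>'
    '</Response>')

def encode(xml_text):
    """Base64-encode XML the way the HTTP-POST binding carries SAMLResponse."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")

def parse_status(saml_response_b64):
    """Return issuer, request id, status code and message of one SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    code = root.find("p:Status/p:StatusCode", NS)
    return {
        "issuer": root.findtext("a:Issuer", default="", namespaces=NS).strip(),
        "in_response_to": root.get("InResponseTo"),
        "status": code.get("Value") if code is not None else None,
        "message": root.findtext("p:Status/p:StatusMessage", default="", namespaces=NS).strip(),
    }

def is_failure(info):
    """Anything other than the SAML Success status counts as a failed login."""
    return info["status"] != SUCCESS

def looks_like_sso_loop(trace_b64, threshold=3):
    """True if `threshold` consecutive responses fail, each answering a new request."""
    run, seen = 0, set()
    for item in trace_b64:
        info = parse_status(item)
        if is_failure(info) and info["in_response_to"] not in seen:
            run += 1
            seen.add(info["in_response_to"])
            if run >= threshold:
                return True
        else:  # a success or a repeated request id ends the run
            run, seen = 0, set()
    return False

SAMPLE_TRACE = [encode(TEMPLATE.format(req="_constructed-req-%d" % i)) for i in range(1, 4)]
```
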
Each of the scenarios above is a configuration issue. Refer to KBA https://launchpad.support.sap.com/#/notes/2954188 to correct the configuration and allow the user access to the system, which also resolves the loop.
As for the loop occurring instead of an error message: this is currently a product limitation. Because it results from a configuration issue already addressed in our documentation, it is not considered an issue but an enhancement for future releases.
Please follow this KBA for updates on the behavior and the enhancement; we will keep it updated once a decision is made on whether and when this behavior will change.
- It is currently planned to be enhanced by 2111, though this is not yet confirmed (for internal reference: PLT-78808).