SAP Knowledge Base Article - Public

2088058 - Is Partial SSO supported? - Platform

Symptom

Environment

  • BizX Platform

Resolution

  • YES, partial SSO is a supported feature. However, we ask that you file a case with Support, because some configuration needs to take place in Provisioning before this option can be used.
     
     
  • The partial organization SSO (Single Sign On) feature allows an organization to specify that some users authenticate (log in) through SSO while others authenticate through the username/password login page. This feature is opt-in and is enabled in Provisioning (see below). All SSO methods are supported.
     
     
  • A user can be assigned to only one login option: a user cannot log in through both SSO and the standard username/password login. It is one or the other.

          Please file a ticket with the Support Team to have this enabled.

  • Setting the loginMethod for each user: specify the desired value for each user in the "loginMethod" field.
     
    These steps are described below.
     
  • Setting the loginMethod will typically be done through the Employee Import process, most likely as an automated FTP job. For a test setup, you can edit this standard element manually through Employee Import, through Admin Tools --> Manage Employee, or even through Employee Profile if you configure the field to appear in the profile.
     

Default System Behavior

   The feature is designed so that the default behavior remains SSO login for all users unless specified otherwise on a per-user basis. When this feature is enabled, the system looks at the value set for each user in the "loginMethod" field.

  • If the "loginMethod" field is NOT enabled in Step 2 below, all users default to the SSO login method.
  • If the "loginMethod" field is enabled but no value is specified for a user in Step 3 below, that user defaults to the SSO login method.

   Under this "Partial Organization SSO" feature, the only way a user can log in through the standard password login field is if all three of the following hold:

  1. This feature is enabled in provisioning per Step 1
  2. The "loginMethod" field is enabled in the Succession Data Model per Step 2
  3. A value of "PWD" is set for the user in the loginMethod field per Step 3

   In all other scenarios, users log in through the standard SSO login method set for the company.

 

Setting the loginMethod for each User

  • Once the data model has been configured (done by the Support team) per the instructions above, you can set the loginMethod for each user by setting a value in the "loginMethod" field. This field can be edited through the Employee Import or by other means (for example, Admin Tools to edit user information). You could even make the value editable in Employee Files if desired.
     
  • It is expected that most customers will set this value through the Employee Import file, most likely as an automated FTP job.
     

Additional Details

  • Configuration is now complete. Below are details on system behavior under the Partial SSO feature.
     
     

Password Policy

   When the "Partial Organization SSO" feature is enabled in Provisioning, the password policy settings apply only to users whose "loginMethod" is set to "PWD". For these users, the system enforces the password policy settings specified in Admin Tools --> System Properties. This means the system will:

  • Enforce all password policy settings
  • Allow them to access the password tab under Options --> Password
  • Allow them to recover/change their passwords

   For any user whose "loginMethod" is not set to "PWD" (that is, it is either "SSO" or null), the user is NOT subject to the password policy settings. This means:

  • The password policy will not apply for this user
  • This user will not be able to access the password tab under Options --> Password
  • The user will never see a popup screen to change their password.
  • The user will not be able to recover/change their password in any way.
  • A password reset should not send any email notification to these users. The reset itself is still performed; only the notification is suppressed. This is useful with SAML 2.0, where the system password is no longer referenced during SAML authentication. In that case, administrators might prefer to set a random password for each such user in the system, so the stored credential is never a usable secret.
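The following is an added example, not part of the KBA or of any SAP tooling. It encodes the three-condition rule from the "Default System Behavior" section as a pre-import check over a constructed Employee Import extract, reports rows whose loginMethod value will silently fall back to SSO, and, for the "random passwords for SSO users" practice described above, emits a copy of the file with a fresh random value for every user resolved to SSO. Only the "loginMethod" field ID comes from the article; the USERID, USERNAME and PASSWORD column names, and the case-sensitive comparison against "PWD", are assumptions.

```python
import csv
import io
import secrets
import string

# Constructed sample Employee Import extract (not from the KBA). Column names
# other than "loginMethod" are assumed for illustration.
SAMPLE_IMPORT = """USERID,USERNAME,loginMethod
u1001,alice,PWD
u1002,bob,SSO
u1003,carol,
u1004,dave,pwd
u1005,erin,LDAP
"""

# The two values the article names for the field. The comparison is treated
# as case-sensitive here (an assumption); anything else is reported and, per
# the default behaviour, resolves to SSO.
VALID_VALUES = {"SSO", "PWD"}


def effective_login_method(feature_enabled, field_enabled, value):
    """Resolve how one user authenticates under the article's three conditions.

    Password login only when the Partial Organization SSO feature is enabled
    in Provisioning, the loginMethod field is enabled in the data model, and
    the user's value is exactly "PWD". Every other case resolves to SSO.
    """
    if not (feature_enabled and field_enabled):
        return "SSO"
    return "PWD" if (value or "").strip() == "PWD" else "SSO"


def review_import(csv_text, feature_enabled=True, field_enabled=True):
    """Return ({USERID: effective method}, [findings]) for an import file.

    Findings flag values that are neither SSO nor PWD (including case
    mismatches such as "pwd"), because those users silently land on SSO.
    """
    resolved, findings = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("loginMethod") or "").strip()
        resolved[row["USERID"]] = effective_login_method(
            feature_enabled, field_enabled, raw)
        if raw and raw not in VALID_VALUES:
            findings.append(
                f"{row['USERID']}: loginMethod {raw!r} is not SSO/PWD; "
                "user falls back to SSO")
    return resolved, findings


def random_password(length=32):
    """Random alphanumeric password for a user who will never use or see it.

    Alphanumeric only so the value survives CSV handling unquoted; 32 chars
    from a 62-symbol alphabet is far beyond any guessable size.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def add_random_passwords(csv_text, feature_enabled=True, field_enabled=True):
    """Copy the import with a PASSWORD column (assumed name) filled for every
    user resolved to SSO and left blank for PWD users, so a real password is
    never overwritten. Returns (new_csv_text, {USERID: password}).
    """
    resolved, _ = review_import(csv_text, feature_enabled, field_enabled)
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = list(reader.fieldnames)
    if "PASSWORD" not in fieldnames:
        fieldnames.append("PASSWORD")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    issued = {}
    for row in reader:
        uid = row["USERID"]
        if resolved[uid] == "SSO":
            issued[uid] = random_password()
            row["PASSWORD"] = issued[uid]
        else:
            row["PASSWORD"] = ""
        writer.writerow(row)
    return out.getvalue(), issued


if __name__ == "__main__":
    resolved, findings = review_import(SAMPLE_IMPORT)
    for uid, method in resolved.items():
        print(f"{uid}: {method}")
    for finding in findings:
        print("WARNING:", finding)
    new_csv, issued = add_random_passwords(SAMPLE_IMPORT)
    print(new_csv)
```

Run it against a real export before loading the file: every row that ends up in the findings list is a user who expected a password login but will be sent to SSO, and every row resolved to PWD is a user for whom the password policy, the password tab and password recovery become active.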

Keywords

KBA , sf sso , sf sso options , sf patrial sso , LOD-SF-PLT , Foundational Capabilities & Tools , How To

Product

SAP SuccessFactors HCM Core all versions