SAP Knowledge Base Article - Public

2088150 - Login: Troubleshooting login issues. All login issues including SSO configurations - Platform

Symptom

  • What to do if a user is unable to login to the SuccessFactors Application.

    Note: If you are seeing specific "System Unavailable" errors, HTTP 404 Error, and similar issues, then this may not be a 'login issue" but a system issue. Please also refer to our System Unavailable Solution.

Environment

  • BizX Platform

Resolution

  • There are many reasons as to why an end user may not be able to login to the SuccessFactors Application. This solution attempts to provide you the most common list of reasons for why a user or group of users may not be able to login. Please consider the current nature of the login issue, and then from the list below review the solutions that might apply.
     
     
  • If your Company is using Single Sign On (SSO) please see the section towards the bottom for steps on how to resolve login issues.

 

Error = Invalid username or password. Please re-enter your login info:

  • The number one reason a user is unable to login is that, contrary to their belief that they are entering the correct variables, they are not. Note that the variables for  Username and Password can be case sensitive.

    In the case of usernames; make sure they enter their username correctly as was created.  So Dave DAVE and dave are all different usernames. Tip: Try exporting the user data via admin tools to see exactly the values for username.

    In the case of passwords; these can be both case insensitive or enabled to be case sensitive via Admin Tools > System Properties > Password Policies and Settings > Case Sensitive Settings, so Password, PASSWORD and password are all different values.

    Note: Company ID is always case sensitive.
    1. Be sure to work with your end user to be absolutely sure that they are entering values correctly.
       
    2. A user may be directed to use the "forgot your password" hyperlink on login page to retrieve their password if it seems they maybe using the incorrect password. Anther option the company admin has, is to reset the user's password for them from Admin Tools > Manage Users > Reset User Password > Reset individual user password (with supplied password). Please Note: SuccessFactors customer support will NOT typically reset user passwords if a user is locked out for security reasons. We ask that the company administrator always perform this function after verifying the user is allowed access to the system.
       
      1. If your company is using SSO, then do NOT reset passwords unless you know the exact value your SSO system requires for each user. The Forgot Your Password functionality should be turned off. If it is still enabled, the user may have mistakenly reset their password using this feature. You may need to take very specific steps to reset the passwords. Please contact your SSO team or Customer Success for further help. Please see the SSO section below for more information.
      2. Active Users:onfirm that the user is in the system. Go to Admin Tools > Change User Information > Uncheck "Active Users Only" > Enter username and search for the user. This will return a list of both Active and Inactive users in the system that match that user. If the user is marked as inactive, then reset the user account from Admin Tools > Set User Status > Uncheck "Active Users Only" > Search for username > Select the user and set as Active > Click Save The Setting.
    3. Note: If after an import was done where maybe a user had been assigned to an invalid manager, where you then correct this user's manager, and where the employee is now getting the error "Invalid username or password. Please re-enter your login info:", it will be due to the fact the original invalid import also removed the user from the Default User Group because of the invalid manager data. You now need to reassign this user(s) back into the Default User Group. See below.
       
    4. Default User Group Assignment: A user MUST belong to this group to access the SuccessFactors Application. Another common reason that a user may see this error is that they have been removed from the default user group. All new users by default are assigned to this group which provides access to the SuccessFactors Application. If a user for some reason is removed from this group they will be unable to login. To check or reset a uer's status go to Admin Tools > Manage Security > Default User Group Assignment > It is suggested that since typically all users should be assigned to the default group that you simply select all employees and assign to group. If however you use defined groups, be sure to select the Default User Group or the group you wish to assign them to. You will see a notification as to how many users were successfully assigned to the group. Then ask the user to attempt to login. Being removed can occur when someone imports using Enforce Manager-only Implementation, as explained below.
       
    5. PASSWORD Column: Not so common is when an administrator imports a User File that includes the PASSWORD column, but the password column did not include anyone's passwords, and has therefore set all passwords to NULL. When the user tries to use the "Forgot Password Feature" to retrieve their password, it also contains a NULL. The user will need to have their password reset (depending on the scope of who was affected, this could mean others need it as well by an additional upload). You can upload a file with a password for all, or reset individually. If you are using SSO, then you may need to take very specific steps to reset the passwords. If you are not using SSO, then please see the solution on "How to Force Reset Passwords".
       

Error = You've reached the maximum number of login attempts. Your account is now locked. Contact your administrator for more details.

  • This message indicates to an end user that they have exceeded the limitations you have set in your password policies for invalid login attempts.
    1. To change this limit go to Admin Tools > System Properties > Password Policies and Settings > Maximum Successive Failed Login Attempts.
       
    2. To unlock an account go to Admin Tools > Manage Users > Reset User Account > find user and reset.
       

Login unsuccessful. Invalid manager detected. Please contact your local system administrator for assistance. Sorry for the inconvenience.

  • This message occurs when the users manager has for some reason been set as inactive.
    1. Valid Manager ID: Check to make sure their manager’s ID is valid. A user cannot login if they do not have a valid manager. Export your user file from Admin Tools > Employee Export and check the MANAGER field for the user. It must contain a valid Manager ID (check for spelling mistakes or incorrect numbers), or NO_MANAGER. These are the only acceptable values.
       
    2. Broken Hierarchy: If you have all of a sudden encountered large numbers of your population that are getting this message, the likely cause is a recent user import that had errors and has broken your hierarchy. You will need to begin immediate discovery of recent user imports to correct any errors such as incorrect usernames or IDs, or setting someone at the top of the hierarchy as inactive causing all direct reports to now be locked out. Please log a case with Customer Success to have an expert help troubleshoot this with you if the error is not apparent. Please note that SuccessFactors cannot correct your data or revert your hierarchy to a previous state. This will require that you correct the original import file and re-import it.

Enforce Manager-only Implementation:

  • Another common cause of large groups of employees to suddenly be locked out of the system is when a user import was done, and the administrator had accidentally checked the box: "Enforce Manager-only Implementation." If all the users locked out are non-managers, then it is likely this has occurred. Simply perform the import again making sure not to check the option for Enforce Manager-only Implementation.
  1. Error = Page not found:
    1. This error maybe due to the user trying to use an invalid URL. Please make sure the user is trying to access the system using the correct URL or login procedures.
    2. Have the user clear their browser cache.
    3. Verify the user is entering proper Company ID
    4. Is the user clicking on a URL that was sent to them in an email, even if from the SuccessFactors Application? If so, have the userattempt to login normally to determine if the URL is invalid. If they can successfully login, then you may need to open a support case with Customer Success to determine why the link in the email is not working.
       
  2. No Error Message. User is redirected to the default SuccessFactors login page: Verify the user is entering proper Company ID. Note that the variable for Company ID is case sensitive so SuccessFactors SUCCESSFACTORS and successfactors are three different companies.
     
  3. IP Restriction: Error - Your machine is not authorized to access this system. Your company is using IP restriction to prevent unauthorized access to the SuccessFactors Application and you are trying to access the system from an IP address that has not currently been authorized. Please log a case with SuccessFactors Support to have the new IP address added if this is an IP address that your company has authorized for access.

Clients Using Single Sign On (SSO)

    1. Companies using SSO are recommended to setup custom error pages so that users unable to access the system are directed to error pages that clearly indicate the nature of the error. Please let Support know the page your user(s) is directed to. Note: Please see the solution on "Landing Pages" if you would like to use our default error pages.
      1. If your users are being directed to one of your custom error pages, please be sure to indicate to Customer Support the error and page that your user is landing on.
      2. If your users are being directed to the default SuccessFactors login page, then either your company has not yet set up the appropriate error pages or the current reason preventing login is not a standard issue. Please provide Customer Success the URL of the page the user is directed to.
         
    2. To effectively troubleshoot SSO login issues, we require the support of your SSO experts, as only they can capture an SSO transaction before it is processed and encrypted and sent to the SuccessFactors Application for validation. Since most issues are a mismatch between the values you have imported into the SuccessFactors Application and the values you are sending in the encrypted URL, you need to have your SSO expert capture and provide the variables of a transaction in the server POST, before it is encrypted. We need to be able to see.
       
      1. URL that is being generated
      2. Username value before it is encrypted
      3. Password value being used
      4. Time stamp if used
      5. DO NOT simply provide these values from your records, we MUST see the actual values being processed in the actual SSO transaction via your system, pre and post encryption. Only then can we faithfully compare those with the values in the SuccessFactors Application being validated against.
         
    3. The most common reason for users to be unable to access the SuccessFactors Application with SSO enabled are due to a mismatch in the username/password combination. Note that the variables for  Username and Password can be case sensitive.

      In the case of usernames; make sure your system is sending the EXACT username currently on record in the system. Do NOT assume they are an exact match. "Dave" "DAVE" and "dave" are all different usernames. Tip: Try exporting the user data via admin tools to see exactly the values for username in SuccessFactors and then compare these values to the values your SSO team has provided from the actual SSO transaction. DO NOT simply go on the value the user is typing in, as that is not necessarily the value your system picks up from your LDAP etc. to send to us. You want to see absolute values, and not assume consistency between sources.
    1. User Import: If all users are locked out, then find out if a user import recently occured that might have changed passwords accidentally. Note that SSO often users the same password for all users, or may be configured where username = password. Performing a new import that is known to have the correct values is recommended as an immediate action as this may correct the issue if it was data related. 
       
    2. Please do NOT reset passwords unless you know the exact value your SSO system requires for each user. You may need to take very specific steps to reset the passwords. Please contact your SSO team or Customer Success for further help.  
       
    3. Reset Password: If you feel this might be the issue, you can test by using the "Reset Password with supplied password" feature in Admin Tools.
       
    4. Password Change: If you enforce users to change passwords regularly (eg. every 90 days), then your user may have changed their password today. If you use an SSO method that validates the password in your system to match password in SuccessFactors, then until that new value is fed into the SuccessFactors Application (usually via an overnight FTP import) the user may not be able to login to the SuccessFactors Application. You can manually update thier password by using the "Reset Password with supplied password" feature in Admin Tools, or the user can wait for the overnight feed to correct the issue if your import file includes a PASSWORD column.
       
    5. The user is a new user, you are using SAML, and your import was not set to USERNAME for the option "Default value for a new user's password:". If you have an automated FTP user import and are using SAML, please be sure to select "USERNAME" option on any manual imports. Also request that Customer Success change your import settings so that the setting: "Default value for a new user's password: " is set to equal USERNAME. This will ensure all new users automatically have thier username = password. If this is not done, new users will not be able to login to the SuccessFactors Application.
       
    6. Did the person's USERNAME change? If the person's username changed, and your configuration is set as username = password, then the password may be still set as the old username value. You may need to manually reset password  by using the "Reset Password with supplied password" feature in Admin Tools, or the user can wait for the overnight feed to correct the issue if your file includes a PASSWORD column.
          

              7.   Please have the administrator check the following settings for your instance. Go to Admin Tools > System Properties > Password Policies and Settings > Disable the following:

    1. Set “Maximum Password Age (in days)” to -1 (This will prevent passwords in our system from expiring and causing login issues for your users. If users are being prompted to change their password, you need to set this to -1. Also Go to Admin Tools > System Properties > Company System and Logo Settings, check "Hide the Personal Password Tab from users". That will prevent the system from asking users to update their passwords.

    2. Maximum Successive Failed Login Attempts Set to 0 will disable this option; You do not want the SuccessFactors Application to lock out users once you are on SSO. Your own internal authentication will control security and login attempts.

    3. Enforce Password Encryption
    4. Retrieve Password by providing Email Address
    5. Forget Password feature will generate new Password for user
    6. If these features had been enabled and the end user had mistakenly reset their password, then determine the value of the password that your company is using for all users and reset their password.9.

              9. Time Stamp: If your company is using a timeout variable and all users are unable to login, then the synchronization of the server time between your SSO server and SuccessFactors is off. To remove this as a possible cause request that SuccessFactors disable "Expiration of SSO Request (in seconds)" in provisioning.

             10. Time Stamp: Even if the timestamp is disabled, the client may be sending the timestamp variable. Make sure that this is synced to the correct time and using US/eastern variable, not EST.

             11. Was SuccessFactors working on your system? If you currently have support working on an unrelated issue, let Customer Support know this in case a setting was changed recently. Have support confirm your Token and Key settings.

Keywords

KBA , sf sso , sf login issues , LOD-SF-PLT , Foundational Capabilities & Tools , How To

Product

SAP SuccessFactors HCM Core all versions