2088837 - SSO: Partial Organization Single Sign-On - BizX Platform

SAP Knowledge Base Article - Public

2088837 - SSO: Partial Organization Single Sign-On - BizX Platform

Symptom

  • Available for Enterprise Subscription clients only
  • Not available for Professional Edition Subscription

  • The partial organization SSO (Single Sign On) feature allows an organization to specify some users authenticate (login) through SSO while others authenticate through the username/password login page. This feature is opt-in and is enabled by CustomerSuccess.  All SSO methods are supported.

  • A user can be assigned to only one login option. A user cannot login through both SSO and standard username/password login. It is one or the other.

  • The setup process is as follows: (To be done by SF Support)

    Step 1: Succession Data Model Configuration - Enable the "loginMethod" field in the data model  (CS or Partner)

    Step 2: Provisioning Setup - Enable the feature in provisioning (CS or Partner)

    Step 3: Setting the loginMethod for each User - Specify the desired value for each user in the "loginMethod" field. (Customer Admin)

  • Step three will typically be done through Employee Import process, most likely as an automated FTP process.
    For testing setup, you can edit this standard element manually either through Employee Import, or Admin Tools --> Manage Users, or even through Employee Profile if you configure the field to appear in the profile.

Environment

  • BizX Platform

Resolution

Password Policy

When the “Partial Organization SSO” feature is enabled in provisioning, the password policy settings will apply only to users where “loginMethod” is specified as “PWD”.  For these users, the system will enforce the system password policy settings specified in Admin Tools --> System Properties. This means:

  • Enforce all password policy settings
  • Allow them to access the password tab under Options --> Password
  • Allow them to recover/change their passwords

For any user where “loginMethod” is not specified as “PWD” (meaning it is either set to “SSO” or is null), the user will NOT be subject to the password policy settings. This means:

  • The password policy will not apply for this user
  • This user will not be able to access the password tab under
  • Options --> Password
  • The user will never see a popup screen to change their password.
  • The user will not be able to recover/change their password in any way.
  • Password reset should not send any email notification to these users. However, password reset should actually perform the password reset – but it will not send an email notification. This is useful in SAML 2.0, where we no longer reference the system password during SAML authentication. In this case, administrators might prefer to set random passwords for each user in the system.

Login URL for end users

Once you have set the loginMethod value for your users, they will have to use one of two login methods to access the system:

  • If the user has their loginMethod set to PWD, they will need to use a specific URL to access the normal login page because the system will default to SSO login logic if not instructed to bypass it.
    In order to do this, users have to use this URL. The highlighted sections need to be replaced with the correct values for your datacentre and company ID: https://<yourdatacenterURL>/login?company=<yourcompanyID>&loginMethod=PWD

    For example, if your instance is located in DC4 (Arizona), and your companyID is Company123.
    Then your URL for PWD users would have to be:
    https://performancemanager4.successfactors.com/login?company=Company123&loginMethod=PWD

    Please note that the URL above is case sensitive. Using "loginmethod=" instead of "loginMethod=" will not work.

  • If the users has their loginMethod value set to SSO, or if it is blank, then they have to use the SSO login URL which is provided by your Identity provider (your SSO system).

If you are a customer and you would like to set up Partial Organization Single Sign On for your company please open an incident with Product Support.

If you are a partner refer to KBA 2320766 - BizX Platform - Partial Organization SSO - Data model configuration, tips & tricks from Support for Partners for steps on enabling partial SSO.

Keywords

KBA , sf sso , LOD-SF-PLT , Foundational Capabilities & Tools , How To

Product

SAP SuccessFactors HCM Core all versions