SAP Knowledge Base Article - Public

2088837 - SSO: Partial Organization Single Sign-On - BizX Platform

Symptom

  • Can we determine a Users login method?
  • Is it possible to have some users login using SSO and others using the default Username and Password?
  • We want to enable Partial Organization Single Sign-On to allow Admins choose who logs in through SSO.
  • The Partial Organization SSO (Single Sign On) feature allows an organization to specify some users authenticate (login) through SSO while others authenticate through the username/password login page. This feature is opt-in and is enabled by Customer Support or Partners.  All SSO methods are supported.

Environment

SAP SuccessFactors HCM Suite

Resolution

Prerequisite

Single Sign-On should be configured and enabled prior to enabling Partial Organization Single Sign-On.

Setup

The setup process is as follows: Needs to be done by SF Support or Partners.

  1. Succession Data Model Configuration - Enable the "loginMethod" field in the data model  (CS or Partner)
  2. Provisioning Setup - Enable the feature in provisioning (CS or Partner)
  3. Setting the loginMethod for each User - Specify the desired value for each user in the "loginMethod" field. (Customer Admin)
    - A user can be assigned to only one login method. A user cannot login through both SSO and standard username/password login. It is one or the other.

Step 3 will typically be done through Employee Import process, most likely as an automated FTP process. 
For testing setup, you can edit this standard element manually either through Employee Import, or Admin Tools --> Manage Users.

Login URL for end users

Once you have set the loginMethod value for your users, they will have to use one of two login methods to access the system:

  • If the user has their loginMethod set to PWD, they will need to use a specific URL to access the normal login page because the system will default to SSO login logic if not instructed to bypass it.
    In order to do this, users have to use this URL. The highlighted sections need to be replaced with the correct values for your datacenter and company ID: https://<yourdatacenterURL>/login?company=<yourcompanyID>&loginMethod=PWD

    For example, if your instance is located in DC4 (Arizona), and your companyID is Company123.
    Then your URL for PWD users would have to be:
    https://performancemanager4.successfactors.com/login?company=Company123&loginMethod=PWD

    Please note that the URL above is case sensitive. Using "loginmethod=" instead of "loginMethod=" will not work.

  • If the users have their loginMethod value set to SSO, or if it is blank, then they have to use the SSO login URL which is provided by your SSO Administrator.

Note: Although a "BLANK or null" value in the Login Method field should default users to SSO it is advised as a best practice to populate the field with either SSO or PWD.

Password Policy

When the “Partial Organization SSO” feature is enabled in provisioning, the password policy settings will apply only to users where “loginMethod” is specified as “PWD”.  For these users, the system will enforce the system password policy settings specified in Admin Tools --> System Properties. This means:

  • Enforce all password policy settings
  • Allow them to access the password tab under Options --> Password
  • Allow them to recover/change their passwords

For any user where “loginMethod” is not specified as “PWD” (meaning it is either set to “SSO” or is null), the user will NOT be subject to the password policy settings. This means:

  • The password policy will not apply for this user
  • This user will not be able to access the password tab under
  • Options --> Password
  • The user will never see a popup screen to change their password.
  • The user will not be able to recover/change their password in any way.
  • Password reset should not send any email notification to these users. However, password reset should actually perform the password reset – but it will not send an email notification. This is useful in SAML 2.0, where we no longer reference the system password during SAML authentication. In this case, administrators might prefer to set random passwords for each user in the system.

If you are a customer and you would like to set up Partial Organization Single Sign On for your company please reach out to your partner or open an incident with Product Support if you are no longer working with your partner.

If you are a partner refer to KBA 2320766 - BizX Platform - Partial Organization SSO - Data model configuration, tips & tricks from Support for Partners for steps on enabling partial SSO.

Keywords

Partial, Single Sign-On, Password, PWD, Login Method, SSO , KBA , sf sso , LOD-SF-PLT , Foundational Capabilities & Tools , How To

Product

SAP SuccessFactors HCM Suite all versions