2088865 - SSO: Single Sign-On and User Passwords - BizX Platform

SAP Knowledge Base Article - Public

2088865 - SSO: Single Sign-On and User Passwords - BizX Platform

Symptom

  • The following is an overview of how SSO works with regard to user name/password.
  • Due to the encrypted and secure nature of SSO, passwords are not key to the security of most of the SuccessFactors supported methods.. However SuccessFactors system requires a password for all users in case SSO is ever turned off. In this event, the assigned passwords will become the only barrier to getting into the application. If weak passwords are set while using SSO, then all passwords will need to be reset if it is turned off.  We have a feature which allows customers to decide on a per employee basis whether they must use SSO or can continue to use the password login method (PWD).  This value can be changed at any time so it is more important than in the past to user secure passwords for all employees.

Environment

  • BizX Platform

Resolution

  • Customers using Partial SSO
    • With the Partial SSO feature enabled, the SuccessFactors application defaults password settings based on the Login Method assigned to the user.
    • SSO users will not be affected by password aging. They will not be able to or be forced to change their password. They won’t be able to see the password change tab.
    • PWD users will access all of the SuccessFactors password features. Password aging, the password options tab, forgot password features etc.
    Note: Users with a blank setting for login method are treated as SSO users.

 

  • Password Encryption in SF
    • Some of the SSO Methods do not work with our encrypted passwords. For
    • MD5/Base64
    • SHA-1
    • SAML 1.1
    • SAML 2.0

 

  • Turn this off if you are using SSO for any users
    Go to Admin Tools and Password Policy and Login Settings. Check the setting for Enforce Password Encryption.  By default, this is off. If it’s on, turn it off. Passwords will need to be reset to clear the encrypted values before these SSO methods will work. Please discuss this change with your SuccessFactors consultant before taking any action.

 

  • Strong Passwords
    System generated passwords - this option is only compatible with MD5/Base64 and SHA-1 which do not require the password in the SSO login info. When importing a user list that lacks a password column, the password will be System Generated if this option is selected during the user import using either FTP or the user interface.
    Unique password - this option requires the customers to provide unique passwords for each user and to be able to retrieve them as needed during the SSO login process. If this option has been selected, please note that a password column is required in the user import file uploaded via FTP or the user interface.

 

  • Weak Passwords.
    Global password - this option gives everyone in the company the same password.  If this option has been selected, please note that a password column is required in the user import file uploaded via FTP.  The same password should be applied to everyone being imported.
    Password=Username – this option sets the password to the username when new users are added to the system. If this option is selected, Username must be specified as the Default Password setting whenever a User Import is run from either FTP or the user interface.
    Note: SuccessFactors does not recommend Username passwords.  Customer supplied passwords must be at least 8 characters long, and contain a combination of numbers and letters. In addition they must adhere to the customer’s password policy.

 

  • Password Case Sensitivity
     It is strongly recommended that customers using SSO turn on our Case Sensitive Passwords option. Most SF customers already have this set to Yes.

 

  • Go to Admin Tools and Password Policy Settings. Turn on
  • Case Sensitive (recommended)    

 

  • Changing this option will force all users to change their passwords. Please discuss this change with your SuccessFactors contact before doing it.

Keywords

KBA , sf sso , sf passwords , sf partial sso , LOD-SF-PLT , Foundational Capabilities & Tools , How To

Product

SAP SuccessFactors HCM Core all versions