2144707 - Single Sign-On and Server Time Synchronization - Platform

SAP Knowledge Base Article - Public

Symptom

When connecting to SuccessFactors using various Single Sign-On methods, it is possible to add an additional level of security by limiting the time interval during which the sign-on transaction is valid.

Environment

  • BizX Success Factors Platform

Resolution

For SAML type SSO, this interval is specified by setting a parameter in the setup of your security utility. Check with your vendor for the specifics of their product. These values appear in the transaction as NotBefore, NotAfter or a similar parameter. We strongly recommend that customers allow some amount of NotBefore range in addition to the NotOnOrAfter range they set in each login. If the NotBefore range is zero, login failures can occur due to very minor variations in server clocks. One minute is a common setting.

For non-SAML methods, part of the packaging of the data being sent to SF is a time stamp. When SF receives the package, the time stamp is checked. If the stamp is not within a predefined period (the SSO expiration), 30 seconds for example, the login is rejected. This parameter, Expiration of SSO Request (in seconds), can be set in the SuccessFactors customer configuration. If there is no expiration, it can be turned off with the value -1.
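The two time checks described above, as an added Python example (not SAP's code): it shows a login failing when the NotBefore range is zero and the receiving clock is two seconds behind, and the non-SAML expiration check with the -1 switch. The function names, the sample times, the five-minute validity and the symmetric treatment of the non-SAML time stamp are assumptions.

```python
from datetime import datetime, timedelta, timezone

def issue_conditions(issuer_now, not_before_range, validity):
    """Window an identity provider would emit; NotBefore is backdated by the range."""
    return issuer_now - not_before_range, issuer_now + validity

def saml_window_ok(not_before, not_on_or_after, receiver_now):
    """SAML Conditions check: valid when NotBefore <= now < NotOnOrAfter."""
    return not_before <= receiver_now < not_on_or_after

def timestamp_ok(sent_at, receiver_now, expiration_seconds):
    """Non-SAML check: the time stamp must lie within the expiration period.
    -1 turns the check off. Treating early and late stamps alike is an assumption."""
    if expiration_seconds == -1:
        return True
    return abs((receiver_now - sent_at).total_seconds()) <= expiration_seconds

def demo():
    # Constructed sample times: the sender's clock reads T at sign-on.
    t = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    validity = timedelta(minutes=5)       # assumed NotOnOrAfter range
    behind = t - timedelta(seconds=2)     # receiver clock runs 2 s behind
    ahead = t + timedelta(seconds=45)     # receiver clock runs 45 s ahead

    zero = issue_conditions(t, timedelta(0), validity)
    one_minute = issue_conditions(t, timedelta(minutes=1), validity)
    return {
        "saml_zero_range": saml_window_ok(*zero, behind),
        "saml_one_minute": saml_window_ok(*one_minute, behind),
        "stamp_30s_limit": timestamp_ok(t, ahead, 30),
        "stamp_disabled": timestamp_ok(t, ahead, -1),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```
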

To minimize the number of discrepancies, server time clocks should be synchronized with a standard time provider. There are many services available.

Our servers are synchronized with the following servers:

clock.via.net prefer

t2.timegps.net

But any accurate time server will do. An up-to-date list can be found at

http://support.ntp.org/bin/view/Servers/StratumOneTimeServers

Keywords

Condition NotOnOrAfter, SSO, validate assertion fail, SAML SSO, KBA, LOD-SF-PLT, Foundational Capabilities & Tools, How To

Product

SAP SuccessFactors HCM Core all versions