SAP Knowledge Base Article - Public

2370144 - SSO: Multiple Asserting party for SAML IdP and SP-Initiated login methods

Symptom

  • Does SuccessFactors support multiple asserting parties for SAML IdP-initiated and SP-initiated SSO?
  • What combinations can be successfully implemented?

Environment

SAP SuccessFactors Platform / BizX

Resolution

If you have multiple identity providers, we can set up an asserting party for each one. This includes separate values for SAML issuer, signing certificate, and other settings. If one or more of the asserting parties is set to use SP-initiated logins, one of them has to be set to be the default asserting party. SuccessFactors does support multiple asserting parties; however, only the following combinations of IdP and SP for SAML SSO are allowed:

  1. Multiple IdP asserting parties work, and more than 2 IdP asserting parties can be configured for an instance, provided each asserting party has a different issuer.
  2. Multiple asserting parties with one IdP and one SP-Initiated can be configured. In this case we can have more than 2 IdPs but only one SP-Initiated SSO.
  3. Multiple asserting parties with SP-Initiated are not supported. Only one SP asserting party is supported.

NOTE: If you want users from multiple asserting parties to deep link, you must use the Deep Link Redirect option rather than SP-Initiated. There must be zero asserting parties set up using SP-Initiated.

If you have multiple asserting parties and use deep linking, we need to identify to which IdP to send users for login information. If you have a default asserting party, we send them to that IdP. If not, we display a list of the available asserting parties and ask the user to select the appropriate one. Your administrator can configure the text identifying each available asserting party. After a user has logged on using a specific asserting party, we store a cookie in their browser. As long as they use the same browser and don’t clear their cookies, they don't need to select the asserting party again.
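The combination rules and the deep-link routing described above can be checked before a change is requested. The following is an added example, not SAP code: the AssertingParty model, its field names, the sample issuers, and the idea that the browser cookie records the issuer are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AssertingParty:          # hypothetical model, not a SuccessFactors API
    name: str                  # label shown to users in the selection list
    issuer: str                # SAML issuer value
    sp_initiated: bool = False
    default: bool = False

def validate(parties, multi_party_deep_link=False):
    """Return the rule violations for a set of asserting parties ([] = allowed)."""
    errors = []
    issuers = [p.issuer for p in parties]
    dupes = sorted({i for i in issuers if issuers.count(i) > 1})
    if dupes:
        errors.append("duplicate issuer: " + ", ".join(dupes))
    sp = [p for p in parties if p.sp_initiated]
    if len(sp) > 1:
        errors.append("more than one SP-initiated asserting party")
    if sp and not any(p.default for p in parties):
        errors.append("SP-initiated in use but no default asserting party")
    if multi_party_deep_link and len(parties) > 1 and sp:
        errors.append("multi-party deep linking requires zero SP-initiated parties")
    return errors

def deep_link_target(parties, remembered_issuer=None):
    """Decide where an unauthenticated deep-link request is sent."""
    for p in parties:
        if p.default:                       # a default asserting party wins
            return ("redirect", p.name)
    for p in parties:
        if p.issuer == remembered_issuer:   # assumption: cookie holds the issuer
            return ("redirect", p.name)
    return ("select", [p.name for p in parties])

# Constructed sample configuration (issuers are placeholders).
EMPLOYEES = AssertingParty("Employees", "https://idp.example.com/emp")
CONTRACTORS = AssertingParty("Contractors", "https://idp.example.com/ext")
SP_DEFAULT = AssertingParty("Corporate", "https://idp.example.com/corp",
                            sp_initiated=True, default=True)

if __name__ == "__main__":
    print(validate([EMPLOYEES, CONTRACTORS], multi_party_deep_link=True))
    print(validate([SP_DEFAULT, EMPLOYEES], multi_party_deep_link=True))
    print(deep_link_target([EMPLOYEES, CONTRACTORS]))
    print(deep_link_target([EMPLOYEES, CONTRACTORS], CONTRACTORS.issuer))
```

An empty list from validate means the combination matches one of the allowed cases; a "select" result corresponds to the asserting-party list shown to the user.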

Keywords

Multiple asserting parties, asserting party, SSO, SAML, IdP, SP-Initiated, deeplink, deep link redirect, KBA, LOD-SF-PLT-SSO, Single Sign-on, LOD-SF-PLT-SAM, SAML SSO First Time Setup, Problem

Product

SAP SuccessFactors HCM Core all versions