SAP Knowledge Base Article - Public

2370144 - SSO: Multiple Asserting party for SAML IdP and SP-Initiated login methods

Symptom

  • Can we use Identity Provider Initiated login (IDP-Initiated login) for one Active Directory and Service Provider Initiated login (SP-Initiated login) for another Active Directory?
  • Does SuccessFactors support multiple asserting parties for SAML IDP and SP Initiated SSO?
  • What combinations can be successfully implemented?

Environment

SAP SuccessFactors HCM Suite

Resolution

If you have multiple identity providers, we can set up an asserting party for each one, with separate values for the SAML Issuer, signing certificate, and other settings. If one or more asserting parties are configured, one of them must be set as the default asserting party in order to allow SP-initiated logins. SuccessFactors does support multiple asserting parties; however, only the combinations of IDP-Initiated and SP-Initiated SAML SSO listed below are allowed:

  1. Multiple IDP-Initiated asserting parties work: two or more IDP-Initiated asserting parties can be configured in an instance, provided each asserting party has a different Issuer.
  2. Multiple asserting parties with one IDP-Initiated and one SP-Initiated can be configured. In this case there can also be two or more IDP-Initiated asserting parties, but only one SP-Initiated asserting party.
  3. Multiple SP-Initiated asserting parties are not supported. Only one SP-Initiated asserting party is supported.

NOTE: If you want users from multiple asserting parties to deep link, you must use the Deep Link Redirect option rather than SP-Initiated. There must be zero asserting parties set up using SP-Initiated.

If you have multiple asserting parties and use deep linking, we need to identify which IdP to send users to for login. If you have a default asserting party, we send them to that IdP. If not, we display a list of the available asserting parties and ask the user to select the appropriate one. Your administrator can configure the text identifying each available asserting party. After a user has logged on using a specific asserting party, we store a cookie in their browser. As long as they use the same browser and don't clear their cookies, they don't need to select the asserting party again.
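The following is an added example, not SAP's or SuccessFactors' code: a small Python model of the allowed asserting-party combinations listed above and of the deep-link routing described in this paragraph. It lets an administrator check a planned configuration before touching the instance. The data classes, the rule codes, the cookie name and the rule that an instance has at most one default asserting party are assumptions; the KBA does not name the cookie or describe its format.

```python
# Added example (not SuccessFactors code): encodes the asserting-party rules
# from this KBA so a planned configuration can be checked offline.
from dataclasses import dataclass


@dataclass
class AssertingParty:
    name: str            # label shown to the user on the selection page
    issuer: str          # SAML Issuer of the IdP; must differ between parties
    sp_initiated: bool   # True = SP-Initiated login, False = IDP-Initiated
    is_default: bool = False


@dataclass
class SsoConfig:
    parties: list
    deep_link_redirect: bool = False   # the "Deep Link Redirect" option


def validate(config):
    """Return [(code, detail), ...]; an empty list means the combination is allowed."""
    problems = []

    # Rule 1: every asserting party needs its own Issuer.
    issuers = [p.issuer for p in config.parties]
    for issuer in sorted({i for i in issuers if issuers.count(i) > 1}):
        problems.append(("DUPLICATE_ISSUER",
                         f"issuer {issuer!r} is used by more than one asserting party"))

    # Rules 2 and 3: at most one SP-Initiated asserting party.
    sp_parties = [p for p in config.parties if p.sp_initiated]
    if len(sp_parties) > 1:
        problems.append(("MULTIPLE_SP_INITIATED",
                         f"{len(sp_parties)} SP-Initiated parties; only one is supported"))

    # Assumption: an instance has at most one default asserting party.
    defaults = [p for p in config.parties if p.is_default]
    if len(defaults) > 1:
        problems.append(("MULTIPLE_DEFAULTS", "more than one party is marked default"))

    # SP-Initiated login requires a default asserting party.
    if sp_parties and not defaults:
        problems.append(("SP_WITHOUT_DEFAULT",
                         "SP-Initiated login needs a default asserting party"))

    # The NOTE above: Deep Link Redirect needs zero SP-Initiated parties.
    if config.deep_link_redirect and sp_parties:
        problems.append(("DEEP_LINK_WITH_SP",
                         "Deep Link Redirect requires zero SP-Initiated parties"))
    return problems


COOKIE_NAME = "asserting_party"   # assumed name; the KBA does not name the cookie


def remember_party(cookies, party_name):
    """Record the party a user logged on with (what the KBA's cookie does)."""
    cookies[COOKIE_NAME] = party_name
    return cookies


def route_deep_link(config, cookies):
    """Decide where a deep-link user goes: default party, remembered party, or a chooser."""
    for p in config.parties:
        if p.is_default:
            return {"action": "redirect", "party": p.name}
    remembered = cookies.get(COOKIE_NAME)
    if remembered in {p.name for p in config.parties}:
        return {"action": "redirect", "party": remembered}
    return {"action": "choose", "choices": [p.name for p in config.parties]}


if __name__ == "__main__":
    # Constructed sample: two Active Directory forests, each with its own IdP.
    cfg = SsoConfig([
        AssertingParty("Corp AD", "https://idp.corp.example/saml", sp_initiated=False),
        AssertingParty("Subsidiary AD", "https://idp.sub.example/saml", sp_initiated=False),
    ], deep_link_redirect=True)
    print("problems:", validate(cfg))
    print("first visit:", route_deep_link(cfg, {}))
    print("return visit:", route_deep_link(cfg, remember_party({}, "Subsidiary AD")))
```

The validator returns codes rather than raising, so all violations of a draft configuration are reported at once; the routing function checks the default party before the remembered cookie, which is this KBA's order of precedence as read here.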

Keywords

Multiple asserting parties, asserting party, SSO, SAML, IdP, SP-Initiated, IDP-Initiated, deeplink, deep link redirect, KBA, LOD-SF-PLT-SAM, SAML SSO First Time Setup, LOD-SF-PLT-SEL, SSO Errors & Logs, Problem

Product

SAP SuccessFactors HCM Suite all versions