2391240 - Partial Single Sign On - Cancel from "forgot password" does not consider loginMethod parameter used and redirects password users to the SSO login page

SAP Knowledge Base Article - Public

Symptom

  • Cancel from "forgot password" does not consider loginMethod parameter used previously if no existing cookie stored
  • Password users accessing the system for the first time get redirected to the SSO login page if they cancel out of "forgot password"

Environment

  • Bizx Platform

Reproducing the Issue

Relevant for:

  • The instance has Partial SSO enabled
  • The user trying to log in is a password user
  • SSO is set up to use SP-Initiated Single Sign On

  1. A new user accesses the system via a URL containing the loginMethod=PWD parameter.
    For example: https://salesdemo4.successfactors.com/login?company=XXXXX&loginMethod=PWD
  2. Navigate to the forgot password page
  3. Click on cancel
  4. The user is taken to the SSO login page set up for SP-Initiated login

Note: This also happens for users that have cleared the browser cache before step 1

Cause

This is due to the absence of a LoginMethod cookie in your browser cache.

In Partial Single Sign On enabled systems, the login behavior is driven by the value in this cookie.
Once a user has successfully logged on to the system, the system stores the cookie in the browser cache with this user's login method (either PWD or SSO).

After this, it re-uses the cookie value for future logic and actions.
If this cookie is set to PWD, then the system behaves as expected: using the forgot password feature and then clicking cancel brings the user back to the standard login screen.

However, this cookie is only set after a successful login!
Therefore, when accessing the forgot password feature, the system only defaults to the password login page after cancelling if the user has already logged in using the PWD method previously.
If not, then the system will use SSO login logic and redirect the user to the configured SP-Initiated SSO URL.
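
The cookie-driven behavior described above, modelled in Python as an added example (this is not SAP code). The cookie name `loginMethod`, the page labels `password_login` and `sso_login`, and all function and class names are assumptions made for illustration.

```python
from urllib.parse import urlparse, parse_qs

COOKIE = "loginMethod"  # assumed name; the article does not give the exact cookie name


def requested_method(url):
    """Return the loginMethod query parameter of a login URL, or None."""
    values = parse_qs(urlparse(url).query).get("loginMethod")
    return values[0] if values else None


class Browser:
    """Stand-in for one user's browser; only the cookie store matters here."""

    def __init__(self):
        self.cookies = {}

    def successful_login(self, method):
        # Per the article, the cookie is written only after a successful login.
        self.cookies[COOKIE] = method

    def clear_cache(self):
        self.cookies.clear()


def cancel_forgot_password(browser, url):
    """Page reached after Cancel on "forgot password" (hypothetical labels).

    The URL is accepted to make the point explicit: its loginMethod
    parameter is not consulted, only the stored cookie is.
    """
    _ = requested_method(url)  # parsed, deliberately unused
    if browser.cookies.get(COOKIE) == "PWD":
        return "password_login"
    return "sso_login"  # no cookie yet, or cookie says SSO


# Constructed walk-through using the example URL from the article.
URL = "https://salesdemo4.successfactors.com/login?company=XXXXX&loginMethod=PWD"


def walk_through():
    b = Browser()
    first_visit = cancel_forgot_password(b, URL)   # new user, no cookie
    b.successful_login(requested_method(URL))      # cookie becomes PWD
    after_login = cancel_forgot_password(b, URL)
    b.clear_cache()                                # cookie gone again
    after_clear = cancel_forgot_password(b, URL)
    return first_visit, after_login, after_clear


if __name__ == "__main__":
    print(walk_through())
```
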

Resolution

  • This has been confirmed as expected behavior by our Engineering team. Should you have any concerns with this, you could use the following workaround:
    • New users have been created
    • The users are provided with the login link however they do not know what the username / password combination is
    • Use the reset password feature from Admin tools for affected users in order to trigger an email to those users informing them of their first time credentials.
    • After the first successful login, the loginMethod cookie will be set, and the users will be forced to reset the password.
    • Any navigation in the login screens thereafter will follow PWD login logic, as the cookie has been set and saved.

  • Please submit an enhancement request (or review existing ones) in the ideas page if you wish to change the standard behavior. See KBA 2248545 - SuccessFactors Enhancement Request - Ideas for Product improvements

Keywords

KBA , LOD-SF-PLT , Foundational Capabilities & Tools , LOD-SF-PLT-SSO , Single Sign-on , Problem

Product

SAP SuccessFactors HCM Core all versions