This article assumes that an IDP-initiated SSO connection is already set up and working. If this is not the case, we advise focusing on the IDP-initiated setup first.
This ensures that other possible points of failure related to the overall configuration of the SSO setup can be ruled out.
If you already have IDP-initiated SSO working and are experiencing issues with SP-initiated SSO and ADFS, then this article should help.
- Single Sign On
- Bizx Platform
Reproducing the Issue
- SP-initiated SSO with ADFS SAML causes errors in the SSO log viewer in Provisioning: Didn't get an assertion in ArtifactResponse
- The IDP cannot interpret the authentication request coming from SuccessFactors, so it sends a "default" response without the assertion-related information in the message.
- In the relying party configuration, on the identifier tab, check that the identifier value matches the EntityID value provided by Support via the metadata file for your instance. If it does not match, the ADFS system will not be able to select the correct configuration to use to respond to the message.
- In the relying party configuration, please ensure that in the advanced tab, the secure hash algorithm value is set to SHA1. By default the value is set to SHA256, which causes the authentication flow to fail.
- In the relying party configuration please ensure that the SFAdmin certificate has been imported into the signature tab. If you do not have the certificate you can ask support to provide it.
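The three relying party checks above can also be read from PowerShell on the ADFS server. The script below is an added example, not part of the original article or SAP-provided code; it only reads the configuration, and the trust display name and metadata file path are assumed placeholder values to replace with your own.

```powershell
# Added example: read-only check of an ADFS relying party trust.
# Run on the ADFS server in an elevated PowerShell session.
param(
    [string]$TrustName    = 'SuccessFactors',             # assumed trust display name
    [string]$MetadataPath = 'C:\Temp\sf-sp-metadata.xml'  # assumed path to the metadata file from Support
)

Import-Module ADFS
$sha1Uri = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'   # value ADFS stores when SHA-1 is selected

# Read the EntityID from the root EntityDescriptor element of the metadata file.
[xml]$metadata = Get-Content -Path $MetadataPath -Raw
$entityId = $metadata.DocumentElement.GetAttribute('entityID')
if (-not $entityId) { throw "No entityID attribute on the root element of $MetadataPath" }

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "No relying party trust named '$TrustName' was found" }

# Certificates shown on the signature tab; drop nulls so Count is accurate.
$certs = @($trust.RequestSigningCertificate | Where-Object { $_ })

$results = @(
    [pscustomobject]@{
        Check    = 'Identifier matches EntityID'
        Expected = $entityId
        Actual   = $trust.Identifier -join ', '
        Pass     = $trust.Identifier -ccontains $entityId   # case-sensitive exact match
    }
    [pscustomobject]@{
        Check    = 'Secure hash algorithm is SHA1'
        Expected = $sha1Uri
        Actual   = $trust.SignatureAlgorithm
        Pass     = $trust.SignatureAlgorithm -eq $sha1Uri
    }
    [pscustomobject]@{
        Check    = 'Signature certificate imported'
        Expected = 'at least one certificate'
        # Compare the thumbprint by hand with the certificate supplied by Support.
        Actual   = ($certs | ForEach-Object {
                       '{0} (expires {1:yyyy-MM-dd})' -f $_.Thumbprint, $_.NotAfter
                   }) -join '; '
        Pass     = $certs.Count -gt 0
    }
)

$results | Format-List
```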
DISCLAIMER: The information provided does not imply that SAP Cloud Product Support have any expertise in setting up ADFS systems for customers.
These are merely bits of information that were gathered over time while configuring the SAML SSO with ADFS which may help you with a smoother setup.
If you require assistance setting up your ADFS system, please reach out to your consultant, partner, or Microsoft support.