SAP Knowledge Base Article - Public

2874083 - Enable SuccessFactors Learning third-party cookie mechanism - What does it mean - [LMS]


We keep receiving "Failed to authenticate the SAML response" on our iOS devices when we go from BizX to the LMS instance.


SAP SuccessFactors LMS system

iOS devices

Reproducing the Issue

Log on to the SuccessFactors application on any mobile/iOS device -> Learning module -> a message pops up with the error "Failed to authenticate the SAML response".


This happens when cookies are not enabled at the browser level.


Solution 1: Follow the KBA- -> close the current application -> log into the LMS system and check again.

--If you cannot modify those two settings as explained in the KBA above because of security concerns or company policy, or if it is not an iOS device, please follow the solution below--

Solution 2: KBA- says that we should enable "Enable SuccessFactors Learning third-party cookie mechanism". This is done at the Provisioning level.

FAQs on Solution-2


Q: What does it mean to have the following setting checked in Provisioning - "Enable SuccessFactors Learning third-party cookie mechanism"?


  • Some websites use third-party content providers (communicating from one webpage/site with the help of another webpage/site). A third-party content provider can track you across websites to advertise products and services. SuccessFactors does use cookies to store session information (to constantly validate user sessions and store values for faster page/data processing), but not for any advertising purpose, so there is no need to worry about that.
  • BizX and LMS are two different sites that work with each other by communicating through cookies and other internal logic, so we expect the browser setting to allow third-party cookie communication.
  • But this has recently become an issue as browsers are disabling third-party cookies by default. This means that every user has to change their browser default setting, and some companies consider this a security/privacy risk. It is actually a privacy matter and not a security risk.
  • To avoid depending on browser settings, we introduced a setting on the Provisioning side called "Enable SuccessFactors Learning third-party cookie mechanism" to handle things differently and avoid the "Failed to Authenticate SAML Response" issue.
  • How this is achieved: we force the user to initially visit an LMS page in a main BizX window, outside of an iframe (usually LMS is loaded into BizX via an iframe). After that, any follow-up persistence of LMS cookies, even in an iframe, is no longer considered third-party. This is what the Provisioning setting does.
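
The mechanism described in the last bullet, modeled as an added example (not SAP code and not part of the original KBA). It assumes a simplified browser policy in which an embedded site may use cookies only if it has already stored one as a first party; the host names, endpoints and cookie value are constructed for illustration.

```javascript
// Simplified browser model (assumed policy, not a specific browser):
// cookies for an embedded site are blocked unless that site has already
// stored a cookie while loaded as the top-level page.
class Browser {
  constructor() {
    this.jar = new Map(); // site -> cookie value
  }

  // Load `site` as the top-level page (site === topSite) or inside an
  // iframe of `topSite`. `handler` plays the server: it receives the
  // cookie the browser sent and returns { body, setCookie }.
  load(site, topSite, handler) {
    const thirdParty = site !== topSite;
    const cookieAllowed = !thirdParty || this.jar.has(site);
    const sent = cookieAllowed ? this.jar.get(site) : undefined;
    const res = handler(sent);
    if (res.setCookie !== undefined && cookieAllowed) {
      this.jar.set(site, res.setCookie);
    }
    return res.body;
  }
}

const BIZX = "bizx.example"; // constructed host names
const LMS = "lms.example";

// Hypothetical LMS endpoints: SSO issues a session cookie, home requires it.
const lmsSso = () => ({ body: "redirect:/home", setCookie: "session-1" });
const lmsHome = (cookie) => ({
  body: cookie === "session-1" ? "LMS home" : "Failed to authenticate the SAML response",
});

// Setting off: LMS is only ever loaded inside the BizX iframe.
function iframeOnly() {
  const b = new Browser();
  b.load(LMS, BIZX, lmsSso);         // Set-Cookie dropped: third party, no prior visit
  return b.load(LMS, BIZX, lmsHome); // no session cookie reaches LMS
}

// Setting on: the user first lands on an LMS page in the main window.
function topLevelFirst() {
  const b = new Browser();
  b.load(LMS, LMS, lmsSso);          // first-party visit stores the cookie
  return b.load(LMS, BIZX, lmsHome); // later iframe load may send it
}

console.log(iframeOnly());
console.log(topLevelFirst());
```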

Q: Any possible implications on security or accessing SuccessFactors Learning via single sign-on?

A: No security or access issues would be caused by using that setting. It is explained above.

Q: Do we need to schedule any background job after enabling the suggested setting?

A: No, there won't be any background job required to run to enable this for everyone.

Q: Will the setting take place with immediate effect once enabled?

A: Yes, this would take immediate effect. After this is enabled, we would just need to ask users to clear their cookies and cache.


See Also


Failed to authenticate the SAML response, Enable SuccessFactors Learning third-party cookie mechanism, 3rd party cookie , KBA , LOD-SF-LMS-MOB , Mobile Application , LOD-SF-LMS-ADM , Admin Tools , Problem


SAP SuccessFactors Learning all versions