Symptom
- Can we determine a user's login method?
- Is it possible to have some users log in using SSO and others using the default username and password?
- We want to enable Partial Organization Single Sign-On to allow Admins to choose who logs in through SSO.
- The Partial Organization SSO (Single Sign-On) feature allows an organization to specify that some users authenticate (log in) through SSO while others authenticate through the username/password login page. This feature is opt-in and is enabled by Customer Support or Partners. All SSO methods are supported.
- How to enable Partial SSO?
Environment
SAP SuccessFactors HXM Suite
Resolution
Prerequisite
Single Sign-On should be configured and enabled prior to enabling Partial Organization Single Sign-On.
This KBA applies only to instances that do not have IAS (Identity Authentication Service) implemented, i.e., SSO is connected directly to the IdP with no IAS involved.
Setup
The setup process is as follows. Steps 1 and 2 must be done by SF Support or Partners; step 3 is done by the customer:
1. Succession Data Model Configuration - Enable the "loginMethod" field in the data model (CS or Partner)
2. Provisioning Setup - Enable the feature in Provisioning (CS or Partner)
3. Setting the loginMethod for each User - Specify the desired value (SSO or PWD) for each user in the "loginMethod" field (Customer Admin)
Note: a user can be assigned only one login method. A user cannot log in through both SSO and the standard username/password login; it is one or the other.
Step 3 is typically done through the Employee Import process, most likely as an automated FTP import.
For testing, you can set this standard element manually for individual users through Employee Import or Admin Tools --> Manage Users.
Step 3 is outside the scope of Product Support; it is done by the customer's system administrator or by engaging a partner.
Login URL for end users
Once you have set the loginMethod value for your users, each user will have to use one of two login methods to access the system:
- If the user's loginMethod is set to PWD, they need a specific URL to reach the normal username/password login page, because the system defaults to the SSO login logic unless instructed to bypass it.
To do this, users must use the following URL, replacing the placeholders in angle brackets with the correct values for your datacenter and company ID: https://<yourdatacenterURL>/login?company=<yourcompanyID>&loginMethod=PWD
For example, if your instance is located in DC4 (Arizona) and your company ID is Company123,
then the URL for PWD users would be:
https://performancemanager4.successfactors.com/login?company=Company123&loginMethod=PWD
Please note that the URL above is case sensitive. Using "loginmethod=" instead of "loginMethod=" will not work: the parameter is not recognized and the user is sent to the SSO login logic instead.
- If the user's loginMethod is set to SSO, or is blank, they must use the SSO login URL provided by your SSO Administrator.
Note: the loginMethod=PWD parameter only selects the login page; it does not change a user's assigned login method. A user whose loginMethod is SSO cannot authenticate with a password on that page (see Password Policy below).
Note: Although a blank (null) value in the Login Method field defaults the user to SSO, it is recommended as a best practice to populate the field explicitly with either SSO or PWD.
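As an added example (not part of this KBA or of any SAP tooling), the following Python script shows two checks a system administrator can run on their own side before and after step 3: it validates the loginMethod values in an Employee Import file (exact values SSO or PWD, blank values flagged because they silently default to SSO), and it builds and sanity-checks the PWD login URL, including the case-sensitive parameter name. The import column name LOGIN_METHOD, the datacenter host and the sample rows are assumptions constructed for the example; check them against your own import template and datacenter.

```python
import csv
import io
from urllib.parse import parse_qs, urlencode, urlsplit

VALID_METHODS = {"SSO", "PWD"}

# Constructed sample Employee Import extract (not real data). The column name
# LOGIN_METHOD for the "loginMethod" standard element is an assumption; check
# your own import template and pass the right column name if it differs.
SAMPLE_IMPORT_CSV = """USERID,USERNAME,LOGIN_METHOD
admin1,admin1,PWD
jdoe,jdoe,SSO
contractor7,contractor7,pwd
newhire,newhire,
"""


def validate_import(csv_text, column="LOGIN_METHOD"):
    """Return {userid: problem} for rows whose login method needs attention before import.

    Values are compared exactly: only "SSO" and "PWD" are accepted. A blank value
    is reported because the system treats it as SSO without saying so.
    """
    problems = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        userid = row["USERID"]
        method = (row.get(column) or "").strip()
        if method == "":
            problems[userid] = "blank: the system defaults this user to SSO; set SSO or PWD explicitly"
        elif method not in VALID_METHODS:
            problems[userid] = f"invalid value {method!r}: use exactly SSO or PWD"
    return problems


def build_pwd_login_url(datacenter_host, company_id):
    """Build the URL that PWD users must use to reach the username/password page."""
    # urlencode keeps insertion order, so the parameter name stays 'loginMethod'.
    query = urlencode({"company": company_id, "loginMethod": "PWD"})
    return f"https://{datacenter_host}/login?{query}"


def check_pwd_login_url(url):
    """Return a list of problems with a PWD login URL; an empty list means it looks right."""
    issues = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        issues.append("scheme must be https")
    if parts.path != "/login":
        issues.append("path must be /login")
    params = parse_qs(parts.query, keep_blank_values=True)  # keys are case sensitive
    if "company" not in params:
        issues.append("missing company parameter")
    if params.get("loginMethod") != ["PWD"]:
        wrong_case = [k for k in params if k.lower() == "loginmethod" and k != "loginMethod"]
        if wrong_case:
            issues.append(f"parameter name is case sensitive: use loginMethod, not {wrong_case[0]}")
        else:
            issues.append("loginMethod=PWD is missing, so the system falls through to the SSO logic")
    return issues


if __name__ == "__main__":
    for userid, problem in validate_import(SAMPLE_IMPORT_CSV).items():
        print(f"{userid}: {problem}")
    url = build_pwd_login_url("performancemanager4.successfactors.com", "Company123")
    print(url, check_pwd_login_url(url))
    print(check_pwd_login_url(url.replace("loginMethod", "loginmethod")))
```

Run validate_import against the file you are about to upload and fix every reported row first; run check_pwd_login_url on the URL you hand to PWD users (for example in onboarding documentation), since a lowercased parameter name quietly sends them to the SSO flow instead of the password page.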
Password Policy
When the "Partial Organization SSO" feature is enabled in Provisioning, the password policy settings apply only to users whose "loginMethod" is set to "PWD". For these users, the system enforces the password policy settings specified in Admin Tools --> System Properties. This means:
- All password policy settings are enforced
- They can access the password tab under Options --> Password
- They can recover/change their passwords
For any user whose "loginMethod" is not "PWD" (that is, set to "SSO" or null), the password policy settings do NOT apply. This means:
- The password policy does not apply to this user
- This user cannot access the password tab under Options --> Password
- The user never sees a popup screen to change their password.
- The user cannot recover/change their password in any way.
- A password reset does not send any email notification to these users. The reset itself is still performed; only the notification is suppressed. This is useful with SAML 2.0, where the system password is no longer referenced during SAML authentication; in this case, administrators may prefer to set a random password for each such user in the system.
How to enable Partial SSO?
If you are a customer and you would like to set up Partial Organization Single Sign-On for your company, please reach out to your partner, or open a case with Product Support (LOD-SF-PLT) if you are no longer working with your partner.
If you are a partner refer to KBA 2320766 - BizX Platform - Partial Organization SSO - Data model configuration, tips & tricks from Support for Partners for steps on enabling partial SSO.
Keywords
Partial, Single Sign-On, Password, PWD, Login Method, SSO , KBA , sf sso , LOD-SF-PLT-SAM , SAML SSO First Time Setup , How To