SAP Knowledge Base Article - Public

2088852 - [SSO] Checklist for Client When Enabling & Using SSO - SuccessFactors

Symptom

  • How do we retrieve passwords or see what someone's password is?
  • What changes do I need to make in the email notifications?
  • Why does the link in my email notification not work anymore?
  • Can we easily enable and disable SSO?

Environment

SAP SuccessFactors HXM Suite

Resolution

IMPORTANT: Available for Enterprise Subscription clients only. Not available for Professional Edition Subscription.

SuccessFactors Single Sign-On Implementation was designed based on several key customer requirements:

  1. SuccessFactors should not directly attach or integrate into a customer’s corporate username and password repository.
  2. SuccessFactors should store the user login credentials independent of the login credentials stored in the customer’s corporate repository. The login credentials for the user in both systems could be the same or different. If they are different, the customer needs to maintain the mapping of corporate repository credentials to SuccessFactors credentials. For security reasons we recommend that they are different. The user’s credentials in both systems should be synchronized; this is achievable via the SuccessFactorsUserSync process.
  3. SuccessFactors will not allow password-based logins while Single Sign-On is enabled. Once SSO is enabled, users cannot access the SuccessFactors application via our standard login page anymore. This gives the customer additional control over logins and allows the use of common passwords.
  4. Users with bookmarks to our application will no longer be able to use these bookmarks and will now need to log in via your SSO login page/portal only.
  5. Can we easily enable and disable SSO? Yes. Once your SSO configuration is successfully set up and working, it is an easy process for SuccessFactors Customer Success to disable SSO and re-enable it at a later time. (You may need to supply your secret token to support to enable it.) You should keep in mind any security issues and user login issues this might present if you have changed passwords. This is typically only done for troubleshooting issues or when you have some short-term need.

Offline Documents

  • SF supports SSO with the offline forms feature for all implementations of SSO except SAML. 

Email Notifications

  • Once SSO has been enabled, you will need to update your email notifications. The SuccessFactors application sends out automated email notifications for form creations, updates and other events. These emails normally contain links that allow the user to log in to the form directly without landing on the home page first. Since SSO requires the user to log in using the customer-created SSO login process, and not the default login page, this deep linking is not possible. We recommend that form links in emails be replaced with the generic link to the customer's SSO login process.
  • Email templates can be modified from Admin Tools > System Properties > E-Mail Notifications Template Settings. The system administrator should edit all templates and change email links that look like this:
      You can access this document at the following URL:
      DOC ACCESS URL
  • Remove the DOC ACCESS URL tag and replace it with a link, messaging, or something appropriate for your specific SSO setup. You may encounter other xxx type tags in email templates that no longer work once SSO is enabled. This indicates that the variable is not supported. Please remove any unsupported tags from your email templates.

Can We Easily Enable & Disable SSO?

  • Typically yes. Once your SSO configuration is successfully set up and working, it is typically an easy process for SuccessFactors Customer Success to disable SSO and re-enable it at a later time. (You may need to supply your secret token to support to enable it.) You should keep in mind any security issues and user login issues this might present if you have changed passwords. This is typically only done for troubleshooting issues or when you have some short-term need.
  • Some SSO methods are as simple as resetting the SSO token and updating user information, while others require a full implementation.
  • You will want to make note of employee usernames to ensure that the usernames are as you expect. This can be verified via Admin Tools>>Manage Users>>Employee Export. With the SAML SSO method, SuccessFactors will set the password = employee's username. Hence, when disabling SSO, the client also needs to reset passwords to prevent a security issue. This can be done using the reset password options in Admin Tools or via a regular user import file by adding a PASSWORD column.
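
The password reset described in the last item can be prepared offline. The following is an added example, not SAP-provided code: it takes an employee export as CSV text and appends a PASSWORD column holding a fresh random value per user, so that no account is left with password = username after SSO is disabled. The single header row and the USERID/USERNAME/STATUS column names in the sample are assumptions; check them against your actual export file.

```python
import csv
import io
import secrets
import string

# Characters chosen to avoid commas and quotes, so CSV quoting never alters a value.
ALPHABET = string.ascii_letters + string.digits + "!#$%*+-=?@_"

# Constructed sample export; real files may have more columns or header rows.
SAMPLE_EXPORT = "USERID,USERNAME,STATUS\n1001,jdoe,active\n1002,asmith,active\n"


def new_password(username, length=20):
    """Return a random password that does not contain the username."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if username.lower() not in pw.lower():
            return pw


def add_password_column(export_text, user_col="USERNAME"):
    """Return import CSV text: the export rows plus a PASSWORD column."""
    reader = csv.DictReader(io.StringIO(export_text))
    header = reader.fieldnames or []
    if user_col not in header:
        raise ValueError(f"export has no {user_col} column")
    fields = [f for f in header if f != "PASSWORD"] + ["PASSWORD"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    seen = set()
    for line_no, row in enumerate(reader, start=2):
        name = (row[user_col] or "").strip()
        if not name:
            raise ValueError(f"line {line_no}: empty username")
        if name.lower() in seen:
            # Usernames should be "as you expect"; duplicates are not.
            raise ValueError(f"line {line_no}: duplicate username {name!r}")
        seen.add(name.lower())
        row["PASSWORD"] = new_password(name)
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    # The output contains live credentials: store and transfer it as a secret.
    print(add_password_column(SAMPLE_EXPORT), end="")
```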

Keywords

SF, success factors, PLT, platform, BizX, biz X, KBA, LOD-SF-PLT-SSO, Single Sign-on, How To

Product

SAP SuccessFactors HCM suite all versions