SAP Knowledge Base Article - Public

2091975 - [SSO] Deeplinks within E-mail Notifications are not functional while on SSO

Symptom

  • We are not able to click/access links within E-mail Notifications
  • Links in notifications received via email prompt user to enter credentials (username and password)
  • Unable to access links in emails
  • Emails are not working
  • Dynamic deep links are not working

Environment

  • SAP SuccessFactors HCM Suite
  • SAP SuccessFactors Learning

Reproducing the Issue

  1. The user is not logged into SuccessFactors
  2. The user clicks on a link within email notification received from SuccessFactors - Example: Document Creation Notification.
  3. Instead of directing the user to the destination Page, the links would be taken either to the SuccessFactors login page or another page different from the expected page the link in the email was supposed to redirect

Cause

This happens when the SuccessFactors instance is set up with SSO and the user is not logged into SF (or authenticated at the IDP).

Due to the SuccessFactors application sends out automated email notifications for form creations, updates, and other events. These emails normally contain links that allow the user to login to the form directly without landing on the Home page first. Since SSO requires the user to login using the customer created SSO login process, these deep links don't work and therefore end user are directed to an unexpected page.

Resolution

We Support Two options for dealing with email links while on SSO - Dynamic Deep links:

  1. 1️⃣ Standard Emails with IDP Redirect or SP
    • With this option, the customer doesn’t need to change our default email links.
    • The users will be able to get to the specific resources the email links point to.
    • The customer needs to provide SuccessFactors with a URL value that we configure as the SSO  URL for “Deeplink IDP Login redirect"
    • it is recommended to configure customers “Internal SSO URL” (from where the SSO authentication starts) in the Deeplink IDP Login redirect so that whenever there is no active session while accessing the link in notification, users will be redirected to the internal SSO link which will trigger users to authenticate themselves and creates a session required.
    • We recommend that it’s a page where the user stops and selects a link, rather than just sending them back to SuccessFactors automatically. Here is how this process works:
      • If a user is already logged in to SuccessFactors and clicks on an email link, the link will open and show them their resource.
      • If the user is not logged in to SuccessFactors and clicks on an email link, their login will fail. We will set a cookie storing the email resource details in their browser. We redirect the customer to the  Deeplink IDP Login redirect. They perform whatever action the customer requires on this page to login to SuccessFactors using SSO. As long as this action is taken within five minutes of the initial failure, they will get logged in to the email resource. If the login happens after five minutes, they will go to the home page.

⚠️ Note 1: Cookie must be enabled in the browser.

⚠️ Note 2: As customers do not have access to provisioning, you will need to request your Partner or Customer Support and provide the internal URL to include the respectively on URL for Deeplink IDP Login redirect.

⚠️ Note 3: For Partner or Support Engineer:

  1. Access the Provisioning backend
  2. Go to  Single Sign-On (SSO) Settings
  3. Include the URL provided by the customer on the field "Please enter the URL for Deeplink IDP Login redirect:"
  4. Click on Save


Note: If you are using SP initiated login, the deep link URL box should be left blank, and will be grayed out.

 

  1. 2️⃣ Modify Emails to point to generic SSO logins

With this option form links in emails should be replaced with the generic link to the customers SSO login process. The system administrator for your SuccessFactors application should change all email links that look like below to something appropriate for their specific SSO setup, such as:

  • Example 1: You can access this document at the following URL: [[DOC_ACCESS_URL]]
  • OR, Example 2: You can access the PerformanceManager at the following URL: [[LOGIN_URL]]

⚠️ Side Note: If you are facing issues with Learning Management System (LMS) email notification links, please refer for the following articles:

See Also

Support please view internal memos for additional information.

2317944 - [SSO] SAML 2.0 Provisioning Guide for BizX - Troubleshooting Tips and Tricks - Common Errors and Resolutions

Keywords

SSO, stands, Single Sign On, IDP, Identity, Provider, deeplinking, deeplink, “Deeplink IDP Login redirect", SuccessFactors, Deep Link, SAML , KBA , sf platform , sf email , LOD-SF-PLT-SEL , SSO Errors & Logs , LOD-SF-PLT , Platform Foundational Capabilities , Problem

Product

SAP SuccessFactors HCM Suite all versions ; SAP SuccessFactors Learning all versions