Symptom
When trying to access the Learning system or add learning activities in Talent modules, the following error is received: "Failed to authenticate the SAML response. If this keeps happening, please contact administrator."
Environment
- SAP SuccessFactors Learning
- SAP SuccessFactors Career Development Planning
- SAP SuccessFactors Performance Management
Reproducing the Issue
- Log in to the system.
- Navigate to the home dropdown > Learning.
- The user is redirected to the Learning module.
- Receive error.
OR
- Log in to the system.
- Navigate to the home dropdown > Goal.
- Select the Development Goal tab.
- Locate a goal and select the 3 dots > Add Learning.
- The user is redirected to the Learning module.
- Receive error.
OR
- Log in to the system.
- Navigate to the home dropdown > Performance.
- Select a performance form.
- Locate a goal section and select Add New Learning Activity.
- The user is redirected to the Learning module.
- Receive error.
Cause
- Third party cookies deprecation in Google Chrome.
- The "Enable SuccessFactors Learning third-party cookie mechanism" setting is not flagged in BizX Provisioning.
- The user was not synchronized from HXM/BizX to Learning.
Resolution
1. Third party cookies deprecation in Google Chrome
Browser vendors are in the process of deprecating or limiting the use of third-party cookies to prevent user tracking for data privacy reasons. Google Chrome begins its deprecation plans on January 4th, 2024 and will permanently block third-party cookies after 2024.
- Temporary Workaround: Follow the steps in the "What to expect from Tracking Protection" section of "The next step toward phasing out third-party cookies in Chrome". KBA 2087462 can be reviewed as well.
- Long-term Solution: SAP will roll out an automated Common Super Domain solution to SuccessFactors customers. More information is in "Impact of third-party cookies deprecation on SAP SuccessFactors - Innovation Alert".
2. The "Enable SuccessFactors Learning third-party cookie mechanism" setting is not flagged in BizX Provisioning
SAP SuccessFactors has a Provisioning setting called "Enable SuccessFactors Learning third-party cookie mechanism" which bypasses the need to use cookies as the Learning site is not loaded within an iframe. There are no security or access issues if this setting is enabled. Additional details about the "Enable SuccessFactors Learning third-party cookie mechanism":
- Some websites use third-party content providers (one webpage/site communicating with the help of another webpage/site). A third-party content provider can track you across websites to advertise products and services. SAP SuccessFactors does use cookies to store session information (to continuously validate user sessions and to store values for faster page/data processing), but not for any advertising purpose, so there is no need to worry about that.
- BizX and Learning are two different sites that work together by communicating through cookies and other internal logic, so we expect the browser setting to allow third-party cookie communication.
- This has recently become an issue because browsers are disabling third-party cookies by default. As a result, every user must change their browser default setting, and some companies consider this a security/privacy risk. This is a privacy matter, not a security risk.
- To avoid depending on browser settings, we introduced a Provisioning setting called "Enable SuccessFactors Learning third-party cookie mechanism", which handles this differently in order to avoid the "Failed to Authenticate SAML Response" issue.
- How this is achieved: we force the user to initially visit a Learning page in a main BizX window, outside of an iFrame (usually Learning is loaded into BizX via an iFrame). After that, any follow-up persistence of Learning cookies, even in an iFrame, is no longer considered third-party. This is what the Provisioning setting does.
- Using this setting causes no security or access issues, as explained above. There is no need to schedule any background job to enable it for everyone. Once enabled, it takes effect immediately. After it is enabled, users only need to be asked to clear their cookies and cache.
- As a customer, you do not have access to Provisioning. Please engage a Certified Partner or Product Support to assist with this configuration. If this setting needs to be enabled and a Partner is not engaged, please create a case with the LOD-SF-LMS-INT component.
- After the setting is enabled, clear the cache and cookies from the browser.
3. The user was not synchronized from HXM/BizX to Learning
The error can occur if a user is not properly created in the Learning application. User creation in Learning varies, but the standard process is via the User Connector - SF. Please see 2668004 for information on how to troubleshoot user creation via the connector.