2408674 - [SSO] Single Sign-On using ADFS not working - Didn't get an assertion in ArtifactResponse

• You have your IDP initiated SSO connection setup and working;
• You are experiencing issues with SP initiated SSO with ADFS as Identify provider.

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

SAP SuccessFactors HCM Suite

• Customer reports that SSO with ADFS in SP Initiated method is not working;
• Support access Provisioning;
• Go to Single Sign-On (SSO) Settings;
• Go to the SSO Log Viewer;
• Check the last error message in the logs saying: Didn't get an assertion in ArtifactResponse.

The Identity Provider (ADFS) cannot interpret the authentication request that is coming from SuccessFactors so it sends a "default" response without the assertion related information in the message.

The information provided does not imply that SAP Cloud Product Support have any expertise in setting up ADFS systems for customers. These are merely bits of information that were gathered over time while configuring the SAML SSO with ADFS which may help you with a smoother setup. If you require assistance setting up your ADFS system, please reach out to your consultant, partner, or Microsoft support.

To resolve the issue you will need to verify and perhaps reconfigure the settings in your Identity Provider.

Customer Support do not have access to these configurations and so you will need to engage with the person who has access to the ADFS server to check the configurations mentioned on the points below:

• In The relying party configuration identifier tab, check that the identifier value matches the EntityID value provided by Support via the metadata file for your instance. If it does not match, the ADFS system will not be able to select the correct configuration to use to respond to the message.
  

• In the relying party configuration please ensure that in the advanced tab, the secure hash algorithm value is set to SHA1. By default the value is set to SHA256 which causes the authentication flow to.
  

• In the relying party configuration please ensure that the SFAdmin certificate has been imported into the signature tab. If you do not have the certificate you can ask support to provide it.
  

You can also check if the ADFS configuration is correct and if the claim rules were properly set, as is explained in: Configuring MS ADFS 3.0 as Identity Provider for SuccesFactors

Another reason for this error is username case mismatch between ADFS and SuccessFactors. The username case should be the same for both ADFS and SF; if not, the login will fail.

Example: If the ADFS username is in all lowercase, then the SuccessFactors username should be too and vice versa.

2674264 - Configuring SSO between Corporate IDP, IAS Tenant and BizX Instance when using IAS as a proxy to Corporate IDP - BizX Platform

SSO, ADFS, Service Provider, Identity Provider BizX Platform, Microsoft ADFS, Didn't get an assertion in ArtifactResponse, error, Login , KBA , LOD-SF-PLT-SEL , SSO Errors & Logs , LOD-SF-PLT , Platform Foundational Capabilities , Problem