Symptom
- The screen keeps spinning when trying to log in via SSO;
- The screen goes back and forth between the IdP login screen and the SuccessFactors screen;
- The customer/partner is encountering difficulty during SSO implementation;
- SSO is not working correctly and the customer/partner requests assistance with SSO setup;
Environment
SAP SuccessFactors HXM Suite
Reproducing the Issue
- Access the IdP-initiated login URL;
- Type your credentials and attempt to log in;
- The authentication process behaves as follows:
  - the screen keeps spinning in an endless loop, or;
  - it goes back and forth between the IdP and SuccessFactors screens.
Cause
The customer's Identity Provider is using the SHA-256 algorithm, which is not supported, to encrypt the SAML Assertion Response when sending it to SuccessFactors.
Resolution
SuccessFactors supports the SHA-256 encryption algorithm only after 2105 with IAS integration.
You have 2 options to fix this issue:
- Access your IdP settings and ensure it is using the SHA-1 algorithm instead. SuccessFactors will always work with this one.
- Or implement IAS on your SuccessFactors instance and use SHA-256 between your Corporate IdP-IAS and IAS-SuccessFactors;
  - For SF-IAS implementation, refer to KBA 2791410.
Important: some IdPs take considerable time to apply the algorithm change, so you may need to wait a couple of minutes for the cache to refresh the settings.
Please also check KBA 2957157 - When SSO BizX will upgrade the certificate based on SHA1?
Note: Supported algorithms - the SF public certificate is RSA SHA-1. The exact encryption algorithm depends on how encryption is handled on the IdP. Here is one sample:
<saml:EncryptedAssertion><EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="uuidb651afc1-0177-1b58-9ed5-dc0cb5f416b7" Type="http://www.w3.org/2001/04/xmlenc#Element"><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></EncryptionMethod><ds:KeyInfo><EncryptedKey Id="uuidb651afc2-0177-181f-be5d-dc0cb5f416b7"><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod><ds:KeyInfo><ds:KeyName>CN=SF Admin, OU=Ops, O=Successfactors.com,
(Full Sample in internal notes)
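To confirm which algorithms the IdP is actually sending before and after the settings change, the base64 SAMLResponse value captured from the browser's POST to SuccessFactors can be decoded and its Algorithm URIs listed. The following is an added example, not SAP code: saml_algorithms and non_sha1 are hypothetical helper names, and the embedded response is a constructed sample using the standard W3C algorithm URIs.

```python
import base64
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
XENC = "{http://www.w3.org/2001/04/xmlenc#}"

def saml_algorithms(saml_response_b64):
    """Collect algorithm URIs from a base64 SAMLResponse (HTTP-POST binding)."""
    xml_bytes = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration found; refusing to parse")
    root = ET.fromstring(xml_bytes)
    sig = [e.get("Algorithm", "") for e in root.iter(DS + "SignatureMethod")]
    # Only Reference digests: OAEP key transport may carry its own DigestMethod.
    dig = [d.get("Algorithm", "") for r in root.iter(DS + "Reference")
           for d in r.findall(DS + "DigestMethod")]
    enc = [e.get("Algorithm", "") for e in root.iter(XENC + "EncryptionMethod")]
    return {"signature": sig, "digest": dig, "encryption": enc}

def non_sha1(found):
    """Return (kind, uri) pairs whose signature/digest hash is not SHA-1."""
    flagged = []
    for kind in ("signature", "digest"):
        for uri in found[kind]:
            m = re.search(r"sha-?(\d+)$", uri.rsplit("#", 1)[-1].lower())
            if m is None or m.group(1) != "1":
                flagged.append((kind, uri))
    return flagged

# Constructed sample: signature values and ciphertext omitted, URIs are the W3C ones.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#constructed-id">
   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  </ds:Reference></ds:SignedInfo></ds:Signature>
 <saml:EncryptedAssertion><xenc:EncryptedData>
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
 </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()

if __name__ == "__main__":
    found = saml_algorithms(SAMPLE_B64)
    for kind, uri in non_sha1(found):
        print(f"{kind}: {uri} (not SHA-1)")
    print("encryption methods:", found["encryption"])
```

When the assertion is encrypted, only the response-level signature is visible this way; a signature inside the EncryptedAssertion cannot be inspected without the decryption key.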
Keywords
IdP, SSO, SSO configuration, spinning, spinning screen, back & forth screen, SSO issue, KBA, LOD-SF-PLT-SEL, SSO Errors & Logs, How To