SAP Knowledge Base Article - Public

2449659 - SSO Implementation issues | SHA-256 vs SHA-1 encryption algorithms

Symptom

  • The screen keeps spinning when trying to log in via SSO;
  • The screen goes back and forth between the IdP login screen and the SuccessFactors screen;
  • The customer or partner is encountering difficulty during SSO implementation;
  • SSO is not working correctly and the customer or partner requests assistance with SSO setup.

Environment

SAP SuccessFactors HXM Suite

Reproducing the Issue

  1. Access the IdP-Initiated login URL;
  2. Type your credentials and attempt to log in;
  3. The authentication process behaves as follows:
    • the screen keeps spinning in an endless loop, or;
    • it goes back and forth between the IdP and SuccessFactors screens.

Cause

The customer's Identity Provider is using the SHA-256 algorithm, which is not supported, to encrypt the SAML Assertion Response when sending it to SuccessFactors.

Resolution

SuccessFactors only supports the SHA-256 encryption algorithm after 2105 with IAS integration.

You have 2 options to fix this issue:

  • Access your IdP settings and ensure it is using the SHA-1 algorithm instead. SuccessFactors will always work with this one.
  • Or implement IAS on your SuccessFactors instance and use SHA-256 between your Corporate IdP-IAS and IAS-SuccessFactors.
    • For SF-IAS implementation, refer to KBA 2791410.

Important: some IdPs take considerable time to apply the algorithm change, so you may need to wait a couple of minutes for the cache to refresh the settings.

Please also check KBA 2957157 - When SSO BizX will upgrade the certificate based on SHA1?

Note: Supported algorithms - the SF public certificate is RSA sha1. The exact encryption algorithm depends on how encryption is handled on the IdP. Here is one sample.

<saml:EncryptedAssertion>
  <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="uuidb651afc1-0177-1b58-9ed5-dc0cb5f416b7" Type="http://www.w3.org/2001/04/xmlenc#Element">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></EncryptionMethod>
    <ds:KeyInfo>
      <EncryptedKey Id="uuidb651afc2-0177-181f-be5d-dc0cb5f416b7">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
        <ds:KeyInfo>
          <ds:KeyName>CN=SF Admin, OU=Ops, O=Successfactors.com,

(Full Sample in internal notes)
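
To confirm which algorithms an IdP is actually sending before and after changing its settings, the Algorithm attributes in a captured SAML response can be listed. The script below is an added example, not part of the SAP article or any SAP tool; it assumes the response was captured as the base64 SAMLResponse form field of an HTTP POST login, the function names are hypothetical, and the sample response is constructed.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
# Elements whose Algorithm attribute names the algorithm in use.
ROLES = {f"{{{DS}}}SignatureMethod": "signature",
         f"{{{DS}}}DigestMethod": "digest",
         f"{{{XENC}}}EncryptionMethod": "encryption"}

def hash_family(uri):
    """Return the hash named in an algorithm URI fragment, or 'n/a'."""
    frag = uri.rsplit("#", 1)[-1].lower()
    return next((n for n in ("sha256", "sha384", "sha512", "sha1") if n in frag), "n/a")

def list_algorithms(saml_response_b64):
    """Return (role, uri, hash) for each algorithm declared in a SAMLResponse."""
    raw = base64.b64decode(saml_response_b64)
    # A SAML message never needs a DTD; refusing one avoids entity tricks.
    if b"<!DOCTYPE" in raw:
        raise ValueError("DOCTYPE not allowed in SAML response")
    found = []
    for el in ET.fromstring(raw).iter():
        role, uri = ROLES.get(el.tag), el.get("Algorithm")
        if role and uri:
            found.append((role, uri, hash_family(uri)))
    return found

def sha256_roles(saml_response_b64):
    """Roles (signature/digest/encryption) where the IdP declares SHA-256."""
    return sorted({r for r, _, h in list_algorithms(saml_response_b64) if h == "sha256"})

# Constructed sample, not a real IdP response; EncryptionMethod values as in the snippet above.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#constructed"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
 </ds:SignedInfo></ds:Signature>
 <xenc:EncryptedData><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <ds:KeyInfo><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
  </xenc:EncryptedKey></ds:KeyInfo></xenc:EncryptedData>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()

if __name__ == "__main__":
    for role, uri, h in list_algorithms(SAMPLE_B64):
        print(f"{role:<10} {h:<7} {uri}")
```

An empty result from `sha256_roles` after the IdP change has taken effect indicates the response no longer declares SHA-256.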

Keywords

IdP, SSO, SSO configuration, spinning, spinning screen, back & forth screen, SSO issue, KBA, LOD-SF-PLT-SEL, SSO Errors & Logs, How To

Product

SAP SuccessFactors HCM Suite all versions