Symptom
Customers can no longer access their instance in the same way as before, because the GET login method has been retired.
"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."
Environment
SuccessFactors BizX Platform
Cause
Some customers in non-SSO instances have built their usernames and passwords into their login URLs and then bookmarked them so that they could access SuccessFactors with a single click.
Example:
https://performancemanager.successfactors.com/login?company=XXXXXX&username=YYYYYY&password=ZZZZZZ
This type of URL invokes the GET login method, which is insecure because the credentials are built into the URL itself.
Resolution
As of the 1811 release, we will retire the non-SSO GET method for SuccessFactors login and enforce the POST login method to protect customers' sensitive data.
Customers who still use the GET login method, with username and password embedded in the login URL, will be redirected to the login page with an error message. Users then have to enter their username and password manually to log in successfully.
Why is it important?
The GET login method is not secure and puts customers' sensitive data at risk. The POST login method is more secure and protects customers' sensitive data.
Prerequisites
Customers who used the GET login method for system integration with non-SSO should change the integration from GET to POST accordingly, to avoid being redirected to the login page.
--------------------------------------------------------------------------------
Possible workaround to use POST login with built-in variables:
Note - There is no action on the SuccessFactors side for the following workaround. You must engage your internal IT team to see if the following can be achieved in your organisation.
Suppose your current login URL is https://hcm.sapsf.com/login?company=c&username=u&password=p, and you are using HTTP GET to log in.
To use an HTTP POST form instead, you can create an HTML page containing the form below and host it somewhere reachable from your network, for instance on the company intranet.
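<!-- Hidden fields carry the values that were previously in the URL query string. -->
<!-- They are readable in this page's source by anyone who can open the page. -->
<form id="loginForm" action="https://hcm.sapsf.com/login" method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="company" value="c" />
<input type="hidden" name="username" value="u" />
<input type="hidden" name="password" value="p" />
</form>
<script type="text/javascript">
// Submit the form as soon as the page loads, so the login is sent in the POST body.
document.getElementById("loginForm").submit();
</script>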
NOTE: If users access SuccessFactors with the URL https://<yourdatacenterURL>/login?company=<yourcompanyID>&loginMethod=PWD, no action is required in the customer environment.
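For a system integration that still holds a legacy GET login URL, the change described under Prerequisites can be made as follows. This is an added example, not SAP code: the helper names toPostLogin and redactLoginUrl are hypothetical, and the field names and encoding are taken from the workaround form above.

```javascript
// Added example (not SAP code). Field names and encoding follow the workaround form.
const LOGIN_FIELDS = ["company", "username", "password"];

// Turn a legacy GET login URL into { url, init } for fetch(url, init).
// Returns null when the URL carries no credentials and needs no change.
function toPostLogin(legacyUrl) {
  const url = new URL(legacyUrl);
  if (url.protocol !== "https:") {
    throw new Error("refusing to send credentials over " + url.protocol);
  }
  if (!url.searchParams.has("username") && !url.searchParams.has("password")) {
    return null; // e.g. ...?company=<id>&loginMethod=PWD
  }
  const body = new URLSearchParams();
  for (const name of LOGIN_FIELDS) {
    const value = url.searchParams.get(name);
    if (value === null) throw new Error("missing login field: " + name);
    body.set(name, value);          // credentials move into the request body
    url.searchParams.delete(name);  // and out of the URL
  }
  return {
    url: url.origin + url.pathname + url.search, // other query parameters are kept
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Mask the password so a legacy URL can be written to a migration log.
function redactLoginUrl(legacyUrl) {
  const url = new URL(legacyUrl);
  if (url.searchParams.has("password")) url.searchParams.set("password", "REDACTED");
  return url.toString();
}

// Constructed sample: the example URL from this page.
const sample = "https://hcm.sapsf.com/login?company=c&username=u&password=p";
console.log(redactLoginUrl(sample));
console.log(toPostLogin(sample));
```

The returned object can be passed to fetch(result.url, result.init); the URL that is sent no longer contains the username or password.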
Keywords
Retire GET method, Enforce POST, Non-SSO login, KBA, LOD-SF-PLT, Platform Foundational Capabilities, LOD-SF-PLT-LPG, Log In Page Issues (Non SSO), Product Enhancement