2758051 - Change Authorized SP Assertion Consumer Service Settings via SuccessFactors Provisioning

• There is a requirement to add or modify a third-party Assertion Consumer Service (ACS) URL for a SuccessFactors environment.
• When reviewing the Authorized SP Assertion Consumer Service Settings in the SuccessFactors UI, there is a need to add or update values for one or more of the following fields:
  
  • Assertion Consumer Service
  • Logout URL
  • Audience URL
  • SP Mapping Key
  • Prevent Proxy User
  • Use Email Assertion

Image/data in this KBA is from SAP internal systems, sample data, or systems. Any resemblance to real data is purely coincidental.

SAP SuccessFactors HCM Suite

New URLs for Authorized SP Assertion Consumer Service Settings can only be configured through the Provisioning system (the instance back-end system).

In "Authorized SP Assertion Consumer Service Settings" from SuccessFactors UI, customers can only edit or delete existing entries for the following fields:

• Login URL
• Logout URL
• Application Name 

To add any new URL's to your Authorized SP Assertion Consumer Service Settings, please engage your Implementation Partner.

If there is no implementation partner available, a support case should be created under component LOD-SF-PLT-OBD, including the URLs that need to be added, changed, or deleted.

Note: It is not possible to have duplicate URLs. Should there be any requirement for a duplicate URL as a workaround, you could add an additional query string as an additional parameter that this ACS domain can accept without error. For example, add ?RelayState=??? or ?page=??? to the end of this ACS URL.

Important: When the Use Email Assertion checkbox is enabled, the system sends the Email Address as the NameID instead of the User ID in the SAML assertion.

The email address is not always a unique value. For this reason, by default, SuccessFactors sends the User ID as the NameID parameter in the SAML message. This is the recommended configuration because the User ID is a unique identifier.

If Use Email Assertion is enabled and multiple users share the same email address, the authentication process may fail. For this reason, SAP recommends not enabling the Use Email Assertion option unless it is ensured that email addresses are unique for all users.

3094102 - SuccessFactors - How to update the provisioning Assertion Consumer settings and change the signature algorithm?

SuccessFactors, Logout Url, Audience Url, SP Mapping Key, Prevent Proxy User, Use Email Assertion, ACS, HTML5 Apps,  Assertion Consumer Service, Platform, LOD-SF-PLT, LOD-SF-INT, Use Email Assertion, Authorized Service Provider Assertion Consumer Services , KBA , LOD-SF-PLT-OBD , Outbound SSO , LOD-SF-INT-PRV , Provisioning Changes , How To