2768478 - [SSO] How to change redirect URLs for Single Sign On

How to change the redirect URLs for Single Sign On?

• SAP SuccessFactors HCM Suite
• SAP Cloud Platform Identity Authentication Service 

When you enable Single Sign On on your instance, you have 5 scenarios where you can set a redirect URL:

• When users do logout
• When there is a session timeout
• When there is an invalid login
• When missing credentials
• When there is an invalid manager

These settings are done in Provisioning, in the Single Sign On page. The default value of this redirections is null. SAP has a list with all the default pages that our customers can use, in case you don't have any particular page to set for this. You can check all these URLs for each DC in this KBA:  2278269 - [SSO] Default Redirect URL's for Single Sign On.

Note: Beginning from the 2H2023 release, we will no longer verify whether a user has a valid manager in the system or not, irrespective of the login methods used. This change aligns with the removal of validation on invalid managers as documented in the SAP Help Portal (WNV: Removed Validation on Invalid Manager). Consequently, we have updated the default invalidmanager.html page to display an error message stating "Invalid Login Path by External User" instead of the previous message "Invalid Manager."

To change these redirect URL:

• If the instance has IAS enabled and a Corporate IdP is connected to IAS (which will be acting as Proxy IdP) for login:

You can access the Manage SAML SSO Settings in "Admin Center" > "Tools" > "SAML 2.0 Single Sign On" and change the URL as described on the "Configure the URL redirect links" section of KBA 2569087. If the Corporate IdP entry is already created in that screen, just edit and input the redirect URLs as needed.

⚠️ Note: If you do not have access to Manage SAML SSO Settings, check with your SuccessFactors Administrator to provide you with the permission to the feature as referred on KBA 2674588

Additionally, for the Logout Redirect URL, it is necessary to configure from the AIS admin console side: under "Identity Provider" > Corporate Identity Provider > Select the one being used > go to the last configuration option named "Logout Redirect URL" and configure the URL from there.

• If the instance has IAS enabled and IAS itself is being used as the IdP for login:
  
  There are two options to update the redirect URLs -
  
  - 1️⃣ (Recommended) You can go to "Admin Center" > "Tools" > "SAML 2.0 Single Sign On"  > Set Non SAML redirect Links: > Redirect URL when session timeout: Enter the redirect URL when the session times out and the user select the login option.
  
  - 2️⃣ The Redirect URLs can also be set in Provisioning -> Single Sign-On (SSO) Settings. ⚠️ Note: Considering that only Support and Implementation Partners have access to Provisioning, to change these URLs you need to contact your partner or create an case to Support (under component LOD-SF-PLT-SAM)
  
  
  

• If the instance does not have IAS enabled and is directly connected to any Corporate IdP (via Provisioning) for SSO login:

The Redirect URLs will need to be set in Provisioning -> Single Sign-On (SSO) Settings. Further details? Check KBA  2091975 ⚠️ Note: Considering that only Support and Implementation Partners have access to Provisioning, to change these URLs you need to contact your partner or create an case to Support (under component LOD-SF-PLT-SAM)

• 2278269 - [SSO] Default Redirect URLs for Single Sign On
• 2091975 - [SSO] Deeplinks within E-mail Notifications are not functional while on SSO - SAP for Me

Redirect URL, SSO, Single Sign On, URL, Logout, Session Timeout, Invalid Login, Missing Credentials, Invalid Manager , KBA , LOD-SF-PLT-SAM , SAML SSO First Time Setup , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , How To