2768478 - [SSO] How to change redirect URLs for Single Sign On - SuccessFactors

How to change the redirect URLs for Single Sign On?

• SAP SuccessFactors HCM Suite
• SAP Cloud Platform Identity Authentication Service 

When Single Sign On is enabled, there are 5 scenarios for redirect URLs:

• When users logout
• When there is a session timeout
• When there is an invalid login
• When missing credentials
• When there is an invalid manager

The default value of this redirections is null. SAP has a list with all the default pages that our customers can use, in case you don't have any particular page to set for this. You can check all these URLs for each DC in this KBA:  2278269 - [SSO] Default Redirect URL's for Single Sign On.

To change these redirect URL:

• If the instance is IAS enabled and IAS itself is being used as the IdP for login:

- Option 1 (Recommended): You can go to Manage SAML SSO Settings > Set Non SAML redirect Links and enter the redirect URLs as needed.
- Option 2: The Redirect URLs can also be set in Provisioning -> Single Sign-On (SSO) Settings. Considering that only Support and Implementation Partners have access to Provisioning, to change these URLs you need to contact your partner or create a case to Support under component LOD-SF-PLT-SAM.

• If the instance has IAS enabled and a Corporate IdP is connected to IAS (which will be acting as Proxy IdP):

You can access the Manage SAML SSO Settings in Admin Center and change the URL as described on the "Configure the URL redirect links" section of KBA 2569087. If the Corporate IdP entry is already created in that screen, just edit and input the redirect URLs as needed.

Note: If you do not have access to Manage SAML SSO Settings, check with your SuccessFactors Administrator to provide you with the permission to the feature as referred on KBA 2674588.

Additionally, for the Logout Redirect URL, it is necessary to configure from the IAS admin console side:

1. Go to "Identity Provider" > Corporate Identity Provider
2. Select the one being used
3. Go to the last configuration option named "Logout Redirect URL" and configure the URL from there
   
   

• If the instance does not have IAS enabled and is directly connected to any Corporate IdP (via Provisioning) for SSO login:

The Redirect URLs will need to be set in Provisioning > Single Sign-On (SSO) Settings. Considering that only Support and Implementation Partners have access to Provisioning, to change these URLs you need to contact your partner or create a case to Support under component LOD-SF-PLT-SAM providing the URLs.

Note: Beginning from the 2H2023 release, we will no longer verify whether a user has a valid manager in the system or not, irrespective of the login methods used. This change aligns with the removal of validation on invalid managers. Consequently, we have updated the default invalidmanager.html page to display an error message stating "Invalid Login Path by External User" instead of the previous message "Invalid Manager."

• 2278269 - [SSO] Default Redirect URLs for Single Sign On
• 2091975 - [SSO] Deeplinks within E-mail Notifications are not functional while on SSO - SAP for Me

Redirect URL, SSO, Single Sign On, URL, Logout, Session Timeout, Invalid Login, Missing Credentials, Invalid Manager , KBA , LOD-SF-PLT-SAM , SAML SSO First Time Setup , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , LOD-SF-PLT-SEL , SSO Errors & Logs , How To