SAP Knowledge Base Article - Public

2820544 - All Users Able To Log Via SSO Regardless Security Policy

Symptom

Some of your business users who do not use SSO are assigned the security policy S_BUSINESS_USER, while others, who do use SSO, are assigned S_BUSINESS_USER_WITHOUT_PASSWORD.

However, users assigned the S_BUSINESS_USER policy are also able to log on via SSO if they add the suffix "-sso" to the tenant host name in the application URL (e.g. https://myXXXXXX-sso.crm.ondemand.com / https://myXXXXXX.sapbydesign.com).

Environment

  • SAP Cloud For Customer
  • SAP Business ByDesign

Reproducing the Issue

  1. Go to Administration (C4C) or Application and User Management (ByD).
  2. Go to Business Users.
  3. Enter any business user.
  4. Click Edit.
  5. In the Security Policy field, select the policy S_BUSINESS_USER.
  6. Save the user.
  7. Log off the system.
  8. Attempt to log on with that user using the "-sso" suffix in the URL.
  9. The user is able to log on.

Cause

None of the available security policies disables SSO for a user. The S_BUSINESS_USER_WITHOUT_PASSWORD policy can be used when you want a user to log on only via SSO (no password logon), but the reverse, restricting a user to password logon and disabling SSO, is not possible with a security policy.

Resolution

This is the standard behavior of the system.

If the feature/functionality is needed as a matter of urgency, please refer to KBA 3475641 - Functionality Currently not Available.

Keywords

SSO; Policies; Security; Logon; KBA; SRD-CC-SEC; How To

Product

SAP Business ByDesign all versions ; SAP Cloud for Customer add-ins all versions ; SAP Cloud for Customer core applications all versions