Symptom
Some of your business users do not use SSO and are assigned the security policy S_BUSINESS_USER, while others use SSO and are assigned S_BUSINESS_USER_WITHOUT_PASSWORD.
However, users with the S_BUSINESS_USER policy can also log on using SSO if they add the tag "-sso" to the application URL (e.g. https://myXXXXXX-sso.crm.ondemand.com / https://myXXXXXX.sapbydesign.com).
Environment
- SAP Cloud For Customer
- SAP Business ByDesign
Reproducing the Issue
- Go to Administration (C4C) or Application and User Management (ByD).
- Go to Business Users.
- Enter any business user.
- Click Edit.
- In the Security Policy field, select the policy S_BUSINESS_USER.
- Save the user.
- Log off the system.
- Attempt to log on with the user, using the tag "-sso" in the URL.
- The user is able to log on.
Cause
None of the available policies disables SSO for a user. The S_BUSINESS_USER_WITHOUT_PASSWORD policy can be used when you want a user to log on only through SSO, but the reverse (password logon only, with SSO disabled) is not possible.
Resolution
This is the standard behavior of the system.
If the feature/functionality is needed as a matter of urgency, please refer to KBA 3475641 - Functionality Currently not Available.
Keywords
SSO; Policies; Security; Logon; KBA; SRD-CC-SEC; How To