Symptom
Important: this KBA and its instructions apply only to token-based (MD5-based, SHA1-based, DES/3DES-based) SSO scenarios.
- Some users are currently unable to log in to the instance through the token-based SSO method;
- End users are shown the "Invalid login" page when attempting to log in via SSO;
- Users are facing issues with their token-based SSO URLs.
Environment
SAP SuccessFactors HXM Suite
Reproducing the Issue
- Open your preferred browser;
- Enter the login URL, filled in with the proper parameters;
- Try to log in;
- You will not be allowed to.
Cause
The user might be:
- Using a broken URL (that is, one not built correctly, with each parameter in its proper place);
- Using a URL that contains outdated values for some parameter (e.g. holding a username value that was changed to something else in the system for that user);
- Using a URL that belongs to another user (the login URL is exclusive to each user).
Examples of parameters: username, password, tklogin_key, expire, callerharsh.
Each token-based SSO user has their own login URL. The URL parameters must be filled in with the proper values for each user, and those values are exclusive to that user.
This login URL contains several parameters; some of them might need a refresh, or the URL itself may have expired.
Resolution
Evaluate which of the possible causes above applies to the user, and correct their URL accordingly (if needed, generate a new login URL for the affected user).
Also ask the affected user to clear their browser cookies and cache before attempting to log in again. This helps clean up outdated values stored in the browser.
NOTE: URL generation is the responsibility of the customer administrator.
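The triage described above can be scripted. The following is an added example, not SAP code: it sorts a reported login URL into the causes listed in this KBA without echoing any token or password value. The parameter names are those spelled in this KBA; the required set, the `expire` timestamp format, the host name and the function name are assumptions to adjust to your own SSO configuration.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Names as listed in this KBA; which ones your configuration requires is an assumption.
REQUIRED = ("username", "tklogin_key", "expire", "callerharsh")
EXPIRE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed UTC timestamp format

# Constructed sample URL (hypothetical host and values).
SAMPLE_URL = ("https://sso.example.invalid/login?username=jdoe&tklogin_key=k1"
              "&expire=2024-06-01T00:00:00Z&callerharsh=abc123")

def triage_sso_url(url, expected_username, now=None):
    """Return findings mapped to the KBA's causes; values are never echoed."""
    now = now or datetime.now(timezone.utc)
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    findings = []
    # Cause 1: broken URL (parameter missing, repeated or empty).
    for name in REQUIRED:
        values = params.get(name, [])
        if not values:
            findings.append(f"broken URL: '{name}' is missing")
        elif len(values) > 1:
            findings.append(f"broken URL: '{name}' appears {len(values)} times")
        elif values[0] == "":
            findings.append(f"broken URL: '{name}' is empty")
    # Causes 2 and 3: username changed in the system, or URL of another user.
    username = params.get("username", [""])[0]
    if username and username != expected_username:
        findings.append("username mismatch: outdated value or another user's URL")
    # Expired URL: compare the expire parameter with the current time.
    expire = params.get("expire", [""])[0]
    if expire:
        try:
            when = datetime.strptime(expire, EXPIRE_FORMAT)
            if when.replace(tzinfo=timezone.utc) <= now:
                findings.append("URL has expired")
        except ValueError:
            findings.append("broken URL: 'expire' is not a valid timestamp")
    return findings

if __name__ == "__main__":
    for finding in triage_sso_url(SAMPLE_URL, "jdoe") or ["no structural problem found"]:
        print(finding)
```

An empty result only means the URL is structurally sound for the expected user; a new URL may still need to be generated by the administrator.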
Keywords
token-based, MD5-based, SHA1-based, DES/3DES-based, username, password, tklogin_key, expire, callerharsh, KBA, LOD-SF-PLT-SEL, SSO Errors & Logs, Problem