SAP Knowledge Base Article - Public

3039315 - Unable to access Story reports due to incorrect Corporate IDP settings in IAS

Symptom

  • This article describes one of the possible solutions for being unable to access Story reports when trying to create or run them. For full details, see KBA 2912865.
  • The following error message may be displayed: "Unable to access Story reports. Please ensure that third-party cookies are enabled in your browser settings and try again. If the issue persists, please contact your system administrator to check the identity authentication settings and resolve the issue. For more information, refer to the Knowledge Base article 2912865"

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors HCM Suite

  • Analytics & Reporting (Ad Hoc, YouCalc, ORD)
    • Story Reports
      • IAS configurations

Reproducing the Issue

After successfully upgrading to Story reports in SuccessFactors and completing all implementation steps (such as user synchronization and permission assignment):

  1. Navigate to Report Center
  2. Click New
  3. Select Story

You may encounter either a blank or continuously loading screen, or an error message may be displayed.

Cause

The issue is caused by misconfiguration of the Corporate Identity Provider (IDP) in IAS. Possible misconfigurations include:

  1. Forward all SSO requests to Corporate IDP is enabled
  2. Use Identity Authentication user store is disabled
  3. Trust All Corporate Identity Providers is disabled for SuccessFactors and/or SF Analytics
  4. Single Sign-On URL mismatch between Corporate IDP and IAS ACS endpoint

Resolution

For companies using a third-party identity provider for SSO:

1. Disable 'Forward all SSO Requests to Corporate IdP' toggle

  • Problem: Because the Story report is embedded in SuccessFactors, the call to the Corporate IdP does not succeed when the toggle is ON.
  • Reason: All requests are redirected to the Corporate IdP, even when you were already authenticated on the Corporate IdP when first accessing SuccessFactors.
  • Solution: Turn off the flag responsible for redirecting all requests to the Corporate IdP.

2. Enable 'Use Identity Authentication user store' toggle

Story reports authenticate using the UUID, which is a parameter from SuccessFactors (synchronized by IPS). The IAS user store is required to obtain that parameter, so the flag below must be enabled for all IdPs set up in your IAS.

To check the flag, follow the steps below:

  1. Log in to the IAS admin console.
  2. Go to Identity Provider -> Corporate Identity Providers.
  3. Select the third-party IdP the customer is using (there can be multiple IdPs set up here, so make sure all IdPs have this setting, or at least all that can log in to the SuccessFactors instance).
  4. Select Identity Federation (in the right pane).
  5. Make sure that the first option, Use Identity Authentication user store, is ON.

3. Enable 'Trust All Corporate Identity Providers' toggle

Make sure that 'Trust All Corporate Identity Providers' is turned 'ON' for both the SuccessFactors and SF Analytics applications. This is required because, if the corporate IdP is not whitelisted by SAP, it might prevent Story from working.

To check the flag, follow the steps below:

  1. Log in to the IAS admin console.
  2. Go to Applications & Resources -> Applications.
  3. Under Bundled Applications, make sure 'Trust All Corporate Identity Providers' is 'ON' for both the SuccessFactors and SF Analytics applications.

4. Single Sign On URL not matching

Check whether the single sign-on URL currently set in your corporate IdP is the same as the Assertion Consumer Service (ACS) URL shown in the administration console of your IAS tenant.

Follow the steps below to check the Assertion Consumer Service URL in your IAS:

  1. Open the IAS administration console
  2. Go to Applications & Resources
  3. Select Tenant Settings
  4. Click the 'Single Sign-On' tab, then 'SAML 2.0 Configuration'
  5. Check the URL under 'Assertion Consumer Service Endpoints'

If the URL is different, copy the ACS endpoint shown in your IAS tenant and add it as a new requestable SSO URL.
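The comparison in step 4 can also be scripted. The following is an added example, not part of this KBA and not SAP code: it reads the ACS endpoints from SAML 2.0 service provider metadata and compares them with the SSO URL configured in the corporate IdP. It assumes the tenant's metadata XML has been exported; the host name, URL path and metadata below are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HOST = "example-tenant.accounts.example"  # placeholder tenant host (constructed)

# Constructed sample of SAML 2.0 SP metadata; not taken from a real tenant.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://{HOST}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://{HOST}/saml2/idp/acs/{HOST}"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def normalize(url):
    """Lower-case scheme and host, drop default ports; path and query stay as-is."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    default = {"https": 443, "http": 80}.get(scheme)
    port = "" if p.port in (None, default) else f":{p.port}"
    query = f"?{p.query}" if p.query else ""
    return f"{scheme}://{host}{port}{p.path}{query}"


def acs_endpoints(metadata_xml):
    """Return (binding, location) for every ACS endpoint in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.iter(MD + "AssertionConsumerService")]


def check_sso_url(idp_sso_url, metadata_xml):
    """Compare the SSO URL set in the corporate IdP with the ACS endpoints."""
    locations = [loc for _, loc in acs_endpoints(metadata_xml)]
    wanted = normalize(idp_sso_url)
    matches = [loc for loc in locations if normalize(loc) == wanted]
    # On a mismatch, return the endpoints that should be configured instead.
    return ("match", matches) if matches else ("mismatch", locations)


if __name__ == "__main__":
    stale = f"https://{HOST}/saml2/idp/acs/old-tenant.accounts.example"
    print(check_sso_url(stale, SAMPLE_METADATA))
```

A "mismatch" result lists the ACS endpoint(s) from the metadata, which is the value to copy into the corporate IdP as described above.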

See Also

2912865 - [Main KBA] Unable to access Story reports in SuccessFactors

Keywords

Story Report access issue, embedded SAC not loading, Corporate IDP misconfiguration, IAS settings, Identity Authentication Service, SSO URL mismatch, Trust All Corporate Identity Providers, Use IAS user store, Forward all requests to Corporate IDP, Story report not opening, Report Center issue, SuccessFactors Story error, Story report blank screen, SAML configuration, Assertion Consumer Service URL, SAP Analytics Cloud embedded, SAP SuccessFactors authentication, story access denied, story report fails to load, story report login loop, corporate identity provider setup, IAS federation settings, SAP story report troubleshooting , KBA , LOD-SF-ANA-SAC-IAS , IAS configurations , LOD-SF-ANA-SAC , Stories in People Analytics , LOD-SF-ANA-SAC-ADM , SF Admin configurations (Security Center, Provisioning) , Problem

Product

SAP SuccessFactors HCM Suite 2511 ; SAP SuccessFactors Platform 2511
