SAP Knowledge Base Article - Public

3073172 - Logout not redirecting to Logout URL redirect when users trigger logout

Symptom

  • The user clicks the Settings dropdown -> Logout but is not redirected to the logout URL set up in Provisioning or in Manage SAML SSO Configurations;
    • They are simply logged in again;
    • They see a different page once they log out from their SSO;
  • When logging out from SuccessFactors with IAS integrated, the user is redirected to a new login.

Environment

SAP SuccessFactors HXM Suite

Reproducing the Issue

  1. The user triggers the logout from the Settings dropdown in the upper right corner of any SF screen;
  2. The user is not redirected to the expected URL.

Cause

This is expected behavior caused by configuration.

Resolution

There are multiple possible causes for this issue, depending on your scenario:

In SuccessFactors Provisioning -> SSO Settings:

  • Make sure the field "Please enter the redirect URL when logout:" is filled in with the desired URL;

In SuccessFactors Provisioning -> Authorized SP Assertion Consumer Service Settings:

  • Make sure that every system listed here is actually integrated with the SuccessFactors tenant that you are working with;
  • For example, consider a cross-instance integration like this:
    • You have two SF instances, let's call them BizX T1 and BizX T2, each with its own LMS (LMS T1 and LMS T2);
    • Let's say LMS T1 and LMS T2 are correctly integrated with BizX T1 and BizX T2 respectively;
    • But in Authorized SP Assertion Consumer Service Settings you have the URLs for both LMS T1 and LMS T2 (it could be that the LMS T2 entry was copied over by a refresh and not cleaned up);
    • When your user triggers the logout, SuccessFactors calls every system URL set up in Authorized SP Assertion Consumer Service Settings to perform the logout;
    • When BizX T1 sends the logout request to LMS T2, LMS T2 replies to the other instance, so BizX T1 cannot complete the logout process and redirect;
      • Depending on the system that is set up and on other third-party settings, this could even trigger a new login;

Note: BizX Generic IDP (SP configured on the Authorized SP Assertion Consumer Service Settings page) does not support SP-initiated logout requests from the SP side. This is a known issue, and the SSO team has no plan to enhance this at this moment.

On your Corporate IdP:

  • Make sure that all the URLs are set up as per the metadata (which you can create based on this KBA https://launchpad.support.sap.com/#/notes/0002747798);
  • If you have set up SP-Initiated Logout, make sure that it is set up with the correct URLs and that it is signing the response (if that is set up in Provisioning SSO Settings);
  • Work with your IdP team and your implementation partner so that both systems are set up to expect the same things.

If you face issues, please generate SAML-Tracer logs as described in this KBA https://apps.support.sap.com/sap/support/knowledge/en/2461862. With them you can check where the failure is happening, for example whether the logout request reaches SuccessFactors but your IdP is not responding correctly.
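One way to read such a trace, as an added example that is not SAP's code: the script below takes the logout URLs copied from a capture, decodes each SAMLRequest/SAMLResponse, and reports logout requests that were never answered, responses that answer a request from a different exchange, non-Success statuses, and unsigned responses. The hosts, IDs and the `redirect_url` helper are constructed for illustration, and the signature check only tests presence, not validity.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

P = "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}Signature"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def decode(value):
    """Base64-decode a SAML message; inflate it if HTTP-Redirect was used."""
    raw = base64.b64decode(value)
    try:
        raw = zlib.decompress(raw, -15)   # HTTP-Redirect: raw DEFLATE
    except zlib.error:
        pass                              # HTTP-POST: Base64 only
    if b"<!DOCTYPE" in raw:               # refuse DTDs in captured input
        raise ValueError("DOCTYPE not allowed in a SAML message")
    return ET.fromstring(raw)

def audit_logout(urls):
    """Pair LogoutRequests with LogoutResponses; return the problems found."""
    pending, findings = {}, []
    for url in urls:
        qs = parse_qs(urlparse(url).query)
        for value in qs.get("SAMLRequest", []) + qs.get("SAMLResponse", []):
            msg = decode(value)
            if msg.tag == f"{{{P}}}LogoutRequest":
                pending[msg.get("ID")] = msg.get("Destination", "?")
            elif msg.tag == f"{{{P}}}LogoutResponse":
                ref = msg.get("InResponseTo")
                if pending.pop(ref, None) is None:
                    findings.append(f"{ref}: response to a request not in this trace")
                code = msg.find(f"{{{P}}}Status/{{{P}}}StatusCode")
                if code is None or code.get("Value") != SUCCESS:
                    findings.append(f"{ref}: status is not Success")
                if "Signature" not in qs and msg.find(DSIG) is None:  # presence only
                    findings.append(f"{ref}: response is unsigned")
    return findings + [f"{i}: no response from {d}" for i, d in pending.items()]

# Constructed sample trace: hosts and IDs are placeholders, not from the KBA.
def redirect_url(param, xml):
    c = zlib.compressobj(wbits=-15)       # raw DEFLATE, as HTTP-Redirect uses
    blob = base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
    return "https://sp.example/slo?" + urlencode({param: blob})

REQ = f'<p:LogoutRequest xmlns:p="{P}" ID="_a1" Destination="https://lms-t2.example/slo"/>'
RESP = (f'<p:LogoutResponse xmlns:p="{P}" InResponseTo="_zz"><p:Status>'
        f'<p:StatusCode Value="{SUCCESS}"/></p:Status></p:LogoutResponse>')
SAMPLE = [redirect_url("SAMLRequest", REQ), redirect_url("SAMLResponse", RESP)]
print(audit_logout(SAMPLE))
```

An unanswered request together with a response to an unknown request ID is the pattern to expect when a stale entry in Authorized SP Assertion Consumer Service Settings replies to another instance.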

Before engaging the SuccessFactors support team, review this document with your Corporate IdP team and implementation partner, as most of the settings that might affect this are configuration issues in a third-party application or settings on our side that depend on third-party applications.

Keywords

SSO Redirect logout re-login , KBA , LOD-SF-PLT-SEL , SSO Errors & Logs , How To

Product

SAP SuccessFactors HXM Core 2105