SAP Knowledge Base Article - Public

3091634 - When IAS is integrated with an IdP and there is an issue, SuccessFactors generates an infinite loop of login attempts

Symptom

When IAS is integrated with an IdP, authentication to IAS fails in the scenarios below (there may be others not listed here). IAS then sends a SAML response to SuccessFactors informing it that authentication has failed, as in the example below.

  • The user is not replicated to IAS and the feature "Allow Identity Authentication users only" is enabled:
    • Under Identity Providers -> Corporate Identity Providers -> Federation, "Allow Identity Authentication users only" is ON;
    • The user who is trying to log in does not exist on IAS;
  • The SAML Authentication request sent from the IdP does not have the Name ID parameter.

Example of the SAML response that IAS sends to SF to report the failure:

<Response
    xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ns4="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ns3="http://www.w3.org/2000/09/xmldsig#"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    Destination="https://salesdemo4.successfactors.com/saml2/SAMLAssertionConsumer?company=SFPART051986"
    ID="RES-SSO-20f4b5b6-0106-4e77-ba83-7e1ddeba153b"
    InResponseTo="_c014201e-505f-4ad3-a29f-c75bc842f30d"
    IssueInstant="2021-08-27T13:14:07.419Z" Version="2.0">
  <ns2:Issuer>sfbrazil.accounts400.ondemand.com</ns2:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
    <StatusMessage>Failed to authenticate user.</StatusMessage>
  </Status>
</Response>
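When reading a SAML trace for this symptom, the fields that matter in each response are the issuer, InResponseTo, the top-level StatusCode and the StatusMessage. The following is an added example, not SAP code: it extracts those fields and flags an issuer that answers several distinct requests with a failure status, which is the loop pattern described here. The host ias.example.invalid, the function names and the threshold of 3 are assumptions of the example.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample in the shape of the response above; every value is a placeholder.
TEMPLATE = """<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="RES-{n}" InResponseTo="_req-{n}" Version="2.0">
  <ns2:Issuer>ias.example.invalid</ns2:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:{code}"/>
    <StatusMessage>{msg}</StatusMessage>
  </Status>
</Response>"""


def read_status(xml_text):
    """Extract issuer, InResponseTo and top-level status from a SAML Response."""
    # Refuse DTDs and entity declarations before the text reaches the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in SAML message")
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "Response":
        raise ValueError("not a SAML 2.0 Response")
    code = root.find(f"{SAMLP}Status/{SAMLP}StatusCode")
    if code is None:
        raise ValueError("Response has no StatusCode")
    return {
        "issuer": (root.findtext(SAML + "Issuer") or "").strip(),
        "in_response_to": root.get("InResponseTo"),
        "status": code.get("Value"),
        "message": (root.findtext(f"{SAMLP}Status/{SAMLP}StatusMessage") or "").strip(),
        "failed": code.get("Value") != SUCCESS,
    }


def looping_issuers(xml_messages, threshold=3):
    """Issuers whose failed responses answer `threshold` or more distinct requests."""
    failed_requests = {}
    for text in xml_messages:
        status = read_status(text)
        if status["failed"]:
            failed_requests.setdefault(status["issuer"], set()).add(status["in_response_to"])
    return sorted(i for i, ids in failed_requests.items() if len(ids) >= threshold)


if __name__ == "__main__":
    trace = [TEMPLATE.format(n=n, code="Responder", msg="Failed to authenticate user.")
             for n in range(1, 4)]
    print(read_status(trace[0]))
    print("possible login loop:", looping_issuers(trace))
```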

Environment

  • SAP SuccessFactors HXM Suite
  • SAP Identity Authentication

Cause

The loop is triggered by a configuration issue that causes authentication to fail on IAS. SuccessFactors currently does not handle the IAS response that reports "Failed to authenticate user", and the loop is the result.

Resolution

Since this is a configuration issue, you can refer to this handy knowledge base article [2954188 - Failing to login to SuccessFactors instance through SAP IAS (Identity Authentication)] to resolve the configuration and allow the user access to the system.

In some situations an infinite loop occurs instead of an error message. In such situations, please reach out to the support team under LOD-SF-PLT-IAS.

Keywords

SSO loop issue error IAS, PLT-78808, Failed to authenticate user, IAS, sf, sfsf , sf sf, SuccessFactors, SuccessFactor, Success, Factor, bizx, IPS, SSO, SAML trace , KBA , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , BC-IAM-IDS , Identity Authentication Service , Known Error

Product

SAP SuccessFactors HXM Core 2105