Symptom
When IAS is integrated with an IdP, authentication to IAS can fail in the scenarios below (there may be others not listed here). IAS then sends a SAML message to SuccessFactors reporting that authentication has failed, as in the example below.
- The user is not replicated to IAS and the feature Allow Identity Authentication users only is enabled:
  - Under Identity Providers -> Corporate Identity Providers -> Federation, Allow Identity Authentication users only is ON;
  - The user who is trying to access does not exist in IAS;
- The SAML authentication request sent from the IdP does not have the Name ID parameter.
Example of the SAML response that IAS sends to SuccessFactors to report the failure:
<Response
    xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ns4="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ns3="http://www.w3.org/2000/09/xmldsig#"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    Destination="https://salesdemo4.successfactors.com/saml2/SAMLAssertionConsumer?company=SFPART051986"
    ID="RES-SSO-20f4b5b6-0106-4e77-ba83-7e1ddeba153b"
    InResponseTo="_c014201e-505f-4ad3-a29f-c75bc842f30d"
    IssueInstant="2021-08-27T13:14:07.419Z" Version="2.0">
  <ns2:Issuer>
    sfbrazil.accounts400.ondemand.com
  </ns2:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
    <StatusMessage>Failed to authenticate user.
    </StatusMessage>
  </Status>
</Response>
Environment
- SAP SuccessFactors HXM Suite
- SAP Identity Authentication
Cause
This is caused by a configuration issue. Authentication fails on IAS, and the loop is generated because SuccessFactors currently does not handle the IAS response that reports "Failed to authenticate user".
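To confirm this condition from a SAML trace, the status of each decoded response can be read out and repeated failures from one issuer counted. The following is an added example, not SAP code; the function names, the loop threshold of 3 and the InResponseTo values are assumptions, and the sample is constructed from the response shown above.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample modelled on the failure response in this article;
# the ID and InResponseTo values filled in below are made up.
TEMPLATE = """<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="RES-SSO-{n}" InResponseTo="{req}" Version="2.0">
  <ns2:Issuer>sfbrazil.accounts400.ondemand.com</ns2:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
    <StatusMessage>Failed to authenticate user.
    </StatusMessage>
  </Status>
</Response>"""

def summarize(xml_text):
    """Extract the fields that decide how a decoded SAML Response is handled."""
    # Fine for this inline sample; parse untrusted XML with a hardened parser.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["p"]:
        raise ValueError("not a SAML 2.0 protocol Response")
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None:
        raise ValueError("Response carries no Status/StatusCode")
    has_assertion = (root.find("a:Assertion", NS) is not None
                     or root.find("a:EncryptedAssertion", NS) is not None)
    return {
        "issuer": root.findtext("a:Issuer", "", NS).strip(),
        "in_response_to": root.get("InResponseTo"),
        "status": code.get("Value"),
        "message": root.findtext("p:Status/p:StatusMessage", "", NS).strip(),
        "has_assertion": has_assertion,
    }

def is_failure(summary):
    """Anything other than Success with an assertion ends the login attempt."""
    return summary["status"] != SUCCESS or not summary["has_assertion"]

def looks_like_loop(responses, threshold=3):  # threshold is an assumed value
    """True when one issuer answers `threshold` distinct requests with failures."""
    failed = {}
    for s in map(summarize, responses):
        if is_failure(s):
            failed.setdefault(s["issuer"], set()).add(s["in_response_to"])
    return any(len(reqs) >= threshold for reqs in failed.values())

TRACE = [TEMPLATE.format(n=i, req="_req-%d" % i) for i in range(3)]
```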
Resolution
Since this is a configuration issue, you can refer to knowledge base article [2954188 - Failing to login to SuccessFactors instance through SAP IAS (Identity Authentication)] to resolve the configuration and allow the user access to the system.
In some situations, an infinite loop occurs instead of an error message. In such situations, please reach out to the support team under LOD-SF-PLT-IAS.
Keywords
SSO loop issue error IAS, PLT-78808, Failed to authenticate user, IAS, sf, sfsf, sf sf, SuccessFactors, SuccessFactor, Success, Factor, bizx, IPS, SSO, SAML trace, KBA, LOD-SF-PLT-IAS, Identity Authentication Services (IAS) With BizX, BC-IAM-IDS, Identity Authentication Service, Problem