SAP Knowledge Base Article - Public

3320155 - How to set time out redirect URLs for your HXM Suite to redirect user to the login page

Symptom

Need to set redirect URLs for session timeout in SuccessFactors.

Environment

SAP SuccessFactors HXM Suite

Reproducing the Issue

Upon session timeout, user would be presented with a popup window showing 2 options: Login and Close.  

Then-> 

  • If the instance is using username/password with SuccessFactors directly for authentication, without integration with any IdP (IAS or Corporate IdP), upon session timeout, users will be redirected back to the SuccessFactors login page upon click on the Login button.
  • If the instance is integrated with an IdP for authentication (IAS or Corporate IdP), when users click on Login, users would be redirected to the page specified by the default session timeout redirect URL.
  • If the instance is integrated with IAS as the real IdP, if the session timeout redirect URL is not set, users will be redirected to /LandingPage_sessiontimeout.html.
  • If the instance is integrated with IAS as proxy IdP with a Corporate IdP as the real IdP, if the session timeout redirect URL is not set, system will default to SuccessFactors HXM login page.  

The default timeout redirect URL (e.g. https://performancemanager.successfactors.eu/LandingPage_sessiontimeout.html) is a static page, with instructions for user to close the browser and login again, however, there is no link to the login page, hence does not offer users a direct path to relogin.  

Screenshot of the default static page for session timeout, with updated design

You can check default session timeout redirect URLs for each DC in this KBA: Default Redirect URLs for Single Sign On

Cause

Desired Session Timeout redirect URL has not been correctly configured.

Resolution

To provide users with a direct link for login on the timeout redirect page, we would recommend that you change the session timeout redirect URL accordingly.  

This setting is done in-

  • Provisioning, in the Single Sign On page
    OR,
  • Admin Center, in the Manage SAML SSO Settings page.  

 

Options to change these redirect URLs depending on different scenario: 

[A] If the instance has IAS enabled and IAS itself is being used as the IdP for login: 

There are two mechanisms to change the session timeout redirect URL:  

  1. You can go to "Admin Center" > "Tools" > "SAML 2.0 Single Sign On"  > Set Non SAML redirect Links: > Redirect URL when session timeout: Enter the redirect URL when the session times out and the user select the login option.

    - Change the value of ‘Redirect URL when session timeout” to “/login?company=companyid”, then click Done button to save the change. 
  2. The Redirect URLs can also be set in Provisioning -> Single Sign-On (SSO) Settings. Considering that only Support and Implementation Partners have access to Provisioning, to change these URLs you need to contact your partner or create an incident to Support (under component LOD-SF-PLT-SAM)- 
    - First select the currently active IAS entry from the SAML Asserting Party (IdP) drop down list:  


    - Set the value of session timeout URL for the to your desired values for your enterprise, for example to “/login?company=companyId” 


    - Be sure to set Enable SP-Initiated login to Yes for this IAS:  

 

 

[B] If the instance has IAS enabled and a Corporate IdP is connected to IAS (which will be acting as Proxy IdP) for login: 

You can access the Manage SAML SSO Settings in "Admin Center" > "Tools" > "SAML 2.0 Single Sign On" and change the URL as described on the "Configure the URL redirect links" section of KBA 2569087. If the Corporate IdP entry is already created in that screen, just edit and input the redirect URLs as needed, for example, set the value of session timeour URL to to the default login page such as https://www.successfactors.com/login?company=companyId or to the IDP initiated login URL of your Corporate IdP. 

 

 
 
Note: If you do not have access to Manage SAML SSO Settings, check with your SuccessFactors Administrator to provide you with the permission to the feature as referred on KBA 2674588 

[C] If the instance does not have IAS enabled and is directly connected to a Corporate IdP (via Provisioning) for login: 

The Redirect URLs will need to be set in Provisioning -> Single Sign-On (SSO) Settings. Same steps as in option [A].2
Considering that only Support and Implementation Partners have access to Provisioning, to change these URLs you need to contact your partner or create an incident to Support (under component LOD-SF-PLT-SAM) 

Keywords

session,timeout,redirect,time,out,SSO,IAS,logout,log,out,corporate,idp , KBA , LOD-SF-PLT-SAM , SAML SSO First Time Setup , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , How To

Product

SAP SuccessFactors HXM Suite 2211

Attachments

Pasted image.png