Symptom
- Internal candidates are receiving an Identity Provider error when trying to apply for jobs.
- Error: "Identity Provider could not process the authentication request received."
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
Environment
- SAP SuccessFactors Recruiting Management
- SAP SuccessFactors Recruiting Marketing
Reproducing the Issue
- Log in to SuccessFactors via SSO;
- Click on Home > Careers;
- It shows "You have now been authenticated..." and opens the Internal Career Site powered by CSB;
- Search and open a job posting;
- Click "Apply Now";
- Receiving an error "Identity Provider could not process the authentication request received. Delete your browser cache and stored cookies, and restart your browser. If you still experience issues after doing this, please contact your administrator."
Cause
Incorrect Redirect URLs in the Manage Service Provider Configuration for Identity Authentication Service (IAS) configuration (Previously 'Career Site Identity Provider (IDP) configuration').
Resolution
Scenario 1:
If this is the first time to configure the feature, follow the steps of Configuring IAS SAML 2.0 Integration in the Admin Center. Once the steps are completed, the Redirect URLs in the configuration will be automatically populated.
Scenario 2:
If the issue occurs after an Instance Refresh, follow the KBA 3496434 to resolve it.
Scenario 3:
If there is any error when saving the configuration in 'Manage Service Provider Configuration for Identity Authentication Service (IAS)', it would be necessary to manually modify those URLs. Refer to the Review Tips below.
After manually updating the configuration, delete the browser caches and cookies, and restart the browser.
Review Tips
Navigate to Admin Center > Manage Data > Recruiting Career Single Sign-On Configuration.
1. There are 8 Redirect URLs and the following 7 are the same. Only the "Redirect URL for Logout" is the RMK Portal URL.
2. The URL pattern is: https://tenantID.accounts400.ondemand.com/saml2/idp/sso/tenantID.accounts400.ondemand.com?sp=https%3A%2F%2Fcareer[n].successfactors.com%2FCompanyID
Please double check the strings such as "https%3A%2F%2F" to make sure there are no missing characters.
3. The Service Provider (sp=) in the URL is the Recruiting Management Career Site entity. Its domain is something like "career[n].successfactors.com".
NOTE: It is not "www.successfactors.com" or "hcm[n]preview.sapsf.com".
You can verify the Career Site domain by exporting the Career Site metadata.
- Go to Admin Center > Manage Service Provider Configuration for Identity Authentication Service (IAS);
- Export Metadata;
- Open the XML file;
- Search for "entityID=" and you will see a URL "https://career[n].successfactors.com/CompanyID".
4. There are also two Service URLs for logout requests. Pay attention that it is "slo" (Single Logout).
- Service URL for Service Provider Global Logout (Logout Request Destination): https://tenantID.accounts400.ondemand.com/saml2/idp/slo/tenantID.accounts400.ondemand.com?sp=https%3A%2F%2Fcareer[n].successfactors.com%2FCompanyID
- Service URL for Identification Provider Global Logout (Logout Request Destination): https://tenantID.accounts400.ondemand.com/saml2/idp/slo/tenantID.accounts400.ondemand.com
See Also
Keywords
RMK, RCM, Careers, IAS, Identity Authentication Service, authentication error, IDP, Identity Provider, SAML, SSO, Single Sign On, failure, error when applying, employee , KBA , LOD-SF-RMK-ICS , Internal Career Site Builder (CSB, IAS, etc ...) , LOD-SF-RMK , Recruiting Marketing , Problem
Product
Attachments
image.png |
image.png |