SAP Knowledge Base Article - Public

3380849 - Users can't login SF by SSO when they click the link in SF Email notification

Symptom

  • When a user is using proxy SSO, they can't log in to SF by SSO when they click the link in an SF email notification, but they can log in to SF by SSO when they use the SF login link.
  • The error message shown is: "Sorry, but you are currently not authorized to access"

Environment

SAP SuccessFactors HXM Core

Reproducing the Issue

Step 1: The initiator requests time off/leave.

Step 2: The approval request reaches the initiator's manager.

Step 3: After the manager approves, a workflow approval notification containing the link is sent to the initiator's business email address. When the initiator clicks the link to view the information, the error message is shown.

Cause

The SSO URL configuration is incorrect: it does not match the configuration described in the blog.

The process the customer triggered is SP-initiated SSO instead of IdP-initiated SSO, so the user needs to ask their IT team to change the URL on the IdP side.

Resolution

The user needs to change the URL on their side to "https://xxxx.accounts.ondemand.com/saml2/idp/acs/xxxx.accounts.ondemand.com" instead of "https://xxxx.accounts.ondemand.com/saml2/idp/acs/xxxx.accounts.ondemand.com?sp=<sp_name>&index=<index_number>".

For details, refer to "Step2: Create SAML Integration in OKTA > Single sign on URL > 3. Copy ‘Assertion Consumer Service Endpoint’ (ACS endpoint) URL" in the blog.
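
The check below is an added example, not code from SAP or from the referenced blog: it inspects a "Single sign on URL" value before it is saved on the IdP side and reports the differences from the URL form given in the Resolution. The function name and finding texts are hypothetical, and the sample values are this article's own placeholders.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Path and parameter names are taken from the two URLs in the Resolution.
ACS_PATH_PREFIX = "/saml2/idp/acs/"
FLAGGED_PARAMS = {"sp", "index"}


def check_acs_url(raw):
    """Return (corrected_url, findings) for a configured single sign-on URL."""
    findings = []
    url = raw.strip()
    if url != raw:
        findings.append("leading or trailing whitespace removed")

    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append(f"unexpected scheme {parts.scheme!r}")
    if not parts.path.startswith(ACS_PATH_PREFIX):
        findings.append(f"path does not start with {ACS_PATH_PREFIX}")

    # keep_blank_values so that 'sp=' with an empty value is still reported
    names = set(parse_qs(parts.query, keep_blank_values=True))
    flagged = sorted(names & FLAGGED_PARAMS)
    if flagged:
        findings.append("query parameters to remove: " + ", ".join(flagged))
    other = sorted(names - FLAGGED_PARAMS)
    if other:
        findings.append("other query parameters present: " + ", ".join(other))
    if parts.fragment:
        findings.append("fragment removed")

    # The URL form in the Resolution carries no query string and no fragment.
    corrected = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return corrected, findings


if __name__ == "__main__":
    # Constructed sample: the article's placeholder URL, with the stray
    # leading space that is easy to pick up when copying the value.
    sample = (" https://xxxx.accounts.ondemand.com/saml2/idp/acs/"
              "xxxx.accounts.ondemand.com?sp=<sp_name>&index=<index_number>")
    fixed, notes = check_acs_url(sample)
    print(fixed)
    for note in notes:
        print(" -", note)
```

An empty findings list means the value already has the form given in the Resolution.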

See Also

Connect Okta to Identity Authentication

Keywords

SSO, SAML, link, SP-initiated SSO, IdP-initiated SSO, KBA, LOD-SF-PLT-SAM, SAML SSO First Time Setup, Problem

Product

SAP SuccessFactors HCM Core all versions