3508873 - Understanding SAML traces for Story troubleshooting

While troubleshooting blank/loading screen issues when creating/running Story reports via Report Center, you followed KBA 3508799 and want to cross check the information shown in the log with IAS/SF settings.

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

SAP SuccessFactors HCM Suite

1. Follow the KBA 3508799 - How to collect SAML traces for Story troubleshooting
2. Open the URL you usually use to access SuccessFactors
3. First there will be an authentication request

    4. Click on the "Summary" tab

    5. In “Destination” you will see the IdP and it is looking for the “Issuer”:

    6. The ”Destination” URL should match with the ”Single Sign-On Redirect Service Location” URL set in provisioning (Go to the Provisioning of the affected Company ID > Single Sign-On (SSO) Settings >Single Sign-On Redirect Service Location):

     7. The ”Issuer” needs to match with the URL set in IAS > Application and Resources > Application > SuccessFactors > SAML 2.0 Configuration > Name

    8. After login we will see the response for IAS (the “Issuer” in the Response sometimes will not match with the host of IAS. Sometimes IAS host is “.could.sap” and the issuer will still be “.ondemand.com”)

    9. In the same tab we will see the NameID of the person who sent the request (logged in user):

    10. Check the “Summary” tab and confirm that the username or email is correctly set as “Subject”:

    11. The ”NameID” and “Subject” (check the 2 screenshots above) found in the SAML tracer must match with the username or email set in SuccessFactors. We can create a table report with the Employee Profile domain to check what is the username or email set in SuccessFactors for the logged in user. In the example below we can see that the "NameID" is matching with the username set in SuccessFactors:

NOTE: If any of the above mentioned settings do not match, please contact the Platform team: LOD-SF-PLT-IAS

    12. When we access the Report Center page, we can see the integration between SF and SAC. In the example below, we can see the SAC integration and the SAPSFSFREP and SAPSFSFLMS connections:

    13. Then the request is redirected to the authentication server of SAC, below we can see the authentication server URL:

    14. And it will redirect the access to IAS, we must check if the SAC URL is correctly set in “Issuer”:

    15. We can cross check this information in IAS (IAS > Applications > SF Analytics > SAML 2.0 Configuration). This “Name” should match with the “Issuer” found in the SAML tracer. If this is not matching, we will have the login issue*:

(Message to the Support Team: the URL from step 15 must match with the "providerName" found in CIC).

    16. In the next call, we can see the "NameID" of the logged in user:

    17. This "NameID" must match with Per Person UUID of the user in SuccessFactors:

    18. It also must match with the "Custom Attribute" of the user in IAS > Users & Authorizations > User Management:

NOTE: in the SAML call, SuccessFactors and IAS this ID must be in UPPERCASE with 32 alphanumeric characters.

3508788 - How to set SAML tracer extension in the browser for Story troubleshooting

3508799 - How to collect SAML traces for Story troubleshooting

2912865 - [Main KBA] Unable to access Story reports - People Analytics

KBA , LOD-SF-ANA-SAC , Stories in People Analytics , How To