Symptom
- SSO for SuccessFactors.
- Identity Authentication acts as a proxy that delegates authentication to OKTA as the corporate identity provider.
- In the SP-initiated scenario, after the redirect from OKTA to IAS, the following error occurs:
- Identity provider cannot process the response due to wrong configuration. Please contact your system administrator.
- The following errors are visible in the Troubleshooting log:
- "Failed to forward to error page. Cannot forward after response has been committed Correlation ID: XXXXXX-XXX-XXXX-XXXXXXXXXX "
- "Failed to send response. response parameter is null. Correlation ID: XXXXXX-XXX-XXXX-XXXXXXXXXX "
- "Failed to forward to error page. Cannot forward after response has been committed Correlation ID: XXXXXX-XXX-XXXX-XXXXXXXXXX "
- "Failed to create SAML error response Configuration for trusted SP [null] does not exist. Correlation ID: XXXXXX-XXX-XXXX-XXXXXXXXXX "
- "Failed to read error response. Invalid SAML response: null Correlation ID: "XXXXXX-XXX-XXXX-XXXXXXXXXX "
- In the IAS admin console, the "Assertion Consumer Service Endpoints" value under "SAML 2.0 Configuration" in the tenant settings is "https://<tenantid>.accounts.ondemand.com/saml2/idp/acs/<tenantid>.accounts.ondemand.com", and the "Single Sign On URL" in OKTA has the same value.
- The SAML trace shows the destination below, where the issuer is the SP:
- Destination="https://<tenantid>.accounts.cloud.sap/saml2/idp/sso/<tenantid>.accounts.ondemand.com"
- <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://www.successfactors.com/<mycompanycode></saml2:Issuer>
Environment
- SAP Cloud Identity Services - Identity Authentication (IAS)
- OKTA Identity Provider
Product
SAP Cloud Identity Services all versions; SAP SuccessFactors Platform all versions
Keywords
IAS, OKTA, Common Super Domain, Identity Authentication, error, fail, Requestable SSO URLs, KBA, BC-IAM-IDS, Identity Authentication Service, Problem
About this page
This is a preview of a SAP Knowledge Base Article. The full version is available on SAP for Me (login required).