Symptom
- In SAP SuccessFactors, users authenticated only against IAS are unable to access Joule; the message 'login.microsoftonline.com refused to connect' is displayed.
- Users being authenticated via Corporate IdP (IAS acting as proxy) do not encounter this issue.
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
Environment
- SAP SuccessFactors HCM Suite
- Joule
Reproducing the Issue
- Log in as a password user
- Click on the Joule icon at the top right of the page.
- Observe the error message: 'login.microsoftonline.com refused to connect'.
Cause
Although these same password users can access the SF instance, the system runs a second validation between Joule and IAS. In other words, a user can access SF without having a Joule account, so Joule access is verified separately from SF, according to the settings in IAS for Joule access.
The issue arises for users using the option 'Allow Identity Authentication Users Log On > Allow users stored in Identity Authentication service to log on' in the SuccessFactors application in IAS. In this scenario, Joule authenticates its users directly through a third-party IdP, which doesn't recognize SF password users authenticated at the IAS level.
Resolution
It is recommended to keep the same Conditional Authentication settings for both SuccessFactors and Joule applications in IAS.
For example: if the SuccessFactors application is set to use Identity Authentication (IAS) as the Default Identity Provider (IDP), the Default IDP of Joule must also be adjusted to match.
Note: If the same Joule instance is intended to be used across multiple applications (such as SuccessFactors and S/4), those applications must have identical Conditional Authentication settings.
The Joule application does not support the setting 'Allow Identity Authentication Users Log On > Allow users stored in Identity Authentication service to log on'.
To correctly validate password users for Joule access and SuccessFactors, you have 2 options:
- Contact your third-party IDP to understand how to create conditional authentication rules for some users to be validated with a password from their side.
- At the IDP level, adjust the authentication method to IAS and use Authentication Rules to define the users' login method:
  - Modify the Default Authenticating Identity Provider to IAS (step 3 in the image below).
  - Use the Authentication Rules to select the users that will be validated through a third-party IDP and the ones that will be verified by IAS with a password (steps 4 and 5 in the images below).
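The mismatch described under Cause, and the second resolution option, can be checked with a small model. This is an added example, not SAP code and not an IAS API call: the `Rule`/`App` classes, field names, the `corporate-idp` placeholder, the sample users and the "first matching rule wins, otherwise the default IdP applies" evaluation are assumptions made for illustration.

```python
from dataclasses import dataclass, field

IAS = "IAS"              # IAS authenticates the user itself (password)
CORP = "corporate-idp"   # placeholder name for the third-party IdP

@dataclass
class Rule:
    idp: str
    email_domain: str = ""   # empty means "any"
    group: str = ""

    def matches(self, user):
        domain_ok = not self.email_domain or user["email"].endswith("@" + self.email_domain)
        group_ok = not self.group or self.group in user["groups"]
        return domain_ok and group_ok

@dataclass
class App:
    name: str
    default_idp: str
    rules: list = field(default_factory=list)
    ias_users_logon: bool = False         # 'Allow Identity Authentication Users Log On'
    honors_ias_users_logon: bool = True   # False for Joule, per this KBA

def resolve_idp(app, user):
    """Assumed evaluation: first matching rule wins, else the default IdP."""
    idp = next((r.idp for r in app.rules if r.matches(user)), app.default_idp)
    if idp != IAS and user["password_user"] and app.ias_users_logon and app.honors_ias_users_logon:
        return IAS   # password user takes the IAS logon offered by the option
    return idp

def mismatches(sf, joule, users):
    """Users whose logon is handled by different IdPs in the two applications."""
    return [(u["email"], resolve_idp(sf, u), resolve_idp(joule, u))
            for u in users if resolve_idp(sf, u) != resolve_idp(joule, u)]

# Constructed sample users
USERS = [
    {"email": "sso.user@example.com", "groups": ["corp-sso"], "password_user": False},
    {"email": "pw.user@example.org", "groups": [], "password_user": True},
]
# Failing setup from the Cause section
SF_BEFORE = App("SuccessFactors", CORP, ias_users_logon=True)
JOULE_BEFORE = App("Joule", CORP, honors_ias_users_logon=False)
# Second resolution option: default IdP is IAS, a rule sends SSO users to the third-party IdP
RULES = [Rule(idp=CORP, group="corp-sso")]
SF_AFTER = App("SuccessFactors", IAS, rules=RULES)
JOULE_AFTER = App("Joule", IAS, rules=RULES)

if __name__ == "__main__":
    print("before:", mismatches(SF_BEFORE, JOULE_BEFORE, USERS))
    print("after: ", mismatches(SF_AFTER, JOULE_AFTER, USERS))
```

A non-empty result lists the users who can log on to SuccessFactors but would be sent to an IdP that does not know them when they open Joule.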
See Also
- KBA 2954556 - How to implement Partial SSO after Identity Authentication IAS upgrade on SuccessFactors
- KBA 3544482 - Getting White/Blank Screen When Trying to Launch Joule in SuccessFactors
- KBA 3428564 - Joule authentication not working when browser '3rd-party cookie blocking policy' is enabled
- SAP Discovery Center Mission - Activate Joule for SAP SuccessFactors
Keywords
SuccessFactors, password users, access issue, third-party IDP, Conditional Authentication, IAS, Default Identity Provider, Authentication Rules, Joule, SSO, IDP, password, KBA, LOD-SF-PLT-DA, Joule in SuccessFactors, How To