Symptom
Candidates' accounts are successfully activated in IAS, they receive the reset password email from IAS, and they are able to configure a password. However, when they attempt to log in to SuccessFactors with the same credentials, the following error is shown: "Invalid Login - Your account may be locked, inactive, or not included in the default user group. If your organization uses SSO, it may not be working correctly".
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
Environment
SAP SuccessFactors Onboarding
Cause
Onboardee Identity Authentication is not enabled in Provisioning, and the Real Time Sync job is not running properly or is failing with errors before it completes (Execution Manager Dashboard > Pre Delivered).
Resolution
Onboardee Identity Authentication:
- This setting (in Provisioning > Company Settings > Onboardee Identity Authentication) controls whether the system uses IAS for onboardee authentication.
- If disabled, the system expects the login method to be explicitly set to "SSO" for users to authenticate via IAS.
Real-Time Sync:
- This feature ensures that new hires (onboardees) are synced immediately to IAS with the necessary login details.
- When it's enabled and correctly configured, it can create users in IAS with login method left as "blank" (SuccessFactors > Manage Login Accounts > Actions > Edit Details > Login Method is not selected).
- In this case, a blank login method will default to IAS, and users can log in successfully.
Issue Root Cause:
- Onboardee Identity Authentication is not enabled in Provisioning, and at the same time real-time sync was not properly configured, was presenting errors, or was not completing.
- Because of that, users created during that time have a blank login method but are not able to log in, which leads to the "Invalid Login" error.
- In this setup, the correct behavior would be to have the login method set to "SSO" for the affected users.
How to fix it:
- Once any real-time sync issues are fixed, new users will start syncing correctly, and a blank login method will work because the system defaults to IAS.
- However, for users created before the fix, the only way to correct the issue is to manually change the login method to "SSO" using Manage Login Accounts.
It is highly recommended to also review the related knowledge about IAS configuration and the Manage Real Time Sync guide, posted in the See Also section.
See Also
Keywords
error, Invalid, Login, Your account may be locked, inactive, or not included in the default user group. If your organization uses SSO, it may not be working correctly, SSO, inactive, locked, user, candidate, IAS, unable, access, system, successfactors, reset, password, KBA, LOD-SF-OBX-IAS, IAS User Authentication, Problem
SAP Knowledge Base Article - Public