3714402 - SSO user can log in to the SuccessFactors BizX system via SSO even when the user does not exist in IAS.

Symptom

A user is created and maintained in the SuccessFactors BizX staging system, but the same user is not synchronized to the IAS tenant (i.e user does not exist in IAS). However, the user is still able to successfully log in to the SuccessFactors BizX staging system via SSO.

Environment

SAP SuccessFactors HCM Suite

Cause

Identity Federation settings. By default, the Use Identity Authentication user store option is disabled.

Resolution

When an application uses a corporate identity provider for authentication and the Use Identity Authentication user store option is disabled, the user attributes, NameID attribute, and default attribute configurations maintained in the SAP Cloud Identity Services administration console are not evaluated.
In this scenario, Identity Authentication simply forwards to the application the same attributes received from the corporate identity provider.
If you want to restrict access to SuccessFactors only to users who exist in IAS, please enable the “Use Identity Authentication user store” and “User Access” options in the Identity Federation configuration.
Once enabled, only users present in IAS will be allowed to authenticate and access SuccessFactors via SSO.

Keywords

SSO login, SuccessFactors SSO, BizX SSO, IAS user not found, IAS user does not exist, user not synchronized to IAS, IAS staging, BizX staging, corporate identity provider, external IdP, identity federation, Use Identity Authentication user store, User Access option, IAS user store disabled, SAML assertion, NameID attribute, user provisioning, SF BizX login without IAS user, SAP Cloud Identity Services, Identity Authentication Service, SAP IAS authentication, restrict SSO access, SuccessFactors authentication issue , KBA , LOD-SF-PLT-IAS , Identity Authentication Services (IAS) With BizX , How To

Product

SAP SuccessFactors HCM Core 2511