Symptom
An error occurs when trying to access the Internal Career Site via SSO: "Identity provider cannot process the response due to wrong configuration. Please contact your system administrator."
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
Environment
- SAP SuccessFactors Recruiting Management
- SAP SuccessFactors Recruiting Marketing
Reproducing the Issue
- Sign in to SAP SuccessFactors successfully using SSO.
- Navigate to Home > Careers.
- The Internal Career Site SSO screen is displayed.
- Enter the user account information and click Continue.
- An error message appears: "Identity provider cannot process the response due to wrong configuration. Please contact your system administrator."
Cause
This error can occur during authentication with a third-party identity provider (such as Microsoft Entra ID or Google Accounts) when there is a domain mismatch in the configured URLs.
SAP Identity Authentication Service (IAS) supports two URL domains. To ensure successful authentication, the selected endpoint domain must be used consistently across all applications and identity providers. Mixing these domains can lead to authentication failures.
Supported URL domains:
- Option 1: https://<tenantId>.accounts.cloud.sap (common super domain)
- Option 2: https://<tenantId>.accounts.ondemand.com
Resolution
Ensure that all Service URLs, endpoints, and identity provider (IdP) configurations reference the same domain.
Troubleshooting - Review the SAML Trace Log
Capture the SAML trace log while attempting to sign in, then locate <saml2p:StatusMessage> in the trace log. This message typically indicates the root cause of the authentication failure.
Refer to the KBA 3092644 - How to collect Internal Career Site Powered by CSB SAML Logs - Recruiting Marketing for instructions on collecting SAML logs.
Sample Error
The following example indicates a domain mismatch between the ACS URLs in the SAML request and the configured settings:
- <saml2p:StatusMessage>Invalid request, ACS Url in request https://<tenantId>.accounts.ondemand.com/saml2/idp/acs/<tenantId>.accounts.ondemand.com doesn't match configured ACS Url https://<tenantId>.accounts.cloud.sap/saml2/idp/acs/<tenantId>.accounts.ondemand.com.</saml2p:StatusMessage>
How to Determine the URL Domain
Use the Single Sign-On (SSO) settings in SuccessFactors to identify the correct domain, then check each of the following configurations against it.
1. Review Single Sign-On (SSO) Settings
Navigate to Provisioning > Company Settings > Single Sign-On (SSO) Settings, and review the following Service URLs:
- Global Logout Service URL (Logout Request destination)
- Global Logout Service URL (Logout Response destination)
- Single Sign-On Redirect Service Location (To be provided by IDP)
Verify the domain part of the Service URLs. Ensure that the same domain is used consistently in identity provider (IdP) configurations.
Option 1: *.accounts.cloud.sap (common super domain)
- https://<tenantId>.accounts.cloud.sap/saml2/idp/slo/<tenantId>.accounts.ondemand.com
- https://<tenantId>.accounts.cloud.sap/saml2/idp/sso/<tenantId>.accounts.ondemand.com
Option 2: *.accounts.ondemand.com
- https://<tenantId>.accounts.ondemand.com/saml2/idp/slo/<tenantId>.accounts.ondemand.com
- https://<tenantId>.accounts.ondemand.com/saml2/idp/sso/<tenantId>.accounts.ondemand.com
2. Review RCM IdP Configuration
Navigate to Admin Center > Manage Service Provider Configuration for Identity Authentication service.
The Service URLs and Redirect URLs on this page will be automatically generated based on the Tenant Name. Ensure that the Tenant Name matches the domain used in the SSO Service URLs:
- Option 1: <tenantId>.accounts.cloud.sap (common super domain)
- Option 2: <tenantId>.accounts.ondemand.com
3. Review CSB IdP Configuration
Navigate to Manage Career Site Builder > Settings > IDP Configuration.
The Service URLs and Redirect URLs on this page will be automatically generated based on the Tenant Name. Ensure that the Tenant Name matches the domain used in the SSO Service URLs:
- Option 1: <tenantId>.accounts.cloud.sap (common super domain)
- Option 2: <tenantId>.accounts.ondemand.com
4. Review Third‑Party Identity Provider (IdP) Configuration
In the third‑party IdP, verify that all configured URLs reference the same domain, including:
- Assertion Consumer Service (ACS) URLs
- Service URLs / Redirect URLs for Login and Logout
Important: The Service URLs support two domains; however, the SAML issuer is always "https://<tenantId>.accounts.ondemand.com", regardless of which domain is used for the Service URLs.
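The following Python script is an added example, not part of the SAP KBA or any SAP tooling. It classifies each URL collected in steps 1 to 4 by the domain of its host and extracts the two ACS URLs from a StatusMessage worded like the one under Sample Error. The tenant ID "acme123" and all sample values are constructed.

```python
import re
from urllib.parse import urlsplit

# The two IAS URL domains listed under "Supported URL domains".
IAS_DOMAINS = ("accounts.cloud.sap", "accounts.ondemand.com")

# Wording of the StatusMessage shown under "Sample Error".
ACS_MSG = re.compile(r"ACS Url in request (?P<request>[^\s<]+) doesn't match "
                     r"configured ACS Url (?P<configured>[^\s<]+)")

def ias_domain(url):
    """Return the IAS domain used by the URL's host, or None if neither.

    Only the host is checked: the path of these endpoints ends in
    <tenantId>.accounts.ondemand.com for both options, so searching the
    whole URL for "ondemand.com" would misclassify Option 1 URLs.
    """
    host = (urlsplit(url).hostname or "").lower()
    return next((d for d in IAS_DOMAINS if host.endswith("." + d)), None)

def check_consistency(urls):
    """Return (consistent, {domain: [labels]}) for a {label: url} mapping."""
    groups = {}
    for label, url in urls.items():
        groups.setdefault(ias_domain(url), []).append(label)
    return len(groups) == 1 and None not in groups, groups

def parse_acs_mismatch(status_message):
    """Return (request_domain, configured_domain) from the message, or None."""
    m = ACS_MSG.search(status_message)
    return (ias_domain(m["request"]), ias_domain(m["configured"])) if m else None

# Constructed sample values: "acme123" is a made-up tenant ID.
T = "acme123"
SAMPLE_URLS = {
    "SSO redirect (Provisioning)": f"https://{T}.accounts.cloud.sap/saml2/idp/sso/{T}.accounts.ondemand.com",
    "Logout (Provisioning)": f"https://{T}.accounts.cloud.sap/saml2/idp/slo/{T}.accounts.ondemand.com",
    "ACS (third-party IdP)": f"https://{T}.accounts.ondemand.com/saml2/idp/acs/{T}.accounts.ondemand.com",
}
SAMPLE_MESSAGE = (
    "<saml2p:StatusMessage>Invalid request, ACS Url in request "
    f"https://{T}.accounts.ondemand.com/saml2/idp/acs/{T}.accounts.ondemand.com doesn't match "
    f"configured ACS Url https://{T}.accounts.cloud.sap/saml2/idp/acs/{T}.accounts.ondemand.com."
    "</saml2p:StatusMessage>"
)

if __name__ == "__main__":
    print(check_consistency(SAMPLE_URLS))
    print(parse_acs_mismatch(SAMPLE_MESSAGE))
```

A result of None for any URL means its host uses neither of the two domains and should be reviewed by hand.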
Keywords
RCM, RMK, IAS, CSB, Career Site, Internal, SSO, Single-Sign-On, Error, IDP, Identity Provider, SAML, Authentication, common super domain, Sign In, Login, KBA, LOD-SF-RMK-ICS, Internal Career Site Builder (CSB, IAS, etc ...), Problem
SAP Knowledge Base Article - Public