How do setup IAS login page for Onboardee and SSO page for Employee authentication?

JaisonPJ1
Explorer

The client has set up IAS and SSO for SuccessFactors. The expected behavior is that employees will log in via SSO, while onboardees and other users will use the IAS login process.

Current Configuration
The default authenticating identity provider is set to IAS. Conditional authentication is configured so that employees logging in with an email address ending in the client domain (@xyz.com) are redirected to the SSO login page, while all other users are directed to the IAS login page, where they authenticate with a username and password.
Real-time sync of onboardees is enabled in IAS.

The client does not have an IP range for employees that could be used in the conditional rule.


Current behaviour

All users (employees and onboardees) are redirected to the IAS login. Once they enter a username or email address, employees are redirected to the SSO page and onboardees continue on the IAS login page.

Client Requirement

When an employee accesses the SuccessFactors (SF) URL, they should be redirected directly to the SSO login page, bypassing the IAS login page. However, when an onboardee clicks the login link, they should be directed to the IAS login page for authentication.
Has anyone configured or designed a solution for a similar requirement?

Additionally, is the client's requirement feasible?

@jaideepshetty @zebashah @lukemarson @sushilgupta857 @abdulbasit 
SAP Single Sign-On SAP SuccessFactors Onboarding Identity Provisioning #authentication

Accepted Solutions (0)

Answers (3)

dyaryura
Contributor

@JaisonPJ1 

Agree with @Soma5.

You don't need to configure an authentication rule for the SF scenario and onboarding users. Simply don't configure any rules and set "Default Authenticating Identity Provider" to your corporate IdP. In the section "Allow Identity Authentication users to log on" you should already have the checkbox set, and you'll see a URL. That URL is for IAS logon and bypasses the IdP config.

We have configured the ONB emails to use such link so the onboardees are redirected to IAS.

For the rest of the users the default will be the IdP, and since no rules are in place there will be no prompt for their email.

Diego

abdulbasit
SAP Mentor

If this is a strict requirement, and you can't find an alternative, what I would suggest is:

  • Create a separate subaccount for internal users.
  • Set up IAS to authenticate with the corporate IdP by default for this subaccount.
  • Deploy a simple Fiori/CAP application which redirects user to the SuccessFactors URL.

Internal users should then access the system through this link, instead of using the direct SuccessFactors URL.

IAS will automatically trigger SSO with the corporate IdP and they will be redirected to the SF URL. After this point, SF will redirect the authentication request to IAS and, since the user is already authenticated, it will redirect back to SF with a successful login.

Let me know if the method is not clear on your side.

It is a dirty solution, but if you don't have an alternative and this is something that needs to be implemented, it would be an option.

Soma5
Explorer

Hello JaisonPJ1!

My recommendation would be the following: (when the default identity provider is the customer IdP)

The onboardee receives the activation email from SuccessFactors. It is important that the IPS transformation for the target system contains the following code snippet:

{
    "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['targetUrl']",
    "constant": "https://xxxxxx.accounts.ondemand.com/saml2/idp/sso?sp=https://www.successfactors.eu/xxxxxx&idp=https...",
    "scope": "createEntity"
},

If you add this, then after registration the user will be redirected to the given URL. (The above URL is for the password users; when you set the corporate IdP as default you can enable this URL.)

Also, the activation email should contain this link so the users can log in through it if they want to log in to SF again (after they have filled in their data in the onboarding).

I hope this helps!

Best Regards,
Soma

JaisonPJ1
Explorer

Hi @dyaryura @Soma5 

Thank you for the solution. I was able to partially achieve the requirement. However, I’ve noticed two issues related to this.

Configuration added

1) Added the below code in the target system.

{
    "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['targetUrl']",
    "constant": "https://xxxxxxx.accounts.cloud.sap/saml2/idp/sso?sp=https://www.successfactors.com/xxxxxx&idp=https:...",
    "scope": "createEntity"
},


There are two issues I have noticed.

  • I’ve added the code you provided, but the account activation email is still displaying the Home page URL instead of the non-SSO URL configured in the code above.
  • When the onboardee clicks the account activation link, they are not prompted to set a password. Instead, they are redirected directly to the SuccessFactors home page, which prevents them from logging into the system later.

ONB account activation email template code

<h1 style="font-family: Arial, Helvetica, sans-serif;font-weight: bold;font-size: 20px;color: #555;margin-bottom: 24px">Dear ${user.firstName?html} ${user.lastName?html},</h1>

<p style="font-family: Arial, Helvetica, sans-serif;font-size: 14px;line-height: 18px">An account has been created for you. To activate your account for <#if user.target_url??><a href="${user.target_url}">${user.sp_name}</a><#else>${user.sp_name}</#if>, click the link below. You will be taken to a page where you will also set a password for your account.</p>

Do you think any changes are required in the email template or in the code?
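The two snippets above (Soma5's transformation entry and the one added in the follow-up) write an IAS IdP-initiated SSO URL into the SCIM targetUrl attribute. The added example below is not from the thread or from SAP: it builds that mapping with the sp/idp values query-encoded and checks a transformation fragment before it is saved in IPS, which catches defects such as the missing opening quote on "constant" in the follow-up post. Tenant host, SP name and IdP name are constructed placeholders.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders: replace with your IAS tenant host, the SuccessFactors
# SP name and the IdP name as they appear in your own IAS application settings.
IAS_HOST = "xxxxxx.accounts.ondemand.com"
SF_SP_NAME = "https://www.successfactors.eu/xxxxxx"
IAS_IDP_NAME = "https://xxxxxx.accounts.ondemand.com"

TARGET_PATH = "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['targetUrl']"


def build_idp_initiated_url(ias_host, sp, idp):
    """IAS IdP-initiated SSO URL with sp/idp percent-encoded as query values."""
    return f"https://{ias_host}/saml2/idp/sso?{urlencode({'sp': sp, 'idp': idp})}"


def build_target_url_mapping(url):
    """The IPS transformation entry that writes the URL into targetUrl on create."""
    return {"targetPath": TARGET_PATH, "constant": url, "scope": "createEntity"}


def check_transformation(text):
    """Return a list of problems with a JSON array of IPS mappings (empty = ok)."""
    try:
        mappings = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"not valid JSON: {e.msg} at line {e.lineno} column {e.colno}"]
    problems = []
    for m in mappings:
        if m.get("targetPath") != TARGET_PATH:
            continue  # only the targetUrl mapping is checked here
        parts = urlsplit(str(m.get("constant", "")))
        query = parse_qs(parts.query)
        if parts.scheme != "https":
            problems.append("targetUrl must be an https URL")
        if not parts.path.endswith("/saml2/idp/sso"):
            problems.append("targetUrl is not the IAS IdP-initiated SSO endpoint")
        for key in ("sp", "idp"):
            if key not in query:
                problems.append(f"targetUrl is missing the '{key}' query parameter")
        if m.get("scope") != "createEntity":
            problems.append("scope should be createEntity")
    return problems


def example_fragments():
    """Constructed inputs: a well-formed array and one with the missing quote."""
    good = json.dumps([build_target_url_mapping(
        build_idp_initiated_url(IAS_HOST, SF_SP_NAME, IAS_IDP_NAME))], indent=2)
    broken = ('[{"targetPath": "%s", "constant": https://%s/saml2/idp/sso?sp=x&idp=y",'
              ' "scope": "createEntity"}]') % (TARGET_PATH, IAS_HOST)
    return good, broken
```

The check takes the whole mappings array rather than a single entry with a trailing comma, so paste the complete array from the IPS target-system transformation.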

dyaryura
Contributor
Hi Jason

You can probably use two variables as Soma mentioned. I'm using just one. I have something like:

Welcome to... ...To activate your account click here ...a href="${user.activate_account_link}... ...once your account is activated you can login here: "https://xxxx.accounts.ondemand.com/saml2/idp/sso?sp=https://www.successfactors.com/XXXX&idp=https://...
Yogananda
Product and Topic Expert

@JaisonPJ1 @Soma5 @abdulbasit 

Yes, it's possible to skip displaying the IAS login page for users when multiple identity providers exist in your IAS (corporate identity provider).

User 1 (depending on whatever the user type X):  Display IDP Login Page 

User 2 (depending on whatever the User Type Y): Display IDP Login Page (3rd Party or IAS Login Page)

I haven't written a blog for this; maybe this month one with different examples will be prepared and published.

abdulbasit
SAP Mentor
I didn't get how IAS would be able to identify the user type (X or Y) without first obtaining the email ID on the login page.