2320766

This article covers Data model changes required for implementing Partial Organization Single Sign On.Prerequisites are:

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

SAP SuccessFactors HXM Suite

Note: Steps 2 and 3 are interchangeable. As soon as Step 1 has been completed you will be able to setup the loginMethod even if Partial Organization SSO is not yet turned on.

We have created a new standard element with id of “loginMethod”. This new field is needed only when "Partial Organization SSO" is enabled. It is not needed for any SSO customers that do not enable this feature.This field will define whether a user comes in through SSO or not. The standard element will have three allowable valuesSSO: A value of “SSO” means the user must login through the SSO method configured for this customer.PWD: A value “PWD” means the user must login through the standard username/password login pages.Null (no value specified): No value specified means the user must login through SSO

This "loginMethod" standard element must be enabled in the Succession Data Model. An example XML snippet appears below. If this field is not enabled in the Succession Data Model for the instance, then all users must login through SSO. This standard element will not be required at user import / user account creation time.  If a value is not specified during user import, then the user will default to SSO login.

Standard Element DeclarationAdd the following as a standard-element in the Succession Data Model      Login Method

Edits to the "sysAllUserDirectorySetting" Edit Template Add a reference to this standard element in the "sysAllUserDirectorySetting" Edit Template that appears in the "sysUserDirectorySetting" View Template. This is to make the field visible in the Employee Export and/or Manage Users.An example appears below:    User Directory Setting    User Directory Setting          User Directory Setting(Entire Ordered List)      User Directory Setting(Entire Ordered List                  ....                    .....   

Enable the "Partial Organization SSO" feature in the provisioning tool under Single Sign-On (SSO) Settings.

Once the data model has been configured per the instructions above, you can set the loginMethod for the user by setting values in the "loginMethod" field.  This field can be edited either through the Employee Import, or other means (like Admin Tools to edit user information).  You could even enable the value for editing in the Employee Profiles if desired.

Note: Introduced on 2H Release (item PLA-25355) - now you can update loginMethod via Manage Login Accounts page.

If setting the PWD value on the employee data file, add a column titled in rows 1 and 2 "LOGIN_METHOD".  You can also download the employee import template from Admin tools as the new column should also be displayed there.Or finally you can export the user data file and work with this file to set the values as required for all users in the LOGIN_METHOD columnIt is expected that most customers will set this value through the Employee Import file, most likely as an automated FTP process.

For more details on the system behaviour of Partial SSO, refer to KBA 2088837 - [SSO] Partial Organization Single Sign-On - BizX Platform

Data model, Partial Single Sign On, configurations, provisioning, xml, login method, PWD, SSO, partner, consultant , KBA , LOD-SF-PLT , Platform Foundational Capabilities , LOD-SF-PLT-SAM , SAML SSO First Time Setup , Problem