
SSO and distinguishedname attribute

kai-raschke
Explorer
0 Kudos

Hi,

does anyone know how to correctly set the distinguishedname attribute using SAML?

It's vaguely explained in an onboarding document here: https://enable-now.sap.com/ic/wa/ext/~tag/published/slide/SL_8FE43874848BC18D/51CEB6F96A753D8C.pdf

The concept I was hoping for was that on creation of a new user through an SSO login, the user gets automatically pushed to the right OU using the attribute value.

I tried different values like this:

distinguishedname:OU=org,OU=root

My understanding was that the user will be created under root->org

But the user still gets imported into "Imported User".

Has anyone already done this and has an example of what Enable Now is expecting as the attribute value?

Regards

Kai

EDIT:
I know this other thread, which asks a similar question, but Dirk's answer is also vague about the content of the attribute

https://answers.sap.com/questions/13884074/building-org-units-via-sso.html

Anton_Mavrin
Product and Topic Expert

First, the attribute mapping must be done properly in the SAP Enable Now backend, so that your SEN Cloud system will expect this attribute and process it correctly. Customers do not have access to the backend, so this must be done by the SAP Cloud OPS team (KM-SEN-MGR). Simply state in the incident that you are going to send the additional attribute and provide its full name.

The syntax of the distinguishedname value is the same as in Active Directory. It's a standard attribute of the user record in AD.

Example:

CN=Victor Ashiedu,OU=Writers,DC=itechguides,DC=local
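
An added example, not part of the original thread and not SAP's code: a small Python parser that splits an Active Directory style distinguishedName, such as the one in the answer above, into its components and lists the OU levels from the top down. It only shows how the string decomposes; how SAP Enable Now maps those OUs is not stated in this thread, and all function names are hypothetical.

```python
import re

# Constructed sample: the DN quoted in the answer above.
SAMPLE_DN = "CN=Victor Ashiedu,OU=Writers,DC=itechguides,DC=local"
ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*")


def split_rdns(dn):
    """Split on commas that are not backslash-escaped (RFC 4514)."""
    parts = [""]
    for tok in re.findall(r"\\.|.", dn, re.S):  # escape pairs stay together
        if tok == ",":
            parts.append("")
        else:
            parts[-1] += tok
    return parts


def unescape(value):
    """Undo RFC 4514 escapes (hex pairs are UTF-8 bytes)."""
    raw = re.sub(rb"\\([0-9A-Fa-f]{2}|.)",
                 lambda m: bytes([int(m[1], 16)]) if len(m[1]) == 2 else m[1],
                 value.encode("utf-8"), flags=re.S)
    return raw.decode("utf-8")


def parse_dn(dn):
    """Return [(TYPE, value), ...] in DN order, most specific component first.
    Multi-valued RDNs joined with '+' are not handled."""
    rdns = []
    for part in split_rdns(dn):
        attr, sep, value = part.lstrip().partition("=")
        if not sep or not value or not ATTR_TYPE.fullmatch(attr.strip()):
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), unescape(value)))
    return rdns


def ou_path(dn):
    """OU values ordered from the top-level OU down to the entry's own OU."""
    return [value for kind, value in reversed(parse_dn(dn)) if kind == "OU"]
```

For the sample DN, `ou_path` returns a single level, `Writers`; a DN with several `OU=` components is read right to left, so the rightmost OU is the top of the hierarchy.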
kai-raschke
Explorer
0 Kudos

Thank you for the hint, Anton. This is the information I was looking for.

nedapetrova
Explorer
0 Kudos

Hi Anton,

Thanks for this info! I have the same question as Kai and asked first here without much success: https://answers.sap.com/questions/13884074/building-org-units-via-sso.html . Eventually we started an incident (KM-SEN-MGR) and were instructed to send from the AD the SAML attribute "user.onpremisesdistinguishedname" and call it distinguishedname. However, in our AD the OU data is available under the attribute "department" and not under "user.onpremisesdistinguishedname". And we are struggling at the moment to get an answer on how to include this attribute from the AD assertion into the assertion issued by the IAS. Do you have any directions for that?

Hi Kai,

Have you managed to pass the OU data to SAP Enable Now already? If yes, it will be very helpful if you could share the steps you've taken.

Thank you!