
Identity lifecycle management with SAP BTP and Microsoft Entra - User not able to authenticate?

Naga19881
Explorer
0 Likes
584

@MartinRaepple  @RegineSchimmer 

I would like to thank Martin Raepple | Regine Schimmer for their wonderful session on XP202 | Identity lifecycle management with SAP BTP and Microsoft Entra.

Hi All, I was trying to replicate this issue and was able to successfully replicate it to some extent. Currently I have created a new Corporate IDP (Microsoft Entra) in the IAS system and the scenario works perfectly fine if the Identity Federation (User Store | User Access) is disabled. However, First name | Last name are not getting populated from the corporate IDP in the BTP subaccount user store, and also the user name is populated with the subject information from the ID token. Please let me know how we can have the first name and last name populated? Ideally, what info has to be populated in the User ID information in BTP?

Also, ideally do we have to enable the identity federation option (only the "Use Identity Authentication user store" option) or do we need to disable it?

Can you please help with your comments pls!!


Thanks and Regards,

Maram Nagarjuna Srivatsa

Accepted Solutions (1)


dyaryura
Contributor

Hi

You need to configure the attributes in IAS for the application (look for the app named "SAP BTP Subaccount xxxxx"). For example, if you're using SAML and the standard Entra ID names, in IAS it should look like below:

[screenshot: attribute configuration of the "SAP BTP Subaccount" application in IAS]

The User Name is taken from the Subject name identifier:

[screenshot: Subject Name Identifier setting in IAS]

If you're using SAML you can use the "SAML Tracer" tool. It's available as an extension for Chrome/Mozilla, for example. You can also check in IAS (Monitoring & Reporting -> Troubleshooting Logs) the OIDC tokens and the details of the attributes being sent.

Using Federation or not depends on what you want to achieve. For some integrations it's recommended or might be required (i.e. for SF, depending on your Entra ID attributes, it might be required to map the user to an SF Login ID if you're not sending it from your IDP). In general, federation will help you to enrich and play around with attributes from your IDP + attributes from IAS (if users exist in IAS).

Be aware that SAP is changing some of this logic these days, so you might notice strange behavior in the attribute mappings from time to time.

Hope it helps.

Diego


Naga19881
Explorer
0 Likes

@dyaryura Thank you for your comments!! I think I found the solution: I leveraged the OpenID Connect protocol for this instead of SAML. However, as you mentioned, the logic behind the scenes would be the same. The issue in my case was that I missed adding the scope value "profile" in the OpenID Connect configuration while defining the corporate IdP in IAS. Initially, openid was the only scope, and later on I added profile to it as well.
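The fix above (adding the "profile" scope so Entra releases the name claims IAS maps to first/last name) can be checked offline against an ID token copied from the IAS troubleshooting log. The script below is an added example, not part of the original thread or of SAP's or Microsoft's tooling; the claim-to-attribute mapping and the constructed sample tokens are assumptions for the demo.

```python
import base64
import json

# Claims an OpenID provider releases per requested scope (OpenID Connect Core 1.0, section 5.4).
# With "openid" alone the token carries only the subject identifier.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "given_name", "family_name", "preferred_username"},
    "email": {"email"},
}

# Assumed mapping from ID-token claims to the IAS user attributes that the
# "SAP BTP Subaccount ..." application consumes (names are an assumption for this demo).
REQUIRED_CLAIMS = {"given_name": "first_name", "family_name": "last_name", "email": "mail"}


def decode_payload(id_token: str) -> dict:
    """Return the claims of a compact JWT without verifying it (diagnostic use on logged tokens only)."""
    segment = id_token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore the base64url padding that JWTs strip
    return json.loads(base64.urlsafe_b64decode(segment))


def missing_attributes(id_token: str) -> dict:
    """Map each IAS attribute that would stay empty to the scope that makes the IdP release its claim."""
    claims = decode_payload(id_token)
    missing = {}
    for claim, attribute in REQUIRED_CLAIMS.items():
        if claim not in claims:
            missing[attribute] = next(s for s, c in SCOPE_CLAIMS.items() if claim in c)
    return missing


def build_token(claims: dict) -> str:
    """Constructed, unsigned token for the demo; real tokens in the IAS log are signed by Entra."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample: token issued for scope "openid" only, as in the original misconfiguration.
OPENID_ONLY = build_token({"sub": "sub-constructed-0001", "iss": "https://login.example/v2.0"})

# Constructed sample: token issued for scopes "openid profile" after the fix.
WITH_PROFILE = build_token({"sub": "sub-constructed-0001", "given_name": "Jane",
                            "family_name": "Doe", "name": "Jane Doe"})

if __name__ == "__main__":
    print("openid only   ->", missing_attributes(OPENID_ONLY))
    print("openid profile->", missing_attributes(WITH_PROFILE))
```

The first call reports first_name and last_name as unpopulated until the "profile" scope is requested, and mail until "email" is; the second only reports mail.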

Answers (1)


Naga19881
Explorer
0 Likes

[screenshot]

Attaching a screenshot for reference.