
Issue with Guest User Provisioning to SAP IAS

Ari2
Discoverer
0 Likes
610

Dear SAP Support Team,

We are experiencing an issue where guest users are not being provisioned to SAP Identity Authentication Service (IAS). The interface between Microsoft Azure and SAP IAS provisions all regular employees at 15-minute intervals; however, it does not provision external users, who are registered as guest users in Azure.

This limitation prevents us from managing guest user permissions within SAP IAS. While guest users can log in to applications such as the Build Workzone, we are required to manually assign their permissions directly on the SAP Business Technology Platform (BTP).

Additionally, these guest users appear on the BTP in a cryptic format as so-called shadow users. Instead of the standard user IDs, they are represented with an encrypted form. A screenshot from SAP BTP illustrating this issue is attached below.

Screenshot from SAP BTP (attached image: Ari2_0-1731613739862.png)

We kindly request your assistance in resolving this issue to ensure that guest users are properly provisioned to SAP IAS and their permissions can be centrally managed.

Thank you in advance for your support.

Accepted Solutions (0)

Answers (2)

dyaryura
Contributor
0 Likes

Hi Ari

There's no specific attribute for such "guest" users, or I should say "the users that do not exist in IAS".

Your specific issue seems to be with the Subject Name Identifier or NameID attribute. I guess your BTP applications are using email from the "identity store". This works only if you have your users created in IAS. If you don't want all your users in IAS you can work with Identity Federation enabled, and then you can pick to use an Entra attribute instead of all attributes from IAS. You can even keep both, using Entra as a fallback.

This scenario of not having the guests created in IAS might work for your scenario, but in general SAP is going to an approach where you'll need the users created anyway. This might not be needed now, or maybe not mandatory for your scenario, but it seems that long term this is SAP's approach, since more and more applications require IAS user existence.

If you want to create your guests in IAS I'd suggest using an IPS provisioning job; you can filter your guest users from Entra based on some attribute and provision them to IAS using specific attributes based on IPS transformation. This uses the standard SCIM protocol, so as long as you find the proper Graph API filter it should be straightforward.

Once you have your internal plus guest users in IAS you can work with IAS attributes as you have in the screenshot.

As I said, this might not be mandatory at this point for your scenario, and you might also be able to work with Identity Federation and pass Entra attributes to the BTP application if needed.


dyaryura
Contributor
0 Likes

Hi Ari

If you have enabled "create shadow users during logon" for the IDP named "IAS", I guess that what you see there on those "weird" users is just the automatic creation happening once a guest logs in for the first time. The username might come from the "sub" or some of the claims from OpenID that have such a format. The emails "xxxx@user.from.sap.custom.cf" are created when BTP is not able to resolve the mail attribute from the IDP.

If you have configured the IDP named "IAS" with the standard option "establish trust" I'd have a look at the application created in IAS named "SAP BTP Subaccount xxxxx" and check the attribute mappings to make sure the attributes you're using exist for the Guest users.
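The two replies above describe one pipeline: an IPS provisioning job reads Entra users through a Graph API filter, transforms the guests into SCIM user records for IAS, and the BTP side then needs a resolvable mail attribute so the shadow user does not end up with a placeholder address. The script below is an added example, not SAP IPS, IAS or BTP code, that emulates those steps in plain Python on a constructed Graph response. The Graph `userType eq 'Guest'` filter, the `#EXT#` form of guest principal names and the SCIM 2.0 User schema URN are real; the sample users, GUIDs and domains are made up, and the helper names (`select_users`, `to_scim_user`, `provision_guests`) are this example's own.

```python
"""Emulate an IPS-style job: filter Entra guests and map them to SCIM.

Added example, not SAP IPS/IAS/BTP code. Reads users from a constructed
Microsoft Graph /users response, keeps only guests with the Graph filter
userType eq 'Guest', and turns each into a SCIM 2.0 User resource with the
attributes IAS needs. Guests lacking a mail attribute are reported, since a
missing mail on the IdP side is what yields placeholder addresses on BTP.
"""
import re

# Constructed Microsoft Graph /users sample; GUIDs and domains are made up.
GRAPH_USERS = [
    {
        "id": "11111111-1111-1111-1111-111111111111",
        "userPrincipalName": "alice@corp.example",
        "mail": "alice@corp.example",
        "givenName": "Alice",
        "surname": "Adams",
        "userType": "Member",
    },
    {
        "id": "22222222-2222-2222-2222-222222222222",
        # Guest UPNs carry the #EXT# form; passed through unchanged this is
        # the kind of cryptic user name the question describes.
        "userPrincipalName": "bob_partner.example#EXT#@corp.onmicrosoft.com",
        "mail": "bob@partner.example",
        "givenName": "Bob",
        "surname": "Baker",
        "userType": "Guest",
    },
    {
        "id": "33333333-3333-3333-3333-333333333333",
        "userPrincipalName": "carol_vendor.example#EXT#@corp.onmicrosoft.com",
        "mail": None,  # invited guest that never got a mail attribute
        "givenName": "Carol",
        "surname": "Cho",
        "userType": "Guest",
    },
]

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# The Graph $filter an IPS source system would use to pick out guests.
GUEST_FILTER = "userType eq 'Guest'"


def parse_eq_filter(expr):
    """Parse a single-clause OData filter of the form  attr eq 'value'."""
    match = re.fullmatch(r"\s*(\w+)\s+eq\s+'([^']*)'\s*", expr)
    if not match:
        raise ValueError(f"unsupported filter: {expr!r}")
    return match.group(1), match.group(2)


def select_users(users, filter_expr=GUEST_FILTER):
    """Return the users matching the filter, as Graph would for $filter."""
    attr, value = parse_eq_filter(filter_expr)
    return [u for u in users if u.get(attr) == value]


def to_scim_user(user):
    """Map one Graph user to a SCIM 2.0 User resource for IAS.

    userName comes from mail when present, so the guest gets a readable
    login name instead of the #EXT# principal name; externalId keeps the
    Graph object id so later runs correlate the same identity.
    """
    mail = user.get("mail")
    scim = {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": user["id"],
        "userName": mail or user["userPrincipalName"],
        "name": {
            "givenName": user.get("givenName", ""),
            "familyName": user.get("surname", ""),
        },
        "active": True,
    }
    if mail:
        scim["emails"] = [{"value": mail, "primary": True}]
    return scim


def provision_guests(users):
    """Build SCIM payloads for all guests and report those lacking a mail.

    Returns (payloads, missing_mail); missing_mail lists the principal names
    an admin must fix in Entra before the IAS record resolves cleanly.
    """
    payloads, missing_mail = [], []
    for user in select_users(users):
        if not user.get("mail"):
            missing_mail.append(user["userPrincipalName"])
        payloads.append(to_scim_user(user))
    return payloads, missing_mail


if __name__ == "__main__":
    payloads, missing = provision_guests(GRAPH_USERS)
    for payload in payloads:
        print(payload["userName"], "->", payload["externalId"])
    print("guests without mail:", missing)
```

Running it shows the guest with a mail attribute mapped to a readable userName, while the guest without one is provisioned under the `#EXT#` principal name and listed for follow-up; that list is the check to run before relying on mail-based attribute mappings in the "SAP BTP Subaccount" application in IAS.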

Ari2
Discoverer
0 Likes

Where can I see which attribute is for the guest users?

We have the following attributes:

(attached image: Ari2_0-1756720216414.png)

Could I potentially work around the issue by enabling the option “Allow users stored in Identity Authentication…”?

In other words: If I manually create the external (public) user in IAS and assign the appropriate group-based permissions, would that user then be able to log in and carry out the activities defined in those IAS group permissions?

Or am I misunderstanding the purpose of this functionality?

(attached image: Ari2_0-1756720523762.png)