
SAC - Changing the User Attributes 'USER ID' to 'Custom SAML Mapping' - What's the impact?


Dear SAC Community,

I'm facing a big question with potential impact to plenty of SAC users (thousands).

I would like to change the User Attributes (Security area), the famous step 3 in SAC Administration > Security, from the current value, which is USER ID (see screenshot), to "Custom SAML Mapping" (we are using our SAML/SSO implementation).

Why this change?

Simply because we have one user that has a different USER ID than the rest of us...

NameID in SAC (USER ID) is case sensitive. The NameID Mapping must match the values in SAML IdP exactly. For example, if the User ID returned by the SAML IdP is 'BOND007s' and the NameID used in SAP Analytics Cloud is 'BOND007S', the mapping will fail => user cannot authenticate.

The field in SAC responsible for this is SAML_USER_MAPPING (not visible when using the USER ID - setup in SAC).

Solution

It seems that the solution is to use the option Custom SAML Mapping. Not difficult...could be done, but...

Problems I have if I change it:

  1. I'm not sure of the impact this could have on the system and the actual users deployed on SAC --- any idea?
  2. Is there any specific setup to be done after changing this setting?
  3. Do you have any experience with this kind of situation?

Any guidance, help, ideas or tips are highly appreciated!

Best Regards

Alex

Accepted Solutions (1)


mfoeken
Active Contributor

Hi Alex,

Depending on your IdP, I suggest you look at the option to convert the userid in the SAML assertion to uppercase. In this way you always have a match. You can configure such a transformation for the different attributes.

Kind regards,

Martijn van Foeken | Interdobs

0 Kudos
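Added example, not part of the thread and not SAP or PingFederate code: a small Python audit that models the exact, case-sensitive NameID match described in the question and shows the effect of the uppercase transformation suggested in the answer. The sample assertion, the `SAC_USER_IDS` list and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion trimmed to its Subject (not from the thread).
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Subject><saml:NameID>BOND007s</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
)
SAC_USER_IDS = ["BOND007S", "SMITH01"]  # constructed stand-in for a SAC user export


def extract_name_id(assertion_xml):
    """Return the Subject NameID exactly as sent (no trimming, no case folding).

    Diagnostic only: run it on assertions you captured yourself; it does not
    verify the signature or any conditions.
    """
    node = ET.fromstring(assertion_xml).find("./saml:Subject/saml:NameID", NS)
    return None if node is None else (node.text or "")


def classify(name_id, sac_user_ids):
    """Compare exactly first, then report IDs that differ only by case."""
    if name_id in sac_user_ids:
        return ("exact", name_id)
    near = sorted(u for u in sac_user_ids if u.upper() == name_id.upper())
    return ("case_mismatch", near[0]) if near else ("unknown", None)


def audit(name_ids, sac_user_ids, transform=None):
    """Classify every NameID, optionally after an IdP-side transform such as str.upper."""
    report = {}
    for raw in name_ids:
        sent = transform(raw) if transform else raw
        report[raw] = classify(sent, sac_user_ids)
    return report


if __name__ == "__main__":
    name_id = extract_name_id(SAMPLE_ASSERTION)
    print(audit([name_id], SAC_USER_IDS))             # as the IdP sends it today
    print(audit([name_id], SAC_USER_IDS, str.upper))  # with the uppercase transform
```

An uppercase transform only produces a match for users whose SAC-side ID is itself all uppercase; a `case_mismatch` that remains after the transform points at the value stored on the SAC side.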

Hi Martijn

Thanks for your suggestion!

I'll see with the IdP admin if they have this possibility. I'm not sure if they could do this, but I'll try.

For me this is the logical path too, but I have seen the SAP documentation on Custom SAML Mapping and I thought that this was the only way.

I'll let you know if this proposition works in my situation.

Regards

Alex

Answers (2)


anegoescu
Explorer

Hello all,

As a solution here:

Even though we did what was necessary to make the UID and the SAML_SUBJECT uppercase (the assertion was also working correctly => uppercase), SAC refused to let the user in.

Same symptoms as before: user does not exist in your system.

Solution: we contacted SAP Support; they were able to check with the SAC operations teams and delete the user cache on the database (SAC side).

After this operation, the user was able to login without any problem.

Best Regards

Alex

mfoeken
Active Contributor
0 Kudos

Hi Alex,

What IdP are you using?

Kind regards,

Martijn van Foeken | Interdobs

0 Kudos

Hi Martijn

Sorry for the late answer here! 🙂

We are using PingFederate.

Regarding your idea to convert the UID and SAML_SUBJECT to uppercase, we have also implemented it, but the user still cannot connect.

Here is the configuration - IdP:

I have also deleted the user and I have recreated his profile.

Same issue every time. SAC doesn't recognize the profile.

What I can see in the log files is that the user appears with the old values (mixed-case username).

I have no idea where this problem is coming from.

Thanks

Alex