
SAC SSO Dynamic User Creation

tskwin
Participant

Hello experts,

 I have configured SSO to SAC (IAS as Proxy and Azure as IdP). In SAC, I enabled ‘Dynamic User Creation’ and set the "User Attribute" = email. When I try to verify my user in SAC under Step 4 against Azure AD, I can log in in SAC, but it seems that the user attributes are not being transmitted. It looks like this, see screenshot.

screen.png

Also, I don’t see the "SAML USER MAPPING" column under Users in SAC.

Why are the user attributes not being transmitted, and how can I enable the "SAML USER MAPPING" column?

Thank you very much !!!

Best Regards


Accepted Solutions (1)

Matthew_Shaw
Product and Topic Expert

The SAML mapping column is only shown when you are mapping on a 'custom' value. When mapping on userid or email, then there is no SAML mapping column.


Read my blog here about the problems of using SAML SSO mapped on 'email' with dynamic user creation. It's 'ok', but you don't get the userID of your choice. https://community.sap.com/t5/technology-blogs-by-sap/sap-datasphere-security-amp-data-access-control... (the blog is focused on Datasphere but has a section on userIDs for SAP Analytics Cloud)

To get the USERID of your choice you need to use the SCIM v2 API, which is typically used with user provisioning tools (like SAP Identity Provisioning Services), or just code directly against the API with your own solution.

If you have already loads of users with the 'wrong' userID you can use my sample scripts to 'migrate' the user ID. Sample 2666 'Migrate userID' will create a new user off the source, copying all the user properties, like roles/teams etc.  You'll also find my user guide for the samples handy to explain some practical and other handy things about the mappings for example.


Overall, you'd be better to map on USERID and ask Azure to return a USERID as the Subject NameID rather than an email. You can still authenticate by identifying yourself by email. Sometimes your userID has funny characters that are not permitted.  In which case, manipulate the Subject nameid dynamically. 

USERID must not contain unsupported characters, any lowercase character, a ‘-’ or more than 20 characters

Manipulating the NameID when using SAP Identity Authentication, Microsoft Azure, Microsoft ADFS, Okta


Kind regards, Matthew
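The USERID constraints quoted in the answer above (no lowercase characters, no '-', at most 20 characters) are easy to check before a NameID is handed to SAC, so that dynamic user creation does not silently produce IDs you did not choose. The following is an added example, not part of the original answer or of SAP's sample scripts; the set of characters it treats as permitted (A-Z, 0-9, '_' and '.') is an assumption for illustration, not a documented SAC rule.

```python
import re

# Limits quoted in the answer: no lowercase, no '-', max 20 characters.
USERID_MAX_LEN = 20
# Assumed permitted character set for this example (not a documented SAC rule).
USERID_ALLOWED = re.compile(r"^[A-Z0-9_.]+$")


def check_userid(userid):
    """Return the list of rule violations for a candidate SAC USERID (empty list = acceptable)."""
    problems = []
    if any(c.islower() for c in userid):
        problems.append("contains lowercase characters")
    if "-" in userid:
        problems.append("contains '-'")
    if len(userid) > USERID_MAX_LEN:
        problems.append(f"longer than {USERID_MAX_LEN} characters")
    # Check the remaining characters after the two explicit rules have been accounted for,
    # so an ID such as "j-doe" reports each distinct problem only once.
    stripped = userid.upper().replace("-", "")
    if not stripped or not USERID_ALLOWED.match(stripped):
        problems.append("contains unsupported characters")
    return problems


def nameid_from_email(email):
    """Derive a Subject NameID candidate the way an IdP claims rule might:
    take the local part of the e-mail, uppercase it and drop '-'.

    Returns None when the result still violates the rules (too long, apostrophes,
    non-ASCII letters, ...), so the caller can fall back to another source attribute
    instead of letting SAC create a user with an ID that cannot be used later."""
    local = email.split("@", 1)[0]
    candidate = local.upper().replace("-", "")
    return candidate if not check_userid(candidate) else None


if __name__ == "__main__":
    # Constructed sample identities, not real accounts.
    for addr in ("jane.doe@example.com", "x-y@example.com",
                 "anne-marie.o'connor@example.com", "averyveryverylongusername@example.com"):
        print(f"{addr:45} -> {nameid_from_email(addr)}")
```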

tskwin
Participant

Hi Matthew, Hi alexeydugarov

Thanks a lot, for the detailed response. I will study all the links.

@Matthew_Shaw In SAC, I set the user attribute to Custom SAML User Mapping—Is that what you meant in this sentence: "The SAML mapping column is only shown when you are mapping on a 'custom' value. When mapping on userid or email, then there is no SAML mapping column"?

dynam.png

 However, I still can't see the option "SAML USER MAPPING" in my SAC tenant. I can't find it under Security/User, and it's also not listed under Security/Roles. Why?

Many Thanks

Best Regards

Matthew_Shaw
Product and Topic Expert
You have set step 3 as 'custom', so a 'SAML MAPPING' column will now appear in the Menu-Security-Users screen. Please take another look; it will be there. Kind regards, Matthew

Answers (1)

tskwin
Participant

Hello @Matthew_Shaw

It works, thank you! I haven’t enabled SSO yet (conversion not done), which is why I didn’t see the SAML Attribute button.

Thanks again!