
SAP IAS and Successfactors - How SAML2 Attributes are used

arturka
Explorer

Hi

I created this post for a better understanding of how it works. It isn't a post about how to configure or fix errors, just for a better understanding of the process. Our configuration works, but in some special cases I would like to extend my knowledge about it.

We have the following situation:
SF is integrated with IAS, and IAS is federated with the CorporateIDP EntraID (not enriched, and so on).

arturka_0-1747910252842.png

On Entra ID side we have a configuration 

arturka_1-1747910301077.png

UPN has the format of an email address and is used as the login in EntraID,
but some partners have their own email outside our domain, as in the example below.

arturka_3-1747910607614.png

We have a SF app - standard configuration delivered by SAP 

arturka_4-1747910696674.png

with standard attributes 

arturka_5-1747910747212.png

App is federated with CorporateIDP

arturka_6-1747910782929.png

The user in SF and IAS had the following settings

arturka_8-1747911025043.png

Same login name and mail as on SF side 

But the user wasn't able to log on to SF (IAS/EntraID logon was OK)

arturka_9-1747911174338.png

In the IAS log we had

arturka_10-1747911404340.png

Of course, after changing the email on the IAS side from first.last@domain.pl to username@partner.com, logon to SF is possible.

Looking in the documentation (maybe I do not understand the whole process correctly):

https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/corp-idp-configure-identit...

https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/configure-identity-federat...

When Use Identity Authentication user store option is enabled, the application checks if the users authenticated by the corporate identity provider exist in the Identity Directory, the user store of Identity Authentication. The existence check is done with the name identifier sent by the corporate identity provider for the identifying attributes uid, loginName, emails and phoneNumber.

For users that exist in the Identity Directory, data from the user store is taken and the subject name identifier, assertion and default attributes according to the application configuration are sent. For users with no profile in Identity Authentication, the application receives the nameID attribute from the corporate IdP assertion, and the attributes according to the application configuration.

arturka_12-1747912284605.png

In my understanding, if federation is enabled, attributes should be taken from the user record in IAS. But for some reason the mail from the CorporateIDP is used.
Question: why?

Thanks for any suggestions & feedback 🙂
Artur

Answers (2)

dyaryura
Contributor

Hi

You're missing one piece here, and that is the configuration of your corporate IdP to IAS settings.

I guess you have that configured with the email attribute. You need to consider that first the authentication goes from EntraID to IAS, and here is where you need an attribute to match between your EntraID and your IAS. Based on that, IAS then applies Federation and enriches the user attributes with what you have in IAS. But if you're using one email in EntraID and another email in IAS, and that's the Subject Name Identifier, how is IAS supposed to know you're talking about the same user?

When there's no user in IAS to match, then based on the claim names you're probably passing your EntraID attributes to SF. Remember the federation is intended to enrich attributes, and IAS allows you to choose between IdP attributes or IAS attributes to be sent to SF.

The best way, if you're using SAML, is to use the SAML-tracer tool or similar that can be installed in Chrome/Mozilla to check the SAML messages once you log on and the attributes that are negotiated between EntraID-IAS-SF.

As a hint: if your emails in SF (same as IAS, since you're using IPS) are not the same as your emails in EntraID, then the email is not the proper attribute as a Subject Name Identifier for your IAS-EntraID trust. In one scenario we've used the Login Name, which matched a specific attribute in EntraID.
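To make the existence check from the quoted documentation and the hint above concrete, here is an added example (not code from the thread, from SAP or from the IAS product) that models it: a constructed Entra-style assertion is parsed, its NameID is compared with the identifying attributes of a constructed IAS user record (hypothetical uid), and the example shows which mail value would be forwarded to SF in the two cases from this thread, NameID = partner mailbox versus NameID = UPN.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPEC_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

def corp_idp_assertion(name_id, fmt):
    """Constructed, unsigned Entra ID-style assertion: NameID under test + mail and upn claims."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>username@partner.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="upn"><saml:AttributeValue>first.last@domain.pl</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed IAS Identity Directory record (uid is hypothetical): same login name and mail as in SF.
IAS_USERS = [{"uid": "P000123", "loginName": "first.last@domain.pl",
              "emails": ["first.last@domain.pl"], "phoneNumber": None}]

def parse_assertion(xml_text):
    """Return (NameID value, NameID format, {attribute name: first value})."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=SAML_NS)
             for a in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS)}
    return name_id.text, name_id.get("Format"), attrs

def find_ias_user(name_id, users):
    """Existence check as documented: NameID vs uid, loginName, emails, phoneNumber."""
    for user in users:
        candidates = [user["uid"], user["loginName"], user["phoneNumber"], *user["emails"]]
        if name_id in [c for c in candidates if c]:
            return user
    return None

def attributes_sent_to_app(xml_text, users):
    """Decide which mail value is forwarded to the SF application and where it came from."""
    name_id, _fmt, idp_attrs = parse_assertion(xml_text)
    user = find_ias_user(name_id, users)
    if user is None:  # no IAS profile found: the corporate IdP's claims pass through unchanged
        return {"source": "corporate IdP", "mail": idp_attrs["mail"]}
    return {"source": "IAS user store", "mail": user["emails"][0]}

if __name__ == "__main__":
    # 1) Partner mailbox as NameID: no IAS match, Entra's mail reaches SF (the thread's failure).
    print(attributes_sent_to_app(corp_idp_assertion("username@partner.com", EMAIL_FMT), IAS_USERS))
    # 2) UPN as NameID: matches loginName, so IAS's own mail reaches SF.
    print(attributes_sent_to_app(corp_idp_assertion("first.last@domain.pl", UNSPEC_FMT), IAS_USERS))
```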


arturka
Explorer

Thank you for the clarification, now it is clearer.

I know this configuration is not optimal. We are going to set UPN as the attribute because it is unique and standardised. I just wanted to understand how it works in detail.

I have checked the KBA

3440428 - "Invalid Login" error when accessing SuccessFactors instance via Identity

And on the IAS side we have

arturka_0-1747916341925.png

for app

arturka_2-1747916425869.png

In the SAML2 trace

arturka_3-1747916459193.png

I'm looking where NameID format is configured. 


And probably 

dyaryura
Contributor
Have a look in EntraID

dyaryura_0-1747917109734.png

dyaryura_1-1747917160468.png

dyaryura_2-1747917217660.png


arturka
Explorer
Thanks a lot, I missed the information that the NameID is always taken from EntraID 🙂