on 2025 Feb 07 3:34 PM
Hi Experts,
I need your help.
I have configured IAS as a proxy, and in IAS, I have set the Subject Name Identifier=employee_id
In Azure (OpenID Connection to IAS), I have added the employee_id to Additional Claims.
In the source system (Azure) in IPS, I have configured the transformation as follows:
{
"sourcePath": "$.employeeId",
"targetPath": "$.userName",
"correlationAttribute": true
}
Also in IPS transformation I replaced "sourcePath": "$.userPrincipalName" with "sourcePath": "$.employeeId".
Users are provisioned with IPS.
In IAS, the "Login Name" field for users receives the employee_id, for example, 1111. These users are then provisioned to SAC and have the employee_id (1111) in the "USER ID" field as well.
When I try to test SSO and select "Choose a user attribute to map to your Identity Provider" -> User attribute set = "USER ID", the user is not found in SAC.
The user accesses the SAC link and enters their email address. The user is authenticated in Azure, but in SAC, the user is not found.
I need help.
I can't solve this by myself.
Thank you very much!!!
Hello
When using SAML mappings you don't need to worry about attributes in IAS for the users; all the mapping happens in the SAML assertion and SAC will receive all the details needed. This is the same scenario as most companies use for BTP apps.
In the scenario described in the learning mentioned earlier you should use IAS as a proxy, and you should already have EntraID configured in IAS as a corporate IDP in the section Identity providers -> Corporate identity providers. The trust config IAS-EntraID should consider attributes like these:
If a user has multiple groups, those will be included in the SAML assertion; you don't need to worry about it. You should use a naming convention though, to avoid sending all EntraID groups to IAS and exceeding the limit of 150 in SAML.
From the IAS side you need to configure a new app for SAC and configure SAML in SAC with this app. This app should include the custom1 and custom2 attributes (depending on whether you want groups and teams in different attributes).
A user in EntraID with sac_admin, Sac_team1, Sac_role2 assigned will log into SAC and will have in the SAML assertion the value of the groups in the attributes custom1 and custom2 (usually group IDs are used instead of group names). Then you map those group IDs to your roles/teams in SAC as described in the learning, and the users will be automatically created and assigned to groups in SAC once they log in. There's no IPS needed, nor attribute creation in IAS; it's just a SAML mapping between EntraID, IAS and SAC.
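To make the group-based SAML mapping described above concrete, here is an added Python example (not SAP code and not part of the answer) that reads the group IDs IAS forwards in the custom1/custom2 attributes of an assertion and resolves them to SAC roles and teams through an allowlist; the assertion fragment, the group object IDs and both mapping tables are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed allowlists: Entra ID group object IDs -> SAC role profile / team (constructed IDs)
ROLE_MAP = {"11111111-1111-1111-1111-111111111111": "PROFILE:sap.epm:Admin"}
TEAM_MAP = {"22222222-2222-2222-2222-222222222222": "Team1"}

# Hand-written assertion fragment; a real assertion is signed, and SAC must verify the
# signature before any attribute in it is trusted. custom1 carries role groups,
# custom2 carries team groups, exactly as the answer above proposes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="custom1">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="custom2">
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
      <saml:AttributeValue>33333333-3333-3333-3333-333333333333</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, name):
    """Return every AttributeValue of the SAML attribute called `name` (empty if absent)."""
    root = ET.fromstring(assertion_xml)
    xpath = f"./saml:AttributeStatement/saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [v.text.strip() for v in root.findall(xpath, NS) if v.text]


def resolve(assertion_xml):
    """Translate forwarded group IDs into SAC roles/teams; unknown IDs grant nothing
    and are reported separately so a missing allowlist entry is visible, not silent."""
    role_ids = attribute_values(assertion_xml, "custom1")
    team_ids = attribute_values(assertion_xml, "custom2")
    return {
        "roles": [ROLE_MAP[g] for g in role_ids if g in ROLE_MAP],
        "teams": [TEAM_MAP[g] for g in team_ids if g in TEAM_MAP],
        "unmapped": [g for g in role_ids + team_ids if g not in ROLE_MAP and g not in TEAM_MAP],
    }


if __name__ == "__main__":
    print(resolve(SAMPLE_ASSERTION))
```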
Hi
For this scenario, I think the scenario described in the learning "Managing Security and Administration in SAP Analytics Cloud", specifically the section "Managing Users Using SAML Attributes", is much simpler for what you want to achieve. You don't need IPS; you just map SAML attributes. In case an attribute is not available in EntraID and you need it from IAS, if you use Identity Federation you should be able to use it. The scenario in the learning is described based on an old NW Java system, but you can achieve the same using IAS.
Hello @dyaryura
Thanks a lot for your reply.
We are provisioning users with IPS, and we handle role assignment using IPS code.
{
"targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']['roles'][1]['value']",
"condition": "$.displayName == 'SAC_ADMIN'",
"constant": "PROFILE:sap.epm:Admin",
"optional": true
},
{
"targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']['roles'][1]['display']",
"condition": "$.displayName == 'SAC_ADMIN'",
"constant": "Admin",
"optional": true
}
Is this method not recommended?
Thanks a lot!
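To show what the IPS rules quoted in this thread actually produce (the employeeId-to-userName correlation rule and the two SAC_ADMIN group-role rules), here is an added Python example with a simplified evaluator for this style of mapping; it is not SAP's IPS engine and not code from the post, and the displayName copy rule and the sample source records are assumptions.

```python
import re


def parse_path(path):
    """Turn "$.employeeId" or "$['ext']['roles'][1]['value']" into a list of keys/indexes."""
    parts = re.findall(r"\.(\w+)|\['([^']*)'\]|\[(\d+)\]", path.lstrip("$"))
    return [int(idx) if idx else (dot or quoted) for dot, quoted, idx in parts]


def get_path(obj, path):
    """Read a value along the path; None when any step is missing."""
    for step in parse_path(path):
        try:
            obj = obj[step]
        except (KeyError, IndexError, TypeError):
            return None
    return obj


def set_path(obj, path, value):
    """Write a value along the path, creating dicts/lists (padded with None) on the way."""
    steps = parse_path(path)
    for i, step in enumerate(steps):
        is_last = i == len(steps) - 1
        child = value if is_last else ([] if isinstance(steps[i + 1], int) else {})
        if isinstance(obj, list):
            obj.extend([None] * (step + 1 - len(obj)))
            if is_last or obj[step] is None:
                obj[step] = child
        elif is_last or step not in obj:
            obj[step] = child
        obj = obj[step]


def condition_holds(condition, source):
    """Support the one condition form used in the post: <path> == '<literal>'."""
    m = re.fullmatch(r"\s*(\$\S+)\s*==\s*'([^']*)'\s*", condition)
    if not m:
        raise ValueError("unsupported condition: " + condition)
    return get_path(source, m.group(1)) == m.group(2)


def transform(source, mappings):
    """Apply mappings to one source record; a missing non-optional source attribute fails loudly."""
    target = {}
    for m in mappings:
        if "condition" in m and not condition_holds(m["condition"], source):
            continue
        value = m["constant"] if "constant" in m else get_path(source, m["sourcePath"])
        if value is None and m.get("optional"):
            continue
        if value is None:
            raise ValueError("required source attribute missing: " + m["sourcePath"])
        set_path(target, m["targetPath"], value)
    return target


GROUP_ROLES = "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']['roles'][1]"
USER_MAPPINGS = [{"sourcePath": "$.employeeId", "targetPath": "$.userName", "correlationAttribute": True}]
GROUP_MAPPINGS = [  # the two rules from the post plus an assumed plain displayName copy
    {"sourcePath": "$.displayName", "targetPath": "$.displayName"},
    {"targetPath": GROUP_ROLES + "['value']", "condition": "$.displayName == 'SAC_ADMIN'",
     "constant": "PROFILE:sap.epm:Admin", "optional": True},
    {"targetPath": GROUP_ROLES + "['display']", "condition": "$.displayName == 'SAC_ADMIN'",
     "constant": "Admin", "optional": True},
]
```

Running `transform({"displayName": "SAC_ADMIN"}, GROUP_MAPPINGS)` fills roles[1] with the Admin profile, any other group gets no role entry, and a user record without employeeId raises instead of being provisioned under an empty login name.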
Hello @dyaryura
Thank you for the feedback.
I’ve also looked into the SAML mapping.
I don't understand how user group assignments should be handled when a user belongs to multiple groups and when the groups are provisioned from Azure.
For example, the Azure group "sac_admin" and its user "pptadm". This group and this user are provisioned to IAS.
Then, in the Custom Attribute 1 field of the user "pptadm," there is no attribute (e.g., "sac_admin").
How should this be automated?
Because, as I understand it, the SAML mapping works based on custom attributes in IAS. And one more question: what if a user in Azure belongs to multiple groups? Should IAS then show, for example, Custom Attribute 1 = group1 and Custom Attribute 2 = group2?
Many Thanks
Best Regards
Hello @dyaryura
Many Thanks
Does this mean that users in SAC will only be created dynamically, and that we must enable "Dynamic User Creation" in SAC?
Does this also mean that we don't need to provision users from Azure to IAS?
How should we delete users in SAC - manually? What happens if users are not deleted in Azure? Will those users still have access to SAC?
What are your recommendations regarding this entire process?
Thank you very much!
Best Regards
Hello @dyaryura
Thank you very much.
Does this mean that in this scenario with "Dynamic User Creation," the deletion of users in SAC must be done manually?
What about team creation?
Should teams in SAC be created manually or via IPS (Groups (Azure) -> SAC (Teams))?
I’ve read somewhere that manually created teams in SAC can no longer be accessed by IPS. I’m not sure if this is correct.
Many Thanks
Best Regards