
SSO Error in SAC

tskwin
Participant
0 Kudos
279

Hi Experts,

I need your help.

I have configured IAS as a proxy, and in IAS, I have set the Subject Name Identifier=employee_id

In Azure (OpenID Connection to IAS), I have added the employee_id to Additional Claims.

In the source system (Azure) in IPS, I have configured the transformation as follows:

{
"sourcePath": "$.employeeId",
"targetPath": "$.userName",
"correlationAttribute": true
}

Also in IPS transformation I replaced "sourcePath": "$.userPrincipalName" with "sourcePath": "$.employeeId".

Users are provisioned with IPS.

In IAS, the "Login Name" field for users receives the employee_id, for example, 1111. These users are then provisioned to SAC and have the employee_id (1111) in the "USER ID" field as well.

When I try to test SSO and select "Choose a user attribute to map to your Identity Provider" -> User attribute set = "USER ID", the user is not found in SAC.

The user accesses the SAC link and enters their email address. The user is authenticated in Azure, but in SAC, the user is not found.

I need help.

I can't solve this by myself.

Thank you very much!!!

tskwin
Participant
0 Kudos

Hello @dyaryura 

Thanks a lot for your reply.

We are provisioning users with IPS, and we handle role assignment using IPS code.

{
"targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']['roles'][1]['value']",
"condition": "$.displayName == 'SAC_ADMIN'",
"constant": "PROFILE:sap.epm:Admin",
"optional": true
},
{
"targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']['roles'][1]['display']",
"condition": "$.displayName == 'SAC_ADMIN'",
"constant": "Admin",
"optional": true
}

Is this method not recommended?

Thanks a lot!
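As an added illustration (not code from this thread, from SAP, or from IPS itself), the following Python re-implements in simplified form how the two kinds of transformation quoted in this thread behave: the `$.employeeId` to `$.userName` mapping flagged as `correlationAttribute`, and the conditional `constant` rules that write SAC roles into the `group-roles` extension. It assumes IPS semantics for `sourcePath`, `targetPath`, `condition`, `constant`, `optional` and `correlationAttribute` only as far as the thread shows them (equality conditions only), and the Azure records are constructed samples.

```python
import re

# Constructed sample records standing in for what IPS reads from Azure; not data from the thread.
AZURE_USER = {"userPrincipalName": "pptadm@example.com", "employeeId": "1111"}
AZURE_GROUP = {"displayName": "SAC_ADMIN"}
SAC_EXT = "urn:sap:params:scim:schemas:extension:sac:2.0:group-roles"

USER_RULES = [
    {"sourcePath": "$.employeeId", "targetPath": "$.userName", "correlationAttribute": True},
]
GROUP_RULES = [
    {"targetPath": f"$['{SAC_EXT}']['roles'][1]['value']", "condition": "$.displayName == 'SAC_ADMIN'",
     "constant": "PROFILE:sap.epm:Admin", "optional": True},
    {"targetPath": f"$['{SAC_EXT}']['roles'][1]['display']", "condition": "$.displayName == 'SAC_ADMIN'",
     "constant": "Admin", "optional": True},
]

# Accepts the two path spellings used in the thread: $.a.b and $['a']['b'][1]
_TOKEN = re.compile(r"\.([A-Za-z_][\w-]*)|\['([^']*)'\]|\[(\d+)\]")

def _tokens(path):
    """Split a JSONPath-style string into dict keys and integer list indexes."""
    return [int(i) if i else (n or k) for n, k, i in _TOKEN.findall(path[1:])]

def _get(obj, path):
    for t in _tokens(path):
        obj = obj[t]
    return obj

def _set(obj, path, value):
    """Create intermediate dicts/lists as needed; unused list slots stay None."""
    toks = _tokens(path)
    for cur, nxt in zip(toks, toks[1:]):
        child = [] if isinstance(nxt, int) else {}
        if isinstance(cur, int):
            while len(obj) <= cur:
                obj.append(None)
            if obj[cur] is None:
                obj[cur] = child
            obj = obj[cur]
        else:
            obj = obj.setdefault(cur, child)
    last = toks[-1]
    if isinstance(last, int):
        while len(obj) <= last:
            obj.append(None)
    obj[last] = value

def _condition_holds(source, cond):
    """Simplified: only the "$.path == 'literal'" form seen in the thread is supported."""
    lhs, rhs = (s.strip() for s in cond.split("=="))
    try:
        return str(_get(source, lhs)) == rhs.strip("'")
    except (KeyError, IndexError, TypeError):
        return False

def apply_rules(source, rules):
    """Return (target_record, correlation_paths) for one source entity."""
    target, correlation = {}, []
    for rule in rules:
        if "condition" in rule and not _condition_holds(source, rule["condition"]):
            continue  # conditional rule does not apply to this entity
        if "constant" in rule:
            value = rule["constant"]
        else:
            try:
                value = _get(source, rule["sourcePath"])
            except (KeyError, IndexError, TypeError):
                if rule.get("optional"):
                    continue
                raise KeyError(f"required source attribute missing: {rule['sourcePath']}")
        _set(target, rule["targetPath"], value)
        if rule.get("correlationAttribute"):
            correlation.append(rule["targetPath"])  # attribute used to match existing target users
    return target, correlation
```

Running `apply_rules(AZURE_USER, USER_RULES)` yields `{"userName": "1111"}` with `$.userName` as the correlation attribute, which is exactly the value that then has to agree with the identifier IAS sends at SSO time; a user record without `employeeId` raises, since that rule is not optional.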

dyaryura
Contributor
0 Kudos
It is possible also to use IPS, but using SAML mapping attributes for Teams and Roles is much simpler. The creation of users happens automatically upon login if you enable shadow user creation.
tskwin
Participant
0 Kudos

Hello @dyaryura 

Thank you for the feedback.

I’ve also looked into the SAML mapping.

I don't understand how user group assignments should be handled when a user belongs to multiple groups and when the groups are provisioned from Azure.

For example, the Azure group "sac_admin" and its user "pptadm". This group and this user are provisioned to IAS.

Then, in the Custom Attribute 1 field of the user "pptadm," there is no attribute (e.g., "sac_admin").

How should this be automated?

Because, as I understand it, the SAML mapping works based on custom attributes in IAS. And one more question: What if a user in Azure belongs to multiple groups? Should IAS then show, for example, Custom Attribute 1 = group1 and Custom Attribute 2 = group2?


Many Thanks

Best Regards

tskwin
Participant
0 Kudos

Hello @dyaryura 

Many Thanks

Does this mean that users in SAC will only be created dynamically, and that we must enable "Dynamic User Creation" in SAC?

Does this also mean that we don't need to provision users from Azure to IAS? 

How should we delete users in SAC - manually? What happens if users are not deleted in Azure? Will those users still have access to SAC?

What are your recommendations regarding this entire process?

Thank you very much!

Best Regards

dyaryura
Contributor
"does this mean that users in SAC will only be created dynamically, and that we must enable "Dynamic User Creation" in SAC?"

Users will be created upon logon and assigned to roles/teams accordingly if you set "Dynamic User creation".

"Does this also mean that we don't need to provision users from Azure to IAS?"

No need to provision users in this scenario.

"How should we delete users in SAC - manually? What happens if users are not deleted in Azure? Will those users still have access to SAC?"

This is not covered by the SAML scenario. Users won't have access to SAC anyway since they won't be able to authenticate.

The decision depends on your scenario requirement. SAML attribute mapping is the usual way customers are integrating BTP solutions, so it seems more natural. IPS is a great tool but will require some expertise to configure properly.
tskwin
Participant
0 Kudos

Hello @dyaryura 

Thank you very much.

Does this mean that in this scenario with "Dynamic User Creation," the deletion of users in SAC must be done manually?

What about team creation?

Should teams in SAC be created manually or via IPS (Groups (Azure) -> SAC (Teams))?

I’ve read somewhere that manually created teams in SAC can no longer be accessed by IPS. I’m not sure if this is correct.

Many Thanks

Best Regards