3 weeks ago
Hi All, Hi @Matthew_Shaw
@Matthew_Shaw thank you so much for your help!
Now a clarification question: We have Azure as IdP, IAS as a proxy, and cloud apps like SAC configured. We provision users from Azure to IAS and then to SAC.
Ideally, we would like to log in to the apps (like SAC) using an employee number (e.g., 283268).
I can of course provision the employee number (283268) from Azure to IAS in the "Login Name" field and then to SAP SAC in the "USER ID". However, when a user tries to log in to SAC, they cannot log in with the employee number (283268). This user is not found in Azure. If the user logs in with the email address, the login works. What am I doing wrong here?
Question 1: Is it possible to authenticate in cloud apps (such as SAC) using an employee number from Azure (since users are redirected to Azure for authentication)?
Question 2: In Azure, the UPN is set as the email address, e.g., firstname.lastname@mail.com. If I form the username "f.lastname" from firstname.lastname@mail.com and transfer it from Azure -> IAS -> SAC, can the user log in with "f.lastname"? Will this user be found in Azure with "f.lastname"? What is the best attribute from Azure to provision to the USER ID for authentication?
Thank you again. Unfortunately, I am stuck here and need help.
Best Regards
Dear @tskwin
The user is added to IAS with the employee number in the "Login Name" field.
The user is then provisioned from IAS to SAC via IPS. The user is created in SAC with the employee number as the user ID. (This can be done regardless of what you set the SAML attribute to map the user to within SAC. In other words, regardless of the SAML attribute mapping (email, USERID, or custom) you can create the user ID of your choice - however this requires IAS to use version 2 of the SAC SCIM API.)
The user then authenticates against IAS (acting as a proxy/federation to Azure); the user authenticates by identifying themselves by email address and any two-factor authentication that may be set up. IAS then returns the employee number in the Subject Name ID within the SAML response. This is because IAS has been set to use "Login Name" as the attribute for this user, for this 'SAC application'.
SAC uses the contents of the Subject Name ID (employee ID in your case) to identify the user in SAC. As SAC is configured to identify the user by the USERID, the user must exist with this ID in SAC, otherwise they will not be able to log in (EXCEPT - if dynamic user creation has been enabled, then if the user is not found, the user is dynamically created. This is generally good, however problematic if dynamic user creation is enabled when an email is used in the Subject Name ID).
So, I think your problem is somewhere in the mix above. It could be that IAS isn't returning the correct attribute but instead passing back the same attribute from Azure, which you don't want. I'm not an IAS expert, but I've heard of this issue before and I'm pretty sure there's a configuration that can be made to change it to work as described above.
It might also be something very simple: The user doesn't exist in SAC with the Subject Name ID you've got back from the authentication phase. Look into what content is inside your Subject Name ID from the SAML claim and check this user exists in SAC. When using USERID, the contents must be UPPERcase, when using email it must be in lower, when custom it can be mixed case.
I would also recommend using my 'scan and repair' tool from https://community.sap.com/t5/technology-blogs-by-sap/sap-analytics-cloud-user-and-team-provisioning-... - see sample 'SCIM 2667-All_U-Uu-Es-Scan and repair' but I've yet to write the documentation for it! For the moment, just run it as is; it's very safe to run without changing any settings. It doesn't need a data file, and it writes information into the console log where you'll find any issues with any users. Just make sure the Postman environment has the correct setting for 'SAMLSSO'.
Question 1: Is it possible to authenticate in cloud apps (such as SAC) using an employee number from Azure (since users are redirected to Azure for authentication)?
A1: It's possible yes, but I'm unsure the exact IAS settings. From SAC point of view, it is as I've described above.
Question 2: In Azure, the UPN is set as the email address, e.g., firstname.lastname@mail.com. If I form the username "f.lastname" from firstname.lastname@mail.com and transfer it from Azure -> IAS -> SAC, can the user log in with "f.lastname"? Will this user be found in Azure with "f.lastname"? What is the best attribute from Azure to provision to the USER ID for authentication?
A2: Not a great idea I would say. Best to stick with the employee ID you had thought of before as the ID is unlikely to change over time unlike email addresses or names.
Sorry I've not got the full answer, but this is a good starting point I think. Let us know how you get on.
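As an added illustration of the check described in this answer (not code from the thread or from SAP), the snippet below pulls the Subject NameID out of a constructed SAML assertion and tests it against a constructed SAC user list using the case rules stated above (USERID upper, email lower, custom mixed) and the dynamic-user-creation exception. The assertion, the users and the identifier modes are sample data and assumptions, not real tenant values.

```python
"""Added example: will the NameID that IAS returns match an active SAC user?
All data below is constructed for illustration."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: minimal assertion as IAS would return it when "Login Name"
# (the employee number) is used as the Subject Name ID for the SAC application.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">283268</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed: users as they exist in SAC, keyed by the attribute SAC can match on.
SAC_USERS = [
    {"USERID": "283268", "EMAIL": "firstname.lastname@mail.com", "CUSTOM": "f.lastname"},
    {"USERID": "JSMITH", "EMAIL": "j.smith@mail.com", "CUSTOM": "jSmith"},
]


def extract_name_id(assertion_xml):
    """Return the Subject NameID text from a SAML assertion (raises if absent)."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", NS)
    if node is None or not node.text:
        raise ValueError("no Subject NameID in assertion")
    return node.text.strip()


def case_ok(name_id, mode):
    """Case rule from the answer: USERID must be upper, email lower, custom any."""
    if mode == "USERID":
        return name_id == name_id.upper()
    if mode == "EMAIL":
        return name_id == name_id.lower()
    return True


def check_login(name_id, mode, users, dynamic_user_creation=False):
    """Decide whether SAC would accept this NameID; returns (ok, reason)."""
    if not case_ok(name_id, mode):
        return False, "NameID %r has the wrong case for mode %s" % (name_id, mode)
    if any(u[mode] == name_id for u in users):
        return True, "matched an existing SAC user by %s" % mode
    if dynamic_user_creation:
        return True, "not found; SAC would create user %r dynamically" % name_id
    return False, "no active account for NameID %r (the error you see)" % name_id
```

Run `check_login(extract_name_id(SAMPLE_ASSERTION), "USERID", SAC_USERS)` to see the happy path; try a lower-case NameID under USERID to reproduce the case-mismatch failure.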
Hello @Matthew_Shaw
I have tested what you described. I have configured that:
1. Configuration:
Azure:
IAS:
SAC:
In this configuration, the user is able to authenticate without any issues.
2. Issue with New Configuration:
However, when I change the configuration to the following:
Azure:
IAS:
SAC:
I receive the following error message:
It seems that you don't have an active account. Please contact your system administrator and ensure that you have an active account for this system.
USER ID in SAC
I do the user and role assignment with the help of IPS using this code:
```json
{
  "targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']['roles'][1]['value']",
  "condition": "$.displayName == 'sac_admin'",
  "constant": "PROFILE:sap.epm:Admin",
  "optional": true
},
{
  "targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']['roles'][1]['display']",
  "condition": "$.displayName == 'sac_admin'",
  "constant": "Admin",
  "optional": true
}
```
How to resolve this issue? What is wrong with this configuration?
Thank you in advance for your help!!!
Best regards
Thanks for your support
Best Regards