on 2023 Aug 15 4:12 PM
Hi,
We have configured SAP Build work zone standard edition and it works as expected. We are connecting to the corporate IdP (Azure AD) for authentication directly (without an identity authentication service/ tenant in between the corporate IdP and BTP)
We have noticed that the first name and the last name doesn't show up correctly in the name field. It seems to be adding the first part of the email address as the first name and the domain as the last name.
We have tried setting family_name with user.surname and given_name with user.givenname in Azure AD
We have also tried setting first_name with user.givenname and last_name with user.surname in Azure AD
But we still do not see the proper name displayed in the build workzone launchpad user menu, settings.
We reached out SAP through a ticket and they say that its standard behavior. That doesn't seem correct. Does anyone from product management or any one have any insights into this?
Thank you
Julius
Request clarification before answering.
Please ensure the attributes are sent as required per the following documentation: Map User Attributes from a Corporate Identity Provider for Business Users | SAP Help Portal This will also depend on your Azure AD / IAS setup (using federation or not).
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Assuming you are using the recommended OIDC-based trust between IAS & BTP, please ensure the attributes are sent in the following way:
If you are not using the identity federation (i.e. the claims from Azure AD are forwarded "as is"), please the claims are configured as required. Otherwise, please ensure the IAS-level attributes are configured in the required pattern referring to the corp. IdP attributes.
Please also double-check both XSUAA & WZ application: De-mystifying SAP Cloud Identity Services Integration with SAP Build Work Zone | SAP Blogs
Lastly, please confirm the attributes above being issues by IAS as required in the OIDC token via the troubleshooting logs: Logging OpenID Connect Tokens | SAP Help Portal
Thank you @florian_buech, your answer helped me to create this mapping and for me it is properly working 🙂
I was facing the same problem, when the users logged in using Azure AD the user was created at the Subaccount without First and Last Name. I did the mapping described at https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/enrich-assertion-attribute... and now works fine.
Your link was really helpful, now I know where to find this kind of information.
I have been struggling with the same thing.
I have made progress. I can make the Corporate Identity Provider send forward First and Last name now.
I added email and profile scopes and removed the offline_access scope that came from a different Blog. These are added to the Corporate Idp -> OpenID Connect Configuration.
However, there are still issues. From my reading if have "Use Identity Authentication user store" turned on in the Corporate IdP, then IAS should be able to add its Attributes to the JWTpayload that is passed to the Application. After some trial and error, I have found that if I turn that switch on and in the Application -> subacct -> Attributes I configure "groups" to include Corporate Identity Provider value groups, then it passes the Entra groups Ids forward. If I login with a user that is only in the IAS, then it passes the IAS Group names. However, if I have the user in IAS with matching login name and email to the Corporate Id Provider, that doesn't send the groups forward.
User | Count |
---|---|
77 | |
30 | |
10 | |
8 | |
7 | |
7 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.