cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

IAS: Provisioned User cannot login

Go to solution
former_member298553
Explorer

on ‎03-14-2018 12:27 PM

0 Kudos

Hi,

I used the SCP Identity Provisioning Service to copy the users from an SAP ABAP to the SCP Identity Authentication Service. The user was created correctly, but he is not able to login.

I created an initial password in the IAS, but it did not help, no login possible.

If i enter an incorrect password in the login form, the counter for failed login attempts does not increase.

If i us the "forgot password" button, i receive an email with the reset-password-link. When i enter my new password and press send (in the password-reset-form) i am logged in and i can see the IAS-user detail screen. When i log off and try to log in again, its again not possible to login.

I could not see any differences to an manually created IAS-user, but this user could login normally (including the "set first password" form).

I don´t know what could be wrong.

For the Provisioning service i used the standard transformations without changing anything.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member188370
Participant
‎03-14-2018 1:17 PM

Hello,

can you check if the transformation of the target system (IAS) contains the following section:

{
"constant": "39",
"targetPath": "$.sourceSystem",
"scope": "createEntity"
},

If yes, remove the section and try provisioning again.

Kind regards

Show replies
Show replies
former_member298553
Explorer
‎03-15-2018 9:25 AM
0 Kudos

Hi Jens,

it worked! Thank you very much!

But could you explain your answer?

In SCP IPS documentation [Link] is written following comment:

/* The 
sourceSystem attribute shows the provisioning source of the users. The supported value is 
39. That means, a corporate user 
is provisioned via the SCIM REST API of the Identity Authentication service. Do not delete this statement and do not change the constant! */

Why can remove this section and why do they say i must not?

Lee3
Active Participant
‎11-01-2018 10:30 AM
0 Kudos

Hi experts,

I'm a newbie in this.

As I understand when you provision users in the IAS , the password must be stored in the IAS otherwise it's not possible to logon right?

It's not possible to authenticate the user with password from the backend (ECC) ?

Kinds regards,

Vo

Answers (2)

Answers (2)

GerganaTsakova
Product and Topic Expert
Product and Topic Expert
‎04-30-2018 4:29 PM

Hello colleagues,

Thanks for the answers! The IPS documentation for the IAS scenario is now updated. See: SAP Cloud Platform Identity Authentication => section Remember in the end.

Or go straight to the relevant Troubleshooting page: Identity Authentication: Provisioned Users Can't Log On

Kind regards,

Gergana

Show replies
Show replies
pierosilve
Explorer
‎05-24-2019 12:30 PM
0 Kudos

Hi Gergana,

I read in documentation this:

"If you set $.userType to "public", all passwords will be written by default in the Identity Authentication. Thus, all provisioned users will successfully log in to Identity Authentication target system."

Does it mean that if I have the user "PIPPO" with password "12345678" in ABAP server and I provision this user to IAS, than I have a corresponding user "PIPPO" with the same password "12345678" already setted so I can access IAS/SCP without setting or resetting the password?

Thanks and Regards

veratzompova
Associate
Associate
‎03-30-2018 12:36 PM
0 Kudos

Hello Tim,

For user type “employee” we could change the password source – AD or IAS.

This code in transformation set AD as a source for the password. If the password for the user is stored in AD, this code must exist 

{ 
  "constant": "39", 
  "targetPath": "$.sourceSystem", 
  "cope": "createEntity"  
}

If the password for the user is stored in IAS, this code must be removed from transformation or "Corporate User Store" must be configured in IAS to reuse/check the password in AD.

If the user type is “public” then IAS is used as password store by default.

The IPS documentation will be updated as well.

Show replies
Show replies
Ask a Question