Skip to Content

IAS: Provisioned User cannot login

Mar 14 at 12:27 PM


avatar image


I used the SCP Identity Provisioning Service to copy the users from an SAP ABAP to the SCP Identity Authentication Service. The user was created correctly, but he is not able to login.

I created an initial password in the IAS, but it did not help, no login possible.

If i enter an incorrect password in the login form, the counter for failed login attempts does not increase.

If i us the "forgot password" button, i receive an email with the reset-password-link. When i enter my new password and press send (in the password-reset-form) i am logged in and i can see the IAS-user detail screen. When i log off and try to log in again, its again not possible to login.

I could not see any differences to an manually created IAS-user, but this user could login normally (including the "set first password" form).

I don´t know what could be wrong.

For the Provisioning service i used the standard transformations without changing anything.

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

3 Answers

Best Answer
Jens Koster
Mar 14 at 01:17 PM


can you check if the transformation of the target system (IAS) contains the following section:

"constant": "39",
"targetPath": "$.sourceSystem",
"scope": "createEntity"

If yes, remove the section and try provisioning again.

Kind regards

Show 1 Share
10 |10000 characters needed characters left characters exceeded

Hi Jens,

it worked! Thank you very much!

But could you explain your answer?

In SCP IPS documentation [Link] is written following comment:

/* The 
sourceSystem attribute shows the provisioning source of the users. The supported value is 
39. That means, a corporate user 
is provisioned via the SCIM REST API of the Identity Authentication service. Do not delete this statement and do not change the constant! */

Why can remove this section and why do they say i must not?

avatar image
Former Member
Mar 30 at 11:36 AM

Hello Tim,

For user type “employee” we could change the password source – AD or IAS.

This code in transformation set AD as a source for the password. If the password for the user is stored in AD, this code must exist

  "constant": "39", 
  "targetPath": "$.sourceSystem", 
  "cope": "createEntity"  

If the password for the user is stored in IAS, this code must be removed from transformation or "Corporate User Store" must be configured in IAS to reuse/check the password in AD.

If the user type is “public” then IAS is used as password store by default.

The IPS documentation will be updated as well.

10 |10000 characters needed characters left characters exceeded
Gergana Yanakieva
Apr 30 at 03:29 PM

Hello colleagues,

Thanks for the answers! The IPS documentation for the IAS scenario is now updated. See: SAP Cloud Platform Identity Authentication => section Remember in the end. You may need to expand the page width to see all the 4 cases (columns).

Kind regards, Gergana

10 |10000 characters needed characters left characters exceeded