
SCP Platform Identity Provider member name displays "-subaccount not visited yet-"

former_member186439
Participant
0 Kudos

We have configured our SAP Cloud Platform Members with Administration Roles to authenticate with our Platform Identity Provider Tenant. Our Tenant is configured to proxy authentication to Azure AD. All of this is working great.

When a new Administrative User is added, the Name field defaults to "-subaccount not visited yet-". The 'real' name is supposed to be filled in the first time this user logs in. However, our Name field never changes even after a successful log in.

My working theory is that the SAML attributes coming from the Platform Identity Provider Tenant are missing a needed attribute. Our configuration is set to send Display Name, Login Name, First Name, Last Name, and E-mail.

Are we missing an attribute? Or, is the problem something else?

Ravindra_T
Explorer
0 Kudos

Hi Steven,

We are trying to configure the same (SCP Platform Identity Provider -> Identity Authentication Service (IAS) -> Azure AD for member login). But for some reason it is not behaving the way it is expected to. Could you please help us with the configuration steps you have followed, or correct me on the points below which we have followed:

-> Configured Platform IDP to point to IAS

-> Configured AAD in Corporate IDP Section of IAS

-> In the IAS application, under Conditional Authentication, selected the AAD configured above as default authenticator.

Maybe for SAP Cloud Connector configuration purposes we might need to keep the "Allow Identity Authentication Users Log On" setting on.

Could you please throw some light here, if we are doing anything wrong?

Though it works I have some questions here.

Do we still need to create the user in IAS in this case? If yes, what about the password?

Do we still need to add the user (either IAS or AAD user ID, as per the answer to the above question) in the Global and Sub account members?

Finally, is there any group mapping through assertions possible all the way, like AAD->IAS->SCP Sub Accounts?

One more last point: these users are also considered under licensing as per logons.

Thank you in advance for your help Steven.

Best Regards

RT

Accepted Solutions (0)

Answers (3)

taryckbensaili
Participant
0 Kudos

Hi,

Sorry to disturb you, but I would like to talk about:

https://archive.sap.com/discussions/message/16283136#16283136

We need to configure SAML Authentication for OData and we need some guidance.

Tell me if you've got time for that.

Thanks in advance.

former_member186439
Participant
0 Kudos

The actual problem was that the "members" list in the subaccount forces all ID values to upper case. Our SAP Identity Tenant allowed mixed case.

lucasvaccaro
Product and Topic Expert
0 Kudos

Hi Steven,

I think your assumption is right.

The basic attributes are first_name, last_name and mail (case sensitive).

If you have Identity Federation disabled on IAS side, the attributes from Azure are forwarded. If it is enabled, you have to configure them in the IAS Admin Console:

https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/c029bbbaefbf4350af15115396b...

Regards,
Lucas
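
A diagnostic for the two causes named in this thread (the case-sensitive attribute names first_name, last_name and mail, and the upper-cased IDs in the subaccount members list), as an added example that is not part of any post or of SAP's code. The function name, the sample assertion and the member ID are constructed, and it assumes you have the decoded assertion XML and that the member ID is compared with the assertion's NameID.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names given in the thread as the basic set (case sensitive).
REQUIRED = ("first_name", "last_name", "mail")

# Constructed sample assertion fragment, not captured from a real tenant.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>P000123abc</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="First_Name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, member_ids):
    """Return findings for one decoded assertion; member_ids are the upper-case IDs from the members list."""
    # Meant for an assertion you captured yourself; use defusedxml for untrusted XML.
    root = ET.fromstring(xml_text)
    names = [a.get("Name", "") for a in root.iterfind(".//saml:Attribute", NS)]
    findings = []
    for req in REQUIRED:
        if req in names:
            continue
        # A name that differs only in case is reported separately from a missing one.
        near = [n for n in names if n.lower() == req]
        if near:
            findings.append(f"attribute {req!r} sent as {near[0]!r} (case mismatch)")
        else:
            findings.append(f"attribute {req!r} missing")
    name_id = (root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    if name_id not in member_ids:
        if name_id.upper() in member_ids:
            findings.append(f"NameID {name_id!r} matches member {name_id.upper()!r} only after upper-casing")
        else:
            findings.append(f"NameID {name_id!r} not in members list")
    return findings


if __name__ == "__main__":
    for line in check_assertion(SAMPLE, {"P000123ABC"}):
        print(line)
```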