03-19-2024 12:35 PM - edited 04-05-2024 8:30 AM
Hi experts!
We are currently working on integrating a custom schema within Identity Directory Services (IdDS). Specifically, we've developed a custom schema titled "urn:sap:cloud:scim:schemas:extension:custom:2.0:XitingIAM".
In our application, we're observing the following user data through Postman:
"urn:sap:cloud:scim:schemas:extension:custom:2.0:XitingIAM": {
"customattributeIAM_1": "sample-value-2"
}
Our primary objective is to utilize one of the attributes from this custom schema as the SAML Name ID for a specific application. However, we are encountering a challenge. When we try to specify this attribute in the following format:
Source: Expression
Value: ${urn:sap:cloud:scim:schemas:extension:custom:2.0:XitingIAM.customattributeIAM_1}
We receive an error stating: Invalid subject name identifier.
This outcome is unexpected, as our approach aligns with the method outlined in your documentation (https://help.sap.com/docs/identity-authentication/identity-authentication/configure-default-attribut...
According to the documentation, it should correctly read the value and include it in the token.
While this issue isn't of the highest urgency, it is significant for our customers who store values like perPersonUUID from SFSF within such custom schema attributes. Our aim is to seamlessly use these values within specific applications as a SAML Name Identifier.
Thanks in advance for your help!
Cheers Colt
The user is identified by setting an attribute with dynamic value in the following pattern: <prefix> ${attribute_technical_name} <suffix>.
See the technical names of the attributes that can take dynamic values:
Attribute | Technical name |
---|---|
Telephone Number | telephone |
Logon Name | loginName |
Display Name | displayName |
User ID | uid |
Global User ID | userUuid |
Employee Number | personnelNumber |
Custom Attribute 1 | customAttribute1 |
Custom Attribute 2 | customAttribute2 |
Custom Attribute 3 | customAttribute3 |
Custom Attribute 4 | customAttribute4 |
Custom Attribute 5 | customAttribute5 |
Custom Attribute 6 | customAttribute6 |
Custom Attribute 7 | customAttribute7 |
Custom Attribute 8 | customAttribute8 |
Custom Attribute 9 | customAttribute9 |
Custom Attribute 10 | customAttribute10 |
SP (service provider) user nameID | name_id |
SP (service provider) user Custom Attribute 1 | spCustomAttribute1 |
SP (service provider) user Custom Attribute 2 | spCustomAttribute2 |
SP (service provider) user Custom Attribute 3 | spCustomAttribute3 |
SP (service provider) user Custom Attribute 4 | spCustomAttribute4 |
SP (service provider) user Custom Attribute 5 | spCustomAttribute5 |
NameID coming from the assertion of the corporate IdP | corporateIdP.NameID |
Attribute coming from the assertion of the corporate IdP | corporateIdP.<corporateIDP attribute> |
SAP, in this context, seems to imply that "...It can be a user attribute coming from the Identity Directory..." However, instead of only supporting the attributes listed in the provided table, we strongly believe that an attribute from a Custom Schema, which is also a part of the Identity Directory, should be accommodated.
Consequently, we anticipate that, for example, instead of using ${customAttribute1}, something like ${urn:sap:cloud:scim:schemas:extension:custom:2.0:XitingIAM.customattributeIAM_1} would be operational.
It is at this juncture that we require a definitive statement from SAP regarding future support for this functionality, as the standard 10 customAttribute options present certain limitations, and the utilization of customer-owned schemas is not uncommon.
UPDATE 2024-04-05: In the meantime, I have discovered that this functionality works for Self-Defined Attributes (Application Attributes), and the value is integrated into the SAML Token.
However, this does not work for the SAML Subject Name ID.
UPDATE 2024-04-19: I'm a tad disappointed with SAP's standard response. You'd think one OSS would be enough to send this to the product team, especially since I've spelled it all out in exquisite detail, complete with footnotes and a dramatic reading. But no, now they expect me to file a feature request.
Your incident reached the IAS development support. I would like to inform you that currently IAS doesn’t support the described functionality. In this documentation: https://help.sap.com/docs/identity-authentication/identity-authentication/configure-subject-name-ide... you can find the supported expressions for Subject Name Identifier. If you want this functionality to be added, you could submit an improvement request. This way your suggestion would reach the Product Team directly.
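To make the gap discussed in this thread concrete, here is a small added example (my own code, not SAP's or IAS's) that models the documented `<prefix> ${attribute_technical_name} <suffix>` pattern against the table of technical names quoted above, rejects any placeholder outside that table with the same "Invalid subject name identifier" wording the post reports, and separately shows that the extension attribute is readable from the SCIM user document, so the value exists in IdDS even though the Subject Name ID expression cannot reference it. The user document, the attribute values and the way technical names map to values are constructed for the example; the extension URN and attribute name are the ones from the post.

```python
import json
import re

# Technical names the documentation table lists as usable inside ${...} for the
# Subject Name Identifier (plus the corporateIdP.<attribute> pattern).
SUPPORTED_NAMES = {
    "telephone", "loginName", "displayName", "uid", "userUuid", "personnelNumber",
    "name_id", "corporateIdP.NameID",
    *(f"customAttribute{i}" for i in range(1, 11)),
    *(f"spCustomAttribute{i}" for i in range(1, 6)),
}
CORPORATE_IDP_PREFIX = "corporateIdP."

PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")

# Values from the post; everything else in this file is constructed sample data.
EXTENSION_URN = "urn:sap:cloud:scim:schemas:extension:custom:2.0:XitingIAM"
EXTENSION_PATH = EXTENSION_URN + ".customattributeIAM_1"

# Constructed SCIM user document (placeholder id, fictional user).
SCIM_USER = json.loads("""
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:sap:cloud:scim:schemas:extension:custom:2.0:XitingIAM"
  ],
  "id": "PLACEHOLDER-USER-ID",
  "userName": "jdoe",
  "displayName": "Jane Doe",
  "urn:sap:cloud:scim:schemas:extension:custom:2.0:XitingIAM": {
    "customattributeIAM_1": "sample-value-2"
  }
}
""")

# Constructed: the same user keyed by the technical names from the table. How IAS
# maps technical names onto IdDS fields is an assumption here, not documented.
USER_ATTRIBUTES = {
    "loginName": "jdoe",
    "displayName": "Jane Doe",
    "customAttribute1": "cost-center-4711",
}


class InvalidSubjectNameIdentifier(ValueError):
    """Raised for expressions the documented table does not cover."""


def validate_name_id_expression(expr):
    """Return the attribute names referenced by expr, or raise if one is unsupported."""
    names = PLACEHOLDER.findall(expr)
    if not names:
        raise InvalidSubjectNameIdentifier("expression contains no ${...} placeholder")
    for name in names:
        if name in SUPPORTED_NAMES:
            continue
        # corporateIdP.<corporateIDP attribute>: any non-empty attribute name after the prefix
        if name.startswith(CORPORATE_IDP_PREFIX) and len(name) > len(CORPORATE_IDP_PREFIX):
            continue
        raise InvalidSubjectNameIdentifier(f"Invalid subject name identifier: {name!r}")
    return names


def is_supported_expression(expr):
    """Boolean wrapper so a config check can run before the expression is saved."""
    try:
        validate_name_id_expression(expr)
        return True
    except InvalidSubjectNameIdentifier:
        return False


def resolve_name_id(expr, attributes):
    """Apply <prefix> ${attribute_technical_name} <suffix>: placeholders are replaced
    with the user's values, surrounding literal text is kept unchanged."""
    validate_name_id_expression(expr)

    def substitute(match):
        name = match.group(1)
        if name not in attributes:
            raise InvalidSubjectNameIdentifier(f"no value for {name!r} on this user")
        return str(attributes[name])

    return PLACEHOLDER.sub(substitute, expr)


def read_scim_extension(document, path):
    """Read '<schema URN>.<attribute>' from a SCIM document. The URN itself contains
    a dot ('2.0'), so the split point is found by matching the document's declared
    schemas instead of splitting on '.'. Returns None when the path is not present."""
    for urn in document.get("schemas", []):
        if path.startswith(urn + "."):
            return document.get(urn, {}).get(path[len(urn) + 1:])
    return None


if __name__ == "__main__":
    print(resolve_name_id("${loginName}@example.com", USER_ATTRIBUTES))
    print("extension value present in SCIM document:", read_scim_extension(SCIM_USER, EXTENSION_PATH))
    print("extension path accepted as Name ID expression:", is_supported_expression("${" + EXTENSION_PATH + "}"))
```

Running the script shows the three outcomes side by side: a table attribute with a suffix resolves, the extension attribute is present in the SCIM document, and the same extension path is rejected as a Name ID expression, which is exactly the behaviour the thread reports. The `is_supported_expression` check is the kind of pre-save validation that would have surfaced the limitation before the application was configured.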