My users are not provisioned from Azure AD to SAP BTP Identity Authentication as Service with an issue at the last step of the provisioning

Bogdan Apostol 20 Reputation points
2023-07-26T14:00:16.5766667+00:00

Hello team,

I implemented automatic provisioning of users from Azure AD to SAP Business Technology Platform Identity Authentication Service using the following article:

https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial

On this I created the enterprise application "SAP Cloud Identity Services" associated with the application that my team is developing.

At the last step after the initial synchronization cycle finished, I received the following error at the last provisioning step.

User's image

I attached to the ticket the JSON file (called sapscimschema.txt) that represents the response to the HTTP request. In the screenshot below you can see that the urn:sap:cloud:scim:schemas:extension:custom:2.0:User attribute is in the SAP schema, but apparently the error says that attribute is somehow invalid.

image

I also attached the provisioning logs in the last 2 days if needed (file called ProvisioningLogs_07-25-2023_07-26-2023.txt).

It should be mentioned that all users on my test tenant are affected. A UPN of an affected user would be ******@bogdanapostol97gmail.onmicrosoft.com.

My tenant ID is 147d2894-bf3e-4257-8022-b4daf6345ea7. I have a Visual Studio Enterprise Subscription and its ID is 439018ac-05a7-4ee3-ad1f-0a7556a579a1.

Could you help me troubleshoot this error?


Answer accepted by question author
  1. Anonymous
    2023-07-27T19:31:56.4033333+00:00

    Hi @Bogdan Apostol, thank you so much for the detailed write-up. Assuming the custom attributes in the SAP Business Technology Platform Identity Authentication are correct, please check the following for me:

    1. Review the Attribute Mapping section in the Azure AD provisioning configuration for SAP Business Technology Platform Identity Authentication. Make sure the attribute mappings are correct and follow the required format specified by SAP.
    2. Verify that the administrator user in SAP Business Technology Platform Identity Authentication is of type System. Creating a normal administrator user can lead to unauthorized errors while provisioning.

    If this doesn't resolve your issue, please let me know and we can dig deeper. Please let me know.

    Best,

    James

