My users are not provisioned from Azure AD to SAP BTP Identity Authentication as Service with an issue at the last step of the provisioning

Bogdan Apostol 20 Reputation points
2023-07-27T09:38:08.9866667+00:00

Hello team,

My team and I implemented automatic provisioning of users from Azure Active Directory to SAP Business Technology Platform Identity Authentication Service using the following article:

https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial

On this I created an enterprise application called "SAP Cloud Identity Services" associated with the application that my team is developing.

At the last step after the initial synchronization cycle finished, I received the following error:


I attached to the conversation the JSON file called sapscimschema.txt, which is the response to the HTTP request. In the screenshot below you can see that the attribute urn:sap:cloud:scim:schemas:extension:custom:2.0:User is in the SAP schema, but apparently the error says that attribute is somehow invalid.


I also attached the provisioning logs in the last 2 days if needed (file called ProvisioningLogs_07-25-2023_07-26-2023.txt).

It should be mentioned that all the users on my test tenant are affected. A UPN of an affected user would be ******@bogdanapostol97gmail.onmicrosoft.com.

My tenant ID is 147d2894-bf3e-4257-8022-b4daf6345ea7. I have a Visual Studio Enterprise Subscription and its ID is 439018ac-05a7-4ee3-ad1f-0a7556a579a1.

Could you help me troubleshoot this error? Thanks a lot!

  1. Danny Zollner 10,721 Reputation points Microsoft Employee
    2023-08-07T03:27:53.63+00:00

    Based on the comments there are a few things going on, but these are the relevant ones:

    • AAD Provisioning doesn't currently include custom values in the "schemas" attribute even if an attribute from a custom schema is being used. The core and enterprise extension user schemas are always passed, but the urn:sap:cloud:scim:schemas:extension:custom:2.0:User schema is not being included.
      • The screenshots are hard to read, but it looks like the error being returned may be referencing the fact that an attribute was included in the payload but the relevant schema was not included in the schemas attribute.
    • AAD Provisioning doesn't currently support custom SCIM schemas that don't align with the pattern urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:CustomAttribute. The two bolded sections that start with Custom can be changed, but otherwise that pattern must be used. This is overly restrictive behavior in AAD Provisioning, and the SCIM standard does allow for any URN to be used. There is a development item in our backlog to relax this behavior, although I cannot share an ETA publicly at this time.
    • Finally, as you mentioned, it appears that this SCIM endpoint is deprecated by SAP and they have a new one. It looks like the tutorial published in the Azure AD/Entra ID documentation is outdated. I'll pass a note to the team that manages this to see if we can get the tutorial refreshed.
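A small check for the two points in the answer, written as an added example (not code from the question, the answer, Microsoft or SAP): it flags extension schemas that a SCIM user payload uses without declaring them in "schemas", produces the declared form, and tests a mapping URN against the pattern Azure AD provisioning supports. The sample payload is constructed, and the character classes in the pattern are an assumption.

```python
import copy
import re

# Schemas Azure AD provisioning always declares (per the answer above).
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Custom-attribute pattern Azure AD accepts: only the two "Custom..."
# segments vary (the character classes here are an assumption).
AAD_CUSTOM_ATTR = re.compile(
    r"urn:ietf:params:scim:schemas:extension:[A-Za-z0-9_-]+"
    r":2\.0:User:[A-Za-z0-9_-]+"
)


def extension_containers(user):
    """Top-level keys of a SCIM user payload that are extension schema URNs."""
    return {key for key in user if key.startswith("urn:")}


def undeclared_schemas(user):
    """Extension schemas used in the body but missing from 'schemas'; a strict
    SCIM server may reject the payload as carrying an invalid attribute."""
    declared = set(user.get("schemas", []))
    return sorted(extension_containers(user) - declared)


def declare_used_schemas(user):
    """Copy of the payload whose 'schemas' lists every extension it uses."""
    fixed = copy.deepcopy(user)
    fixed["schemas"] = list(user.get("schemas", [])) + undeclared_schemas(user)
    return fixed


def aad_supports_custom_attribute(urn):
    """True if a mapping target URN matches the pattern Azure AD supports."""
    return AAD_CUSTOM_ATTR.fullmatch(urn) is not None


# Constructed sample resembling a provisioning request: core and enterprise
# schemas declared, the SAP custom extension used but not declared.
SAMPLE_USER = {
    "schemas": [CORE_USER, ENTERPRISE_USER],
    "userName": "jdoe@example.com",
    ENTERPRISE_USER: {"department": "IT"},
    "urn:sap:cloud:scim:schemas:extension:custom:2.0:User": {
        "attributes": [{"name": "customAttribute1", "value": "x"}]
    },
}
```

Running undeclared_schemas on a captured request body reproduces the mismatch the thread describes, while aad_supports_custom_attribute shows why an SAP-style URN cannot be used as a mapping target today.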
