SCIM User Provisioning with SAP Cloud Identity Services - Additional attribute is not included in the provisioning

Question

SCIM User Provisioning with SAP Cloud Identity Services - Additional attribute is not included in the provisioning

Abdulbasıt Gülşen 0

Hello,

I'm trying to provision Microsoft Entra ID identities to SAP Cloud Identity Services using the following tutorial:

https://learn.microsoft.com/en-us/entra/identity/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial

It is working fine with default configuration. However, I also want to map Object ID on the source to the following property on the target:

urn:ietf:params:scim:schemas:extension:sap:2.0:User:userUuid

I've added this attribute to the attribute list and added mapping with Object ID.

User's image

When I run the provisioning, this field is not updated on the target system. I've verified this attribute is not included in the payload. I've also verified that target api updates this attribute via Postman.

It looks like this mapping does not have any effect. I've also found the documentation:

https://learn.microsoft.com/en-us/entra/identity/app-provisioning/customize-application-attributes#editing-the-list-of-supported-attributes

which states that:

Applications and systems that support customization of the attribute list include:

Salesforce
ServiceNow
Workday to Active Directory / Workday to Microsoft Entra ID
SuccessFactors to Active Directory / SuccessFactors to Microsoft Entra ID
Microsoft Entra ID (Azure AD Graph API default attributes and custom directory extensions are supported). For more information about creating extensions, see Syncing extension attributes for Microsoft Entra Application Provisioning and Known issues for provisioning in Microsoft Entra ID.
Apps that support SCIM 2.0
Microsoft Entra ID supports writeback to Workday or SuccessFactors for XPATH and JSONPath metadata. Microsoft Entra ID doesn't support new Workday or SuccessFactors attributes not included in the default schema.

According to this documentation, it should be possible to customize the attribute list for apps that support SCIM 2.0.

SAP Cloud Identity Service API is also supporting SCIM 2.0 (https://api.sap.com/api/IdDS_SCIM/overview)

Is there anything I'm missing in the configuration? Any help would be appreciated.

Thanks in advance.

Abdulbasit.

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2024-02-07T07:24:01.8966667+00:00

@Abdulbasıt Gülşen Thank you for reaching out to us and for the detailed description of the issue. Researched on this attribute - urn:ietf:params:scim:schemas:extension:sap:2.0:User:userUuid while referring to this documentation - https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/534356acc0ab4b0e8977ebfb2eb432f7/00df9b8134d04fe496a7144c18c0d4a4.html noticed there is a typo in that attribute in your configuration, from the sap document I see this urn:ietf:params:scim:schemas:extension:sap:2.0:User.userUuid

Request you to make this change and try testing the provisioning again and let me know the results.
Abdulbasıt Gülşen 0 Reputation points

2024-02-07T12:59:30.3233333+00:00

Thanks for the response. It looks like the documentation you are referring is pointing to SAP SuccessFactors identity system. It is using "." instead of ":" for other attributes. I'm using SAP Cloud Identity System and I've already verified this syntax with Postman. In addition, concatenating attribute with name using ":" works fine for my other attributes. You can see on the screenshot below, other attributes are also concatenated with ":" and works fine during sync.

btw, I've changed the attribute just to make sure, unfortunately it doesn't work.

1 answer

Your answer

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2024-02-07T07:24:01.8966667+00:00

@Abdulbasıt Gülşen Thank you for reaching out to us and for the detailed description of the issue. Researched on this attribute - urn:ietf:params:scim:schemas:extension:sap:2.0:User:userUuid while referring to this documentation - https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/534356acc0ab4b0e8977ebfb2eb432f7/00df9b8134d04fe496a7144c18c0d4a4.html noticed there is a typo in that attribute in your configuration, from the sap document I see this urn:ietf:params:scim:schemas:extension:sap:2.0:User.userUuid

Request you to make this change and try testing the provisioning again and let me know the results.
Abdulbasıt Gülşen 0 Reputation points

2024-02-07T12:59:30.3233333+00:00

Thanks for the response. It looks like the documentation you are referring is pointing to SAP SuccessFactors identity system. It is using "." instead of ":" for other attributes. I'm using SAP Cloud Identity System and I've already verified this syntax with Postman. In addition, concatenating attribute with name using ":" works fine for my other attributes. You can see on the screenshot below, other attributes are also concatenated with ":" and works fine during sync.

btw, I've changed the attribute just to make sure, unfortunately it doesn't work.

Answer 1

Givary-MSFT 35,626 Microsoft Employee Moderator

@Abdulbasıt Gülşen Apologies for the delayed response, was able to setup the dev instance of SAP Cloud Identity Systems at my end and tested the above scenario by creating this mapping urn:ietf:params:scim:schemas:extension:sap:2.0:User:userUuid ---> objectGuid

Though the provisioning on demand picks the attribute and shows as updated in the provisioning logs however Global User ID (which is UserUUID) in SAP is not getting updated. User's image

Have you engaged SAP support team to review/debug this issue from their end?

Also, send me an email to 'AzCommunity@microsoft.com' with Sub - Attn: Givary and following details in the email body: Link to this thread/post We can connect offline and discuss further on this.

Abdulbasıt Gülşen 0 Reputation points

2024-02-20T13:43:05.7066667+00:00

@Givary-MSFT Thanks for investigating further. I've reached out to SAP Support in the meantime and they said that this Enterprise Application is not intended to use for provisioning but it should only be used for SSO. All the configurations are done by following the tutorial: https://learn.microsoft.com/en-us/entra/identity/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial

It is really disappointing that this is not mentioned in any part of the documentation, in the application UI etc. It seems that the only way to go is a Custom Enterprise Application, do you think I can achieve this with custom application? Thanks for the help.
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2024-02-23T11:47:50.6433333+00:00

@Abdulbasıt Gülşen Thanks for the update, as you are working with SAP team on this, keep this thread updated with the outcome of this issue, as it would help other community members having similar issue.

Share via

SCIM User Provisioning with SAP Cloud Identity Services - Additional attribute is not included in the provisioning

1 answer

Your answer