SNI with employee-ID

take95 20 Reputation points
2025-02-14T13:44:57.8933333+00:00

Hello Experts

I have configured Azure as IdP, SAP IAS (Cloud Identity Services) as a Proxy, and SAC as the Cloud Application.

Below are my current configurations:

  • Azure Configuration: NameID is set to user.employeeid.
  • IAS Configuration: Subject Name Identifier is set to Corporate Identity Provider = employeeid.
  • SAC Configuration: The USER ID field is populated with the Employee ID, and the SAML Configuration is set to USER ID

When a user logs in to SAC, they enter their email address and are successfully identified in Azure. However, the user is not identified in SAC and an error occurred.

Here’s the issue:

  1. When a user logs in to SAC, they enter their email address, and they are successfully identified in Azure.
  2. The employee ID is sent from Azure to IAS: (SAML-Tracer): ``
  3. The employee ID is sent from IAS to SAC: ``

However, in SAC, the user is not identified, and I receive an error message that the account is not active.

I haven't been able to make progress with SAP's notes.

What might be wrong with my configuration?

Could this issue be related to Azure?

Many Thanks

Azure Data Factory
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Entra | Other

1 answer

  1. Pinaki Ghatak 5,600 Reputation points Microsoft Employee Volunteer Moderator
    2025-02-17T10:58:48.7233333+00:00

    Hello @take95

    The error message you are receiving indicates that the account is not active in SAC.

    Based on the configurations you provided:

    • Azure Configuration: NameID is set to user.employeeid.
    • IAS Configuration: Subject Name Identifier is set to Corporate Identity Provider = employeeid.
    • SAC Configuration: The USER ID field is populated with the Employee ID, and the SAML Configuration is set to USER ID.

    The issue might be related to how the Employee ID is being passed between Azure, IAS, and SAC. Here are a few things you can check to troubleshoot the problem:

    1. Check Attribute Mapping: Ensure that the Employee ID attribute is correctly mapped and passed through the SAML assertions from Azure to IAS and then to SAC.
    2. User Provisioning: Make sure that the user account associated with the Employee ID is active and provisioned in SAC. Sometimes, inactive accounts can lead to such errors.
    3. SAML Response: Verify the SAML response at each step to see if the Employee ID is being correctly included in the response.
    4. Error Logs: Check the error logs in SAC for more detailed information about why the account is not being identified.

    If you are unable to make progress with SAP's notes, you may need to review the SAML configurations in Azure, IAS, and SAC to ensure consistency in attribute mappings and data flow.

    Additionally, you can reach out to SAP support for further assistance in troubleshooting the issue. I hope this helps you identify the root cause of the problem. If you need further assistance or clarification, feel free to ask. Our team is here to help you.

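One way to carry out the "verify the SAML response at each step" check from the answer above, as an added example that is not part of the original thread: it reads the Subject NameID from the decoded SAML responses (as copied from SAML-tracer) for both hops and compares each with the user ID stored in SAC. The sample responses, the employee ID value, the helper names and the exact-match comparison are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

def subject_name_id(saml_xml: str) -> tuple[str, str]:
    """Return (NameID text, Format attribute) from a decoded SAML response."""
    # SAML messages never need a DTD; refuse one instead of expanding entities.
    if "<!DOCTYPE" in saml_xml or "<!ENTITY" in saml_xml:
        raise ValueError("DTD/entity declarations are not expected in SAML")
    node = ET.fromstring(saml_xml).find(".//saml:Subject/saml:NameID", NS)
    if node is None:
        raise ValueError("no Subject/NameID found (assertion may be encrypted)")
    return (node.text or "", node.get("Format", ""))

def check_hops(hops: dict[str, str], sp_user_id: str) -> list[str]:
    """Compare the NameID seen at each hop with the user ID held by the SP."""
    findings, values = [], {}
    for hop, xml in hops.items():
        value, _fmt = subject_name_id(xml)
        values[hop] = value
        if value != sp_user_id:
            # Assumption: the SP matches the identifier exactly, so a
            # case or whitespace difference is reported separately.
            same_folded = value.strip().casefold() == sp_user_id.strip().casefold()
            kind = "case/whitespace only" if same_folded else "different value"
            findings.append(f"{hop}: NameID {value!r} != user ID {sp_user_id!r} ({kind})")
    if len(set(values.values())) > 1:
        findings.append(f"NameID changes between hops: {values}")
    return findings

def sample_response(name_id: str, fmt: str = UNSPECIFIED) -> str:
    """Build a minimal, unsigned SAML response (constructed sample data)."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        f'<saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID>'
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )

# Constructed traces: the proxy hop lower-cases the identifier.
SAMPLE_HOPS = {
    "Azure->IAS": sample_response("E001234"),
    "IAS->SAC": sample_response("e001234"),
}

if __name__ == "__main__":
    for line in check_hops(SAMPLE_HOPS, "E001234"):
        print(line)
```

An empty result means the identifier arrived unchanged at every hop, which points the investigation at the account's status in SAC rather than at the attribute mapping.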
