Unknown Schema Property when using Azure Active Directory User Provisioning to SAP IAS (Identity Authentication Service)

Fechter Florian 6 Reputation points
2022-04-28T10:59:18.383+00:00

Hey Guys,

I'm sorry if the question was already answered anywhere else, but I couldn't fine one.
My setup is a SAP IAS System on one side, that should get the users, and an Azure AD on the other side, that knows the user that should be provisioned.
With the SSO I had no problems to configure. (Works like it should ^^)
But when I try to define the provisioning of the users, I always get the same error:
{ "status" : "400", "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:Error" ], "detail" : "Invalid user attribute: urn:sap:cloud:scim:schemas:extension:custom:2.0:User" }
I found the root cause, but I don't know how to solve it.
Basically, the IAS has a schema called "urn:sap:cloud:scim:schemas:extension:custom:2.0:User" and it includes the custom user attributes (customAttribute1 - customAttribute10).
When setting up the provisioning, the "default" mapping already knows these attributes and suggests when adding a new mapping. But if you want to fill/map them, you need to add the schema to the "schemas" field within the scim-create-user-request like this:
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"urn:sap:cloud:scim:schemas:extension:custom:2.0:User"
],
"userName": "max.test@GN .com",
"id": "49be12a95674jh363211",
"externalId": "tmax",
"name": {
"familyName": "Test",
"givenName": "Max"
},
"emails": [
{ "type": "work", "value": "max.test@GN .com" }
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"Manager": "49be12a95674jh363211"
},
"urn:sap:cloud:scim:schemas:extension:custom:2.0:User":{
"attributes": [{"name":"customAttribute1", "value": "1"}]
}
}
I understand that azure ad asks you to provide them in the format "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:CustomAttribute"(source)
But since it provides a template for connecting to a SAP IAS System, I assumed that should work anyway.
After that I tried to solve it by removing the attributes from the "attribute list for SAP Cloud Platform Identity Authentication Service" within the Azure AD Enterprise App, apparently the Provisioning Service still tries to send them resulting in the same error.
I would very be happy if we could solve the problem. (Otherwise, I need to use the Provisioning Service from SAP)

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,447 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Fechter Florian 6 Reputation points
    2022-05-12T11:41:53.087+00:00

    Hey Guys,
    I found the solution for my problem while researching the information for @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA .
    So the problem was that there are these two APIs available for the IAS:

    • https://api.sap.com/api/IAS_SCIM (https://IAS-host/service/scim)
    • https://api.sap.com/api/IdDS_SCIM (https://IAS-host/scim)
      And the false assumption on my side was to use the .../scim that includes more information, but apparently the Azure AD can not work with it.
      So I switched to .../service/scim, and it worked (for one of both my test-users :D )
      I'll mark is as solved as soon as I can provision both users.
    1 person found this answer helpful.