Unknown Schema Property when using Azure Active Directory User Provisioning to SAP IAS (Identity Authentication Service)

Question

Unknown Schema Property when using Azure Active Directory User Provisioning to SAP IAS (Identity Authentication Service)

Fechter Florian 26

Hey Guys,

I'm sorry if the question was already answered anywhere else, but I couldn't fine one.
My setup is a SAP IAS System on one side, that should get the users, and an Azure AD on the other side, that knows the user that should be provisioned.
With the SSO I had no problems to configure. (Works like it should ^^)
But when I try to define the provisioning of the users, I always get the same error:
{ "status" : "400", "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:Error" ], "detail" : "Invalid user attribute: urn:sap:cloud:scim:schemas:extension:custom:2.0:User" }
I found the root cause, but I don't know how to solve it.
Basically, the IAS has a schema called "urn:sap:cloud:scim:schemas:extension:custom:2.0:User" and it includes the custom user attributes (customAttribute1 - customAttribute10).
When setting up the provisioning, the "default" mapping already knows these attributes and suggests when adding a new mapping. But if you want to fill/map them, you need to add the schema to the "schemas" field within the scim-create-user-request like this:
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"urn:sap:cloud:scim:schemas:extension:custom:2.0:User"
],
"userName": "max.test@GN .com",
"id": "49be12a95674jh363211",
"externalId": "tmax",
"name": {
"familyName": "Test",
"givenName": "Max"
},
"emails": [
{ "type": "work", "value": "max.test@GN .com" }
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"Manager": "49be12a95674jh363211"
},
"urn:sap:cloud:scim:schemas:extension:custom:2.0:User":{
"attributes": [{"name":"customAttribute1", "value": "1"}]
}
}
I understand that azure ad asks you to provide them in the format "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:CustomAttribute"(source)
But since it provides a template for connecting to a SAP IAS System, I assumed that should work anyway.
After that I tried to solve it by removing the attributes from the "attribute list for SAP Cloud Platform Identity Authentication Service" within the Azure AD Enterprise App, apparently the Provisioning Service still tries to send them resulting in the same error.
I would very be happy if we could solve the problem. (Otherwise, I need to use the Provisioning Service from SAP)

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2022-05-11T02:48:57.81+00:00

Hi @Fechter Florian , do you have SAP IAS SCIM documentation that we can use in order to replicate your setup?
Fechter Florian 26 Reputation points

2022-05-12T11:34:55.61+00:00

Hey @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA ,
thanks for your support.
You can check the API Documentation here: https://api.sap.com/api/IAS_SCIM/overview (includes only little information about the API) or the other one https://api.sap.com/api/IdDS_SCIM/resource.
But if you send a sample request to an environment:
.
You see that the response includes the custom attribute Schema.
If you just wanted an overview over the schemas, I'll attach one exported ones from our System:
201349-alluserschemasjson.txt

1 answer

Your answer

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2022-05-11T02:48:57.81+00:00

Hi @Fechter Florian , do you have SAP IAS SCIM documentation that we can use in order to replicate your setup?
Fechter Florian 26 Reputation points

2022-05-12T11:34:55.61+00:00

Hey @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA ,
thanks for your support.
You can check the API Documentation here: https://api.sap.com/api/IAS_SCIM/overview (includes only little information about the API) or the other one https://api.sap.com/api/IdDS_SCIM/resource.
But if you send a sample request to an environment:
.
You see that the response includes the custom attribute Schema.
If you just wanted an overview over the schemas, I'll attach one exported ones from our System:
201349-alluserschemasjson.txt

Answer 1

Fechter Florian 26

Hey Guys,
I found the solution for my problem while researching the information for @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA .
So the problem was that there are these two APIs available for the IAS:

https://api.sap.com/api/IAS_SCIM (https://IAS-host/service/scim)
https://api.sap.com/api/IdDS_SCIM (https://IAS-host/scim)
And the false assumption on my side was to use the .../scim that includes more information, but apparently the Azure AD can not work with it.
So I switched to .../service/scim, and it worked (for one of both my test-users :D )
I'll mark is as solved as soon as I can provision both users.

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2022-05-12T18:02:25.097+00:00

Great news @Fechter Florian ! Now, after a speedy reviewal of SAP documentation seems that https://api.sap.com/api/IAS_SCIM is deprecated and being replaced by https://api.sap.com/api/IdDS_SCIM. Can you please query the schemas available for he latter?

curl --request GET --url "https://{tenant}.{host}/scim/Schemas" --header "Accept: */*" --header "DataServiceVersion: 2.0"
Fechter Florian 26 Reputation points

2022-05-13T10:51:22.243+00:00

No problem @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA . I appended the response. Fyi. I had to replace the Tenant Id, but that shouldn't be a problem.
If there is anything else you need, don't hesitate to write me. ^^

201747-idds-scimschemasjson.txt

Share via

Unknown Schema Property when using Azure Active Directory User Provisioning to SAP IAS (Identity Authentication Service)

1 answer

Your answer