SAP Community - SAP Cloud Identity Services

How can assign in Identity Authentication Service IAS bulk users to a group?

2024-04-11T21:02:02.902000+02:00

Hello,

we created groups in Identity Authentication Service IAS.
Now we need to add hundreds of users to these groups.
We found only the option to add users one by one to a group, which is not helpful.

We could import groups via CSV file upload.

But users to a group?

Many Thanks!

Thomas

SAP Cloud Identity Services

IAS/IPS: conditional provisioning business vs. personal email of user

2024-04-17T22:31:29.472000+02:00

Hi all,

I am seeking help for adapting the transformation template script in IPS for the SuccessFactors source system for mapping the IAS user email either from EC user field "email" (Business Email) in case of white-collar or from "custom02" (Personal Email) in case of blue-collar workers (Email types B & P from contact information section are already mapped accordingly for HRIS sync).

I am not good at coding but in pseudo code I was thinking about something like this:

IF user.custom02 (personal email) = NULL
THEN email = user.email (business email)
(here condition for unique IAS user email generation)
IF user.email = NULL || dummy-value
THEN email = ECUserID@dummy.sap
ELSE email = user.custom02

I am not sure if it would work like this... Did anyone face this requirement before or could help with putting this into proper code for the IPS Transformation Template?

I am using IAS SCIM API v2 btw.

Regards,

Andreas

Shadow user in BTP

2024-04-18T11:36:17.711000+02:00

Hello,

What are the possible methods for automatic user provisioning from SAP IAS to SAP BTP while "Create Shadow Users During Logon" option in SAP BTP is deactivated ?

Or do users need to be created manually in SAP BTP in that case?

Many thanks for every tip ?

Best Regards

Can we configure a custom branding of the IAS after login ?

2024-04-18T15:22:47.211000+02:00

I understand that we can customize the login page through a CSS file. However, I would also like to customize the appearance after login.

Activation of IAS

2024-04-19T11:29:19.152000+02:00

Hi Team,

We have Azure setup as the Corporate IDP where users will be logging through Azure via SSO and then redirected to SF via IAS as proxy. There are few consultants who will be logging via Password.

The default Identity Provider is set as Microsoft Azure(Allow users stored in Identity Authentication service to log on was enabled) . When we started to test activation via password user, it directed me to the Azure screen. Deleted cookies but still same behavior. I had to switch the default identity provider to "Identity Authentication" then it worked( We have conditional authentication rule setup- 1 as PWD and other as SSO). Later to test activation for SSO users, had to set the identity provider back to Azure. Just want to check is this expected behavior.

Please share if anyone has experienced this issue and is normal behavior.

Thanks

Regards

Vidya

SAP IAS - Password Synchronisation with Active Directory

2024-04-22T20:37:47.984000+02:00

Hello all,
Is it possible to sync passwords between IAS and Active Directory?
I have a scenario under which users can authenticate using the SPNEGO mechanism: however, in case the kerberos token is not available, they should be able to log-in via Username and Password, using the same password that they use to authenticate via AD.

I was not able to find anything in the documentation that reflects a similar scenario.

Any hint?
Best,
Roberto.

putNextEntry failed storing SPML.SAPUSER

2024-04-23T07:08:19.985000+02:00

Hi All,

I'm getting "putNextEntry failed storing SPML.SAPUSER" Error while reprocessing the user failed privilege.
User account attribute is correctly set in IDM and as mentioned in
https://community.sap.com/t5/technology-q-a/unable-to-reprocess-the-failed-role/qaq-p/11322380#feedback-error

the privilege is not orphan, could you please help where I'm missing to check.

Thanks & Regards,
Laxmi

SAP Application User provision based on Application Role via Entra ID

2024-04-23T17:22:07.846000+02:00

Hi Team,

As SAP IDM is expected to retire soon in the coming years, wanted to know possibility of it being replaced by Entra ID ( azure AD).

SAP IDM and SAP applications including security components - SAP GRC and IAG are very well integrated with each other as they are a part of same family.

Wanted to know if Entra ID can replace SAP IDM , with respect to tasks like :

1. Informing SAP IPS system to provision users to target application based on approval/deny event from SAP GRC or SAP IAG.

Is this possible with Entra Id ? How does the SAP Application role information flow from SAP GRC / IAG to Entra ID is it even possible ?

SAP Cloud Identity Services - Identity Authentication with sap ecc

2024-04-24T11:09:42.807000+02:00

Hy all,

is it possibile tu use SAP Cloud Identity Services - Identity Authentication with sap ecc?Our customer has a ecc system that use as fiori gateway for a S/4 hana system.

It's possibile to implement 2fa with SAP Cloud Identity Services - Identity Authentication and Delegate Authentication to a a 3rd party or on-premise IdP(entra ID in thsi case) for fiori in this situation?

Kind regards

OIDC configuration in S/4

2024-04-29T15:54:08.577000+02:00

We are in process of configuring SSO for SAP Fiori Apps.

We are using Ping ID as corporate identity provider and using BTP IAS as proxy host. Ping Id is OIDC compliant and we have used OIDC protocol for this configuration.

Configuration between BTP IAS and Ping is completed. Below are queries for configuration of s/4 application in BTP IAS:

1) Can we add S/4 system as SAML2.0 protocol? will that work for configuring SSO with Ping ID as we have configured PingID as OIDC protocol at BTP IAS.

2) If point 1 do not work, is there any document available of configuration of s/4 application in BTP IAS as OIDC protocol? what all configuration do I need to do in s/4 system for this?

Regards,

Chadresh.

providing IAS authentication through cloud identity service for UI5 MTA app

2024-04-30T20:10:11.395000+02:00

Hi,
I have created a sap ui5 MTA(multi target application) with stand alone app router. its having mta-approuter(router), mta-ui(ui5 app), xs-security.json, mta.yml etc..
mta-approuter is having xs-app.json file which is pointing to mta-ui as the welcome file and authentication as 'route'. mta-ui as well having another xs-app.json file which is having the default route pointing to html5-repo-rt and 'xsuaa' as authentication type.
I have deployed this app to CF and on running the app from CF its working good.

Now I wanted to try out cloud identity services which provides IAS authentication. So i have created an IDP in my trial account. then inside my mta-ui's 'xs-app.json' i have changed authentication type from 'xsuaa' to 'ias' .

And in my mta.yml i have added a identity service in the required section of app router and defined it in resource section as well.

Now I have deployed it to CF. On try running the app I am getting the below error. even i tried enabling third party cookies.

my expectation is same like default IDP with cloud identity services as well SSO works smoothly.

Can you please help me what am i missing?

PFA details of app/trial account.

Thank in Advance.

SF Employment Type replication to IAS user store

2024-04-30T23:27:19.016000+02:00

Hey all,

There's a requirement on bringing the employment type field from SF to user attribute in IAS user store? Is this possible?

Currently on API v2 / SCIM API

Automatic assignment to groups in IAS

2024-05-01T03:24:05.411000+02:00

We would like to automatically assign users to groups in IAS, based on an attribute that we can provision from SF to IAS through IPS. Question is: is it possible? Should it be done through transformation rules at IPS level?

------------------------------------------------------------------------------------------------------------------------------------------------
Learn more about the SAP Support user and program here.

Is activation of US language a requirement/prerequisite for IAS/IPS?

2024-05-03T11:06:30.031000+02:00

Today we only have English UK and French in all our instance. We are also planning to activate the English US language and the IAS/IPS. I wonder if there is connection between the two i.e. the language should be activated first before IAS/IPS?

Establishing Trust with Custom Identity Provider for Platform Users failed

2024-05-10T10:14:21.496000+02:00

Hi community,

I am trying to establish trust between my BTP global account (trial) with a custom IAS tenant by following the document below:

https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-of-custom-identity-providers-for-platform-users?locale=en-US

I have subscribed to Cloud Identity Services and my user has been added to it as an administrator.

When I tried to establish trust, I got the following error:

Please reference the correlation ID d61ffe82-fb25-459e-7c9f-bb5a116def62 in the support ticket

I searched for the correlation ID in IAS Troubleshooting Logs, but nothing was found.

At subaccont level, I would be able to manually establish trust by exporing and importing metadata, but in global account, I don't see an option to download metadata. Is there any workaround or resolution for this issue?

Destination Service failed after deployment - Cloud Foundry

2024-05-12T19:05:43.254000+02:00

Hello,

After re-deploying MTA application on BTP I encountered the following error :

"Updating service "*-destination-service" failed: Service broker error: Service broker destination-service-broker failed with: Failed to update the destination service instance with the user provided configuration."

What could be the cause of it?

Risk Based Authentication in SAP CIS

2024-05-14T09:58:34.607000+02:00

Hi Experts,

I am trying to configure RBA in SAP CIS for restricting the access of application limited to series of IP addresses (internal to a network).

While configuring the RBA, there are 2 options one is IP Range and another is Forwarded IP range.

As per the documentation, we need to provide IP range in the IP range field to define a range of IP addresses that authentication requests to Identity Authentication can be sent from. And for Forwarded IP range field, we need to define a range of IP addresses for the original IP addresses that authentication requests to Identity Authentication can be sent from. This range is used in conjunction with IP Range in scenarios where authentication requests to Identity Authentication are made by a proxy on-behalf of the user/client. And for this IP Range field needs to be defined first.

So, the question here is, if I need to limit the access to IP address which are specific to intranet (internal network IP addresses), do I still need to define public IP address range from where application would be accessed. For example, if I am defining a rule with allow authentication action and in IP Range field in I am providing internal IP address range like 10.21.0.0/16 and then try to access the application. It is not allowing me to access it and gives me error message.

However, when I insert the public IP address of my machine with CIDR range in the IP Range field I am able to access the application. So does it mean that I need to provide public IP address range in IP Range field and Internal IP address range in Forwarded IP range field for this scenario to work.

Working inputs:

Not working inputs:

Let me know how it works and any hints of how it can be configured.

Thanks

IPS only provision entity, if user logged into another system

2024-05-15T14:10:11.360000+02:00

Hi all,

I received the requirement to provision users from AzureAD to SAP Enable Now, which should be pretty straight forward as far as I know.
But now I got asked, if it is possible to only provision users to SAP Enable Now, if they, at least once, logged in to SAP Concur. The thought process behind all that is, that we might save some licences, if only the employees, who actually work with SAP Concur are provisioning, instead of every employee of the company.

Now I have two questions.

1. Generally speaking, is it possible, to only provision from a source system to a target system, if they logged into another system, which is neither source nor target?

2. If this is possible, how would I check for this in a condition?

I feel like this won't be possible, because inside the source system transformation, you can only access the user's attributes of AzureAD and i'm pretty sure that there's no attribute to check, if a user has logged into a specific system or not.

Any help would be greatly appreciated.

Prevent of simultaneous login with a single user account

2024-05-16T03:36:22.046000+02:00

Hello,

We have set up IAS and then configured SSO with Azure. The client requirement is to prevent multiple simultaneously logins with the same user account from different browsers. We are trying to set up this in IAS with no success.

We cannot find any setting in order to set up this.

Kind regards,

Azure user group replacement

2024-05-17T16:10:09.545000+02:00

Hello Experts,

We are having Azure as a Source System and IAS as the target system. We are replicating the user data from Azure Environment to the IAS. We use both the User and Group mapping transformation.

The job is working fine and we are able to fetch the data and write into the target system.

The challenge what I have is, I need to transform a specfic User Group to a different value.

I have written the transformation code in my TARGET SYSTEM (IAS) as follows.

The two blocks are found under the User Group section.

I have checked with the 'Validate' function and it is just converting it into UpperCase and replacement function doesn't function at all.

Does anyone have an idea about what i am missing here

Input : Abcd

Output : ABCD

Transformation

{
"sourcePath": "$.displayName",
"targetPath": "$.displayName",
"functions": [
{
"function": "replaceString",
"target": "Abcd",
"replacement": "SAP_CBC_CONSUMPTION_AUDITOR"
},
{
"function": "toUpperCaseString",
"locale": "en_EN"
}
]
}

{
"sourcePath": "$.displayName",
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
"scope": "createEntity",
"functions": [
{
"function": "replaceString",
"target": "Abcd",
"replacement": "SAP_CBC_CONSUMPTION_AUDITOR"
},
{
"function": "toUpperCaseString",
"locale": "en_EN"
}
]