Wednesday, February 3, 2016

2249697 - User SAML mapping attribute not provisioned to HANA system

Symptom
  • You are using the standard SAP Provisioning Framework HANA connector.
  • Attributes MX_SAML_ENABLED and MX_SAML_MAPPING (correct format is <provider name>= =<external identity>) have been defined properly for a user.
  • Attributes samlEnabled and samlIdentity have been enabled in the corresponding plugin task/process pass destination (this is the default setting).
  • After provisioning, no SAML mapping value of the user is provisioned to the HANA system.
  • No error is shown in the plugin task/process job log.


Environment
  • SAP Identity Management 8.0
  • SAP NetWeaver Identity Management 7.2


Reproducing the Issue
  1. Define attributes MX_SAML_ENABLED and MX_SAML_MAPPING properly for a user.
  2. Use the SAP Provisioning Framework HANA connector to provision (create or modify) the user to a HANA system.


Cause
When provisioning the SAML mapping attribute, the HANA connector also verifies the defined MX_SAML_MAPPING value <provider name>= =<external identity>. The <provider name> must be an entry of type MX_SAML_PROVIDER, and that entry must have the attribute MX_SAML_TARGET_SYSTEM defined, whose value should be the current repository name. You can check the entry type of <provider name> in the DB view idmv_entry_simple, and all of its attribute values in the view idmv_vallink_ext.
All of this should be set up automatically by the standard HANA initial load job, so the issue can occur when the initial load job did not load the current SAML provider information properly from the HANA system.
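
The two view lookups described above can be run as a single diagnostic. The following is an added example, not code from the SAP Note or the connector: it runs against constructed rows in an in-memory SQLite database. The column names (mcMSKEY, mcMSKEYVALUE, mcEntryType, mcAttrName, mcValue), matching the provider name against mcMSKEYVALUE, the separator handling, and the sample names IDP_A to IDP_C and HANA_REPO are assumptions to verify against your own identity store.

```python
import re
import sqlite3

def check_saml_mapping(conn, mapping, repository):
    """Return 'ok' or the first precondition from the Cause section that fails."""
    # Assumption: the separator is two '=' signs, with or without a space between.
    parts = [p.strip() for p in re.split(r"=\s*=", mapping, maxsplit=1)]
    if len(parts) != 2 or not all(parts):
        return "MX_SAML_MAPPING does not split into provider name and external identity"
    provider = parts[0]
    # Assumption: the provider name is stored as the entry's mcMSKEYVALUE.
    row = conn.execute(
        "SELECT mcMSKEY, mcEntryType FROM idmv_entry_simple WHERE mcMSKEYVALUE = ?",
        (provider,),
    ).fetchone()
    if row is None:
        return f"no entry named {provider!r}"
    mskey, entry_type = row
    if entry_type != "MX_SAML_PROVIDER":
        return f"{provider!r} has entry type {entry_type}, not MX_SAML_PROVIDER"
    targets = [r[0] for r in conn.execute(
        "SELECT mcValue FROM idmv_vallink_ext "
        "WHERE mcMSKEY = ? AND mcAttrName = 'MX_SAML_TARGET_SYSTEM'",
        (mskey,),
    )]
    if repository not in targets:
        return f"{provider!r} has MX_SAML_TARGET_SYSTEM {targets}, expected {repository!r}"
    return "ok"

def sample_db():
    """Constructed rows standing in for the two views (not real system data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE idmv_entry_simple (mcMSKEY, mcMSKEYVALUE, mcEntryType)")
    conn.execute("CREATE TABLE idmv_vallink_ext (mcMSKEY, mcAttrName, mcValue)")
    conn.executemany("INSERT INTO idmv_entry_simple VALUES (?, ?, ?)", [
        (1, "IDP_A", "MX_SAML_PROVIDER"),  # loaded correctly by the initial load
        (2, "IDP_B", "MX_SAML_PROVIDER"),  # target system attribute missing
        (3, "IDP_C", "MX_PRIVILEGE"),      # wrong entry type
    ])
    conn.execute(
        "INSERT INTO idmv_vallink_ext VALUES (1, 'MX_SAML_TARGET_SYSTEM', 'HANA_REPO')")
    return conn

if __name__ == "__main__":
    db = sample_db()
    for m in ("IDP_A==jdoe", "IDP_B= =jdoe", "IDP_C==jdoe", "IDP_X==jdoe", "jdoe"):
        print(m, "->", check_saml_mapping(db, m, "HANA_REPO"))
```

Any result other than "ok" for a user's mapping points to provider data that the initial load passes listed under Resolution should recreate.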


Resolution
Make sure your HANA initial load job has been executed successfully, especially the following passes:
  • Read SAP HANA SAML providers
  • Create SAP HANA SAML providers
You can also copy these two passes to your own job and execute it (run the two passes again) for the corresponding HANA repository, so that it will load the current information again from the HANA system.


Keywords
SAML identity provider, create user plugin.



Header Data

Released On 26.11.2015 08:21:59
Release Status Released to Customer
Component BC-IAM-IDM Identity Management
Priority Normal
Category Problem
