SAP Knowledge Base Article - Public

2818741 - Users are unable to login to the S/4HANA Cloud System

Symptom

  •  The user is not able to log in to the system.
  •  A Blue Flower screen appears after login.

Environment

S/4HANA Cloud (All versions)

Reproducing the Issue

Try to log in via the URL; it does not redirect to the IDP (Identity Provider) tenant.

Cause

  •   Wrong user mapping between the S/4HANA Cloud tenant and the IDP tenant.
  •   Wrong SAML 2 configuration in the IDP Admin tenant.

Resolution

Scenario A: Wrong User Mapping Between S/4HANA Tenant to IDP Tenant

  1. Go to the Maintain Business User app in the S/4HANA tenant (myxxxx.s4hana.ondemand.com).
  2. Check the User Name field in the Maintain Business User app; in this example the user name is CB12345.
  3. Go to the User Management app in the IDP Admin tenant (https://xxxxxx.accounts.ondemand.com/admin).
  4. Check the Login Name field in the User Management app in the IDP Admin tenant.
  5. The login name here should be CB12345.
  6. The login name and the user name must always be the same in the S/4HANA tenant and the IDP Admin tenant.
  7. The login name equals the user name: in this case the login name is CB12345 and the user name should be CB12345.


Scenario B: Wrong Subject Name Identifier option maintained in IDP admin Tenant

  1. Go to the IDP Admin tenant (https://xxxxxx.accounts.ondemand.com/admin).
  2. Go to Application & Resources -> Applications -> select your Test/PRD tenant (myxxxx.s4hana.ondemand.com).
  3. Click on the tenant and check that the Subject Name Identifier attribute value is set to Login Name.

Scenario C: Wrong Default Name ID format option maintained in IDP admin Tenant

  1. Check that the Default Name ID Format value is also set to unspecified.
  2. If you are using a third-party SSO tool such as ADFS, you can also check this with the following steps:
     1. Get a SAML trace of the issue (see 2461862 - Collecting SAML traces with Chrome or Firefox).
     2. Open the SAML2 trace in the SAML2 tracer tool.
     3. Once the SAML2 trace is open, the output looks like the format shown below.
     4. Check that the NameID Format is unspecified, as shown in the log; if you see any difference, change it to unspecified.

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Username</NameID>

<AttributeStatement>
<Attribute Name="mail">
<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">xxxx@xxx.com</AttributeValue>
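
An added example, not part of the SAP article: a Python check for the NameID conditions from Scenarios A and C, run over a decoded SAML response copied from the trace. The function names and the sample response are assumptions made for this illustration; the sample XML is constructed and unsigned.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def check_name_id(saml_xml, expected_user):
    """Return a list of findings; an empty list means the NameID is as the KBA requires."""
    # A SAML message never needs a DTD; refuse it rather than hand it to the parser.
    if "<!DOCTYPE" in saml_xml or "<!ENTITY" in saml_xml:
        return ["refusing to parse: document contains a DTD"]
    root = ET.fromstring(saml_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["no NameID found in an assertion Subject"]
    findings = []
    fmt = name_id.get("Format")
    if fmt != UNSPECIFIED:
        findings.append(f"NameID Format is {fmt!r}, expected {UNSPECIFIED!r}")
    value = (name_id.text or "").strip()
    if value != expected_user:
        findings.append(f"NameID value {value!r} differs from user name {expected_user!r}")
    return findings


def sample_response(fmt, value):
    """Constructed, unsigned SAML response used only to exercise the check."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion><saml:Subject>"
        f'<saml:NameID Format="{fmt}">{value}</saml:NameID>'
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )


if __name__ == "__main__":
    # First sample matches the KBA; second uses an e-mail NameID and fails both checks.
    for fmt, value in [(UNSPECIFIED, "CB12345"), (EMAIL, "user@example.com")]:
        result = check_name_id(sample_response(fmt, value), "CB12345")
        print(value, "->", result or "OK")
```

Pass the decoded response from the trace as saml_xml and the user name from the Maintain Business User app as expected_user.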

Keywords

Unable to Login, Production System is not available, Blue screen is coming after login, Identity Provider, SAML2 Trace, KBA, XX-S4C-OPR-INC, S/4HANA Cloud Availability, Performance and Administration, How To

Product

SAP S/4HANA Cloud all versions