Symptom
Environment
Reproducing the Issue
Log on at the S/4HANA Cloud tenant URL: the logon is not redirected to the IDP (Identity Provider) tenant and the user cannot log on.
Cause
- Wrong user mapping between the S/4HANA Cloud tenant and the IDP tenant (the S/4HANA user name does not match the IDP login name).
- Wrong SAML 2 configuration in the IDP admin tenant (Subject Name Identifier attribute or Default Name ID Format).
Resolution
Scenario A: Wrong User Mapping Between S/4HANA Tenant and IDP Tenant
- Open the Maintain Business Users app in the S/4HANA tenant (myxxxx.s4hana.ondemand.com).
- Check the User Name field of the affected user in Maintain Business Users; the user name is, for example, CB12345.
- Open the User Management app in the IDP admin tenant (https://xxxxxx.accounts.ondemand.com/admin).
- Check the Login Name field of the same user in User Management.
- The login name here must be CB12345.
- The login name in the IDP admin tenant must always be identical to the user name in the S/4HANA tenant, because the IDP sends the login name as the SAML NameID and S/4HANA maps it to the user name. In this example both are CB12345.
Scenario B: Wrong Subject Name Identifier Option Maintained in IDP Admin Tenant
- Go to the IDP admin tenant (https://xxxxxx.accounts.ondemand.com/admin).
- Go to Applications & Resources -> Applications -> select your Test/PRD tenant (myxxxx.s4hana.ondemand.com).
- Open the tenant entry and check that Subject Name Identifier is set to the attribute value Login Name.
Scenario C: Wrong Default Name ID Format Option Maintained in IDP Admin Tenant
- Also check that Default Name ID Format is set to Unspecified.
- If a third-party SSO tool such as ADFS is used as the identity provider, the same setting can be verified in a SAML trace as follows.
- Collect a SAML trace of the failed logon as described in KBA 2461862 - Collecting SAML traces with Chrome or Firefox.
- Open the captured SAML response in the SAML tracer tool.
- The relevant part of the decoded response looks like the excerpt below.
- The NameID Format must always be unspecified, as shown in the excerpt. If the trace shows a different Format value, change the Name ID format in the identity provider to unspecified.
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Username</NameID>
<AttributeStatement>
  <Attribute Name="mail">
    <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="xs:string">xxxx@xxx.com</AttributeValue>
  </Attribute>
</AttributeStatement>
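The two trace checks above (Scenario C: NameID Format is unspecified; Scenario A: the NameID value equals the S/4HANA user name) can be applied to a captured SAML response automatically. The following Python script is an added example and is not part of this KBA or of any SAP tool. The SAML response it parses is a constructed sample modelled on the excerpt above, using the same placeholders (CB12345, xxxxxx.accounts.ondemand.com, xxxx@xxx.com); the function names are the author's own.

```python
import base64
import xml.etree.ElementTree as ET

# Name ID format that S/4HANA Cloud expects (Scenario C of the KBA).
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def build_sample_response(name_id_format, name_id_value):
    """Constructed sample, not a real trace: a minimal SAML Response shaped
    like the decoded SAMLResponse parameter that the SAML tracer displays.
    Hostnames and user names are the placeholders used in the KBA."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_response1" Version="2.0">
  <saml:Assertion ID="_assertion1" Version="2.0">
    <saml:Issuer>https://xxxxxx.accounts.ondemand.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{name_id_format}">{name_id_value}</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>xxxx@xxx.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_saml_response(xml_text):
    """Base64 form of the SAMLResponse POST parameter (what the browser sends)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_response(value):
    """Accept either raw XML (tracer's SAML tab) or the base64 SAMLResponse
    parameter (tracer's Parameters tab) and return the XML text."""
    text = value.strip()
    if text.startswith("<"):
        return text
    return base64.b64decode(text).decode("utf-8")


def extract_name_id(xml_text):
    """Return (Format attribute, text value) of the first <NameID> element.
    Matches on the local name so that a full Response, a bare Assertion, or
    an un-prefixed excerpt pasted from the tracer all work."""
    root = ET.fromstring(xml_text)
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] == "NameID":
            return element.get("Format"), (element.text or "").strip()
    raise ValueError("no <NameID> element found in the SAML payload")


def check_name_id(saml_response, expected_user_name):
    """Apply the two KBA checks and return a list of findings; an empty list
    means the assertion subject is correct for S/4HANA Cloud.
      Scenario C: NameID Format must be the 1.1 'unspecified' URN.
      Scenario A: NameID value must equal the user name shown in Maintain
                  Business Users (which must equal the IDP login name).
    The comparison is exact and case-sensitive."""
    fmt, value = extract_name_id(decode_saml_response(saml_response))
    findings = []
    if fmt != UNSPECIFIED:
        findings.append(
            f"Scenario C: NameID Format is {fmt!r}, expected {UNSPECIFIED!r}")
    if value != expected_user_name:
        findings.append(
            f"Scenario A: NameID value {value!r} does not match the S/4HANA "
            f"user name {expected_user_name!r}")
    return findings


if __name__ == "__main__":
    good = build_sample_response(UNSPECIFIED, "CB12345")
    # Misconfigured IdP: e-mail address issued as NameID with the emailAddress format.
    bad = build_sample_response(
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "xxxx@xxx.com")
    for label, response in (("login name, unspecified", good), ("e-mail NameID", bad)):
        print(label, "->", check_name_id(response, "CB12345") or ["OK"])
```

Paste either the decoded XML from the tracer's SAML tab or the raw base64 SAMLResponse parameter into check_name_id together with the user name from Maintain Business Users. Two caveats: xml.etree is not hardened against hostile XML (entity expansion, very large documents), so only parse traces you captured yourself; and this script is a configuration diagnostic only. It does not verify the assertion signature, issuer or audience, which the S/4HANA tenant still enforces regardless of what this check reports.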
Keywords
Unable to Login, Production System is not available, Blue screen is coming after login, Identity Provider, SAML2 Trace, KBA, XX-S4C-OPR-INC, S/4HANA Cloud Availability, Performance and Administration, How To