SAML2: Format 'emailAddress' is not supported for user assignment

You are setting up SAML2 authentication on SAP NetWeaver ABAP and, while testing the logon, the following error is captured:

SAML20 SP (client 123 ):  Exception raised:
SAML20  SAML20 CX_SAML20_FEDERATION: Format 'emailAddress' is not supported 
for user assignment. Long text: Format 'emailAddress' is not supported for user assignment. 
SAML20     at CL_SAML20_ENTITY->IS_NAMEID_FORMAT_SUPPORTED(Line 61)
SAML20     at CL_SAML20_FEDERATION->CREATE_INSTANCE(Line 56)
SAML20     at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 82)
SAML20     at CL_SAML20_RESPONSE->VALIDATE(Line 64)
SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 91)
SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 350)
SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2296)

Solution

As stated in SAP Note 2574530 (SAML2.0: Format 'transient' or 'emailaddress' is not supported for user assignment), the cause is as follows:

The error occurs because the Identity Provider (IdP) sends the 'transient' name ID format, but the SAP system (the Service Provider) does not have that format configured for user assignment.
The same error occurs for any name ID format the IdP sends that is not configured on the SAP side. The format named in the error message can be any of: Persistent, Windows Name, E-mail, Unspecified, Kerberos, X509 Subject Name.

So, to fix this:

  1. Launch the transaction code SAML2
  2. Click on “Trusted Providers”
  3. Click on “Identity Federation”
  4. Add the same name ID format that your IdP (Identity Provider) sends in the assertion
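The check that fails in the trace above is a comparison of the NameID Format in the IdP's assertion against the formats the SP has configured for user assignment. The following Python script is an added illustration of that comparison, not SAP code: it parses a constructed assertion, reads the Subject/NameID Format (defaulting to 'unspecified' when the attribute is absent, as the SAML 2.0 Core specification requires), and reports the same message the SAML20 trace shows when the format is missing from the SP configuration. The assertion, the two configuration sets and the function names are all assumptions made for the example; with it you can confirm which format an IdP actually sends before touching the SAML2 transaction.

```python
"""Pre-flight check of a SAML 2.0 assertion's NameID Format against the formats
an SP has configured for user assignment. Added illustration, not SAP code."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# NameID format URNs as defined in the SAML 2.0 Core specification (section 8.3).
# The short names on the right of the SAP error ('emailAddress', 'transient', ...)
# are the last path segment of these URNs.
NAMEID_FORMATS = {
    "unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "emailAddress": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "X509SubjectName": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "WindowsDomainQualifiedName": "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "kerberos": "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}
URN_TO_NAME = {urn: name for name, urn in NAMEID_FORMATS.items()}

# Constructed assertion, modelled on what an IdP sends when it is configured for
# the e-mail NameID format. Signature and Conditions are omitted for brevity.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/constructed</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed assertion whose NameID carries no Format attribute at all.
SAMPLE_NO_FORMAT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Assumed SP configuration before and after the fix described on this page:
# only 'persistent' and 'unspecified' are enabled under Identity Federation.
SP_BEFORE_FIX = {NAMEID_FORMATS["persistent"], NAMEID_FORMATS["unspecified"]}
SP_AFTER_FIX = SP_BEFORE_FIX | {NAMEID_FORMATS["emailAddress"]}


def extract_nameid(assertion_xml: str) -> tuple:
    """Return (format_urn, value) of the assertion's Subject/NameID.

    A NameID without a Format attribute means 'unspecified' (SAML 2.0 Core 8.3.1).
    Raises ValueError when the assertion carries no Subject/NameID at all.
    """
    root = ET.fromstring(assertion_xml)
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    if nameid is None:
        raise ValueError("assertion has no Subject/NameID element")
    fmt = nameid.get("Format", NAMEID_FORMATS["unspecified"])
    return fmt, (nameid.text or "").strip()


def is_nameid_format_supported(format_urn: str, configured: set) -> tuple:
    """SP-side check analogous to the one that raised the exception in the trace.

    Returns (True, None) when the format is configured, otherwise (False, message)
    worded like the SAML20 error text. Unknown URNs are reported verbatim.
    """
    if format_urn in configured:
        return True, None
    short_name = URN_TO_NAME.get(format_urn, format_urn)
    return False, f"Format '{short_name}' is not supported for user assignment."


def check_assertion(assertion_xml: str, configured: set) -> tuple:
    """Parse the assertion and check its NameID format against the SP configuration."""
    fmt, _value = extract_nameid(assertion_xml)
    return is_nameid_format_supported(fmt, configured)


if __name__ == "__main__":
    fmt, value = extract_nameid(SAMPLE_ASSERTION)
    print(f"IdP sends NameID format {URN_TO_NAME.get(fmt, fmt)} for {value!r}")
    print("before fix:", check_assertion(SAMPLE_ASSERTION, SP_BEFORE_FIX))
    print("after fix: ", check_assertion(SAMPLE_ASSERTION, SP_AFTER_FIX))
```

Run the script as-is to see the failing check and the passing one side by side; to test a real IdP, paste the decoded Assertion element into SAMPLE_ASSERTION and the formats enabled in your SAML2 transaction into SP_BEFORE_FIX. The fix the page describes adds the IdP's format to the SP set; the alternative, changing the IdP to send a format the SP already supports, is equally valid but must be coordinated with the IdP owner.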
