You are setting up SAML 2.0 authentication for SAP NetWeaver ABAP, and while testing the logon the following error is captured in the SAML20 trace:
SAML20 SP (client 123 ): Exception raised:
SAML20 SAML20 CX_SAML20_FEDERATION: Format 'emailAddress' is not supported for user assignment. Long text: Format 'emailAddress' is not supported for user assignment.
SAML20 at CL_SAML20_ENTITY->IS_NAMEID_FORMAT_SUPPORTED(Line 61)
SAML20 at CL_SAML20_FEDERATION->CREATE_INSTANCE(Line 56)
SAML20 at CL_SAML20_RESPONSE->VALIDATE_ASSERTION(Line 82)
SAML20 at CL_SAML20_RESPONSE->VALIDATE(Line 64)
SAML20 at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 91)
SAML20 at CL_HTTP_SAML20->PROCESS_LOGON(Line 350)
SAML20 at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
SAML20 at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2296)
Solution
As stated in SAP Note 2574530 (SAML2.0: Format 'transient' or 'emailaddress' is not supported for user assignment), the cause is the following:
The Identity Provider (IdP) sends a NameID in a format (in the note's example 'transient', in the trace above 'emailAddress') that the ABAP system has not been configured to accept for user assignment. The check in CL_SAML20_ENTITY->IS_NAMEID_FORMAT_SUPPORTED fails closed by design: the service provider only maps an assertion to an ABAP user for NameID formats that have been explicitly enabled, because enabling a format tells the system which identifier from the assertion it may trust to select the user.
The same error is raised for any NameID format the IdP uses that is not configured on the ABAP side; the format named in the message may be any of: Persistent, Transient, Windows Name, E-mail, Unspecified, Kerberos, X509 Subject Name.
So, to fix this:
- Launch transaction SAML2 in the client named in the error (here client 123; the SAML 2.0 configuration is client-specific)
- Click on "Trusted Providers" and select the entry for your IdP
- Click on "Identity Federation"
- Add the same NameID format that your IdP sends (here E-mail) as a supported format, and select how the NameID value is mapped to an ABAP user (for E-mail, the address in the user master record)
- Check that the NameID value sent by the IdP matches that user attribute exactly, and that it is unique across users in the client; an address shared by two users cannot be mapped unambiguously
Alternatively, reconfigure the IdP to send a NameID format that is already enabled on the ABAP side. Either way, the format in the assertion and the format enabled under Identity Federation must agree.
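To make the failure mode concrete, here is an added example (my own Python, not SAP code; the SAP classes in the trace are not reproduced) that performs the same two steps the ABAP service provider performs after validating a response: it reads the NameID format from the assertion, rejects formats not enabled for user assignment with the same kind of error, and for the E-mail format maps the NameID value to a user by e-mail address. The assertion XML, the user table and all function names below are constructed for illustration; signature verification, which the real SP performs, is omitted.

```python
"""Replicate the SP-side NameID format check and e-mail user mapping.

Added example, not SAP code. SAMPLE_ASSERTION and USERS are constructed
sample data; nameid_of/assign_user are this example's own names.
"""
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Short labels as they appear in transaction SAML2, keyed by the URN that
# actually travels in the <saml:NameID Format="..."> attribute.
NAMEID_LABELS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "Persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient": "Transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "E-mail",
    UNSPECIFIED: "Unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName": "Windows Name",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos": "Kerberos",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName": "X509 Subject Name",
}

# Constructed assertion as an IdP would send it (signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed stand-in for the SU01 user master: user ID -> e-mail address.
USERS = {"JDOE": "jane.doe@example.com", "JSMITH": "john.smith@example.com"}


class FederationError(Exception):
    """Plays the role of CX_SAML20_FEDERATION."""


def nameid_of(assertion_xml):
    """Return (format_urn, value) from the assertion's Subject/NameID.

    A missing Format attribute means 'unspecified' per SAML Core.
    """
    root = ET.fromstring(assertion_xml)
    path = f".//{{{SAML2_ASSERTION_NS}}}Subject/{{{SAML2_ASSERTION_NS}}}NameID"
    nameid = root.find(path)
    if nameid is None:
        raise FederationError("Assertion has no Subject/NameID")
    return nameid.get("Format", UNSPECIFIED), (nameid.text or "").strip()


def assign_user(assertion_xml, supported_formats, users):
    """Map an assertion to a local user, failing closed like the ABAP SP.

    supported_formats: short labels enabled under Identity Federation.
    users: mapping user ID -> e-mail address (constructed SU01 stand-in).
    """
    fmt_urn, value = nameid_of(assertion_xml)
    label = NAMEID_LABELS.get(fmt_urn)
    if label is None or label not in supported_formats:
        # Same outcome as CL_SAML20_ENTITY->IS_NAMEID_FORMAT_SUPPORTED failing.
        short = fmt_urn.rsplit(":", 1)[-1]
        raise FederationError(f"Format '{short}' is not supported for user assignment")
    if label == "E-mail":
        # Exact, case-insensitive match on the e-mail address; ambiguity is an error.
        matches = [uid for uid, mail in users.items() if mail.lower() == value.lower()]
        if len(matches) != 1:
            raise FederationError(f"{len(matches)} users match e-mail '{value}'; expected exactly 1")
        return matches[0]
    raise FederationError(f"No mapping rule for format '{label}' in this example")


if __name__ == "__main__":
    # Before the fix: only Persistent enabled, so the E-mail assertion is refused.
    try:
        assign_user(SAMPLE_ASSERTION, {"Persistent"}, USERS)
    except FederationError as err:
        print("Before:", err)
    # After adding E-mail under Identity Federation the same assertion logs JDOE on.
    print("After:", assign_user(SAMPLE_ASSERTION, {"Persistent", "E-mail"}, USERS))
```

Run it as-is to see the refusal and the successful mapping back to back. The point of the `len(matches) != 1` check is the caveat from the steps above: once E-mail is enabled, the e-mail address becomes the identifier that selects the ABAP user, so a duplicated address must not be silently resolved to one of the candidates.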