Symptom
You are using SSO with Azure AD and when trying to log in you receive the following error message: "E-mail address "ABC" could not be mapped to user. Reason: E-mail address "ABC" used b."
Environment
SAP Cloud for Customer
Reproducing the Issue
1. Try to log in to the system using SSO.
2. Error message appears: "E-mail address "ABC" could not be mapped to user. Reason: E-mail address "ABC" used b."
Cause
The e-mail ID must be unique for each user for SSO to work. There is no workaround.
Resolution
SSO requires each e-mail ID to map directly to exactly one user. During the SAML assertion exchange between the IdP and the SAP system, the IdP passes this e-mail ID to the SAP system. If the same e-mail ID is assigned to multiple users, the system has no way to determine which user is requesting the session, so SSO does not work.
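To find the users that share an e-mail ID before correcting them, the following added example (not SAP code) audits a user list and mimics the exactly-one-user mapping rule described above. It assumes a CSV export with hypothetical columns `UserID` and `Email`, and it compares addresses case-insensitively after trimming, which is an assumption made to catch near-duplicates.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names "UserID" and "Email" are
# assumptions, not the layout of any SAP report.
SAMPLE_EXPORT = """UserID,Email
JDOE,john.doe@example.com
JDOE_ADMIN,John.Doe@example.com
ASMITH,anna.smith@example.com
SVC_IMPORT,
BLEE, bob.lee@example.com
"""

def normalize(email):
    """Trim and lower-case so near-identical addresses group together (assumption)."""
    return email.strip().lower()

def index_by_email(rows):
    """Map each normalized e-mail address to the list of user IDs that carry it."""
    index = defaultdict(list)
    for row in rows:
        email = normalize(row.get("Email") or "")
        if email:  # users without an e-mail are skipped; they cannot conflict
            index[email].append(row["UserID"])
    return index

def find_conflicts(index):
    """Return only the addresses assigned to more than one user."""
    return {email: users for email, users in index.items() if len(users) > 1}

def resolve(index, asserted_email):
    """Mimic the mapping step: succeed only when exactly one user matches."""
    users = index.get(normalize(asserted_email), [])
    if len(users) == 1:
        return users[0]
    reason = "no user found" if not users else "ambiguous, matches " + ", ".join(users)
    raise LookupError(f"{asserted_email!r} could not be mapped: {reason}")

def load(text):
    return index_by_email(csv.DictReader(io.StringIO(text)))

if __name__ == "__main__":
    idx = load(SAMPLE_EXPORT)
    for email, users in sorted(find_conflicts(idx).items()):
        print(f"{email}: {', '.join(users)}")
```

Each address reported by `find_conflicts` needs to be changed so that it belongs to a single user before SSO logins for that address can succeed.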
Keywords
SSO, Error, Mapped, Azure, Single, Sign, KBA, SRD-CC-SEC, Security, How To