SAP Knowledge Base Article - Public

3241298 - Error when moving SAML connection from one IDP to another

Symptom

We deleted the Service Provider entry on our workspace, then we created a new Service Provider entry, and then copied the setup metadata to the Collaboration hub authentication in our workspace. Now, we are getting the error below when trying to log in. Please advise.

Resolution

That error message occurs because the workspace recognizes the user's email address, but the user ID (external ID) supplied by the IDP differs from the value stored for that user in SAP Signavio. The system therefore rejects the login attempt.

This is a security mechanism: it stops an attacker who intentionally misconfigures their own identity provider from gaining access to other workspaces.
Two options to resolve this:
  1. Make sure every workspace the user has access to is protected through the 'enforce SSO' option. Enable 'enforce SSO' where it is applicable; the user must be removed from any workspace where 'enforce SSO' is not enabled.
  2. Remove the user from all but one workspace. The external ID is then updated, because the user can reach only that one workspace, so there is no risk of gaining access to other workspaces.
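The following added example (not SAP Signavio's own code) models the check described above: the asserted email is recognized, but the IDP's NameID no longer matches the stored external ID, and re-binding to the new ID is only treated as safe under the two conditions the resolution lists. The data model and decision values are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Workspace:
    name: str
    enforce_sso: bool  # the 'enforce SSO' option for this workspace


@dataclass
class User:
    email: str
    external_id: Optional[str]  # NameID bound when the previous IDP was linked
    workspaces: List[Workspace] = field(default_factory=list)


def evaluate_sso_login(user: User, asserted_email: str, asserted_name_id: str) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'rebind' or 'deny'.

    'rebind' means the login proceeds and the stored external ID is updated
    to the NameID the (new) IDP asserted. Hypothetical model of the article's logic.
    """
    if asserted_email.lower() != user.email.lower():
        return "deny", "email address not recognized"
    if not user.workspaces:
        return "deny", "user has no workspace access"
    if user.external_id is None or user.external_id == asserted_name_id:
        return "allow", "external ID matches the stored value"
    # Mismatch: the IDP entry was re-created, so the NameID changed.
    # Option 1: every reachable workspace enforces SSO, so a differently
    # configured IDP cannot be used to reach any of them.
    if all(ws.enforce_sso for ws in user.workspaces):
        return "rebind", "all workspaces enforce SSO"
    # Option 2: the user is reachable through a single workspace only.
    if len(user.workspaces) == 1:
        return "rebind", "user has access to a single workspace"
    return "deny", "external ID mismatch across workspaces without enforce SSO"


# Constructed sample data: one workspace with enforce SSO, one without.
WS_ENFORCED = Workspace("finance", enforce_sso=True)
WS_OPEN = Workspace("marketing", enforce_sso=False)


def demo() -> str:
    """Constructed scenario from the article: same email, new NameID, two workspaces."""
    user = User("alice@example.com", "old-nameid", [WS_ENFORCED, WS_OPEN])
    return evaluate_sso_login(user, "alice@example.com", "new-nameid")[0]
```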
Keywords

KBA , BPI-SIG-CA-SEC-SAM , SAML 2.0 for SAP Signavio , How To

Product

SAP Signavio Process Manager all versions ; Signavio Process Manager all versions