3248892 - "A new Learning-only user could not be created" - Learning IAS Real Time User Sync

An error is received either before or after IAS activation when enableRealtimeUserSync=true:

• “A new Learning-only user could not be created. Please verify the values from System Administration > Configuration > System Configuration > SAP CLOUD IDENTITY SERVICES > Identity Provisioning section and try again.”

SAP SuccessFactors Learning

Before IAS Activation

• Learning Administration > System Administration > Security > Activate Identity Authentication Integration > error message when clicking “Test Now” in Step 4 “Test Real-time User Creation”

After IAS Activation

• Learning Administration > System Administration > Configuration > System Configuration > SAP CLOUD IDENTITY SERVICES > error message when setting enableRealtimeUserSync=true and clicking Apply Changes.

There are four possible reasons:

1. SAC Provisioning Indirectly includes LMS as a source system  - In IPS, SAC target system> system source is set to “Target system will read entities from all enabled source systems” which will include LMS. However, provisioning Learning-only users in People Analytics is not supported.
2. Tech User password for LMS, IAS and IPS are not equal - The tech user password must be the same in LMS, IAS and IPS. If any of these have been changed after provisioning then they all need to be reset to be the same. Tech User is in Learning with password in configuration for purposes of API usage only so when IAS and IPS call LMS, they need to have the correct password configured in Learning.
3. IAS Test User from Previous Attempt is Blocking Activation - If a previous failed attempted has happened to enable real time user sync, then the "ias_test_user_27F5AAEA" user may have been created. Retrying the enablement of real time sync with this user in IAS will continue to make the job fail.
4. The Learning IPS-mTLS Certificate may have expired - Uploading the renewed LMS mTLS certificate is required to use/enable real time user sync.

5. Missing below permissions for the technical user of the IAS target system

   • read users
   • access real-time provisioning API 

Please see above for the four different causes to identify the proper solution that needs to be followed.

• SAC Provisioning Indirectly includes LMS as a source system:
  
  1. In Identity Provisioning, navigate to Target Systems > Select SAC > Details tab then change SAC source system to “SuccessFactors”.
• Tech User password for LMS, IAS and IPS are not equal
  
  1. Set the password in each of the 3 systems to the same value
     
     1. For Learning: Learning Administration > Configuration > System Configuration> SAP CLOUD IDENTITY SERVICES "techUserPassword".
     2. For IPS: navigate to Source Systems > select Learning Source system > Properties tab, modify the Password Property to the new Password.
     3. For IAS:  Admin > Identity Providers > Source Systems > Learning (the name would be usually LMS – tenantID). In the Technical User section change the Technical User Secret (password) to the new password.
• IAS Test User from Previous Attempt is Blocking Activation
  
  1. Navigate to IAS>Users & Authorizations > User Management > Search for “ias_test_user_27F5AAEA”> Select and delete the user > Set ‘enableRealtimeUserSync’ to ‘true’ again.
• The Learning IPS-mTLS Certificate may have expired
  
  1. Navigate to the Identity Provisioning admin console and use the Learning IPS - mTLS Certificate Expiration KBA here to check if your LMS source system inbound certificate is expired. Example:
     
     • 
  2. If the certificate has expired, use the Learning IPS - mTLS Certificate Expiration KBA to upload the renewed LMS mTLS certificate and then you can attempt to enable real time user sync again.

• Please ensure to add the below permissions to the technical user of your IAS target system

  1. read users
  2. access real-time provisioning API 

Note:

Should the above resolution not work for you and you need to contact Product Support, please ensure to choose the following component during ticket creation - BC-IAM-IDS

IAS, IPS, LMS, Learning, User, fail, real, time, sync, failure, not, working, activation, enableRealtimeUserSync, source, system, Learning-only , KBA , LOD-SF-LMS-IAS , LMS IAS Integration for External User , Problem