SAP Knowledge Base Article - Public

3381120 - Invalid User. SSO Authentication Failed

Symptom

SSO is failing with error "Invalid User. SSO Authentication failed".

Environment

  • SAP Service Cloud v2
  • SAP Sales Cloud v2

Cause

There are several possible causes for this error:

A. The email address of the affected employee is not unique in the system.

B. The email address in the employee details has a space at the front.

C. The email address maintained in the IDP (Identity Provider) for the user does not match the email maintained in the SAP Sales Cloud and Service v2 system.

D. There is a mismatch between the Subject Name Identifier configured in SAP Sales Cloud and Service V2 and in the IAS settings.

Resolution

A. Make sure the affected employee has a unique email address in the system.

B. Confirm that the affected employee's email address does not have any extra space, either in the Sales Cloud and Service v2 system or on the IDP side.

C. Make sure the email address maintained in the IDP matches the email maintained in the Sales Cloud and Service v2 system. Upper and lower case must match as well.
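As an added example (not SAP code and not part of the original article), the following Python check runs over user exports from both sides and flags causes A, B and C. The record layout, the field names `user` and `email`, joining the two exports on the user ID, and grouping duplicates on the trimmed, lower-cased address are all assumptions; the data is constructed.

```python
from collections import defaultdict

# Constructed sample data. The field names "user" and "email" are
# hypothetical stand-ins for the columns of your own user exports.
CRM_EMPLOYEES = [
    {"user": "ALICE", "email": "alice@example.com"},
    {"user": "BOB", "email": " bob@example.com"},      # space at the front (B)
    {"user": "CAROL", "email": "carol@example.com"},
    {"user": "CAROL2", "email": "carol@example.com"},  # not unique (A)
    {"user": "DAVE", "email": "dave@example.com"},
]
IDP_USERS = [
    {"user": "ALICE", "email": "alice@example.com"},
    {"user": "BOB", "email": "bob@example.com"},
    {"user": "CAROL", "email": "carol@example.com"},
    {"user": "DAVE", "email": "Dave@Example.com"},     # case differs (C)
]

def audit_emails(crm, idp):
    """Return a sorted list of (user, finding) tuples for causes A, B and C."""
    findings = []
    # Cause A: one address on more than one employee. Grouping on the trimmed,
    # lower-cased value is an assumption, chosen to flag conservatively.
    by_email = defaultdict(list)
    for rec in crm:
        by_email[rec["email"].strip().lower()].append(rec["user"])
    for users in by_email.values():
        if len(users) > 1:
            findings += [(u, "duplicate email") for u in users]
    # Cause B: stray whitespace on either side.
    for side, recs in (("CRM", crm), ("IDP", idp)):
        for rec in recs:
            if rec["email"] != rec["email"].strip():
                findings.append((rec["user"], f"whitespace in {side} email"))
    # Cause C: both systems must hold the identical string, case included.
    idp_by_user = {rec["user"]: rec["email"] for rec in idp}
    for rec in crm:
        other = idp_by_user.get(rec["user"])
        if other is None:
            findings.append((rec["user"], "no IDP record"))
        elif other != rec["email"]:
            same_ci = other.strip().lower() == rec["email"].strip().lower()
            kind = "case/space mismatch" if same_ci else "different email"
            findings.append((rec["user"], f"{kind} with IDP"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_emails(CRM_EMPLOYEES, IDP_USERS):
        print(f"{user}: {finding}")
```
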

D. Take the following scenario as an example: the expected Subject Name Identifier is Email, and the same is configured in the SAP Sales and Service Cloud V2 IDP (Identity Provider) Configuration. However, the proxy setup in IAS uses Username/Login Name as the Name ID.

The proposed solution is to change the setting in the SAP Sales and Service Cloud V2 IDP Configuration to use "User Name" as the Subject Name Identifier instead of the currently configured "Email".

  1. Log in to the system as Admin.
  2. Navigate to Settings -> All Settings -> Users and Control -> Identity Provider Configuration.
  3. Add a new Trusted Identity Provider by clicking on "+".
  4. Download the IDP metadata from the IAS tenant and use it for the configuration.
  5. Ensure that this new IDP configuration has "Subject Name Identifier" as "User Name".
  6. Set this new IDP Configuration as Active and Default.

Steps to configure Application in Cloud Identity Services:

  1. In Cloud Identity Services, navigate to Applications and select the application configured for the system.
  2. Navigate to "Subject Name Identifier" under "Trust".
  3. Under the Basic Configuration, ensure that "Select a basic attribute" is set to "Login Name".
  4. Click "Save".
  5. Now go to your user and ensure that the Login Name maintained in Cloud Identity Services and the User ID maintained in SAP Sales and Service Cloud V2 are the same.

Keywords

SSO, Authentication Failed, Single Sign On, IDP, Email, KBA, CEC-CRM-IAM, Identity and Access Management for SAP Sales/Service Cloud, How To

Product

SAP Sales Cloud and SAP Service Cloud Version 2 1.0