3564839 - Troubleshooting authorization issues when logging into S/4 HANA Cloud Public Edition

When trying to log in to S/4HANA Cloud Public Edition, the following screen appears after selecting "Log On".

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental." 

SAP S/4HANA Cloud Public Edition

1. In order to be able to log in, a user needs to be created in both SAP S/4HANA Cloud Public Edition, and in Identity Authentication service (IAS).
   Check if a Worker (Manage Workforce) and Business User (Maintain Business Users) is present in SAP S/4HANA Cloud Public Edition for that specific user.
   If the Worker and Business User is already created in the system but not in the IAS tenant, follow these steps to create a new user in IAS:
   1. In the SAP S/4HANA Cloud tenant, search for Identity Provider app - Log into IAS
   2. In IAS, the Administrator role is required
   3. Go to the "Users & Authorizations" tab and then select "User management".
   4. A user can be created manually with "+" (Add) button or can be mass imported (Users & Authorizations tab and then Import Users) with a template file downloaded from Maintain Business Users app.
   5. When importing, the correct system has to be selected.
      
      Read more about the topic HERE and select the correct landscape at the bottom of the page.
2. If the Workers and Business Users are created, and the Users are imported to IAS, but this specific user still not able to log in to S/4 Hana Cloud Public Edition because the password was never set or received, then the "Send Emails" button ("Users & Authorizations" tab and then Import Users)  has to be triggered and an initial password has to be set.
3. In Maintain Business Users app, the Business User is Locked.
   Active users shouldn't be locked as it won't allow the authentication.
   
   
   
4. In the IAS tenant, go to "Applications and Resources" tab and then "Application", the Subject Name Identifier has to be set to "Login Name" or "Email address".
   1. Check if the user name in SAP S/4HANA Cloud Public Edition (Maintain Business Users) and Login Name in IAS is same. If the "Subject Name Identifier" was set to Login Name, then the "Default Name ID Format" should be "Unspecified".
      
      
   2. Check if the email address in SAP S/4HANA Cloud Public Edition (Maintain Business Users) and in IAS is same. If the two emails are different, it will cause an authentication issue. If  "Subject Name Identifier" was set to Email Address, then the "Default Name ID Format" should be "Email".
      
      
5. Check if this specific user's email address is verified. Go to the "Users & Authorization" tab and then "User Management".
   The "Verify Email" checkbox has to be selected.
   
   
6. If the following message appears after log in:
   
   "Sorry, we could not authenticate you. Try again."
   
   
   
   Check if this specific user's "Status" is "Active" ("Users & Authorization" and then "User Management").
   
7. If the issue still persists, open a case to component CA-GTF-BUM.

Other requirements:

1. If integration with Microsoft Entra ID (Azure) required.
2. If concurrent user access needs to be restricted.
3. How to Bind SAP S/4HANA Cloud to a Non-Default Identity Authentication Tenant
4. How to enable Two-Factor Authentication
5. For tenants provisioned after release 2208, the Subject Name Identifier must be configured as outlined in the SAP Help Portal
6. FAQ

IAS, Error, Authentication, User, log in, authenticate , KBA , CA-GTF-BUM , Business User Management , Problem