The documentation here states the Subject Name Identifier attribute in an Identity Authentication Service is sent to the application and then used by the application to identify the user.
Experiment
Based on some experiments I have done, this appears to be false in the case of Cloud ALM.
I set the SNI to Global User ID, and the self-defined attributes to be only Groups (value Identity Directory -> Groups). No email, user id, etc. are configured to be sent. I log on and am granted access to Cloud ALM successfully. OK, maybe Cloud ALM knows my Global User ID somehow and identifies me that way.
However, when I change my Global User ID by one character in IAS, I am still able to log on as before. How is Cloud ALM able to identify me based on the wrong Global User ID?
My theories are:
Cloud ALM is ignoring the SNI and using the User ID or Email typed into the logon screen.
IAS automatically provisions updates to Cloud ALM.
Proposed Solution
The documentation should clarify in what sense the SNI is used to "identify" users. In the case of Cloud ALM I believe the SNI is not being used to identify users, but rather the identifier typed into the logon screen is used.
Feedback Type (Optional)
clarity
Page Title on SAP Help Portal (prefilled)
Configure the Subject Name Identifier Sent to the Application
Page URL on SAP Help Portal (prefilled)
https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/configure-subject-name-identifier-sent-to-application?version=Cloud