UPN and SNI

Mike 0 Reputation points
2025-01-31T18:20:23.6766667+00:00

Hello all,

I have a clarification question.

I have Azure as IdP, SAP IAS as a proxy, and cloud applications. Have I understood the authentication process correctly?

My settings:

  • Azure:
    1. UPN = Email
  • IAS:
    1. Application SAC: Subject Name Identifier = Corporate Identity Provider = employee_id
    2. Corporate Identity Provider: Subject Name Identifier = None (Use subject claim (sub) as subject name identifier)

The user accesses a link (e.g., SAC) and enters their UPN (as I understand it, this is the only way to authenticate with Azure?). The user is then redirected to Azure, where they are identified/found based on the UPN.

A token with attributes is then created, and the user is redirected to IAS. Since in IAS the Subject Name Identifier (SNI) is set to Corporate Identity Provider = employee_id, the SNI with employee_id is transmitted to SAC.

In SAC, the "User ID" field is set to 23244 (employee_id). The user is identified/found here with the employee_id. Is that correct, because SNI = employee_id?

In Azure, the user is found based on the UPN (always?), and in IAS, based on the employee_id.

What happens if the UPN in Azure changes? In our case, the UPN is the same as the email address.

Thank you very much.

Best regards


1 answer

Sort by: Most helpful
  1. Navya 15,145 Reputation points Microsoft Vendor
    2025-02-03T08:13:12.58+00:00

    Hi @Mike

    Thank you for posting this in Microsoft Q&A.

    I understand your question regarding UPN and SNI.

    The UPN (User Principal Name) is a unique attribute in Microsoft Entra (Azure Active Directory) that is used to authenticate users. The UPN consists of a UPN prefix (the user account name) and a UPN suffix (a DNS domain name). The UPN was the primary identifier for authentication in Microsoft Entra ID. Microsoft Entra ID also supports email as an alternate login ID. If you configure both the UPN and email fields with the same value, users can log in using either one.

    Regarding your question about user identification in SAC, it is correct that the SNI in IAS is set to Corporate Identity Provider = employee_id, and this value is transmitted to SAC. Therefore, in SAC, the user is identified/found using the employee_id.

    In your scenario, the identity provider will be Entra ID (Azure), and authentication happens on the Entra side. If the user is successfully authenticated, they will receive a token with attributes. Based on the employee attributes, they can be redirected to IAS. If the UPN in Azure changes, the user will need to authenticate again with the new UPN. This is because the UPN is used to identify the user in Azure AD, and if it changes, the user will need to be re-identified with the new UPN.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

