Hi,

We have exactly the same issue. We went live with AC10 in July and we have an OSS message open but no way to get a solution. Finally, they proposed to create a request on the Idea place and if several customers are voting for it they will take this in account in any of the next release.

As we can't autmoatically generate the SNC name we asked the people that create the request to enter the SNC name manually respective the case sensitivity but you can't avoid human errors and the impact on the user community is not good when they receive the notification that their access has been created and they can't finally access it by signle sign-on due to the SNC name that has been wrongly entered in the access request  and provisioned.

I don't understand why SAP is not taken this issue more seriously in account. At least to provide any work around to be able to generate the SNC name respecting the case sensitivity.

Could you share in details what you did to get the SNC name as "p:username@DOMAIN".

Did you map it using LDAPMAP tcode ? Did you create a specific AC field mapping in the IMG under "Maintain Mapping for Actions and Connector Groups" for hte LDAP connector ?

Thanks in advance for your feedback.
Patrick.

Patrick,

Is it possible that your issue is addressed in Note 1594909, which is in SP5?

REF:

Symptom

The SNC name gets provisioned only in the upper case even if the name is in lower case or mixed case. The SNC name is always converted to uppercase before provisioning. Because of this the SSO does not work for some users.

Good luck!

Regards,

Gretchen

Hi Gretchen,

We are on GRC 10.0 SP8 and this correction is therefore already applied.

In EUP, in the SNC name field we put "p:#!#USERID#!#@DOMAIN name in uppercase".

Per SAP, the GRC  USERID variable field is in fact taken the sap userid content when it's created on the backend system.

We currently have the userid in lowercase in the LDAP field name sAMAccountName and we mapped it to the AC field SNCNAME in the IMG under "Maintain Mapping for Actions and Connector Groups.

By doing this the EUP setting is not taken in account and we can see in the access request form that the snc field has the userid in lowercase but from there we don't knwo how to automatically add the constant  p: in lowercase before this userid variable and Domain name constant in uppercase after it to get the complete SNC name as mentioned above.

Any thoughts to get there ?

Thanks in advance.
Patrick.

Patrick,

Sorry, I am not an expert in this area; I just know that inconsistent case of the user ID was a pain point in SSO at previous employer and was the cause of problems at a client's GRC project I was on earlier this year. The workaround you described sounds quite painful; a configurable option of making SNC case insensitive sounds to me like the most elegant solution. If this suggestion is already in Idea Place, I would gladly vote for it.

Regards,

Gretchen

Hi Gretchen,

Finally, SAP released the OSS note 1760244 that created the new variable USERID_L and we added in our EUP settings to generate the SNC name automatically.

We applied it in our production system last week and it works fine.

It was hard to obtain but we got it after several weeks of discussions.

This will help other customers that will use GRC AC 10.

Patrick.

Thanks.

Hi Joe,

currently I am facing the exact same situation.

We have from LDAP the field userPrincipalName = <xxx>@<domain> but we need the SNC field to look like p:<xxx>@<DOMAIN>

Would it be possible for you to give me those two function modules and tell me where I have to put themn to convert from <xxx>@<domain> to p:<xxx>@<DOMAIN>?

In our case we don't need the Checkbox "allow insecure logon" ticked as we allow this systemwide via profileparameter.

Regards,

Niklas

Message was edited by: Niklas Theis Edit 31.01.2014 - 11:34 Our development Team added the modification to the corresponding include so that this works.