configure-user-identifier-attributes-8b9fa88.md

File metadata and controls

344 lines (205 loc) · 15.1 KB

Configure User Identifier Attributes

Tenant administrators can configure user identifier attributes as required and unique for the tenant.

You are assigned the Manage Tenant Configuration role. For more information about how to assign administrator roles, see Edit Administrator Authorizations.

Context

Identity Authentication ensures the uniqueness only of the newly set values of the attributes. The system doesn’t guarantee the uniqueness of the existing attributes.

The default configuration for the user identifiers is:

User Identifier Default Configuration

| User Identifier | Required | Unique |
|---|---|---|
| User ID | Yes / Not configurable | Yes / Not configurable |
| Email | Yes / Configurable | Yes / Configurable |
| Login Name | No / Configurable | Yes / Not configurable |
| Display Name | No / Configurable | No / Configurable |
| Phone | No / Not configurable | No / Configurable |

Caution:

The User ID and Login Name identifiers of a user can't have values that are equal to the User ID, Email, Login Name, Display Name, and Phone identifiers of another user.

When Email or Phone identifiers of a user are set as unique they can't have values that are equal to the User ID, Email, Login Name, Display Name, and Phone identifiers of another user.

Remember:

If the DisplayName is edited via the profile page, consider the following:

  • When the Display Name identifier of a user is set as unique it can't have values that are equal to the User ID, Global User ID, Email, Display Name, Login Name, and Employee Number identifiers of another user.

  • When the Display Name identifier of a user is set as non-unique it can't have values equal to the User ID, Global User ID, Email, Login Name, and Employee Number identifiers of another user.

Note:

The Display Name user identifier for the tenants created before the system upgrade on May 13, 2020 is configured as required and unique.

The Phone user attribute is configured as non-unique by default. If you configure it as unique, all users that are created or updated after this configuration won't be able to have phone numbers taken by someone else.
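The cross-attribute collision rules from the Caution and Remember notes above, modeled as a small pre-flight check an administrator could run against a user export before a bulk import. This is an added illustration, not Identity Authentication code: the `User` and `TenantConfig` classes, the attribute names, and the sample users are assumptions, and Global User ID and Employee Number are left out of the model.

```python
from dataclasses import dataclass
from typing import List, Optional

# Identifiers of another user that a new User ID, Login Name, or unique
# Email/Phone must not match (Caution note on this page).
CROSS_CHECK = ("user_id", "email", "login_name", "display_name", "phone")


@dataclass
class User:  # assumed model: one record per tenant user
    user_id: str
    email: Optional[str] = None
    login_name: Optional[str] = None
    display_name: Optional[str] = None
    phone: Optional[str] = None


@dataclass
class TenantConfig:  # assumed model of the Logon Alias settings
    email_required: bool = True      # default per the table above
    email_unique: bool = True        # default per the table above
    display_name_unique: bool = False
    phone_unique: bool = False       # User ID and Login Name are always unique


def conflicts(new: User, existing: List[User], cfg: TenantConfig) -> List[str]:
    """Return the rule violations that would block creating `new`."""
    errors = []
    if cfg.email_required and not new.email:
        errors.append("email is required")
    # Attributes of `new` that must not equal any identifier of another user.
    checked = ["user_id", "login_name"]
    checked += ["email"] if cfg.email_unique else []
    checked += ["phone"] if cfg.phone_unique else []
    checked += ["display_name"] if cfg.display_name_unique else []
    for other in existing:
        other_values = {getattr(other, a) for a in CROSS_CHECK} - {None}
        for attr in checked:
            value = getattr(new, attr)
            if value is not None and value in other_values:
                errors.append(f"{attr}={value!r} collides with user {other.user_id}")
        # A non-unique Display Name may repeat another Display Name, but still
        # not another user's User ID, Email, or Login Name (Remember note).
        if not cfg.display_name_unique and new.display_name is not None:
            if new.display_name in {other.user_id, other.email, other.login_name} - {None}:
                errors.append(f"display_name={new.display_name!r} collides with user {other.user_id}")
    return errors
```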

Remember:

If Email is marked as not required on tenant level, it becomes configurable on application level and must also be changed there. For more information, see Configure Registration and Upgrade Forms.

Email Required/Unique Configurations

Required: Yes

  • admin must provide email when creating or editing a user in the admin console
  • emails.value attribute is mandatory when creating a user via the SCIM REST API
  • email appears as required in the registration form of an application
  • user must provide email, if missing, when an update of the account is triggered
  • admin can't delete a user's email in the admin console
  • user can't delete his/her email in the profile page

Required: No

  • admin must provide email when creating a user in the admin console only when account activation is Send activation email
  • emails.value attribute must be provided when creating a user via the SCIM REST API only when the sendMail attribute is true
  • email is required in the registration form of the application; the configuration is taken into account for the upgrade process
  • the reset password process is replaced by the change password process for users with no email
  • user is not prompted to provide email, if missing, when an update of the account is triggered
  • admin can delete a user's email in the admin console
  • user can delete his/her email in the profile page
  • end-user screen texts differ from the actual tenant configuration; admin can change the tenant texts to match the configuration
  • the email verification setting for an application could be skipped for users with no email

Unique: Yes

  • email can be used for logon
  • email must be unique, if provided, when a user is created or edited via the admin console
  • emails.value attribute must be unique, if provided, when a user is created via the SCIM REST API
  • user must provide a unique email, if required, when an update of the account is triggered
  • user import is supported; email must be provided
  • email attribute must be unique, if provided, when a user is registered via the User Management REST API

Note:

The email user identifier must be selected as unique if you use it for logon. For more information about how to configure the allowed logon identifiers, see Next Steps.

Unique: No

  • email can't be used for logon
  • admin can create more than one user with one and the same email in the admin console
  • emails.value attribute doesn't have to be unique, if provided, when a user is created via the SCIM REST API
  • email, if required, doesn't have to be unique when an update of the account is triggered
  • users with non-unique emails can't change their password via the Forgot Password process using the email as identifier
  • end-user screen texts differ from the actual tenant configuration; admin can change the tenant texts to match the configuration
  • user import is not supported

The texts on the end-user screens are predefined. If you change the required/unique preference in the tenant, this won't automatically change the texts on the end-user page. To change the text, you must update the predefined texts and messages for end-user screens available per tenant in Identity Authentication. For more information, see Change Tenant Texts REST API.

Although the choice for the required attribute applies to all applications in the tenant, you can still make Email required on the registration and upgrade form for specific applications via a custom configuration. For more information, see Configure Registration and Upgrade Forms.

Remember:

It takes two minutes for the configuration changes to take effect.

If you want to change the configuration for the user identifier for your tenant, follow the procedure below:

Procedure

  1. Sign in to the administration console for SAP Cloud Identity Services.

  2. Under Applications and Resources, choose the Tenant Settings tile.

    At the top of the page, you can view the administrative and license relevant information of the tenant.

  3. Under Authentication, choose the Logon Alias list item.

  4. Select the options for the user identifier according to your needs.

    • Required
    • Unique

    If the operation is successful, the system displays the message Logon alias updated. It takes two minutes for the change to be applied.

Choose the allowed logon identifiers for the users. For more information, see Configure Allowed Logon Identifiers.

Related Information

Tenant SAML 2.0 Configurations

Get SAML 2.0 IdP Metadata via Parameter

Rotate Signing Certificates

Tenant OpenID Connect Configurations

Change Tenant Texts Via Administration Console

Configure Master Data Texts Via Administration Console

Configure Links Section on Sign-In Screen

Add Instructions Section on Sign-In Screen

Configure X.509 Client Certificates for User Authentication

Enable Users to Generate and Authenticate with Certificates

Configure Tenant Images

Configure Allowed Logon Identifiers

Configure Trust this browser Option

Enable Back-Up Channels to Send Passcode for Deactivation of TOTP Two-Factor Authentication Devices

Password Recovery Options

Configure Initial Password and Email Link Validity

Configure Session Timeout

Configure Trusted Domains

Use Custom Domain in Identity Authentication

Change a Tenant's Display Name

Configure Default Risk-Based Authentication for All Applications in the Tenant

Configure Sinch Service in Administration Console

Configure RADIUS Server Settings (Beta)

Configure Mail Server for Application Processes

Configure IdP-Initiated SSO

Send Security Alert Emails

Send System Notifications via Emails

Configure Customer Managed Keys in Administration Console (Restricted Availability)

Configure Default Language for End User Screens

Configure P-User Next Index

Reuse SAP Cloud Identity Services Tenants for Different Customer IDs