We’re experiencing authentication failures with our SBOM REST API endpoints after upgrading to SSO. The sync jobs that pull supplier BOM data are failing with LDAP attribute mapping errors.
The error occurs when external systems try to authenticate:
LDAP: uid attribute not found in token claims
Authentication failed for user: ext_supplier_api
HTTP 401: Invalid credentials
Our SSO token claims use ‘employeeId’ instead of ‘uid’, but the REST API authentication seems hardcoded to look for ‘uid’. The LDAP mapping worked fine before SSO migration. SBOM sync jobs are now completely blocked, preventing us from receiving critical supplier component updates. Has anyone dealt with LDAP attribute mapping mismatches in REST API authentication after SSO implementation?
I worked through this exact scenario last quarter. The SBOM REST endpoints have stricter authentication requirements because they handle external supplier data. You need to ensure your SSO configuration passes through all required LDAP attributes in the token claims. Beyond just ‘uid’, make sure ‘cn’, ‘mail’, and ‘memberOf’ are also included. We found that group membership attributes were particularly important for role-based access to SBOM data. Also verify that your external API users are properly configured in both the IdP and Teamcenter user registry.
I’ve seen this exact issue. The problem is that Teamcenter’s REST API authentication layer expects specific LDAP attributes by default. When you introduce SSO, the token claims structure changes but the API authentication handlers still reference the old LDAP schema. You need to create a custom attribute mapping in your SSO configuration that translates your IdP claims to the expected LDAP attributes. Check your wt.properties for any hardcoded LDAP attribute references.
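The two replies above both come down to the same fix: a translation layer between what the IdP puts in the token and what the API authenticator looks up, plus a check that every attribute the handler needs (uid, cn, mail, memberOf) is actually present. The following is an added example written for this thread, not Teamcenter's or any vendor's code; the attribute names, the claim names (employeeId, displayName, email, groups), the group name sbom-readers and the sample claims are all assumptions constructed to mirror the situation in the question. It assumes the token signature has already been verified upstream; it only shows the mapping and the required-attribute check.

```python
# Added example (not Teamcenter's or any vendor's code): a token-claim to
# LDAP-attribute mapping layer of the kind the replies above describe.
# Claim names, attribute names, group names and sample claims are assumptions.
from typing import Any

# Attributes the (hypothetical) API authentication handler insists on.
REQUIRED_ATTRS = ("uid", "cn", "mail", "memberOf")

# Default mapping: the handler looks for each attribute under its own name.
# This is what breaks after SSO when the IdP issues 'employeeId', not 'uid'.
DEFAULT_CLAIM_MAP = {a: a for a in REQUIRED_ATTRS}

# Corrected mapping: API attribute -> claim name the IdP actually issues.
CLAIM_MAP = {
    "uid": "employeeId",
    "cn": "displayName",
    "mail": "email",
    "memberOf": "groups",
}

# Constructed sample token claims for the service account named in the thread.
# One group is released as an LDAP DN, the other as a bare name, which is a
# common mismatch between IdPs and directory-backed applications.
SAMPLE_CLAIMS = {
    "employeeId": "ext_supplier_api",
    "displayName": "External Supplier API",
    "email": "ext_supplier_api@supplier.example",
    "groups": ["cn=sbom-readers,ou=groups,dc=example,dc=com", "supplier-sync"],
}


class AuthError(Exception):
    """Raised when the claims cannot be turned into a usable user record."""


def normalize_group(value: str) -> str:
    """Accept either a bare group name or an LDAP DN and return the group's CN.

    Comparing on the CN keeps the role check stable whether the IdP releases
    memberOf as full DNs or as plain names."""
    first_rdn = value.split(",", 1)[0].strip()
    if "=" in first_rdn:
        key, _, val = first_rdn.partition("=")
        if key.strip().lower() == "cn":
            return val.strip()
    return value.strip()


def map_claims(claims: dict[str, Any], claim_map: dict[str, str]) -> dict[str, Any]:
    """Translate IdP claims into the attribute names the API handler expects.

    Empty or null claims are treated as absent so a misconfigured release
    policy that sends an empty string is reported the same way as a missing one."""
    attrs: dict[str, Any] = {}
    for attr, claim in claim_map.items():
        if claim in claims and claims[claim] not in (None, "", []):
            attrs[attr] = claims[claim]
    return attrs


def missing_required(attrs: dict[str, Any]) -> list[str]:
    """Every required attribute that did not survive the mapping, in a fixed order."""
    return [a for a in REQUIRED_ATTRS if a not in attrs]


def authenticate(claims: dict[str, Any], claim_map: dict[str, str],
                 required_group: str = "sbom-readers") -> dict[str, Any]:
    attrs = map_claims(claims, claim_map)
    missing = missing_required(attrs)
    if missing:
        # Name every missing attribute, not just the first; when several are
        # absent from the IdP's release policy it saves a round of back-and-forth.
        raise AuthError(f"LDAP: {', '.join(missing)} attribute(s) not found in token claims")
    raw_groups = attrs["memberOf"]
    if isinstance(raw_groups, str):
        raw_groups = [raw_groups]
    groups = [normalize_group(g) for g in raw_groups]
    if required_group not in groups:
        raise AuthError(f"user {attrs['uid']} is not a member of {required_group}")
    return {"uid": attrs["uid"], "cn": attrs["cn"], "mail": attrs["mail"], "groups": groups}


def check_token(claims: dict[str, Any], claim_map: dict[str, str]):
    """Map the outcome to the HTTP status the REST layer would return."""
    try:
        return 200, authenticate(claims, claim_map)
    except AuthError as exc:
        return 401, str(exc)


if __name__ == "__main__":
    for label, cmap in (("default mapping", DEFAULT_CLAIM_MAP), ("custom mapping", CLAIM_MAP)):
        status, detail = check_token(SAMPLE_CLAIMS, cmap)
        print(f"{label}: HTTP {status} -> {detail}")
```

Run with the default mapping, the sample claims produce a 401 that lists all four missing attributes; with the custom mapping they produce a 200 and a user record whose group list has the DN collapsed to its CN. The point of returning the full missing list rather than stopping at uid is that once you fix employeeId you would otherwise discover cn, mail and memberOf one failure at a time.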
Are you using a custom authentication handler or the default one? We had similar issues and found that the SAML assertion wasn’t including all required attributes. Our IdP was configured to send ‘mail’ and ‘displayName’ but not ‘uid’. We had to update the attribute release policy on the IdP side to include all attributes that Teamcenter expects for user lookup.
Check your REST API security configuration in the Teamcenter server. There’s usually a mapping file that defines which token claims map to which user attributes. For SBOM endpoints specifically, they might have additional security requirements.