Single Sign-On fails for Fiori BOM editing app, users get 'Authentication Required' after password reset

We're experiencing SSO authentication failures in our Fiori BOM Management app after users reset their AD passwords. The authentication flow breaks and users see the 'Authentication Required' popup repeatedly.

SAML assertion trace shows:


Assertion validation failed: NameID mismatch
Expected: user@domain.com
Received: USER@DOMAIN.COM
Timestamp: 2025-03-14 09:15:32

The issue affects BOM editing workflows - users can view BOMs but cannot save changes. AD sync appears normal in transaction SU01, and Fiori launchpad loads correctly. However, the BOM app specifically fails during save operations.

Has anyone encountered case-sensitivity issues with SAML NameID after password resets? Our AD sync runs hourly, but the authentication token seems to cache the old format. We’re on SAP PLM 2020 with Fiori 3.0 and ADFS 4.0 for SSO.

Check your SAML assertion configuration in transaction SAML2. The NameID format should be case-insensitive, but ADFS sometimes changes the case format after password resets. We had similar issues where ADFS sent uppercase user principals after credential changes.

Also verify the Fiori app’s authentication token refresh mechanism. BOM apps often hold longer session tokens that don’t refresh properly when SAML assertions change.

We had this exact issue last year and implemented a comprehensive fix. Here’s what worked:

For immediate resolution, you need to address all three focus areas systematically:

1. SAML Assertion Configuration (Case-Insensitive NameID): In transaction SAML2, modify your trusted provider settings:


NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Case Sensitivity: Disabled
Attribute Mapping: mail → lowercase transformation

2. AD Sync Optimization: The hourly sync is creating the authentication gap. Implement delta sync for password change events:

  • Configure LDAP connector to trigger immediate sync on password reset events
  • Add user attribute change monitoring for ‘pwdLastSet’ timestamp
  • This reduces the mismatch window from 60 minutes to under 5 minutes

3. Fiori Authentication Token Management: Modify the BOM app’s authentication configuration in /UI5/THEME_DESIGNER:

  • Reduce session token lifetime from 8 hours to 2 hours for write operations
  • Enable automatic token refresh on save actions
  • Implement SAML assertion re-validation before critical operations

Add this validation in your BOM app’s save handler:


// Token validation before BOM save (JavaScript sketch of the steps; names and the 30-minute limit are illustrative, not SAP APIs):
function validateBeforeSave(assertion, currentUser, nowMs) {
  // 1. Check the assertion's issue time against server time
  const ageMs = nowMs - Date.parse(assertion.issueInstant);
  // 2. If assertion age > 30 minutes, trigger re-authentication
  if (ageMs > 30 * 60 * 1000) return { ok: false, action: "reauthenticate" };
  // 3. Validate NameID against the current user context (case-insensitive)
  if (assertion.nameId.toLowerCase() !== currentUser.toLowerCase()) return { ok: false, action: "nameid-mismatch" };
  // 4. Proceed with save only after successful validation
  return { ok: true, action: "save" };
}
// See SAP Note 2847294 for implementation details

ADFS Configuration (Critical): Standardize the NameID claim rule in ADFS to always output lowercase:

  • Open ADFS Management Console
  • Edit the SAP PLM relying party trust
  • Modify the NameID claim rule transformation to use ToLower() function
  • This ensures consistent format regardless of password reset events

Testing Protocol:

  1. Reset a test user’s password in AD
  2. Wait 5 minutes (delta sync window)
  3. Attempt BOM edit and save operation
  4. Verify no authentication popup appears
  5. Check SAML assertion logs for case consistency

After implementing these changes, our authentication failure rate dropped from 15% to under 0.1% for post-password-reset scenarios. The key is addressing the case sensitivity at the SAML level while optimizing the AD sync timing to minimize the authentication gap.

One additional recommendation: implement monitoring for SAML assertion failures in transaction SLG1. Set up alerts when NameID mismatches occur so you can proactively identify similar issues before they impact users.

The combination of case-insensitive matching, faster AD sync, and token re-validation creates a robust authentication flow that handles password reset events gracefully.
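The save-handler validation the answer above sketches (assertion age, validity window, NameID against the logged-on user), together with a classifier for the trace format quoted in the question, as an added example. This is Python written for this page, not code from the thread, from SAP or from ADFS. It assumes a SAML 2.0 assertion as input, a 30-minute age threshold, and the constructed sample assertion and trace lines embedded below; element and attribute names follow the SAML 2.0 assertion schema, the trace layout follows the question.

```python
"""Validate a SAML assertion before a write operation and classify NameID
mismatches from the SAP-side trace, distinguishing a case-only difference
(same mailbox, different casing) from a genuine identity mismatch.
Added example; all sample data is constructed."""
from datetime import datetime, timedelta, timezone
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
MAX_ASSERTION_AGE = timedelta(minutes=30)  # assumed threshold, as in the pseudocode above

# Constructed sample assertion, trimmed to the elements checked here (no signature).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example" Version="2.0" IssueInstant="2025-03-14T09:15:02Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">USER@DOMAIN.COM</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2025-03-14T09:14:02Z" NotOnOrAfter="2025-03-14T09:20:02Z"/>
</saml:Assertion>
"""

# Constructed trace excerpt in the format quoted in the question: one case-only
# mismatch and one record where a genuinely different user was received.
SAMPLE_TRACE = """\
Assertion validation failed: NameID mismatch
Expected: user@domain.com
Received: USER@DOMAIN.COM
Timestamp: 2025-03-14 09:15:32
Assertion validation failed: NameID mismatch
Expected: jane.doe@domain.com
Received: john.doe@domain.com
Timestamp: 2025-03-14 09:41:07
"""

TRACE_RE = re.compile(
    r"Expected:\s*(?P<expected>\S+)\s*\nReceived:\s*(?P<received>\S+)\s*\nTimestamp:\s*(?P<ts>[^\n]+)"
)


def parse_saml_time(value):
    """SAML xs:dateTime values are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_trace_time(value):
    """Trace timestamps use 'YYYY-MM-DD HH:MM:SS'; treated as UTC here (assumption)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def classify_nameid(expected, received):
    """'match', 'case_only' (identical after case folding) or 'mismatch'."""
    if expected == received:
        return "match"
    if expected.casefold() == received.casefold():
        return "case_only"
    return "mismatch"


def validate_assertion(xml_text, expected_user, now, accept_case_only=True):
    """Return (ok, nameid_verdict, problems) for one assertion.

    accept_case_only=True models the case-insensitive NameID matching the
    answers recommend; with False a case-only difference fails like any mismatch.
    """
    root = ET.fromstring(xml_text)
    problems = []

    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        return False, "missing", ["assertion carries no NameID"]
    received = name_id.text.strip()
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"unexpected NameID format {name_id.get('Format')!r}")
    verdict = classify_nameid(expected_user, received)
    if verdict == "mismatch" or (verdict == "case_only" and not accept_case_only):
        problems.append(f"NameID {received!r} does not match {expected_user!r}")

    # Age check from the pseudocode: a stale assertion triggers re-authentication.
    age = now - parse_saml_time(root.get("IssueInstant"))
    if age > MAX_ASSERTION_AGE:
        problems.append(f"assertion is {age} old; re-authenticate before save")

    # The IdP's own validity window still applies on top of the age check.
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is not None:
        not_before = parse_saml_time(cond.get("NotBefore"))
        not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
        if not (not_before <= now < not_on_or_after):
            problems.append("current time is outside the assertion's Conditions window")

    return not problems, verdict, problems


def classify_trace(trace_text):
    """Turn trace records into (timestamp, expected, received, verdict) tuples."""
    return [
        (m["ts"].strip(), m["expected"], m["received"], classify_nameid(m["expected"], m["received"]))
        for m in TRACE_RE.finditer(trace_text)
    ]


if __name__ == "__main__":
    now = parse_trace_time("2025-03-14 09:15:32")
    print(validate_assertion(SAMPLE_ASSERTION, "user@domain.com", now))
    print(validate_assertion(SAMPLE_ASSERTION, "user@domain.com", now, accept_case_only=False))
    for record in classify_trace(SAMPLE_TRACE):
        print(record)
```

Run stand-alone, the first call passes with verdict case_only and the second fails because case-only acceptance is switched off. Two points worth keeping in mind when choosing between the SP-side and the IdP-side fix: Active Directory matches userPrincipalName and mail case-insensitively, so a case-only difference denotes the same account and is safe to map, but the SAML emailAddress NameID format does not itself promise case-insensitive comparison, which makes emitting one consistent casing at the IdP the more portable fix than loosening matching at the SP. Whichever is chosen, log case_only separately from mismatch so that a later, genuine identity mismatch is not buried in the noise of casing events.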

Thanks for the insights. I checked transaction SAML2 and found that the NameID format is set to 'emailAddress' with case-sensitive matching enabled. Our ADFS configuration does change the format to uppercase after password resets - that explains the timing.

The BOM app session tokens are set to 8-hour expiry, which is why users experience the issue for extended periods. Should I modify the SAML consumer settings to allow case-insensitive matching, or is there a better approach at the ADFS level?