[doc issue] Propagated User ID flow

[Naguco]

Issue description

The documentation for the Propagated User ID: Sources section describes two sources in priority order:

1. Field in the JWT
2. Custom User Attribute

For source 1, it states:

• "If the userIdSource property is configured in the destination, its value is the key of the JWT field that will be the user ID (if there is no such key in the JWT, the flow proceeds to the next level)."

The phrase "proceeds to the next level" is ambiguous. It is unclear whether "next level" means:

• (A) Proceeds to the next source in the priority list (Custom User Attribute) — meaning nameIdFormat is never consulted when userIdSource is set, or
• (B) Proceeds as if userIdSource is missing — meaning the nameIdFormat fallback still applies

How should I interpret the flow proceeds to the next level? Should we consider adding a bit more of context to that statement?
Like: if there is no such key in the JWT, the flow proceeds to:

• A: Custom User Attribute process
• B: Proceeds as if userIdSource is missing

This ambiguity has a direct impact on how developers configure destinations.

Consider this scenario:

• Destination has userIdSource = logonName
• The incoming JWT does not contain a logonName claim at root level
• The JWT does contain user_name and email claims
• nameIdFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

Under interpretation A, the Destination service skips to Custom User Attribute and fails if the JWT lacks user_attributes scope, even though user_name is present and nameIdFormat would resolve it correctly.

Under interpretation B, the nameIdFormat fallback kicks in and the propagation succeeds using user_name.

Kind regards,
Nata.

Feedback Type (Optional)

None

Page Title on SAP Help Portal (prefilled)

User Propagation via SAML 2.0 Bearer Assertion Flow

Page URL on SAP Help Portal (prefilled)

https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/user-propagation-via-saml-2-0-bearer-assertion-flow

[Frank1Mueller]

Hi Francisco,

thanks a lot for your feedback :)

We'll look into your issue and get back to you as soon as possible.

Best regards

Frank

[sap-doc-bot]

Thank you for your valuable feedback contribution, @Naguco! So that we can recognize your contribution in the SAP Community, please check your SAP Community user ID (this is a number). To do so, navigate to your personal settings page, open the menu below your user picture in the upper right corner, and choose My content. Copy the user ID from the URL and share it with us in a reply to this comment. Make sure you just include the number in the reply.

Example URL: https://community.sap.com/t5/user/viewprofilepage/user-id/53

User ID: 53

Please note that we are currently refactoring our profile and badge system on the SAP Community, and will start assigning badges again when that's complete.

[Frank1Mueller]

Hi Francisco,

thanks again for your feedback :)

We have now looked into your issue.

Indeed, the statement if there is no such key in the JWT, the flow proceeds to the next level may be a bit confusing in this place. It simply means proceed to the next point in the list (fallback to destination property nameIdFormat).

So, your option B is given.

We will adapt the documentation accordingly.

Best regards

Frank

[Naguco]

Thank you for your valuable feedback contribution, @Naguco! So that we can recognize your contribution in the SAP Community, please check your SAP Community user ID (this is a number). To do so, navigate to your personal settings page, open the menu below your user picture in the upper right corner, and choose My content. Copy the user ID from the URL and share it with us in a reply to this comment. Make sure you just include the number in the reply.

Example URL: https://community.sap.com/t5/user/viewprofilepage/user-id/53

User ID: 53

Please note that we are currently refactoring our profile and badge system on the SAP Community, and will start assigning badges again when that's complete.

User ID: 116758