As you know, the report RSUSREXTID allows you to assign external ID to users. There is External ID type SA - SAML NameIdentifier (PartnerID:NameQualifier:Name). It's a pretty simple report and therefore it has some limitations. Basically, the external ID is created from prefix, username and suffix. Check Note 1254821 - SAML authentication for Web services in AS ABAP which describes how to use this report for SAML.

Since some releases SAP provide enhancement spot USREXTIDMAPPING mentioned in that note which gives you more flexibility. Basically, you can create your own logic for SAML external ID. For example if you want to use email address as SAML user ID then and you mantain user's email address in SU01 then it's pretty easy to implement logic to fetch email address from user master record, change it to required format and pass it back as SAML user ID.

If your system does not have this enhancement spot then I would just create a copy of report RSUSREXT (this report is called from RSUSREXTID) and I would modify routine CREATE_EXTID. I guess that you will use thi report just once during migration. If yes then you don't need to care about creating a copy of standard object. There is also attached example of custom report in note 1254821.

Yes, that note is only in German but as I said Google Translate returns a reasonable translation of that note.

Cheers

Hi,

those fields correspond to org. unit definition used in certificates (for example check the field Issuer in any SSL certificate). C is country, OU is organizational unit and O is organization.

The note 1254821 contains how to generate SAML external names.

External ID type: SA
Prefix of external name: <name of SAML issuer as in saml:Assertion/@Issuer, e.g. BXI/000>:<name identifier as in saml:Assertion/saml:Subject/saml:NameIdentifier/@NameQualifier>
Suffix of External Name:
Optional: Issuer's Name: For SAML, this field is mandatory and must be the subject name of the signature certificate as contained in the System PSE in transaction STRUST.

There is an example for user USER123. The SAML assertions are issued by issuer "BXI/000" and the issuer does not use name qualifier. The key has format "issuer":"name qualifier":"user name". In this example the external ID for user USER123 is BXI/000::USER123. Therefore the prefix field needs to be set to BXI/000:: and the suffix field needs to be left blank.

Just to summarize it. Your identity provider generates the SAML assertions. You need to know how the provider is identified and what name qualifier it uses. These two values define prefix field. It's possible that you need to implement enhancement to convert SAP user name to user named used by identity provider. Don't forget to fill field Issuer's name where you need to use values from certificate used for signing SAML assertions. The public part of this certificate needs to imported into consumer system.

Cheers

Hi,

identity provider is a Java application which can be deployed to any Java AS with sufficient SP level (7.2 SP3). Check the document which I have mentioned in this thread. You can download this application from service.sap.com/swdc as a SCA file. I am not sure about licensing. That document also mentions that you must have IdM 7.1 SP5 but I am not sure why you should not be able to use only identity provider except licensing issues.

I also got confused. Aren't you looking for scenario described [here|http://help.sap.com/saphelp_nwce72/helpdata/en/f2/1d7a4a9cb7486db6b439d35741c51f/frameset.htm]?

Cheers

Hi Martin,

To use SAP's IdP, yes you must have a SAP NetWeaver IDM 7.1 SP 5 license. See the implementation guide for the IdP. If you have another IdP, SAPs SP should be inter operable. It did pass SP lite certification.

-Michael

Hi Michael,

I could see that requirement but I was thinking more about technical point of view. As far as understnad Identity Provider is a java application which authenticates a user against UME and returns a SAML message which is used to prove identity to service provider. I don't see why you need to have other compoments of IdM deployed to your landscape.

Cheers

Hi Martin,

There is no other technical requirement than licensing at this time. It is my opinion that SAP hopes to offer tighter integration advantages between the IdP and the rest of the SAP NetWeaver IDM product. This licensing requirement sets the stage, so to speak.

-Michael

Hi Kiran,

What is the version and SP level of the ABAP system you are using? You can check ABAP server traces to see what is received and why the mappings failed.

Regards,

Desislava