SSO between ADFS 2.0 and SAP EP 7.3
I need to enable the identity provider ADFS 2.0 to create users in the service provider SAP EP 7.3, which is integrated with and using SAP R/3 UME.
The scenario is that we should allow users to be auto-generated through SSO from ADFS 2.0 to SAP EP 7.3.
I configured the SAP portal as the SAML 2.0 service provider and ADFS 2.0 as the identity provider.
Now SSO is working with same and different user IDs between IdP and SP.
Now how do I enable the IdP (ADFS 2.0) to automatically create users in the SP (SAP NW 7.3)?
In the SAML 2.0 Configuration page in NWA, I selected the "Identity Federation" tab, and in the "Supported Name ID Formats" table I added the Unspecified name ID format with federation type "Persistent Users (Advanced)", selected the "Allow Automatic Creation of Accounts" check box, and maintained User ID Source as Assertion Subject NameID and User ID Mapping Mode as Logon ID. I also specified assertion-based attributes and default roles.
When I log in to the service provider, it redirects me to the identity provider. I logged in with the user in the identity provider. It then redirects me to the service provider's application but didn't create the user. It lands on the login page with the warning message "Your account on identity provider [ADFS 2.0] is not federated with any local account". When I click on the link "New Here?Register Now and Federate Accounts", it creates the account and assigns the user the default roles and user attributes I maintained.
How do I federate an ADFS 2.0 user account with a local account in SAP EP 7.3?
Desislava Petkova replied
Hello Eben Joyson,
When you click the link "New Here?Register Now and Federate Accounts", the newly created user is automatically federated with the ADFS account.
In case you would like to federate already existing users in SAP EP 7.3 with ADFS accounts, you need to enable the option "Allow interactive linking of accounts". If both options are enabled, some users can choose to create a new account and federate, and others can use their existing username and password and federate the accounts by selecting the "Federate Local Account" checkbox.
You can find more information on the following wiki page: http://wiki.sdn.sap.com/wiki/display/Security/Implementation+of+Identity+Federation+for+SAML+2.0#ImplementationofIdentityFederationforSAML2.0-PersistentUsers%28Advanced%29
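
To compare what ADFS actually sends with the Identity Federation settings described in the question (Unspecified name ID format, User ID Source set to the Assertion Subject NameID, assertion-based attributes), the following added example, which is not part of the thread and not SAP or Microsoft code, decodes a SAMLResponse and reports the Subject NameID, its Format, and the attributes. The sample response, the user `alice`, the `mail` attribute, and the function name `inspect_response` are constructed for illustration; the code inspects only and does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample response (not captured from a real ADFS server).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE = base64.b64encode(SAMPLE_XML.encode()).decode()


def inspect_response(b64_response, accepted_formats=(UNSPECIFIED,)):
    """Return the values an SP would use to map or create the local user."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion has to be decrypted before it can be inspected.
        raise ValueError("no cleartext Assertion in response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject NameID")
    # SAML 2.0 core: an absent Format attribute means 'unspecified'.
    fmt = name_id.get("Format", UNSPECIFIED)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text for v in values]
    return {
        "name_id": name_id.text.strip(),
        "format": fmt,
        "format_accepted": fmt in accepted_formats,  # matches SP's format list?
        "attributes": attrs,
    }


if __name__ == "__main__":
    print(inspect_response(SAMPLE))
```

Pass the Name ID formats listed in the SP's "Supported Name ID Formats" table as `accepted_formats` to see whether the format in the assertion is one the SP is configured for.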