How to read user name - SAML2

Former Member
0 Kudos

Hi,

I've configured our NW Gateway system (NW 7.31) with an external identity provider via SAML2, so our web apps (Web Dynpro and SAPUI5) are now accessible to people who don't have an account in our SAP system but have access to our other (non-SAP) system. My question is how to read the user name of this user, who is authenticated and authorized on the external server, in the ABAP code of our web apps?

Many thanks for an answer. Jiri

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Neuzil,

What do you mean by user name? sy-uname gets filled just as with every other authentication method.

Regards,

Patrick

18 REPLIES
0 Kudos

Hi,

thanks for the reply. I think sy-uname will contain some default communication user, but I need the user name used for authentication on the non-SAP portal. Scenario:

WD app on Gateway -> user clicks on logon -> redirected by SAML2 to the non-SAP portal -> user logs in with a user name and password existing in the non-SAP system -> redirected back and logged in to the WD app on Gateway: I need the user name which the user used for logging in to the non-SAP system.

Thx Jiri

0 Kudos

Hi Jiri,

just to get you right: in your approach, the users do not have any account on the backend (as in this case, you could just use trusted RFC)?

Maybe I misunderstand your question, but my approach would be to add this field to the data model on the backend (if it is not already there) and on the gateway system fill this field with the contents of sy-uname when doing the call to the backend.

BTW: I would suggest you ask this question over in the SAP NetWeaver Gateway forum, as there might be other options as well.

Regards,

Patrick

0 Kudos

Hi Patrick,

and do you know how I can retrieve this user name from the SAML2 response directly on the Gateway system? You are right that I can then save this user name to one field of the data model.

Or do you think I can create my own login screen on the gateway (where I can save the typed user name) and then perform the SAML2 authentication on my own?

Thanks Jiri

0 Kudos

Hi Jiri,

I'm referring to the gateway system. If you authenticate there via SAML2, the users need to be there as well; then you can retrieve this info by checking sy-uname. If this is not the case, for example because the identity used to authenticate at the gateway system is always the same, you are pretty much out of luck, as the ABAP system to my knowledge neither supports SAML2 attribute queries, nor do I know how to access additional attributes which might be part of a SAML2 message in ABAP. The only thing you could then do is to add the info as part of the initial request, for instance as parameters to the request.

Regards,

Patrick

0 Kudos

Hi Patrick,

I will try to describe situation:

we have configured SAML2 authorization against our non-SAP portal for our gateway system. Then I created a simple SAPUI5 application and in the SICF t-code I selected SAML2 as the authentication method. When the user opens the URL of our SAPUI5 application, he is automatically redirected to our non-SAP portal, and once he is successfully logged in there, he is redirected back to the SAPUI5 application on the Gateway system. But here I have the problem, because I need the user name used for logging in to the non-SAP system in order to show the right data for the currently logged-in user.

If I create users in the Gateway system, where is the reason for SAML2? If I have users in the gateway system, I can use the std. SAP logon....

Many thanks Jiri

0 Kudos

Hi Jiri,

even with SAML2, you have to have a user in the system that matches the credentials provided by the SAML2 IdP; you just do not need to provide the username and password to the end user. So when you access a gateway system with authentication set to SAML2 via a SAPUI5 application, some user needs to be known to the gateway system.

You can customize what information is provided by the IdP to determine the SAP user; this can be the email address of the user (which would then be the identifier contained in the SAML assertion). If you have a one-to-one relationship between the user on the IdP and the SAP user, you might be able to just revert this mapping via the info in the SAML2 mapping tables. In other cases, I do not know of any reliable method to determine the SAML assertion which led to the creation of a session.

The gateway system can forward the info on the current user either in the payload or via identity propagation (preferred, depending on your use case) to the backend system.

If you want to restrict access to data per user, I would recommend using authorizations. In this case the recommendation would be to provision the users to the backend system as well and use identity propagation. Please keep in mind that the users will not necessarily be able to access the backend system directly, as long as you permit them to log in only via SSO and control the access via the SSO mechanisms.

The reason for using SAML2 is to achieve SSO between systems; it also allows the creation of users on demand, so you do not have to provision the users first, but the user will be created when he authenticates via SAML2. For more information on SAML2, please see the SAML2 overview in the docs.

0 Kudos

Hi Patrick,

through sec_diag_tool I'm able to see the SAML2 response from my identity provider. I can see that in the SAML2 attributes I have the personal number which I have in the external system, and I have the same number in the HR master data for each person in the backend SAP system... so my question now is how to read these SAML2 attributes in my ABAP code:

part of the SAML2 response:

     <saml:Attribute Name="https://whoami.cesnet.cz/attribute-def/tcsPersonalID"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
       <saml:AttributeValue xsi:type="xs:string">23060@vutbr.cz</saml:AttributeValue>
     </saml:Attribute>

Thanks Jiri

0 Kudos

Unfortunately you can't, according to my information. Only the diag tool is able to see the information, for debugging purposes.

Regards,

Patrick

mvoros
Active Contributor
0 Kudos

Hi,

I assume that you have one service user that is used to execute gateway services and you map every external user to this user. I don't think that you will be able to get the original user. I am not even sure if the identity provider passes this info to the service provider. I guess it issues an authentication token for your service user only.

Cheers

Former Member
0 Kudos

Hi,

yes, you are correct. We have Gateway, we have the backend SAP system, and we have the user authenticated on our non-SAP portal by SAML2. This scenario is working, but I need the user name from the portal, because every user has his own data in the backend system.

Many thanks Jiri

mvoros
Active Contributor
0 Kudos

Hi,

I haven't tested it, but I don't think that the email address is passed back to the service provider. I assume that the identity provider just issues a logon ticket for a service user. So it's quite possible that the service provider never gets an email address. You could verify this by sniffing the SAML token.

I would strongly advise against creating a custom logon screen that would capture the email address. Security is not a good place for creative solutions.

Maybe take a step back. You mentioned that you have a separate box for GW. Why can't you create those users on this box and not use a service user? As far as I know, GW is licensed based on the number of calls, not on the number of users. This might be different in your case. What's the reason for using one service user instead of multiple users? Is it just licensing, or don't you have an easy way to provision these users?

Cheers

Former Member
0 Kudos

Hi Martin,

many thanks for your answer.

So there is no possibility of getting the user name on the SAP system (backend or gateway) for users who are authenticated on non-SAP systems by SAML2? But every user (SAP or non-SAP) has his own data; how can I distinguish between different SAML2-authenticated users?

Yes, maybe I can create users on the gateway, but the organization is a public university; lots of students get fired every day, and we have to remove them from our study system and also from the gateway: duplicate work. We want to create a set of SAPUI5 apps for students where they can see their payments, for example... but I need the student login name to show

Thanks Jiri

Former Member
0 Kudos

Then create a function on the non-SAP portal which the backend can make a callback to, and then either create the user, use ABAP logic which is free of AUTHORITY-CHECKs (which are calling-user specific), or assign the user-specific roles to the user.

SAP had something similar before with SU05 users. The problem is that it has massive functionality restraints if the runtime is a generic service user ID against which the checks are performed.

So... you need to explain how granular you need control on the backend. That will determine the best solution. Getting the user name, mapping it and reacting to it will not be a problem.

Cheers,

Julius

mvoros
Active Contributor
0 Kudos

Hi,

I think you can't distinguish directly, because your identity provider maps every non-SAP user to one SAP user. So for the SAP system it always looks like one account (service user). To confirm this assumption, I would suggest checking what SAML messages are passed between the client and the SAP system.

You can't trust the client. Hence you can't ask the client what his non-SAP account ID is. A workaround could be to have the non-SAP system issue an HTTP cookie that is signed and contains the non-SAP user ID. You can get access to HTTP cookies in a custom HTTP handler, so that would allow you to get the non-SAP ID. So the flow could be:

1. A user goes to the non-SAP system and authenticates against it using SAML

2. The non-SAP system issues a custom HTTP cookie that is signed and redirects to the SAP system (the systems must share a common domain, otherwise the SAP system won't be able to read the generated cookie)

3. The SAP system uses SAML to authenticate the user. The user is logged on as the SAP service user

4. A custom HTTP handler reads the HTTP cookie, verifies the signature and extracts the non-SAP user ID (verification is important)

5. The GW service is executed, using the non-SAP ID extracted in step 4

As you can see, the above solution is quite tricky. The proper solution to me seems to be automating user provisioning to your gateway system. You need to deploy some kind of identity management solution. There is SAP IdM, but there are also solutions from other vendors. You could even build a custom one for this specific case. I assume that you have an LDAP server with all users. So building a script that dumps all students into a flat file and then uses standard BAPIs to create/change users should not take too long to build. The customer solution is not going to be a future-proof solution.

Cheers
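The signed-cookie workaround from steps 2 and 4 above, as an added example that is not code from this thread: the portal side issues the cookie and the SAP-side handler verifies it before trusting the user ID. The shared key, TTL and cookie layout (base64 payload, dot, base64 HMAC-SHA256 tag) are assumptions of this example; an ABAP HTTP handler would implement the verify side.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; in practice a secret shared only by the non-SAP
# portal (issuer) and the SAP-side custom HTTP handler (verifier).
SHARED_KEY = b"demo-shared-secret-not-for-production"
COOKIE_TTL_SECONDS = 300  # assumed freshness window for a cookie


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, key: bytes = SHARED_KEY, now: Optional[int] = None) -> str:
    """Portal side (step 2): bind the non-SAP user ID and an issue time
    under an HMAC-SHA256 tag. Cookie value = b64(payload).b64(tag)."""
    issued_at = int(time.time() if now is None else now)
    payload = json.dumps({"uid": user_id, "iat": issued_at},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes = SHARED_KEY, now: Optional[int] = None) -> Optional[str]:
    """SAP-side handler (step 4): return the user ID only if the tag is
    valid and the cookie is fresh, else None. Check the tag before parsing."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)  # safe: only a key holder could sign it
    current = int(time.time() if now is None else now)
    if not isinstance(claims.get("uid"), str):
        return None
    if current - int(claims.get("iat", 0)) > COOKIE_TTL_SECONDS:
        return None  # stale cookie; limits replay of a captured value
    return claims["uid"]
```

The `now` parameter exists only so the freshness check is testable; the handler would normally use the clock.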

Former Member
0 Kudos

It seems the actual requirement is user-specific authorizations on the backend, and authentication would be the correct means to that end, but there is an alternative:

After authentication of the service user on the backend, perform a "call back" to get the user name from the RFC client system (there are ABAP functions for that, but you will need to provide an equivalent non-SAP function on your portal).

You won't be able to check auths, but you could for example use business-partner-like functionality, as the user name is known.

Just a thought,

Julius

0 Kudos

Hi Julius,

to my understanding, the ABAP backend has info about persons which are not users in the system itself but users in another system. If the users were also present in the ABAP backend, one could just use identity propagation (assertion tickets, ...) or trusted RFC to authenticate at the backend instead of using a service user. But maybe Jiri can give us a more precise picture of the situation and the requirements, because this is also not clear enough for me.

Regards,

Patrick

0 Kudos

That is what I was thinking as well (the ABAP backend can have info about the user without there necessarily being an SU01 user ID), so it can be reused for access logic which is not associated with AUTHORITY-CHECK in the backend system, but rather some business partner access or similar.

But provisioning the user through does give lots of functional freedom and authorization granularity.

I think it is clear that Jiri wants to know the name of the caller as a minimum, but what is that name needed for? A simple mapping logic which a service could take care of, or a more complex scenario with authorization granularity beyond the user name and a few attributes, which the backend does not have without the support of authorizations (which one service user cannot support on its own)? In the latter case Jiri should go for the scenario of the delayed login to migrate the user to the backend and authorize it correctly. This is quite a popular requirement for IDM scenarios and workflows (using geographical attributes and approval workflow tasks).

Cheers,

Julius