Identity Federation

Use

Identity federation provides the means to share identity information between partners. To share information about a user, partners must be able to identify the user, even though they may use different identifiers for the same user. The SAML 2.0 standard defines the name identifier (name ID) as the means to establish a common identifier. Once the name ID has been established, the user is said to have a federated identity.

The service provider obtains the SAML subject identifier from the identity provider, either from the assertion subject name ID or from an assertion attribute; the User ID Source field defines which of the two is used. The service provider then checks the User ID Mapping Mode to determine how to find the user in its user management engine (UME). When the service provider finds the local user, it authenticates the user.

Figure 1: Identity Federation Principles
Example

Users in the identity provider always log on with their e-mail address. The logon ID and e-mail address are identical. The administrator of the identity provider agrees to provide the Unspecified name ID format including the logon ID. After a user successfully logs on to the identity provider, the identity provider provides the logon ID of the user to the service provider in the SAML assertion. The service provider is also configured to use the Unspecified name ID format and is configured to use the user attribute for the e-mail address. The service provider searches for the user with an e-mail address that matches. As long as the e-mail address in the service provider is unique, the service provider can log the user on.

The figure below shows that Laurent Becker has different user IDs on the identity provider and the service provider. With SAML 2.0 he authenticates on the identity provider. The identity provider passes his user ID to the service provider, and the service provider searches for his user by his e-mail address. Thus his two accounts are linked by user ID and e-mail address.

Figure 2: Example of Identity Federation with Unspecified name ID formats

Types of Federation

The following types of federation are configured for the name ID formats:

  • Persistent Users

  • Persistent Users (Advanced)

  • Virtual Users

Persistent Users

Configuring the name ID federation type Persistent Users sets the system to simple out-of-band account linking. The purpose of the Persistent Users type is to establish permanent user IDs in the user management engine (UME). The UME acts as a database for the service provider that is used to authenticate assertions from the identity provider.

In this case the identities of a user in system A and system B are identified and agreed upon ahead of time between the administrators of the two systems. This kind of agreement is also supported by SAML 1.x. The administrator of the identity provider and the service provider agree how the name ID used for the user in the identity provider maps to the user in the service provider.

Use this kind of federation to support most scenarios where you need to map user identities across domains.

For more information about configuring name IDs with the Persistent Users federation type, see Configuring Federation Type Persistent Users.

Persistent Users (Advanced)

The Persistent Users (Advanced) federation type gives more flexibility in the configuration of the service provider and the identity provider. It also allows the service provider to restrict which user IDs it accepts.

Federation type Persistent Users (Advanced) also offers the following additional options:

  • Allowing the identity provider to create the name ID. The identity provider may have the authorization to generate a new identifier for the user, should one not already exist. The service provider grants that permission by setting the AllowCreate attribute on the NameIDPolicy element to 'true'.

  • Allowing interactive federation

    Federation is established on the fly. You can enable users to interactively establish federation between existing accounts or even create their own accounts on the target system with self-registration.

    Use this kind of federation if you have not created persistent pseudonyms on the identity provider and service provider ahead of time. It enables you to configure these mappings as you go.

  • Allowing automatic creation

    Federation is established on the basis of attributes passed to the target system. If the user has no account in the target system, the service provider automatically creates the account. The attributes are generated from rules based on SAML 2.0 attributes sent in SAML messages.

    Use this kind of federation to create and even provision users as you federate their accounts on the service provider.

  • Updating attributes, roles, and groups at login. This option sets attributes, roles, and groups on the service provider so that they also match the respective settings at the identity provider.

  • Filtering user IDs passed from the identity provider. This field defines what user ID pattern the service provider can accept.

  • Adding a prefix and suffix to a user ID. This field helps the service provider to construct the right user ID.

Example

The service provider receives assertions from several identity providers. If each identity provider sends a user ID with the same name, it is difficult to distinguish between these providers. By adding a prefix and/or suffix value to this user ID, the system knows which identity provider the user is authenticated by. In addition, the regular expression can guarantee that a user ID ending with sap.com is authenticated, but no other user ID is.
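The following is an added illustration, not code from SAP's UME, of the service-provider side of the two examples above: Laurent Becker's e-mail based lookup and the prefix/suffix and regular-expression filtering for several identity providers. The user store, issuer names and settings are constructed sample data, and the lookup covers the User ID Mapping Mode values E-mail, Logon ID, Kerberos Principal Name (principal@realm) and Windows Name (domain/principal); an identifier that matches more than one local user is rejected, since the e-mail address must be unique for the logon to succeed.

```python
import re

# Constructed stand-in for the service provider's UME user store (sample data only).
SP_USERS = [
    {"logon_id": "lbecker", "email": "laurent.becker@sap.com", "principal": "lbecker", "realm": "SAP.COM", "domain": "SAP"},
    {"logon_id": "jdoe", "email": "john.doe@sap.com", "principal": "jdoe", "realm": "SAP.COM", "domain": "SAP"},
    {"logon_id": "idpb_jdoe", "email": "jdoe@partner.example", "principal": "idpb_jdoe", "realm": "IDPB", "domain": "IDPB"},
    {"logon_id": "tmp1", "email": "shared@sap.com", "principal": "tmp1", "realm": "LAB", "domain": "LAB"},
    {"logon_id": "tmp2", "email": "shared@sap.com", "principal": "tmp2", "realm": "LAB", "domain": "LAB"},
]

# Assumed per-issuer settings (constructed): the regular expression a received user ID
# must match to be accepted, and the prefix/suffix the service provider adds before lookup.
IDP_SETTINGS = {
    "https://idp-a.example": {"accept": r"^[^@\s]+@sap\.com$", "prefix": "", "suffix": ""},
    "https://idp-b.example": {"accept": r"^[a-z]+$", "prefix": "idpb_", "suffix": ""},
    "https://idp-c.example": {"accept": r"^[A-Z]+/[a-z]+$", "prefix": "", "suffix": ""},
}

def _matches(user, mode, ident):
    """Compare one user record with the identifier under a User ID Mapping Mode."""
    if mode == "E-mail":
        return user["email"].lower() == ident.lower()
    if mode == "Logon ID":
        return user["logon_id"] == ident
    if mode == "Kerberos Principal Name":            # expected format principal@realm
        principal, sep, realm = ident.partition("@")
        return bool(sep) and (user["principal"], user["realm"].upper()) == (principal, realm.upper())
    if mode == "Windows Name":                       # expected format domain/principal
        domain, sep, principal = ident.partition("/")
        return bool(sep) and (user["domain"].upper(), user["principal"]) == (domain.upper(), principal)
    raise ValueError(f"unsupported mapping mode: {mode}")

def resolve_user(issuer, name_id, mode):
    """Return the logon ID of the single matching local user, or None when the issuer is
    unknown, the user ID fails the accept filter, or the match is missing or ambiguous."""
    settings = IDP_SETTINGS.get(issuer)
    if settings is None or not re.fullmatch(settings["accept"], name_id):
        return None                                   # reject IDs outside the agreed pattern
    ident = settings["prefix"] + name_id + settings["suffix"]
    hits = [u for u in SP_USERS if _matches(u, mode, ident)]
    return hits[0]["logon_id"] if len(hits) == 1 else None   # a duplicate e-mail must not log on
```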

For more information about configuring name IDs with the Persistent Users (Advanced) federation type, see Configuring Federation Type Persistent Users (Advanced).

Virtual Users

The purpose of the Virtual Users type is to create a temporary user ID in the UME. A federation of this type exists only for the length of the security session. Because the user ID is temporary and limited to the session, account linking features are not necessary.

For more information about configuring name IDs with the Virtual Users federation type, see Configuring Federation Type Virtual Users.

Qualified Format Names

The system supports the following qualified format names:

Name ID Format       Fully Qualified Format Name
E-mail               urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Kerberos             urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
Persistent           urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Transient            urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Unspecified          urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Windows Name         urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
X509 Subject Name    urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

Each name ID format has its own configuration, independent of the configuration of the other name ID formats.

If you set the service provider to use the assertion attribute Assertion Subject NameID, you allow the provider to use the information defined by the NameID sub-element of the Subject element in the assertion passed by the identity provider.

User ID Mapping Mode Values

The User ID Mapping Mode allows you to set the following values:

  • E-mail: The value is the e-mail address. The service provider searches for a user whose e-mail address corresponds to the identifier.

  • Kerberos Principal Name: The service provider handles the received user identifier as being in the format principal@realm and looks for a user whose principal and realm account attributes match the user identifier.

  • Logon Alias: The value is the logon alias. The service provider searches for a user whose logon alias corresponds to the identifier.

  • Logon ID: The ID with which the user logs on interactively. The service provider searches for a user whose logon ID corresponds to the identifier.

  • User Attribute: The value is a user attribute, configured by its name and an optional namespace. The service provider searches for a user whose user attribute corresponds to the identifier.

  • Windows Name: The service provider handles the received user identifier as being in the format domain/principal and looks for a user whose domain and principal account attributes match the user identifier.