Identity Federation in AS ABAP
Identity federation provides the means to share identity information between partners. To share information about a user, partners must be able to identify the user, even though they may use different identifiers for the same user. The SAML 2.0 standard defines the name identifier (name ID) as the means to establish a common identifier. Once the name ID has been established, the user is said to have a federated identity.
The service provider receives the SAML subject identifier from the identity provider, either as the assertion subject name ID or as an assertion attribute (assertion attributes can be used as a user ID source only for the Unspecified, Transient, and Email formats). The User ID Source setting defines where this SAML subject identifier is obtained: the service provider uses the assertion subject name ID or another assertion attribute to get the user identifier. The service provider then checks the User ID Mapping Mode to determine how to find the user in the ABAP system. When the service provider finds the local user, it authenticates the user.
Identity Federation Principles
Types of Federation
- Persistent Users
- Service Users
Persistent Users
The Persistent Users type establishes permanent user IDs in the AS ABAP. In this case the identities of a user in system A and system B are identified and agreed upon ahead of time between the administrators of the two systems. The administrator of the identity provider and the administrator of the service provider agree on how the name ID used for the user in the identity provider maps to the user in the service provider.
Use this kind of federation to support most scenarios where you need to map user identities across domains.
Persistent name ID format supports advanced options such as Interactive Account Linking and Automatic Account Creation. The latter requires implementation of a Business Add-In (BAdI).
Service Users
The Service Users type applies to the Transient name ID format only. You can define a service user mapping and a default service user.
Qualified Format Names
The system supports the following qualified format names:
| Name ID Format | Fully Qualified Format Name |
|---|---|
| Email | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Kerberos | urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos |
| Persistent | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent |
| Transient | urn:oasis:names:tc:SAML:2.0:nameid-format:transient |
| Unspecified | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
| Windows Name | urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName |
| X509 Subject Name | urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName |
Each name ID format has its own configuration.
User ID Source Values
- Assertion Subject NameID
If you set the service provider to use Assertion Subject NameID, you allow the provider to use the information defined by the NameID subelement of the Subject element in the assertion passed by the identity provider.
- Assertion Attribute
If you specify Assertion Attribute for User ID Source, you name a custom assertion attribute that supplies the user identifier.
User ID Mapping Mode Values
The User ID Mapping Mode allows you to set the following values:
| User ID Mapping Mode Values | Description |
|---|---|
| Email | The service provider searches for a user for which the e-mail address corresponds to the identifier. |
| Logon Alias | The service provider searches for a user for which the logon alias corresponds to the identifier. |
| Logon ID | The ID with which the user logs on interactively. The service provider searches for a user for which the logon ID corresponds to the identifier. |
| Mapping in USREXTID table | Use this mode to map users of the ABAP service provider to the external user IDs sent by a SAML 2.0 identity provider in the chosen name ID format. |
| Mapping in SAML2_PIDFED table | Used with Persistent name ID format only. |
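The following Python script is an added illustration of the two-step resolution described above (User ID Source, then User ID Mapping Mode) together with the format restrictions this page states; it is not SAP code and does not model the real ABAP tables. The user store, the USREXTID and SAML2_PIDFED stand-ins, the attribute name `mail`, and the sample assertions are all constructed for the example. The assertions it builds are unsigned and minimal; in a real service provider the signature, issuer, and conditions of the assertion are validated before any identifier taken from it is trusted.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Fully qualified name ID format URNs, as listed in the table above.
NAMEID_FORMATS = {
    "Email": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "Kerberos": "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "Persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "Transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "Unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "Windows Name": "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "X509 Subject Name": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
}
URN_TO_FORMAT = {urn: name for name, urn in NAMEID_FORMATS.items()}

# Only these formats allow an assertion attribute as the user ID source.
ATTRIBUTE_SOURCE_FORMATS = {"Unspecified", "Transient", "Email"}

# Constructed, simplified stand-ins for the ABAP user store and the two
# mapping tables. Field names are illustrative, not the real SAP structures.
USERS = {
    "JDOE": {"email": "jane.doe@example.com", "alias": "jane"},
    "MSMITH": {"email": "m.smith@example.com", "alias": "msmith"},
}
USREXTID = {("Persistent", "a1b2c3"): "JDOE"}   # (name ID format, external ID) -> logon ID
SAML2_PIDFED = {"a1b2c3": "JDOE"}               # persistent name ID -> logon ID


def build_assertion(format_urn, name_id, attributes=None):
    """Build a minimal, unsigned test assertion (constructed sample data)."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in (attributes or {}).items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
        f'<saml:Subject><saml:NameID Format="{format_urn}">{name_id}</saml:NameID></saml:Subject>'
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def extract_identifier(assertion_xml, user_id_source, attribute_name=None):
    """Return (name ID format, identifier) according to the User ID Source setting."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no subject NameID")
    # SAML 2.0 treats a NameID without a Format attribute as 'unspecified'.
    fmt = URN_TO_FORMAT.get(name_id.get("Format", NAMEID_FORMATS["Unspecified"]))
    if fmt is None:
        raise ValueError("unsupported name ID format")
    if user_id_source == "Assertion Subject NameID":
        return fmt, name_id.text.strip()
    if user_id_source == "Assertion Attribute":
        if fmt not in ATTRIBUTE_SOURCE_FORMATS:
            raise ValueError(f"assertion attribute is not a valid user ID source for the {fmt} format")
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == attribute_name:
                value = attr.find("saml:AttributeValue", NS)
                if value is not None and (value.text or "").strip():
                    return fmt, value.text.strip()
        raise ValueError(f"attribute {attribute_name!r} missing from assertion")
    raise ValueError(f"unknown user ID source {user_id_source!r}")


def map_to_user(fmt, identifier, mapping_mode):
    """Apply the User ID Mapping Mode; return the local logon ID or None."""
    if mapping_mode == "Email":
        hits = [u for u, r in USERS.items() if r["email"] and r["email"].lower() == identifier.lower()]
    elif mapping_mode == "Logon Alias":
        hits = [u for u, r in USERS.items() if r["alias"] and r["alias"] == identifier]
    elif mapping_mode == "Logon ID":
        hits = [u for u in USERS if u == identifier.upper()]  # assumption: logon IDs stored upper-case
    elif mapping_mode == "Mapping in USREXTID table":
        hits = [USREXTID[(fmt, identifier)]] if (fmt, identifier) in USREXTID else []
    elif mapping_mode == "Mapping in SAML2_PIDFED table":
        if fmt != "Persistent":
            raise ValueError("SAML2_PIDFED mapping is only valid for the Persistent format")
        hits = [SAML2_PIDFED[identifier]] if identifier in SAML2_PIDFED else []
    else:
        raise ValueError(f"unknown mapping mode {mapping_mode!r}")
    # Exactly one local user must match; no match or an ambiguous match yields None.
    return hits[0] if len(hits) == 1 else None


def resolve_user(assertion_xml, user_id_source, mapping_mode, attribute_name=None):
    """Full path: pick the identifier per User ID Source, then find the local user."""
    fmt, identifier = extract_identifier(assertion_xml, user_id_source, attribute_name)
    return map_to_user(fmt, identifier, mapping_mode)


if __name__ == "__main__":
    persistent = build_assertion(NAMEID_FORMATS["Persistent"], "a1b2c3")
    print(resolve_user(persistent, "Assertion Subject NameID", "Mapping in SAML2_PIDFED table"))
```

The two ValueError paths are the checks worth noticing: an Assertion Attribute source is refused for a Persistent name ID, and the SAML2_PIDFED mapping is refused for anything but the Persistent format, matching the restrictions stated in the tables above. Returning None on an ambiguous match (two local users with the same e-mail address, for instance) reflects that the service provider must find a single local user before it authenticates.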