
Identity Federation in AS ABAP

Identity federation provides the means to share identity information between partners. To share information about a user, partners must be able to identify the user, even though they may use different identifiers for the same user. The SAML 2.0 standard defines the name identifier (name ID) as the means to establish a common identifier. Once the name ID has been established, the user is said to have a federated identity.

The service provider obtains the SAML subject identifier from the assertion sent by the identity provider, either from the assertion's subject name ID or from an assertion attribute (assertion attributes can serve as the user ID source only for the Unspecified, Transient, and E-mail formats). The User ID Source setting determines which of these two the service provider reads. The service provider then applies the User ID Mapping Mode to determine how that identifier is matched to a user in the ABAP system. Once it finds the local user, it authenticates that user.

Identity Federation Principles
Example

Donna Moore, as an administrator, would like to configure her system so that users can authenticate with an e-mail address. As a prerequisite, she requires that the identity provider sends an assertion containing the e-mail address of the user as the subject name ID, and that the identity provider is configured to use the Unspecified name ID format. She therefore also configures her service provider with the Unspecified name ID format, Assertion Subject NameID as the User ID Source, and E-mail as the User ID Mapping Mode.

Laurent Becker, as a user, has different user IDs on the identity provider and the service provider. With SAML 2.0, he authenticates on the identity provider. The identity provider passes his user ID, which is actually his e-mail address, to the service provider, and the service provider searches for his user by his e-mail address. Thus his two accounts are linked by user ID and e-mail address.

Types of Federation
  • Persistent Users
  • Service Users
Persistent Users

The Persistent Users type establishes permanent user IDs in the AS ABAP. In this case the identities of a user in system A and system B are identified and agreed upon ahead of time between the administrators of the two systems: the administrator of the identity provider and the administrator of the service provider agree how the name ID used for the user in the identity provider maps to the user in the service provider.

Use this kind of federation to support most scenarios where you need to map user identities across domains.

The Persistent name ID format supports advanced options such as Interactive Account Linking and Automatic Account Creation; the latter requires implementing a Business Add-In (BAdI).

Service Users

The Service Users type applies to the Transient name ID format only. You can define a service user mapping and a default service user.

Qualified Format Names

The system supports the following qualified format names:

Table 1: Qualified Format Names

Name ID Format       Fully Qualified Format Name
E-mail               urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Kerberos             urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
Persistent           urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Transient            urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Unspecified          urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Windows Name         urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
X509 Subject Name    urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

Each name ID format has its own configuration.

User ID Source Values
  • Assertion Subject NameID

    If you set the service provider to use Assertion Subject NameID, you allow the provider to use the information defined by the NameID subelement of the Subject element in the assertion passed by the identity provider.

  • Assertion Attribute

    If you specify Assertion Attribute for User ID Source, you define your own custom assertion attribute for user ID source.

User ID Mapping Mode Values

The User ID Mapping Mode allows you to set the following values:

Table 2: User ID Mapping Mode Values

User ID Mapping Mode Value       Description
E-mail                           The service provider searches for a user whose e-mail address corresponds to the identifier.
Logon Alias                      The service provider searches for a user whose logon alias corresponds to the identifier.
Logon ID                         The ID with which the user logs on interactively. The service provider searches for a user whose logon ID corresponds to the identifier.
Mapping in USREXTID table        Use this mode to map users of the ABAP service provider to the external user IDs sent by a SAML 2.0 identity provider in the chosen name ID format.
Mapping in SAML2_PIDFED table    Used with the Persistent name ID format only.
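The following Python script is an added illustration of the service-provider flow described at the top of this page (obtain the identifier according to User ID Source, then locate the local user according to User ID Mapping Mode), using the format names from Table 1 and the mapping modes from Table 2. It is not SAP code and does not model the AS ABAP implementation; the user store, the USREXTID-style mapping table and both assertions are constructed inline for the example, and the SAML2_PIDFED mode is deliberately left out. It also shows two checks worth having at this step: an assertion attribute is accepted as user ID source only for the Unspecified, Transient and E-mail formats, and a lookup that matches zero or several local users yields no logon rather than an arbitrary account.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Fully qualified format names as listed in Table 1.
NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "E-mail",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos": "Kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "Persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient": "Transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified": "Unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName": "Windows Name",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName": "X509 Subject Name",
}
# SAML 2.0 treats a NameID without a Format attribute as "unspecified".
DEFAULT_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Only these formats allow an assertion attribute as the user ID source.
ATTRIBUTE_SOURCE_FORMATS = {"Unspecified", "Transient", "E-mail"}

# Constructed stand-in for the local user store (not real SU01 data).
USERS = [
    {"logon_id": "LBECKER", "alias": "laurent", "email": "laurent.becker@example.com"},
    {"logon_id": "DMOORE", "alias": "donna", "email": "donna.moore@example.com"},
]
# Constructed stand-in for USREXTID: (name ID format, external ID) -> logon ID.
EXTERNAL_IDS = {("Persistent", "a8f1c2e0-idp-opaque-id"): "LBECKER"}

# Constructed assertions; IDs and values are invented for this example.
ASSERTION_EMAIL = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">laurent.becker@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>laurent.becker@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

ASSERTION_PERSISTENT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example2" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a8f1c2e0-idp-opaque-id</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return the subject name ID, its friendly format name and the assertion attributes."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion carries no Subject/NameID")
    fmt = NAMEID_FORMATS.get(name_id.get("Format", DEFAULT_FORMAT))
    if fmt is None:
        raise ValueError("unsupported name ID format")
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {"format": fmt, "name_id": (name_id.text or "").strip(), "attributes": attributes}


def extract_identifier(assertion, user_id_source, attribute_name=None):
    """Apply the User ID Source setting to obtain the SAML subject identifier."""
    if user_id_source == "Assertion Subject NameID":
        return assertion["name_id"]
    if user_id_source == "Assertion Attribute":
        if assertion["format"] not in ATTRIBUTE_SOURCE_FORMATS:
            raise ValueError("attribute source allowed only for Unspecified, Transient and E-mail formats")
        values = assertion["attributes"].get(attribute_name, [])
        if len(values) != 1:
            raise ValueError("attribute %r must carry exactly one value" % attribute_name)
        return values[0]
    raise ValueError("unknown user ID source")


def find_local_user(identifier, mapping_mode, name_id_format=None, users=USERS, external_ids=EXTERNAL_IDS):
    """Apply the User ID Mapping Mode; return the logon ID, or None if there is no unique match."""
    if mapping_mode == "Mapping in USREXTID table":
        # External IDs are keyed by the name ID format they were issued in.
        return external_ids.get((name_id_format, identifier))
    field = {"E-mail": "email", "Logon Alias": "alias", "Logon ID": "logon_id"}.get(mapping_mode)
    if field is None:
        raise ValueError("mapping mode %r is not modelled in this example" % mapping_mode)
    if field == "email":
        matches = [u for u in users if u["email"].lower() == identifier.lower()]
    else:
        matches = [u for u in users if u[field] == identifier]
    # Zero or several candidates: refuse rather than guess which account to log on.
    return matches[0]["logon_id"] if len(matches) == 1 else None


def authenticate(xml_text, user_id_source, mapping_mode, attribute_name=None):
    """Run the whole service-provider flow and return the local logon ID, or None."""
    assertion = parse_assertion(xml_text)
    identifier = extract_identifier(assertion, user_id_source, attribute_name)
    return find_local_user(identifier, mapping_mode, assertion["format"])


if __name__ == "__main__":
    # Donna Moore's configuration from the example above: Unspecified format,
    # Assertion Subject NameID as source, E-mail as mapping mode.
    print(authenticate(ASSERTION_EMAIL, "Assertion Subject NameID", "E-mail"))
    print(authenticate(ASSERTION_PERSISTENT, "Assertion Subject NameID", "Mapping in USREXTID table"))
```

The e-mail comparison is case-insensitive because e-mail addresses are commonly stored and sent in differing cases; the logon alias and logon ID comparisons are exact, matching the way those fields are keyed in the constructed store.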