Preparing the WS Provider AS ABAP for Accepting SAML Token Profiles for Validation with the Ticket PSE


  • You have configured your WS provider in the AS ABAP to use SAML token profiles, that is, you have set SAML Assertion in the individual configuration.

  • You have set up the trust relationship between the provider and the consumer. If you have configured your systems for the use of logon tickets, this relationship has already been set up.

    More information: Using Logon Tickets with AS ABAP

    If you do not want to set up the entire logon ticket trust relationship for SAML token profiles, it is sufficient to exchange the certificates of the two systems and, for AS ABAP, to include them in the access control lists.

    More information:

  • You know the data to be specified in table USREXTID for the issuer and the signature certificate of the SAML assertion of the WS provider.

If the issuing system is an AS ABAP, refer to Preparing the SAML-Token-Profile-Issuing WS Consumer AS ABAP.


Use the following procedure to prepare the WS provider for the use of SAML token profiles.


  1. Maintain the user assignment in table USREXTID, for example, with report RSUSREXT.

    <user name>
        Specifies the user with the name used in the target system. If you leave the field empty, all users are assigned.

    User Group
        This field is not evaluated.

    External ID Type
        SA for SAML authentication mechanism

    Prefix of External Name
        For example:
        ABAP System: <SID>/<client>::
        Default issuer in Java systems: <SID>::
        Issuer of the SAML assertion

    Suffix of External Name
        This field is not evaluated.

    Optional: Name of the Issuer
        OU=<organizational unit>,
        O=SAP Trust Community,
        Owner of the importing SAML assertion signature certificate, as recorded in transaction STRUST

    User name as variable part
        If the user names are identical (contained in each other), we recommend this setting.

    Alias as variable part

    BAdI implementation
        If the user names are not identical (contained in each other), we recommend this setting.

    Also display correct entries
        To have the report also display entries that already exist, set this indicator.

    Delete all other entries for a user
        The report USREXTID only adds new entries. To delete existing entries, set this indicator.

    Only Users Without External Names
        Delta assignment, meaning that external names are only assigned to users who do not already have them.

    Test mode
        To create only test entries, set this indicator.

    More information: SAP Note 1362866
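The following is an added example, not SAP code: a small Python pre-check that lays out the external-ID entries described above (type SA, issuer prefix plus user name as variable part) so they can be reviewed before the report is run. The function name `plan_mapping` and the row keys are hypothetical, and the SID and client formats are assumptions stated in the comments.

```python
import re

# Prefix formats shown on the page: "<SID>/<client>::" (ABAP) and "<SID>::" (Java default issuer).
# Assumption: a SID is three alphanumerics starting with a letter, a client is three digits.
PREFIX_RE = re.compile(r"[A-Z][A-Z0-9]{2}(/\d{3})?::")


def plan_mapping(pairs, prefix, issuer_dn=""):
    """Plan external-ID entries of type SA for review.

    pairs: (name in the issuing system, user name in the provider system).
    Returns (rows, findings); the row keys are illustrative, not USREXTID columns.
    """
    if not PREFIX_RE.fullmatch(prefix):
        raise ValueError(f"prefix is not <SID>/<client>:: or <SID>:: : {prefix!r}")
    rows, findings, owner_of = [], [], {}
    if not issuer_dn:
        # The issuer name is optional; without it no certificate owner is recorded.
        findings.append(("*", "no issuer name given: entries record no certificate owner"))
    for asserted, local in pairs:
        if asserted != local:
            # For non-identical names the page recommends a different variable-part setting.
            findings.append((local, f"name differs from issuer side ({asserted})"))
            continue
        external_name = prefix + asserted  # prefix + user name as variable part
        if external_name in owner_of:
            findings.append((local, f"duplicate external name {external_name}"))
            continue
        owner_of[external_name] = local
        rows.append({"type": "SA", "external_name": external_name,
                     "issuer_dn": issuer_dn, "user": local})
    return rows, findings


if __name__ == "__main__":
    # Constructed sample data: SID "ABC", client "100", two users.
    sample = [("JDOE", "JDOE"), ("MMILLER", "MILLERM")]
    rows, findings = plan_mapping(sample, "ABC/100::")
    for row in rows:
        print(row)
    for user, note in findings:
        print("REVIEW", user, note)
```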