Configuring Federation Type Persistent Users

Prerequisites

You have trusted an identity provider.

For more information, see Trusting an Identity Provider.

Procedure

  1. Start the SAML 2.0 configuration application (transaction SAML2).
  2. On the Trusted Providers tab, select an identity provider and choose the Edit pushbutton.
  3. On the Identity Federation tab, choose the Add pushbutton.
  4. Choose a name ID format, a user ID source, and a user ID mapping.
    The transient and persistent name ID formats offer more configuration possibilities than the other formats, as the table below shows.
    Table 1: Name ID Formats for Federation Type Persistent Users

    Kerberos
      User ID source: Assertion Subject NameID
      User ID mapping mode: Mapping in USREXTID table, type KB
      Description: Searches for the user in the USREXTID table.

    Persistent
      User ID source: Assertion Subject NameID
      User ID mapping mode: Mapping in SAML2_PIDFED table
      Description: Searches for the user in the SAML2_PIDFED table.
      Note: The Persistent name ID format allows other configuration options.

    Unspecified, E-mail, Transient
      User ID source: Assertion Subject NameID or Assertion Attribute
      User ID mapping modes:
        Logon ID: Searches for the user based on the logon ID.
        Logon Alias: Searches for the user based on the logon alias.
        Mapping in USREXTID table, type SA: Searches for the user in the USREXTID table.
        E-mail: Searches for the user based on the e-mail address.

    Windows Name
      User ID source: Assertion Subject NameID
      User ID mapping mode: Mapping in USREXTID table, type NT
      Description: Searches for the user in the USREXTID table.

    X509 Subject Name
      User ID source: Assertion Subject NameID
      User ID mapping mode: Mapping in USREXTID table, type DN
      Description: Searches for the user in the USREXTID table.
  5. Save your entries.
  6. Make sure the user mapping information is maintained correctly for the selected mapping mode.
  7. Configure the identity provider to provide the name ID required to result in a 1:1 match.
    For more information about configuring an identity provider, see the documentation supplied by the identity provider vendor.

Example

Donna Moore has configured her AS ABAP system to require the Transient name ID format. A trusted identity provider sends the user’s alias as an assertion attribute. The service provider searches for a user with that value as an alias. If a user with this alias is found, he or she is logged in.
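The following Python is an added illustration, not SAP's implementation: it models the lookup described by Table 1 and by the 1:1 requirement in step 7, and replays the Donna Moore example above. The assertion, the attribute names (alias, mail), the user store and the mode labels such as "USREXTID:KB" are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Table 1: these formats fix both the user ID source and the mapping mode.
FIXED_MODES = {"Kerberos": "USREXTID:KB", "Persistent": "SAML2_PIDFED",
               "Windows Name": "USREXTID:NT", "X509 Subject Name": "USREXTID:DN"}
# Unspecified, E-mail and Transient share one set of selectable sources and modes.
SHARED_FORMATS = {"Unspecified", "E-mail", "Transient"}
SHARED_MODES = {"Logon ID", "Logon Alias", "USREXTID:SA", "E-mail"}

# Constructed stand-in for the user store: user name -> value held per mapping mode.
STORE = {
    "DMOORE": {"Logon Alias": "donna.moore", "E-mail": "team@example.com"},
    "JDOE": {"Logon Alias": "john.doe", "E-mail": "team@example.com"},
}

# Constructed assertion: transient NameID, alias and mail carried as attributes.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_9f2c</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="alias"><saml:AttributeValue>donna.moore</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>team@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_value(assertion_xml, source):
    """Pull the user ID from the configured source: 'Subject NameID' or 'Attribute:<name>'."""
    root = ET.fromstring(assertion_xml)
    if source == "Subject NameID":
        return root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    wanted = source.split(":", 1)[1]
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", namespaces=NS):
        if attr.get("Name") == wanted:
            return attr.findtext("saml:AttributeValue", namespaces=NS)
    return None

def resolve_user(assertion_xml, name_id_format, source, mode, store=STORE):
    """Return the user to log on, or None. Exactly one match is required (the 1:1 rule)."""
    if name_id_format in FIXED_MODES:
        source, mode = "Subject NameID", FIXED_MODES[name_id_format]
    elif name_id_format not in SHARED_FORMATS or mode not in SHARED_MODES:
        raise ValueError("mapping mode not offered for this name ID format")
    value = extract_value(assertion_xml, source)
    if value is None:
        return None
    matches = [user for user, rec in store.items() if rec.get(mode) == value]
    return matches[0] if len(matches) == 1 else None  # zero or ambiguous -> no logon

if __name__ == "__main__":
    print(resolve_user(ASSERTION, "Transient", "Attribute:alias", "Logon Alias"))
```

The shared e-mail in the constructed store shows why step 7 matters: with mapping mode E-mail the same assertion matches two users and no logon occurs.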