Context
The service provider defines which name ID format to require in the SAML authentication request it forwards to the identity provider. As long as the identity provider supports this name ID format, the identity provider returns the requested information in the SAML response, including any attributes.
Identity federation is the mapping of the requested information to the information provided by the identity provider. Without this mapping, no federation can exist.
The federation type Persistent Users corresponds to the out-of-band account linking configuration.
Procedure
- Start SAP NetWeaver Administrator.
- Choose
and choose
.
- Select an identity provider and choose the Edit button.
- On the Identity Federation tab, choose the Add button.
- Choose a name ID format.
The service provider requests this name ID format from the trusted identity provider. When the service provider receives the SAML response, it uses the User ID Source attribute to determine where it searches for the user, based on the string returned by the identity provider. If the search does not return exactly one user, logon fails.
The name ID format on the service provider must match the one specified on the identity provider.
- To set the out-of-band account linking configuration, select the federation type Persistent Users.
- Configure the assertion attribute for User ID Source. You can use attributes other than the subject name ID by selecting the option Assertion Attribute.
- Set the User ID Mapping Mode. The User ID Mapping Mode defines which user ID attribute from the identity provider is mapped to the identifier of the service provider.
You can select from the following options:

| User ID Mapping Mode Values | Description |
|---|---|
| E-mail | The value is the e-mail address. The service provider will search for a user for which the e-mail address corresponds to the identifier. |
| Kerberos Principal Name | The service provider will handle the received user identifier as being in the format principal@realm and will look for a user for which the principal and realm account attributes match the user identifier. |
| Logon Alias | The value is the logon alias. The service provider will search for a user for which the logon alias corresponds to the identifier. |
| Logon ID | The ID with which the user logs on interactively. The service provider will search for a user for which the logon ID corresponds to the identifier. |
| User Attribute | The value is a user attribute configured by name and optional namespace. The service provider will search for a user for which the user attribute corresponds to the identifier. |
| Windows Name | The service provider will handle the received user identifier as being in the format domain/principal and will look for a user for which the domain and principal account attributes match the user identifier. |
- Save your entries.
- Configure the identity provider to provide the name ID required to result in a 1:1 match.
For more information about configuring an identity provider, see the documentation supplied by the identity provider vendor.
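The lookup that the User ID Mapping Mode drives, as an added illustration (this is not SAP NetWeaver code): each mode is applied to the identifier taken from the SAML response, and the service provider accepts the logon only when exactly one user matches. The user store, the attribute name and the "User Attribute:<name>" spelling of the mode are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class User:
    """One account in the service provider's user store (constructed for this example)."""
    logon_id: str
    email: str = ""
    logon_alias: str = ""
    krb_principal: str = ""
    krb_realm: str = ""
    win_domain: str = ""
    win_principal: str = ""
    attributes: Dict[str, str] = field(default_factory=dict)

# Constructed sample store. Two users share an e-mail address on purpose,
# to show the "search does not return a unique result" failure.
USERS: List[User] = [
    User("LBECKER", email="Laurent.Becker@example.com", logon_alias="lbecker",
         krb_principal="lbecker", krb_realm="EXAMPLE.COM",
         win_domain="EXAMPLE", win_principal="lbecker",
         attributes={"urn:example:mail": "Laurent.Becker@example.com"}),
    User("DMOORE", email="Donna.Moore@example.com", logon_alias="dmoore"),
    User("SHARED1", email="shared@example.com"),
    User("SHARED2", email="shared@example.com"),
]

def matches(user: User, mode: str, identifier: str) -> bool:
    """Apply one User ID Mapping Mode to the identifier taken from the SAML response."""
    if mode == "E-mail":
        return user.email == identifier
    if mode == "Logon Alias":
        return user.logon_alias == identifier
    if mode == "Logon ID":
        return user.logon_id == identifier
    if mode == "Kerberos Principal Name":      # expects principal@realm
        principal, sep, realm = identifier.partition("@")
        return bool(sep) and (user.krb_principal, user.krb_realm) == (principal, realm)
    if mode == "Windows Name":                 # expects domain/principal
        domain, sep, principal = identifier.partition("/")
        return bool(sep) and (user.win_domain, user.win_principal) == (domain, principal)
    if mode.startswith("User Attribute:"):     # "User Attribute:<name>" is this example's convention
        return user.attributes.get(mode.split(":", 1)[1]) == identifier
    raise ValueError(f"unknown User ID Mapping Mode: {mode!r}")

def resolve_user(mode: str, identifier: str) -> Optional[User]:
    """Return the single matching user; None (logon fails) when zero or several users match."""
    hits = [u for u in USERS if matches(u, mode, identifier)]
    return hits[0] if len(hits) == 1 else None
```

A malformed identifier for the Kerberos or Windows modes (no `@` or `/`) matches nobody, so it fails in the same way as an unknown or ambiguous user.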
Example
Donna Moore has configured her service provider to require the E-mail name ID format. A trusted identity provider sends her service provider a SAML response with Laurent.Becker@example.com as the subject. The service provider searches for a user with that value as an e-mail address. If the result is a single user, logon succeeds.
Laurent Becker has a different user ID on the service provider and the identity provider, but his e-mail address is the same in both systems. A simple mapping would be to have the identity provider use the E-mail name ID format, too.
Imagine that the identity provider uses the e-mail address for the user ID and does not use an attribute for e-mail. Then the identity provider would use the Unspecified name ID format to return the user ID. Donna must reconfigure her service provider to match.
If the identity provider cannot support the E-mail name ID format, Donna must configure the service provider to request the Unspecified name ID format and select the e-mail user attribute as the user ID source.