Managing Name IDs

The name ID is the common identifier between the SAML 2.0 identity provider and the service provider. By setting the name ID for a user on SAP NetWeaver Application Server (AS) to the same value as a user on the identity provider, you federate the two accounts. By removing the name ID for a user, you defederate the accounts.

Use this procedure to federate and defederate accounts or to identify the name ID used by a user account for different identity providers.

  1. Start the SAML 2.0 configuration application (transaction SAML2).
  2. Choose the Name ID Management tab.
  3. Enter a user and choose a name ID format.
  4. Enter data as required.
    • Federate user accounts by editing the name ID of the user.
    • Defederate user accounts by removing the name ID of the user.
    The source for the name ID format determines if you can edit the name ID. For some sources, you can only view the name ID. The table below lists which name ID sources for the name ID formats are editable.
    Table 1: Editable and Read-Only Sources for Name IDs per Name ID Format

    Name ID Format     | Editable Sources                                     | Read-Only Sources
    -------------------|------------------------------------------------------|------------------------------
    Kerberos           | Mapping in USREXTID table                            | None
    Persistent         | Mapping in SAML2_PIDFED table                        | None
    Unspecified        | Mapping in USREXTID table. Multiple entries with     | Logon Alias, Logon ID, E-mail
                       | name qualifiers supported. Name IDs must not         |
                       | include colons (:).                                  |
    Windows Name       | Mapping in USREXTID table                            | None
    X509 Subject Name  | None                                                 | Mapping in USREXTID table

    The name IDs for the formats Kerberos, Windows Name, and X509 Subject Name apply to all trusted providers. The table USREXTID does not record for which trusted provider a name ID in these formats was added.

    The system uses the same mapping for the Unspecified, Transient, and E-mail name ID formats. If you configure a specific mapping for one of these formats, the same mapping also applies to the other two.

  5. Save your entries.
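As an added example (not code from the SAP documentation or from AS ABAP), the following Python script applies the rules of the procedure above to a SAML assertion: it reads the saml:NameID, resolves its Format to the corresponding row of Table 1, and reports the checks an administrator would make before federating that value (colons in the USREXTID-mapped formats, mappings that apply to every trusted provider, read-only sources). It assumes the standard SAML 2.0 Core NameID Format URIs correspond to the format names shown on the Name ID Management tab; the assertions it parses are constructed samples with signatures and conditions omitted.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# SAML 2.0 Core: a NameID with no Format attribute is treated as "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


@dataclass(frozen=True)
class FormatRule:
    sap_name: str        # name ID format as shown on the Name ID Management tab
    table: str           # AS ABAP table holding the mapping (Table 1)
    editable: bool       # mapping can be edited on the tab (Table 1)
    all_providers: bool  # USREXTID row carries no trusted-provider information
    no_colons: bool      # Unspecified/Transient/E-mail group: no ':' in the name ID


# Assumption: the SAML 2.0 Core NameID Format URIs are matched to the rows of Table 1;
# Transient and E-mail share the Unspecified row's mapping, as the documentation notes.
RULES = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos":
        FormatRule("Kerberos", "USREXTID", True, True, False),
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent":
        FormatRule("Persistent", "SAML2_PIDFED", True, False, False),
    UNSPECIFIED:
        FormatRule("Unspecified", "USREXTID", True, False, True),
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient":
        FormatRule("Transient", "USREXTID", True, False, True),
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress":
        FormatRule("E-mail", "USREXTID", True, False, True),
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName":
        FormatRule("Windows Name", "USREXTID", True, True, False),
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName":
        FormatRule("X509 Subject Name", "USREXTID", False, True, False),
}


@dataclass
class NameIdReview:
    value: str
    fmt: str
    sap_name: Optional[str]
    table: Optional[str]
    findings: List[str] = field(default_factory=list)


def review_name_id(assertion_xml: str) -> NameIdReview:
    """Parse the saml:NameID of an assertion and report which mapping table
    federates it on AS ABAP, plus the checks an administrator should make."""
    root = ET.fromstring(assertion_xml)
    node = root.find(f".//{{{SAML_NS}}}NameID")
    if node is None:
        raise ValueError("assertion carries no saml:NameID")
    fmt = node.get("Format", UNSPECIFIED)
    value = (node.text or "").strip()
    rule = RULES.get(fmt)
    review = NameIdReview(value, fmt, rule.sap_name if rule else None,
                          rule.table if rule else None)
    if rule is None:
        review.findings.append(f"unknown NameID format {fmt}: no row in Table 1")
        return review
    if not value:
        review.findings.append("empty NameID value: nothing to federate")
    if rule.no_colons and ":" in value:
        review.findings.append(
            f"{rule.sap_name}: name ID contains a colon, which the USREXTID mapping does not allow")
    if rule.all_providers:
        review.findings.append(
            f"{rule.sap_name}: USREXTID mapping carries no trusted-provider information, "
            "so it is honoured for every trusted provider; audit all providers")
    if not rule.editable:
        review.findings.append(f"{rule.sap_name}: mapping is read-only on the Name ID Management tab")
    return review


# Constructed sample assertions (not real traffic); signatures and conditions omitted.
SAMPLE_PERSISTENT = f"""<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
 NameQualifier="https://idp.example.test"
 SPNameQualifier="https://sp.example.test">f3a1-federated-opaque-id</saml:NameID>
</saml:Subject></saml:Assertion>"""
SAMPLE_UNSPECIFIED_COLON = f"""<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Subject>
<saml:NameID>CORP:jdoe</saml:NameID></saml:Subject></saml:Assertion>"""
SAMPLE_KERBEROS = f"""<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">jdoe@EXAMPLE.TEST</saml:NameID>
</saml:Subject></saml:Assertion>"""

if __name__ == "__main__":
    for sample in (SAMPLE_PERSISTENT, SAMPLE_UNSPECIFIED_COLON, SAMPLE_KERBEROS):
        r = review_name_id(sample)
        print(r.sap_name, r.table, repr(r.value), r.findings)
```

Run as a script, it prints one line per sample: the Persistent name ID resolves to SAML2_PIDFED with no findings, the unqualified CORP:jdoe value is flagged for the colon, and the Kerberos value is flagged because its USREXTID mapping is honoured for every trusted provider.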