
Configuring Federation Type Virtual Users


You have trusted an identity provider.

For more information, see Trusting an Identity Provider.


Identity federation with the type Virtual Users enables you to provide authenticated users with access to your system without needing to know specific details about those users. You negotiate with the administrator of the identity provider to determine which SAML 2.0 attributes you require. You determine how these attributes are mapped to user attributes, groups, and roles in your system, while the identity provider handles the management of the users and their authentication, without your intervention. The users exist on your system in memory only for as long as the user is logged on.


  1. Start SAP NetWeaver Administrator with the quick link /nwa/auth.
  2. Choose SAML 2.0 > Trusted Providers.
  3. Select an identity provider and choose the Edit pushbutton.
  4. On the Identity Federation tab, choose the Add pushbutton.
  5. Choose the name ID format.
  6. Select the federation type Virtual Users.
  7. If you want to enable the identity provider to create a name ID when necessary, select the Allow Identity Provider to Create Name ID (AllowCreate) checkbox.
  8. Configure the assertion attribute for User ID Source. You can use an attribute other than the subject name ID by selecting the option Assertion Attribute.

    The User ID Mapping Mode value is set to Logon ID by default and cannot be changed.

  9. Set the User ID Filter field. This field defines what user ID pattern the service provider can accept in the form of a Java regular expression.

    You can also use this field to configure any realms or domains for the name ID formats E-mail, Windows Name, and Kerberos, or to restrict the scope of the trusted providers. For example, you can allow user IDs ending with and ban all others.

  10. Set the User ID Prefix and User ID Suffix fields. You add a prefix and a suffix to tell the service provider which user ID to authenticate.

    For example, if the service provider receives user IDs with the name John, then adding a prefix or a suffix to this user ID makes the ID unique. That way the service provider knows which trusted provider to authenticate.

  11. Create a mapping between the SAML 2 attributes sent with the SAML assertion and the user management engine (UME) attributes the service provider writes.

    These attributes provide the basis for the temporary user on the service provider. Attributes marked as mandatory must be present and have values. Otherwise the service provider rejects the entire authentication attempt. The service provider does not create the temporary user account without the mandatory values. You can also create a mapping between SAML attributes, roles, and groups or predefine the roles and groups to which temporary users belong.

    For more information, see the following:

  12. Save your entries.
  13. Configure the identity provider to provide the name ID format with the mandatory attributes.

    For more information about configuring an identity provider, see the documentation supplied by the identity provider vendor.
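The following Java sketch is an added example, not SAP code. It shows how a loosely written User ID Filter differs from a tightly written one, and how mandatory attributes and the User ID Prefix fit in. The domain `example.com`, the prefix `idp1_`, the attribute names, and the assumptions that the filter must match the whole user ID and that the prefix is prepended to it are all constructed for illustration.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;

public class VirtualUserFilterDemo {
    // Constructed values: domain, prefix and attribute names are placeholders.
    static final String LOOSE  = ".*@example.com";                // unescaped dot, any local part
    static final String STRICT = "[A-Za-z0-9._-]+@example\\.com"; // escaped dot, restricted local part
    static final String PREFIX = "idp1_";
    static final Set<String> MANDATORY = Set.of("mail", "lastname");

    /** Returns the local logon ID, or empty if the authentication attempt is rejected. */
    static Optional<String> accept(String filter, String userId, Map<String, String> attrs) {
        // Assumption: the filter has to match the entire user ID (Pattern.matches semantics).
        if (userId == null || !Pattern.matches(filter, userId)) {
            return Optional.empty();
        }
        // Mandatory attributes must be present and have values (step 11).
        for (String name : MANDATORY) {
            String value = attrs.get(name);
            if (value == null || value.isBlank()) {
                return Optional.empty();
            }
        }
        // Assumption: the prefix is prepended so IDs from different providers stay distinct (step 10).
        return Optional.of(PREFIX + userId);
    }

    public static void main(String[] args) {
        Map<String, String> full = Map.of("mail", "john@example.com", "lastname", "Doe");
        Map<String, String> partial = Map.of("mail", "john@example.com");
        // Constructed user IDs: one expected value and three near misses.
        String[] ids = {
            "john@example.com",
            "john@exampleXcom",
            "john@other.test/@example.com",
            "john@example.com.other.test"
        };
        for (String id : ids) {
            System.out.printf("%-30s loose=%-5b strict=%-5b%n", id,
                accept(LOOSE, id, full).isPresent(),
                accept(STRICT, id, full).isPresent());
        }
        System.out.println("mandatory attribute missing: "
            + accept(STRICT, "john@example.com", partial).isPresent());
    }
}
```

Running candidate filter expressions against a list of expected and unexpected user IDs like this, before entering them in the User ID Filter field, shows whether the pattern accepts more than the intended realm or domain.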

Next Steps

Logical Attributes