You have configured your WS provider in the AS ABAP to use SAML token profiles, that is, you have set SAML Assertion in the individual configuration.
You have set up the trust relationship between the provider and the consumer. If you have configured your systems for the use of logon tickets, this relationship has already been set up.
More information: Using Logon Tickets with AS ABAP
If you do not want to set up the entire logon ticket trust relationship for SAML token profiles, it is sufficient to exchange the certificates of the two systems and, for AS ABAP, to include them in the access control lists.
More information: Trust Manager, to import the certificate for the WS consumer
You know the data to be specified in table USREXTID for the issuer and the signature certificate of the SAML assertion of the WS provider.
If the issuing system is an AS ABAP, refer to Preparing the SAML-Token-Profile-Issuing WS Consumer AS ABAP.
Use the following procedure to prepare the WS provider for the use of SAML token profiles.
Maintain the user assignment in table USREXTID, for example, with report RSUSREXT.
Entry | Value | Comment |
---|---|---|
Client | <Client> | |
User | <empty> or <user name> | Specifies the user with the name used in the target system. If you leave the field empty, all users are assigned. |
User Group | Empty | This field is not evaluated. |
External ID Type | SA | SA for SAML authentication mechanism |
Prefix of External Name | <Issuer>:: For example: ABAP System: <SID>/<client>:: Default issuer in Java systems: <SID>:: | Issuer of the SAML assertion |
Suffix of External Name | Empty | This field is not evaluated. |
Optional: Name of the Issuer | CN=<SID>, OU=<organizational unit>, O=SAP Trust Community, C=<country> | Owner of the importing SAML assertion signature certificate, as recorded in transaction STRUST |
User name as variable part | None | If the user names are identical (contained in each other), we recommend this setting. |
Alias as variable part | None | |
BAdI implementation | None | If the user names are not identical (contained in each other), we recommend this setting. |
Also display correct entries | None | To have the report also display entries that already exist, set this indicator. |
Delete all other entries for a user | None | The report USREXTID only adds new entries. To delete existing entries, set this indicator. |
Only Users Without External Names | Checked | Delta assignment: external names are only assigned to users who do not already have them. |
Test mode | None | To create only test entries, set this indicator. |
More information: SAP Note 1362866.