Preparing the WS Provider AS ABAP for Accepting SAML Token Profiles for Validation with the Ticket PSE

Prerequisites

  • You have configured your WS provider in the AS ABAP to use SAML token profiles, that is, you have set SAML Assertion in the individual configuration.

  • You have set up the trust relationship between the provider and the consumer. If you have configured your systems for the use of logon tickets, this relationship has already been set up.

    More information: Using Logon Tickets with AS ABAP

    If you do not want to set up the entire logon ticket trust relationship for SAML token profiles, it is sufficient to exchange the certificates of the two systems and, for AS ABAP, to include them in the access control lists.

    More information:

  • You know the data to be specified in table USREXTID for the issuer and the signature certificate of the SAML assertion of the WS provider.

If the issuing system is an AS ABAP, refer to Preparing the SAML-Token-Profile-Issuing WS Consumer AS ABAP.

Context

Use the following procedure to prepare the WS provider for the use of SAML token profiles.

Procedure


  1. Maintain the user assignment in table USREXTID, for example, with report RSUSREXT.

    | Entry | Value | Comment |
    |---|---|---|
    | Client | <Client> | |
    | User | <empty> or <user name> | Specifies the user with the name used in the target system. If you leave the field empty, all users are assigned. |
    | User Group | Empty | This field is not evaluated. |
    | External ID Type | SA | SA for SAML authentication mechanism |
    | Prefix of External Name | <Issuer>:: (for example, ABAP system: <SID>/<client>:: ; default issuer in Java systems: <SID>::) | Issuer of the SAML assertion |
    | Suffix of External Name | Empty | This field is not evaluated. |
    | Optional: Name of the Issuer | CN=<SID>, OU=<organizational unit>, O=SAP Trust Community, C=<country> | Owner of the importing SAML assertion signature certificate, as recorded in transaction STRUST |
    | User name as variable part | None | If the user names are identical (contained in each other), we recommend this setting. |
    | Alias as variable part | None | |
    | BAdI implementation | None | If the user names are not identical (contained in each other), we recommend this setting. |
    | Also display correct entries | None | To have the report also display entries that already exist, set this indicator. |
    | Delete all other entries for a user | None | The report USREXTID only adds new entries. To delete existing entries, set this indicator. |
    | Only Users Without External Names | Checked | Delta assignment: external names are assigned only to users who do not already have them. |
    | Test mode | None | To create only test entries, set this indicator. |

    More information: SAP Note 1362866
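The following pre-flight check is an added example, not SAP code: it reviews a planned set of RSUSREXT selection values against the table above before the report is run. The dictionary keys, the function name, and the SID/client patterns (three alphanumeric characters, three digits) are assumptions made for the example; the sample values are constructed.

```python
import re

# Issuer prefix forms named in the table. The SID and client patterns are
# assumptions about usual SAP naming, not taken from the page.
ABAP_PREFIX = re.compile(r"^[A-Z][A-Z0-9]{2}/\d{3}::$")   # <SID>/<client>::
JAVA_PREFIX = re.compile(r"^[A-Z][A-Z0-9]{2}::$")         # <SID>::
DN_PART = re.compile(r"^(CN|OU|O|C)=.+$")                 # form shown in the table


def check_selection(sel):
    """Return (errors, notices) for one planned RSUSREXT selection (a dict)."""
    errors, notices = [], []
    if sel.get("ext_id_type") != "SA":
        errors.append("External ID Type must be SA for SAML")
    prefix = sel.get("prefix", "")
    if not prefix.endswith("::"):
        errors.append("Prefix of External Name must end with '::'")
    elif not (ABAP_PREFIX.match(prefix) or JAVA_PREFIX.match(prefix)):
        notices.append("custom issuer prefix: compare it with the assertion's issuer")
    if sel.get("suffix") or sel.get("user_group"):
        notices.append("Suffix of External Name and User Group are not evaluated")
    dn = sel.get("issuer_dn", "")
    if not dn:
        notices.append("no certificate owner recorded for the issuer")
    elif not all(DN_PART.match(part.strip()) for part in dn.split(",")):
        notices.append("issuer name differs from the CN/OU/O/C form: copy it from STRUST")
    if not sel.get("user"):
        notices.append("User is empty: all users are assigned")
    return errors, notices


# Constructed sample selections (hypothetical system ABC, client 100).
GOOD = {"ext_id_type": "SA", "prefix": "ABC/100::", "user": "JDOE",
        "issuer_dn": "CN=ABC, OU=I0000000000, O=SAP Trust Community, C=DE"}
BAD = {"ext_id_type": "SAML", "prefix": "ABC/100", "user": ""}

if __name__ == "__main__":
    for name, sel in (("GOOD", GOOD), ("BAD", BAD)):
        errs, notes = check_selection(sel)
        print(name, "errors:", errs, "notices:", notes)
```

Notices do not block the run; they mark settings with a wide effect, such as an empty User field, that deserve a second look in test mode first.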