Configuring Federation Type Persistent Users (Advanced)

Prerequisites

You have trusted an identity provider.

For more information, see Trusting an Identity Provider.

Context

Use this procedure to enable identity federation when no previous linking between the accounts exists. Interactive account linking and automatic account creation enable users to federate their accounts during authentication.

You can also use out-of-band account linking with persistent federation type, but the linking must be established ahead of time.

For more information, see Configuring Federation Type Persistent Users.

Procedure

  1. Start SAP NetWeaver Administrator with the quick link /nwa/auth.
  2. Choose SAML 2.0 > Trusted Providers.
  3. Select an identity provider and choose the Edit pushbutton.
  4. On the Identity Federation tab, choose the Add pushbutton.
  5. Choose the name ID format.
  6. Select the federation type Persistent Users (Advanced).
  7. Configure the assertion attribute for User ID Source. You can use attributes other than the subject name ID attribute by selecting the option Assertion Attribute. The service provider requests the name ID format from the trusted identity provider. When the service provider receives the SAML response, it uses the User ID Source attribute to determine where to search for the user, based on the string returned by the identity provider. If the search does not return exactly one user, logon fails.
  8. Choose a federation mode.
    • Interactive account linking

      In this mode, if there is no pre-existing federation or no user is found on the service provider with the same name ID, the service provider prompts the user to log on. When the user logs on, the service provider prompts the user to federate the accounts. If the user accepts, the service provider writes the name ID from the user account on the identity provider to the user attribute configured for the name ID on the service provider. If the user declines, the service provider logs the user on as usual, but does not federate the accounts.

      If you select the option Allow interactive linking of accounts, the default User ID Mapping Mode value is E-mail. You can specify other values for the User ID Mapping Mode by selecting the option User Attribute.

      Interactive account linking provides the following options:

      • To enable the identity provider to create a persistent name ID if none exists for the user account on the identity provider, select the Allow Identity Provider to Create Name ID (AllowCreate) checkbox. The service provider then sets the AllowCreate attribute on the NameIDPolicy element of its authentication request to "true".

      • To enable the user to create and federate a new account on the service provider, enable self-registration.

        For more information, see Configuring Self-Registration.

    • Automatic account creation

      In this mode, if there is no pre-existing federation or no user is found on the service provider with the same name ID, the service provider creates a user account. To create the account, the service provider uses the SAML 2.0 attributes sent by the identity provider. Either way, when the user logs on, the service provider writes the name ID from the user account on the identity provider to the user attribute configured for the name ID on the service provider.

      If you select the Allow automatic creation of accounts checkbox, the available User ID Mapping Mode attributes are E-mail and Logon ID. You can specify other values by selecting User Attribute for the mapping mode.

      Note

      To use custom user management engine (UME) attributes with SAML 2.0 attributes, you must add them for SAML on the service provider.

      For more information, see Adding Custom User Attributes for SAML.

      1. Create a mapping between the SAML 2.0 attributes and the UME attributes of the service provider.

        Attributes marked as mandatory must be present and have values. Otherwise, the service provider rejects the entire authentication attempt. The service provider does not create the user account without the mandatory values.

      2. Determine any group or role memberships by mappings or default assignments.

        You can create a mapping between SAML attributes and roles and groups, and you can predefine which roles and groups every created user belongs to by default.

      3. Choose from the following configuration options:

        • To enable the identity provider to create a name ID if none exists for the user account on the identity provider, select the Allow Identity Provider to Create Name ID (AllowCreate) checkbox.

        • To enable the service provider to overwrite existing user attributes with data sent as SAML 2.0 attributes, select the Update attributes, roles and groups at login checkbox.

      Example

      The table below illustrates a mapping between SAML 2.0 attributes and UME attributes. Included are the values for a user named Laurent Becker. The attribute for last name is marked as mandatory. This means if this SAML 2.0 attribute is empty or missing, the service provider rejects the SAML response. The service provider does not create the user account without the required attributes.

      SAML 2.0 Attribute | Is Mandatory | Value                      | UME Attribute
      -------------------+--------------+----------------------------+--------------
      1st-name           | No           | Laurent                    | firstname
      2nd-name           | Yes          | Becker                     | lastname
      mail               | No           | Laurent.Becker@example.com | email

    • Choosing other modes of federation

      If you do not select interactive or automatic account linking, the federation mode depends on your selection for the User ID Mapping Mode. You can select from the following options:

      User ID Mapping Mode Values and Descriptions

      E-mail
        The value is the e-mail address. The service provider searches for a user whose e-mail address corresponds to the identifier.

      Kerberos Principal Name
        The service provider handles the received user identifier as if it is in the format principal@realm and looks for a user whose principal and realm account attributes match the user identifier.

      Logon Alias
        The value is the logon alias. The service provider searches for a user whose logon alias corresponds to the identifier.

      Logon ID
        The ID with which the user logs on interactively. The service provider searches for a user whose logon ID corresponds to the identifier.

      User Attribute
        The value is a user attribute, configured by name and an optional namespace. The service provider searches for a user whose user attribute corresponds to the identifier.

      Windows Name
        The service provider handles the received user identifier as if it is in the format domain/principal and looks for a user whose domain and principal account attributes match the user identifier.
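The mandatory-attribute check described for automatic account creation (and again in step 11 below), as an added example that is not SAP's code: the page's mapping table is expressed as Go data, and MapAttributes (a name chosen here) rejects an assertion whose mandatory SAML 2.0 attribute is missing or has no value, which is the behaviour the service provider applies to the whole authentication attempt.

```go
package main

import (
	"fmt"
	"strings"
)

// AttributeMapping is one row of the SAML 2.0 attribute to UME attribute
// mapping table (the struct and function names are this example's own).
type AttributeMapping struct {
	SAMLAttribute string
	UMEAttribute  string
	Mandatory     bool
}

// ExampleMapping reproduces the mapping from the page: last name is mandatory.
var ExampleMapping = []AttributeMapping{
	{"1st-name", "firstname", false},
	{"2nd-name", "lastname", true},
	{"mail", "email", false},
}

// MapAttributes derives the UME attributes for a new account from the SAML
// 2.0 attributes of an assertion. A mandatory attribute that is missing or
// has no value causes the whole authentication attempt to be rejected.
func MapAttributes(mapping []AttributeMapping, assertion map[string]string) (map[string]string, error) {
	ume := make(map[string]string, len(mapping))
	for _, m := range mapping {
		v, ok := assertion[m.SAMLAttribute]
		if !ok || strings.TrimSpace(v) == "" {
			if m.Mandatory {
				return nil, fmt.Errorf("mandatory SAML attribute %q missing or empty: rejecting response", m.SAMLAttribute)
			}
			continue // optional attribute: leave the UME attribute unset
		}
		ume[m.UMEAttribute] = v
	}
	return ume, nil
}

func main() {
	// Constructed assertion attributes for the user from the page's table.
	good := map[string]string{"1st-name": "Laurent", "2nd-name": "Becker", "mail": "Laurent.Becker@example.com"}
	bad := map[string]string{"1st-name": "Laurent", "mail": "Laurent.Becker@example.com"}
	fmt.Println(MapAttributes(ExampleMapping, good))
	fmt.Println(MapAttributes(ExampleMapping, bad))
}
```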

  9. Set the User ID Filter field. This field defines, as a Java regular expression, which user IDs the service provider accepts.

    You can use this field to configure any realms or domains for the name ID formats E-mail, Windows Name, and Kerberos, or to restrict the scope of the trusted providers. For example, you can allow user IDs ending with sap.com and ban all the others.

    You can also define a group in the regular expression pattern. The extracted substring is the value of this group. For example, if you set the regular expression (.+)\Q@company.de\E, and the user's e-mail is john@company.de, then the regular expression will return john.

  10. Set the User ID Prefix and User ID Suffix fields. Add a prefix or suffix to tell the service provider which user ID to authenticate.

    For example, if the service provider receives the user ID John from more than one trusted provider, a provider-specific prefix or suffix makes the ID unique, so the service provider knows which trusted provider the user comes from.

  11. Create a mapping between the SAML 2.0 attributes sent with the SAML assertion and the UME attributes the service provider writes.

    These attributes provide the basis for the user on the service provider. Attributes marked as mandatory must be present and have values. Otherwise, the service provider rejects the entire authentication attempt. The service provider does not create the user account without the mandatory values. You can also create a mapping between SAML attributes and roles and groups, or predefine the roles and groups to which users belong.

    For more information, see the following:

  12. Save your entries.
  13. Configure the identity provider to provide the name ID and any other attributes required by your configuration.

    For more information about configuring an identity provider, see the documentation supplied by the identity provider vendor.

Example

Donna Moore has recently converted her network to SAML 2.0. The users are still logging on to each system with a separate user ID and password. Donna has set up a new identity provider with all the users and assigned each user a name ID. She has just upgraded her legacy systems to support SAML 2.0 as service providers. In each system she trusts the SAML 2.0 identity provider and requires the name ID format. Since all the users already know their passwords in each system, she enables interactive account linking. Whenever a user logs on to a system for the first time since the conversion, the user enters his or her logon information and the service provider adds the name ID from the identity provider to the local account. Donna does not need to go through the laborious process of adding the name ID to every account in every system. The users do it themselves.

Next Steps

Logical Attributes