Show TOC

 Mapping SAML Principals to AS ABAP User IDsLocate this document in the navigation structure

Use

You can use this topic to configure mapping of SAML principal IDs to user IDs in the AS ABAP.

When you use SAML assertions to access an AS ABAP application, you must always map the external ID of the SAML principal to the user ID in the AS ABAP even if the external ID and the AS ABAP ID are identical.

Procedure

You can map users in view VUSREXTID of the AS ABAP as shown below:

  1. In table view maintenance (transaction SM30), maintain the view VUSREXTID.
  2. As External ID type , enter SA .
  3. Enter the external ID in the format <Partner Name>:<Name Qualifier>:<Name Identifier> .

    <Partner Name> is the identifier of the partner as it appears in the SAML configuration for the inbound partners (see Inbound Partner Parameters ).

    If the source site does not fill the Name Qualifier attribute, leave this part of the external ID empty.

    Tip

    Examples of external ID entries are:

    • MyPartnersID::MyExternalName (the NameQualifier attribute is not set)
    • MyPartnersID:DOMAIN:logonID (the source site has filled the NameQualifier attribute with the string DOMAIN and NameIdentifier with the string logonID ).
  4. Map the ID to a valid user ID in the AS ABAP and set the Activated indicator.
    Note

    If the saml:Assertion/saml:Subject/saml:Na meIdentifier element contains the SAP user ID, you can use the report RSUSREXTID to create the mapping for all users or a subset of users. For more information, see SAP Note 1254821.

Result

When requesting access a SAML enabled AS ABAP application, the source site provides the user's ID (SAML principal) in his or her SAML assertion in the element NameIdentifier and an optional qualifier with the NameQualifier attribute. Based on the configured user mapping, the AS ABAP determines the user ID and authenticates the user.