Configuring the PAS for Providing the SAP User ID Directly (SAP Library - Pluggable Authentication Services for External Authentication)

Configuring the PAS for Providing the SAP User ID Directly

Use

As an alternative to maintaining the user mapping in the SAP system table USREXTID, the external authentication mechanism can provide the user’s ID for the SAP system directly when passing the user’s information to the PAS. This option is primarily useful when using either the LDAP bind for authentication or when using an arbitrary mechanism that sets the user’s ID in an HTTP header variable.

Caution

If you configure the PAS accordingly and the external authentication mechanism does not provide the user’s ID for the SAP system directly, then an error occurs. The user mapping table in the SAP system is not used as a fallback mechanism.

Prerequisites

If you are using an LDAP bind to a directory server as the authentication mechanism, then the user’s ID for the SAP system must be defined in an attribute in the directory server.

When using HTTP header variables, the external authentication mechanism must set the user’s ID for the SAP system in the header variable.

Procedure

Set the service file parameter ~extid_type in the PAS service file to the value UN.

If you are using an LDAP bind to a directory server as the authentication mechanism, then set the service file parameter ~ldapsapuid in the PAS service file to the name of this attribute.

Result

The PAS obtains the user’s ID for the SAP system directly from the authentication mechanism instead of using the mapping table.