Configuring Identity Federation with Transient Users

Identity federation by transient pseudonym identifiers enables you to provide authenticated users with access to your system, but you do not need to know specific details about those users. You negotiate with the administrator of the identity provider to determine what kind of SAML 2.0 attributes you require. You determine how these attributes are mapped to service users in your system, while the identity provider handles the management of the users and their authentication, without your intervention.

Prerequisites

You have trusted an identity provider.
For more information, see Trusting an Identity Provider.
You have configured any service users you intend the transient users to use.

Procedure

Start the SAML 2.0 configuration application (transaction SAML2).
On the Trusted Providers tab, select an identity provider and choose the Edit pushbutton.
On the Identity Federation tab, choose the Add pushbutton.
Select the name ID format Transient.
Create a mapping between the SAML 2.0 attributes sent with the SAML assertion and the service users on your system.
These attributes enable the service provider to identify the service user to use on the ABAP system.
For more information, see the following:
- Mapping SAML 2.0 Attributes for Transient Users
- Example of Transient Federation
Determine if you want a default service user.
The service provider uses the default service user when there is no other mapping for a transient user. If you do not configure a default service user, the service provider rejects assertions for transient users, who the service provider cannot match to a service user.

To configure a default service user, enter the user ID of a service user in the Default Service User field.
Save your entries.
Configure the identity provider to provide the transient name ID format.
For more information about configuring an identity provider, see the documentation supplied by the identity provider vendor.