Mapping Users in Table USREXTID 
Use this procedure to map users of the ABAP service provider to the external user IDs sent by a SAML 2.0 identity provider in the chosen name ID format.
For more information, see Configuring Out-of-Band Account Linking.
See also SAP Note 1362866.
You have determined, together with the administrator of the identity provider, the name ID format you are using and what the resulting name ID looks like for your users.
If you mass configure user mappings, you have determined what common factor to use to create the external ID. You can choose from the following:
User ID
Logon alias
A value determined by a custom BAdI
You must create your own BAdI. SAP provides the BAdI USREXTIDMAPPING as an example of just such an implementation.
In transaction SA38, open report RSUSREXT.
In the User section, determine the selection criteria for the users to which you want to map external IDs.
In the Ext. Name Changed section, enter the following data:
Choose an external ID type to match the name ID format as listed in the following table:
| Name ID Format | External ID Type |
|---|---|
| Kerberos | KB |
| Windows Name | NT |
| X.509 Subject Name | DN |
| Unspecified | SA |
Enter any text that is to appear before or after the common part of the external name ID.
Example
For X.509, enter CN= as the prefix and , O=EXAMPLE, C=US as the suffix.
For unspecified, add a prefix using the pattern <trusted_provider>:<name_qualifier>:.
Choose the source for the common part of the external name ID.
Enter further options as required.
Choose (Execute).
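Before executing the report, it helps to preview which external IDs the chosen prefix, common part, and suffix will produce, and to catch users with an empty source field or two users that would receive the same external ID. The following is an added example, not SAP code: the function `preview_mappings`, the user record shape, the sample users, and the prefix `idp1:qual1:` are assumptions made for illustration. Only the format-to-type table and the X.509 prefix and suffix come from this page.

```python
from collections import defaultdict

# Name ID format -> external ID type, as listed in the table on this page.
EXT_ID_TYPE = {
    "Kerberos": "KB",
    "Windows Name": "NT",
    "X.509 Subject Name": "DN",
    "Unspecified": "SA",
}


def preview_mappings(users, name_id_format, source, prefix="", suffix=""):
    """Return (mappings, problems) for a planned mass mapping.

    users:  list of dicts with 'user_id' and 'logon_alias' (assumed shape).
    source: which of those fields supplies the common part of the external ID.
    """
    ext_type = EXT_ID_TYPE[name_id_format]  # KeyError on a format not in the table
    mappings, problems = [], []
    seen = defaultdict(list)
    for u in users:
        common = (u.get(source) or "").strip()
        if not common:
            # No common part means the result would be prefix + suffix only.
            problems.append((u["user_id"], f"empty {source}"))
            continue
        ext_id = f"{prefix}{common}{suffix}"
        seen[ext_id].append(u["user_id"])
        mappings.append((ext_type, ext_id, u["user_id"]))
    # One external ID planned for several users should be reviewed before execution.
    for ext_id, owners in seen.items():
        if len(owners) > 1:
            problems.append((ext_id, "shared by " + ", ".join(owners)))
    return mappings, problems


# Constructed sample users, not taken from any real system.
SAMPLE_USERS = [
    {"user_id": "JDOE", "logon_alias": "john.doe"},
    {"user_id": "JDOE2", "logon_alias": "john.doe"},
    {"user_id": "BATCH01", "logon_alias": ""},
]

if __name__ == "__main__":
    rows, _ = preview_mappings(SAMPLE_USERS, "X.509 Subject Name", "user_id",
                               prefix="CN=", suffix=", O=EXAMPLE, C=US")
    print(rows)
    print(preview_mappings(SAMPLE_USERS, "Unspecified", "logon_alias",
                           prefix="idp1:qual1:")[1])
```

Compare the previewed external IDs with the name IDs the identity provider administrator says will be sent for the same users.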
In transaction SM30, open view VUSREXTID.
Choose an external ID type to match the name ID format as listed in the following table:
| Name ID Format | External ID Type |
|---|---|
| Kerberos | KB |
| Windows Name | NT |
| X.509 Subject Name | DN |
| Unspecified | SA |
Edit the table entries.
Save your entries.