Show TOC

Configuring a User MappingLocate this document in the navigation structure

Prerequisites

  • You have configured target ABAP systems to trust logon tickets from the AS Java.

  • You have configured technical users on target ABAP systems to which users will be mapped.

    Note

    Because of the temporary and anonymous nature of transient users on the AS Java and because multiple transient users are mapped to the same user on the AS ABAP, you should not use this configuration in scenarios with transient federation that have rigid auditing requirements.

Context

This procedure enables you to create a user mapping to a reference ABAP system. The user mapping enables you to grant access to users for trusted ABAP systems using logon tickets. When configured, the AS Java issues logon tickets to the browsers of users with the mapped user ID to use in the ABAP system. When the user visits the ABAP system that accepts these logon tickets, the ABAP system logs the user on with the user ID in the logon ticket.

Scenario Overview

In this configuration, the identity provider sends SAML attributes that map to calculated roles or groups on the AS Java. When the service provider on the AS Java creates the user it assigns calculated roles or groups to the users based on the attributes sent by the identity provider. The service provider is also configured to assign user mappings based on the calculated roles or groups. If a user is assigned to a role or group of this type, the service provider checks if this assignment is configured to map to a user on the AS Java. If it is, the service provider takes the user mapping of this AS Java user and writes the name of the mapped ABAP user in the logon ticket of the user.

Procedure

  1. Configure a reference system for the Application Server (AS) Java.

    For more information, see the portal documentation on the creation of reference systems.

    If there is no portal for your AS Java, set the following user management engine (UME) properties as follows:

    • ume. r3. mastersystem= UME Internal Reference System

    • ume. usermapping. admin. pwdprotection= false

    For more information, see Editing UME Properties .

  2. Create users on the AS Java and map them to technical users on the AS ABAP.

    For more information, see Configuring User Mappings on the Behalf of Users .

  3. Configure the identity provider to send SAML attributes including attributes with which you calculate role or group assignments on the AS Java.

    For more information, see the documentation for your identity provider.

    Example

    Call center workers from the partner company are supposed to be able to access a back-end system to order more parts as they are needed. Which call center worker places the order is not important. The partner company sends a SAML 2.0 attribute memberOf with authentication responses. If the value of this attribute is CallCenter, the service provider can assign this user to the calculated role PartnerCallCenter.

  4. Calculate group or role assignments based on the SAML attributes.

    For more information, see Mapping SAML 2 Attributes .

  5. On the User Mapping tab, choose the Add pushbutton.
  6. Select a calculated role or group assignment.
  7. Select a user with a user mapping assignment.
  8. Save your entries.

Results

Users that match the calculated role or group assignment receive the user mapping assignment of the AS Java user you selected. In a way, the user is borrowing the user mapping configuration of another user.