
Using Predefined User Attributes in SAML

Use

You can map SAML attributes from the SAML response to user attributes on the Application Server (AS) Java. The user management engine (UME) of AS Java provides a set of predefined attributes, for example first name, last name, and e-mail.

The predefined attribute SAP Client allows the service provider to issue SSO2 tickets for different clients (if legacy support is enabled) and override the default value for the system defined in the UME property login.ticket_client. These tickets can later be accepted by legacy systems if you want to set up SSO for them, too. The value of SAP Client can be a three-digit number from 000 to 999.

The SAP R/3 User attribute specifies the user that exists on the legacy ABAP system. You can use the mapping between a SAML attribute and the SAP R/3 User attribute to enable authentication on a legacy ABAP system.

Procedure

Setting the SAP Client Attribute

  1. On the Trusted Providers tab, select the relevant identity provider from the list.

  2. Choose Edit.

  3. Choose the Identity Federation tab.

  4. Add the Name ID format to the list of supported formats for communication with the trusted identity provider and select the federation type Persistent Users (Advanced) or Virtual Users.

    For more information, see:

  5. Select the Update attributes, roles, and groups at login checkbox.

  6. On the Default User Attributes tab, add the SAP Client attribute with a value corresponding to the company it identifies.

  7. Save the changes to the identity provider.

Setting the SAP R/3 User Attribute

  1. On the Trusted Providers tab, select the relevant identity provider from the list.

  2. Choose Edit.

  3. Choose the Identity Federation tab.

  4. Add the Name ID format to the list of supported formats for communication with the trusted identity provider and select the federation type Persistent Users (Advanced) or Virtual Users.

  5. Select the Update attributes, roles, and groups at login checkbox.

  6. On the Assertion-Based User Attributes tab, choose Add.

    • In the SAML 2 Attribute field, enter the name of the SAML attribute you want to use (for example, R3User).

    • In the User Attribute field, select the SAP R/3 User option.

    • Select the Is Mandatory option.

    • Choose OK.

  7. Save the changes to the identity provider.
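
Before marking the attribute as mandatory, it helps to confirm that a test assertion from the identity provider actually carries it and that the planned SAP Client value is well formed. The following pre-check is an added example, not SAP code: the sample assertion is constructed, R3User is the attribute name from the example above, and requiring exactly one non-empty value is this check's own policy. It inspects attributes only and does not validate the assertion signature.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLIENT_RE = re.compile(r"[0-9]{3}")  # SAP Client: three digits, 000 to 999

# Constructed sample assertion (not captured from a real identity provider).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="R3User">
      <saml:AttributeValue>JDOE</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def is_valid_sap_client(value):
    """True only for a three-digit string such as '000' or '999'."""
    return isinstance(value, str) and CLIENT_RE.fullmatch(value) is not None

def assertion_attributes(assertion_xml):
    """Return {attribute name: [values]} from a SAML 2.0 assertion."""
    if "<!DOCTYPE" in assertion_xml:
        # SAML messages never need a DTD; refuse it before parsing.
        raise ValueError("DOCTYPE not allowed in SAML input")
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check_mandatory(assertion_xml, saml_attribute="R3User"):
    """Return (True, value) or (False, reason) for a mandatory mapped attribute."""
    values = assertion_attributes(assertion_xml).get(saml_attribute)
    if values is None:
        return False, "attribute missing from assertion"
    if len(values) != 1 or not values[0]:
        # Assumption of this check: an empty or multi-valued attribute is
        # ambiguous for a single legacy ABAP user and is treated as a failure.
        return False, "expected exactly one non-empty value"
    return True, values[0]
```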