The name ID is the common identifier between the SAML 2.0 identity provider and the
service provider. By setting the name ID for a user on SAP NetWeaver Application Server (AS)
to the same value as a user on the identity provider, you federate the two accounts. By
removing the name ID for a user, you defederate the accounts.
Context
Use this procedure to federate and defederate accounts or to identify the name ID
used by a user account for different identity providers.
Procedure
- Start the SAML 2.0 configuration application (transaction SAML2).
- Choose the Name ID Management tab.
- Enter a user and choose a name ID format.
- Enter data as required.
- Federate user accounts by editing the name ID of the user.
- Defederate user accounts by removing the name ID of the user.
The source configured for a name ID format determines whether you can edit the name ID here.
For some sources you can only view the name ID. The table below lists, per name ID format,
which sources are editable and which are read-only.
Table 1: Editable and Read-Only Sources for Name IDs per Name ID Format

| Name ID Format | Editable Sources | Read-Only Sources |
|---|---|---|
| Kerberos | Mapping in USREXTID table | None |
| Persistent | Mapping in SAML2_PIDFED table | None |
| Unspecified, Transient, E-mail | Mapping in USREXTID table. Multiple entries with name qualifiers supported. Caution: name IDs must not include colons (:). | Logon Alias, Logon ID, E-mail |
| Windows Name | Mapping in USREXTID table | None |
| X509 Subject Name | None | Mapping in USREXTID table |
Note
The name IDs for the formats Kerberos, Windows Name, and X509 Subject Name apply to all
trusted providers. Table USREXTID does not record for which trusted provider a name ID in
these formats was added, so a mapping in one of these formats is honoured no matter which
trusted identity provider asserts it.
Note
The system uses the same mapping for the Unspecified, Transient, and E-mail name ID
formats. If you configure a mapping for one of these formats, it applies to the other
two as well.
- Save your entries.
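The following is an added example that models the name ID resolution rules described in the procedure and notes above; it is not SAP code, and the in-memory store, its keys, and the sample assertions are this example's own constructions (the real USREXTID and SAML2_PIDFED table layouts are not reproduced). It shows the consequences a practitioner should test for: Kerberos, Windows Name and X509 Subject Name mappings resolve regardless of the asserting provider, Unspecified, Transient and E-mail share one provider-scoped mapping, persistent name IDs are scoped to the provider, and name IDs containing a colon are rejected for the shared formats.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard SAML name ID format URIs (SAML 2.0 Core, section 8.3).
KERBEROS = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
WINDOWS = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
X509 = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# Formats whose mapping carries no provider information (first note on the page).
GLOBAL_FORMATS = {KERBEROS, WINDOWS, X509}
# Formats that share a single mapping (second note on the page).
SHARED_FORMATS = {UNSPECIFIED, TRANSIENT, EMAIL}


def is_valid_name_id(fmt, name_id):
    """Colons are not allowed in name IDs for the shared formats (table caution)."""
    return not (fmt in SHARED_FORMATS and ":" in name_id)


class NameIdStore:
    """Illustrative in-memory stand-in for the USREXTID / SAML2_PIDFED mappings.
    Key layout is this example's assumption, not the SAP table structure."""

    def __init__(self):
        self._global = {}      # (format, name_id)          -> user, provider not recorded
        self._persistent = {}  # (provider, name_id)        -> user
        self._shared = {}      # (name_qualifier, name_id)  -> user, shared by 3 formats

    def federate(self, user, fmt, name_id, provider=None):
        if not is_valid_name_id(fmt, name_id):
            raise ValueError("name ID must not include a colon")
        if fmt in GLOBAL_FORMATS:
            self._global[(fmt, name_id)] = user
        elif fmt == PERSISTENT:
            if provider is None:
                raise ValueError("persistent name IDs are scoped to a provider")
            self._persistent[(provider, name_id)] = user
        elif fmt in SHARED_FORMATS:
            if provider is None:
                raise ValueError("a name qualifier (provider) is required")
            self._shared[(provider, name_id)] = user
        else:
            raise ValueError(f"unsupported name ID format: {fmt}")

    def defederate(self, fmt, name_id, provider=None):
        if fmt in GLOBAL_FORMATS:
            self._global.pop((fmt, name_id), None)
        elif fmt == PERSISTENT:
            self._persistent.pop((provider, name_id), None)
        elif fmt in SHARED_FORMATS:
            self._shared.pop((provider, name_id), None)

    def resolve(self, fmt, name_id, issuer, name_qualifier=None):
        if fmt in GLOBAL_FORMATS:
            return self._global.get((fmt, name_id))  # issuer deliberately ignored
        if fmt == PERSISTENT:
            return self._persistent.get((issuer, name_id))
        if fmt in SHARED_FORMATS:
            return self._shared.get((name_qualifier or issuer, name_id))
        return None


def resolve_assertion(store, assertion_xml):
    """Pull Issuer and Subject/NameID out of an assertion and look the user up."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    nid = root.find("saml:Subject/saml:NameID", SAML_NS)
    if issuer is None or nid is None:
        return None
    fmt = nid.get("Format", UNSPECIFIED)  # SAML default when Format is absent
    return store.resolve(fmt, (nid.text or "").strip(), issuer.strip(), nid.get("NameQualifier"))


def sample_assertion(issuer, fmt, value, qualifier=None):
    """Constructed, unsigned assertion fragment for the example only."""
    q = f' NameQualifier="{qualifier}"' if qualifier else ""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{fmt}"{q}>{value}</saml:NameID></saml:Subject>'
        "</saml:Assertion>"
    )


def demo():
    """Federate one user (hypothetical logon ID JSMITH) and probe the lookup rules."""
    idp_a, idp_b = "https://idp-a.example.com", "https://idp-b.example.com"
    store = NameIdStore()
    store.federate("JSMITH", EMAIL, "j.smith@example.com", provider=idp_a)
    store.federate("JSMITH", KERBEROS, "jsmith@EXAMPLE.COM")
    store.federate("JSMITH", PERSISTENT, "4f9c1d2e", provider=idp_a)
    r = {
        "email_idp_a": resolve_assertion(store, sample_assertion(idp_a, EMAIL, "j.smith@example.com")),
        "unspecified_idp_a": resolve_assertion(store, sample_assertion(idp_a, UNSPECIFIED, "j.smith@example.com")),
        "email_idp_b": resolve_assertion(store, sample_assertion(idp_b, EMAIL, "j.smith@example.com")),
        "kerberos_idp_b": resolve_assertion(store, sample_assertion(idp_b, KERBEROS, "jsmith@EXAMPLE.COM")),
        "persistent_idp_b": resolve_assertion(store, sample_assertion(idp_b, PERSISTENT, "4f9c1d2e")),
    }
    store.defederate(KERBEROS, "jsmith@EXAMPLE.COM")
    r["kerberos_after_defederate"] = resolve_assertion(store, sample_assertion(idp_b, KERBEROS, "jsmith@EXAMPLE.COM"))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the `kerberos_idp_b` case is the one to verify on a real system: because the mapping for the provider-independent formats records no provider, every trusted identity provider you add can assert that name ID, so those formats should only be used when all trusted providers are equally trusted to vouch for the identity.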