Show TOC

Procedure documentationConfiguring Federation Type Persistent Users Locate this document in the navigation structure

 

The service provider defines which name ID format to require in the SAML authentication request it forwards to the identity provider. As long as the identity provider supports this name ID format, the identity provider returns the requested information in the SAML response, including any attributes. Identity federation is the mapping of the requested information to the information provided by the identity provider. Without this mapping, no federation can exist.

The federation type Persistent Users corresponds to the out-of-band account linking configuration.

Prerequisites

You have trusted an identity provider.

For more information, see Trusting an Identity Provider.

Procedure

  1. Start SAP NetWeaver Administrator.

  2. Choose   Configuration Management   Security   Authentication and Single Sign-On   and choose   SAML 2.0   Trusted Providers  .

  3. Select an identity provider and choose the Edit button.

  4. On the Identity Federation tab, choose the Add button.

  5. Choose a name ID format.

    The service provider requests the name ID format from the trusted identity provider. When the service provider receives the SAML response, the service provider uses the User ID Source attribute to determine where it searches for the user, based on the string returned by the identity provider. If the search does not return a unique result, logon fails.

    The name ID format on the service provider must match with the one specified on the identity provider.

  6. To set the out-of-band account linking configuration, select the federation type Persistent Users.

  7. Configure the assertion attribute for User ID Source. You can use attributes other than the subject name ID by selecting the option Assertion Attribute.

  8. Set the User ID Mapping Mode. The User ID Mapping Mode defines which user ID attribute from the identity provider is mapped to the identifier of the service provider.

    You can select from the following options:

    User ID Mapping Mode Values

    User ID Mapping Mode Values

    Description

    E-mail

    The value is the e-mail address. The service provider will search for a user for which the e-mail address corresponds to the identifier.

    Kerberos Principal Name

    The service provider will handle the received user identifier as being in the format principal@realm and will look for a user for which the principal and realm account attributes match the user identifier.

    Logon Alias

    The value is the logon alias. The service provider will search for a user for which the logon alias corresponds to the identifier.

    Logon ID

    The ID with which the user logs on interactively. The service provider will search for a user for which the logon ID corresponds to the identifier.

    User Attribute

    The value is a user attribute configuring name and optional namespace. The service provider will search for a user for which the user attribute corresponds to the identifier.

    Windows Name

    The service provider will handle the received user identifier as being in the format domain/principal and will look for a user for which the domain and principal account attributes match the user identifier.

  9. Save your entries.

  10. Configure the identity provider to provide the name ID required to result in a 1:1 match.

    For more information about configuring an identity provider, see the documentation supplied by the identity provider vendor.

Example

Donna Moore has configured her service provider to require the E-mail name ID format. A trusted identity provider sends her service provider a SAML response with Laurent.Becker@example.com as the subject. The service provider searches for a user with that value as an e-mail address. If the result is a single user, logon succeeds.

Laurent Becker has a different user ID on the service provider and the identity provider, but his e-mail address is the same in both systems. A simple mapping would be to have the identity provider use the E-mail name ID format, too.

Imagine that the identity provider uses the e-mail address for the user ID and does not use an attribute for e-mail. Then the identity provider would use the Unspecified name ID format to return the user ID. Donna must reconfigure her service provider to match. If the identity provider cannot support the E-mail name ID format, Donna must configure the service provider to request the Unspecified name ID format and select the e-mail user attribute as the user ID source.

More Information

Logical Attributes