Configuring Federation Type Persistent Users

Prerequisites

You have trusted an identity provider.

For more information, see Trusting an Identity Provider.

Procedure

  1. Start the SAML 2.0 configuration application (transaction SAML2).

  2. On the Trusted Providers tab, select an identity provider and choose the Edit pushbutton.

  3. On the Identity Federation tab, choose the Add pushbutton.

  4. Choose a name ID format, a user ID source, and a user ID mapping.

    The Unspecified, E-mail, and Transient name ID formats can take the user ID from the assertion subject or from an assertion attribute and allow a choice of mapping modes; the other formats are each tied to a single mapping mode. The Persistent format has additional configuration options of its own.

    Name ID Formats for Federation Type Persistent Users

    Name ID Format      User ID Source               User ID Mapping Mode                Description
    ------------------  ---------------------------  ----------------------------------  --------------------------------------------------
    Kerberos            Assertion Subject NameID     Mapping in USREXTID table, type KB  Searches for the user in the USREXTID table.
    Persistent          Assertion Subject NameID     Mapping in SAML2_PIDFED table       Searches for the user in the SAML2_PIDFED table.
    Unspecified,        Assertion Subject NameID     Logon ID                            Searches for the user based on the logon ID.
    E-mail, or          or Assertion Attribute       Logon Alias                         Searches for the user based on the logon alias.
    Transient                                        Mapping in USREXTID table, type SA  Searches for the user in the USREXTID table.
                                                     E-mail                              Searches for the user based on the e-mail address.
    Windows Name        Assertion Subject NameID     Mapping in USREXTID table, type NT  Searches for the user in the USREXTID table.
    X509 Subject Name   Assertion Subject NameID     Mapping in USREXTID table, type DN  Searches for the user in the USREXTID table.

    Note: The Persistent name ID format allows other configuration options.

  5. Save your entries.

  6. Make sure the user mapping information is maintained correctly for the selected mapping mode: the external ID entries of the given type in the USREXTID table, the entries in the SAML2_PIDFED table, or the logon ID, logon alias, or e-mail address in the user master record.

  7. Configure the identity provider to send a name ID (or attribute) value that results in a 1:1 match, that is, a value that identifies exactly one user in the AS ABAP system. A value that matches no user, or one shared by several users (for example an e-mail address maintained for more than one user master record), does not yield a 1:1 match.

    For more information about configuring an identity provider, see the documentation supplied by the identity provider vendor.

Example

Donna Moore has configured her AS ABAP system to require the Transient name ID format. A trusted identity provider sends the user's alias as an assertion attribute. The service provider searches for a user with that value as the logon alias. If exactly one user with this alias is found, that user is logged on.
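The following Python model is an added example, not SAP code and not part of this documentation page. It implements the lookup rules of the table above and the 1:1 requirement of step 7 against a constructed in-memory user store: it reads the NameID format and value (or a named assertion attribute) from a minimal unsigned assertion, checks that the chosen user ID source and mapping mode are permitted for that format, and resolves the value to exactly one logon ID or rejects it. The user records, external IDs, persistent IDs, issuer URL, and attribute name are hypothetical; signature, issuer trust, audience, and validity checks, which a real service provider performs before mapping, are assumed to have already passed.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# NameID format URIs from SAML 2.0 Core, section 8.3, keyed to the names used in the table.
FORMAT_NAMES = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos": "Kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "Persistent",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified": "Unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "E-mail",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient": "Transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName": "Windows Name",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName": "X509 Subject Name",
}
# Mapping modes each format permits, one table row each.
FLEXIBLE = {"Logon ID", "Logon Alias", "USREXTID/SA", "E-mail"}
ALLOWED_MODES = {
    "Kerberos": {"USREXTID/KB"}, "Persistent": {"SAML2_PIDFED"},
    "Unspecified": FLEXIBLE, "E-mail": FLEXIBLE, "Transient": FLEXIBLE,
    "Windows Name": {"USREXTID/NT"}, "X509 Subject Name": {"USREXTID/DN"},
}
ATTRIBUTE_SOURCE_OK = {"Unspecified", "E-mail", "Transient"}  # may use an assertion attribute

# Constructed, hypothetical stand-ins for the ABAP user store and the mapping tables.
USERS = {  # logon ID -> alias and e-mail address of the user master record
    "DMOORE": {"alias": "donna.moore", "email": "donna.moore@example.com"},
    "JSMITH": {"alias": "john.smith", "email": "shared@example.com"},
    "JDOE": {"alias": "jane.doe", "email": "shared@example.com"},  # duplicate e-mail on purpose
}
USREXTID = [  # (external ID type, external ID, logon ID)
    ("SA", "donna@idp.example.com", "DMOORE"),
    ("KB", "dmoore@EXAMPLE.COM", "DMOORE"),
    ("NT", "EXAMPLE\\jsmith", "JSMITH"),
    ("DN", "CN=John Smith,OU=Users,DC=example,DC=com", "JSMITH"),
]
SAML2_PIDFED = {  # (identity provider entity ID, persistent NameID) -> logon ID
    ("https://idp.example.com/saml2", "a1b2c3d4"): "DMOORE",
}


def make_assertion(fmt_uri, name_id, issuer="https://idp.example.com/saml2", attributes=None):
    """Build a minimal unsigned assertion; constructed test input, not a real IdP response."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in (attributes or {}).items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:Subject><saml:NameID Format="{fmt_uri}">{name_id}</saml:NameID></saml:Subject>'
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>"
    )


def resolve_user(assertion_xml, mapping_mode, user_id_source="NameID", attribute_name=None):
    """Return the single logon ID the (already validated) assertion maps to, or raise."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") not in FORMAT_NAMES:
        raise ValueError("missing or unsupported NameID format")
    fmt = FORMAT_NAMES[name_id.get("Format")]
    if mapping_mode not in ALLOWED_MODES[fmt]:
        raise ValueError(f"mapping mode {mapping_mode!r} not allowed for {fmt}")
    if user_id_source == "NameID":
        value = name_id.text
    elif user_id_source == "Attribute" and fmt in ATTRIBUTE_SOURCE_OK:
        value = root.findtext(
            f"saml:AttributeStatement/saml:Attribute[@Name='{attribute_name}']/saml:AttributeValue",
            namespaces=NS)
    else:
        raise ValueError(f"user ID source {user_id_source!r} not allowed for {fmt}")
    if not value:
        raise ValueError("no user ID value in assertion")
    if mapping_mode == "Logon ID":
        matches = [u for u in USERS if u == value]
    elif mapping_mode == "Logon Alias":
        matches = [u for u, d in USERS.items() if d["alias"] == value]
    elif mapping_mode == "E-mail":  # case-insensitive compare is an assumption of this model
        matches = [u for u, d in USERS.items() if d["email"].lower() == value.lower()]
    elif mapping_mode == "SAML2_PIDFED":  # keyed by issuer: a persistent ID is only meaningful per IdP
        matches = [u for k, u in SAML2_PIDFED.items() if k == (issuer, value)]
    else:  # "USREXTID/<type>"
        ext_type = mapping_mode.split("/")[1]
        matches = [u for t, ext, u in USREXTID if (t, ext) == (ext_type, value)]
    # Step 7: the mapping must be 1:1, so no match and several matches both fail.
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} users match {value!r}; need exactly one")
    return matches[0]


def resolve_or_reason(*args, **kwargs):
    """Logon ID on success, otherwise the reason the assertion was rejected."""
    try:
        return resolve_user(*args, **kwargs)
    except (ValueError, LookupError) as exc:
        return f"rejected: {exc}"
```

The Donna Moore case from the example is `resolve_user(make_assertion("urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "_tx-9f3e", attributes={"alias": "donna.moore"}), "Logon Alias", "Attribute", "alias")`, which returns `DMOORE`. The same call with an e-mail NameID of `shared@example.com` and the E-mail mapping mode is rejected because two constructed users share that address, which is the ambiguity step 7 tells you to design out at the identity provider.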