Preparing the WS Provider AS ABAP for Accepting SAML Token Profiles for Validation with the Ticket PSE

 

Use the following procedure to prepare the WS provider for the use of SAML token profiles.

Prerequisites

  • You have configured your WS provider in the AS ABAP to use SAML token profiles, that is, you have made the setting SAML Assertion in the individual configuration.

  • You have set up the trust relationship between the WS provider and the WS consumer. If you have configured your systems for the use of logon tickets, this relationship has already been set up.

    More information: Using Logon Tickets

If you do not want to use logon tickets, you need to exchange the certificates for both systems and possibly include them in the access control list.

More information:

Procedure

  1. Maintain the user assignment in table USREXTID, for example, with report RSUSREXT.

    Data for Table USREXTID

    | Entry | Value | Comment |
    |---|---|---|
    | Client | <Client> | |
    | User | <empty> / <user name> | Specifies the user with the name used in the target system. If you leave the field empty, all users are assigned. |
    | User Group | Empty | This field is not evaluated. |
    | External ID Type | SA | SA for SAML authentication mechanism |
    | Prefix of External Name | <Issuer>:: (for example, ABAP system: <SID>/<client>:: and default issuer in Java systems: <SID>::) | Issuer of the SAML assertion |
    | Suffix of External Name | Empty | This field is not evaluated. |
    | Optional: Name of the Issuer | CN=<SID>, OU=<organizational unit>, O=SAP Trust Community, C=<country> | Owner of the importing SAML assertion signature certificate, as recorded in transaction STRUST |
    | User name as variable part | None | If the user names are identical (contained in each other), we recommend this setting. |
    | Alias as variable part | None | |
    | BAdI implementation | None | If the user names are not identical (contained in each other), we recommend this setting. |
    | Also display correct entries | None | To have the report also display entries that already exist, set this indicator. |
    | Delete all other entries for a user | None | The report USREXTID only adds new entries. To delete existing entries, set this indicator. |
    | Only Users Without External Names | Checked | Delta assignment, meaning that external names are only assigned to users who do not already have them. |
    | Test mode | None | To create only test entries, set this indicator. |

    More information: SAP Note 1362866.