Show TOC

Procedure documentationConfiguring Federation Type Service Users Locate this document in the navigation structure

 

Identity federation with the type Service Users enables authenticated users that do not have personal accounts on the AS ABAP to access your system. With this configuration multiple users are logged on with one service user account because the service provider does not care about the identity of the logged-in user. This many-to-one user mapping is done with rules that use the information provided in the assertion attributes.

You negotiate with the administrator of the identity provider to determine what kind of SAML 2.0 attributes you require. You determine how these attributes are mapped to service users in your system, while the identity provider handles the management of the users and their authentication, without your intervention.

Prerequisites

  • You have trusted an identity provider.

    For more information, see Trusting an Identity Provider.

  • You have configured the system to allow any service users for the Transient name ID format.

Procedure

  1. Start the SAML 2.0 configuration application (transaction SAML2).

  2. On the Trusted Providers tab, select an identity provider and choose the Edit pushbutton.

  3. On the Identity Federation tab, choose the Add pushbutton.

  4. Select the Transient name ID format and the federation type Service Users.

  5. Create a mapping between the SAML 2.0 attributes sent with the SAML assertion and the service users on your system.

    These attributes enable the service provider to identify the service user on the ABAP system.

  6. Determine if you want a default service user.

    The service provider uses the default service user when there is no other mapping for a transient user. If you do not configure a default service user, the service provider rejects assertions for transient users that the service provider cannot match to a service user.

    To configure a default service user, enter the user ID of a service user in the Default Service User field.

  7. Save your entries.

  8. Configure the identity provider to provide the Transient name ID format.

    For more information about configuring an identity provider, see the documentation supplied by the identity provider vendor.

More Information