Managing Name IDs

The name ID is the common identifier between the SAML 2.0 identity provider and the service provider. By setting the name ID for a user on SAP NetWeaver Application Server (AS) to the same value as a user on the identity provider, you federate the two accounts. By removing the name ID for a user, you defederate the accounts.

Use this procedure to federate and defederate accounts or to identify the name ID used by a user account for different identity providers.

Procedure

  1. Start the SAML 2.0 configuration application (transaction SAML2).

  2. Choose the Name ID Management tab.

  3. Enter a user and choose a name ID format.

  4. Enter data as required.

    • Federate user accounts by editing the name ID of the user.

    • Defederate user accounts by removing the name ID of the user.

    The source for the name ID format determines if you can edit the name ID. For some sources, you can only view the name ID. The table below lists which name ID sources for the name ID formats are editable.

    Editable and Read-Only Sources for Name IDs per Name ID Format

    | Name ID Format | Editable Sources | Read-Only Sources |
    |---|---|---|
    | Kerberos | Mapping in USREXTID table | None |
    | Persistent | Mapping in SAML2_PIDFED table | None |
    | Unspecified, Transient, E-mail | Mapping in USREXTID table. Multiple entries with name qualifiers supported. Caution: name IDs must not include colons (:). | Logon Alias, Logon ID, E-mail |
    | Windows Name | Mapping in USREXTID table | None |
    | X509 Subject Name | None | Mapping in USREXTID table |

    Note

    The name IDs for the formats Kerberos, Windows Name, and X509 Subject Name apply for all trusted providers. The table USREXTID does not include information indicating the trusted provider for which a name ID in these formats was added.

    Note

    The system uses the same mapping for the Unspecified, Transient, and E-mail name ID formats. If you configure a specific mapping for one of these formats, it is set for the other formats too.

  5. Save your entries.
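The following is an added example written for this page; it is not part of the SAP documentation and not SAP's implementation. It is a small Python model of the federation rules in the table and notes above: the table names USREXTID and SAML2_PIDFED come from the page, but the key layout of each mapping and the function names federate, defederate and resolve are assumptions of the model. It makes the security-relevant consequence of the two notes visible: a name ID in a format whose mapping carries no trusted-provider column (Kerberos, Windows Name, X509 Subject Name) resolves to the same user no matter which trusted provider asserts it, while a persistent name ID is bound to one provider, and the Unspecified, Transient and E-mail formats share one mapping.

```python
"""Illustrative model of SAML 2.0 name ID federation on SAP NetWeaver AS.

Written for this page to make the table and notes concrete. Not SAP code:
the table names are from the page, the key layouts are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Formats whose USREXTID mapping has no trusted-provider column, so one
# entry applies to every trusted provider (first note on the page).
ALL_PROVIDER_FORMATS = {"Kerberos", "Windows Name", "X509 Subject Name"}
# Formats that share one mapping (second note on the page).
SHARED_FORMATS = {"Unspecified", "Transient", "E-mail"}
# Formats that have an editable source in the table above.
EDITABLE_FORMATS = {"Kerberos", "Persistent", "Windows Name"} | SHARED_FORMATS


class NameIdError(ValueError):
    """Raised when a name ID cannot be federated through Name ID Management."""


def _bucket(fmt: str) -> str:
    # Unspecified, Transient and E-mail are stored under one shared key.
    return "shared" if fmt in SHARED_FORMATS else fmt


def _usrextid_key(fmt: str, name_id: str, qualifier: Optional[str]):
    # Name qualifiers are only supported for the shared formats (assumed).
    return (_bucket(fmt), qualifier if fmt in SHARED_FORMATS else None, name_id)


@dataclass
class NameIdStore:
    # Model of USREXTID: (bucket, qualifier, name_id) -> user. No provider.
    usrextid: Dict[Tuple[str, Optional[str], str], str] = field(default_factory=dict)
    # Model of SAML2_PIDFED: (trusted provider, name_id) -> user.
    saml2_pidfed: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def federate(self, user: str, fmt: str, name_id: str,
                 provider: Optional[str] = None,
                 qualifier: Optional[str] = None) -> None:
        """Set the name ID of a user, federating it with the provider account."""
        if fmt not in EDITABLE_FORMATS:
            raise NameIdError(f"{fmt} name IDs are read-only in Name ID Management")
        if fmt in SHARED_FORMATS and ":" in name_id:
            raise NameIdError("name IDs must not include colons (:)")
        if fmt == "Persistent":
            if provider is None:
                raise NameIdError("persistent name IDs are mapped per trusted provider")
            self.saml2_pidfed[(provider, name_id)] = user
        else:
            self.usrextid[_usrextid_key(fmt, name_id, qualifier)] = user

    def defederate(self, fmt: str, name_id: str,
                   provider: Optional[str] = None,
                   qualifier: Optional[str] = None) -> bool:
        """Remove the name ID; returns True if a mapping was actually removed."""
        if fmt == "Persistent":
            return self.saml2_pidfed.pop((provider, name_id), None) is not None
        return self.usrextid.pop(_usrextid_key(fmt, name_id, qualifier), None) is not None

    def resolve(self, fmt: str, name_id: str, provider: str,
                qualifier: Optional[str] = None) -> Optional[str]:
        """Find the AS user for a name ID asserted by a trusted provider."""
        if fmt == "Persistent":
            # SAML2_PIDFED is keyed by provider: another provider gets no match.
            return self.saml2_pidfed.get((provider, name_id))
        # USREXTID has no provider column: any trusted provider matches.
        return self.usrextid.get(_usrextid_key(fmt, name_id, qualifier))


if __name__ == "__main__":
    store = NameIdStore()
    # Constructed sample data: user JDOE federated with two providers.
    store.federate("JDOE", "Persistent", "p-7f3a", provider="idp-hr")
    store.federate("JDOE", "Kerberos", "jdoe@EXAMPLE.COM")
    print(store.resolve("Persistent", "p-7f3a", "idp-hr"))       # JDOE
    print(store.resolve("Persistent", "p-7f3a", "idp-partner"))  # None
    print(store.resolve("Kerberos", "jdoe@EXAMPLE.COM", "idp-partner"))  # JDOE
```

When auditing federations, the last two lookups are the ones to keep in mind: removing a persistent name ID defederates one provider, whereas a Kerberos, Windows Name or X509 Subject Name entry stays valid for every provider the system trusts until it is removed.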