Registration

Dear SAP Community Member,
In order to fully benefit from what the SAP Community has to offer, please register at:
http://scn.sap.com
Thank you,
The SAP Community team.
Skip to end of metadata
Go to start of metadata

This wiki page describes the procedure to enable automatic user account creation and update using SAML 2.0 in AS ABAP.  

AS ABAP Releases

This functionality is released in the following releases of SAP NetWeaver:

  • NW 7.02 SP13 and higher
  • NW 7.30 SP09 and higher
  • NW 7.31 SP07 and higher

For NW 7.02 SP12, SAP Note 1799402 - Automatic account creation for SAML 2.0 SP should be implemented.

SAP Notes

1992049 - SAMl 2.0 user update is not working with IdP initated SSO - valid for 7.02 SP15, 7.30 SP11, 7.31 SP11, 7.40 SP5 or 7.40 SP6

2016414 - Show custom error page for automatic account creation failures during SAML 2.0 logon - valid for 7.02 SP13, 7.02 SP14, 7.30 SP9, 7.30 SP10, 7.40 SP2-SP7

 

 

Example

An example scenario with two companies, Boilit and ITelO, is used to better explain the configuration steps.

ITelO is a supplier of IT equipment and has set up an online purchase ordering system for its customers. Boilit is a chemical company and is a customer of ITelO. As such Boilit has the requirements that its employees have single sign-on access to the ITelO’s purchase ordering system, and different permissions are granted to them based on their business roles at Boilit. For example, engineers shall be able to create purchase orders and purchasers to approve or deny them.

For auditing reasons, the ITelO’s purchase ordering system does not allow the creation and approval of purchase orders with service users. Due to this restriction every Boilit engineer and purchaser has to have an individual user account in ITelO’s system (AS ABAP).

The two companies have decided to use SAML 2.0 as a single sign-on technology because of the following additional features supported by AS ABAP:

  • Automatic user account creation
  • Automatic user account update

In addition, the administrators of the ITelO’s system do not have to worry about revocation of access rights of former Boilit employees. The Boilit employees can access the ITelO’s system by only using the SAML 2.0 identity provider of Boilit, i.e. when they are logged into the Boilit corporate network.

In our example scenario, Michael Smith and Denise Richards are employees of Boilit that have different business roles at the company. Michael as an engineer can order IT equipment from ITelO. Denise as a purchaser can approve orders created by engineers.

Michael needs to order a new laptop, but he has never used the ITelO’s purchase ordering system before. To access it, he chooses a link available on the Boilit corporate portal. This corporate portal is configured to work as an SAML 2.0 identity provider and generates SAML 2.0 assertion for Michael before redirecting him to the ITelO’s system. This assertion is digitally signed and contains information for Michael such as first name, last name, e-mail, and also his business role, engineer.

<Assertion xmlns:ns3="http://www.w3.org/2001/04/xmlenc#" ID="A-abc7b27f-8336-4f30-99dd-de660d5f8a9e" IssueInstant="2012-12-11T06:13:03.765Z" Version="2.0">
  <Issuer>boilit</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  …
  </ds:Signature>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
     NID-P-nYWWrcpfvkDD6zNbybR5/Ci3C6o=
    </NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData NotOnOrAfter="2012-12-11T06:23:13.593Z" Recipient="https://orders.ITelO.com/sap/saml2/sp/register/001"/>
      </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2012-12-11T06:08:13.593Z" NotOnOrAfter="2012-12-11T06:23:13.593Z">
    <AudienceRestriction>
      <Audience>itelo</Audience>
    </AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2012-12-11T06:13:13.593Z" SessionIndex="S-SP-8c22f243-ac1f-49b3-919f-b53647e293f6">
    <AuthnContext>
      <AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
      </AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="email">
      <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">michael.smith@boilit.com</AttributeValue>
    </Attribute>
    <Attribute Name="firstname">
      <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Michael</AttributeValue>
      </Attribute>
      <Attribute Name="lastname">
        <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Smith</AttributeValue>
      </Attribute>
      <Attribute Name="memberof">
        <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Engineers</AttributeValue>
      </Attribute>
  </AttributeStatement>
</Assertion>

The ITelO’s system validates the signature of the assertion and because Michael does not yet have a user account, the system creates one for him. The information from the assertion is used to set the corresponding user attributes and roles in AS ABAP. After the creation is completed, Michael is successfully authenticated, and he is allowed to order a new laptop.

Denise receives a notification that there is a new purchase order created in ITelO’s system. Previously she had accessed the system directly and had authenticated with username and password. However, the direct access with username and password was disabled a few weeks ago because of security reasons. She was on a honey moon at that time, and now it is the first time she accesses the ITelO’s system using the new link from the corporate portal. Like Michael, she chooses the link to the ITelO’s system, and a SAML 2.0 assertion is generated. It contains her first name, new last name after the marriage, e-mail, and business role.

<Assertion xmlns:ns3="http://www.w3.org/2001/04/xmlenc#" ID="A-f669c081-1958-4fb3-961a-902f25f9a393" IssueInstant="2012-12-11T06:03:12.062Z" Version="2.0">
  <Issuer>boilit</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  ...
  </ds:Signature>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
NID-P-1jt/ecH+h4kkgaiVl3DnbULvdoQ=
    </NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData NotOnOrAfter="2012-12-11T06:13:47.953Z" Recipient="https://orders.ITelO.com/sap/saml2/sp/register/001"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2012-12-11T05:58:47.953Z" NotOnOrAfter="2012-12-11T06:13:47.953Z">
    <AudienceRestriction>
      <Audience>itelo</Audience>
    </AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2012-12-11T06:03:47.953Z" SessionIndex="S-SP-e25d00c8-4c7b-46e4-b445-6c3780d49ae1">
    <AuthnContext>
      <AuthnContextClassRef>
        urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
      </AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
  <AttributeStatement>
    <Attribute Name="email">
      <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">denise.richards@boilit.com</AttributeValue>
      </Attribute>
    <Attribute Name="firstname">
      <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Denise</AttributeValue>
    </Attribute>
    <Attribute Name="lastname">
      <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Richards</AttributeValue>
    </Attribute>
    <Attribute Name="memberof">
      <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Purchasers</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>

The ITelO’s system validates the signature of the assertion and tries to find the corresponding user account. First, it searches for a mapping based on the persistent name identifier from the assertion subject. Because Denise accesses the system for the first time with SAML 2.0, her user account is not found. Second, the system searches for the user account based on the e-mail. This search succeeds and her account is updated with her new last name and a mapping is stored with the persistent name identifier from the assertion. This persistent identifier is immutable and will allow update even of her e-mail in the future. Finally, she is logged in and can approve Michael’s order.

Configuration steps

The configuration procedure includes the following steps:

Implement an SAP Note 1799402 (only AS ABAP 7.02 SP12)

  1. Log into the AS ABAP system.
  2. If you are using NW 7.02 SP12, start transaction SNOTE and implement SAP Note 1799402.

Implement BAdI BADI_SAML20_USER_CREATE_UPDATE

Implement and activate the BAdI for user creation or update
The BAdI name is BADI_SAML20_USER_CREATE_UPDATE, and it is located in package SAML2_COMMON. The BAdI has an example implementation in the class CL_SAML20_USER_BADI_EXAMPLE.

Create and configure an ICF service and alias

  1. Start transaction SICF to create a non-public ICF node.
  2. Choose the execute pushbutton.
  3. Create a node which will be used as a new ACS endpoint in the tree structure. Example: Path "/default_host/sap/bc/saml2/" and Service Name "register_user". You can choose your own names.
  4. Choose Logon Data tab for the newly created ICF node.
  5. Select Alternative Logon Procedure for Procedure.
  6. Remove SAML Logon from the Logon Procedure List located on the bottom of the window.
  7. Choose Handler List tab and add CL_HTTP_EXT_SAML20 to the handler list.
  8. Save your entries and return to the node.
  9. Activate the service for the created node.
  10. Create external alias /sap/saml2/sp/register by choosing External Aliases pushbutton.

    Warning

    The alias must be exactly /sap/saml2/sp/register.

    On IdP side, configure ACS endpoint to be http(s)://<SP host>:<SP port>/sap/saml2/sp/register/<SAP client>

  11. Choose Logon Data tab of the newly created external alias. Under Logon Data section, provide information for client, user, and password. The user that you choose must have permission to create users on the client where SAML 2.0 SP is configured for automatic user account creation.

    Warning

    If you configure automatic user creation for several application clients, you need to create the same user and password for each client.

    Note

    If you do not specify client, the system will use the default client.

  12. Select Alternative Logon Procedure for Procedure.
  13. Remove SAML Logon from the Logon Procedure List located on the bottom of the window. Make sure that "Logon Through Service Data" is on top of procedure list.
  14. Choose tab Trg Element, find the previously created ICF node in the tree structure and double click it to set the alias to point to the ICF node.
  15. Save your settings.

    Note

    When you save your entries, the system verifies the specified password.

Configure SAML 2.0 trust between Boilit (SAP identity provider) and ITelO (service provider running on AS ABAP)

SAML 2.0 Configuration of ITelO system (service provider running on AS ABAP)

  1. Start transaction SAML2
  2. Choose Trusted ProvidersAdd. You can create the new trusted provider by uploading metadata file or by entering the information manually.
  3. Configure the newly added trusted identity provider. Choose Trusted ProvidersIdentity Federation and add Persistent name ID format.
  4. Select Automatic Account Creation for Federation Mode.

    For more information about the SP configuration, see Configuring AS ABAP as a Service Provider.

SAML 2.0 Configuration of Boilit system (SAP identity provider running on AS Java)

  1. Log into the SAP NetWeaver Administrator and choose Authentication and Single Sign-OnSAML 2.0Trusted Providers to configure the identity provider to trust the AS ABAP service provider.
  2. Add the ITelO service provider to the list of service providers and enable it.
  3. To automatically create and update accounts for purchasers and engineers, the identity provider must send the SAML 2.0 assertion to the new endpoint on the service provider (ITelO’s AS ABAP system). In the example scenario the URL of the new endpoint is https://orders.itelo.com/sap/saml2/sp/register/001?sap-client=001. Choose the Edit button and set the HTTP POST endpoint.
  4. Add Persistent name ID format.
  5. Specify the name under the section Source for NameID, and add the following user-based assertion attributes: email, firstname, and lastname.
  6. Set the authorization-based assertion attribute memberof with Type Group, and Filter Engineers and Purchasers.
  • No labels