SAML Sender Vouches uses an XML Signature over the SOAP Body, the Timestamp and the SAML assertion. To use a SAML assertion for authentication, certificate trust and user mapping need to be configured.
Configuring certificate trust
Trust is configured by importing the certificate used for the signature into the System PSE. To import the certificate, open transaction STRUST, select Certificate -> Import, add the certificate to the System PSE and save. Copy the content of the field Owner of the certificate, as it is required in the next step to create the user mapping.
Configuring user mapping
In the next step, the identity authenticated by the SAML assertion needs to be mapped to a user in the ABAP system. The mapping between an external security token, such as an X.509 certificate or a SAML assertion, and an ABAP identity is kept in table USREXTID. If the SAML assertion contains the ABAP user name, the mapping can be created with report RSUSREXTID.
A mapping entry from a SAML assertion to an ABAP identity uses the following attributes:
- SAML Issuer
- SAML Name Qualifier
- SAML Subject
To create the mappings, call report RSUSREXTID and enter <SAML issuer>:<Name Identifier>, using the certificate owner copied from STRUST as the name of the issuer. For every user on the system, the report creates a mapping <SAML Issuer>:<Name identifier>:<username> that is mapped to the user name. If the ABAP user name is not identical to the name in the SAML assertion, see SAP note 1254821.
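The following Python script is an added illustration of the lookup that the two steps above configure; it is not SAP code and does not model the ABAP runtime. It parses a constructed sender-vouches assertion, takes the issuer, name qualifier and subject the page lists as the mapping attributes, checks that the issuer matches a trusted certificate owner (the STRUST step) and looks the triple up in an in-memory stand-in for USREXTID (the RSUSREXTID step). The key format "<issuer>:<name qualifier>:<subject>", the sample assertion, the owner string and the mapping entry are all constructed assumptions; XML signature verification against the System PSE is performed by the ABAP WS runtime and is not reproduced here.

```python
"""Model of the SAML sender-vouches user-mapping step (illustration only).

Not SAP code: the ABAP WS runtime validates the XML signature against the
System PSE and then resolves the assertion against USREXTID. This script
models only the trust check and the mapping lookup with in-memory data.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"

# Constructed sample assertion; it carries no real signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>CN=WS Client, O=Example, C=DE</saml:Issuer>
  <saml:Subject>
    <saml:NameID NameQualifier="example.local">jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
  </saml:Subject>
</saml:Assertion>"""

# Constructed value standing in for the "Owner" field of the certificate
# imported into the System PSE via STRUST.
TRUSTED_ISSUERS = {"CN=WS Client, O=Example, C=DE"}

# In-memory stand-in for the USREXTID entries created by RSUSREXTID.
# The key format "<issuer>:<name qualifier>:<subject>" is an assumption.
USREXTID = {
    "CN=WS Client, O=Example, C=DE:example.local:jdoe": "JDOE",
}


def parse_assertion(xml_text):
    """Extract issuer, name qualifier, subject and subject confirmation method."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    confirmation = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if issuer is None or name_id is None or confirmation is None:
        raise ValueError("assertion lacks Issuer, NameID or SubjectConfirmation")
    return {
        "issuer": issuer.strip(),
        "name_qualifier": name_id.get("NameQualifier", ""),
        "subject": (name_id.text or "").strip(),
        "method": confirmation.get("Method"),
    }


def mapping_key(assertion):
    """Build the USREXTID lookup key from the three mapping attributes."""
    return f"{assertion['issuer']}:{assertion['name_qualifier']}:{assertion['subject']}"


def map_to_abap_user(xml_text, trusted=TRUSTED_ISSUERS, table=USREXTID):
    """Return the ABAP user for a sender-vouches assertion, or None if rejected.

    Rejection reasons, in order: wrong confirmation method, issuer not among
    the trusted certificate owners, no USREXTID entry for the key.
    """
    assertion = parse_assertion(xml_text)
    if assertion["method"] != SENDER_VOUCHES:
        return None
    if assertion["issuer"] not in trusted:
        return None
    return table.get(mapping_key(assertion))


if __name__ == "__main__":
    print(map_to_abap_user(SAMPLE_ASSERTION))
```

Run as a script it resolves the sample assertion to the constructed user JDOE; an assertion whose issuer was never imported into the System PSE, or whose subject has no USREXTID entry, resolves to None, which mirrors the two configuration steps above failing independently.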