SAML 2 configuration for users with different Name IDs in ADFS and SAP Fiori

Former Member
0 Kudos

Hello experts!

Currently I am trying to configure SSO for the Mytimesheet application. In our company, Name IDs in ADFS can have more than 12 symbols, but SAP supports users with a maximum length of 12 symbols. We use an FM that transforms the user ID during RSLDAPSYNC_USER (for example, 'sapcommunitynetwork' is transformed to 'sapcommunit1'). I have already configured SSO following the guide (Overview of SSL + SAML 2.0 Configuration), but it doesn't support the situation where a person wants to log in with the user ID 'sapcommunitynetwork', which doesn't exist on the Fiori side. And the issue is that the system should support SSO for both types of users.

Has anyone faced the same situation and knows of a solution? Or maybe you just know how to configure SAML 2 for this case.

Best Regards,

Thanks in advance,

Vachik Tevosian.

Accepted Solutions (0)

Answers (1)

martin_voros
Active Contributor
0 Kudos

Hi,

This is a common scenario where the username used for authentication against the identity provider is different from the username used by the service provider. A common example is an email address used as a username. The mapping is stored in view VUSREXTID. Check external type SA. More info here.

Cheers

Former Member
0 Kudos

Hello Martin,

Thank you for your answer. But the main problem is that every week we get some new employees, and that's why we want to have an automatic system that will add users (all our basis team should have to do is add them to the system using RSLDAPSYNC_USER). So adding every user manually to VUSREXTID is a very complicated process, and as far as I can see it cannot be populated automatically for new users.

Best Regards,

Vachik Tevosian.

martin_voros
Active Contributor
0 Kudos

What version are you on? There are some BAdIs in newer releases that might be helpful to automatically populate the principal name when a user is created. BADI_IDENTITY_SU01_CREATE sounds like a perfect match, but you need to check if RSLDAPSYNC_USER calls it.

Another approach would be to create a custom program that would be scheduled as the second step of the job (the first step would be program RSLDAPSYNC_USER). It would populate VUSREXTID for newly created users.

Cheers
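The "second job step" suggested above, as an added example that is not part of the thread or of any SAP-delivered program: it simulates, in Python, deriving a 12-character SAP user ID from a long ADFS Name ID, writing one SA-type mapping row per synced user, and the lookup the service provider performs at logon. The truncation rule (first 11 characters plus a disambiguating digit) is an assumption modelled on the 'sapcommunitynetwork' -> 'sapcommunit1' example; the real VUSREXTID key fields are not reproduced.

```python
from __future__ import annotations
from dataclasses import dataclass

SAP_USER_MAX_LEN = 12    # SAP user IDs are limited to 12 characters
EXTID_TYPE_SAML = "SA"   # external ID type for SAML Name IDs (named in the thread)


@dataclass(frozen=True)
class ExtIdEntry:
    """One simulated VUSREXTID row: external Name ID -> SAP user (assumed layout)."""
    extid_type: str
    extid: str   # the NameID ADFS sends in the SAML assertion
    bname: str   # the (possibly shortened) SAP user ID


def shorten_user_id(name_id: str, taken: set[str]) -> str:
    """Derive a <=12-char SAP user ID (assumed rule: 11-char prefix + digit).

    IDs that already fit are kept unchanged. Longer IDs sharing a prefix get
    different digits so that two employees never map to the same SAP user.
    """
    if len(name_id) <= SAP_USER_MAX_LEN:
        return name_id
    prefix = name_id[: SAP_USER_MAX_LEN - 1]
    for digit in range(1, 10):
        candidate = f"{prefix}{digit}"
        if candidate not in taken:
            return candidate
    raise ValueError(f"no free short ID left for {name_id!r}")


def build_extid_mapping(synced_name_ids: list[str],
                        existing: dict[str, ExtIdEntry] | None = None
                        ) -> dict[str, ExtIdEntry]:
    """Second job step: add mapping rows for users not mapped on earlier runs.

    Existing rows are kept verbatim so a weekly re-run never reassigns a short
    ID that a user already logs in with.
    """
    mapping = dict(existing or {})
    taken = {entry.bname for entry in mapping.values()}
    for name_id in synced_name_ids:
        if name_id in mapping:
            continue  # already mapped by a previous run
        bname = shorten_user_id(name_id, taken)
        taken.add(bname)
        mapping[name_id] = ExtIdEntry(EXTID_TYPE_SAML, name_id, bname)
    return mapping


def resolve_sso_user(mapping: dict[str, ExtIdEntry], assertion_name_id: str) -> str | None:
    """Logon-time lookup: the asserted NameID must match a row exactly, else reject."""
    entry = mapping.get(assertion_name_id)
    return entry.bname if entry is not None else None
```

Running the step twice with a growing user list shows that 'sapcommunitynetwork' keeps 'sapcommunit1' while a later 'sapcommunitynetworks' receives 'sapcommunit2', and that an unmapped NameID resolves to no user rather than to a truncated guess.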