on 03-09-2016 5:40 AM
Hi All,
We have enabled SSO with ADFS SAML 2.0 for the SAP Gateway system. Now we can connect the SAP application with SAML SSO using the user mapping option.
Our requirement is:
a) We have 200K end users to access our SAP Fiori application.
b) All 200K user ids are created in ADFS but not in SAP GW system.
We are planning to sync all 200K user IDs from LDAP to SAP GW, but it is not a good approach and the Security team will not accept exposing employee info.
So, we can see that SAML SSO provides a feature called on-the-fly auto user creation.
I tried the approaches below to create user accounts on the fly:
Approach 1:
Name ID: Unspecified
UserID Source: Assertion Subject NameID
UserID Mapping Mode: User Alias
Allow Identity Provider to Create NameID: YES
These settings are working for user mapping with (a) User Alias and (b) mapping in table USREXTID, type SA.
But any new user who is not mapped to a user ID in SAP is unable to access SAP Fiori. Here we want automatic user creation in the SAP system.
Approach 2:
NameID=Persistent
Account federation=Interactive Account linking.
Here, when I access my SAP Fiori application, after ADFS authentication I am prompted with the SAP logon screen to enter the SAP user ID/password and the federated local user account is checked.
Once I did that, I successfully connected to the SAP Fiori tiles, and from the second login onwards I am entering the SAP Fiori apps with SAML SSO.
But here I am looking at enablement of the auto user creation option, as we have 300K users and it's tough to create accounts and send all user credentials to users.
Please find the screenshots and help me to fix the issue.
I referred
SAP note: 0001799402 - Automatic account creation for SAML 2.0 SP
https://help.sap.com/saphelp_nw73/helpdata/en/2e/25659ad6834ce5b7f6c394fca79ee3/content.htm
http://scn.sap.com/community/sso/blog/2012/12/12/automatic-user-creation-in-as-abap-using-saml-20
Please help us here to fix the issue.
Thanks,
Nagaraju
+91-9008488440
Hello,
Have you followed any of the steps described in the Wiki: Automatic User Account Creation and Update using SAML 2.0 in AS ABAP - Security and Identity Managem...? For example have you implemented BADI_SAML20_USER_CREATE_UPDATE which is actually responsible for the account creation? Or have you defined ICF service /sap/saml2/sp/register and so on, ...? Without performing the described steps you can't achieve automatic account creation.
Best regards,
Dimitar Mihaylov
Hi Dimitar,
It seems the manual steps will be released in the latest SAP NW versions.
This functionality is planned to be released in the following future releases of SAP NetWeaver:
• NW 7.02 SP13 and higher
• NW 7.30 SP09 and higher
• NW 7.31 SP07 and higher
Our SAP Gateway is running on NW 7.02 SP17.
Do you want us to implement the same in our landscape?
We have tried that approach, but it is for SAP EP as IdP. In our case it is ADFS. We requested the ADFS team to allow us to create auto accounts in SAP, but they said there will be no extra config at ADFS.
Thanks,
Nagaraju
Hello,
You can skip only the implementation of note 1799402. All other steps have to be done. The last step with the configuration of SAP IDP (AS Java) has to be done with ADFS instead. If you already have a trust with ADFS using persistent identifiers then you should only change the ACS endpoints to be the newly created /sap/saml2/sp/register.
Regards,
Dimitar
Thanks Dimitar,
I did the configuration at ADFS. Now our endpoints are /sap/saml2/sp/register.
But we are still getting the below error for users who are not mapped to SAP user IDs.
Your account on Identity Provider [ESOSMGW] is not yet federated with any local account in system SM1 (100)
Thanks,
Nagaraju
Hi Dimitar,
1. Create a new SAML 2.0 Assertion Consumer Service (ACS) endpoint which will be used for the account creation and update
Ans: Done
2. Implement a BAdI for account creation and update.
Ans: The BAdI name is BADI_SAML20_USER_CREATE_UPDATE, which is present in our SAP Gateway system.
I have taken no action here.
By "implement", do you mean I need to do any extra settings here?
3. Configure ABAP SP to perform automatic account creation and update
Ans: I don't see it.
As per the given steps, I have to select the option "Automatic Account Creation" in the drop-down, but I could not find that.
I can see Account Federation options:
a) Interactive Account Linking
b) Out-of-Band Account Linking.
So, I have selected Interactive Account Linking and
Allow Identity Provider to Create NameID = Yes.
Still I am not able to create users on the fly.
4. Configure your IDP to send the SAML 2.0 assertion to the new ACS endpoint
Ans: Done
Thanks,
Nagaraju
Hello,
I think the Wiki page is pretty clear about the BAdI:
Implement BAdI BADI_SAML20_USER_CREATE_UPDATE
Implement and activate the BAdI for user creation or update
The BAdI name is BADI_SAML20_USER_CREATE_UPDATE, and it is located in package SAML2_COMMON. The BAdI has an example implementation in the class CL_SAML20_USER_BADI_EXAMPLE.
You do not see option "Automatic Account Creation" because there is no BAdI implementation in the system, only its interface "BADI_SAML20_USER_CREATE_UPDATE". If you are not familiar with BAdIs then please check the documentation about this.
Regards,
Dimitar
Hello,
1) You need to create the user as normal SU01 user. Additional information could be stored in other tables as well but it is a must to have a valid SU01 user in order to perform authentication to the system!
2) You can assign roles.
In any case check the example BAdI implementation "CL_SAML20_USER_BADI_EXAMPLE".
Regards,
Dimitar
Hi Dimitar,
Sorry, I am a bit confused here.
As per my understanding, if we enable auto user creation, that means it will create users in the SAP system automatically.
As you said, we have to create user IDs in SU01. Do you mean we need to create all users manually in SAP even though we enable on-the-fly auto user creation?
If yes, then how does auto user creation work here?
In our case, 300K users exist in ADFS and we want to enable SAP Fiori access for all of them, but the same user accounts do not exist in the SAP system.
Thanks,
Nagaraju
Hi Dimitar,
1) We have successfully implemented BADI as per SAP note: 0001799402 - Automatic account creation for SAML 2.0 SP.
2) We can do auto user creation on the fly using SAML.
3) We have passed the required fields in the SAML assertion to create accounts in the SAP system.
4) We can see all users in SU01.
5) We can pass default SAP roles for everyone from the SAML assertion, or we can add the required roles in the BAdI code which is mentioned in the above SAP note, so that the roles are assigned automatically to the user once it is created in the SAP system.
I am facing one issue now:
1) My ID was created on the fly in the SAP system.
2) As part of testing I deleted it and tried to create it again on the fly. It does not get created, and SAML is trying to update.
CX_SAML20_CORE: The validation of message 'Response' failed. Long text: The validation of message 'Response' failed.
Thanks,
Nagaraju
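The two posts above (Dimitar's point that the BAdI must end up with a valid SU01 user plus role assignments, and Nagaraju's list of what his implementation passes from the assertion) describe the work a BADI_SAML20_USER_CREATE_UPDATE implementation has to do. The following helper class is an added example written for this thread; it is not code from the thread, from SAP, or from the example class CL_SAML20_USER_BADI_EXAMPLE. It assumes the assertion attributes arrive as name/value pairs, assumes the ADFS attribute names (sAMAccountName, mail, givenName, sn) and the role name Z_FIORI_END_USER as placeholders, and uses ABAP 7.40+ syntax, which a 7.02 system will not compile. The BAdI interface's real method names and parameter types are deliberately not reproduced; copy them from CL_SAML20_USER_BADI_EXAMPLE and call this class from the BAdI method.

```abap
" Added example (not from the thread or from SAP). Creates a normal SU01 user from
" SAML assertion attributes and assigns a server-side role. Attribute names and the
" role name are placeholders that must match your ADFS claim rules and role design.
CLASS zcl_saml_user_provision DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    " Assumed shape of the attributes the BAdI receives: plain name/value pairs.
    TYPES: BEGIN OF ty_attr,
             name  TYPE string,
             value TYPE string,
           END OF ty_attr,
           ty_attrs TYPE STANDARD TABLE OF ty_attr WITH DEFAULT KEY.

    " Returns the SU01 user name in ev_user (created or already existing) and any
    " BAPI messages in et_return; ev_user stays initial when provisioning is refused.
    METHODS provision_user
      IMPORTING it_attrs  TYPE ty_attrs
      EXPORTING ev_user   TYPE xubname
                et_return TYPE bapiret2_t.

  PRIVATE SECTION.
    CONSTANTS c_default_role TYPE agr_name VALUE 'Z_FIORI_END_USER'.  " placeholder
    METHODS attr IMPORTING it_attrs TYPE ty_attrs iv_name TYPE string
                 RETURNING VALUE(rv_value) TYPE string.
    METHODS random_password RETURNING VALUE(rv_pwd) TYPE string.
ENDCLASS.

CLASS zcl_saml_user_provision IMPLEMENTATION.
  METHOD attr.
    " One attribute by name; initial if the IdP did not send it.
    READ TABLE it_attrs INTO DATA(ls_attr) WITH KEY name = iv_name.
    IF sy-subrc = 0.
      rv_value = ls_attr-value.
    ENDIF.
  ENDMETHOD.

  METHOD random_password.
    " The user only ever logs on via SAML, so nobody needs this value; it just has
    " to satisfy the password policy. cl_abap_random_int is not a CSPRNG, which is
    " acceptable here only because the password is never used as a credential.
    CONSTANTS lc_chars TYPE string VALUE 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!$%'.
    DATA(lo_rnd) = cl_abap_random_int=>create( seed = cl_abap_random=>seed( )
                                               min  = 0
                                               max  = strlen( lc_chars ) - 1 ).
    DO 20 TIMES.
      rv_pwd = rv_pwd && lc_chars+lo_rnd->get_next( )(1).
    ENDDO.
  ENDMETHOD.

  METHOD provision_user.
    CLEAR: ev_user, et_return.

    DATA(lv_login) = to_upper( attr( it_attrs = it_attrs iv_name = 'sAMAccountName' ) ).
    DATA(lv_mail)  = attr( it_attrs = it_attrs iv_name = 'mail' ).
    DATA(lv_first) = attr( it_attrs = it_attrs iv_name = 'givenName' ).
    DATA(lv_last)  = attr( it_attrs = it_attrs iv_name = 'sn' ).

    " Refuse assertions without a usable login name or with characters outside a
    " strict allow-list: the IdP-supplied value becomes an SU01 key, so keep it tight.
    IF lv_login IS INITIAL OR strlen( lv_login ) > 12
       OR lv_login CN 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.'.
      APPEND VALUE #( type = 'E' message = 'Assertion carries no usable login name' ) TO et_return.
      RETURN.
    ENDIF.
    DATA(lv_user) = CONV xubname( lv_login ).

    " Idempotency: an existing SU01 user is returned untouched (that is the BAdI's
    " update path, not creation).
    SELECT SINGLE @abap_true FROM usr02 WHERE bname = @lv_user INTO @DATA(lv_exists).
    IF lv_exists = abap_true.
      ev_user = lv_user.
      RETURN.
    ENDIF.

    CALL FUNCTION 'BAPI_USER_CREATE1'
      EXPORTING
        username  = lv_user
        logondata = VALUE bapilogond( ustyp = 'A' )            " dialog user
        password  = VALUE bapipwd( bapipwd = random_password( ) )
        address   = VALUE bapiaddr3( firstname = lv_first lastname = lv_last e_mail = lv_mail )
      TABLES
        return    = et_return.
    IF line_exists( et_return[ type = 'E' ] ) OR line_exists( et_return[ type = 'A' ] ).
      CALL FUNCTION 'BAPI_TRANSACTION_ROLLBACK'.
      RETURN.
    ENDIF.

    " Roles come from a server-side constant, never from a role name in the assertion:
    " the IdP then cannot elevate a user beyond what this code hands out.
    DATA(lt_roles) = VALUE bapiagr_t( ( agr_name = c_default_role ) ).
    CALL FUNCTION 'BAPI_USER_ACTGROUPS_ASSIGN'
      EXPORTING username       = lv_user
      TABLES    activitygroups = lt_roles
                return         = et_return.
    CALL FUNCTION 'BAPI_TRANSACTION_COMMIT' EXPORTING wait = 'X'.
    ev_user = lv_user.
  ENDMETHOD.
ENDCLASS.
```

The deliberate design point is that the assertion supplies identity data only (login name, name, mail) while authorization is decided on the SAP side; if ADFS groups must drive roles, map them through a table the SAP team owns rather than accepting role names from the IdP. The table check on USR02 is what keeps a second login from trying to create the same user twice.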
Hi Dimitar,
I got the solution. Actually, the users created on the fly are stored in table SAML2_PIDFED. If we delete the user in SU01, the user account keys will still be present in that table record. When we try to create the user account again using SAML auto creation, the system verifies the table, and if the user entry is already present and any value mismatches, the application will not allow the login.
Fix:
Solution 1) Delete the entry from the table.
Solution 2) Delete the Trusted Provider in the SAML2 application; then the table entries will be deleted and the accounts will be created freshly.
Thanks for your support.
Nagaraju