SAML Auto User Creation on the fly basis in SAP system


Hi All,

    

We have enabled SSO with ADFS SAML 2.0 for the SAP Gateway system. Now we can connect to the SAP application with SAML SSO using the user mapping option.

Our requirement is:

a) We have 200K end users who need to access our SAP Fiori application.

b) All 200K user IDs are created in ADFS but not in the SAP GW system.

We are planning to sync all 200K user IDs from LDAP to SAP GW, but it is not a good approach and the Security team will not accept exposing employee info.

 

So, we can see SAML SSO provides a feature called on-the-fly auto user creation.

I tried the below approaches to create user accounts on the fly:

Approach 1:

Name ID: Unspecified

UserID Source: Assertion Subject NameID

UserID Mapping Mode: User Alias

Allow Identity Provider to Create NameID: YES

These settings are working for user mapping with (a) User Alias and (b) mapping in the USREXTID table, type SA.

But any new user who is not mapped to a user ID in SAP is unable to access SAP Fiori. Here we want to enable auto user creation in the SAP system.

Approach 2:

NameID = Persistent

Account federation = Interactive Account Linking.

Here, when I access my SAP Fiori application, after ADFS authentication I am prompted with the SAP logon screen to enter the SAP user ID/password and confirm the federated local user account.

Once I did that, I successfully connected to the SAP Fiori tiles, and from the second login onwards I enter the SAP Fiori apps with SAML SSO.

But here I am looking at enabling the auto user creation option, as we have 300K users and it's tough to create accounts and send all user credentials to users.

 

Please find the screenshots and help me to fix the issue.


I referred

SAP Note 0001799402 - Automatic account creation for SAML 2.0 SP

 

https://wiki.scn.sap.com/wiki/display/Security/Automatic+User+Account+Creation+and+Update+using+SAML...

 

https://help.sap.com/saphelp_nw73/helpdata/en/2e/25659ad6834ce5b7f6c394fca79ee3/content.htm

 

http://scn.sap.com/community/sso/blog/2012/12/12/automatic-user-creation-in-as-abap-using-saml-20

Please help us here to fix the issue.

  

Thanks,

Nagaraju

+91-9008488440

Accepted Solutions (1)


former_member182254

Hello,

Have you followed any of the steps described in the Wiki: Automatic User Account Creation and Update using SAML 2.0 in AS ABAP - Security and Identity Managem...? For example, have you implemented BADI_SAML20_USER_CREATE_UPDATE, which is actually responsible for the account creation? Or have you defined the ICF service /sap/saml2/sp/register, and so on? Without performing the described steps you can't achieve automatic account creation.

Best regards,

Dimitar Mihaylov


Hi Dimitar,

It seems the manual steps will be released in the latest SAP NW versions.

This functionality is planned to be released in the following future releases of SAP NetWeaver:
•NW 7.02 SP13 and higher
•NW 7.30 SP09 and higher
•NW 7.31 SP07 and higher


Our SAP Gateway is running on NW 7.02 SP17.

Do you want us to implement the same in our landscape?

We have tried that approach, but it is for SAP EP as IdP. In our case it is ADFS. We requested the ADFS team to allow us to create auto accounts in SAP, but they said there will be no extra config at ADFS.

Thanks,

Nagaraju

former_member182254

Hello,

You can skip only the implementation of Note 1799402. All other steps have to be done. The last step, the configuration of the SAP IDP (AS Java), has to be done with ADFS instead. If you already have a trust with ADFS using persistent identifiers, then you should only change the ACS endpoints to the newly created /sap/saml2/sp/register.

Regards,

Dimitar


Thanks Dimitar,

I did the configurations at ADFS. Now our endpoints are /sap/saml2/sp/register.

But still we are getting the below error for users who are not mapped to SAP user IDs:

Your account on Identity Provider [ESOSMGW] is not yet federated with any local account in system SM1 (100)

Thanks,

Nagaraju

former_member182254

Hello,

Have you implemented the BADI to create the user? Have you selected "Federation Mode" to be "Automatic Account Creation"?

Regards,

Dimitar


Hi Dimitar,

1. Create a new SAML 2.0 Assertion Consumer Service (ACS) endpoint which will be used for the account creation and update

Ans: Done

2. Implement a BAdI for account creation and update.

Ans: The BAdI BADI_SAML20_USER_CREATE_UPDATE is present in our SAP Gateway system.

I have taken no action here.

"Implement" means, do I need to do any extra settings here?

3. Configure ABAP SP to perform automatic account creation and update

Ans: I don't see it.

As per the given steps, I have to select the option "Automatic Account Creation" in the drop-down, but I could not find that.

I can see the Account Federation options:

                  a) Interactive Account Linking

                  b) Out-of-Band Account Linking.

So, I have selected Interactive Account Linking and Allow Identity Provider to Create NameID = Yes.

Still I am not able to create users on the fly.

4. Configure your IDP to send the SAML 2.0 assertion to the new ACS endpoint

Ans: Done

Thanks,

Nagaraju

former_member182254

Hello,

I think the Wiki page is pretty clear about the BAdI:

Implement BAdI BADI_SAML20_USER_CREATE_UPDATE


Implement and activate the BAdI for user creation or update

The BAdI name is BADI_SAML20_USER_CREATE_UPDATE, and it is located in package SAML2_COMMON. The BAdI has an example implementation in the class CL_SAML20_USER_BADI_EXAMPLE.

You do not see the option "Automatic Account Creation" because there is no BAdI implementation in the system, only its interface "BADI_SAML20_USER_CREATE_UPDATE". If you are not familiar with BAdIs, then please check the documentation about this.

Regards,

Dimitar


Thanks Dimitar,

It seems the BAdI is not implemented in the SAP system. We will do it.

As part of auto user creation on the fly:

a) Where will all the IdP users be stored in the SAP system?

b) Can we assign SAP roles to users if the users are not stored in the SAP user master table?

Thanks,

Nagaraju

former_member182254

Hello,

1) You need to create the user as a normal SU01 user. Additional information could be stored in other tables as well, but it is a must to have a valid SU01 user in order to perform authentication to the system!

2) You can assign roles.

In any case check the example BAdI implementation "CL_SAML20_USER_BADI_EXAMPLE".

Regards,

Dimitar


Hi Dimitar,

Sorry, I am a bit confused here.

As per my understanding, if we enable auto user creation, that means it will create users in the SAP system automatically.

As you said, we have to create user IDs in SU01. Do you mean we need to create all users manually in SAP even though we enable auto user creation on the fly?

If yes, then how does auto user creation work here?

In our case, we have 300K users existing in ADFS and we want to enable SAP Fiori access for all users, but the same user accounts do not exist in the SAP system.

Thanks,

Nagaraju

former_member182254

Hello,

You do not have to create users in SU01. In the BAdI implementation you have to create them programmatically as regular ABAP users, which means they have to be visible in SU01 afterwards. Check the example!

Regards,

Dimitar


Hi Dimitar,

1) We have successfully implemented the BAdI as per SAP Note 0001799402 - Automatic account creation for SAML 2.0 SP.

2) We can do auto user creation on the fly using SAML.

3) We have passed the required fields in the SAML assertion to create accounts in the SAP system.

4) We can see all users in SU01.

5) We can pass default SAP roles for everyone from the SAML assertion, or we can add the required roles in the BAdI code mentioned in the above SAP Note, so that the roles will be assigned automatically to the user once it is created in the SAP system.

I am facing one issue now:

1) My ID was created on the fly in the SAP system.

2) As part of testing I deleted it and tried to create it again on the fly. It does not create it, and SAML is trying to update:

CX_SAML20_CORE: The validation of message 'Response' failed. Long text: The validation of message 'Response' failed.

Thanks,

Nagaraju

former_member182254

Hello,

I can see that in parallel you are discussing the topic with my colleagues via support ticket 173156. I would recommend using a single channel for such issues. Please continue the discussion via the support ticket.

Best regards,

Dimitar Mihaylov


Hi Dimitar,

I got the solution. Actually, the auto users created on the fly are stored in table SAML2_PIDFED. If we delete the user in SU01, the user account keys will still be present in the table record. When we try to create the user account again using SAML auto creation on the fly, the system will verify the table, and if the user entry is already present and any value mismatches, the application will not allow the login.

Fix:

Solution 1) Delete the entry from the table.

Solution 2) Delete the Trusted Provider in the SAML2 application; then the table entries will be deleted and the accounts will be created freshly.

Thanks for your support.

Nagaraju
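The following is an added example, not code from this thread or from SAP. It models the SP-side flow the thread walks through: a persistent NameID arriving at the register endpoint, the federation record keyed on (trusted provider, NameID) standing in for SAML2_PIDFED, a BAdI-style hook standing in for BADI_SAML20_USER_CREATE_UPDATE that decides the local user name and roles, the "not yet federated" refusal under Interactive Account Linking, and the stale-record failure after an SU01 delete together with the cleanup that fixes it. The sample assertion, the issuer URL, the provider name ADFS_EXAMPLE, the attribute names uid and roles, and the role Z_FIORI_BASIC are all constructed assumptions; the dictionaries are in-memory stand-ins, not the real tables. Signature, audience and validity checks are intentionally left out so the example runs offline, and a real SP must perform them before trusting any parsed value.

```python
"""Model of SAML 2.0 SP account federation with automatic account creation.

Added example (not SAP code). Dicts stand in for the SU01 user master and for the
SAML2_PIDFED federation table; the hook stands in for BADI_SAML20_USER_CREATE_UPDATE.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample assertion; issuer, NameID, attributes and role are assumptions.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">b4f1c2d3-opaque-id</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="roles"><saml:AttributeValue>Z_FIORI_BASIC</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class FederationError(Exception):
    """Raised when the SP refuses to map the assertion to a local account."""


@dataclass
class SpState:
    trusted_issuers: dict                        # issuer entity ID -> trusted provider name
    users: dict = field(default_factory=dict)    # stand-in for the SU01 user master
    pidfed: dict = field(default_factory=dict)   # (provider, NameID) -> user; stand-in for SAML2_PIDFED
    auto_create: bool = True                     # federation mode "Automatic Account Creation"


def parse_assertion(xml_text):
    """Extract issuer, NameID, NameID format and attributes.
    Signature, audience and validity-window checks are omitted here on purpose;
    a real SP must verify the XML signature before trusting any of these values."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS).strip()
    nid = root.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text.strip() for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return issuer, nid.text.strip(), nid.get("Format"), attrs


def badi_create_user(name_id, attrs):
    """Stand-in for the BAdI: it decides the local user name and initial roles.
    Here both come from the assumed attributes 'uid' and 'roles'."""
    return attrs["uid"][0].upper(), set(attrs.get("roles", []))


def login(state, xml_text):
    issuer, name_id, fmt, attrs = parse_assertion(xml_text)
    provider = state.trusted_issuers.get(issuer)
    if provider is None:
        raise FederationError("assertion from untrusted issuer")
    key = (provider, name_id)
    if key in state.pidfed:                       # an existing federation record wins
        user = state.pidfed[key]
        if user not in state.users:               # stale: SU01 user deleted, federation row kept
            raise FederationError(f"federation record for NameID {name_id} points at missing user {user}")
        return user
    if not state.auto_create:                     # interactive linking: user must log on manually once
        raise FederationError(f"Your account on Identity Provider [{provider}] is not yet federated "
                              f"with any local account")
    if fmt != PERSISTENT:                         # a stable opaque identifier is required as the key
        raise FederationError("automatic account creation requires a persistent NameID")
    user, roles = badi_create_user(name_id, attrs)
    state.users[user] = {"roles": roles}          # visible in SU01 afterwards
    state.pidfed[key] = user
    return user


def delete_user_su01(state, user):
    """Deleting in SU01 removes the user master only; the federation row survives."""
    del state.users[user]


def delete_federation(state, provider, name_id):
    """Solution 1 from the thread: remove the stale federation entry."""
    del state.pidfed[(provider, name_id)]


def run_scenario():
    """Replays the thread: create on the fly, delete in SU01, hit the stale record, clean up."""
    state = SpState(trusted_issuers={"http://adfs.example.com/adfs/services/trust": "ADFS_EXAMPLE"})
    log = [("first login", login(state, ASSERTION)),
           ("second login", login(state, ASSERTION))]
    delete_user_su01(state, "JDOE")
    try:
        login(state, ASSERTION)
    except FederationError as e:
        log.append(("after SU01 delete", str(e)))
    delete_federation(state, "ADFS_EXAMPLE", "b4f1c2d3-opaque-id")
    log.append(("after cleanup", login(state, ASSERTION)))
    return log, state
```

Running run_scenario() shows the first login creating JDOE with Z_FIORI_BASIC, the second login reusing the federation record, the third failing because the record now points at a user that no longer exists in the user master, and the fourth succeeding again once the stale entry is removed. Switching auto_create to False on a fresh state reproduces the "not yet federated with any local account" refusal seen under Interactive Account Linking.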
