on 09-15-2019 10:58 AM
Dear Experts,
I hope you are all having a nice day.
I am planning to implement SSO using SAML 2.0. Our MS Active Directory is already integrated with our AS JAVA SSO system, and the IdP is configured as well as the service provider. My login ID for the domain is the same as my login ID to the IdP (AS JAVA SSO system), authenticated using Kerberos, for example TEST1, but my login to the S/4 HANA system is different, for example TEST2, and the email registered in the user master record is different from the email registered on the IdP.
Kindly advise on how to map between user TEST1 and TEST2.
Actually, I tried to use the following SAP Note, but it is not working:
1254821 - SAML authentication for Web services in AS ABAP
Thank you
Ahmed
Dear Ahmed,
So you have installed your SAP IdP (AS Java) using SPNEGO to authenticate your users, based on their Active Directory authentication. Now your IdP has a UME setup. Either local users only or LDAP or ABAP UME. On one of your Service Providers (S/4 HANA) you have different user IDs. Now you are facing the challenge of Identity Federation - a normal challenge 😉
There are some solutions to federate identities between the IdP and SPs. As SAML is used to work cross-company, it happens often that you don't even have a clue about the user IDs or attributes of the connected SPs.
In general the User ID Mapping can happen at the IdP or the SP.
You can:
Besides this, you can also put TEST1 or the email-address into the assertion and map this on the S/4 HANA system using logon alias or USREXTID table.
Cheers
Colt
Hello Colt,
Thank you, great explanation :)
I use login alias mapping, and it is working fine.
I am trying to use mapping in the USREXTID table, but it is not working.
I would appreciate it if you could help me with one entry as an example for mapping in the USREXTID table.
Thank you
Ahmed