
SSO user mapping Using SAML 2.0

Ahmed-Ibrahim
Explorer

Dear Experts,

Hope you all have a nice day.

I am planning to implement SSO using SAML 2.0. Our MS Active Directory is already integrated with our AS Java SSO system, which is configured as IdP as well as Service Provider. My login ID for the domain is the same as my login ID to the IdP (AS Java SSO system), authenticated using Kerberos, for example TEST1, but my login to the S/4HANA system is different, for example TEST2, and the email registered in the user master record is different from the email registered on the IdP.

Kindly advise regarding how to map between user TEST1 and TEST2.

Actually, I tried to use the following SAP Note, but it is not working:

1254821 - SAML authentication for Web services in AS ABAP

Thank you

Ahmed

Matt_Fraser
Active Contributor

Hi Ahmed,

I slightly edited your question to fix a typographical error in the title. You wrote "SMAL" when you clearly meant "SAML." Fixing this should help with its searchability for others.

Regards,
Matt Fraser
SAP Community Moderator

Accepted Solutions (1)

Colt
Active Contributor

Dear Ahmed,

So you have installed your SAP IdP (AS Java) using SPNEGO to authenticate your users, based on their Active Directory authentication. Now your IdP has a UME setup: either local users only, or LDAP, or ABAP UME. On one of your Service Providers (S/4HANA) you have different user IDs. Now you are facing the challenge of Identity Federation - a normal challenge 😉

There are some solutions to federate identities between the IdP and SPs. As SAML is used to work cross-company, it often happens that you don't even have a clue about the user IDs or attributes of the connected SPs.

In general, the user ID mapping can happen at the IdP or at the SP.

You can:

  • Use an existing common, unique NAME to map the accounts: This seems not to be possible in your case; mostly the email address is used here.
  • Create a new common, unique IDENTIFIER to link the accounts: You "could" create a custom UME attribute (or use an LDAP/ABAP attribute such as Logon Alias etc.) where you maintain different attributes for your SPs and use them for Name ID creation. In that case your IdP would put TEST2 into the assertion issued for the SP (S/4HANA), and on your SP you just need to map the Name ID to your logon ID.
  • You can also make use of interactive account linking by using Persistent Pseudonyms as your Name ID format for that SP: Persistent IDs are opaque, random values that are used for each logon session to link the IdP and SP accounts. They are useful in federation scenarios where no common name exists and/or privacy of the real user name is a concern. In such a case, when the user accesses the SP the next time, he will be asked to federate his account.

Besides this, you can also put TEST1 or the email address into the assertion and map this on the S/4HANA system using the logon alias or the USREXTID table.

Cheers
Colt
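To make the SP-side options in the answer above concrete, here is an added example (not code from this thread, from SAP, or from the S/4HANA system): it takes the NameID out of a SAML 2.0 assertion and resolves it to a local user, first through an external-ID table and then through a logon-alias match. The external-ID table is only loosely modelled on what an entry in an ABAP USREXTID table holds; its keys, the "SAML" type value, the entity IDs, the user records and the sample assertions are all constructed assumptions.

```python
"""Map the NameID from a SAML 2.0 assertion to a local Service Provider user.

Added illustration, not code from the SAP Community thread or from SAP: it models
the SP-side options in the answer above (logon alias match, external-ID table
lookup) against constructed data. The external-ID table is only loosely modelled
on what an ABAP USREXTID entry holds; its key layout, the "SAML" type value,
the entity IDs and the user records are all constructed assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Hypothetical SP configuration (constructed values).
SP_ENTITY_ID = "https://s4.example.com/sap/saml2/sp"
TRUSTED_IDP = "https://idp.example.com/saml2/idp"

# Constructed user master: local user name -> logon alias ("" if none).
LOCAL_USERS = {
    "TEST2": {"alias": "TEST1"},
    "SMITHJ": {"alias": ""},
}

# Constructed external-ID table: (type, external id) -> local user name.
EXTERNAL_IDS = {
    ("SAML", "test1@idp.example"): "TEST2",
}


@dataclass(frozen=True)
class Subject:
    issuer: str
    name_id: str
    name_id_format: str
    audiences: tuple


def make_assertion(name_id, fmt=FMT_UNSPECIFIED, issuer=TRUSTED_IDP, audience=SP_ENTITY_ID):
    """Build a minimal, unsigned, constructed assertion for the examples below."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>'
        "<saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        "</saml:Assertion>"
    )


def parse_subject(assertion_xml):
    """Extract issuer, NameID (value + format) and audiences. Signature checking
    is deliberately out of scope here; a real SP validates it before this step."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if not issuer or name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion lacks Issuer or a non-empty NameID")
    audiences = tuple(
        a.text.strip() for a in root.iterfind(".//saml:Audience", SAML_NS) if a.text
    )
    return Subject(issuer.strip(), name_id.text.strip(),
                   name_id.get("Format", FMT_UNSPECIFIED), audiences)


def resolve_local_user(assertion_xml, users=LOCAL_USERS, ext_ids=EXTERNAL_IDS):
    """Return the local user for the assertion's NameID, or None if unmapped.

    The order of the two lookups is this example's own policy; the point is that
    each lookup is exact (case-sensitive) and must yield exactly one user."""
    subj = parse_subject(assertion_xml)
    if subj.issuer != TRUSTED_IDP:
        raise PermissionError(f"assertion from untrusted issuer {subj.issuer!r}")
    if SP_ENTITY_ID not in subj.audiences:
        raise PermissionError("assertion is not addressed to this SP")

    # 1. External-ID table: the IdP's NameID is stored verbatim as the key.
    mapped = ext_ids.get(("SAML", subj.name_id))
    if mapped is not None and mapped in users:
        return mapped

    # 2. Logon alias: the NameID must match exactly one user's alias.
    matches = [u for u, rec in users.items() if rec["alias"] and rec["alias"] == subj.name_id]
    if len(matches) > 1:
        raise PermissionError(f"alias {subj.name_id!r} maps to several users")
    return matches[0] if matches else None


if __name__ == "__main__":
    print(resolve_local_user(make_assertion("TEST1")))                        # TEST2 via alias
    print(resolve_local_user(make_assertion("test1@idp.example", FMT_EMAIL)))  # TEST2 via external ID
    print(resolve_local_user(make_assertion("nobody")))                        # None
```

Two points the example is built around: the external ID stored on the SP side must be byte-for-byte what the IdP puts into the NameID (a different case or a trailing space is a different key), and a mapping that can resolve to more than one local user is refused rather than picking the first hit. The issuer and audience checks are there because a NameID is only meaningful relative to the IdP that asserted it.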

Ahmed-Ibrahim
Explorer

Hello Colt,

Thank you, great explanation :).

I use logon alias mapping; it is working fine.

I am trying to use mapping in the USREXTID table, but it is not working.

I would appreciate it if you could help me with one entry as an example for mapping in the USREXTID table.

Thank you

Ahmed
