Apr 17, 2020 at 07:05 AM

SAML2 Single Sign-on with Email Address


Environment: NW AS ABAP 7.52; Web Dispatcher; SAML2; ADFS

Currently I am trying to configure SSO for our Fiori application. In our company, the ADFS ID is different from the SAP logon ID. I have already configured SSO following the guide (Overview of SSL + SAML 2.0 Configuration) and I am able to make single sign-on work by maintaining the Alias field in the SAP user with the ADFS ID (samaccountname).

Now the business is requesting single sign-on with email address. The email address is maintained on both sides, in ADFS and also in SAP under the user profile.

I have changed the SAML2 configuration for email under Identity Management as below:

Supported NameID Formats: Unspecified - Persistent users

Details of NameID format "Unspecified": I tried both options below.

Option 1. UserId Source: Assertion Subject NameID; Mapping Mode: Email

Option 2. UserId Source: Assertion Attribute; Assertion Attribute Name: emailAddress; Mapping Mode: Email

On ADFS, I maintained claim rules as below:

a. Send LDAP Attributes as Claims rule:

1. From the LDAP Attribute column, select E-Mail Addresses.

2. From the Outgoing Claim Type, select E-Mail Address.

b. Create another new rule by clicking Add Rule, this time selecting Transform an Incoming Claim:

1. Select E-mail Address as the Incoming Claim Type.

2. For Outgoing Claim Type, select Name ID.

3. For Outgoing Name ID Format, select Email.

Single sign-on is not working for email address, and I am unable to locate any relevant document; every document talks about NameID - Login ID mapping. Any help is very much appreciated.
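An added diagnostic for the setup described above (not code from the original post, SAP or Microsoft): it parses an assertion of the shape an ADFS "Transform an Incoming Claim" rule with Outgoing Name ID Format = Email produces and reports whether that NameID Format is among the formats the service provider lists as supported. In SAML terms, ADFS's "Email" NameID format is the URN `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`, which is a different format from `unspecified`, so an SP configured to accept only "Unspecified" will not match it. The assertion, issuer and address are constructed placeholders.

```python
"""Report which NameID Format a SAML 2.0 assertion carries and whether the SP accepts it."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample of what an ADFS "Transform an Incoming Claim" rule with
# Outgoing Name ID Format = Email produces (issuer and address are placeholders).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_example" Version="2.0">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{FMT_EMAIL}">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (nameid_format, nameid_value, {attribute_name: [values]})."""
    root = ET.fromstring(xml_text)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None  # None: no Format attribute sent
    value = nameid.text.strip() if nameid is not None and nameid.text else None
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return fmt, value, attrs


def check_nameid(xml_text, supported_formats):
    """True if the assertion's NameID Format is one the SP is configured to accept."""
    fmt, _, _ = parse_assertion(xml_text)
    return fmt in supported_formats


if __name__ == "__main__":
    fmt, value, attrs = parse_assertion(SAMPLE_ASSERTION)
    print("NameID format:", fmt, "value:", value, "attributes:", attrs)
    # SP configured with "Unspecified" only (as in the question) vs. with emailAddress added
    print("accepted (unspecified only):", check_nameid(SAMPLE_ASSERTION, {FMT_UNSPEC}))
    print("accepted (emailAddress too):", check_nameid(SAMPLE_ASSERTION, {FMT_UNSPEC, FMT_EMAIL}))
```

Pointing this at a real assertion captured from the browser (e.g. the base64-decoded SAMLResponse) shows at a glance which Format the IdP actually sent and which attribute names it carried, which is what the SP's NameID format list and "Assertion Attribute Name" setting have to match.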