Nikola Simeonov

Automatic User Account Creation in AS ABAP Using SAML 2.0

Many business-to-business (B2B) scenarios require cross-company user provisioning. Automating the provisioning process across a company boundary is often difficult, which leads to the following issues:

  • Account Creation

Employees of company A have to wait until accounts are created for them in company B.

  • Account Updates

Employees’ authorizations are managed in two places – a change of user authorization (for example, due to promotion, department change, or dismissal) in company A is not automatically reflected for the corresponding user account in company B.

  • Additional Passwords

Employees have to remember additional passwords.


To solve the additional passwords issue, you can configure a Single Sign-On (SSO) mechanism. The preferred technology for cross-company SSO and identity federation is SAML 2.0. SAP provides SAML 2.0 support in AS ABAP, which is the most commonly used platform for business applications. For more information, see Configuring AS ABAP as a Service Provider.

In AS ABAP you can configure SAML 2.0 identity federation not only on the logon ID, but also on the e-mail address, the logon alias, and other identifier types. This gives additional flexibility in B2B scenarios, but it does not solve the account creation and account update problems: an account still has to exist before the federated identity can be mapped to it. The latest enhancement of the SAML 2.0 functionality for AS ABAP provides a solution to these problems.

To automatically create and update users with SAML 2.0, you implement a Business Add-In (BAdI). The SAML 2.0 framework validates the received assertion, extracts the identity information (assertion issuer, assertion subject, and assertion attributes), and calls the BAdI implementation with this information. The BAdI is responsible for creating or updating the user according to the specific requirements of the business application. The identity information to be exchanged must therefore be agreed between the companies beforehand. This includes user data (for example, first name, last name, e-mail, address) and authorization data (for example, business roles). The authorization data can be used to assign corresponding roles and profiles in AS ABAP. Because the BAdI runs only after the framework has validated the assertion, it can rely on the issuer and the attribute values being authentic; it should nevertheless map the asserted business roles onto a defined set of AS ABAP roles and profiles rather than assigning whatever role names the assertion carries, so that the partner's identity provider vouches for who the user is without being able to grant arbitrary local authorizations.
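The flow described above, as an added example that is not part of the original post or of SAP's code: Python stands in for the ABAP BAdI, because the page does not name the BAdI or its interface, so only its inputs (issuer, subject, attributes) and the create-or-update decision are modelled. The identity provider URL, the attribute names, the role mapping, the sample assertion and the 12-character user-ID rule are all assumptions made for the example.

```python
# Added example (not SAP code): the data a SAML 2.0 provisioning BAdI in AS ABAP
# receives and the create/update decision it has to make, modelled in Python.
# Issuer URL, attribute names, role names and the user-ID rule are assumptions.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Agreed between the two companies (assumed values): the IdP whose assertions we
# accept, and how its business roles map to AS ABAP roles. Only mapped values are
# ever assigned; the IdP vouches for identity but cannot name arbitrary local roles.
TRUSTED_ISSUER = "https://idp.company-a.example/saml2"
ROLE_MAP = {"PURCHASER": "Z_B2B_PURCHASER", "APPROVER": "Z_B2B_APPROVER"}

# Constructed sample assertion. The Signature element is omitted: in AS ABAP the
# SAML 2.0 framework has already validated it before the BAdI is called.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2012-12-10T09:00:00Z">
  <saml:Issuer>https://idp.company-a.example/saml2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@company-a.example</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="businessRole">
      <saml:AttributeValue>PURCHASER</saml:AttributeValue>
      <saml:AttributeValue>APPROVER</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass
class Identity:
    # What the framework hands to the BAdI: issuer, subject and attributes.
    issuer: str
    name_id: str
    name_id_format: str
    attributes: dict  # attribute name -> list of values


class ProvisioningError(Exception):
    pass


def extract_identity(assertion_xml: str) -> Identity:
    """Pull Issuer, NameID (with its Format) and all attribute values out of an assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if issuer is None or name_id is None or not (name_id.text or "").strip():
        raise ProvisioningError("assertion has no Issuer or Subject/NameID")
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [(v.text or "").strip()
                                        for v in attr.findall("saml:AttributeValue", NS)]
    return Identity(issuer.strip(), name_id.text.strip(), name_id.get("Format", ""), attributes)


def reject_reason(identity: Identity, trusted_issuer: str = TRUSTED_ISSUER):
    """None if the identity may be provisioned, otherwise a reason for the audit log."""
    if identity.issuer != trusted_issuer:
        return f"untrusted issuer {identity.issuer!r}"
    if identity.name_id_format != NAMEID_EMAIL:
        return f"federation is by e-mail, got NameID format {identity.name_id_format!r}"
    return None


def derive_user_id(email: str) -> str:
    """Assumed local naming rule: e-mail local part, upper case, alphanumerics, max 12 chars."""
    return "".join(c for c in email.split("@", 1)[0].upper() if c.isalnum())[:12]


def provision_user(identity: Identity, user_store: dict, role_map: dict = ROLE_MAP) -> dict:
    """Create or update the local account; user_store stands in for the user master.
    Federation is by e-mail, so the existing account is looked up by e-mail."""
    reason = reject_reason(identity)
    if reason:
        raise ProvisioningError(reason)
    email = identity.name_id.lower()
    user_id = next((uid for uid, rec in user_store.items() if rec["email"] == email), None)
    created = user_id is None
    if created:
        user_id = derive_user_id(email)
        if user_id in user_store:
            raise ProvisioningError(f"user ID {user_id} already taken by another e-mail")
        # SSO-only account: no password is set, so no additional credential exists.
        user_store[user_id] = {"email": email, "roles": set()}
    rec = user_store[user_id]
    rec["first_name"] = (identity.attributes.get("firstName") or [""])[0]
    rec["last_name"] = (identity.attributes.get("lastName") or [""])[0]
    asserted = identity.attributes.get("businessRole", [])
    unmapped = [r for r in asserted if r not in role_map]
    # Roles are replaced, not merged: a role the IdP no longer asserts is revoked at
    # the next logon, which addresses the "account updates" problem from the text.
    rec["roles"] = {role_map[r] for r in asserted if r in role_map}
    return {"user_id": user_id, "created": created, "record": rec, "unmapped_roles": unmapped}


if __name__ == "__main__":
    store = {}
    print(provision_user(extract_identity(SAMPLE_ASSERTION), store))
```

Running the block once creates the account and assigns both mapped roles; presenting a second assertion for the same e-mail with a different role set updates the existing record and revokes roles that are no longer asserted, while role values that are not in the agreed mapping are reported back for auditing instead of being assigned.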


An example scenario is described and configuration steps with screenshots are provided on the following wiki page: http://wiki.sdn.sap.com/wiki/x/F4PzEg.

This new functionality is to be released with SAP Note 1799402.

Any suggestions or comments are appreciated.

5 Comments

Andy Silvey

      Hi Nikola,

this is an excellent blog and couldn't come at a better time, we're implementing BD at the moment and crossing these problems of SAML authentication and User Provisioning.

      The OSS Note you refer to says:

      The requested SAP Note is either in reworking or is released internally only

      Please would you provide the OSS Note.

      Thank you and all the best,

      Andy Silvey.

Nikola Simeonov (Blog Post Author)

      Hi Andy,

      The note is currently being prepared and will be released soon. Please check again in a few days.

      Thanks!

      Nikola

Dimitar Mihaylov

      Hi Andy,

While the note is being finalized we can organize an SAPConnect meeting to show you the new functionality and discuss how it fits in your BD scenario. Do your users directly access an ABAP system, or do they do this through a Java front-end? You can contact me at the following email: <firstname>.<lastname> at sap.com.

      Regards,

      Dimitar

Dimitar Mihaylov

      Hi Andy,

      The note is now released for customers. Let us know if you need help to implement it.

      Regards,

      Dimitar

Andy Silvey

      Hi Nikola and Dimitar,

thank you so much for the feedback, the offer of support and the OSS Note.

I haven't responded yet because in the BD scenario (with the Java frontend) we're not sure if this will be the right solution for our User Provisioning because we use Tivoli Identity Manager (TIM) for User Provisioning.

If we have more questions I'll come back; in the meantime, thank you again.

      Kind regards,

      Andy.