Many business-to-business (B2B) scenarios require cross-company user provisioning. In such cases, it might be difficult to automate the provisioning process, and this may lead to the following issues:
- Account Creation
Employees of company A have to wait until accounts are created for them in company B.
- Account Updates
Employees’ authorizations are managed in two places – a change of user authorization (for example, due to promotion, department change, or dismissal) in company A is not automatically reflected for the corresponding user account in company B.
- Additional Passwords
Employees have to remember additional passwords.
To solve the additional passwords issue, you can configure Single Sign-On (SSO) mechanism. The preferred technology for cross-company SSO and identity federation is SAML 2.0. SAP provides SAML 2.0 support in AS ABAP which is the most commonly used platform for business applications. For more information, see Configuring AS ABAP as a Service Provider.
You can configure identity federation in AS ABAP using SAML 2.0 based not only on logon ID, but also on e-mail, logon alias, and other types. This gives additional flexibility in the B2B scenarios, but cannot solve the problems with account creation and update. However, the latest enhancement in SAML 2.0 functionality for AS ABAP provides a solution to these problems.
To automatically create and update users with SAML 2.0, you need to implement a Business Add-In (BAdI). The SAML 2.0 framework validates the received assertion, extracts the identity information (assertion issuer, assertion subject, and assertion attributes), and calls the BAdI implementation with this information. The BAdI is responsible for user creation and update reflecting the specific requirements of the business application. The necessary identity information must therefore first be agreed between the companies. This includes user data (for example, first name, last name, e-mail, address) and authorization data (for example, business roles). The authorization data can be used to assign corresponding roles and profiles in AS ABAP.
An example scenario is described and configuration steps with screenshots are provided on the following wiki page: http://wiki.sdn.sap.com/wiki/x/F4PzEg.
This new functionality is to be released with SAP Note # 1799402.
Any suggestions or comments are appreciated.