Duet Enterprise 1.0 and 2.0 Single Sign-On relies on user-mapping performed on the Gateway system. The user-mappings are administered in table USREXTID. There are multiple options to fill the table with your SharePoint account -> SAP named user entries. During the initial setup of the Duet Enterprise landscape, you typically take a shortcut and first manually add one or more entries to the table. This enables you to quickly validate that the Duet Enterprise runtime flow works for one or more test accounts, before spending the effort to map all relevant employee accounts.

When you apply the manual approach, you have to be careful to enter the user-mapping exactly as required by the Single Sign-On handling. If it is incorrect, the user-mapping derivation fails at runtime, and Duet Enterprise 2.0 runtime flows return ‘authentication error’.

For Duet Enterprise 2.0 user-mapping, the External ID value must be in the exact pattern ‘CN=<SharePoint account name>, OU=<domain name>’, with both in lower case. Any deviation, e.g. leaving out the comma or the space, or writing the domain name in upper case, causes the user mapping to fail for any SharePoint account on the NetWeaver stack. The Issuer name must be specified as ‘CN=Duet Root Certificate Authority’, which is the name the SharePoint-side ‘DuetConfig’ tool assigns to the X.509 certificate created on the SharePoint 2013 consuming farm.

Example of a proper user-mapping, i.e. the assignment of an External ID to an SAP named user:

[Image: Correct UserMapping Duet Enterprise 2.0.png]

You have 2 options to manually add entries to the table USREXTID. You can use SM30 and open view VUSREXTID in maintenance mode. But be aware that the view does not display input fields for all the table columns of USREXTID! The solid way to manually add fresh entries is via the BAdI ‘Simple Bulk User Mapping For Duet Enterprise 2.0’. The guide ‘How to Install and Configure Duet Enterprise 2.0’ describes how to do that. However, when I applied the approach as described in the guide, I afterwards experienced a failure in the user-mapping. The error is in the description of how to set the value of ‘Suffix of External ID’. The guide states that you must enter it as ‘@<domain name>’. In our case that would be “@tnv”. With that input, the resulting derived external ID is ‘<accountname>@<domain name>’ and thus different from what the X.500 certificate based user-mapping requires:

[Image: Incorrect derived External ID.png]

The correct value for the “External Suffix” field is ‘, OU=<domain name>’, with <domain name> in lower case:

[Image: Correct value for Suffix of External ID.png]

Note: once you have successfully created one or more entries in table USREXTID via the BAdI, you can from then on use any of those entries as the source for ‘Copy As’ in SM30. The table columns that are not displayed have the same value for all entries, and can thus be copied 1-on-1 and reused for new entries.
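
A pre-check for hand-entered mappings against the rules above, as an added example that is not part of the original post or of Duet Enterprise: it tests the External ID and Issuer strings and names the deviation, including the ‘@<domain name>’ form the guide's suffix produces. The function name, the account `jdoe` and the assumption that account and domain names contain no spaces are constructed for illustration; `tnv` is the domain used in the post.

```python
import re

# Values as stated in the post. Assumption of this example: account and
# domain names contain no whitespace, comma or '=' characters.
ISSUER = "CN=Duet Root Certificate Authority"
STRICT = re.compile(r"CN=([^,=\s]+), OU=([^,=\s]+)")
# Tolerant form, used only to explain *why* a value is rejected.
LOOSE = re.compile(r"(?i)cn=([^,=\s]+)\s*,?\s*ou=([^,=\s]+)")


def check_mapping(external_id, issuer=ISSUER):
    """Return a list of problems; an empty list means the entry is valid."""
    problems = []
    if issuer != ISSUER:
        problems.append("issuer must be exactly '%s'" % ISSUER)
    strict = STRICT.fullmatch(external_id)
    loose = strict or LOOSE.fullmatch(external_id)
    if loose is None:
        # Covers '<account>@<domain>', the result of the '@<domain>' suffix.
        problems.append("not of the form 'CN=<account>, OU=<domain>'")
        return problems
    if strict is None:
        problems.append("prefix or separator deviates (need 'CN=', then ', OU=')")
    account, domain = loose.group(1), loose.group(2)
    if account != account.lower():
        problems.append("account name must be lower case")
    if domain != domain.lower():
        problems.append("domain name must be lower case")
    return problems


if __name__ == "__main__":
    # Constructed sample rows: (External ID, Issuer)
    rows = [
        ("CN=jdoe, OU=tnv", ISSUER),              # valid
        ("jdoe@tnv", ISSUER),                     # suffix '@tnv' from the guide
        ("CN=jdoe,OU=tnv", ISSUER),               # space after comma missing
        ("CN=jdoe, OU=TNV", ISSUER),              # domain in upper case
        ("CN=jdoe, OU=tnv", "CN=Some Other CA"),  # wrong issuer
    ]
    for ext_id, issuer in rows:
        result = check_mapping(ext_id, issuer)
        print("%-18s %s" % (ext_id, "OK" if not result else "; ".join(result)))
```
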
