
It's full of stars

Where documentation meets reality


Create user in NetWeaver via SAML 2.0 – 1 – Extend BADI

By Tobias Hofmann September 10, 2020 Posted in SAP



The BADI you have to extend to create or update a user in the SAP NW system based on the SAML 2.0 information is BADI_SAML20_USER_CREATE_UPDATE. It offers two methods: one for creating a new user and one for updating an existing user. Keep in mind that the SAP user identified by these methods depends on the SAML IdP identity. If the same user logs in using different IdPs, there will be different SAP users, one for each IdP. Also, if the user already exists in the SAP NW system (created as a normal SAP user), that user is not affected by the create or update methods.

Extend BADI_SAML20_USER_CREATE_UPDATE

The BADI to extend is part of package SAML2_COMMON. SAP delivers an example implementation, making it easy to implement your own method.

Package: SAML2_COMMON
BADI: BADI_SAML20_USER_CREATE_UPDATE
Example: CL_SAML20_USER_BADI_EXAMPLE

SE80

The BADI has two methods: one for creating a user, one for updating an existing user.

ABAP interface

The provided example class shows how to implement these methods.

Note

You cannot simply use the provided sample class. This class only works with pre-defined IdPs. These IdPs are SAP internal.

SE80

To use the example code, it is necessary to remove the check for the SAP internal dummy IdPs. The picture below shows the lines that must be adjusted. The IF condition checks for some internal IdPs from SAP Labs in Sofia. If you do not delete these, an exception will be raised. At least we know where the BADI was developed.

ABAP source code