Create user in NetWeaver via SAML 2.0 – 3 – Configure ICF

Published by Tobias Hofmann on


The ICF configuration is more complex than the standard SAML 2.0 configuration. Instead of just validating the SAML 2.0 response, the response must be validated and a user created or updated. To be able to create or update a user, the received response must be handled by a service user that has the permission to create or update users in the NW user base. Therefore, the SAML 2.0 endpoint is not the standard ACS endpoint. An external alias is used to receive the SAML response from the IdP; there the BADI is called, and afterwards the user is redirected to the original service URL.

As this is a little bit more complex, I’ll try to explain this using a picture.

[Image: a picture containing a screenshot (automatically generated description)]

There are two ICF services:

  1. External service: /sap/saml2/sp/register
  2. Internal service: /sap/bc/saml2/register_user

The external ICF node is called by the browser with the SAMLResponse payload. The external service calls the internal one: it uses the service data (pre-configured user and password) to log on to the internal ICF service and trigger the BADI for user creation / update. The internal ICF service also validates the SAMLResponse from the IdP.

Create internal ICF service

Tx: SICF

Select the host, service path /sap/bc/saml2/ and click on “Create Host/Service”.

Name of service: register_user
Type: Independent service
Description: SAML create user
Logon Data: Alternative Logon Procedure

Remove SAML Logon from List

Logon handler: CL_HTTP_EXT_SAML20

Save and activate service

Create external ICF alias

Tx: SICF

Click on “External Aliases”.

Select default_host.

Click on Create.

External Alias: /sap/saml2/sp/register

Logon:

Client: 001
User / Password: user that can create users
Procedure: Alternative Logon Procedure

Delete SAML Logon

Change order of Logon Through Service Data to 1

Target element: /default_host/sap/bc/saml2/register_user

Save.

Result

New external alias /sap/saml2/sp/register is created.


Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.
