Create user in NetWeaver via SAML 2.0 – 3 – Configure ICF

Published by Tobias Hofmann on

4 min read

The ICF configuration is more complex than the standard SAML 2.0 configuration. Instead of just validating the SAML 2.0 response, the response must be validated, and a user created or update. To be able to create / update a user, the response received must be handled by a service user. That user has the permission to create / update the user in the NW user base. Therefore, the SAML 2.0 endpoint is not the standard ACS endpoint. An external alias is used to receive the SAML response from the IdP, here the BADI is called, and then the user is redirected to the original service URL.

As this is a little bit more complex, I’ll try to explain this using picture.

Ein Bild, das Screenshot enthält. Automatisch generierte Beschreibung

There are two ICF services:

  1. External service: /sap/saml2/sp/register
  2. Internal service: /sap/bc/saml2/register_user

The external ICF node is called by the browser with the SAMLResponse payload. The external service is calling the internal. It will use the service data (pre-configured user & password) to log on to the internal ICF service and trigger the BADI for user creation / update. The internal ICF service will also validate the SAMLResponse from the IdP.

Create internal ICF service

Tx: SICF

Select the host, service path /sap/bc/saml2/ and click on “Create Host/Service”.

Name of service: register_user
Type: Independent service
Description: SAML create user
Logon Data: Alternative Logon Procedure

Remove SAML Logon from List

Logon handler: CL_HTTP_EXT_SAML20

Save and activate service

Create external ICF alias

Tx: SICF

Click on “External Aliases”.

Select default_host.

Click on Create.

External Alias: /sap/saml2/sp/register

Logon:

Client: 001
User / Password: user that can create users
Procedure: Alternative Logon Procedure

Delete SAML Logon

Change order of Logon Through Service Data to 1

Target element: /default_host/sap/bc/saml2/register_user

Save.

Result

New external alias /sap/saml2/sp/register is created.

Let the world know
Categories: BasisCloudSAP
Tags:

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Posts

SAP

SAP Development Tech Radar

4 min read The SAP Development Tech Radar is available online. The source code is available at its GitHub repository. The information used for to place each technology on the radar is in the folder Read more…

SAP

What if … it is not the technology?

9 min read The past The SAP Community Network (SCN) [1] went through some changes in the last 20+ years. 2011 a major change was planned, went live in 2012 and did not work as Read more…

SAP

DSAG Technologietage 2024

10 min read Moin Hamburg. Ich bin nicht aus Zucker, ich bin aus Hamburg. Mehr muss man über das Wetter nicht wissen und zum Glück sind die Technologietage keine Freiluftveranstaltung. Montags bei der Anreise und Read more…