Create user in NetWeaver via SAML 2.0 – 5 – Create number range
In the SAML 2.0 SSO logon with automatic user creation scenario, the user is created in the SAP system by a BADI. The user information send by the SAML 2.0 IdP is contained in the SAML response. In my previous blog I have shown how the user profile is configured using mappers in Keycloak. With these mappers the mandatory information expected by the ABAP class is provided:
- First name,
- Last name
- Email address
In a SAP NetWeaver ABAP system, each user created has a unique user id. This user id is not part of the SAML response. You may now wonder how the SAP system is creating the user and assuring that the user id is unique to the target system. This is achieved by using a number range for the actual user id for the user going to be created via the SAML 2.0 SSO process.
The ABAP class called when creating a new user is calling a function named NUMBER_GET_NEXT. For this method to work, the number range must be configured.
Note
Another user should not have a conflicting user id in the SAP system.
Source code
CALL FUNCTION 'NUMBER_GET_NEXT' EXPORTING nr_range_nr = '01' object = lc_number_range_object IMPORTING number = lv_number EXCEPTIONS OTHERS = 1.
lc_number_range_object is defined as lc_number_range_object TYPE inri-object VALUE ‘SAML2ID’. In the example code, the value of that variable is SAML2ID.
The function can be tested in transaction SE37.
In case you pass the value SAML2ID as a parameter and get back an error message you have to configure the corresponding number range. If not, the method for creating a user with SAML 2.0 will fail.
Error: OBJECT_NOT_FOUND
Root cause
You need to create the number range for the object.
Tx: SNRO
When you filter for the available objects (eg SA*), you can see that for SAML2ID nothing exists.
Solution
Create a new number range for object SAML2ID.
Object Name: SAML2ID
Create
Short Text: SAML2ID Long Text: SAML2 User ID Number Length Domain: NUM8 (see explanation below) % Warning: 10,0
Save
Provide a workbench request.
This should create a new number range for object SAML2ID. Next, add the interval
Click on “Interval Editing”.
Edit Intervals
The screen for adding an interval is shown.
Add a new interval. The Nr is given again by the ABAP class: 01 (see explanation below).
Nr: 01 From No. 1 To Number: 2000
Save
Result
Number Length Domain
The num8 number domain is defined by the ABAP class.
lv_number TYPE num8,
CALL FUNCTION 'NUMBER_GET_NEXT' EXPORTING nr_range_nr = '01' object = lc_number_range_object IMPORTING number = lv_number EXCEPTIONS OTHERS = 1
0 Comments