
It's full of stars

Where documentation meets reality


Troubleshooting SAML 2.0 - Error getting number

By Tobias Hofmann October 6, 2020 Posted in SAP



Scenario

A trust between the SAML 2.0 IdP and SP is created. A user tries to log on to NetWeaver ABAP for the first time, and after successfully logging in at the IdP, the logon at the SP fails. The SAMLResponse is validated without errors, but the NetWeaver ABAP system cannot create a user.

Problem

The ABAP class calls a function module named NUMBER_GET_NEXT. In an empty NW system, this call will fail.

CALL FUNCTION 'NUMBER_GET_NEXT'
  EXPORTING
    nr_range_nr = '01'
    object      = lc_number_range_object
  IMPORTING
    number      = lv_number
  EXCEPTIONS
    OTHERS      = 1.

To create a user automatically, a number range is used to generate user IDs like SAML0000001. The ABAP code shows that lc_number_range_object is defined as lc_number_range_object TYPE inri-object VALUE 'SAML2ID'.

If you test the function in SE37 and pass that value as the OBJECT parameter, you get back an error message.

Error: OBJECT_NOT_FOUND

Solution

You need to create the number range for the object. Follow the steps detailed in my blog Create user in NetWeaver via SAML 2.0 – 5 – Create number range.

Test

Run the function NUMBER_GET_NEXT in SE37 with the same values provided by the ABAP class.

NR_RANGE_NR: 01
OBJECT: SAML2ID
QUANTITY: 1
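
The same precondition can be checked read-only, without drawing a number from the range. The report below is an added example, not code from the original post or from SAP; the report name ZSAML2_NR_CHECK is hypothetical, and it assumes the standard tables TNRO (number range objects) and NRIV (intervals).

```abap
REPORT zsaml2_nr_check.
* Added example: read-only pre-check for the SAML2ID number range.
* Report name is hypothetical. Assumes standard tables TNRO (number
* range objects) and NRIV (intervals). Does not draw a number.

CONSTANTS: lc_object   TYPE inri-object    VALUE 'SAML2ID',
           lc_range_nr TYPE inri-nrrangenr VALUE '01'.

DATA: lv_object TYPE tnro-object,
      ls_nriv   TYPE nriv.

START-OF-SELECTION.

* 1. Object must exist, otherwise NUMBER_GET_NEXT raises OBJECT_NOT_FOUND.
  SELECT SINGLE object FROM tnro INTO lv_object
    WHERE object = lc_object.
  IF sy-subrc <> 0.
    WRITE: / 'Object', lc_object, 'not defined: OBJECT_NOT_FOUND expected.'.
    RETURN.
  ENDIF.

* 2. Interval 01 must exist, otherwise INTERVAL_NOT_FOUND is raised.
  SELECT * FROM nriv INTO ls_nriv UP TO 1 ROWS
    WHERE object    = lc_object
      AND nrrangenr = lc_range_nr.
  ENDSELECT.
  IF sy-subrc <> 0.
    WRITE: / 'Interval', lc_range_nr, 'missing: INTERVAL_NOT_FOUND expected.'.
    RETURN.
  ENDIF.

* 3. Interval must be internal, otherwise NUMBER_RANGE_NOT_INTERN is raised.
  IF ls_nriv-externind = 'X'.
    WRITE: / 'Interval', lc_range_nr, 'is external: NUMBER_RANGE_NOT_INTERN expected.'.
    RETURN.
  ENDIF.

* 4. Show the fill level so an exhausted range is noticed before logons fail.
  WRITE: / 'Interval', lc_range_nr, 'OK. Current level:', ls_nriv-nrlevel,
           'upper limit:', ls_nriv-tonumber.
```

Because the calling code maps every exception to OTHERS = 1, the three failure cases are indistinguishable at logon time; this check tells them apart.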

Result

When the ABAP Class in the BADI is now called, the function BAPI_USER_CREATE1 is called.

The generated user id is using the number from the number range.

User is created and logged on automatically.

Tx SU01

User is created with the provided data from the SAML assertions.

In the trace, you can see that the NameID is mapped to the user ID SAML0000003.