Troubleshooting SAML 2.0 – Error getting number
Scenario
A trust between the SAML 2.0 IdP and SP is created. A user tries to log on to NetWeaver ABAP for the first time; after successfully logging in at the IdP, the logon at the SP fails. The SAMLResponse is validated without errors, but the NetWeaver ABAP system cannot create the user.
Problem
The ABAP class (the BAdI implementation that creates the user) calls the function module NUMBER_GET_NEXT. In a freshly installed NetWeaver system this call fails, because the number range object it uses does not exist yet.
    CALL FUNCTION 'NUMBER_GET_NEXT'
      EXPORTING
        nr_range_nr = '01'
        object      = lc_number_range_object
      IMPORTING
        number      = lv_number
      EXCEPTIONS
        OTHERS      = 1.

For creating the user automatically, a number range is used, and the generated user IDs look like SAML0000001. The ABAP code defines the number range object as a constant:

    CONSTANTS lc_number_range_object TYPE inri-object VALUE 'SAML2ID'.
Because the class catches every exception with EXCEPTIONS OTHERS = 1, it only sees sy-subrc = 1 and cannot tell why the call failed. If you test the function module in SE37 and pass SAML2ID as the OBJECT parameter, you get the specific exception back:
Error: OBJECT_NOT_FOUND
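The following is an added example, not code from the original post or from SAP: the same NUMBER_GET_NEXT call, but with the function module's named exceptions instead of OTHERS = 1, so that a missing number range object is reported as OBJECT_NOT_FOUND in the BAdI itself rather than only when you reproduce the call in SE37. The report, class and method names are invented for the example, and the 7-digit zero padding is assumed from the SAML0000001 pattern in the post; the object SAML2ID, interval 01 and the user-ID prefix come from the text above.

```abap
REPORT z_saml2_next_user_id.

" Added example (not the post's own BAdI code): fetch the next SAML user ID
" from number range object SAML2ID, interval 01, and report the cause when
" the call fails instead of collapsing every exception into sy-subrc = 1.
CLASS lcl_saml_user_id DEFINITION.
  PUBLIC SECTION.
    " Returns the next user ID of the form SAML0000001 in ev_user_id,
    " or an empty ev_user_id plus a message text in ev_message.
    CLASS-METHODS get_next
      EXPORTING ev_user_id TYPE xubname
                ev_message TYPE string.
ENDCLASS.

CLASS lcl_saml_user_id IMPLEMENTATION.
  METHOD get_next.
    CONSTANTS lc_object      TYPE inri-object    VALUE 'SAML2ID'.
    CONSTANTS lc_nr_range_nr TYPE inri-nrrangenr VALUE '01'.
    CONSTANTS lc_prefix      TYPE c LENGTH 4     VALUE 'SAML'.
    DATA lv_number TYPE nriv-nrlevel.
    DATA lv_digits TYPE n LENGTH 7.   " assumed width, from SAML0000001

    CLEAR: ev_user_id, ev_message.

    CALL FUNCTION 'NUMBER_GET_NEXT'
      EXPORTING
        nr_range_nr             = lc_nr_range_nr
        object                  = lc_object
        quantity                = '1'
      IMPORTING
        number                  = lv_number
      EXCEPTIONS
        interval_not_found      = 1
        number_range_not_intern = 2
        object_not_found        = 3
        quantity_is_0           = 4
        quantity_is_not_1       = 5
        interval_overflow       = 6
        buffer_overflow         = 7
        OTHERS                  = 8.

    CASE sy-subrc.
      WHEN 0.
        " C -> N conversion keeps only the digits and pads with leading zeros,
        " so '3' becomes '0000003' and the ID becomes SAML0000003.
        lv_digits = lv_number.
        CONCATENATE lc_prefix lv_digits INTO ev_user_id.
      WHEN 3.
        " This is the case described in the post: the object was never created.
        ev_message = |Number range object { lc_object } does not exist (OBJECT_NOT_FOUND). Create it in SNRO before users can be created.|.
      WHEN 1.
        ev_message = |Interval { lc_nr_range_nr } of number range object { lc_object } not found (INTERVAL_NOT_FOUND).|.
      WHEN 6.
        ev_message = |Interval { lc_nr_range_nr } of number range object { lc_object } is exhausted (INTERVAL_OVERFLOW).|.
      WHEN OTHERS.
        ev_message = |NUMBER_GET_NEXT failed for object { lc_object } with sy-subrc { sy-subrc }.|.
    ENDCASE.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  lcl_saml_user_id=>get_next(
    IMPORTING ev_user_id = DATA(lv_user_id)
              ev_message = DATA(lv_message) ).
  IF lv_user_id IS INITIAL.
    WRITE: / lv_message.
  ELSE.
    WRITE: / 'Next SAML user ID:', lv_user_id.
  ENDIF.
```

Run the report once before and once after creating the number range: before, it prints the OBJECT_NOT_FOUND message that the original BAdI code hides behind sy-subrc = 1; afterwards it prints the next ID from the interval. In a real BAdI implementation you would write ev_message to the application log or the security trace instead of the list output, so the failed logon can be diagnosed without reproducing the call in SE37.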
Solution
You need to create the number range object SAML2ID with interval 01. Follow the steps detailed in my blog post Create user in NetWeaver via SAML 2.0 – 5 – Create number range.
Test
Run the function module NUMBER_GET_NEXT in SE37 with the same values the ABAP class passes:

NR_RANGE_NR: 01
OBJECT: SAML2ID
QUANTITY: 1

The call now returns the next number instead of the OBJECT_NOT_FOUND exception.
Result
When the ABAP class in the BAdI is now called, it gets a number from the number range and then calls the function module BAPI_USER_CREATE1.
The generated user ID uses the number from the number range.
The user is created and logged on automatically.
Transaction SU01
The user is created with the data provided in the SAML assertion.
In the trace, you can see that the NameID is mapped to the user ID SAML0000003.