
It's full of stars

Where documentation meets reality


Troubleshooting SAML 2.0 - Update a federated user

By Tobias Hofmann October 2, 2020 Posted in SAP



Scenario

Users are able to log on to NetWeaver ABAP via SAML 2.0 and get their user created automatically. When a piece of user information is changed in the IdP, the corresponding information in NetWeaver must be updated the next time the user logs on.

Problem

Updating the user information in NetWeaver ABAP fails. An exception is raised during the execution of the update_federated_user method.

The update method calls the function BAPI_USER_CHANGE to update the user:

CALL FUNCTION 'BAPI_USER_CHANGE'
EXPORTING
  username = iv_userid
  address = ls_addr
  addressx = ls_addrx
TABLES
  return = lt_result.

Afterwards, it checks if the update was performed successfully:

LOOP AT lt_result INTO ls_result.
  IF ls_result-number = 039.
    lo_trace->trace_text(
      EXPORTING
        if_text = |User { lv_userid } was successfully updated.| "#EC NOTEXT
    ).
  ELSE.
    lo_trace->trace_text(
      EXPORTING
        if_text = |User { lv_userid } was not updated. Error messages: { ls_result-message } { ls_result-message_v1 } { ls_result-message_v2 } { ls_result-message_v3 }| "#EC NOTEXT
        iv_trace_severity = if_trace_constants=>gc_severity_error
    ).
    RAISE EXCEPTION TYPE cx_saml20
      EXPORTING
        c_stack = cx_saml20=>create_callstack( ).
  ENDIF.
ENDLOOP.

Root Cause

If the number value is anything other than 039, an exception is raised. In a “normal” use case, however, a user won’t be altered between logins. If nothing was updated, the number value is 029. No change was made, which means the update also worked fine.

Solution

As the provided example class won’t work in most cases, you need to adjust the code. Change the IF expression to:

IF ls_result-number = 039 OR ls_result-number = 029.

Save and activate the change. Now you can log on again as the same user via SAML 2.0.
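
The difference between the two checks can be seen by running both over sample return tables. This is an added example, not code from SAP or from the original post: the report name, the local class and its methods are hypothetical, the BAPIRET2 rows are constructed, and number 001 only stands in for any message other than 039 or 029.

```abap
REPORT z_saml_update_check.
" Added example: compares the shipped and the adjusted return check.
CLASS lcl_check DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS original
      IMPORTING it_return    TYPE bapiret2_t
      RETURNING VALUE(rv_ok) TYPE abap_bool.
    CLASS-METHODS adjusted
      IMPORTING it_return    TYPE bapiret2_t
      RETURNING VALUE(rv_ok) TYPE abap_bool.
ENDCLASS.

CLASS lcl_check IMPLEMENTATION.
  METHOD original.
    " Shipped check: any message other than 039 counts as a failed update.
    rv_ok = abap_true.
    LOOP AT it_return INTO DATA(ls_result).
      IF ls_result-number <> 039.
        rv_ok = abap_false.
        RETURN.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.

  METHOD adjusted.
    " Adjusted check: 039 (updated) and 029 (nothing to change) both pass.
    rv_ok = abap_true.
    LOOP AT it_return INTO DATA(ls_result).
      IF ls_result-number <> 039 AND ls_result-number <> 029.
        rv_ok = abap_false.
        RETURN.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed sample rows, one per logon situation.
  DATA(lt_cases) = VALUE bapiret2_t(
    ( number = '039' message = 'constructed: attribute changed in the IdP' )
    ( number = '029' message = 'constructed: repeat logon, nothing changed' )
    ( number = '001' message = 'constructed: any other message' ) ).

  LOOP AT lt_cases INTO DATA(ls_case).
    DATA(lt_return) = VALUE bapiret2_t( ( ls_case ) ).
    DATA(lv_original) = lcl_check=>original( lt_return ).
    DATA(lv_adjusted) = lcl_check=>adjusted( lt_return ).
    WRITE: / ls_case-number, 'original ok:', lv_original, 'adjusted ok:', lv_adjusted.
  ENDLOOP.
```

Only the 029 row is treated differently by the two checks; any other message number still ends in the exception, so a real update failure continues to block the logon.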