Troubleshooting SAML 2.0 – Update a federated user
Szenario
Users are able to logon to NetWeaver ABAP via SAML 2.0 and get their user created automatically. A user information is now changed in the IdP and the corresponding information in NetWeaver must now be updated the next time the user logs on.
Problem
Updating the user information in the NetWeaver ABAP fails. An exception is raised during the execution of the update_federated_user method.
The update method calls function BAPI_USER_CHANGE to update the user
CALL FUNCTION 'BAPI_USER_CHANGE' EXPORTING username = iv_userid address = ls_addr addressx = ls_addrx TABLES return = lt_result.
Afterwards, it checks if the update was performed successfully.
LOOP AT lt_result INTO ls_result. IF ls_result-number = 039. lo_trace->trace_text( EXPORTING if_text = |User { lv_userid } was successfully updated.| "#EC NOTEXT ). ELSE. lo_trace->trace_text( EXPORTING if_text = |User { lv_userid } was not updated. Error messages: { ls_result-message } { ls_result-message_v1 } { ls_result-message_v2 } { ls_result-message_v3 }| "#EC NOTEXT iv_trace_severity = if_trace_constants=>gc_severity_error ). RAISE EXCEPTION TYPE cx_saml20 EXPORTING c_stack = cx_saml20=>create_callstack( ). ENDIF. ENDLOOP.
Root Cause
In case the number value differs, an exception is raised. In a “normal” use case, a user won’t be altered between logins. In case nothing was update, the number value is 029. No change taken, means: the update also worked fine.
Solution
As the provided example class won’t work in most cases, you need to adjust the code. Change the if expression to
IF ls_result-number = 039 OR ls_result-number = 029.
Save and activate the change. Now you can log on again as the same user via SAML 2.0.
0 Comments