Create user in NW ABAP automatically via SAML 2.0

There are many alternatives available to achieve single sign-on to a NetWeaver (ABAP) system. I’ve already demonstrated these at DSAG AK Development as well as documented almost all of them in my blog. For instance, take a look at SAML 2.0, X.509 based logon or OAuth 2.0. All of the above mentioned SSO alternatives have the same problem in common: the user must exist in the target NW ABAP system. If not, the user cannot log on. For instance, for X.509 logons, the SAP user must exist. All NetWeaver does during the X.509 logon is to do a user mapping.

As long as you can automatically provision new users from an IDM system to your target systems, this is not a severe issue. It gets problematic when you have a dynamic user base, like external users, self-registration or short-lived users. Consider a web site where external users can self-register and then need to look up data from an SAP system. Maybe they never will click on the link to load data from SAP, or they will the second they registered. What if you want to remove users after a certain amount of inactivity from SAP, but the user is still active in the general non-SAP data related web site? While you can manage the user provisioning of these users to NetWeaver, may times you do not want this.

Reasons to use SAML 2.0

In case a user is never accessing the area that demands access to SAP, why create an SAP user? Why provision maybe thousands of users when they do not need access right away? What if just a very few are going to access SAP data after registering? You’d have to manage a complex provisioning process and monitor it, with SLAs for the minority of your user base.

SAML 2.0 allows you to automatically create a user in NetWeaver ABAP. When the user logs on via SAML 2.0 and a corresponding user does not exist in the NW user base, a new user is created. The same user can be updated, using the latest information provided in the SAML 2.0 assertions, like email, roles, etc. The automatic user creation gives you the option to also automatically delete users from NetWeaver. For instance, in case a user did not log in x days/weeks/months, the user can be deleted. In case the user logs on later, after being deleted, the SAP user will be recreated again. For the end user, all of this is transparent.

Tasks

To be able to automatically create a user in a NetWeaver ABAP system, all you need is included in a standard NW ABAP stack. You can start without adding an add-on or new infrastructure. The logon stack for SAML 2.0 provided by SAP includes an extension point to trigger the create and update of a user.

• Create user in NetWeaver via SAML 2.0 – 1 – Extend BADI
• Create user in NetWeaver via SAML 2.0 – 2 – Implement BADI
• Create user in NetWeaver via SAML 2.0 – 3 – Configure ICF
• Create user in NetWeaver via SAML 2.0 – 4 – Configure IdP
• Create user in NetWeaver via SAML 2.0 – 5 – Create number range

Troubleshooting

Best way to learn is to fail and learn from your mistakes. Before you have to learn all my mistakes again, I’ll show here the solution to some of my mistakes and errors I’ve come across while setting up the configuration.

• Troubleshooting SAML 2.0 – SAML 2.0 trace with sec diag tool
• Troubleshooting SAML 2.0 – CX_SAML20_CORE Message is not signed

Resources from SAP/SCN

• Automatic User Account Creation and Update using SAML 2.0 in AS ABAP
• Common Problems When Configuring SAML 2.0 for AS ABAP
• Troubleshooting SAML 2.0 Scenarios