Create user in NW ABAP automatically via SAML 2.0
There are many alternatives available to achieve single sign-on to a NetWeaver (ABAP) system. I’ve already demonstrated these at DSAG AK Development and documented almost all of them in my blog. For instance, take a look at SAML 2.0, X.509 based logon or OAuth 2.0. All of the above mentioned SSO alternatives share the same problem: the user must exist in the target NW ABAP system. If not, the user cannot log on. For instance, for X.509 logons, the SAP user must exist; all NetWeaver does during an X.509 logon is map the certificate to an existing user.
As long as you can automatically provision new users from an IDM system to your target systems, this is not a severe issue. It gets problematic when you have a dynamic user base, like external users, self-registration or short-lived users. Consider a web site where external users can self-register and then need to look up data from an SAP system. Maybe they will never click on the link to load data from SAP, or they will the second they have registered. What if you want to remove users from SAP after a certain amount of inactivity, while the user is still active in the general, non-SAP part of the web site? While you can manage the user provisioning of these users to NetWeaver, many times you do not want this.
Reasons to use SAML 2.0
In case a user is never accessing the area that demands access to SAP, why create an SAP user? Why provision maybe thousands of users when they do not need access right away? What if just a very few are going to access SAP data after registering? You’d have to manage a complex provisioning process and monitor it, with SLAs for the minority of your user base.
SAML 2.0 allows you to automatically create a user in NetWeaver ABAP. When the user logs on via SAML 2.0 and a corresponding user does not exist in the NW user base, a new user is created. The same user can be updated, using the latest information provided in the SAML 2.0 assertions, like email, roles, etc. The automatic user creation gives you the option to also automatically delete users from NetWeaver. For instance, in case a user did not log in x days/weeks/months, the user can be deleted. In case the user logs on later, after being deleted, the SAP user will be recreated again. For the end user, all of this is transparent.
To be able to automatically create a user in a NetWeaver ABAP system, all you need is included in a standard NW ABAP stack. You can start without adding an add-on or new infrastructure. The logon stack for SAML 2.0 provided by SAP includes an extension point to trigger the creation and update of a user.
- Create user in NetWeaver via SAML 2.0 – 1 – Extend BADI
- Create user in NetWeaver via SAML 2.0 – 2 – Implement BADI
- Create user in NetWeaver via SAML 2.0 – 3 – Configure ICF
- Create user in NetWeaver via SAML 2.0 – 4 – Configure IdP
- Create user in NetWeaver via SAML 2.0 – 5 – Create number range
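The following is an added example that simulates the behaviour described above outside of SAP: on logon the subject of the assertion is mapped to a user, a missing user is created with a name taken from a number range, an existing user is refreshed from the assertion attributes, and users beyond an inactivity window are deleted and later recreated. It is not the NetWeaver BAdI code from this series; the assertion, the role names, the `EXT` naming scheme and the in-memory `UserStore` are all constructed for the example. One design choice worth noting: only roles from an explicit allowlist are taken over from the assertion, so the IdP can only hand out roles the ABAP side has decided to delegate.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Roles the IdP is allowed to hand out (constructed names). Anything else in the
# assertion is ignored, so a misconfigured IdP cannot grant roles never delegated.
ASSIGNABLE_ROLES = {"Z_EXT_DISPLAY", "Z_EXT_REPORTING"}

# Constructed sample assertion. Signature validation is the job of the SAML stack
# before any user creation runs; this example assumes that already happened.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2021-05-24T06:29:00Z">
  <saml:Issuer>https://idp.example.com/auth/realms/demo</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>Z_EXT_DISPLAY</saml:AttributeValue>
      <saml:AttributeValue>Z_EXT_REPORTING</saml:AttributeValue>
      <saml:AttributeValue>Z_ADMIN</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass
class SapUser:
    uname: str            # user name drawn from the number range
    name_id: str          # SAML NameID the account is mapped to
    email: str
    roles: frozenset
    last_logon: datetime


class UserStore:
    """In-memory stand-in for the NW ABAP user base (constructed for the example)."""

    def __init__(self, inactivity_days=90):
        self.users = {}                          # NameID -> SapUser
        self.inactivity = timedelta(days=inactivity_days)
        self.next_number = 1                     # plays the role of the number range object

    def next_uname(self):
        uname = f"EXT{self.next_number:07d}"     # 10 characters, fits the 12-char SAP limit
        self.next_number += 1
        return uname


def parse_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion carries no NameID; cannot map it to a user")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def logon(store, xml_text, now):
    """Create the user on first logon, otherwise refresh it from the assertion."""
    name_id, attrs = parse_assertion(xml_text)
    email = attrs.get("email", [name_id])[0]
    roles = frozenset(attrs.get("roles", [])) & ASSIGNABLE_ROLES   # allowlist filter
    user = store.users.get(name_id)
    if user is None:
        user = SapUser(store.next_uname(), name_id, email, roles, now)
        store.users[name_id] = user
        return "created", user
    user.email, user.roles, user.last_logon = email, roles, now
    return "updated", user


def purge_inactive(store, now):
    """Delete users whose last logon is older than the inactivity window; return their NameIDs."""
    stale = [nid for nid, u in store.users.items() if now - u.last_logon > store.inactivity]
    for nid in stale:
        del store.users[nid]
    return stale


def demo():
    """Walk through create, update, purge and re-create; returns the outcomes."""
    store = UserStore(inactivity_days=90)
    t0 = datetime(2021, 5, 24, 6, 29, tzinfo=timezone.utc)
    first, u1 = logon(store, SAMPLE_ASSERTION, t0)
    second, u2 = logon(store, SAMPLE_ASSERTION, t0 + timedelta(days=10))
    deleted = purge_inactive(store, t0 + timedelta(days=101))   # 91 days since last logon
    third, u3 = logon(store, SAMPLE_ASSERTION, t0 + timedelta(days=120))
    return {
        "first": first, "uname1": u1.uname, "roles": sorted(u1.roles),
        "second": second, "same_uname": u2.uname == u1.uname,
        "deleted": deleted, "third": third, "uname3": u3.uname,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the recreated user gets a fresh name from the number range rather than the old one; the mapping that stays stable across delete and recreate is the NameID, which is why the IdP must issue a persistent identifier for the subject.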
The best way to learn is to fail and learn from your mistakes. So that you do not have to repeat all of mine, here are the solutions to some of the mistakes and errors I came across while setting up the configuration.
- Troubleshooting SAML 2.0 – SAML 2.0 trace with sec diag tool
- Troubleshooting SAML 2.0 – CX_SAML20_CORE Message is not signed
wanner · May 24, 2021 at 06:29
Is there a detailed configuration process for KeyCloak IdP?
Tobias Hofmann · May 24, 2021 at 11:31
If you go through my blogs, you’ll find enough information on how to set up the scenario with Keycloak or any other SAML 2.0 IdP.
Jens Schwendemann · December 1, 2021 at 20:16
We have this scenario, where we want to expose some more critical apps like “my nuclear launch sites” on the same Fiori Frontend Server as some non-critical apps like “my little ponies”.
While that might be a bad idea from the start, I’d like to know if automatic user creation might come in handy for that. Ideally, however, I would like to have the following situation:
1: User opens launchpad from an insecure (read: no company device) device –> He sees “my little ponies”
2: User opens launchpad from a secure device –> he sees “my little ponies” plus “my nuclear launch sites”
3: User opens a “deep link” (intent-based navigation) to the “my little ponies” app with an insecure device like so: launchpad.example.com/sap/bc/ui2/flp#LittlePonies-displayPony –> user gets in
4: User opens a “deep link” (intent-based navigation) to the “my nuclear launch sites” app with an insecure device like so: launchpad.example.com/sap/bc/ui2/flp#NuclearLaunchSites-displaySite –> user gets asked to provide a second factor (ideally) or user gets blocked (not so ideally)
As far as I understood, AUC might help in 1 and 2, provided that the IdP can offer some assertions to make a decision about which roles will be assigned. This would, however, mean that the IdP must ultimately have the knowledge of which roles to assign. Local role assignment in Fiori will then be obsolete. For 3 and 4 I would need the IdP to act upon something the user requested from the FES, respecting whether he has a secure or insecure device. I think this is nothing AUC can solve, and I don’t have a clue how, if it is even possible, to tackle that.
Phew that was a lot for a comment. Hope you or some others might chime in on this.