
SAML2 SSO – Extension for Dynamic Attribute Mapping in S/4HANA


Hello SAP Community,

We have implemented SAML2 SSO for an SAP S/4HANA On-Premise system using an external Identity Provider (IdP). The authentication process is working as expected, with Name ID Format set to PERSISTENT and user mapping configured in the standard table SAML2_PIDFED.

Challenge

Due to compliance requirements, storing the IdP user ID in SAP for mapping purposes is not permitted. As a result, we are exploring an alternative approach to achieve user mapping without storing the IdP user ID directly.

Proposed Approach

The idea is to extend the SAML2.0 authentication process to call a third-party web service that provides an additional attribute (which can be legally stored) to be used for mapping instead of the IdP user ID. The high-level process would be:

  1. User accesses the SAP Fiori URL, triggering a redirect to the IdP authentication page.
  2. The user logs in via the IdP authentication process.
  3. The IdP sends a SAML2 response containing the IdP user ID.
  4. (Code Extension) SAP calls a third-party web service using the IdP user ID to retrieve a new attribute.
  5. SAP performs user mapping using the new attribute instead of the IdP user ID.
  6. The user is successfully logged into Fiori with their SAP username.

Questions for the Community

  1. Is it possible to extend the SAML2.0 authentication process in SAP S/4HANA to support this approach?
  2. What would be the best extension points (e.g., BAdIs, enhancement spots, user exits) to achieve this customization?
  3. Are there any potential risks or best practices we should consider when modifying the SAML2 authentication flow in this way?

Any guidance, experiences, or references to similar implementations would be greatly appreciated.

Thank you for your insights!
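The six-step flow proposed above, modelled as an added Python example that is not part of the original post and not SAP code. It assumes the platform has already validated the SAML response signature, conditions and audience before the assertion reaches the mapping step, that the third-party service is a hypothetical `lookup` callable returning a storable attribute (an employee number here), and that `SAP_USER_BY_ATTRIBUTE` stands in for a mapping table keyed on that attribute instead of the IdP user ID. The sample assertion and all directory data are constructed. The point it shows beyond the prose is the fail-closed handling: wrong issuer, non-persistent NameID, an unreachable lookup service, or a missing mapping all deny the logon rather than fall back to another identifier.

```python
"""Model of SAML2 NameID -> external attribute -> SAP user mapping (constructed example)."""
import xml.etree.ElementTree as ET
from typing import Callable, Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EXPECTED_ISSUER = "https://idp.example.test"  # constructed IdP entity ID

# Constructed, minimal assertion; signature/conditions assumed verified upstream.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3-persistent-id</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Hypothetical replacement for a SAML2_PIDFED-style table: storable attribute -> SAP user.
SAP_USER_BY_ATTRIBUTE = {"EMP-00042": "JDOE"}


class MappingError(Exception):
    """Raised whenever the logon must be denied; the caller never guesses a user."""


def extract_persistent_name_id(assertion_xml: str, expected_issuer: str) -> str:
    """Step 3: pull the IdP user ID out of the (already verified) assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise MappingError(f"unexpected issuer {issuer!r}")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        raise MappingError("NameID missing or not in persistent format")
    value = (name_id.text or "").strip()
    if not value:
        raise MappingError("empty NameID")
    return value


def stub_lookup_service(persistent_id: str) -> Optional[str]:
    """Step 4 stand-in for the third-party web service (hypothetical, constructed data)."""
    directory = {"a1b2c3-persistent-id": "EMP-00042"}
    return directory.get(persistent_id)


def failing_lookup_service(persistent_id: str) -> Optional[str]:
    """Simulates the service being unreachable so the fail-closed path can be exercised."""
    raise ConnectionError("lookup service unavailable")


def map_to_sap_user(assertion_xml: str, expected_issuer: str,
                    lookup: Callable[[str], Optional[str]]) -> str:
    """Steps 3-5: IdP user ID -> storable attribute -> SAP user, denying on any gap."""
    persistent_id = extract_persistent_name_id(assertion_xml, expected_issuer)
    try:
        attribute = lookup(persistent_id)  # the IdP ID is used only in-flight, never stored
    except Exception as exc:
        raise MappingError("attribute lookup failed; logon denied") from exc
    if not attribute:
        raise MappingError("lookup service returned no attribute for this subject")
    sap_user = SAP_USER_BY_ATTRIBUTE.get(attribute)
    if sap_user is None:
        raise MappingError(f"no SAP user mapped to attribute {attribute!r}")
    return sap_user


def logon_outcome(assertion_xml: str, expected_issuer: str,
                  lookup: Callable[[str], Optional[str]]) -> str:
    """Returns 'ALLOW:<user>' or 'DENY:<reason>' so each decision is auditable."""
    try:
        return "ALLOW:" + map_to_sap_user(assertion_xml, expected_issuer, lookup)
    except MappingError as exc:
        return "DENY:" + str(exc)


if __name__ == "__main__":
    print(logon_outcome(SAMPLE_ASSERTION, EXPECTED_ISSUER, stub_lookup_service))
    print(logon_outcome(SAMPLE_ASSERTION, "https://other.example.test", stub_lookup_service))
    print(logon_outcome(SAMPLE_ASSERTION, EXPECTED_ISSUER, failing_lookup_service))
```

Each deny reason is a distinct string so a detection rule can separate "issuer mismatch" (a possible federation misconfiguration or spoofing attempt) from "service unavailable" (an availability event that should page operations, not security).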
