Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert

Many business-to-business (B2B) scenarios require cross-company user provisioning. In such cases, it might be difficult to automate the provisioning process, and this may lead to the following issues:

  • Account Creation

Employees of company A have to wait until accounts are created for them in company B.

  • Account Updates

Employees’ authorizations are managed in two places – a change of user authorization (for example, due to promotion, department change, or dismissal) in company A is not automatically reflected for the corresponding user account in company B.

  • Additional Passwords

Employees have to remember additional passwords.

To solve the additional passwords issue, you can configure Single Sign-On (SSO) mechanism. The preferred technology for cross-company SSO and identity federation is SAML 2.0. SAP provides SAML 2.0 support in AS ABAP which is the most commonly used platform for business applications. For more information, see Configuring AS ABAP as a Service Provider.

You can configure identity federation in AS ABAP using SAML 2.0 based not only on logon ID, but also on e-mail, logon alias, and other types. This gives additional flexibility in the B2B scenarios, but cannot solve the problems with account creation and update. However, the latest enhancement in SAML 2.0 functionality for AS ABAP provides a solution to these problems.

To automatically create and update users with SAML 2.0, you need to implement a Business Add-In (BAdI). The SAML 2.0 framework validates the received assertion, extracts the identity information (assertion issuer, assertion subject, and assertion attributes), and calls the BAdI implementation with this information. The BAdI is responsible for user creation and update reflecting the specific requirements of the business application. The necessary identity information must therefore first be agreed between the companies. This includes user data (for example, first name, last name, e-mail, address) and authorization data (for example, business roles). The authorization data can be used to assign corresponding roles and profiles in AS ABAP.

An example scenario is described and configuration steps with screenshots are provided on the following wiki page:

This new functionality is to be released with SAP Note # 1799402.

Any suggestions or comments are appreciated.