Identity Federation: Substitution of Subject Name Identifier in Identity Authentication



Context

Existing SAP Identity Authentication Service (SAP IAS) customers are already sending a SubjectNameIdentifier as part of the SAML response from their Identity Provider (IdP), say the EmailID for SAP Fieldglass. To onboard another SAP Cloud Application (say SAP Ariba, which may need the EmployeeID), a different SubjectNameIdentifier is needed.

A customer informed us that, from their landscape, another IdP instance cannot be created, because they are not allowed to register multiple IdPs against a single SAP Cloud Identity Services (SAP CIS) tenant (https://<SAP IAS tenant id>-accounts.ondemand.com).

Solution:

Step 1:
Identify the attribute that will serve as the NameID for the second SAP Cloud Application (Service Provider, SP). Ensure this attribute is included in the Corporate IdP's SAML response as one of the additional attributes.

Step 2:
Configure the IAS application that corresponds to the second SP so that it substitutes the SubjectNameIdentifier with the chosen additional attribute.

 

Here "IdP Proxy" refers to the SAP IAS application that substitutes the NameID.

 

Configurations: 

Prerequisites:

Configuration: SAP Ariba SSO with SAP Cloud Identity Services – Identity Authentication

Identity Federation: SAP Ariba SSO with SAP Cloud Identity Services – Identity Authentication

 

Set "Use Identity Authentication user store" = ON. Although user data is not picked up from the SAP CIS user store in this scenario, this setting is still needed.

(Path: Home > Corporate Identity Providers > select the IdP > Identity Federation > enable "Use Identity Authentication user store")

 

Subject Name Identifier > Primary Attribute

Option 1: Standard Attribute
Source = Corporate Identity Provider
Value = lastName

Option 2: Custom Attribute
Source = expression
Value = ${corporateIdP.attributeName}

(Path: Home > Application & Resources > Application > select the Application > Subject Name Identifier)

 

 

We ran a demo and captured the SAML 2.0 responses shown below.

In SAML 2.0, the NameID element inside the Subject carries the SubjectNameIdentifier value. Two steps happen here:

i) SAML response from the Corporate Identity Provider (IdP) to the SAP CIS tenant: attribute "lastName" = "sghosh01" and NameID = sghosh01@example.com
ii) Within SAP CIS, the IAS application substitutes the NameID "sghosh01@example.com" with "sghosh01" (the value of the lastName attribute) and sends the SAML response to Ariba (the SP, Service Provider)

In real scenarios, instead of the lastName attribute, an attribute such as LoginName should be used to carry the Ariba user's UniqueName.
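The two hops above, and the Primary Attribute options from the configuration section, can be modelled end to end. The following Python script is an added example written for this post; it is not SAP code and does not reproduce how SAP IAS is implemented internally. It embeds a constructed corporate IdP response (hostnames, IDs and the tenant issuer are placeholders, not values from this post), extracts the Subject NameID and the additional attributes, evaluates either the standard selector (bare attribute name, as in Option 1) or the expression form ${corporateIdP.attributeName} (Option 2), and re-issues the assertion with the substituted NameID. It also shows the failure mode a practitioner should check for: if the chosen attribute is missing or empty in the IdP response, the proxy must refuse rather than send the SP an assertion with an empty NameID. The script assumes the incoming assertion's signature has already been verified before any attribute is trusted.

```python
"""Model of Subject NameID substitution by an IdP proxy (constructed example).

Hop 1: corporate IdP -> SAP CIS tenant (NameID = e-mail, plus a lastName attribute).
Hop 2: SAP CIS -> SP (Ariba), NameID taken from the configured attribute.
Assumes the incoming assertion's XML signature was verified beforehand.
"""
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample of hop 1. Issuer host and IDs are placeholders.
CORP_IDP_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" Version="2.0">
  <saml:Issuer>https://corp-idp.example.com</saml:Issuer>
  <saml:Assertion ID="_assert-1" Version="2.0">
    <saml:Issuer>https://corp-idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">sghosh01@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="lastName">
        <saml:AttributeValue>sghosh01</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>sghosh01@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Option 2 expression syntax from the post: ${corporateIdP.<attributeName>}
EXPR_RE = re.compile(r"^\$\{corporateIdP\.([A-Za-z0-9_]+)\}$")


class MissingNameIdAttribute(ValueError):
    """The configured attribute is absent or empty in the IdP response."""


def extract_name_id(response_xml: str) -> str:
    """Return the Subject/NameID text of the (single) assertion."""
    root = ET.fromstring(response_xml)
    node = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    return node.text.strip()


def extract_attributes(response_xml: str) -> dict:
    """Map attribute Name -> list of non-empty AttributeValue strings."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.findall("./saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    return attrs


def resolve_name_id(selector: str, attributes: dict) -> str:
    """Option 1: bare attribute name (Source = Corporate IdP, Value = lastName).
    Option 2: expression ${corporateIdP.lastName}. Both resolve to the same lookup."""
    match = EXPR_RE.match(selector)
    name = match.group(1) if match else selector
    values = attributes.get(name, [])
    if not values:
        # Refuse rather than issue an assertion with an empty NameID to the SP.
        raise MissingNameIdAttribute(f"attribute '{name}' missing or empty in IdP response")
    return values[0]


def build_proxied_response(response_xml: str, selector: str, ias_issuer: str) -> str:
    """Hop 2: re-issue the assertion with NameID replaced by the selected attribute."""
    new_name_id = resolve_name_id(selector, extract_attributes(response_xml))
    root = ET.fromstring(response_xml)
    for issuer in root.iter(f"{{{SAML}}}Issuer"):
        issuer.text = ias_issuer  # the proxy becomes the issuer towards the SP
    node = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    node.text = new_name_id
    node.set("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    tenant = "https://placeholder-tenant-accounts.ondemand.com"  # placeholder issuer
    print("IdP -> CIS NameID :", extract_name_id(CORP_IDP_RESPONSE))
    out = build_proxied_response(CORP_IDP_RESPONSE, "${corporateIdP.lastName}", tenant)
    print("CIS -> SP  NameID :", extract_name_id(out))
```

Run the script directly to see the NameID before and after substitution; swapping the selector for a name the IdP does not send (for example ${corporateIdP.employeeId}) raises MissingNameIdAttribute, which is the condition to watch for in SAML-tracer when an SP reports an unknown user after the substitution is enabled.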

Corporate IdP to SAP CIS (IAS):

 

CIS to SP (Ariba):

In the SAML-tracer Summary tab, Subject shows the NameID value.

Refer to the attached .txt files for the complete SAML responses.

 
