Hi,
I think you can't distinguish directly because your identity provider maps every non sap user to one sap user. So for SAP system it always look like one account (service user). To confirm this assumption I would suggest to check what SAML messages are passed between client and SAP system.
You can't trust client. Hence you can't ask client what's his non sap account ID is. A workaround could be to have a non-sap system issue a HTTP cookie that is signed and contains non SAP user ID. You can get access to HTTP cookies in custom HTTP handler so that would allow you to get non sap ID. So the flow could be:
1. A user goes to non-SAP system and authenticates against it using SAML
2. Non-sap system issues a custom HTTP cookie that is signed and redirects to SAP system (the system must have common domain otherwise SAP system won't be able to read generated cookie)
3. SAP system uses SAML to authenticate user. A user is logged on as SAP service user
4. Custom HTTP handler reads the HTTP cookie, verifies signature and extract non-sap user ID (verification is important)
5. GW service is executed that uses non-sap ID extracted in step 4
As you can see the above solution is quite tricky. The proper solution to me seems to be automating user provisioning to your gateway system. You need to deploy some kind of identity management solution. There is SAP IdM but there are other solutions from other vendors. You could even build a custom for this specific case. I assume that you have LDAP server with all users. So building a script that dumps all students into a flat file and then using standard BAPIs to create/change users should not take too long to build. The customer solution is not going to be a future proof solution.
Cheers