Gui 7.10 (XP) SSO -> ABAP (i5 aka AS/400)
We are a new and excited (so far) SAP customer - in blueprint phase - with solution manager running on i5/iSeries OS (IBM AS/400 h/w); SAP Gui 7.10 on Win XP/AD 2003. We have poor man's identity security to date: SAP LDAPsync pulls in user accounts+attributes from Active Directory. Imported accounts need password reset on ABAP side. End-user is "requested" to match password to AD password upon first log on. AD account if disabled has no direct effect on ABAP side.
Wish to establish SSO, remove repeat logon, and not allow SAP logon if AD account is disabled. Don't know if portal is in our scope. And how this all impacts LDAPsync to CUA?
Suggestions appreciated! I hear/read logon tickets, SNC, Kerberos. Thank you!
Tim Alsop replied
What you have described is a classic example of where SNC and Kerberos can help. Then, user will log on to workstation using their AD account and password, open SAP GUI and be able to log on to SAP applications using the credentials which are already issued on workstation for their AD domain account. The user will not have to log on twice, and you don't need to use a portal for this.
As I am sure you have read elsewhere, to achieve this you need to buy a product from an SAP partner that provides SNC Kerberos libraries. There are other SNC libraries available that use X.509 certificates from some vendors, but since your users are already authenticating with AD using simple userid and password, the use of Kerberos will be easier for you.