Password synchronization between AD and SAP ABAP systems using SSO

0 Kudos

Dear All,

Can the passwords between Windows AD and SAP systems be synchronized when SSO is utilized?

Users access the SAP systems through Enterprise Portal, and with SSO setup, they can access the backend SAP ABAP systems fine.

Currently, these users have their passwords deactivated in these SAP systems. However, we would like to activate the SU01 password for users to be able to log in to these SAP systems in case EP is down.

The requirement asked is that the passwords be able to match the users' AD password so some type of synchronization needs to take place between

Please kindly advise.

Thanks in advance !

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Not possible in the way you want it.

What you can do is a "password hook" for the initial password only when resetting in the MS AD which will set the same initial password on the ABAP side, but you would still need to reset the AD password...

My recommendation would be to ensure a high availability infrastructure for the EP to avoid this, and if worst-really-does-come-worse then have a procedure to reset the previously deactivated ABAP passwords of the users and let them logon directly to the ABAP systems again with an application specific password.

If you search the forum here for "password AND synchronize" then you will find some more of the reasons behind this.

Cheers,

Julius

2 REPLIES

Former Member
0 Kudos

Another possibility which I thought of and might interest you:

If the EP goes down, it might be a bit of an overkill to reactivate and reset the passwords of all users in all connected systems. Some might be patient and wait for the EP to be restored again, and others might only need and use the access to the back end systems on an irregular basis. During the Rio Carnival, many would not notice at all...

=> So you might create a lot of undesired disruption and risk for users who are inactive while the EP is down....

If it can be assumed that a total loss of the EP can be restored within a few hours or days, and your AD is still okay and has an authentication service available for other apps, then you could add a password reset application which authenticates against the AD, and afterwards the user can request a reset of their own UID password for backend systems which the portal previously provided iViews for.

The pwd would be sent to their company mail ID and they can logon with a password via SAPGui once they have it.

When the EP is back up again and they logon via the EP (for the backend, a passwordless authentication happens again), the password is deactivated once it has expired as per your password rules. SAP Note 869218 (https://service.sap.com/sap/support/notes/869218) will help you further here.

You could also redirect the EP DNS to a message explaining this for those who attempt to logon while the EP is down and further to the AD service to request the reset for those who need it (only!).

If your disaster recovery plan is fit enough to recover the EP within a space of time which is not mission critical, then this should also work for the permanently online users attempting to logon (unless they were at the Christmas Lunch when the EP went down, and would at most hear about it afterwards... probably the next morning during the Coffee Break... :-).

=> So you only reset the passwords of users who request it while the EP is down, and they can do this themselves as long as the AD is not down as well.

Perhaps if you could explain a bit more about the requirement, the infrastructure in place and the SSO technology, then it could be tweaked further.

Cheers,

Julius

Edited by: Julius Bussche on Dec 8, 2008 12:51 AM
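
The self-service reset flow described in the reply above, sketched as an added example (it is not code from the thread or from SAP). The four injected callables standing in for AD, the ABAP password reset and the mailer, the `entitlements` map and the sample user are all assumptions made for illustration.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable
ALPHABET = string.ascii_letters + string.digits

@dataclass
class ResetService:
    # The four callables are hypothetical stand-ins injected by the caller.
    ad_authenticate: Callable[[str, str], bool]  # verify uid/password against AD
    ad_mail_of: Callable[[str], str]  # company mail ID stored in AD
    set_initial_password: Callable[[str, str, str], None]  # (system, uid, pwd)
    send_mail: Callable[[str, str], None]  # (address, body)
    entitlements: dict = field(default_factory=dict)  # uid -> backend systems
    audit: list = field(default_factory=list)

    def request_reset(self, uid, ad_password, system):
        """Return a status only; the password never goes back to the caller."""
        if not self.ad_authenticate(uid, ad_password):
            return self._log(uid, system, "denied: AD authentication failed")
        if system not in self.entitlements.get(uid, set()):
            return self._log(uid, system, "denied: no portal access to system")
        pwd = "".join(secrets.choice(ALPHABET) for _ in range(16))
        self.set_initial_password(system, uid, pwd)
        # Mail only the address held in AD, never one typed into the form.
        self.send_mail(self.ad_mail_of(uid), f"Password for {system}: {pwd}")
        return self._log(uid, system, "reset: password mailed")

    def _log(self, uid, system, outcome):
        self.audit.append((uid, system, outcome))  # record every attempt
        return outcome

def demo():
    """Constructed sample data: one user entitled to one backend."""
    outbox, backend = [], {}
    svc = ResetService(
        ad_authenticate=lambda u, p: (u, p) == ("jdoe", "ad-secret"),
        ad_mail_of=lambda u: f"{u}@example.com",
        set_initial_password=lambda s, u, p: backend.__setitem__((s, u), p),
        send_mail=lambda to, body: outbox.append((to, body)),
        entitlements={"jdoe": {"ERP"}},
    )
    results = [svc.request_reset("jdoe", "wrong", "ERP"),
               svc.request_reset("jdoe", "ad-secret", "HR"),
               svc.request_reset("jdoe", "ad-secret", "ERP")]
    return results, outbox, backend, svc.audit

if __name__ == "__main__":
    print(demo()[0])
```

Only the third request, which passes AD authentication and targets a system the user previously reached through the portal, changes a backend password; the failed attempts are recorded in the audit list without touching any account.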