
SAP Applications using AD to authenticate against

Former Member
0 Kudos

Hi All,

Is it possible to delegate SAP authentication of users to Microsoft Active Directory and NOT through the local SAP application user store (listed below)?

Furthermore, which of the SAP applications listed below have this function already built in?

Currently I have the following SAP applications:

  • SAP EP

  • SAP PI v7.1

  • SAP BI/BW v7.0

  • TREX

  • SAP Business Objects v XI 3.1

  • SAP Composite Environment (CE)

  • SAP ERP v 6.0

  • SAP ERP HR

  • SAP eLearning

  • SAP EP HR v6.0 (ERP)

  • SAP Nakisa v 2.0

  • SAP GRC v 5.3

  • SAP GRC PC3.0

  • SAP BI Accelerator

  • SAP MDM v7.1

  • SAP eSourcing/ CLM v5.1

  • SAP SRM v7.1

  • SAP Composite Environment (CE)

  • SAP SRM/MDM both v7.1

  • SAP Solution Manager v7.0

  • SAP document access by opentext

  • SAP Productivity Pack v3.1

Thanks and regards,

Gul

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

thanks!

tim_alsop
Active Contributor
0 Kudos

Gul,

Yes, all of the applications can be set up to authenticate users via their Active Directory account name and password. In fact, it is not the application itself which handles the initial user authentication, but the SAP platform (e.g. NetWeaver).

For ABAP-based applications, the SNC interface is used, so you need an SNC library that supports Active Directory user authentication. Most commonly this is done using the Kerberos protocol, since Kerberos is the protocol used by Microsoft to authenticate users to the domain. You can then use Single Sign-On if you like, but depending on the library you use, you might get an option to turn off SSO and just ask the user to enter their AD account name and password each time they log on to a SAP system.

If your SAP system is running on Windows, then you can get the SNC library (mentioned above) from the SAP website, but if SAP is on UNIX or Linux you need to invest in a product from a SAP partner company/vendor. You can find companies that offer SNC libraries that work with Active Directory if you look on SAP EcoHub, e.g. https://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokersecureclient

For applications such as EP, and other applications which are accessed using a web browser, you need to consider using a login module that is installed on the Java stack, and you will then find you can set up AD user authentication and SSO (if required) when accessing apps via browser.

I hope this helps?

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

So what you are saying (if I get you right) is that should a person have access to multiple SAP applications, one can use a central Active Directory which all the SAP applications listed above can use for authentication purposes.

Therefore, if one enters the password 3 times wrong then it will lock the AD account, and thus the user will not have access to any other SAP systems until his/her account is unlocked in Active Directory?

This is a backup in case IdM fails…

Regards,

Javier

tim_alsop
Active Contributor
0 Kudos

Javier,

Yes, what you describe is correct. Depending on which product/library you use, you can implement SSO or what I call "common authentication", where the user only has to remember their AD account and password, and they are asked for this each time they log on to SAP.

I am not sure what you mean by "a backup in case IdM fails"? Can you explain? Are you going to try and implement password sync with IdM and see if this works before you invest any time in AD authentication solutions?

Thanks,

Tim

tim_alsop
Active Contributor
0 Kudos

I am a bit confused about who this thread belongs to, is it Gul or Javier? Are these people the same, or from the same company?

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

Let me try to explain what I'm trying to do...

At my company I have many SAP applications and currently we use an Enterprise Portal whose job is to authenticate a given user (through the use of Active Directory).

The way this portal functions is as follows:

1. It will take the user credentials and log on to the SAP GUI (using the user credentials).

2. The SAP GUI will log the user into a given SAP application.

This in effect creates on the one side an SSO-type solution; however, it also creates a single point of failure (the Enterprise Portal) on the other side.

We have bought IdM at the firm; however, I don't want IdM to handle the password side of things as it will be hard to manage all the applications (for lockout and suspension of accounts).

Unless there is an easy way to achieve this?

Furthermore, should SAP IdM fail because of a hardware problem, virus etc., I need the users to still work (as if nothing happened, until IdM is restored). I also don't want to use the password hook as it provides a hole in my security architecture.

So based on the above,

1. Does this make sense?

2. Is it possible to do?

Regards,

Javier

Former Member
0 Kudos

Hi Tim,

Gul and I work together...

Sorry for the confusion

regards,

Javier

tim_alsop
Active Contributor
0 Kudos

Javier,

Thank you for explaining in more detail.

Quick answers to your 2 questions:

1. Yes, it makes very good sense.

2. Yes, it is possible.

More details:

Using the approach I described in my first response to this thread, you do not need to depend on IdM, you do not need to use password sync and you do not need to depend on the portal. Instead, each SAP system will accept Kerberos credentials issued during the logon. The only infrastructure which you will depend on is your Active Directory infrastructure, but most companies are happy with this since they have built this into their network architecture.

I hope you are also clear on the security differences between what you are doing now and what you could do if you implemented Kerberos authentication using the SNC interface? For example, when a user logs on to a SAP system at the moment via GUI (with authentication via the portal), the SAP GUI session is not secured, so any data passing over the network could be accessed by an attacker, but when you use SNC to protect the session and authenticate the user who is logged on to the workstation, you have mutual authentication using cryptography, and optional data integrity and encryption.

Thanks,

Tim
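Added example (not from the thread, and not any vendor's code): Tim's first answer says SNC is the ABAP-side interface for Kerberos/AD authentication, and his last post points out that the win over the current portal-plus-GUI setup is only real if SNC actually protects the GUI session. A common mistake when rolling this out is to switch SNC on but leave the instance profile accepting unprotected GUI/RFC logons, so the old cleartext path stays open. The script below parses a constructed instance profile fragment and flags that. The parameter names (snc/enable, snc/gssapi_lib, snc/identity/as, snc/accept_insecure_gui, snc/accept_insecure_rfc, snc/accept_insecure_cpic, snc/data_protection/min, snc/only_encrypted_gui) are the standard SNC profile parameters; the SID, library path, SNC identity and values in the two profiles are made up for illustration, and the "weak" profile is the before state, the "hardened" profile the corrected one.

```python
"""Check an SAP ABAP instance profile for SNC settings that leave GUI/RFC
logons unprotected even though SNC is enabled.

Added example for the thread above; not SAP's or any SNC vendor's code.
Profile contents below are constructed for illustration.
"""

# Constructed "before" profile: SNC is on, but unprotected logons are still
# accepted and no minimum quality of protection is enforced, so a portal or
# GUI logon without SNC goes across the network in the clear.
WEAK_PROFILE = """
SAPSYSTEMNAME = PRD
snc/enable = 1
snc/gssapi_lib = /usr/sap/PRD/SYS/exe/run/libsecgss.so
snc/identity/as = p:CN=sapprd@EXAMPLE.COM
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/only_encrypted_gui = 0
"""

# Constructed "after" profile: SNC enforced, privacy protection required.
HARDENED_PROFILE = """
SAPSYSTEMNAME = PRD
snc/enable = 1
snc/gssapi_lib = /usr/sap/PRD/SYS/exe/run/libsecgss.so
snc/identity/as = p:CN=sapprd@EXAMPLE.COM
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/only_encrypted_gui = 1
"""


def parse_profile(text):
    """Parse 'name = value' lines of a SAP profile into a dict.

    '#' lines are comments; a later entry overrides an earlier one, as in a
    real profile. $(...) substitutions are not expanded here.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def check_snc(params):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if params.get("snc/enable", "0") != "1":
        findings.append("snc/enable is not 1: SNC is off, logons and GUI "
                        "traffic cross the network unprotected")
        return findings  # the remaining checks only matter with SNC on
    if not params.get("snc/gssapi_lib"):
        findings.append("snc/gssapi_lib missing: no GSS-API (e.g. Kerberos) "
                        "library configured")
    if not params.get("snc/identity/as", "").startswith("p:"):
        findings.append("snc/identity/as should be the server's SNC name "
                        "in 'p:<name>' form")
    # Any value other than 0 (1, or U for per-user exceptions) keeps the
    # unprotected logon path open; SNC becomes optional instead of enforced.
    for p in ("snc/accept_insecure_gui", "snc/accept_insecure_rfc",
              "snc/accept_insecure_cpic"):
        if params.get(p, "0") != "0":
            findings.append(f"{p}={params[p]}: unprotected logons via this "
                            "channel are still accepted")
    # Quality of protection: 1 = authentication only, 2 = integrity,
    # 3 = privacy (encryption). Anything below 3 leaves data readable.
    try:
        qop_min = int(params.get("snc/data_protection/min", "1"))
    except ValueError:
        qop_min = 1
    if qop_min < 3:
        findings.append(f"snc/data_protection/min={qop_min}: encryption is "
                        "not required for SNC-protected sessions")
    if params.get("snc/only_encrypted_gui", "0") != "1":
        findings.append("snc/only_encrypted_gui is not 1: GUI connections "
                        "without encryption are still allowed")
    return findings


def report(label, text):
    """Print findings for one profile and return them."""
    findings = check_snc(parse_profile(text))
    print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
    for f in findings:
        print("  -", f)
    return findings


if __name__ == "__main__":
    report("weak profile", WEAK_PROFILE)
    report("hardened profile", HARDENED_PROFILE)
```

Run this against the actual instance profile (the file under /usr/sap/<SID>/SYS/profile on the application server) rather than the embedded text; the point is that snc/enable=1 alone proves nothing about the GUI session Tim describes until the accept_insecure_* parameters are 0 and a minimum quality of protection is set.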