Password Reset Self Service

Former Member
0 Kudos

Hi

There is an initiative to implement an application to reset passwords and unlock users of any SAP solution in our company landscape (ECC, SCM, CRM, etc.) directly from our SAP portal. The application also needs to have functionality to validate the veracity of the user, and it should also be able to reset the password in Active Directory.

We have implemented CUA recently, and I am not sure if SAP has a solution that could meet all these requirements. I've read about SAP NetWeaver Identity Management (NIdM), but I'm not quite clear about the implications of implementing NIdM. Do we have to get rid of our CUA, which is only 6 months old? I have read that SAP recommends migrating from CUA to NIdM.

Also, I've read that it is possible to integrate our Active Directory with CUA. If so, does this mean that we could change Active Directory passwords and unlock users from our CUA server?

Also, if we could handle lock, unlock and reset password centrally from the CUA, is it possible to create a Java application to run the validation and to send the request from the Portal to the CUA, to be replicated on the other systems?

Your opinion is appreciated very much

Regards

Henry


15 REPLIES

jurjen_heeck
Active Contributor
0 Kudos

Your question looks a lot like a request for some sort of password synchronisation, a topic seen more often in the forum. These discussions all have the habit of ending with the advice to look for single sign on...

Former Member
0 Kudos

Well, Single Sign On is a solution to avoid the user having to handle a lot of different logins/passwords on different applications; our company culturally is far for applying SSO for our SAP solutions.

Instead they prefer to have an application to centralize the user lock/unlock and password change. Now, I don't know if some of you have had the opportunity to work on a similar project, to know if maybe CUA could be the central system and if we could use the Portal as a frontend for the functionality.

0 Kudos

> Well, Single Sign On is a solution to avoid the user having to handle a lot of different logins/passwords on different applications; our company culturally is far for applying SSO for our SAP solutions.

Can you explain what you mean by "far for" in the sentence above? It is not clear if you are saying your company is in favour of SSO for SAP, or not in favour? If not in favour, can you explain why? I ask because sometimes companies assume that it will work one way, but in fact it doesn't.

>

> Instead they prefer to have an application to centralize the user lock/unlock and password change. Now, I don't know if some of you have had the opportunity to work on a similar project, to know if maybe CUA could be the central system and if we could use the Portal as a frontend for the functionality.

This looks like a requirement for an identity management system. When using CUA, it will not centrally manage passwords for users. Often companies use CUA alongside an SSO solution so that they don't have to manage passwords on each SAP system.

0 Kudos

CUA is not a good concept to solve your issue. If you want to give users the authorization to unlock and reset passwords, then it is vulnerable for all users in all child systems, because in that case all of them will have administrative access....

Did you get a chance to review the new solution from SAP called "Identity Management"?

It consists of various solutions (SSO is also included in IDM) for many such issues that you and other people have pointed out in this forum for a long time, to minimize the heads up of user administration throughout the landscape... One of the components of IDM is "Password Management".

Password Management:

1. Password management is an important part of identity administration. This is an expensive task for most organizations since it usually requires a help desk staff to respond to requests about forgotten passwords in different systems.

2. Password management includes functionality for ensuring that the user's identifier and password remain the same across a number of repositories.

3. It is also responsible for updating the password in all applications when a user changes the password.

4. This aspect includes password policy checking, the legal semantics of the password (i.e. number of characters and requirements for special characters) and the update frequency and password history.

5. In addition, when users forget their password, there is a need for password resets, either by an administrator or by the user in question (Most Important aspect).

Password recovery

1. Many helpdesk calls concern forgotten passwords. The Identity Center includes a kiosk solution for resetting lost passwords.

2. A user who forgets his/her password can log on with a given user name and reach the Workflow's password recovery task without gaining access to any other resources.

3. This provides a secure way for recovering passwords without assistance from a helpdesk or another internal service desk.

(The above points are taken from the solution map presentation I prepared for introducing this concept to our clients. You can have a look at the various IDM documents available on SDN and SMP.)

Regards,

Dipanjan
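Point 4 of the "Password Management" list above (policy checking, length and special-character requirements, update frequency and password history) is easy to get subtly wrong, so here is a worked implementation of those checks. This is an added example written for this thread, not code from SAP NetWeaver Identity Management or from any poster; the policy numbers (12 characters, 5-entry history, 1-day minimum and 90-day maximum age) are assumed values, and the salted PBKDF2 storage is the example's own choice so that the history holds only hashes, never passwords.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field


# Assumed policy values; a real landscape takes these from its own security standard.
@dataclass
class PasswordPolicy:
    min_length: int = 12
    require_special: bool = True
    history_size: int = 5                   # previous passwords that may not be reused
    min_age_seconds: int = 24 * 3600        # earliest allowed change after the last one
    max_age_seconds: int = 90 * 24 * 3600   # password must be changed after this


@dataclass
class PasswordRecord:
    # (salt, hash) pairs, oldest first; only hashes are kept, never the passwords
    history: list = field(default_factory=list)
    last_changed: float = 0.0


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_new_password(policy, record, new_password, now):
    """Return the list of policy violations; an empty list means the change is allowed."""
    reasons = []
    if len(new_password) < policy.min_length:
        reasons.append("too short")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", new_password):
        reasons.append("no special character")
    # Update frequency: a password that was just set may not be changed again at once
    # (this is what stops users cycling through the history to get their old one back).
    if record.history and now - record.last_changed < policy.min_age_seconds:
        reasons.append("changed too recently")
    # Password history: rehash the candidate with each stored salt and compare.
    for salt, digest in record.history[-policy.history_size:]:
        if hmac.compare_digest(_hash(new_password, salt), digest):
            reasons.append("reused from history")
            break
    return reasons


def set_password(policy, record, new_password, now):
    """Apply the change if the policy allows it; returns the violation list (empty on success)."""
    reasons = check_new_password(policy, record, new_password, now)
    if reasons:
        return reasons
    salt = os.urandom(16)
    record.history.append((salt, _hash(new_password, salt)))
    record.history = record.history[-policy.history_size:]   # keep only the last N
    record.last_changed = now
    return []


def password_expired(policy, record, now):
    """True when the maximum age has passed and the user must change the password."""
    return bool(record.history) and now - record.last_changed > policy.max_age_seconds


def verify_password(record, password):
    """Check a login attempt against the current (most recent) hash."""
    if not record.history:
        return False
    salt, digest = record.history[-1]
    return hmac.compare_digest(_hash(password, salt), digest)
```

The clock is passed in as a parameter rather than read from `time.time()` inside the functions, so the minimum-age and expiry rules can be exercised deterministically; in a portal application the caller would pass the current time.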

0 Kudos

> Well, Single Sign On is a solution to avoid the user having to handle a lot of different logins/passwords on different applications; our company culturally is far for applying SSO for our SAP solutions.

>

Instead you want to be able to reset the AD password from an ABAP system? In fact any CUA child ABAP system in the network if I understood correctly.

That would not only be far away from SSO - that would be moving in the opposite direction...

Cheers,

Julius

Former Member
0 Kudos

Thank you for all your responses.

Tim.

*******************************************

It is not clear if you are saying your company is in favour of SSO for SAP, or not in favour? If not in favour, can you explain why?

R: Right now the company feels that there is not a strong sense of security among the end users to implement this kind of functionality in our SAP solutions; we are working on educating our company so that in the near future this option could be more viable.

Dipanjan

*************************************************

Your reply makes it clear how IDM could resolve the company's need, but I am not sure if it is possible to live with IDM and CUA. Will it be unnecessary to keep CUA?

Julius

**************************************************

Yeah Julius, you are kind of right: we want to leave this kind of responsibility to a help desk group, and we are trying to do it the easiest, most centralized way. Right now we are talking to a consulting group about a development for this requirement, but before we make a decision I preferred to give the entire view of possibilities.

Regards

Henry

0 Kudos

> Dipanjan

> *************************************************

> Your reply makes it clear how IDM could resolve the company's need, but I am not sure if it is possible to live with IDM and CUA. Will it be unnecessary to keep CUA?

>

Yes, if you adopt the IDM solutions, then there is no necessity to keep CUA. After all, if you don't want to make any change to your current scenario (and also don't want to go for the implementation cost of a new solution), then a helpdesk will be a good choice.

Regards,

Dipanjan

0 Kudos

> Tim.

> *******************************************+

> It is not clear if you are saying your company is in favour of SSO for SAP, or not in favour? If not in favour, can you explain why?

>

> R: Right now the company feels that there is not a strong sense of security among the end users to implement this kind of functionality in our SAP solutions; we are working on educating our company so that in the near future this option could be more viable.

I am assuming you refer to the security issues when a user logs on and walks away from their computer, and then somebody else can sit at their desk and log on without needing a password? If yes, then perhaps you should initially consider using common authentication instead of full SSO: in both cases the authentication of users to SAP is external, but the difference is that with common authentication the user is asked to authenticate each time they log on, using a central authentication server such as Active Directory. You can read more about this in my blog at https://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/11111 [original link is broken]. I hope it helps.

0 Kudos

> It is not clear if you are saying your company is in favour of SSO for SAP, or not in favour? If not in favour, can you explain why?

LoL! How you got that impression, I am stumped.

Tim's subsequent post should clear your doubts and sounds like a good plan -> to go for reusing the AD authentication possibility via LDAP so that the users have a central (hopefully) stronger password which they can use for other applications as well.

Which OS are your application servers on? If Windows, then you might even be in luck.

Otherwise a lot of folks use an Enterprise Portal to issue SAP Logon Tickets for ABAP systems and then create portal iViews for them to start the SAPGui. This works nicely, as to get to the ABAP system you have to re-enter your AD password to log on to the Portal first.

But as per Tim's example of the user walking away from an unlocked workstation, the same can happen with UID / PWD if the user is already logged on, or shares their password, or someone is holding a gun against their head.

There is no easy medication against that, but re-using the AD password does help, because it hurts more (it includes mail access, ESS, file systems, etc., and not just an ABAP system).

Cheers,

Julius

0 Kudos

>

> > It is not clear if you are saying your company is in favour of SSO for SAP, or not in favour? If not in favour, can you explain why?

> LoL! How you got that impression, I am stumped.

It was mentioned because of the previous comment: "Well, Single Sign On is a solution to avoid the user having to handle a lot of different logins/passwords on different applications; our company culturally is far for applying SSO for our SAP solutions." which is not clear to me because of the "far for" wording. If he had said "far against" it would have been clearer. This is why I asked if he was in favour of SSO for SAP or not. This has now been clarified in a subsequent post.

>

> Tim's subsequent post should clear your doubts and sounds like a good plan -> to go for reusing the AD authentication possibility via LDAP so that the users have a central (hopefully) stronger password which they can use for other applications as well.

Actually, I didn't mention using the LDAP protocol. I mentioned using Active Directory, and AD supports Kerberos authentication of users. Kerberos is much more secure than using the LDAP protocol to authenticate, since passwords are not passed over the network, and Kerberos would also work better for SSO needs. I would therefore suggest that Kerberos is used to authenticate users as they log on to SAP, and not LDAP, and there will be fewer security issues for his company to worry about. Also, SAP GUI does not and cannot support LDAP authentication of users, so LDAP could not be used in this scenario.

>

> Which OS are your application servers on? If Windows, then you might even be in luck.

Why?

>

> Otherwise a lot of folks use an Enterprise Portal to issue SAP Logon Tickets for ABAP systems and then create portal iViews for them to start the SAPGui. This works nicely, as to get to the ABAP system you have to re-enter your AD password to log on to the Portal first.

>

> But as per Tim's example of the user walking away from an unlocked workstation, the same can happen with UID / PWD if the user is already logged on, or shares their password, or someone is holding a gun against their head.

>

> There is no easy medication against that, but re-using the AD password does help, because it hurts more (it includes mail access, ESS, file systems, etc., and not just an ABAP system).

>

> Cheers,

> Julius

0 Kudos

> It is not clear if you are saying your company is in favour of SSO for SAP, or not in favour? If not in favour, can you explain why?

Ahh, okay. Didn't realize he was quoting you. I thought he was asking you this question.

>> Which OS are your application servers on? If Windows, then you might even be in luck.

> Why?

In this case the MS AD can be used for SSO of ABAP systems without 3rd party certified partner software.

Cheers,

Julius

0 Kudos

>

> > Why?

> In this case the MS AD can be used for SSO of ABAP systems without 3rd party certified partner software.

Yes, but we are discussing turning off SSO and using common authentication instead? This is not possible using the SAP supplied SNC libraries, but is possible using a partner product, even on Windows.

0 Kudos

Originally we were discussing the reset of an AD password from an ABAP system.

IMO we can also discuss the weekend soccer here and still be in the ballpark. Just joking.

I think it is fair to mention this (Windows specific) option and not exclude a SSO solution yet.

I think the risk of the user leaving their terminal with or without being logged on to other applications is not the biggest risk. Currently it sounds as if passwords are being shared and written down etc etc..

Cheers,

Julius

WolfgangJanzen
Product and Topic Expert
0 Kudos

>

> Originally we were discussing the reset of an AD password from an ABAP system.

It's definitely not possible to reset an AD password from an ABAP system, with or without IdM.

If at all, then this has to happen at the IdM.

WolfgangJanzen
Product and Topic Expert
0 Kudos

> ... if we could handle the lock, unlock, reset password centrally ...

That's a feature supported by the new SAP NetWeaver Identity Management solution (7.1 SP2).

See also the thread "Password-Provisioning to ABAP as productive Password possible" in the forum "SAP NetWeaver Identity Management".
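The thread circles around one design: a central service (the IdM in Wolfgang's and Dipanjan's replies) that verifies the requester, then resets and unlocks that one user in every connected system, so that the portal front end itself never needs the administrative access Dipanjan warns about in CUA child systems. Below is a worked model of that flow, written for this thread as an added example; it is not SAP NetWeaver Identity Management code and does not use any SAP API. The child systems (`ECC`, `CRM`, `SCM`), the ten-minute token lifetime, the three-attempt limit and the user name `henry` are constructed for the example, and "delivery" of the one-time token stands in for the out-of-band channel (registered e-mail or SMS) a real kiosk would use.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 600      # assumed: a reset code is valid for ten minutes
MAX_TOKEN_ATTEMPTS = 3       # assumed: wrong codes tolerated before the ticket is discarded


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    locked: bool = False
    salt: bytes = b""
    pw_hash: bytes = b""


def verify_password(account, password):
    if not account.pw_hash:
        return False
    return hmac.compare_digest(hash_password(password, account.salt)[1], account.pw_hash)


@dataclass
class ResetTicket:
    user: str
    token_hash: bytes   # only a hash of the one-time token is stored, as with a password
    expires: float
    attempts: int = 0


class ResetService:
    """Privileged service that resets and unlocks one user in every connected system.

    The portal front end holds no admin rights: it only forwards the requester's user
    name, the one-time token and the new password. The ticket is keyed by user name,
    so a token can never reset anyone but the user it was issued for."""

    def __init__(self, systems, now=time.time):
        self.systems = systems      # constructed: {"ECC": {user: Account}, ...}
        self.now = now              # injectable clock so expiry can be tested
        self.tickets = {}
        self.audit = []             # (event, user, detail) records for the help desk

    def request_reset(self, user):
        if not any(user in accounts for accounts in self.systems.values()):
            self.audit.append(("request", user, "unknown user"))
            return None             # the portal shows the same neutral message either way
        token = secrets.token_urlsafe(32)
        self.tickets[user] = ResetTicket(
            user, hashlib.sha256(token.encode()).digest(), self.now() + TOKEN_TTL_SECONDS)
        self.audit.append(("request", user, "ticket issued"))
        return token                # delivered out of band, never displayed in the portal

    def complete_reset(self, user, token, new_password):
        ticket = self.tickets.get(user)
        if ticket is None:
            return False
        if self.now() > ticket.expires:
            del self.tickets[user]
            self.audit.append(("reset", user, "ticket expired"))
            return False
        ticket.attempts += 1
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, ticket.token_hash):
            if ticket.attempts >= MAX_TOKEN_ATTEMPTS:
                del self.tickets[user]   # too many guesses: the user must start over
            self.audit.append(("reset", user, "bad token"))
            return False
        del self.tickets[user]           # single use: a replayed token fails
        salt, digest = hash_password(new_password)
        for name, accounts in self.systems.items():
            account = accounts.get(user)
            if account is None:
                continue                 # user not provisioned in this child system
            account.salt, account.pw_hash, account.locked = salt, digest, False
            self.audit.append(("reset", user, name))
        return True
```

Two details carry the security value. The ticket stores only a hash of the token and compares it in constant time, so a leaked ticket table cannot be replayed; and the reset loop is the only place the child systems are written, which is where a real implementation would call each system's own provisioning interface rather than sharing one hash across systems as this model does.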