08-21-2009 5:45 PM
Hello
I'd like to ask for some guidance in my quest
Current situation looks like this:
I've configured UME in AS Java to work with LDAP as a read-only data source. Then I've configured SPNego to run SSO - it works, users from MS AD can log into the portal.
Now I have an application in WD which authorizes via EP/AD - works fine.
And the next step is user mapping between AD and the ABAP backend (serving some BAPIs for the WD app).
I've found a bunch of help pages starting from
http://help.sap.com/saphelp_nwce711/helpdata/en/0b/d82c4142aef623e10000000a155106/frameset.htm
But somehow it's quite complicated to achieve this mapping. I've tried to set the RFC destinations' logon type to user mapping but without success.
Can anyone point me to a clearer example or give a path to configure this scenario? Is there a way of configuring this with NWA, or is some XML file editing required?
Any help will be appreciated.
BTW: whole environment is in version 7.11
Best regards
Maciej
08-21-2009 8:36 PM
There is no equivalent to SPNEGO on the ABAP side.
If your goal is to propagate the user, then possible options are:
-> Wait for SAML 2.0 or invest now in a SAML 1.0 provider.
-> Use the same Kerberos ticket for the EP as what your ABAP system will accept: route = SNC and 3rd party libraries.
-> Issue SAP logon tickets for the ABAP system from the EP, and use these in your WDA.
Another option is to expose the service with saved logon data in the ICF. If the service is just a wrapper for the BAPI, then you can also consider using trusted RFC between the service and the backend, but this might not be acceptable for your service.
I have only done experimental stuff with this and some of the above is not released yet. Also consider the consequences, even if it "does work"...
Cheers,
Julius