
users mapping between EP and ABAP system

Former Member
0 Kudos

Hello

I'd like to ask for some guidance in my quest.

Current situation looks like this:

I've configured UME in AS Java to work with LDAP as read only data source. Then I've configured SPNego to run SSO - It works, users from MS AD can log into portal.

Now I have application in WD which authorizes via EP/AD - works fine.

And next step is users mapping between AD and ABAP backend (serving some BAPI's for WD app)

I've found a bunch of help pages starting from

http://help.sap.com/saphelp_nwce711/helpdata/en/0b/d82c4142aef623e10000000a155106/frameset.htm

But somehow it's quite complicated to achieve this mapping. I've tried to set RFC destinations logon type to user mapping but without success.

Can anyone point me to some more clear example or give path to configure this scenario? Is there a way of configuring this with NWA or some XML file editing is required?

Any help will be appreciated.

BTW: whole environment is in version 7.11

Best regards

Maciej

1 ACCEPTED SOLUTION

Former Member
0 Kudos

There is no equivalent to SPNEGO on the ABAP side.

If your goal is to propagate the user, then possible options are:

-> Wait for SAML 2.0 or invest now in a SAML 1.0 provider.

-> Use the same Kerberos ticket for the EP as what your ABAP system will accept: route = SNC and 3rd party libraries.

-> Issue SAP logon tickets for the ABAP system from the EP, and use these in your WDA.

Another option is to expose the service with saved logon data in the ICF. If the service is just a wrapper for the BAPI, then you can also consider using trusted RFC between the service and the backend, but this might not be acceptable for your service.

I have only done experimental stuff with this and some of the above is not released yet. Also consider the consequences, even if it "does work"...

Cheers,

Julius
