Hi Julius,

I have the security guides for Portal, as well as for PI, BPC and a variety of other products, which I shall be reviewing, in addition to the CUA cook book. Upon cursory review of those documents, I didn't see any topic that specifically targeted the integration of Portal with CUA, hence my question.

Further to your point on IdM, that has been my suggestion to my client as well, but they have already committed to a non SAP product, and it's outside my scope of influence.

Again, thanks for your response, and if you do have any material that you feel would be "recommended reading", please do give me the name/link to the documents.

Regards,

Santosh Krishnan

The 2 obvious options are an LDAP sync and a UME pointing to an ABAP logical system representing the portal for the user store.

The latter option is not very scalable though in combination with CUA.

Good luck,

Julius

Julius,

I've been told about the latter option by another consultant, and I think in this case, it might be quite a reasonable one.

Is there a document on service marketplace that discusses this?

Thanks,

Santosh

Hi Tim,

Thanks for the good points. I have a meeting in 30 mins where I shall ask these questions. Basically, though, it's the Oracle IdM product that does SSO, and some other company is implementing it. That other company, from a few conversations I've had, don't have a clue on how to integrate it into an SAP environment. What's worse, my client is under the impression that installation, configuration and setup of SSO, and to some extent CUA, is a security task, rather than a BASIS task.

Regards,

Santosh Krishnan

Dear folks,

Thanks for your information thus far. It has been noted from my meeting today, that the Oracle Identity Management solution that is being implemented here will do a rather unconventional screen grab method of password management - no tickets, tokens or what not. The implementation team (wherever they currently are) are customizing it to recognize specific screens and react accordingly.

The whole CUA connection comes up because, according to the [Oracle Identity Management SAP Guide|http://www.oracle.com/technology/products/id_mgmt/oxp/pdf/oimconnectordatasheet-saperp.pdf], it will tie into CUA in order to create, delete and manage users.

Again, thanks. I'm sure my problems have only just begun.

Santosh

Damn. You were faster than me, but I still want to add a comment.

Santosh et. al. are not migrating a CUA to an IdM - this migration is easily done by adding the IdM as the "front-end" to the CUA and then switching the managed systems over to direct provisioning one at a time, without stress. That is standard procedure and works.

What is being done here is to implement a CUA for the business logic of the ABAP systems and use "catching screens" as the front-end to be able to distribute the password to non-ABAP systems as well simulate a "real" IdM with a crow's nest of overhead in the background for the basis folks to take care of and maintain.

Not a good idea, and I can already see all the "catching IDocs" involved, or even the dependency on being able to do so.

Clear design error (in the year 2010) and bad investment in available technology (in the year 2010 as well).

I would go for an IdM (regardless of the vendor) with all the agents supported for current and planned systems' APIs being used (regardless of the vendor) and a standards based SSO technology compatible with the various worlds on site (as regardless as possible of the legacy vendor support).

Whether that is PSE's, Kerberos or SAML does not really matter much when decentral password synchronization is still considered as an option for human owners of system identities.

Hopefully Santosh will keep us updated, but I would also understand if this for what-ever reasons was not allowed.

My customers also dont permit me to post everything while they are still using the odd FM or two...

Cheers,

Julius

Julius,

I agree with you and thanks for noting down those points. Do you have any whitepaper, or statistics or some business mumbo jumbo that discusses this area, for me to further discuss with my client?

From my perspective, when they first told me they're doing SSO, I told them it's a good idea to do an IdM solution, and so on. Then this morning's meeting revealed this screen capture strategy and that really does change the dynamic a teensy weensy bit, doesn't it.

Thanks a lot, and I will keep you guys posted on this thread as things roll out.

Santosh

SAP's own IdM even also offers an (optional) password hook with the MS AD, but is optional and the IdM as front-end is a migration path for existing CUA's and not an (new) implementation strategy.

> mumbo jumbo

You can use the search for related patterns (also see the FAQ thread at the top of the forum page for memorable discussions) The terms "sorry to disagree with you" and "login/password_min_diff" and "BAPI AND password" and "weakest link" and "common denominator" are good starting ponits.

If you look about 16 threads down (current location) then you will find another good search term. You will find the vendor in other threads as well.

Cheers,

Julius

ps: If they want to use one ABAP client via the CUA as UME for each logical Java system or even via a service for non-SAP systems, then you need to consider that this "workaround" has a limit of 998 clients per CUA master.

I just checked one of my clients, and they have more than 2000 Oracle based applications. Many of them are delta requirements and custom front-ends for projects (possibly like yours?) where it was a "post mortem". These also need to authenticate (somehow, or not at all...) and re-using the kerberos realm of the AD is certainly a MUCH better option.

In this case (I am originally an accountant) you would not need to worry about the IT auditors finding it actually (the password synchronization). The accountants will pick it up when the project is not closed or capitalized (should it have any real remaining value at all..) and what could or should have been operational costs are "parked" on it.

A good financial auditor would even pick this technical decision error up, even if they have no clue about IT. Perhaps I am opening a can of worms here?

Cheers,

Julius

I know that I've marked this thread as answered, but who'd have guessed ... my client has successfully unanswered it.

So here's the follow on to this discussion, where in I am out of my league and need your input.

Brief overview:

ABAP boxes are managed by a CUA. users created in CUA from Oracle OIM, which is outside my control. Client wants Enterprise Portal to use CUA as the user store.

Complication: Client has been told that all users can log into Enterprise portal, and from there, click on an icon to get "whisked" into the ECC, SRM or other systems, and that single sign on can be setup to do this.

As far as I know, the setup, as described, would use the Web GUI, and beyond that I don't know. Anyway, I don't believe you can launch the SAP Logon pad and do any sort of single sign on without having an SNC installed (which they don't).

I need to get my information straightened out on SSO. If I have my BASIS team to setup SSO in EP, what is it that I can and can't do, specifically regarding SAP GUI, Web GUI, and general user access to SAP systems?

Thanks,

Santosh

Hello Santosh,

Please see [Single Sign-On for SAP Shortcuts|http://help.sap.com/saphelp_nwmobile71/helpdata/en/43/e0499e421a4d9de10000000a155369/frameset.htm] which uses SAP logon cookies provided by Portal to the SAP GUI. We can also help you SSO via SNC. If your users are all access SAP GUI from the portal then the advantage you would see using SNC is network traffic signing and encryption versus clear text communications.

Thanks!

Kyle

Thanks Kyle. Even though it wasn't me who implemented the solution, it was this link that got our SRM guy to get cracking on how to go about this. So now, we have it setup so that within Portal, there's an icon for SAP GUI, and that pops up a proper SAP LOGON window, as my client is demanding.

Thanks.

Santosh

> there's an icon for SAP GUI, and that pops up a proper SAP LOGON window, as my client is demanding.

It is just a little popup window, right?

And if the user is already logged on then clicking on the icon (or executing the shortcut) does not present the logon popup, right?

A risk here is that the user is accustomed to enter their passwords into popups which appear and when things just run on their own then they think nothing of it...

@ Wolfgang and Tim:

Two solutions to the general comments I can think of are:

1) The vendor's Corporate Governance should kick in to say "That is enough stupidity" and it is not the strategic product direction (not to mention security image... with all non-short term consequences for revenue) which the software manufacturer wants to take and support.

2) The security research community gives admins 90 days grace, and then publishes the exploits. If an entire infrastructure is kept dependent on it via support or "hole in the bucket" integration encouraged by it, then it gets worse and worse and customers dig a deeper and deeper hole.

Personally, I would go for option 1 if it were my call.

Cheers,

Julius