Application Development Discussions

LDAP authentication for EP and SAP GUI access

Former Member

Hello,

Our landscape comprises the following components: EP 7.0, ECC 6, BI 7, CE 7.1, PI 7 and SolMan.

We're looking for ways to achieve the following:

- authenticate against our corporate LDAP directory, for BOTH SAP GUI and Portal access

- have a central user repository/management location (or management interface) on the SAP side (of course, we'll also manage users in the LDAP directory, for what's not SAP related)

- store authorization on the SAP side only

- have SSO between the various SAP systems/components

Would you please help us define our available options?

Thanks and regards,

Yves - Paris, France


tim_alsop
Active Contributor

Yves,

Can you confirm which LDAP directory you are using?

The reason for asking is that many people refer to Microsoft Active Directory as their LDAP server, and if you are using MS AD, this makes a big difference to the options you have available compared to if you wanted to use any X.500 directory which uses LDAP for connectivity.

Thanks,

Tim


I am also interested in this scenario. We have a similar landscape, and our directory is MS AD.

Thank you.

Allan

tim_alsop
Active Contributor

Yves,

OK, I will answer assuming that Yves is also using MS AD as his LDAP directory.

Firstly, let's discuss SAP GUI. To make this work with any other form of authentication, other than the regular SAP userid and password stored in the SAP database, you need to use SNC. The SNC interface is used by the SAP ABAP system and also by SAP GUI to authenticate the user before their identity can be used to log them onto the SAP system. There are many docs on SDN and in the SAP Help Library which describe how SNC works, so I won't duplicate this information. For purposes of this explanation, you just need to understand that a cryptographic library is required on the workstation and also on the SAP server to use SNC. The cryptographic library can be using X.509 certificates, or Kerberos, or any other mechanism. If Active Directory is used to log on to the workstation, then it is common to use a Kerberos library, since the Kerberos authentication has already been done when the user logs on to the domain, and hence secure SSO is very easy to achieve. If you use X.509, then you need to manage client certificates and it is harder to make use of the user's existing logon to the AD domain.

To get the SNC library mentioned above, if you are using SAP on Windows you can use the library provided by SAP which is designed for this basic SSO requirement with Kerberos and SAP GUI. However, if SAP is on UNIX or Linux, you have to use a third party, SAP certified product from a SAP partner. These are listed on SAP EcoHub. For example, one of them is described at http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokersecureclient

to be continued...

tim_alsop
Active Contributor

continued...

So, I hope you can see that SAP GUI SSO is easy to achieve using Kerberos, but there is no mention of LDAP in my above explanation. This is because LDAP is not a cryptographic authentication protocol. It is therefore not possible to develop an SNC library that uses LDAP as a way to authenticate the user. If Yves is not using MS AD for domain authentication, then he will be a bit stuck.

For portal or Web SSO into NetWeaver, you can use a similar method of authentication, but in this case, SNC is not used. Instead, a protocol included in the web browser called the Negotiate protocol is used. In IE this is referred to as Integrated Windows Authentication. To implement IWA on the server side (e.g. in NetWeaver) you need a Java stack and you need to install a login module which supports IWA. The SAP login module is called the SPNEGO login module. There are various third party products which provide similar support, but have differences, and additional features. For example, one of them is at http://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokeradapter. This product has some nice features, for example, it allows you to change the URL to stop IWA for a particular logon and this can be very useful when you want to log on to an application using a different AD account to the account you are logged onto your workstation with, and don't want to log off and log on again as somebody else.

Anyway, hope this is enough of a summary and a taster. I am sure you will have more questions, which you can ask here or search the forum first and then ask if you find something which is not clear. It is easy to get confused.

Regards,

Tim
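Tim's description above covers how IWA works: the browser sends a Negotiate token and a SPNEGO-capable login module on the Java stack validates it. The Python below is an added example (not from this thread, not SAP's code) that decodes the token carried in an `Authorization: Negotiate` header and reports which GSS-API mechanisms the client offered, so a Kerberos-only endpoint can tell a real Kerberos ticket from an NTLM fallback. It goes slightly beyond the post by also recognising raw NTLM and bare Kerberos tokens; the OIDs are the standard SPNEGO, Kerberos 5 and NTLMSSP values, and the sample tokens are constructed, not captured traffic.

```python
import base64

# GSS-API mechanism OIDs (dotted form -> DER contents) seen inside "Authorization: Negotiate".
SPNEGO_OID, KRB5_OID, NTLMSSP_OID = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"
_OID_DER = {SPNEGO_OID: "2b0601050502", KRB5_OID: "2a864886f712010202", NTLMSSP_OID: "2b06010401823702020a"}
_DER_OID = {bytes.fromhex(v): k for k, v in _OID_DER.items()}

def _tlv(tag, body): return bytes([tag, len(body)]) + body  # DER short-form TLV; samples stay under 128 bytes

def build_negotiate_header(mech_oids):
    """Constructed sample (not captured traffic): SPNEGO NegTokenInit offering mech_oids in order."""
    mech_list = b"".join(_tlv(0x06, bytes.fromhex(_OID_DER[o])) for o in mech_oids)
    neg_init = _tlv(0xa0, _tlv(0x30, _tlv(0xa0, _tlv(0x30, mech_list))))
    token = _tlv(0x60, _tlv(0x06, bytes.fromhex(_OID_DER[SPNEGO_OID])) + neg_init)
    return "Negotiate " + base64.b64encode(token).decode()

def _read_tlv(buf, pos):
    """Decode one DER TLV (short or long length form) -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def negotiate_mechanisms(header_value):
    """Mechanisms the client offered, preferred first; [] if this is not a usable Negotiate token."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return []
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):  # raw NTLM message sent without any SPNEGO wrapper
        return [NTLMSSP_OID]
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:  # not a GSS-API InitialContextToken
        return []
    _, oid, pos = _read_tlv(body, 0)
    if _DER_OID.get(oid) != SPNEGO_OID:  # e.g. a bare Kerberos AP-REQ carried directly
        return [_DER_OID.get(oid, oid.hex())]
    for _ in range(4):  # NegTokenInit [0] -> SEQUENCE -> mechTypes [0] -> SEQUENCE OF OID
        body, pos = _read_tlv(body, pos)[1], 0
    mechs = []
    while pos < len(body):
        _, oid, pos = _read_tlv(body, pos)
        mechs.append(_DER_OID.get(oid, oid.hex()))
    return mechs

def is_kerberos_negotiate(header_value):
    """Kerberos-only policy: accept only a token whose preferred mechanism is Kerberos."""
    mechs = negotiate_mechanisms(header_value)
    return bool(mechs) and mechs[0] == KRB5_OID
```

A login module that logs the offered mechanism list alongside each failed logon makes it easy to spot clients that never obtained a ticket (for example workstations outside the domain) rather than treating every failure as a password problem.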

Former Member

Hi Tim & al,

Unfortunately, we're not using AD, but an IBM Domino directory. But let's assume it is any standard LDAP v3 directory.

From what you wrote, I could get the impression there's no solution for this very situation. Do you confirm this?

In a presentation on Security (by P. Hildenbrand, dating back to 2005), there is a mention of Pluggable Authentication Service. What has become of it? There is also a slide that mentions SSO from Web to Traditional (using SAP GUI in an iView). Is this option still valid?

Finally, I've been told about NetWeaver IdM. I'm not sure if this comes bundled with the components I've listed in my initial post?

Thank you very much for your contributions already. Hope there is a solution for our need.


Yves,

For SAP GUI SSO, you cannot use LDAP since LDAP is not a cryptographic protocol that can be used with SNC. Just because you have an LDAP directory, perhaps users also have an account in MS AD? If not, how do users log on to their Windows workstation?

For Java apps, or Web enabled apps which can authenticate users via the Java stack, it is possible to use LDAP auth. This is via UME configuration in the LDAP stack. It means the user gets a SAP signon screen in their browser and has to enter the LDAP userid and password in this screen. This is not really SSO, since it is requiring the user to sign on each time they access the application. Normally SSO means that a user signs on once, e.g. authenticates when they first log on to the workstation.

The reference to PAS (pluggable authentication) might refer to the PAS module on External ITS, which is not supported with the latest versions of SAP NetWeaver, and most companies now prefer the integrated ITS instead. On Integrated ITS, the NetWeaver Java custom login modules are used instead, and this is the method I described earlier when I mentioned using Kerberos. You could write a custom login module to support LDAP, use Kerberos, use some other protocol if a login module exists, or use the existing UME support for LDAP. This is useful, but not useful for SAP GUI SSO.

Any IdM, including NetWeaver IdM, is not going to provide SSO features. The IdM will allow you to set a user's password in a SAP system, and in other applications in your network, but it will not help with the authentication of users when they log on to the application - in your case, if you want to use LDAP to log on to SAP you don't want any SAP stored password, since you want the user to only have the LDAP password.

I hope this helps.

Thanks,

Tim

Former Member

Thanks Tim,

Actually, we don't have an AD and users open local sessions to their workstation (which by the way can be Macs, but let's assume we're only talking about PC users here).

I want to clarify one point: we're not looking for full SSO (as when for example opening a Windows session on a domain will allow access to any system onward).

We're just looking for a solution where the only username/password users have to remember to log onto the SAP system is their Notes (messaging client) username/password, which is actually stored in the Domino directory. We've implemented this in other systems and would like to use this authentication scheme for the ERP as well. So whether they log onto the Portal or using SAP GUI, the users would still have to enter their credentials, only these would be their Notes credentials.

Hope this makes it clearer what we're trying to achieve.

Thank you,

Yves


>

> Thanks Tim,

>

> Actually, we don't have an AD and users open local sessions to their workstation (which by the way can be Macs, but let's assume we're only talking about PC users here).

OK. I understand. Thanks.

>

> I want to clarify one point: we're not looking for full SSO (as when for example opening a Windows session on a domain will allow access to any system onward).

>

> We're just looking for a solution where the only username/password users have to remember to log onto the SAP system is their Notes (messaging client) username/password, which is actually stored in the Domino directory. We've implemented this in other systems and would like to use this authentication scheme for the ERP as well. So whether they log onto the Portal or using SAP GUI, the users would still have to enter their credentials, only these would be their Notes credentials.

This can be achieved using UME configuration, but this will only work for Web GUI and other web enabled applications. For the SAP GUI for Windows product or SAP GUI for Java product (e.g. on a Mac) you need to use SNC, which requires a cryptographic library and protocol, which LDAP is not.

>

> Hope this makes it clearer what we're trying to achieve.

Yes, I hope my clarification above is helpful.

>

> Thank you,

>

> Yves