MDM Business Package Single Sign On

Former Member
0 Kudos

Can somebody tell me the options for SSO from the portal to the MDM repository using the MDM Business Package?

I have been told the only option is user mapping. Is this correct?

Kevin

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Hi Kevin,

here is a definition of single sign-on (SSO) (http://en.wikipedia.org/wiki/Single_sign-on). It seems SSO can have different definitions depending on the user type:

end user - definition from user experience perspective (logon once, have access to everything w/o re-logon). From this perspective, the SAP NW Portal MDM 5.5 SP4 iViews look like SSO connected to repositories.

admin - technical definition, e.g. how SSO is actually implemented and configured. From this perspective, in NW, there is a clear difference between the logon types UIDPW (user ID and password), SAPLOGONTICKET, and X509CERT. All of them allow the optional user mapping, which means the userID can be "altered" by user mapping. The MDM repository must know the userID to set a proper access/role.

So far, I did not find any public MDM documentation describing how to configure SAP NW MDM 5.5 SP4 to accept an authentication ticket (e.g. SAPLOGONTICKET), and I did not find information on how User Management (UM) works (user maintenance, access/role maintenance) in a SAP NW Portal & MDM Server with LDAP. Well, let's hope!

Is this info helpful for you? What do you need to accomplish in your project?

Thank you in advance.

Regards.

Laszlo.

Former Member
0 Kudos

Hi Kevin,

was the info helpful?

PS: Only FYI to avoid possible confusion: today I found two SDN users with your name Kevin Bentley, https://www.sdn.sap.com/irj/sdn/profile?userid=562246 and https://www.sdn.sap.com/irj/sdn/profile?userid=1009565 .

Former Member
0 Kudos

Hi Kevin,

I'd like to add the following information about MDM and LDAP.

MDM provides an LDAP feature. This means that users need not be maintained in every single repository in which they are used. Instead, users and their assignments to MDM roles can optionally be retrieved from a user directory via LDAP.

You may check the MDM Console User's Guide for any further details.

Needless to say, making use of the MDM LDAP feature does not mean that you are doing Single Sign-On.

Cheers

Klaus

Former Member
0 Kudos

Hi Kevin,

I think Klaus is referring to the MDM LDAP scenario, and you asked a question related to SAP NW EP MDM LDAP scenario. About the latter, I found .

Thank you in advance.

Regards.

Laszlo.

PS: the SAP Note 967467 was updated today, Sep 28, 2006. It does not mention anything related to SSO, however, LDAP is supported.

Message was edited by: Laszlo Szervaczius

Former Member
0 Kudos

Hi Klaus,

Do you know if anybody has tried to use the SAP-provided API to write a ticket verifier for MDM? I guess the key here is to find out what authentication mechanism is employed by MDM. Would it take anything other than UID/PWD?

Rivers

Former Member
0 Kudos

Hi Kevin,

as initial information towards answering this question:

a). by default, the MDM users are managed in MDM repository (user account and roles). This means, if the MDM Server has many repositories and the same user needs access to these repositories, then a user account must be created in each MDM repository.

b). the SSO connection from J2EE/Portal to MDM repository is not an option since the MDM Server does not (yet) accept SSO connection (MDM 5.5 SP4 patch1). From Portal perspective, when User Mapping is used, then it would be recommended to have HTTPS (security!).

c). the MDM iViews focus on one table (main table) of a repository, therefore: the tables of various MDM repositories must have their own iViews (no generic iViews that are good for any table of any repository).

d). portal content (iViews, pages, worksets) is structured based on portal roles resulting from MDM Business Scenarios.

Summarizing all above, the most comfortable solution for MDM System Administrators would be to create portal user groups corresponding to portal MDM roles, assign portal users to these portal user groups, create a "generic" user in repository that has access to the repository data as required by the business scenario (portal role), then map the portal user group to the repository user (further details: https://service.sap.com/installmdm -> "MDM 5.5 SP04 Enterprise Portal Content" -> chapter "Creating Portal User Groups with Roles" and "Mapping User Groups to Repository Users").

However, if it is really required (e.g. in UWL iView) for portal user to see only the data that belongs to that userID, then the same userID must be created in MDM repository, and the MDM System/Portal Admin must allow in portal personalization the individual ("self") user mapping (hint: the portal system object must have the UserMapping attribute set to value "Admin/User" and certainly it must have an alias - otherwise the system will not be available for user mapping in portal personalization).

I hope this helps in your work.

Regards.

Laszlo.