SSO User Mapping in non-portal environment

Former Member
0 Kudos

Hi

We are setting up SSO from CRM7.0 to an ERP and BI system. The question has been asked whether it is possible to use user mapping in this scenario.

Before I state outright that user mapping is only possible from the Portal to backend systems I thought I'd just try to get confirmation on this.

Is it possible to set up user mapping from CRM to backend systems? This is not a licensing matter - Enterprise licensing is in place - it is a matter of ease of maintenance.

I would appreciate any comments please.

Kind Regards

Leigh

1 ACCEPTED SOLUTION

Former Member
0 Kudos

> We are setting up SSO from CRM7.0 to an ERP and BI system.

Which SSO technology are you using?

> The question has been asked whether it is possible to use user mapping in this scenario.

Yes it is, but it depends.

> Before I state outright that user mapping is only possible from the Portal to backend systems I thought I'd just try to get confirmation on this.

You have it, but it depends.

> Is it possible to set up user mapping from CRM to backend systems?

Yes, but it might not even be required.

> This is not a licensing matter

Please transfer 1 million USD to my bank account.

> Enterprise licensing is in place

Ohhh... bugger... and then they tried to save on the consulting...

> it is a matter of ease of maintenance.

Yes, dependent on implementation advice and skills.

> I would appreciate any comments please.

Hope you appreciated. Please revert back with the same information.

Cheers,

Julius

10 REPLIES

Former Member
0 Kudos

Hi Leigh,

Just putting my 2 cents - I do not think SSO in SAP using logon tickets or using user id and password can be set up in Non Portal environment. I think external tool using SNC is used to achieve this. But wait for others to comment on this as well.

0 Kudos

Hi Julius

Thanks for the reply and the sense of humour. Please can you elaborate on your answer? SSO is currently set up from CRM7.0 to BI and ERP systems, however the named user exists in all of the systems. How would you go about configuring the user mapping, as I am only aware of how to do this in the Portal? I cannot find documentation on user mapping in a non-portal environment.

Thanks

Leigh

0 Kudos

Sorry - as to the SSO we are using - it is the normal SAP Logon Tickets.

0 Kudos

Hi,

I may be wrong but I am not aware that it is possible to do user mapping when using SAP Logon Tickets.

Regards,

Olivier

0 Kudos

> however the named user exists in all of the systems...

If the names are the same then there is no need for mapping when using SSO2 tickets.

If not, then how do the users log on to the portal and which OS are your servers running on?

There are lots of options and also tricks and workarounds. I suggest you do some reading first - there is plenty of info on this.

Cheers,

Julius

0 Kudos

Hi Julius

Maybe I am not being clear.

We don't access through the portal - I know user mapping is possible from the portal.

We are wanting to use SSO using SAP logon tickets from the WEBUI on the CRM7.0 system to a backend BI and ERP system.

This is a new implementation and although we have set up SSO by creating a couple of users in all systems, we would actually prefer for the users in CRM7.0 to connect to the backend BI/ERP system with a generic user in order to make user maintenance in those systems simpler. Which is why I am enquiring about user mapping.

The systems are all on AIX.

Maybe there is documentation about user mapping with SAP logon tickets in a non-portal environment but I cannot find anything - everything relates to Portal.

Which is why I posted on the forum.

If you can help even by pointing to some documentation that would really be helpful.

Thanks

Leigh

0 Kudos

Leigh,

I think you will find that the only mapping possibilities in SAP products are:

1. A JAAS login module can be used to map the authenticated identity of a user to a SAP user. If this login module is configured in the auth stack before the CreateTicketLoginModule is invoked, then the SSO2 ticket created after a user authenticates will be based on the mapped user id.

2. Inside an SSO2 ticket there is a field which contains an alternative SAP user id. I am not sure if/when this is used by SAP products, but I was told it existed.

3. In portal, when accessing backend systems, it is possible to implement mapping.

Regarding your specific requirements...

a. I don't think it would be a very secure solution to map many users onto a common user, since you will lose end-to-end auditability and not have a very secure solution. For example, if data in back-end is compromised, how will you know which user was to blame?

b. I think you will find that SAP do not provide many:1 mapping capability, since this feature (if available) could be used to avoid buying additional user licenses.

I hope this helps?

Thanks,

Tim
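Option 1 above, sketched with the standard JAAS interfaces as an added example (not part of Tim's post and not SAP code). The class name, the mapping table and the assumption that the ticket-issuing module reads the user name from the JDK's conventional shared-state key are all hypothetical; the table is kept 1:1 and every mapping is logged so the auditability concern in point (a) is addressed.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical module: placed after the authenticating module, before ticket creation.
public class MappingLoginModule implements LoginModule {
    // Shared-state key used by the JDK's own stackable login modules. Assumption:
    // the ticket-issuing module later in the stack reads the user name from it.
    static final String NAME = "javax.security.auth.login.name";
    // Constructed sample table: authenticated identity -> backend user ID.
    static final Map<String, String> MAPPING = Map.of("leigh.crm", "LEIGH01", "tim.crm", "TIM01");

    private Map<String, Object> shared;

    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> options) {
        shared = (Map<String, Object>) sharedState;
    }

    @Override
    public boolean login() throws LoginException {
        String authenticated = (String) shared.get(NAME);
        String mapped = (authenticated == null) ? null : MAPPING.get(authenticated);
        if (mapped == null) {
            // Fail closed: an unmapped caller must not fall through under its original name.
            throw new FailedLoginException("no mapping for " + authenticated);
        }
        // Stand-in for a real audit log: keeps the link from backend user to original caller.
        System.out.println("AUDIT mapped " + authenticated + " -> " + mapped);
        shared.put(NAME, mapped);
        return true;
    }

    @Override public boolean commit() { return true; }
    @Override public boolean abort() { return true; }
    @Override public boolean logout() { return true; }

    public static void main(String[] args) throws LoginException {
        // Refuse a many:1 table so each backend user ID traces to exactly one person.
        if (new HashSet<>(MAPPING.values()).size() != MAPPING.size()) {
            throw new IllegalStateException("mapping table is not 1:1");
        }
        Map<String, Object> state = new HashMap<>();
        state.put(NAME, "leigh.crm"); // what the authenticating module would have stored
        MappingLoginModule module = new MappingLoginModule();
        module.initialize(new Subject(), null, state, new HashMap<String, Object>());
        module.login();
        System.out.println("ticket would be issued for " + state.get(NAME));
    }
}
```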

0 Kudos

In that case it is a fixed mapping so you can simply enter the generic user ID into the connection data and save it there for all callers to use anonymously.

Not state of the art, but very popular and easy to implement solution. However, you state that you have the named users in all the systems so why use this "hardwired" approach now?

@ Olivier: in theory one could use the verification library to extract the caller's name from the cookie, lookup a mapped name for it and generate a new SSO2 ticket for that new name to call a transaction iView to logon to the backend session. But I don't think that would even qualify as a "workaround solution", even if not impossible.

Cheers,

Julius

0 Kudos

Hi Julius,

> @ Olivier: in theory one could use the verification library to extract the caller's name from the cookie, lookup a mapped name for it and generate a new SSO2 ticket for that new name to call a transaction iView to logon to the backend session. But I don't think that would even qualify as a "workaround solution", even if not impossible

Interesting but yes quite tricky! I would not even tell it is possible to my internal customers!

Regards,

Olivier