
Inquiry: LDAP-to-AD integration conditions

Former Member
0 Kudos

Hi Gurus,

I am thinking of synchronizing/integration of my company's AD and SAP system (user authentication).

My current setup is via SSO; using a client to act as master user authentication, and then via ePortal to assign the users to the respective clients.

However, I am a bit puzzled and am wondering if the below conditions work with SAP-and-AD sync/integration?

1. Not all SAP users have AD ID

2. Not all AD users are authorized to access SAP

3. Some users are not tied to domains (AD) but have SAP ID.

Would the integration/sync work when all the conditions above apply?

Thank you.

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

I did not fully understand your landscape:

My current setup is via SSO; using a client to act as master user authentication, and then via ePortal to assign the users to the respective clients.

Do you mean that you have a SAP Portal and the UME of your SAP Portal is connected to a SAP ECC Client to have single sign on between your SAP Portal and your SAP ECC (working with SAP Logon tickets)?

Are you looking to have authentication on your SAP Portal using AD credentials?

Can you please provide more details about your current landscape and the functions expected as target?

Ben

Former Member
0 Kudos

Hi Ben,

It is as you said:

I'm using Portal and my Portal's UME is connected to an ABAP client for authentication.

My end objective is as follows:

I wanted to be able to sync the password between SAP's UME and LDAP-AD.

1. For users who connect their PC to the domain (LDAP-AD)

Users would be able to connect to SAP via Portal without the need to key in their password again.

If users change their Windows password, their SAP password would automatically be changed.

If their Windows account is locked, their SAP account would automatically be locked.

2. For users who do not connect their PC to the domain (using a workgroup, or a stand-alone PC)

Users would be able to connect to SAP via Portal, but they would be prompted to key in a password.

Users can also connect to my company's servers using remote desktop and an AD ID provided to perform their tasks.

3. For users who connect their PC to the domain (LDAP-AD) but are not authorized to use SAP

These users should encounter a login error if they try to connect to Portal as they are not authorized to use the SAP system. However, other non-SAP systems should not be affected.

Regards

Former Member
0 Kudos

Hi

What you want to achieve can be done with the SAP Portal SPNego Login Module and its configuration wizard with BasicPassword Fallback & SAP Logon Tickets:

/people/holger.bruchelt/blog/2008/01/09/configuring-and-troubleshooting-spnego--part-1

/people/holger.bruchelt/blog/2008/01/15/configuring-and-troubleshooting-spnego--part-2

/people/holger.bruchelt/blog/2008/01/24/configuring-and-troubleshooting-spnego--part-3

http://wiki.sdn.sap.com/wiki/display/Security/SingleSign-OnwithSPNego%28NWAS+Java%29

There's also an SPNego-Addon that fixes some errors with Win7/Win2k8-AD: Note 1457499 - SPNego add-on

For no 3: Depending on your settings in AD (groups) or Portal UME (groups/roles) AD-users will have permission to access specific Portal content or not.

With this solution you will of course lose the UME/ABAP-synchronization, but it will suit your end-objective.

BR

Michael
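To make the behaviour of the recommended setup concrete, here is an added example (not code from the thread, from SAP, or from the linked blogs) that models the login module stack Michael describes: an SPNego module marked SUFFICIENT followed by a BasicPassword fallback marked REQUIRED, evaluated with the JAAS control-flag rules that NetWeaver's login stacks use, and then a separate UME group check for the "domain user without SAP access" case. The module implementations, the user records, the ticket format and the group name SAP_PORTAL_USERS are all constructed stand-ins; the point is to show which of the three user situations from the question lands in SSO, in a password prompt, or in a denial.

```python
"""JAAS-style evaluation of an SPNego (SUFFICIENT) + BasicPassword (REQUIRED) login stack.
Everything below is a constructed model, not the real SAP login modules."""
from dataclasses import dataclass, field
from typing import Optional

# JAAS control flags (javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag)
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

# Hypothetical UME group that grants Portal access (name is an assumption, not from the thread)
SAP_ACCESS_GROUP = "SAP_PORTAL_USERS"


@dataclass
class User:
    name: str
    domain_joined: bool                     # logs on to the AD domain, so can obtain a Kerberos ticket
    ad_locked: bool = False                 # AD account lockout state
    ume_password: Optional[str] = None      # password kept in UME for non-domain users
    groups: set = field(default_factory=set)


def spnego_module(user: User, creds: dict) -> bool:
    """Stand-in for the SPNego login module: accepts only a Kerberos ticket that the
    domain controller would have issued, i.e. for a domain-joined, unlocked account."""
    ticket = creds.get("kerberos_ticket")
    if ticket is None or not user.domain_joined or user.ad_locked:
        return False
    return ticket == f"TGT:{user.name}"      # constructed ticket format


def basic_password_module(user: User, creds: dict) -> bool:
    """Stand-in for the BasicPassword login module: checks the password stored in UME."""
    pw = creds.get("password")
    return pw is not None and user.ume_password is not None and pw == user.ume_password


# SPNego is SUFFICIENT: a valid ticket ends the stack successfully, a missing ticket just
# falls through. BasicPassword is REQUIRED: it decides the outcome when SPNego fell through.
LOGIN_STACK = [(spnego_module, SUFFICIENT), (basic_password_module, REQUIRED)]


def evaluate_stack(stack, user: User, creds: dict) -> Optional[str]:
    """JAAS control-flag semantics. Returns the name of the module that authenticated
    the user, or None when the stack fails as a whole."""
    required_failed = False
    winner = None
    for module, flag in stack:
        ok = module(user, creds)
        if ok and winner is None:
            winner = module.__name__
        if flag == SUFFICIENT and ok and not required_failed:
            return winner                   # short-circuit success
        if flag == REQUISITE and not ok:
            return None                     # short-circuit failure
        if flag == REQUIRED and not ok:
            required_failed = True          # overall failure, but the stack keeps running
    return None if required_failed else winner


def portal_login(user: User, creds: dict) -> str:
    """Authentication through the stack, then the separate UME authorization check
    that handles case 3 (domain user who is not allowed to use SAP)."""
    via = evaluate_stack(LOGIN_STACK, user, creds)
    if via is None:
        return "denied: authentication failed"
    if SAP_ACCESS_GROUP not in user.groups:
        return "denied: authenticated but not authorized for SAP"
    return f"granted via {via}"


# Constructed users covering the situations described in the thread
ALICE = User("alice", domain_joined=True, groups={SAP_ACCESS_GROUP})                      # case 1
BOB = User("bob", domain_joined=False, ume_password="s3cret", groups={SAP_ACCESS_GROUP})  # case 2
CAROL = User("carol", domain_joined=True)                                                  # case 3
DAVE = User("dave", domain_joined=True, ad_locked=True, groups={SAP_ACCESS_GROUP})         # locked in AD


def run_cases() -> dict:
    """Outcome for each constructed user; the browser would send a ticket for domain
    users and a password for the workgroup user after the SPNego fallback prompt."""
    return {
        "case1_domain_user": portal_login(ALICE, {"kerberos_ticket": "TGT:alice"}),
        "case2_workgroup_user": portal_login(BOB, {"password": "s3cret"}),
        "case3_domain_user_without_sap": portal_login(CAROL, {"kerberos_ticket": "TGT:carol"}),
        "locked_in_ad": portal_login(DAVE, {"kerberos_ticket": "TGT:dave"}),
    }


if __name__ == "__main__":
    for case, outcome in run_cases().items():
        print(f"{case:32} -> {outcome}")
```

The ordering of the flags is what gives the fallback: with SPNego as SUFFICIENT a domain user never reaches the password module, a workgroup user falls through to it, and a locked AD account gets no ticket and, having no UME password either, fails the REQUIRED module. Authorization is deliberately kept out of the stack, since in this design it is the UME group (or Portal role) assignment, not the login module, that decides whether an authenticated AD user may see SAP content.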

Answers (2)

Former Member
0 Kudos

Hi all,

Thanks for the information provided. All this information is very helpful, and I can confirm that my idea is applicable for SAP environments.

However, am I correct to say that there are 2 different methods (creating UME profiles by Sen & using SPNego by Michael)?

Or are the 2 methods mentioned above the same method (different presentation style)?

Thank you.

Regards

former_member218672
Active Contributor
0 Kudos

Hi,

Please check this document to see how to configure AD to UME - http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/bc72b890-0201-0010-3a8d-e31e3e266...

And for the 3 cases that you have mentioned, you can directly create profiles in UME for those users, so that they would be validated against UME while logging in to Portal.

Regards,

Sen