07-30-2006 12:07 PM
Hi all,
We are implementing an EP installation. We want to reuse the ABAP role assignment for the portal roles, and we require an SSO solution based on SPNego.
Now we can implement each on its own fine. The question is how we can connect the UME to use both the ABAP and the LDAP datasource. I opened an OSS message about it and they said it's possible and supported, but I'm on my own when it comes to implementing it (or consulting, of course).
Has anyone had experience with this configuration, or can anyone provide me with the datasource schema file?
Thanks in advance,
Eric
07-31-2006 8:11 AM
Eric,
My understanding is that SAP does not currently support simultaneous ABAP and LDAP data sources. What SAP does support is an ABAP backend with LDAP synchronization:
http://help.sap.com/saphelp_nw04s/helpdata/en/0c/632441cd87a12be10000000a1550b0/frameset.htm
I do not think that helps you with your authentication problem though.
Would importing the ABAP roles into the portal help?
http://help.sap.com/saphelp_nw04s/helpdata/en/0c/632441cd87a12be10000000a1550b0/frameset.htm
-Michael
07-31-2006 10:50 AM
Hi Michael,
According to an OSS message I opened, this is indeed possible, and similar scenarios are even described in the ADM200 course.
Importing roles into the portal is no good for me since I need the users who are assigned to these roles and not the names of the roles. This must be dynamic and not batched.
Eric
01-11-2007 8:38 PM
Hi Eric,
As Michael replied, such a configuration is not supported by SAP at the moment. You should be able to achieve it though, by doing the following:
1. Customize the datasource XML file that you use, adding two datasources: LDAP and ABAP. You can achieve that by using the provided templates, i.e. copy and paste the relevant datasource sections from dataSourceConfiguration_abap.xml and dataSourceConfiguration_[your ldap server].xml.
2. Configure UME to use that customized XML file.
3. Configure the LDAP connection in the private section of the LDAP datasource as explained here:
http://help.sap.com/saphelp_nw2004s/helpdata/en/4e/4d0d40c04af72ee10000000a1550b0/frameset.htm
4. Configure the ABAP connection as explained here:
http://help.sap.com/saphelp_nw2004s/helpdata/en/4e/4d0d40c04af72ee10000000a1550b0/frameset.htm
After that, restart and you should be able to use the two systems as user stores.
Let me remind you again that this is not supported by SAP, which is why you do that configuration at your own risk.
Cheers,
Ilian
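The merge Ilian describes has one rule that the templates will not enforce for you: in a UME data source configuration each principal type (user, account, group) may have exactly one home data source, and pasting the ABAP and LDAP sections together naively gives users and groups two homes. The script below is an added example, not code from the thread or from SAP. It merges two constructed, trimmed stand-ins for dataSourceConfiguration_abap.xml and an LDAP template, reports the home conflicts, and resolves them by keeping ABAP as the home (so ABAP role assignments stay authoritative) while leaving the LDAP source responsible for users and groups, which is what a Kerberos principal lookup needs. The element layout (dataSources / dataSource / homeFor / responsibleFor / privateSection) follows the UME file format; the className values and the data source ids are assumptions.

```python
"""Merge an ABAP and an LDAP UME data source template into one file and
check that every principal type has exactly one home data source.

Added example, not from the thread or from SAP. The two templates are
constructed, trimmed stand-ins; className values and ids are assumed.
"""
import xml.etree.ElementTree as ET

ABAP_TEMPLATE = """<dataSources>
  <dataSource id="R3_DATASOURCE" isReadonly="true" isPrimary="true"
      className="com.sap.security.core.persistence.datasource.imp.R3Persistence">
    <homeFor><principals>
      <principal type="account"/><principal type="user"/><principal type="group"/>
    </principals></homeFor>
    <responsibleFor><principals>
      <principal type="account"/><principal type="user"/><principal type="group"/>
    </principals></responsibleFor>
    <privateSection/>
  </dataSource>
</dataSources>"""

LDAP_TEMPLATE = """<dataSources>
  <dataSource id="CORP_LDAP" isReadonly="true" isPrimary="true"
      className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence">
    <homeFor><principals>
      <principal type="user"/><principal type="group"/>
    </principals></homeFor>
    <responsibleFor><principals>
      <principal type="user"/><principal type="group"/>
    </principals></responsibleFor>
    <privateSection>
      <ume.ldap.access.server_name>ldap.example.corp</ume.ldap.access.server_name>
      <ume.ldap.access.server_port>389</ume.ldap.access.server_port>
    </privateSection>
  </dataSource>
</dataSources>"""


def merge(*templates):
    """Concatenate the <dataSource> elements of several template files."""
    merged = ET.Element("dataSources")
    for text in templates:
        for ds in ET.fromstring(text).findall("dataSource"):
            merged.append(ds)
    return merged


def home_assignments(root):
    """principal type -> ids of the data sources that claim it as home."""
    homes = {}
    for ds in root.findall("dataSource"):
        for p in ds.findall("./homeFor/principals/principal"):
            homes.setdefault(p.get("type"), []).append(ds.get("id"))
    return homes


def conflicts(root):
    """Principal types claimed as home by more than one data source."""
    return {t: ids for t, ids in home_assignments(root).items() if len(ids) > 1}


def drop_home(root, ds_id, ptype):
    """Remove ptype from ds_id's homeFor list; responsibleFor is untouched,
    so the source is still searched for that type (attribute lookups work)
    but cannot own or create principals of that type."""
    for ds in root.findall("dataSource"):
        if ds.get("id") != ds_id:
            continue
        principals = ds.find("./homeFor/principals")
        for p in list(principals if principals is not None else []):
            if p.get("type") == ptype:
                principals.remove(p)


def build_combined(home_id="R3_DATASOURCE"):
    """Merge both templates and make home_id the only home for every
    principal type it claims (ABAP keeps users/groups; LDAP only resolves)."""
    root = merge(ABAP_TEMPLATE, LDAP_TEMPLATE)
    for ptype, ids in conflicts(root).items():
        if home_id in ids:
            for other in ids:
                if other != home_id:
                    drop_home(root, other, ptype)
    return root


def to_xml(root):
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("naive merge conflicts:", conflicts(merge(ABAP_TEMPLATE, LDAP_TEMPLATE)))
    combined = build_combined()
    print("after fix:", conflicts(combined))
    print(to_xml(combined))
```

Run conflicts() again on the real merged file before uploading it with the Config Tool; a type that is still home in two sources is the kind of mistake that only shows up as odd user-creation or lookup behaviour after the restart.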
01-12-2007 5:39 AM
Please do the settings below for LDAP and ABAP.
LDAP settings (only when LDAP persistence is used)
ume.ldap.access.server_name : /H/sapgate1.wdf.sap.corp/S/3299/H/p102397.ume.wdf.sap.corp
ume.ldap.access.server_port : 389
ume.ldap.access.user : cn=administrator, cn=users, dc=ume, dc=wdf, dc=sap, dc=corp
ume.ldap.access.password : admin
ume.ldap.access.base_path.user : DC=ume, DC=wdf, DC=sap, DC=corp
ume.ldap.access.base_path.grup : dc=ume, dc=wdf, dc=sap, dc=corp
ABAP settings (only when ABAP persistence is used)
1. Take one ABAP system, e.g. System Name: B4T, Client Num: 000
2. Log in with a user who has admin rights.
3. Create user J2EE_ADMIN using transaction SU01.
4. Assign role SAP_J2EE_ADMIN (note: assign all roles).
5. Create user J2EE_GUEST using transaction SU01.
6. Assign role SAP_J2EE_GUEST.
7. Create communication user COMUSER using transaction SU01; user type: communications.
8. Assign role SAP_BC_JSF_COMMUNICATION.
ume.persistence.data_source_configuration : dataSourceConfiguration_abap.xml
r3.connection.master.ashost : /H/sapgate1.wdf.sap.corp/S/3299/H/ls4079
r3.connection.master.client : 000
r3.connection.master.sysnr : 09
r3.connection.master.user : comuser (the SAPJSF or communication user which we created in the backend system)
r3.connection.master.password : test (the password of the communication user in the backend system)
08-15-2007 2:36 PM
02-07-2008 11:55 AM
Hi Hussein Bilgen,
I'm concerned with the same problem (UME source = ABAP; SSO via ADS LDAP with SPNEGO).
Can you send me the example schema?
Or is there in the meantime a solution provided by SAP?
Edgar
02-07-2008 12:12 PM
Hi,
I apologise in advance for this being a bit of a vendor sales pitch, but I think it is important and useful to many people who have posted in this thread.
My company has a product which implements Integrated Windows Authentication using the SPNEGO protocol, but our product does not require any changes to the data source. The product also uses C-based Kerberos libraries rather than the somewhat dated Kerberos protocol support in the Java SDK which is used by the SAP SPNEGO login module. We can support any configuration of data source required, so we are not dependent on the UME LDAP configuration. As far as I am aware, the reason why the SAP SPNEGO login module uses the UME and LDAP data source is so it can determine the SAP user id after the user has been authenticated using Kerberos credentials. Our product uses a different approach: we map the principal/account name of the authenticated user onto a SAP id using one of many methods. At the moment the latest version of our product supports 2 methods of mapping, and we plan to add more. The 2 mapping methods are described below:
1. If user has authenticated as username@REALM we assume that their SAP user name = USERNAME (e.g. username converted to upper case). This method seems to be ok for many SAP customers.
2. If user has authenticated as username@REALM we look in USRACL table on ABAP system for a match, and if we find one we will know the SAP user id to use when creating the SSO2 ticket. This method of mapping is suited to customers who are also using SAP GUI SNC SSO and are therefore already maintaining the USRACL table mapping via SU01 t-code on ABAP system.
I appreciate that this is vendor specific and not describing a SAP solution, but it is clear from this thread that people are trying to make the SAP product do things it cannot. This is why vendors like us develop such solutions, so we can fill the gaps.
If you need any more info on our product, please contact me using the email address in my SDN business card.
Thanks,
Tim
06-03-2008 9:41 AM
06-03-2008 9:30 PM
Try the following:
1. Download SPNegoWizard_645.zip (for 7.0) or SPNegoWizard_640 (for 6.40) from SAP Note 994791 and unzip it.
2. Adjust the user running the SAP system in Active Directory
3. Copy the EAR and XML Files from the SPNegoWizard.ZIP file to a temporary directory on the server.
4. Open up the Visual Administrator. Logon with the admin ID.
5. SID ->Server -> Services -> Deploy
6. Open the Config Tool. (Yes to using DB settings)
7. Select UME LDAP Data
8. Browse to the XML file you copied earlier. (dataSourceConfiguration_ads_readonly_db_with_krb5.xml)
Click the upload button.
9. Select the Configuration file you just uploaded. Click OK on the Warning message.
10. Setup the Connection details as specified below:
Server Name: xxxxxx
Server Port: xxxxxxx
User: SAPService<SID>@domain.com
Password: xxxxxx
Use UME unique id with unique LDAP attribute (checked): samaccountname
User Path: dc=<domain>,dc=com
Group Path: ou=xxxxxx,ou=xxxx,dc=xxxx,dc=xxxx
11. Click the Test Connection button you should see:
Click Close when done.
12. Click the Test Authentication button, enter NT user ID and NT password, and click the authenticate button and you should get a success message:
13. Select cluster-data -> Global Server Configuration -> services -> com.sap.security.core.ume.service
14. Edit the ume.admin.addattrs.
Add the values: krb5principalname;kpnprefix;dn
Click the Set button.
15. Click the Save button or File -> Apply.
16. Close the Config tool and restart the JAVA engine.
17. After the engine is restarted, continue on with the Kerberos configuration.
18. Open up the SP Nego Wizard by going to the following URL: http://<server>:<port>/spnego
19. Logon with the Administrator user ID.
20. Select the check boxes for "Service user is created and configured in Active Directory" and "UME configuration includes SPNego specific settings"
Click the Next button
21. Click the Add Kerberos Realm button and enter your domain name (e.g. company.com)
22. For the Realm Configuration's KDCs (Key Distribution Centers) put in <KDC host> and 88 for the port (the port should already be filled in).
23. In the KPN (Kerberos Principal Name) section enter the Service User Name & Password.
Service User: SAPService<SID>
Password: xxxx
Leave LDAP Host - blank
24. Click the Next button
25. Select Prefix Based for the Resolution Mode and Click Next
26. In Policy Configuration we want to create a new policy called spnego. Tick Basic Password Fallback (for when SSO does not work) and tick SSO with Logon Tickets. Click the Next button.
27. Click Finish on the Confirmation screen.
28. Close the browser and restart the engine.
29. After the engine has finished restarting, continue with the final steps.
30. Open up the Visual Administrator. Logon as the Administrator ID.
31. SID -> Server -> Services -> Security Provider
32. Go into change mode by clicking the change button.
33. On the Runtime tab -> Policy Configurations tab, select ticket from the Components list.
34. On the Authentication tab for the ticket component, select Authentication Template: spnego
35. Now go to the useradmin service (http://<server>:<port>/useradmin) to test the Kerberos SSO. You should get signed on without entering a user name or password.
You are done!
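Both the vendor mapping methods in Tim's post and the "Prefix Based" resolution mode in the wizard steps above come down to the same security-relevant question: once Kerberos has authenticated a principal such as user@REALM, which SAP user id does the logon ticket get issued for? The script below is an added example, not SAP's SPNego login module and not the vendor product from this thread. It models the four mappings the thread mentions against constructed data: prefix-based resolution against the UME attribute kpnprefix (the attribute exposed by the ume.admin.addattrs step), a full krb5principalname match, the vendor's upper-cased-prefix rule, and a USRACL-style lookup. The UME records, trusted realms and USRACL rows are constructed, and the USRACL PNAME format "p:CN=user@REALM" is an assumption. It also shows the two checks a practitioner wants in front of any of these mappings: reject principals from realms you did not configure, and refuse rather than guess when a prefix matches more than one user (the prefix-based mode throws away the realm, so two trusted realms with the same user part collide).

```python
"""Resolve an authenticated Kerberos principal (KPN) to a SAP user id.

Added example, not SAP's SPNego login module and not the vendor product
from the thread. All user records, realms and USRACL rows are constructed;
the USRACL PNAME format "p:CN=user@REALM" is assumed.
"""
from collections import namedtuple

Result = namedtuple("Result", "uid error")   # uid is None when unresolved

# Realms the Kerberos wizard step "Add Kerberos Realm" would have configured
TRUSTED_REALMS = {"CORP.EXAMPLE.COM", "SUB.CORP.EXAMPLE.COM"}

# Constructed UME user records as seen after ume.admin.addattrs exposes
# krb5principalname and kpnprefix. JDOE and JDOE2 share a prefix on purpose.
UME_USERS = [
    {"uid": "ESMITH", "kpnprefix": "esmith",
     "krb5principalname": "esmith@CORP.EXAMPLE.COM"},
    {"uid": "JDOE", "kpnprefix": "jdoe",
     "krb5principalname": "jdoe@CORP.EXAMPLE.COM"},
    {"uid": "JDOE2", "kpnprefix": "jdoe",
     "krb5principalname": "jdoe@SUB.CORP.EXAMPLE.COM"},
    {"uid": "SVCBATCH", "kpnprefix": None, "krb5principalname": None},
]

# Constructed USRACL-style rows: SNC name (PNAME) -> ABAP user (BNAME)
USRACL = {
    "p:CN=esmith@CORP.EXAMPLE.COM": "ESMITH",
    "p:CN=tlee@CORP.EXAMPLE.COM": "T.LEE",
}


class ResolutionError(Exception):
    pass


def parse_kpn(kpn):
    """Split user@REALM, normalise the realm and enforce the realm allow-list."""
    parts = kpn.split("@")
    if len(parts) != 2 or not all(parts):
        raise ResolutionError("malformed principal: %r" % kpn)
    user, realm = parts[0], parts[1].upper()
    if realm not in TRUSTED_REALMS:
        raise ResolutionError("untrusted realm %s" % realm)
    return user, realm


def _unique(ids, what):
    """Exactly one match or nothing; never pick silently between two users."""
    if len(ids) > 1:
        raise ResolutionError("ambiguous %s matches %s" % (what, sorted(ids)))
    return ids[0] if ids else None


def resolve(kpn, mode):
    """Map a KPN to a SAP user id with one of the mappings from the thread."""
    try:
        user, realm = parse_kpn(kpn)
        if mode == "prefix":        # wizard "Prefix Based": realm is ignored
            ids = [u["uid"] for u in UME_USERS
                   if (u["kpnprefix"] or "").lower() == user.lower()]
            return Result(_unique(ids, "kpnprefix %r" % user), None)
        if mode == "full":          # match the whole krb5principalname
            full = "%s@%s" % (user, realm)
            ids = [u["uid"] for u in UME_USERS
                   if (u["krb5principalname"] or "").lower() == full.lower()]
            return Result(_unique(ids, "krb5principalname %r" % full), None)
        if mode == "uppercase":     # vendor method 1: SAP id = USERNAME
            return Result(user.upper(), None)   # caller must check it exists
        if mode == "usracl":        # vendor method 2: SNC name table lookup
            return Result(USRACL.get("p:CN=%s@%s" % (user, realm)), None)
        raise ValueError("unknown resolution mode %r" % mode)
    except ResolutionError as err:
        return Result(None, str(err))


if __name__ == "__main__":
    for kpn in ("esmith@CORP.EXAMPLE.COM", "jdoe@CORP.EXAMPLE.COM",
                "jdoe@SUB.CORP.EXAMPLE.COM", "tlee@CORP.EXAMPLE.COM",
                "esmith@EVIL.EXAMPLE.COM"):
        for mode in ("prefix", "full", "uppercase", "usracl"):
            print("%-28s %-9s -> %s" % (kpn, mode, resolve(kpn, mode)))
```

The AD-backed comparisons are case-insensitive because Active Directory account names are; the USRACL lookup is an exact string match because that is how the table is keyed. Whichever mode you use, the "uppercase" rule issues a ticket for whatever name the KDC authenticated, so it belongs only in environments where every Kerberos account name is known to equal an ABAP user name.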
06-04-2008 8:26 AM
Hi Ankur Agrawal
Thank you for this guide. I'd like to be sure about the following criteria before implementing this:
- Roles from the ABAP backend will still be converted into portal roles automatically, similar to the scenario when we configure the ABAP backend as the UME datasource
- Users can have the same or different user IDs on the data sources (mapping required if they are different)
I really doubt that the roles are loaded automatically. Do you know this?
Sincerely, Simon