ABAP only Stack - Integration with AD

former_member424387
Participant
0 Kudos

Hi,

We have the below Landscape.

ECC - ABAP only stack

SolMan - Dual Stack

Requirement:

Lots of password reset requests for ECC6 have been coming to the Support Team. So business wants to get rid of this by doing an AD Integration. But not SSO. User has to enter MS AD Credentials and authenticate himself/herself at some point.

Solution

What are the possible scenarios? If not possible, can we utilize the SolMan?

Thanks!

1 ACCEPTED SOLUTION

mvoros
Active Contributor
0 Kudos

Hi,

IMO password synchronization is way to hell. There are always some complications, passwords out of sync. It's better to have authentication against one system and then other systems trust this system (aka SSO).

Anyway, another complication is that passwords are not stored in AD in plaintext. They are hashed. So you can't read them from AD and pass them to SAP system. There is a workaround for IdM where you register a hook that gets called when a user changes her password and it gets sent to IdM. At this moment a password is still in plaintext. So if you really want to implement this then you need to use this workaround.

Cheers

12 REPLIES

Former Member
0 Kudos

Try to configure SAP and LDAP sync programs. Here you need to configure a lot of things. Try to look into RSLDAP* programs and configure accordingly.

tim_alsop
Active Contributor
0 Kudos

I agree completely. It is better to use a product which uses a crypto protocol like Kerberos for authentication, but doesn't provide SSO. The user would then be asked for their AD account and password during logon to SAP and there is no need for any password sync.
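An added illustration of the trust model mvoros and Tim describe (not code from any poster, and not SAP's actual Logon Ticket format): the directory holds only salted password hashes, so nothing usable can be read out of it for synchronization; the authenticating system checks the credentials and issues a signed, expiring ticket; the trusting ABAP-like system accepts the ticket on signature and expiry alone and never handles the password. The directory, the HMAC-signed ticket and TRUST_KEY are constructed stand-ins.

```python
import base64, hashlib, hmac, json, os, time

# Constructed directory: stores only salted password hashes, so (as with AD)
# no plaintext password can be read out and forwarded to another system.
_DIRECTORY = {}
TRUST_KEY = b"constructed-shared-trust-key"  # stand-in for the issuer/trusting-system trust

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def register_user(user, password):
    salt = os.urandom(16)
    _DIRECTORY[user] = (salt, _hash_pw(password, salt))

def authenticate(user, password):
    """Directory-side credential check: the only place the plaintext password is seen."""
    rec = _DIRECTORY.get(user)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(digest, _hash_pw(password, salt))

def issue_ticket(user, password, ttl=300, now=None):
    """Authenticating system: verify the AD-style credentials, then issue a signed ticket."""
    if not authenticate(user, password):
        return None
    now = time.time() if now is None else now
    body = json.dumps({"user": user, "exp": now + ttl}, separators=(",", ":")).encode()
    sig = hmac.new(TRUST_KEY, body, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(body).decode(),
                      base64.urlsafe_b64encode(sig).decode())

def verify_ticket(ticket, now=None):
    """Trusting (ABAP-like) system: accepts the ticket on signature and expiry alone,
    without ever handling or storing the user's password. Returns the user or None."""
    try:
        b64_body, b64_sig = ticket.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        sig = base64.urlsafe_b64decode(b64_sig)
    except (ValueError, TypeError):
        return None  # malformed ticket
    expected = hmac.new(TRUST_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered body or signature
    claims = json.loads(body)
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None  # expired ticket
    return claims["user"]
```

The same split applies whatever signs the ticket: only the issuing system needs the directory, and the trusting system needs only the trust key.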

Former Member
0 Kudos

Some customers are quite content with the variant of Java UME pointing to AD, and successful Java authentication issues a SAP Logon Ticket for trusted systems. User navigates into a landpad which looks like SAPGui Logon Pad and clicks on the ABAP system they need represented by an iView.

iView authenticates on ABAP system via http request with ticket and starts a SAPGui tcode returned to the caller.

There are several limitations such as domains and unique user IDs between AD and JAVA and ABAP, but it is very simple and can be implemented in about 1 day.

Downside is that you do have a trust chain between systems and not a "real" SSO where there is a central authentication provider.

You already have SolMan with dual stack and most likely at least outbound trust to ECC (if not inbound as well - optional) so this option might seem tempting but is probably not the best fit.

There are lots of options. You need to inform yourself and make a choice which best suits your needs.

Cheers,

Julius

0 Kudos

Thanks everyone.

So,

Apart from having authentication against one system and then other systems trust this system-

What are the other options? Do I have any? Is Password Synchronization through RSLDAP* trustworthy considering I don't have a huge User base?

Tim - you say: "The user would then be asked for their AD account and password during logon to SAP and there is no need for any password sync" - Can you please explain this a little more.

Julius - you say "User navigates into a landpad which looks like SAPGui Logon Pad and clicks on the ABAP system they need represented by an iView" - Can you please help me in exploring this solution further. Any pointers would be appreciated.

Thanks!

0 Kudos

For SSO configuration maybe we can use 3rd party products like Quest for Unix based SAP systems. Again for Windows based SAP systems, even 3rd party products are not required and SAP native libraries can be used. But here the requirement is not SSO, just password synchronization. Maybe you can give a try with the SAP AD/LDAP synchronization programs provided by SAP. You can google how to configure this.

0 Kudos

I want to know what the other options are apart from the SAP-AD synchronization programs.

I want to know more about the options suggested by Tim and Julius.

Thanks!

0 Kudos

Hi,

as far as I understand Julius' solution, you can use SAP portal to launch SAP transactions in SAP GUI. In this case the portal handles SSO. So users could use SAP portal only to access backend systems. Portal UME would be pointing to AD so there would be no need for integration.

Tim is talking about classical SSO solution. A user authenticates against AD and gets a security token that is accepted by SAP system for authentication purposes.

Cheers

0 Kudos

I don't have a portal in my landscape. Only a SolMan.

How do I utilize the SolMan to achieve - "A user authenticates against AD and gets a security token that is accepted by SAP system for authentication purposes"

The scenario I am looking for is - the authentication happens in a webpage and then the security token is used for login (SSO) into other ABAP based SAP Systems.

1. Do I need to build a custom web page in the Java Stack of the SolMan for the authentication (wherein the AD Id and Password is used)?

2. How to configure the SSO - security token (from the authentication in Step 1) is used for SSO in ABAP only System. Please let me know the high level steps.

Thanks!

0 Kudos

1. How do I build an iView in the Java Stack of the SolMan to get the authentication (wherein the AD Id and Password is used) done?

2. How to configure the SSO - security token (from the authentication in Step 1) is used for SSO in ABAP only System. Please let me know the high level steps.

Thanks!

0 Kudos

If someone can help me here please.

0 Kudos

Sorry for delay, but I have been on holiday. See some feedback below:

1 - you cannot create an iView in Java stack, since iView is specific to portal. Also, an iView would not be used to authenticate a user. To make Java stack authenticate a user, you need to use existing login modules or create a custom login module, or purchase a product which includes a login module that uses the technology you need for AD id/password authentication.

2 - This depends on what login module you use for 1.