Hello Experts,

We have just enabled SAP NW SSO SP4 secure login library and secure login client, MS AD kerberos based . Now i am looking the solution for couple of requirement while using SAP SSO environment Linux/ECC6 EHP6 (ABAP stack only) with oracle as database but no EP:

1. User creation should be done through MS AD on the same infrastructure via batch job or through some automation as we don't want to create or manage users in SAP when we have already enabled SAP SSO. For example whenever user joins the company, and his id is created in MS AD, so it should be replicated in SAP as well, so no double work for user creation or management. Is it possible? or if there is another alternate way please suggest.

2. MS AD groups mapping with SAP roles. Requirement is whenever user wants to logon in SAP through his MS AD credentials i means through SSO, SAP roles should be authenticated at MS AD groups whether this user has right assignment in SAP or not like correct roles are assigned in SAP as per groups and permissions assigned in AD, if all conditions met then only he can login in SAP.

If it is possible then it would be great. Else some other solution which can meet this requirement.

I am also curious to know whether we can create and manage SAP roles through MS Ad as well?

Please advice how the above requirement fulfill where we have neither java stack nor EP .

Thanks in advance- Vikas.