01-20-2014 5:21 PM
Hello everybody,
There is a documentation or a guide about the configuration of SapGui authentication using MS AD instead of using standard user repository?
I have found some documentations, but all them are about a ECC server system in Microsoft Windows. Is it possible make the configuration without use a third party software?
Thanks in advance,
Renato Lima.
01-20-2014 6:21 PM
Hi Renato
sorry to be a pain but, sapgui is the presentation server of a ecc server and ad is microsoft's directory server, what's the third party sw?
Let me know
cheers
a
01-20-2014 6:37 PM
Andrea,
He is looking for an SSO solution that uses AD as an authentication server (via. SNC interfaces). There are many of these available, either from SAP or from SAP partners. Looks like he wants one for free since he said he doesn't want to buy third party s/w.
Renato,
If you don't want to spend money on a product, you can build your own using open source Kerberos libraries. Other SAP customers have done this. I personally wouldn't recommend it, but you can if you wish.
Thanks,
Tim
01-20-2014 7:51 PM
HI Both
apologies for my silly question
It appears i have to book again the adm100
later
a
01-21-2014 8:01 AM
Hi,
Just some additional info to what Tim already said above.
There is actually a whitepaper from realtech available on this topic.
However keep please keep in mind, this is not officially supported and if using the native libs from the linux distributions, you may run into trouble, as they are sometimes not complete or do not work.
Kind regards,
Patrick
01-21-2014 8:06 AM
Also, it is worth mentioning that the cost of the software might be ZERO, but if it is not supported and it stops working, there is a cost of downtime and user productivity on your critical SAP systems, since users won't be able to logon if it stops working. This is why customers generally prefer to buy products that are SAP certified and supported.
01-21-2014 8:16 AM
01-21-2014 8:20 AM
Yes, SAP NW SSO 2.0 product is SAP certified and supported. There are other products from SAP partners that are also SAP certified and supported. The details described in the Realtech doc would mean that the implementation is NOT SAP certified and NOT supported.
01-21-2014 8:58 AM
Hi Tim,
with regards to the realtech doc, this is why I mentioned the lack of support.
BTW: SAP NW SSO 2.0 isn't certified, as it is not a partner product but an SAP product. SAP only certifies partner products, that's why I added it to your list.
01-21-2014 9:25 AM
01-21-2014 10:03 AM
Regardless of the costs and support, it is highly recommendable to have a tested failover plan in case the SSO goes down in real life, such as a password reset self-service which can be redirected to or mailed as info.
This takes the immediate risk out of any alternate authentication mechanism, in the unlikely event of loss of cabin pressure... 🙂
Cheers,
Julius
01-21-2014 10:49 AM
And how exactly would you set this up? I have skimmed the SAP SSO documentation but didn't see it (I wasn't reading it carefully, though). Any ad-hoc ideas?
01-21-2014 11:21 AM
Hello Mylene,
Nice to hear from you again!
There is no password self-service within SAP SSO. It is something separate and independent of whatever SSO solution is deployed.
What I meant is that it generally makes a lot of sense for a plan B such as a redirect to automatically drop from the overhead area to that you can carry on working if needed. This means that the risk of cost and support delays for failure in any SSO is less.
Cheers,
Julius
01-21-2014 11:38 AM
Hello Julius,
nice to see you, too (also, beautiful floppy ears).
I concurr, this seems a most sensible arrangement, if you want to avoid being crucified by wandering mobs of users unable to login.
I was just speculating whether SAP SSO 2.0 delivered something like a password self-service - I know you have it as a part of IdM (the expense!) or some more or less dignified 3rd party companies (who have terrible problems handling such a self-service on both: SAPGui accessed systems and BEX and portals ...).
I will now stop derailing this thread. Sorry, Renato.