
AD and IDM UME integration

Former Member
0 Kudos

Hi Experts,

Today we have done a few configurations related to AD and UME integration which didn't go well. Please provide your valuable suggestions to overcome the issues. The steps we followed are:

1. We have created a service user in AD

2. Configured the service user with an SPN (service principal name)

3. Logged into NWA: http://hostname:port/nwa

4. Done the UME configurations, please check the attached doc for a screenshot

5. Restarted AS Java

We are looking to load the AD users into UME; could you please suggest what needs to be done after these steps.

Thanks,

Lokesh

Accepted Solutions (1)

Steffi_Warnecke
Active Contributor
0 Kudos

But can those users log in to the portal?

Former Member
0 Kudos

No, users are not able to log in to the portal, because the Portal UME and the IDM UME are different in our environment.

Do we need to integrate Portal and IDM to achieve this? Please suggest.

Steffi_Warnecke
Active Contributor
0 Kudos

Okay, okay, okay... now I get it. You're not talking about the IDM product, but the portal user administration, where you try to add the AD as data source for the users, right?

If you click on the "Validate configuration" button (from your first screenshot) on the UME configuration page for the LDAP server, is it coming back as successful?

Are the users in the portal group "Authenticated Users"?

Former Member
0 Kudos

Hi

That's correct. As per the screenshot, the connection is successful.

And the users are mapped to the group "authenticated users".

Answers (2)

Former Member
0 Kudos

Judging by your screenshot, you haven't provided a user path. Pick one of your AD users that can't log in and find their location in Active Directory. Provide this location in your LDAP UME config and restart the system... then try to log in again with that user.

<KC>

Former Member
0 Kudos

Hi KC,

Thanks for your reply. Yes, I have defined the path in the user path of the LDAP UME config as well.

Still, the user is unable to log in.

Former Member
0 Kudos

Hmmm. Well, based on all that, there are really only two reasons I can think of to explain why those users aren't able to log on...

1. The samaccountname property of those users isn't populated with the logon ID. Note that samaccountname is your unique identifier based on your LDAP UME config (this is customizable, if you want).

2. Identical user IDs exist in the local database as well (on the SAP system). If there is ever ambiguity, then the app can't determine which occurrence of the ID is authoritative, so it excludes the ID. I'd check the local user store in SAP to see if you have the same IDs defined there (matching the IDs in Active Directory). If so, you need to delete them from one or the other... an ID can only exist once.

If those don't fix this, I recommend finding the closest window and throwing this system out because it's obviously cursed.  ;o)

<KC>
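The three causes KC raises in this thread (a missing user path, an unpopulated samaccountname, and an ID that also exists in the local UME database) can be checked before restarting anything. The following audit script is an added example, not code from the thread or from SAP; it parses a constructed LDIF export of the AD user container and assumes a hypothetical user path, logon attribute and local user list.

```python
# Constructed sample of an AD user export in LDIF form (not a real directory).
SAMPLE_LDIF = """\
dn: CN=Lokesh K,OU=SAPUsers,DC=example,DC=corp
sAMAccountName: lokeshk

dn: CN=Jane Doe,OU=SAPUsers,DC=example,DC=corp
sAMAccountName: jdoe

dn: CN=No Logon,OU=SAPUsers,DC=example,DC=corp
mail: nologon@example.corp

dn: CN=Outside Path,OU=Contractors,DC=example,DC=corp
sAMAccountName: contractor1
"""
# Constructed: IDs already present in the local UME database of the SAP system.
LOCAL_UME_USERS = {"Administrator", "jdoe"}
# Assumed UME LDAP settings: the user path and the attribute mapped to the logon ID.
UME_USER_PATH = "OU=SAPUsers,DC=example,DC=corp"
UME_LOGON_ATTR = "sAMAccountName"


def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, attribute -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # a blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit(entries, local_users, user_path, logon_attr):
    """Map each DN that UME would not authenticate to the reason KC describes."""
    problems = {}
    for entry in entries:
        dn = entry["dn"][0]
        # Reason 1: outside the configured user path, so UME never searches it.
        if not dn.lower().endswith("," + user_path.lower()):
            problems[dn] = "outside user path"
        # Reason 2: the attribute mapped to the logon ID is empty.
        elif not entry.get(logon_attr, [""])[0]:
            problems[dn] = f"{logon_attr} not populated"
        # Reason 3: the ID also exists locally, so UME cannot pick an authoritative one.
        elif entry[logon_attr][0] in local_users:
            problems[dn] = f"duplicate id '{entry[logon_attr][0]}' in local UME database"
    return problems
```

Run `audit(parse_ldif(SAMPLE_LDIF), LOCAL_UME_USERS, UME_USER_PATH, UME_LOGON_ATTR)` against a real LDIF export (for example from `ldifde` on the domain controller) and the local UME user list to get a per-user reason before touching the configuration.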

Former Member
0 Kudos

Could you please let me know how to populate the samaccountname with the logon ID? I have checked the samaccountname box in the LDAP UME config while defining the service user, hostname, port etc.

We have removed all duplicate IDs from the SAP and IDM DB as well. Now we only have IDs which are fetched from AD.

Former Member
0 Kudos

That's really a question for whoever maintains your AD because it can vary from one installation to the next. In general, there are default properties for all user IDs in your AD domain that each and every user will have populated. What you need to know from your AD folks is whether the samaccountname property is populated with the logon ID for these users.

If it's not, you have two options... ask those same AD folks to populate that property with the users' logon IDs and make that a requirement for all new users moving forward. -OR- find another property that DOES contain the logon ID and modify your LDAP UME config to reference that property instead of samaccountname.

<KC>

Former Member
0 Kudos

Thanks KC for your valuable suggestions.

I will check with the AD folks and get back to you with the results.

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Lokesh,

We're not so great at mind reading here. So you need to share what exactly "doesn't go well". If you just need more steps to do, you should consult the documentation. Searching here on SCN also helps a lot, but we're not going to do that for you.

So please share some more information on where you are stuck and need help.

Regards,

Steffi.

Former Member
0 Kudos

Hi Steffi,

Thanks for the response. We have tried to do the AD and UME integration in our environment, but AD users were still unable to log in to the IDM UI with their AD credentials. Here, I'm able to fetch users from AD into UME and able to see the users in UME as well. But those users were still unable to log in to the IDM UI.

Could you please provide any documents which would help us with the AD and UME integration, and provide your valuable suggestions on this.

Thanks

Lokesh

Steffi_Warnecke
Active Contributor
0 Kudos

You need to assign the IDM actions via IDM portal roles to those users. How to do that is explained very well in the IDM documentation. Just have a look at the start page of this space to find the documentation links, and from there you'll find the implementation and security documentation to complete your setup.

Regards,

Steffi.

Former Member
0 Kudos

Hi Steffi,

Thanks for your reply again.

We have assigned the action 'idm_authenticated' to the user and tested again. Still not able to log in to the IDM UI with AD credentials.

Thanks

Lokesh

Steffi_Warnecke
Active Contributor
0 Kudos

Can you describe the "not able to login" a bit more? Do they at least see the IDM application?

Former Member
0 Kudos

Hi

When we try to access the IDM UI, i.e.

http://hostname:port/idm

with the username as the AD user and the AD password (which is fetched into the IDM UME via the LDAP data source):

Error: authentication failed

The log we found in UME is:

LOGIN.FAILED

User: N/A

IP Address: ******

Authentication Stack: sap.com/tc~wd~dispwda*webdynpro_dispatcher

Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details

1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true     

2. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          exception             true       Authentication did not succeed.

3. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                                true