Hi Hande,

I can imagine implementing a password hook on your domain controller: PasswordChangeNotify callback function (Windows)

which would then update the SAP password for a user on all defined SAP instances via RFC call to BAPI_USER_CHANGE.

All the above would require some 200-300 lines of code, however from a security standpoint, I strongly discourage you of implementing that. Your active directory passwords are safe as long as you keep them on the domain controller and you do not touch them. Any attempt like above leads to compromise of user credentials.

Either keep the authentication separate or go for SSO. Do not synchronize the passwords.

Hynek

Regarding 1. You can use an authentication product so that when a user logs onto the SAP system the SAP system (via the authentication product) is able to check the users password against Active Directory. This is much more secure than using the password hook to synchronise passwords between systems. If you want to you can configure some users to get SSO, whilst others are required to enter their Active Directory password each time they logon. Or you might want all users to enter AD credentials.

Thanks

Tim

Hello Hande,

Well you reference old documents, but you don't mention what version of IDM is to be used.  If it's 7.2, then the documents should be fairly relevant, but you might need to make a few tweaks.  If it's version 8, then it's anybody's game.  Documentation is coming at a slow, but steady pace.  Your best bet in that case is to do your research and ask questions here.

Password management is pretty much the same.  I'd suggest looking at and for the best information.

Finally, from a consulting point of view, I would want to understand why they don't want to use SSO (Several excellent reasons exist, but it's good to understand) SSO in some way, shape, or form should be a part of any long range Identity and Access Management plan.

Hope this helps!

Cheers,

Matt