on 06-06-2015 11:44 PM
Hi experts
We have two issues for our customer:
1-Integration of SAP User Administration into Microsoft Active Directory: Our customer wants to synchronize their SAP users and passwords with Microsoft Active Directory, but they don't want to use Single Sign-On.
2-Creating and Synchronizing Users in Active Directory from Employee Data Stored in SAP HR
We found two documents related to this issue, but their versions are very old. Is there any new version of these documents, or do we have to use a different technology (for example NetWeaver Identity Management)?
Related links are:
Best Regards....
Hi Hande,
I can imagine implementing a password hook on your domain controller: PasswordChangeNotify callback function (Windows)
which would then update the SAP password for a user on all defined SAP instances via RFC call to BAPI_USER_CHANGE.
All the above would require some 200-300 lines of code; however, from a security standpoint, I strongly discourage you from implementing that. Your Active Directory passwords are safe as long as you keep them on the domain controller and you do not touch them. Any attempt like the above leads to compromise of user credentials.
Either keep the authentication separate or go for SSO. Do not synchronize the passwords.
Hynek
Regarding 1. You can use an authentication product so that when a user logs onto the SAP system, the SAP system (via the authentication product) is able to check the user's password against Active Directory. This is much more secure than using the password hook to synchronise passwords between systems. If you want to, you can configure some users to get SSO, whilst others are required to enter their Active Directory password each time they log on. Or you might want all users to enter AD credentials.
Thanks
Tim
Hi Hande,
The Kerberos SNC authentication options available with the product SAP Single Sign-On are documented on help.sap.com.
I'm pretty sure there will be a mode that fits your scenario.
Best regards,
Christian
Hello Hande,
Well you reference old documents, but you don't mention what version of IDM is to be used. If it's 7.2, then the documents should be fairly relevant, but you might need to make a few tweaks. If it's version 8, then it's anybody's game. Documentation is coming at a slow, but steady pace. Your best bet in that case is to do your research and ask questions here.
Password management is pretty much the same. I'd suggest looking at and for the best information.
Finally, from a consulting point of view, I would want to understand why they don't want to use SSO (several excellent reasons exist, but it's good to understand). SSO in some way, shape, or form should be a part of any long-range Identity and Access Management plan.
Hope this helps!
Cheers,
Matt