sso and password - questions

former_member182675
Contributor
0 Kudos

Dear Friends


I have questions regarding SSO and password to mass users.


We have changed the way users log in to the SAP system to SSO.
Now I have open questions on which I need your advice.

After changing the way users work to SSO, we want to map which users need to log in with a password and which do not, and then we want to delete the password for the users that log in with password.

1. I need to know the list of users logging in with SSO and the list of users logging in with password. Is there a way to know that?

2. In case I have a user that logs in with SSO, is there a way to know when was the last time this user logged in with a password?

Regards
Naor

1 ACCEPTED SOLUTION

LutzR
Active Contributor
0 Kudos

Hi Naor, as always it depends on what you want to achieve and how old your systems are.

Current systems can log the authentication method in Security Audit Trace so that you can trace and evaluate each and every logon event.

What I find more practical and less time consuming to evaluate is simply to use the following parameters for a smooth transition:

  • login/password_max_idle_initial = 2 means an initial password gets fully invalid after 2 days
  • login/password_max_idle_productive = 180 (we use 2x login/password_expiration_time) means a user has 90 days to change his password after it expired, then it will get fully invalid
  • login/password_change_for_SSO = 0 means the user is not prompted for changing expired passwords during SSO logon

So we let those parameters do their work. And in case users don't use their password their password will get fully invalid and this situation is quite comparable to a deactivated password.

To get an overview how this develops over time we once in a while use RSUSR200.

We find people like this example whose initial password was set in 2010 and never used but he obviously logs on regularly so he obviously uses nothing but SSO to authenticate:

So we could set his password to deactivated to make the situation clearer but we don't think it's necessary.

So if you need precise information on who logged on with which authentication method go for Security Audit Log (and update your system if necessary to get this functionality).

If this is more about getting an overview over how transition to SSO is progressing, just let passwords get invalid and start RSUSR200 once in a while.

Regards,

Lutz
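
The overview approach described in the answer above, as an added example that is not part of the original post and not SAP code: it applies the two idle limits to an exported user list and flags who has stopped using a password. The CSV column names and sample rows are constructed for illustration (not an RSUSR200 output format), and it assumes the idle period is counted from the later of the password-set date and the last password logon.

```python
import csv
import io
from datetime import date, timedelta

# Values quoted in the answer above.
MAX_IDLE_INITIAL = 2       # login/password_max_idle_initial (days)
MAX_IDLE_PRODUCTIVE = 180  # login/password_max_idle_productive (days)

# Constructed sample export; column names are hypothetical.
SAMPLE = """user,pwd_initial,pwd_set,pwd_last_used,last_logon
ALICE,yes,2010-03-01,,2024-05-28
BOB,no,2023-01-10,2024-05-20,2024-05-20
CAROL,no,2022-06-01,2023-02-01,2024-05-30
DAVE,yes,2024-05-31,,
"""

def _d(text):
    """Parse an ISO date; an empty field means 'never'."""
    return date.fromisoformat(text) if text else None

def classify(row, today):
    """Return (password_state, logon_pattern) for one exported user row."""
    initial = row["pwd_initial"] == "yes"
    limit = MAX_IDLE_INITIAL if initial else MAX_IDLE_PRODUCTIVE
    # Assumption: the idle clock starts when the password was last set or used.
    last_touch = max(d for d in (_d(row["pwd_set"]), _d(row["pwd_last_used"])) if d)
    state = "idle-invalid" if today > last_touch + timedelta(days=limit) else "usable"
    logon = _d(row["last_logon"])
    if logon is None:
        pattern = "never logged on"
    elif logon > last_touch:
        # A logon later than the last password use cannot have used the password.
        # Day granularity: a same-day SSO logon still counts as "password".
        pattern = "no password logon since " + last_touch.isoformat()
    else:
        pattern = "password"
    return state, pattern

def report(text, today):
    """Classify every user in a CSV export; returns {user: (state, pattern)}."""
    return {r["user"]: classify(r, today) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for user, result in report(SAMPLE, date(2024, 6, 1)).items():
        print(user, *result)
```

Users reported as "idle-invalid" with a recent logon are the SSO-only population the answer describes; users reported as "password" still depend on their password and should be handled before any password is deactivated.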

4 REPLIES 4

0 Kudos

Hi, have you seen and read this thread:

?

In my understanding, it is not logged in standard if SSO or PW authentication but you could check in BADI if SNC is active for current user or not...

Regards

Tobias

0 Kudos

Hi Tobias,

Can you please let us know the BADI name. Thanks.

Regards,

Surya

0 Kudos

Please read the thread I wrote you. Exactly this place:

http://scn.sap.com/message/6864793#6864793


From Platinum

Assuming that you intend to simply log which user is using SNC when logging onto an ABAP system with SAPGUI, then there is a kind of solution for you:

you can use the existing SAPGUI logon user-exit (see SAP Note 37724) to call function module SNC_GET_MY_INFO in order to check whether your communication partner (= SAPGUI) has a (valid) SNC name (PNAME_USER NE SPACE). In that particular case, this is equivalent to "user has authenticated via SNC". And I assume that this is what you intended (notice: you cannot determine whether the user has logged onto the system using SAPGUI with SAP Logon Tickets, i.e. when using some Portal iViews).
