09-19-2007 5:15 PM
Hello Experts,
I need advice on a SSO problem:
We have an ERP2005 with approx. 500 users. On a seperate machine we have a dual stack Netweaver 7 with Portal and cProjects (on the NW ABAP stack).
Now that the prototype was accepted, all 500 users from the ERP system should be able to access the portal and cprojects.
How should I configure SSO in this case ?
Currently, the Portal UME is linked to the Netweaver ABAP stack. WE would need user authentification in the ERP system, but still I need the user to be also authenticated in the NW ABAP stack because cProjects is installed there. Do I need to configure CUA (central user administration) for this scenario ? Any other options ?
Your help on this topic is highly appreciated!
Johannes
09-19-2007 5:48 PM
Well, the usage of a Central User Administration (CUA) would ensure that the users (in the ABAP systems) have the same userID in the cProject and in the ERP system.
That is essential since SAP Logon Tickets (issued by the Portal) can contain only two "identities": an "ABAP userID" and an "EP user name". That implies that the "ABAP userID" is identical for all ABAP-based backend systems in the Portal landscape.
Regards, Wolfgang
09-19-2007 6:33 PM
Hi Wolfgang,
yes, this is my intentiion: the userID should be the same on both systems.
Still, I am not sure what to do, here my idea:
- activate CUA with ERP as central system
- distribute all userIDs to the child ABAP system
- link the portal UME to the ERP ABAP stack
- now authentication should be on the ERP ABAP stack, while the cProjects ABAP application on the netweaver should work with logon tickets
- hope that it works
Johannes
09-20-2007 8:54 AM
Well, you have mentioned that you are using a DualStack (NetWeaver Java: Portal, NetWeaver ABAP: cProjects). In that case it might make more sense to use the ABAP part of the DualStack as CUA master system.
Other than that, I agree with your idea.
09-20-2007 9:39 AM
Hi Wolfgang,
Yes I have a dual stack, but the authentication should happen in the ERP APAB stack, not in the NW ABAP stack - in this case the users can logon to the portal using their exisiting ERP credentials.
Actually I configured it as described above and it works now!
Only the CUA gave me some headaches, because it suddenly deleted all user roles in the ERP system, they were unrecoverable.
However, now it is ok.
Thanks for your messages!
Johannes
09-20-2007 10:19 AM
Of course, you can configure the UME (NW Java part of the DualStack) to use a different ABAP backend system as "user store". By default, it is using "its ABAP stack" - that's why I've recommended it (assuming that you have the free choice).
09-20-2007 9:39 AM