cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

EP User Mapping

former_member18193
Explorer

on ‎03-25-2008 10:53 PM

0 Kudos

Hi there

We are implementating SAP Biller direct via EP 7.0 Portal. External users will authenticate against Webseal and then authenticated to the portal using iv-user authntication scheme. External users authenticate with long name up to 20 characters. We need to map these long IDs to SAP Ids for SSO to work properly. We will be using one the LDAP attribute for the SAP user ID (User Principale name), however UserpricipalName content is suffixed with "@company.co" and we would like to know how we can customize the portal to ignore the suffix.Mainaining LDAP is outsourced activity and cleaning up LDAP at this point is not an option. We would like to know where we can make this type of customizing.

Please advise.

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

Former Member
‎03-27-2008 11:52 AM
0 Kudos

Hello Lisandro,

even if you stated that cleaning up LDAP is not an option I would still consider it. My to suggestions for you to check with the outsourcer of the LDAP directory:

1) Change the content of the attribute "UserPrincipalName". Of course this only works if no other applications are using it. However it would be an easy task to write a little script to do so.

2) Use a different attribute. It is very simple to populate a new attribute with a little script that takes the upn and only usees everything before the "@'". You could then reconfigrue SAP to use this new attribute. i think this is a very easy task!

best regards

Erich Vogel

Show replies
Show replies
tim_alsop
Active Contributor
‎03-27-2008 12:28 PM
0 Kudos

Hi,

Adding an extra attribute into AD schema is going to add an extra point of administration.

Also, it is possible to do what Laisandro wants without the SAP system needing to communicate with the domain, and mapping can be done locally on each SAP system without adding any additional administration overhead. Clearly, the fact there is no need to connect to AD every time a user logs on improves performance.

Thanks,

Tim

tim_alsop
Active Contributor
‎03-25-2008 11:06 PM
0 Kudos

Lisandro,

I found info on the Login Module provided by SAP at [this location in SAP help library|http://help.sap.com/saphelp_erp2005/helpdata/en/68/5ddc40132a8531e10000000a1550b0/content.htm]. It appears that there is not an option to remove the domain after the @ as I thought. I was thinking of the domain option which is supported, but this will not do what you need.

So, in conclusion - looks like you have to write your own or find a vendor who provides a replacement HTTP Header Login Module. I know one such vendor and you can find the details in the [SAP Software Solution Partner Catalog|http://preview.sap.com/catalog/details.jsp?id=R141&ref=%2Fcatalog%2Fresults.jsp%3Fq%3Dcybersafe%26x%3D197%26y%3D39%26q_cat%3D%26ss%3D1].

Thanks,

Tim

Show replies
Show replies
tim_alsop
Active Contributor
‎03-25-2008 11:00 PM
0 Kudos

Lisandro,

You need to check the configured options on the HeaderVariableLoginModule in your SAP J2EE Engine. You can do this using Visual Administrator and looking at the ticket stack in Security Provider servivce. I am not 100% sure, but I think there is an option to remove everything after the @ and use the part before the @ as the SAP user id. If not, then you have two options; (1) write your own HTTP header login module, or (2) find a commercial software vendor who can provide you with a supported HTTP header login module with the functionality you need.

Thanks,

Tim

Show replies
Show replies
Ask a Question