05-11-2008 2:04 PM
Hello,
I wish to setup SPNEGO so users who logon to the microsoft network using active directory will be be able to perform a SSO to EP-7 with an ABAP UME. User name in ADS and ABAP is different.
I need some tips on how to approach this configuration. Documentation examples and maybe someone who can share with me his\hers experience in a similliar configuration.
Thanks
Boaz
05-12-2008 8:35 AM
Boaz,
This is not possible using the SAP supplied SPNEGO login module. Instead, you need to use a third-party, SAP certified login module that uses SPNEGO protocol, that has better support for mapping authenticated principal name of user onto a SAP user name. I work for a company that has such a product. It uses the same mapping information which is stored in ABAP engine and used for SAP GUI SNC-based authentication (administered via SU01 t-code). When a user authenticates via the J2EE login module, our product looks in this table (USRACL) on ABAP engine to find which SAP user to issue an SSO2 ticket for. If you also plan to implement SNC-based SSO for SAP GUI users, this means you can administer the mapping in one place (e.g. on ABAP engine).
Thanks,
Tim
05-16-2008 8:51 AM
Tim,
Actually there is a solution. Look in:
/people/holger.bruchelt/blog/2008/03/10/configuring-spnego-with-abap-datasource
Regards
Boaz