LDAP integration with EP70 ABAP+Java

Former Member

We installed EP 70, based on the ABAP+Java scenario.

We did the installation using the UME default user store ABAP.

Now we want to implement SSO using Microsoft Active Directory. We read note 994791 about SPNEGO, but this note seems to refer only to SAP AS Java systems.

Nevertheless we are trying to apply it.

Anyway, although we configured the Kerberos features (as per the SDN weblogs) and the LDAP connection is successful, the J2EE engine cannot be started successfully.

Obviously all the users and roles are missing from the LDAP, and we need to clarify how to manage this.

Do we have to replicate all the previous ABAP user store elements into the LDAP?

Or do we have to do it in a different manner?

Regards

tim_alsop

Roberto,

As you know, the SPNEGO login module (as well as other login modules) is installed in the Java engine only, so you need a Java stack to support this kind of authentication. If you want to authenticate when logging onto ABAP applications via a browser, you need to use SSO2 tickets with HTTP redirection. E.g. the user opens the URL of an application on the ABAP stack; the configuration of this application is such that it redirects to the Java engine so that the custom login module authenticates the user, and then the Java engine redirects the user back to the original application URL, where the SSO2 ticket is accepted to determine who the user is.

Regarding roles: when you use SPNEGO you are only changing the "user authentication" to use Active Directory, not the authorisation/roles configuration. However, it is possible (not required) to sync user details with details in AD, e.g. name, address, phone number, and to use the AD user's group membership to set up roles for the user inside SAP, but this requires configuration of an LDAP connection between the SAP server and MS AD, and might also involve the use of an identity management product; it depends on what you want.

Thanks,

Tim

Former Member

Thanks for the feedback.

The problem is that we are supposed to authenticate the users against the J2EE stack, as this system is an EP portal, not the ABAP stack, and we want to implement SSO to the EP.

Practically, we would like that once the users have logged on to the network, they are authorized to go into EP70 without a further logon.

How can we do that?

The SSO should already be in place thanks to SPNEGO; in fact the EP logon page does not appear anymore.

But we receive errors due to missing roles.

Is there any way to map the EP roles/groups to the AD roles/groups?

Obviously we would like to avoid buying an identity management tool.

Regards

tim_alsop

Roberto,

It looks like you are already authenticating using SPNEGO, and the roles problem is not related to this. If you turn off SPNEGO and use BasicPasswordLoginModule instead, do you still get the same issue with missing roles?

It seems to me that you are using UME for authenticating to the Java engine (where EP is installed) and the users are not defined in UME. If you also use ABAP in your landscape, why don't you configure UME to use the ABAP user store? Then you can manage roles in the same place for both ABAP and Java logon.

Thanks,

Tim

Former Member

We have EP70 with ABAP+Java and we followed the suggestions on the blog, and it seems to be working, but I have some questions:

Please, what is the final advantage of using the SPNEGO wizard in an ABAP+Java scenario with an ABAP user store?

I mean, if we start from an ABAP+Java instance with an ABAP data source, and we are now aware that it cannot be changed, the logon to the EP is always done via users created and managed in the ABAP stack. That is also the case when using the SPNEGO wizard.

In the end we have to continue to create and manage users in the ABAP stack anyway.

We did some tests and it seems it is possible to log in to the EP only with users created on the ABAP side.

If we try to access it using a pure LDAP user, it cannot log on.

Did we make a mistake, or are we missing something?

tim_alsop

Roberto,

AFAIK you can only use one user store at a time in a particular J2EE engine, so if your users are defined in ABAP, these are the users who will be able to log on to SAP using SPNEGO.

If I understand correctly, you want to log on to Active Directory using a user account (e.g. roberto) and you don't have ROBERTO defined in the ABAP user store? If so, this is a mapping problem, since you need to map the externally authenticated Active Directory account name (roberto) onto a valid SAP user (e.g. RMARIANI). Is this correct?

Thanks,

Tim

Former Member

Hi,

Yes, I think you are right. We are using AD from Microsoft.

How should this mapping be done?

Bye

tim_alsop

If you are using the SAP supplied SPNEGO login module, I understand the mapping is only possible (but very difficult) if you are using an LDAP datasource. If you are using an ABAP datasource then mapping of AD account name onto SAP user is not a feature provided by this login module.

However, if you want to implement an SPNEGO login module and require mapping with ABAP datasource there is a SAP certified partner product which will do this. The product is called TrustBroker Adapter. You can find details at http://www.sap.com/eapcatalog if you search for CyberSafe using the keyword search provided.

Thanks,

Tim
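Editor's note: the two mapping steps this thread circles around, the AD account name onto an SAP user (Tim's last two replies) and AD group membership onto SAP roles (his first reply), are easier to reason about in code. The following is an added illustration written for this page; it is not SAP's SPNEGO login module, not the TrustBroker Adapter, and not code from any poster. The realm `CORP.EXAMPLE.COM`, the account names, the mapping tables and the role names are all constructed for the example.

```python
"""Hypothetical SPNEGO post-authentication mapping, written for this thread.

Not SAP's SPNEGO login module and not the TrustBroker Adapter: it only shows
the two mapping steps the thread discusses, (1) AD principal -> SAP user ID and
(2) AD group membership -> SAP roles, with the checks a login module should make.
"""
from dataclasses import dataclass

# Assumption: the Kerberos realm of the only AD forest we trust. A ticket from
# any other realm is rejected even if the account name happens to match.
TRUSTED_REALM = "CORP.EXAMPLE.COM"

# Constructed mapping table: AD sAMAccountName (case-insensitive) -> SAP user.
USER_MAP = {
    "roberto": "RMARIANI",
    "anna.rossi": "AROSSI",
}

# Constructed mapping table: AD security group -> SAP/UME roles.
GROUP_ROLE_MAP = {
    "EP-Users": ["eu_role"],
    "EP-Admins": ["eu_role", "Administrator"],
}


@dataclass(frozen=True)
class Principal:
    name: str   # account part, e.g. "roberto"
    realm: str  # Kerberos realm, e.g. "CORP.EXAMPLE.COM"


class MappingError(Exception):
    """Raised when the authenticated principal cannot be turned into an SAP user."""


def parse_principal(upn: str) -> Principal:
    """Split 'name@REALM' as delivered after SPNEGO/Kerberos authentication."""
    name, sep, realm = upn.partition("@")
    if not sep or not name or not realm or "@" in realm:
        raise MappingError(f"malformed principal {upn!r}")
    return Principal(name, realm)


def map_to_sap_user(upn: str) -> str:
    """AD principal -> SAP user ID; refuses unknown realms and unmapped accounts."""
    p = parse_principal(upn)
    # Realm comparison is exact and case-sensitive, as in Kerberos.
    if p.realm != TRUSTED_REALM:
        raise MappingError(f"untrusted realm {p.realm!r}")
    # sAMAccountName is case-insensitive in AD, so fold case for the lookup.
    sap_user = USER_MAP.get(p.name.lower())
    if sap_user is None:
        raise MappingError(f"no SAP user mapped for AD account {p.name!r}")
    return sap_user


def roles_for_groups(groups) -> list:
    """AD group membership -> ordered, de-duplicated list of SAP roles."""
    roles = []
    for group in groups:
        for role in GROUP_ROLE_MAP.get(group, ()):
            if role not in roles:
                roles.append(role)
    return roles


def authenticate(upn: str, groups) -> dict:
    """One logon decision: success carries the SAP user and roles, failure a reason.

    A principal with no mapped roles is refused here, which is the kind of
    'missing roles' failure the thread describes when authorisation data was
    never provisioned for an externally authenticated user.
    """
    try:
        sap_user = map_to_sap_user(upn)
    except MappingError as exc:
        return {"ok": False, "reason": str(exc)}
    roles = roles_for_groups(groups)
    if not roles:
        return {"ok": False, "reason": f"{sap_user} has no SAP roles"}
    return {"ok": True, "sap_user": sap_user, "roles": roles}


if __name__ == "__main__":
    for upn, groups in [
        ("roberto@CORP.EXAMPLE.COM", ["EP-Users"]),
        ("ROBERTO@CORP.EXAMPLE.COM", ["EP-Admins", "Domain Users"]),
        ("roberto@EVIL.EXAMPLE.COM", ["EP-Admins"]),
        ("anna.rossi@CORP.EXAMPLE.COM", ["Domain Users"]),
        ("guest@CORP.EXAMPLE.COM", ["EP-Users"]),
    ]:
        print(upn, "->", authenticate(upn, groups))
```

The realm check is the part worth copying: a login module that keys only on the account part of the principal will happily map `roberto@EVIL.EXAMPLE.COM` to RMARIANI if a trust or a misconfigured KDC ever lets such a ticket through. Case folding of the account name matches AD behaviour but must not be applied to the realm.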