Is it possible to do user mapping between AD group (LDAP) and ECC user using logon tickets?

0 Kudos

Hi all,

I'm investigating different options for single sign-on from the portal to our ECC system.

The requirements are as follows:

- We are using LDAP as data source for UME

- We would like a group of portal (LDAP) users to be connected to the same ECC user

- We would like to use user mapping, but not on user level (huge administration) but rather on AD group

- We would like to use logon tickets to achieve single sign-on to avoid administration and security issues with passwords

I've read a lot in the help pages and in this forum, but am still a bit confused.

Is this possible to achieve?

Any input is most welcome!

Thanks!

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

No it's not possible not to mention that it would be a license violation. There needs to be a 1-1 mapping between UME users and backend users. If the users aren't the same you have to enable User Mapping. Each user accessing the backend has to be licensed.

0 Kudos

I am aware of the licensing agreement, and there is no difference if we use a group account in ECC or individual account - each user accessing the back end has to be licensed, as you say.

This is a question about administration and user maintenance. We have a situation where users change organizational units quite often, and this is reflected in the AD group assignments. If we could map a user group to a user account in ECC we would save a lot of administration in ECC. It would then be sufficient to reassign the users to a different AD group and that would automatically reassign which user account in ECC the user is mapped to and what he/she could see and do in ECC.

"You can map either a user, group, or role to a user ID in a system connected to the portal." as you can read here: http://help.sap.com/saphelp_nw70ehp1/helpdata/en/f8/3b514ca29011d5bdeb006094191908/frameset.htm

Now, my question is really related to the combination of user mapping using groups and SSO with logon tickets. http://help.sap.com/saphelp_nw70ehp1/helpdata/en/89/6eb8e1af2f11d5993700508b6b8b11/frameset.htm

I think it will work, but this sentence on the same page as the link above makes me confused: "With reference systems, you cannot map groups or roles to a user in the reference system. You can only map a user to a user."

But if I only want to map to one back-end system I don't really need to set up a reference system, right?

Former Member
0 Kudos

Hi Emma,

Sorry for replying late. Please know that when you log into the SAP portal, the authentication process generating the MYSAPSSO2 cookie writes some info into it, viz: user info, issuing system, trusted system etc. So for ticket-based single sign-on to work you first need to enable trust between the systems (here, portal & backend (ECC)). This way you can SSO-enable multiple different backend systems (ECC, CRM etc.) sharing a common username without having to set the reference system per user. You don't even need to choose the reference system if you maintain the same user, so why worry about a huge administration overhead?

If you only need to maintain at LDAP level, then there must be some IdP (identity provider) that authenticates the different users and issues assertions to the backend system; here you don't need to have the same users as in LDAP (considering SAML 2 based SSO).

Maybe this can be of some help to your problem. Anyway, whatever conclusion you draw, please share your solution with SCN.

Regards,

Asad

0 Kudos

Hi Asad,

Thanks for your reply!

We have today already configured SSO between portal and ECC, so that part is taken care of. But today we have the same username in portal and ECC. In the future we would like a group of users to be mapped to one user in ECC.

I thought, as you said, that SSO would be possible without setting up a reference system. However, if I choose the logon method SAPLOGONTICKET I can't maintain user mapping for the system (the system is not visible in the drop-down in the tab "User mapping for system access"). If I change the logon method to UIDPW it becomes visible, but then I need to maintain both user name and password.

So it seems it is not possible to combine logon ticket with user mapping?

Any ideas?

Best Regards,

-Emma.

Former Member
0 Kudos

Have you given a system alias name when you created the system object in the portal? Give an alias name, then check.

Regards,

Asad

Former Member
0 Kudos

One more thing: since you have the same user in the portal and in ECC, even if you don't choose a reference system the SSO will work fine, provided you have configured the backend properly.

0 Kudos

Hi,

Yes, I have created an alias.

Regards,

-Emma.

0 Kudos

Hi again,

Yes, it works fine today, when the users have the same ID in portal and ECC.

My issues are when the user ID is not the same in portal and ECC (which will be the case if we want a group of users in portal to be mapped to a single user in ECC).

If I keep the logon method as SAPLOGONTICKET I can't maintain user mapping for the system.

Best Regards,

-Emma.

Former Member
0 Kudos

Hi Emma,

You may want to consider maintaining an extra attribute against your user records in the LDAP (e.g. SAPUser); you can use that attribute to map an AD user to the corresponding SAP user name. You then need to configure your UME to use that new attribute. This note describes how to configure the UME to use an LDAP attribute for SSO:

https://service.sap.com/sap/support/notes/777640

Hth,

Simon

0 Kudos

Hi Simon,

Thanks for your reply!

Yes, I've read about that and it seems quite straightforward. But I have a question about this: would this then work with SSO with logon tickets?

BR,

-Emma.

Former Member
0 Kudos

Hi Emma,

Yes it would. I have done it this way once for a customer and it worked well.

Hth,
Simon

0 Kudos

Hi Simon,

I've decided to go with your proposal, and it seems to work. However... we now have a new challenge.

I want to map an ECC user to an AD group via an attribute in the AD using class inheritance. I think this part will work. But a user can belong to two different AD groups with two different mapped ECC users, and we would like the user to choose which of the two users to log on with.

My thought now is to use a JAAS logon module. Is it possible to make such a module that hands over control to the user to make a choice and then continues its processing?

I know I'm being difficult... But challenges are fun, right?!

BR,

-Emma.
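The two mapping ideas discussed in this thread, Simon's per-user LDAP attribute and Emma's per-group attribute with a user choice when a portal user belongs to more than one mapped group, can be modelled as a small resolution step. The following is an added example (not code from the thread, from SAP, or from any UME or JAAS component); the directory records, the attribute name `sapUser` and the function names are constructed assumptions. It shows the edge case Emma raises: when several candidate ECC users exist, the login step must stop and ask, and whatever the user picks must be validated against the server-side candidate set rather than trusted as supplied.

```python
"""Resolve which backend (ECC) user a portal user may log on as, from
constructed LDAP-style records. Added example, not SAP/UME/JAAS code."""
from typing import Dict, List, Optional

# Constructed directory snapshot (assumption: a hypothetical 'sapUser'
# attribute exists on user and group entries). In a real deployment the
# values would come from the LDAP data source configured for the UME.
USERS: Dict[str, Dict[str, List[str]]] = {
    "emma": {"memberOf": ["cn=finance,ou=groups,dc=example,dc=com",
                          "cn=hr,ou=groups,dc=example,dc=com"]},
    "bob": {"memberOf": ["cn=finance,ou=groups,dc=example,dc=com"],
            "sapUser": ["BOBSAP"]},          # per-user attribute (Simon's idea)
    "carol": {"memberOf": ["cn=guests,ou=groups,dc=example,dc=com"]},
}
GROUPS: Dict[str, Dict[str, List[str]]] = {
    "cn=finance,ou=groups,dc=example,dc=com": {"sapUser": ["FIN_SHARED"]},
    "cn=hr,ou=groups,dc=example,dc=com": {"sapUser": ["HR_SHARED"]},
    "cn=guests,ou=groups,dc=example,dc=com": {},   # group without a mapping
}


class AmbiguousMappingError(Exception):
    """Raised when more than one ECC user is possible and no choice was made."""

    def __init__(self, candidates: List[str]) -> None:
        super().__init__(f"choose one of {candidates}")
        self.candidates = candidates


def candidate_ecc_users(portal_user: str) -> List[str]:
    """All ECC users a portal user may map to: their own attribute (if any)
    plus the attribute of every group they are a member of, deduplicated."""
    entry = USERS.get(portal_user)
    if entry is None:
        return []
    found = set(entry.get("sapUser", []))
    for group_dn in entry.get("memberOf", []):
        found.update(GROUPS.get(group_dn, {}).get("sapUser", []))
    return sorted(found)


def resolve_ecc_user(portal_user: str, choice: Optional[str] = None) -> str:
    """Pick the ECC user for this logon.

    - no candidates      -> LookupError (no mapping, logon must fail)
    - exactly one        -> returned without asking
    - several, no choice -> AmbiguousMappingError (a login module would
                            prompt the user here via a callback and retry)
    - several, a choice  -> accepted only if it is in the candidate set, so a
                            client-supplied value can never select a backend
                            user the directory does not grant
    """
    candidates = candidate_ecc_users(portal_user)
    if not candidates:
        raise LookupError(f"no ECC user mapped for {portal_user!r}")
    if len(candidates) == 1:
        return candidates[0]
    if choice is None:
        raise AmbiguousMappingError(candidates)
    if choice not in candidates:
        raise PermissionError(f"{choice!r} is not a mapped user for {portal_user!r}")
    return choice


if __name__ == "__main__":
    for user in ("bob", "carol", "emma"):
        try:
            print(user, "->", resolve_ecc_user(user))
        except AmbiguousMappingError as exc:
            print(user, "must choose one of", exc.candidates)
        except LookupError as exc:
            print(user, "cannot log on:", exc)
    print("emma chose ->", resolve_ecc_user("emma", "HR_SHARED"))
```

Note that bob, who carries a per-user attribute and is also in a mapped group, ends up with two candidates as well, which is exactly the situation where the logon cannot be silent. Whatever component performs this step (a JAAS login module or otherwise), the set of allowed backend users has to be computed from the directory on the server side and the user's pick checked against it.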

Former Member
0 Kudos

Hi Emma,

I think you are confused concerning SSO using SAP logon tickets. What I understand from your problem statement is that you have the same user in LDAP as in ECC. Please confirm this; you don't have to maintain at each user level in the portal, I'll explain.

Please confirm my point first.

Regards,

Asad

0 Kudos

Thanks for your reply!

No, we don't have the same user name in LDAP as in ECC. We would like a group of portal users (with the source LDAP) to be connected to the same ECC user.

-Emma.

Former Member
0 Kudos

What do you mean by the line "same ECC user"? Can you explain? Though SAML2 could have been a better choice.

Regards,

Asad

Former Member
0 Kudos

Dear Emma Johansson,

As per my knowledge in the SSO area, I believe this is not possible at group level.

You can go for SSO of user mapping without password.

0 Kudos

Thanks for your reply!

I don't really get what you mean with "SSO of user mapping without password" - could you please explain?