on 08-13-2013 8:18 AM
Hi all,
I'm investigating different options for single sign-on from the portal to our ECC system.
The requirements are as follows:
- We are using LDAP as data source for UME
- We would like a group of portal (LDAP) users to be connected to the same ECC user
- We would like to use user mapping, but not on user level (huge administration) but rather on AD group
- We would like to use logon tickets to achieve single sign-on to avoid administration and security issues with passwords
I've read a lot in the help pages and in this forum, but am still a bit confused.
Is this possible to achieve?
Any input is most welcome!
Thanks!
No it's not possible not to mention that it would be a license violation. There needs to be a 1-1 mapping between UME users and backend users. If the users aren't the same you have to enable User Mapping. Each user accessing the backend has to be licensed.
I am aware of the licensing agreement, and there is no difference if we use a group account in ECC or individual account - each user accessing the back end has to be licensed, as you say.
This is a question about administration and user maintenance. We have a situation where users change organizational units quite often, and this is reflected in the AD group assignments. If we could map a user group to a user account in ECC we would save a lot of administration in ECC. It would then be sufficient to reassign the users to a different AD group and that would automatically reassign which user account in ECC the user is mapped to and what he/she could see and do in ECC.
"You can map either a user, group, or role to a user ID in a system connected to the portal." as you can read here: http://help.sap.com/saphelp_nw70ehp1/helpdata/en/f8/3b514ca29011d5bdeb006094191908/frameset.htm
Now, my question is really related to the combination of user mapping using groups and SSO with logon tickets. http://help.sap.com/saphelp_nw70ehp1/helpdata/en/89/6eb8e1af2f11d5993700508b6b8b11/frameset.htm
I think it will work, but this sentence on the same page as the link above makes me confused: "With reference systems, you cannot map groups or roles to a user in the reference system. You can only map a user to a user."
But if I only want to map to one back-end system I don't really need to set up a reference system, right?
Hi Emma,
Sorry for replying late. Please know that when you log into the SAP portal, the authentication process generating the MYSAPSSO2 cookie writes some info into it, viz: user info, issuing system, trusted system etc. So for ticket-based single sign-on to work you first need to enable trust between the systems (here, portal and backend (ECC)); this way you can SSO-enable multiple different backend systems (ECC, CRM etc.) sharing a common username without having to set the reference system per user. You don't even need to choose the reference system if you maintain the same user, so why worry about a huge administration overhead?
If you only need to maintain at LDAP level, then there must be some IDP (identity provider) that authenticates different users and issues assertions to the backend system; here you don't need to have the same users as in LDAP (considering SAML 2 based SSO).
Maybe this can be of any help to your problem. Anyway, whatever conclusion you draw, please share your solution with SCN.
Regards,
Asad
Hi Asad,
Thanks for your reply!
We have today already configured SSO between portal and ECC, so that part is taken care of. But today we have the same username in portal and ECC. In the future we would like a group of users to be mapped to one user in ECC.
I thought, as you said, that SSO would be possible without setting up a reference system. However - if I choose logon method SAPLOGONTICKET I can't maintain user mapping for the system (the system is not visible in the drop down in the tab "User mapping for system access"). If I change logon method to UIDPW it gets visible, but then I need to maintain both user name and password.
So it seems it is not possible to combine logon ticket with user mapping?
Any ideas?
Best Regards,
-Emma.
Hi again,
Yes, it works fine today, when the users have the same ID in portal and ECC.
My issues are when the user ID is not the same in portal and ECC (which will be the case if we want a group of users in portal to be mapped to a single user in ECC).
If I keep logon method as SAPLOGONTICKET I can't maintain user mapping for the system.
Best Regards,
-Emma.
Hi Emma,
You may want to consider maintaining an extra attribute against your user records in the LDAP (e.g. SAPUser); you can use that attribute to map an AD user to the corresponding SAP user name. You then need to configure your UME to use that new attribute. This note describes how to configure the UME to use an LDAP attribute for SSO:
https://service.sap.com/sap/support/notes/777640
Hth,
Simon
Hi Simon,
I've decided to go with your proposal, and it seems to work. However... We now have a new challenge.
I want to map an ECC user to an AD group via an attribute in the AD using class inheritance. I think this part will work. But - a user can belong to two different AD groups with two different mapped ECC users, and we would like the user to choose which of the two users to log on with.
My thought now is to use a JAAS logon module. Is it possible to make such a module that hands over the control to the user to make a choice and then continues its processing?
I know I'm being difficult... But challenges are fun, right?!
BR,
-Emma.
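Added illustration, not code from the thread or from SAP: a small resolver that walks nested AD group membership, reads a SAPUser attribute on the effective groups (Simon's suggestion above) and returns every distinct ECC user it finds, so a front end or logon module can present the choice Emma describes when a user sits in two groups with different mappings. The directory contents, group names and ECC user IDs below are constructed; the attribute name SAPUser and the dictionary shapes are assumptions.

```python
from dataclasses import dataclass

# Constructed sample directory (not real AD data).
# member_of: user -> direct groups; group_parents: group -> groups it is nested in
# (deliberately includes a cycle to show the traversal terminates);
# group_sap_user: value of the hypothetical SAPUser attribute on a group.
MEMBER_OF = {"emma": ["CN=Sales-SE"], "bob": ["CN=Sales-SE", "CN=Finance"], "carl": ["CN=Guests"]}
GROUP_PARENTS = {
    "CN=Sales-SE": ["CN=Sales"],
    "CN=Sales": ["CN=Sales-All"],
    "CN=Sales-All": ["CN=Sales"],   # circular nesting
    "CN=Finance": [],
    "CN=Guests": [],
}
GROUP_SAP_USER = {"CN=Sales": "ECC_SALES", "CN=Finance": "ECC_FIN"}


@dataclass
class MappingResult:
    user: str
    candidates: list  # distinct ECC user IDs found on the user's effective groups

    @property
    def status(self) -> str:
        if not self.candidates:
            return "unmapped"      # no group carries SAPUser: deny or fall back to same-ID SSO
        if len(self.candidates) == 1:
            return "mapped"        # exactly one ECC user: log on silently
        return "ambiguous"         # several ECC users: the user must choose


def effective_groups(user: str, member_of: dict, group_parents: dict) -> set:
    """Transitive closure of group membership, with cycle protection."""
    seen, stack = set(), list(member_of.get(user, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(group_parents.get(group, ()))
    return seen


def resolve_ecc_user(user: str, member_of=MEMBER_OF, group_parents=GROUP_PARENTS,
                     group_sap_user=GROUP_SAP_USER) -> MappingResult:
    """Collect the SAPUser values of every effective group; sorted for a stable choice list."""
    groups = effective_groups(user, member_of, group_parents)
    candidates = sorted({group_sap_user[g] for g in groups if g in group_sap_user})
    return MappingResult(user, candidates)


if __name__ == "__main__":
    for name in MEMBER_OF:
        r = resolve_ecc_user(name)
        print(f"{name}: {r.status} {r.candidates}")
```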
Hi Emma,
I think you are confused concerning SSO using SAPLogonticket. What I understand from your problem statement is that you have the same user in LDAP as in ECC. Please confirm this; you don't have to maintain at each user level in portal, I'll explain.
Please confirm my point first.
Regards,
Asad
Dear Emma Johansson,
As per my knowledge in SSO area, I believe this is not possible at group level.
You can go for SSO of user mapping without password.