Skip to Content
avatar image
Former Member

SAP Single Sign-On help for different AD and SAP user

Hi Experts,

We have to implement SSO for one of our customers where we have ECC, EP, BI &GRC systems. They are looking to achieve this using

  • Kerberos with SNC for AS-ABAP
  • Kerberos with SPNEGO for AS-JAVA

Also the AD User and SAP User ID's are not the same.

So here's are my queries:

1. As the users are not the same in SAP and AD, I have to set the CN Name according to the AD User in SU01 of the respective SAP Id, but as I have around 1000 users is there any way that I can set it for all the users at one shot ?

2. One risk I could see is that if anyone who can edit the CN name of a SAP ID to his respective Kerberos Token ID, he would be able to access any user !!! so can this be avoided by any means ??

3. Are there any other disadvantages associated with the above approach with Kerberos for AS-ABAP and AS-JAVA and with different AD and SAP User ID's

Thanks in Advance !!!


Srikanth G

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

3 Answers

  • Best Answer
    Oct 13, 2014 at 06:39 PM

    You can use transaction SNC1 to map users, if the SAP user and AD user are same. if not, I suggest you use a scripting tool such as ECATT.

    The mapping is stored in a table called USRACL (maintained in SNC tab in su01). I believe you can limit access to this table so that only people who are allowed to change it's contents can do. This is something that an SAP authorization expert can help with.

    If you use Kerberos for both systems, you will find it easier and be sure the user is identified as the same user regardless of which system they logon to. For AS JAVA you need to consider mapping so that the user is mapped onto the same user that they are mapped onto when they logon to AS ABAP.

    Add comment
    10|10000 characters needed characters exceeded

  • Oct 13, 2014 at 09:55 PM

    Hi Srikanth,

    In your case, I think you can create a custom attribute in AD, for instance named "SAPID" to store SAP user ID in AD. For SPNego SSO to AS JAVA, you can choose to map this attribute instead of standard "SAMAccountName" attribute.

    For Kerberos SNC to AS ABAP, I guess it may need extra effort for the mapping. You can either map the user manually, or find a tool to do the mapping.

    At last I don't think it would be a security issue for users to edit their SNC name in transaction SU01. Imagine you can also change someone else's password, it is a bigger issue you need to consider? 😊

    Best Regards

    Chenyang Xiong

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 17, 2014 at 03:47 PM


    Many Thanks for the inputs..

    For ABAP thinking of writing an LSMW to update the CN for all the users, let me know your view.

    However little concerned on JAVA side, is there any other alternative in case customer is not fine with the attribute creation in AD ?


    Srikanth G

    Add comment
    10|10000 characters needed characters exceeded