
SAP Single Sign-On help for different AD and SAP user

Former Member

Hi Experts,

We have to implement SSO for one of our customers where we have ECC, EP, BI & GRC systems. They are looking to achieve this using

  • Kerberos with SNC for AS-ABAP
  • Kerberos with SPNEGO for AS-JAVA

Also, the AD user and SAP user IDs are not the same.

So here are my queries:

1. As the users are not the same in SAP and AD, I have to set the CN name according to the AD user in SU01 of the respective SAP ID, but as I have around 1000 users, is there any way I can set it for all the users in one shot?

2. One risk I can see is that anyone who can edit the CN name of an SAP ID to their own Kerberos token ID would be able to access any user! Can this be avoided by any means?

3. Are there any other disadvantages associated with the above approach, with Kerberos for AS-ABAP and AS-JAVA and with different AD and SAP user IDs?

Thanks in Advance !!!

Regards,

Srikanth G

Accepted Solutions (1)

tim_alsop
Active Contributor

You can use transaction SNC1 to map users if the SAP user and AD user are the same. If not, I suggest you use a scripting tool such as eCATT.

The mapping is stored in a table called USRACL (maintained in the SNC tab in SU01). I believe you can limit access to this table so that only people who are allowed to change its contents can do so. This is something that an SAP authorization expert can help with.

If you use Kerberos for both systems, you will find it easier and can be sure the user is identified as the same user regardless of which system they log on to. For AS JAVA you need to consider mapping so that the user is mapped onto the same user that they are mapped onto when they log on to AS ABAP.

Answers (2)

Former Member

Hi,

Many thanks for the inputs.

For ABAP, I am thinking of writing an LSMW to update the CN for all the users; let me know your view.

However, I am a little concerned on the Java side: is there any other alternative in case the customer is not fine with the attribute creation in AD?

Regards,

Srikanth G

Chenyang
Contributor

Hi Srikanth,

In your case, I think you can create a custom attribute in AD, for instance named "SAPID", to store the SAP user ID in AD. For SPNego SSO to AS JAVA, you can choose to map this attribute instead of the standard "sAMAccountName" attribute.

For Kerberos SNC to AS ABAP, I guess it may need extra effort for the mapping. You can either map the users manually or find a tool to do the mapping.

Lastly, I don't think it would be a security issue for users to edit their SNC name in transaction SU01. Imagine you could also change someone else's password; isn't that a bigger issue you need to consider?

Best Regards

Chenyang Xiong
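As an added example that is not part of the thread, the Python below ties together Tim's point (the mapping lives in USRACL, fed via SU01 or a scripting tool such as eCATT/LSMW) and Chenyang's suggestion (a custom AD attribute holding the SAP user ID). It reads a constructed AD export carrying that attribute, generates the SNC name for each SAP user, and refuses two situations that the hijack concern in question 2 would produce: one SAP ID claimed by more than one AD account, and one SNC name attached to more than one SAP user in an existing USRACL export. Assumptions, all hypothetical for the example: the realm CORP.EXAMPLE.COM, the attribute name SAPID, the SNC name format p:CN=<sAMAccountName>@<REALM> used by Kerberos SNC with SAP NetWeaver Single Sign-On (third-party SNC products may use a different name format), and USRACL export columns BNAME (SAP user) and PNAME (SNC name). The sample data is constructed.

```python
"""Reconcile AD accounts with SAP user IDs and prepare SNC names for USRACL."""
import csv
import io
import re
from collections import defaultdict

# Kerberos realm the AD forest issues tickets for (assumed for this example).
AD_REALM = "CORP.EXAMPLE.COM"

# SNC name format for Kerberos SNC with SAP NetWeaver SSO (assumed here):
# p:CN=<AD sAMAccountName>@<REALM>. The realm is matched as the KDC spells it.
SNC_NAME_RE = re.compile(r"^p:CN=[A-Za-z0-9._-]+@[A-Z0-9.-]+$")

# Constructed AD export: sAMAccountName plus the custom "SAPID" attribute
# from the thread (hypothetical attribute name, not an AD default).
# "mallory" has set SAPID to ASMITH, which already belongs to "asmith".
AD_EXPORT_CSV = """sAMAccountName,SAPID
jdoe,JDOE01
asmith,ASMITH
bjones,BJONES
mallory,ASMITH
oldguy,ZZ_LEFT
"""

# Constructed list of SAP user IDs (in practice exported from the system).
SAP_USERS = ["JDOE01", "ASMITH", "BJONES", "CWHITE"]

# Constructed USRACL export (columns assumed: BNAME = SAP user, PNAME = SNC name).
# FI_ADMIN carries jdoe's principal, differing only in case: the question's risk.
USRACL_EXPORT_CSV = """BNAME,PNAME
JDOE01,p:CN=jdoe@CORP.EXAMPLE.COM
ASMITH,p:CN=asmith@CORP.EXAMPLE.COM
BJONES,p:CN=bjones@CORP.EXAMPLE.COM
FI_ADMIN,p:CN=JDOE@CORP.EXAMPLE.COM
"""


def snc_name(sam_account_name: str, realm: str = AD_REALM) -> str:
    """Build the p:CN= SNC name that goes into the SNC tab of SU01 (USRACL)."""
    name = f"p:CN={sam_account_name}@{realm}"
    if not SNC_NAME_RE.match(name):
        raise ValueError(f"invalid SNC name: {name!r}")
    return name


def build_mapping(ad_export_csv: str, sap_users: list, realm: str = AD_REALM) -> dict:
    """Return rows for the upload plus everything that must NOT be uploaded.

    rows      - (SAP user, SNC name) pairs, one SU01 change per SAP user
    unmapped  - SAP users with no AD account carrying their SAPID
    conflicts - SAP IDs claimed by two or more AD accounts (refuse: a second
                principal on an existing SAP ID would log on as that user)
    stale     - SAPID values in AD that match no SAP user
    """
    claims = defaultdict(list)
    for rec in csv.DictReader(io.StringIO(ad_export_csv)):
        sapid = rec["SAPID"].strip().upper()
        if sapid:
            claims[sapid].append(rec["sAMAccountName"].strip())

    sap_set = set(sap_users)
    rows, unmapped, conflicts = [], [], {}
    for sapid in sorted(sap_set):
        sams = claims.get(sapid, [])
        if not sams:
            unmapped.append(sapid)
        elif len(sams) > 1:
            conflicts[sapid] = sorted(sams)
        else:
            rows.append((sapid, snc_name(sams[0], realm)))
    stale = sorted(s for s in claims if s not in sap_set)
    return {"rows": rows, "unmapped": unmapped, "conflicts": conflicts, "stale": stale}


def find_shared_snc_names(usracl_csv: str) -> dict:
    """SNC names (case-folded) attached to more than one SAP user in USRACL."""
    by_name = defaultdict(list)
    for rec in csv.DictReader(io.StringIO(usracl_csv)):
        by_name[rec["PNAME"].strip().lower()].append(rec["BNAME"].strip())
    return {n: sorted(users) for n, users in by_name.items() if len(users) > 1}


def write_upload_file(rows) -> str:
    """Serialize the two-column CSV an LSMW/eCATT script would read."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["BNAME", "SNC_NAME"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    result = build_mapping(AD_EXPORT_CSV, SAP_USERS)
    print(write_upload_file(result["rows"]))
    print("unmapped SAP users:", result["unmapped"])
    print("conflicting SAPID claims (refuse):", result["conflicts"])
    print("SAPID values with no SAP user:", result["stale"])
    print("SNC names shared by several users:", find_shared_snc_names(USRACL_EXPORT_CSV))
```

Run the shared-name check against a fresh USRACL export on a schedule, not just once before the upload: it is the cheapest way to notice that someone has pointed another SAP user at their own principal after the initial mapping was done.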