on 02-24-2015 8:04 PM
Hi,
I already have CUA configured to synchronize users with my LDAP Server. I'd like to authenticate SAP users at my LDAP Server. I saw the note 793191 - FAQ: User master synchronization with LDAP directories, informing that it is not possible to synchronize the userPassword attribute. Is there a way to achieve LDAP Authentication? With Enterprise SSO is it possible?
Thank you.
Hi Bruno,
In your case, you perhaps need an Identity Management solution (rather than an SSO solution) to sync passwords among different applications, for instance SAP Identity Management (SAP IdM).
First of all you need to have an app to host all the user accounts. In your case, it should be Oracle LDAP.
Then when a user account is created on Oracle LDAP or a user changes their password on Oracle LDAP, this app should be able to catch this password and send it to IdM via API.
Next, IdM is able to send this password to all the systems it connects to, in your case, SAP ECC or Portal. SAP IdM is capable of provisioning productive passwords to SAP ABAP/Java and even Microsoft AD.
Best Regards
Chenyang Xiong
Hi Chenyang Xiong,
Password synchronization is not a supported feature for SAP ABAP application servers. Therefore SSO is the only choice when you want a central token to be used for authentication. For SAP Java server, you can authenticate against an LDAP server, so there neither SSO nor IDM would be required.
Regards,
Patrick
Hi Patrick,
Yes, however this is possible in IdM and it is a standard feature of SAP IdM.
Check this out.
There is one more about productive password provisioning.
It says:
To provision productive passwords to AS ABAP systems, see SAP Note 1575445.
Best Regards
Chenyang Xiong
Hi Chenyang Xiong,
Not everything technically feasible should be used for productive systems.
Please see Note 376856 for details. This states:
Passwords are essentially considered as a "secret between the user and the (one) system" and are dealt with accordingly.
and
The reason for the desire to keep passwords at an identical value in different systems might be the request for a single sign-on (SSO) mechanism.
Regards,
Patrick
OK. Thank you guys!
Yes, for Java you can set up UME for LDAP user auth, but for ABAP user auth with LDAP or Kerberos (e.g. Active Directory) you need to buy a product as that functionality is not free.
We are planning to add LDAP auth to our product. At the moment, it can just be used to authenticate using Active Directory password and RSA SecurID passcode.
SAP SSO may fit well here. With Secure Login Server, you get an easy on-the-fly conversion of your LDAP user credentials into X.509 certificates, which then allow SSO or login with session-wise re-authentication into ABAP and other PKI-aware apps (which is the majority). So you have both, Kerberos and X.509, with AD and LDAP. Plug it together as required by your respective use cases.
-- Stephan
Active Directory's passwords are not synchronized with OID yet, but will be.
Thank you.
It is easier to implement a solution where the user gets to enter their Active Directory password when they log on to an SAP system with SAP GUI or a Web browser. Using LDAP out of the box is only possible on NetWeaver JAVA systems. For ABAP systems (GUI or Web logon) you need to buy a product to allow AD auth to be possible, and without SSO.
That's correct.
Is LDAP Server = Active Directory?
Do you want to log on to your ABAP system using Active Directory credentials? If so, via GUI or web browser, or both GUI and web browser?
Thanks
Tim