on 10-25-2021 10:20 PM
Dear Experts,
On SAP IDM 8 SP08, NW 7.5 SP22, I've followed the Configuration Guide to configure the Password Reset feature, which works fine for the users in IDM JAVA UME. Then I followed the steps to connect an ABAP AS with CUA to IDM. The connection is OK, and I can see all the ABAP AS users under the Manage tab of the IdM UI.
To import ABAP AS users to IDM JAVA UME, IDM NW was added to IDM as an ASJavaDB repository, and the initial load was executed successfully. Manually assigning *idm.authenticated and *JAVA:ONLY privileges to some users under the Manage tab of the IdM UI pushed them to IDM JAVA UME, but without their passwords in ABAP AS.
Is it possible to import ABAP AS users with their current passwords enabled in IDM JAVA UME, so that users could log in to the IdM UI with their active passwords in ABAP AS, define password reset questions, and be able to reset their password, if needed?
Appreciate any hints, or links to some notes.
Kind Regards,
Yavuz
Hi Yavuz,
AFAIK this is not possible and from a security point of view it would be critical. Passwords must not be stored in reversible encrypted form. That's why you cannot import them from AS ABAP.
Also, you should keep that in mind when thinking about distributing productive passwords using SAP IdM. Please find details in SAP IdM Security Guide - Data Storage Security - Password Provisioning:
Regards,
Alex
Hi Yavuz,
if that is your goal - which I did not get in the first place... - you just have to change the UME Backend to ABAP DB. Details can be found here: Configuring the UME to Use an AS ABAP as Data Source
This is an issue of SAP NW AS Java and is called "Identity Management" as well, but it's not directly related to SAP IdM.
Regards,
Alex
Hi Yavuz,
actually there is a way to use your active ABAP passwords to authenticate to SAP IDM (e.g. SAP NW Java). The only thing you need to do is connect the local SAP NW Java UME to use ABAP as its identity store.
Then you would need some small adjustments to the initial load for the java repository and you are all set.
No need for initial passwords or anything leading to the fact that your users will have two different passwords in Java and ABAP.
BR,
Todor
Hi Alex and Todor,
It seems that the solution is to generate random passwords for each user (not sure if this is possible with the built-in functionality of IDM, or if custom development is needed) before importing them to JAVA UME, and then send the password for IDM UI login via a notification.
Kind Regards,
Yavuz
Hi Yavuz,
you could use a JavaScript with the internal function uGeneratePassword.
Regards,
Alex
Hi Alex,
I thought of switching the dataSource in UME as ABAP AS, which could work, as you've suggested, since CUA is active on the connected ABAP AS. For any ABAP AS not connected/authenticated through ABAP CUA, I guess I would still need the initial password set for users from other connected ABAP systems, as you suggested in your previous reply.
Kind Regards,
Yavuz
Hi Todor,
Thanks for your response.
Any links I can follow to configure the JAVA UME to act as the ABAP IDStore, as you've suggested?
Kind Regards,
Yavuz
Hi Alex,
I understand that, contrary to my expectation, importing users from ABAP AS to IDM JAVA UME while keeping the same password for the users is not technically possible for the password reset scenario of IDM. So, defining an initial password for users before importing them from ABAP AS to JAVA UME is a must.
Thank you for your kind response.
Kind Regards,
Yavuz