Former Member

Is SAP IDM able to work with 2 AD

Is SAP IDM able to work with 2 different ADs, of which one is Master and the second will be secondary, but truly different? And if yes, what will be the limitations? So can we provision business roles based on the Master AD, which through IDM can be managed to the secondary AD (totally different domains)?

Thank you

2 Answers

  • May 24, 2017 at 03:18 PM

    Hi Floriana,

    Yes it is. It's just a matter of setting up a repository for every AD system that you're looking to work with. Take a look at the documentation on the Provisioning Framework.

    Matt

  • May 26, 2017 at 10:50 AM

    Yes it's possible. We had four different domains which were trusted to each other. Now we reduced them down to two. Still works quite fine.

    However, one thing I found to be a bit problematic:

    If you want to provision group assignments cross-domain, the IdM wants to create a second user in the other domain. We don't want that. Thus, I had to suppress this. Now the cross-domain assignments are handled within a batch job and I also set the Only priv of the other domain hard in a ToIdentityStore with DIRECT_REFERENCE=1.

    If I understood correctly you have business roles with AD groups from both domains in them? Could even be a bit more tricky than my setup.
