Former Member

AD to SAP authentication and user management for SAPGUI & WebBrowser

Dear Folks,

I would like to seek your help to clarify an implementation for AD to SAP authentication and user management.

First of all, here is the landscape overview:

1. SuccessFactors on cloud

2. S/4 HANA on premise

3. Windows AD

The requirements are:

1. automate the creation of user in S/4 HANA ABAP system (e.g. synchronize the user account from AD to SAP)

--> I think it can be done by setup of LDAP connector within S/4 and a synchronize job, right?

2. synchronize the password of AD and SAP user account (most likely AD to SAP)

--> I did some research before and now also, seems it is still not feasible, right?

3. allow user to login S/4 via SAPGUI by inputting AD user name & password

--> Feasible? How to do so and what additional server/product/component required?

4. allow user to login S/4 via Web Browser by inputting AD user name & password

--> it should work with MS ADFS + SAML configuration in S/4, right?

--> also can make use of webdispatcher to let user to login from Internet, right?

Please kindly advise...many thanks!

Regards

Gary


3 Answers

  • Jul 25, 2017 at 12:30 PM

    1) Yes, you can synchronize the users using LDAP.

    2) Syncing password may be challenging and honestly, I would not spend too much time on it.

    3 and 4) Read about single sign-on solutions. If you are in a domain, you can configure SAP so that it won't even ask for a password, but will use the trust between the domain and the SAP system. Depending on your requirements you can use Kerberos, certificates or SAML (but the last one won't allow you to connect through SAP GUI).


  • Former Member
    Jul 27, 2017 at 02:08 AM

    Does anyone know?


  • Aug 02, 2017 at 07:58 AM

    Hi Gary,

    there are two products you should look into: SAP Identity Management and SAP Single Sign-On.

    1. Take a look at the SAP Identity Management solution, which centralizes user management across SAP and non-SAP systems in your landscape: https://www.sap.com/community/topic/identity-management.html

    2. Use SAP Single Sign-On. You can re-use your Windows logon to get SSO. Kerberos might be the best technology for you to look into: https://blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/

    3. Yes, see previous answer

    4. With SAP Single Sign-On

    The Web Dispatcher can act as a reverse proxy and allows you to access on-premise systems from the Web, see https://wiki.wdf.sap.corp/wiki/download/attachments/841582500/WebDispatcherOverview-External.pdf?version=1&modificationDate=1448990975000&api=v2

    Kind regards

    Regine


    • Former Member

      Dear Regine,

      I understand SAP SSO can fulfill certain scenarios but I still wonder if it can really help in my case.

      My requirement is that the user MUST input the "Windows AD user name & password" to log in to the SAP system (by means of both browser (to support webgui/fiori) & SAP GUI).

      I read a lot of info and demos about the SAP SSO product; they do not talk about this case exactly.

      And I think you mentioned "re-use your Windows logon to get SSO" = when the user clicks on a logon entry in SAP GUI it will log on without any prompt for login/pw, am I right? If yes, it cannot help and meet my customer requirement.

      May I ask for your help to confirm if the solution is available from SAP?

      Thanks much for your help.

      Regards

      Gary