cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

AD to SAP authentication and user management for SAPGUI & WebBrowser

former_member146669
Participant

on ‎07-25-2017 1:18 PM

0 Kudos

Dear Floks,

I would like to see your help to clarify an implementation for AD to SAP authentication and user management.

First of all, here is the landscape overview:

1. SuccessFactor on cloud

2. S/4 HANA premise

3. Windows AD

The requirements are:

1. automate the creation of user in S/4 HANA ABAP system (e.g. synchronize the user account from AD to SAP)

--> I think it can be done by setup of LDAP connector within S/4 and syhronize job, right?

2. synchronize the password of AD and SAP user account (most likely AD to SAP)

--> I did some research before and now also, seems it is still not feasible, right?

3. allow user to login S/4 via SAPGUI by inputting AD user name & password

--> Feasible? How to do so and what additional server/product/component required?

4. allow user to login S/4 via Web Browser by inputting AD user name & password

--> it should work with MS ADFS + SAML configuration in S/4, right?

--> also can make use of webdispatcher to let user to login from Internet, right?

Please kindly advise...many thanks!

Regards

Gary

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

RegineSchimmer
Product and Topic Expert
Product and Topic Expert
‎08-02-2017 8:58 AM
0 Kudos

Hi Gary,

there are two products you should look into: SAP Identity Management and SAP Single Sign-On.

1. Take a look at the SAP Identity Management solution, which centralizes user management across SAP and non-SAP systems in your landscape: https://www.sap.com/community/topic/identity-management.html

2. Use SAP Single Sign-On. You can re-use your Windows logon to get SSO. Kerberos might be the best technology for you to look into: https://blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/

3. Yes, see previous answer

4. With SAP Single Sign-On

The Web Dispatcher can act as a reverse proxy and allows you to access on-premise systems from the Web, see https://wiki.wdf.sap.corp/wiki/download/attachments/841582500/WebDispatcherOverview-External.pdf?ver...

Kind regards

Regine

Show replies
Show replies
former_member146669
Participant
‎08-14-2017 3:54 AM
0 Kudos

Dear Regine,

I understand SAP SSO can fullfill certain scenarios but I still wonder if it can really help in my case.

My requirement is user MUST inputting Windows AD user name & password" to login SAP system (by mean of both browser (to support webgui/fiori) & SAP GUI).

I read many info and demo about SAP SSO product, it do not talk about this case exactly.

And I think you mentioned "re-use your Windows logon to get SSO" = when user click on logon entry in SAP GUI it will logon without any prompt of login/pw, am I right? If yes, it cannot help and meet my customer requirment.

May I ask you help to confirm if the solution is available from SAP?

Thanks much for your help.

Regards

Gary

former_member146669
Participant
‎07-27-2017 3:08 AM
0 Kudos

Does anyone know?

Show replies
Show replies
BJarkowski
Active Contributor
‎07-25-2017 1:30 PM
0 Kudos

1) Yes, you can synchronize the users using LDAP.

2) Syncing password may be challenging and honestly, I would not spend too much time on it.

3 and 4) Read about single sign on solutions. If you are in a domain, you can configure SAP this way it won't even ask for a password, but it will use the trust between domain and SAP system. Depending on your requirements you can use Kerberos, certificates or SAML (but the las one won't allow you to connect through SAP GUI).

Show replies
Show replies
former_member146669
Participant
‎07-25-2017 1:51 PM
0 Kudos

Thanks guy for prompt response.

For Question 3 & 4, actually the scenario is a bit special here that we want to set it as a requirement for user must input their AD username and password to login SAP system (not skipping this step).

And if it is feasible, it will eliminate the problem that we cannot synchronize the password of AD and SAP user too since user dont even need to aware of their SAP user password.

I know that there is product called SAP Single Sign-On 3.0 which may help. So is it the only option to archive above goal? it require license i know.

BJarkowski
Active Contributor
‎07-25-2017 3:07 PM
0 Kudos

Sorry, but I'm not aware of any solution that will fulfill your requirements. However, you can check out following thread on SCN:

https://archive.sap.com/discussions/thread/1169459

Looks like there is a 3rd party add-on that can help you.

former_member146669
Participant
‎07-27-2017 3:10 AM
0 Kudos

thanks...the most unclear question for me is Q3..I dont find any solution example for such requirement..

Ask a Question