
AD to SAP authentication and user management for SAPGUI & WebBrowser

Jul 25, 2017 at 12:18 PM

170

Former Member

Dear Folks,

I would like to seek your help to clarify an implementation for AD to SAP authentication and user management.

First of all, here is the landscape overview:

1. SuccessFactors on cloud

2. S/4 HANA on premise

3. Windows AD

The requirements are:

1. automate the creation of users in the S/4 HANA ABAP system (e.g. synchronize the user account from AD to SAP)

--> I think it can be done by setting up the LDAP connector within S/4 and a synchronization job, right?

2. synchronize the password of AD and SAP user account (most likely AD to SAP)

--> I did some research before and now also; it seems it is still not feasible, right?

3. allow users to log in to S/4 via SAPGUI by inputting AD user name & password

--> Feasible? How to do so, and what additional server/product/component is required?

4. allow users to log in to S/4 via Web Browser by inputting AD user name & password

--> it should work with MS ADFS + SAML configuration in S/4, right?

--> also can make use of Web Dispatcher to let users log in from the Internet, right?

Please kindly advise...many thanks!

Regards

Gary


3 Answers

Bartosz Jarkowski Jul 25, 2017 at 12:30 PM
0

1) Yes, you can synchronize the users using LDAP.

2) Syncing passwords may be challenging and honestly, I would not spend too much time on it.

3 and 4) Read about single sign-on solutions. If you are in a domain, you can configure SAP in such a way that it won't even ask for a password, but it will use the trust between the domain and the SAP system. Depending on your requirements you can use Kerberos, certificates or SAML (but the last one won't allow you to connect through SAP GUI).

Former Member

Thanks for the prompt response.

For Questions 3 & 4, actually the scenario is a bit special here in that we want to set it as a requirement that users must input their AD username and password to log in to the SAP system (not skipping this step).

And if it is feasible, it will eliminate the problem that we cannot synchronize the password of the AD and SAP user too, since users don't even need to be aware of their SAP user password.

I know that there is a product called SAP Single Sign-On 3.0 which may help. So is it the only option to achieve the above goal? It requires a license, I know.

0

Sorry, but I'm not aware of any solution that will fulfill your requirements. However, you can check out the following thread on SCN:

https://archive.sap.com/discussions/thread/1169459

Looks like there is a 3rd party add-on that can help you.

0
Former Member

Thanks... the most unclear question for me is Q3. I don't find any solution example for such a requirement.

0
Former Member Jul 27, 2017 at 02:08 AM
0

Does anyone know?

Regine Schimmer
Aug 02, 2017 at 07:58 AM
0

Hi Gary,

there are two products you should look into: SAP Identity Management and SAP Single Sign-On.

1. Take a look at the SAP Identity Management solution, which centralizes user management across SAP and non-SAP systems in your landscape: https://www.sap.com/community/topic/identity-management.html

2. Use SAP Single Sign-On. You can re-use your Windows logon to get SSO. Kerberos might be the best technology for you to look into: https://blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/

3. Yes, see previous answer

4. With SAP Single Sign-On

The Web Dispatcher can act as a reverse proxy and allows you to access on-premise systems from the Web, see https://wiki.wdf.sap.corp/wiki/download/attachments/841582500/WebDispatcherOverview-External.pdf?version=1&modificationDate=1448990975000&api=v2

Kind regards

Regine

Former Member

Dear Regine,

I understand SAP SSO can fulfill certain scenarios but I still wonder if it can really help in my case.

My requirement is that the user MUST input "Windows AD user name & password" to log in to the SAP system (by means of both browser (to support webgui/fiori) & SAP GUI).

I read much info and many demos about the SAP SSO product; they do not talk about this case exactly.

And I think you mentioned "re-use your Windows logon to get SSO" = when the user clicks on a logon entry in SAP GUI it will log on without any prompt for login/pw, am I right? If yes, it cannot help and meet my customer requirement.

May I ask for your help to confirm if the solution is available from SAP?

Thanks much for your help.

Regards

Gary

0