BPC 5 integration with AD and single sign on

Former Member

Hi,

I'm wondering if someone is able to help me understand a little bit more about how the BPC product authenticates users. I noticed on an initial demonstration of the product that there seemed to be two places a user was authenticated:

a) when connecting to Web interface the user was seamlessly logged in (i.e. user information appeared in the Action Pane).

b) when accessing BPC for Office the user was prompted for user name and password.

I'm assuming the first login is being done by the IIS server due to the Integrated Windows Authentication being enabled on the IIS server (feel free to correct me if I'm wrong).

It's really the second layer of login that I am interested in understanding. I am assuming it is the BPC application itself which is prompting for the user / password combination and then takes this information and authenticates it against AD using NTLM/Kerberos? Can someone confirm if this is the case?

If so, is it possible to integrate these two components so the user is only authenticated once? Ideally I'd prefer to have the user prompted for username/password on initially accessing the web page and then not get prompted again. Is this possible?

Greatly appreciate your help.

regards

Stephen Moore

Accepted Solutions (1)

Former Member

Hi Stephen,

Yes, web authentication is done to IIS, and from Office, authentication is done against the Application Server directly (end user repository is AD as you said).

Unfortunately it is not possible to have this as a ‘single’ sign on.

The only other thing you can do is there is a “SOX compliance” checkbox in Server Manager. If you do not have this ticked, passwords will be ‘remembered’ so users don’t have to type them in again (but note that this is not SOX compliant, so you need to be cautious about it).

Regards,

Ryan

Answers (1)

Former Member

Also, see our Product Manager extraordinaire Laura DiTomasso's white paper on authentication within SAP BPC 5.x

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/8036032c-2e44-2a10-78a8-a252fcfd...

Cheers,

Prakash

Former Member

Hi Prakash,

Hoping you can just quickly confirm something for me. In the authentication document that you sent, it states that BPC uses SOAP to communicate between web and application layer, but then the firewall diagram states that there is SOAP communication being used between the client and application server.

Can you confirm if this is the case and, if so, does the SOAP communication use HTTPS or does it open its own communication?

thanks

Steve

Former Member

Steve,

BPC 5 can support either HTTP or HTTPS for the logon. The credentials are either taken from the user OS or, if an alternate ID is used, it is provided by the user at the time of BPC logon. A stub is created to call the application server. A SOAP request is made to the application server with the credentials. The application server is set to use IIS Windows authentication. If the authentication is denied, an HTTP 401 results.

Does this answer your question?

Best Regards,

Laura Di Tomasso

Former Member

Hi Laura,

Thanks for the reply. I was just trying to confirm that the only communication from the client to the Web/App tier is via HTTP/HTTPS. We are just concerned that SOAP is often clear text messages, which potentially raises a security concern for us.

thanks

regards

Steve