Our current portal landscape authenticates against an LDAP directory. We have also implemented user mapping within LDAP, since backend user IDs can be different than the portal login IDs. This is all working.
However, our landscape is changing (surprise!), and we may be adding a SharePoint portal at the front end. The SharePoint portal will authenticate against the domain controller, so will therefore be using Windows Integrated Authentication. Access to the SAP portal from SharePoint should be done seamlessly, so I have to determine how to implement SSO.
If we were starting with a clean slate, I would just configure the portal to use Kerberos authentication, and authenticate against the same domain as SharePoint - while not simple, this sort of configuration looks to be fairly straightforward. However, the landscape is already in place, so I have to work within the current constraints.
Do I have to change the UME data source for the portal to Active Directory to make this work? If I change from LDAP to Active Directory, I believe I have to reinstall the entire J2EE engine, since switching between these two data sources is not supported.
Or, is there a way to inject Kerberos authentication into the login stack, so it can co-exist with the other authentication? AD is currently being supplied user information from the LDAP repository (which is the master), so there should not be any difference between the user sets. However, the user mapping information is still required - if the user accesses the NW Portal from the SharePoint portal, would this user mapping information need to be migrated into the AD repository as well?
Some guidance would be appreciated.