Former Member

sso & identity

Hi, I have read in some document that identity management helps to implement SSO.

How does identity help that implementation?

Does that mean that identity management is the central point to authenticate users? What happens with the initial Windows authentication?

Any orientation about SSO and identity is welcome.

Thanks in advance.

Regards.


7 Answers

  • Former Member
    Posted on Mar 26, 2008 at 03:04 PM

    Hello,

    For SSO implementation, you need 2 factors:

    1. A single trustworthy authentication authority.

    2. Correlation between the user's identity in all involved systems.

    IDM is mostly useful for the second requirement. It helps to ensure synchronization between the user's data in different systems.

    But IDM can answer the 1st requirement too. It is possible to use the Virtual Directory product as a central login service which will act as the first access point for all users.

    This is really on the tip of the needle.

    Eric


  • Posted on Mar 26, 2008 at 03:40 PM

    Optima,

    It appears from your question that you are interested in using Initial Windows Authentication for SSO purposes, e.g. using the Active Directory domain authentication which already occurs when the user logs onto their desktop?

    If the above is correct, then you can consider IdM as a tool to help you manage Active Directory accounts, and if you then use products to allow you to re-use the Active Directory credentials available on the workstation after domain logon, you can authenticate the user to SAP, giving an SSO experience to users, and providing a secure logon.

    Of course the IdM tool might need to help with provisioning so that when a user is given an account in AD they are also given an SAP user account, which can be configured at that time to map onto their AD account and realm (e.g. SNC name if using SNC-based authentication with SAP GUI). When they log on to a Windows workstation and then log on to SAP they will then be recognised as the correct user in the SAP system without having to re-authenticate, and if the IdM product allows, the respective SAP user which their AD user account is mapped onto can also be changed if required.

    I hope this is clear, but if you have any questions, please let me know.

    Thanks,

    Tim


  • Former Member
    Posted on Mar 26, 2008 at 10:09 PM

    Hi Gurus,

    I would like to ADD something here. The Authoritative Source for IDM should always be the HR system (in special cases it might not); ideally it should.

    The IDM system just takes care of consistency of identities in all the systems and applications. There are SSO applications which are not part of the domain and are third party. IDM can maintain the synced identities there as well, which in essence becomes a "One User" "One Password" scenario.

    It's all about what you want to do and how you want to CUSTOMIZE IDM connectors according to the business rules. I have seen scenarios where not all identities are coming from HR, like contractors or temp staff; you can have source repositories which can then be amalgamated with the existing identities in the IDM store.

    So in conclusion the IdM repository is not used for authentication but is used to keep a consistent, non-redundant environment for identities throughout the organization.

    Cheers!

    Dev


  • Former Member
    Posted on Mar 27, 2008 at 11:46 AM

    Hello everybody,

    I think it is important to clarify some terms. In general Identity Management covers various topics, e.g. user provisioning, role management, access management, authentication services, single sign-on, etc. Burton and Gartner list some 15 topics under the "IdM umbrella". However, most suppliers use "Identity and Access Management" as a synonym for their user provisioning solutions.

    It is also important to distinguish between user provisioning and single sign-on. User provisioning gives IT control over user identities in various systems and the related personnel data. It synchronizes data changes, automates account and access management processes and provides for compliance reporting.

    Single sign-on only covers the authentication process and therefore it has only one small interface to user provisioning, and that is the fact that one NEEDS an account to log on (automatically through SSO or manually!).

    One last comment: It is absolutely correct that HR should be the source for user provisioning processes. However, in our various projects we have always used a second authoritative source for all the non-employees who need accounts and access to xyz systems. In very rare cases, HR also takes over responsibility for externals.

    I hope this helps

    best regards

    Erich Vogel


  • Former Member
    Posted on Mar 27, 2008 at 09:28 PM

    Thanks Erich,

    You are correct that HR should be the AS but is not in some cases, exactly my point about contractors or temp staff in my comments above.

    Interestingly, I would like to share this with all of you: in one scenario my clients told me that they would love to consider the SAP Identity and Access Management "IDM" system to be authoritative for some temp staff that are not handled by any source (HR or otherwise). The temp staff is handled by the Helpdesk and is created in LDAP by a manual process; these identities are not known by any system other than the swipe card system (I could use the ID system as the source, but the clients did not prefer that).

    So I created a web workflow in SAP that created the user and used the same business rules to populate the IDstore, which then provisioned into all the connected systems. This scenario will always keep track of the temp identity; there was a tremendous amount of benefits (bidirectional flow) that could be reaped by HR, Financials or any other system that would like to use these identities.

    Cheers

    Dev


  • Former Member
    Posted on Mar 28, 2008 at 11:25 AM

    Hi, I am Optima with another user. I have some questions and doubts about your comments:

    Eric Labiner you say: "It is possible to use the Virtual Directory product as a central login service which will act as the first access point for all users."

    I have two doubts and questions about it:

    1. How do you make the Virtual Directory the central login service? What happens with the initial Windows authentication? Or do you think of a scenario with two authentication levels, one to enter the PC and the second in the Virtual Directory?

    2. At a customer we have a scenario with a central Active Directory for the global company and multiple distributed Active Directories for centers that are in different locations.

    The authentication in the centers (hotels) is with individual Active Directories that are inside. There is a periodic process of distribution of identities from the central Active Directory to the local ones. My question is, is it possible to replicate that scenario if we used identity as the central login service? As I understand it, we would have to have a central identity management and multiple local identity managements, like now with Active Directory.

    Tim, about your question "you are interested in using Initial Windows Authentication for SSO purposes, e.g. using the Active Directory domain authentication which already occurs when user logs onto their desktop ?"

    Yes, that is our purpose. But my doubt is: if we used that, is IdM able to authenticate the user with NTLM or something like that?

    Erich Vogel, you say IdM covers "authentication services, single sign-on". Could you explain more about it?

    Thanks to all, I think this discussion is very productive to clarify ideas.

    Best Regards.


    • > Tim, about your question "you are interested in using Initial Windows Authentication for SSO purposes, e.g. using the Active Directory domain authentication which already occurs when user logs onto their desktop ?"

      > Yes, that is our purpose. But my doubt is: if we used that, is IdM able to authenticate the user with NTLM or something like that?

      Jose,

      The IdM product/solution DOES NOT authenticate the user and provide SSO functionality. The SSO product/implementation does that, and the IdM solution is required for managing the identities used for SSO purposes. The IdM is used for management of user identities; this is what the "M" is for in the term "IdM".

      Your requirements for authenticating users to SAP with Active Directory are best satisfied using Kerberos. For logging on to SAP ABAP you need a Kerberos library that works with the SAP SNC interface, and for Web logon you need a solution which uses the Kerberos built into web browsers, aka SPNEGO/Negotiate protocol.

      My full time job involves working with SAP customers who want to use Active Directory / Kerberos for authentication/security. From your explanation, your requirements are no different to other companies I have worked with. Some of them use an IdM product as well, and others don't.

      Thanks,

      Tim
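The division of labour that Tim, Dev and Erich describe, as an added example in Python that is not code from this thread or from any SAP product: two authoritative sources (HR, plus a second one for contractors) are merged into one identity store, which drives AD and SAP account provisioning and the SAP user to SNC name mapping, while authentication itself stays with the Kerberos/SSO layer and never appears here. The records, the realm `CORP.EXAMPLE.COM` and the `p:CN=user@REALM` SNC name format are assumptions.

```python
# Added example, not code from the thread or any SAP product: a toy IdM
# reconciliation. It correlates identities across HR, a contractor source, AD
# and SAP and derives the SAP user -> SNC name mapping; it authenticates no one.
# Records, realm and SNC name format are constructed/assumed.

AD_REALM = "CORP.EXAMPLE.COM"  # assumed Kerberos realm of the AD domain

# Authoritative source 1: HR (employees). Constructed sample records.
HR_SOURCE = {
    "1001": {"uid": "jdoe", "type": "employee", "active": True},
    "1002": {"uid": "asmith", "type": "employee", "active": False},  # leaver
}
# Authoritative source 2: contractors/temp staff not handled by HR.
CONTRACTOR_SOURCE = {
    "C-77": {"uid": "bnguyen", "type": "contractor", "active": True},
}
AD_ACCOUNTS = {"jdoe", "asmith", "bnguyen", "oldtemp"}  # sAMAccountNames (constructed)
SAP_USERS = {"JDOE": "p:CN=jdoe@CORP.EXAMPLE.COM",      # SAP user -> SNC name
             "OLDTEMP": "p:CN=oldtemp@CORP.EXAMPLE.COM"}


def snc_name(uid, realm=AD_REALM):
    """SNC name SAP uses to map a Kerberos principal to a user (assumed format)."""
    return f"p:CN={uid}@{realm}"


def reconcile(hr, contractors, ad_accounts, sap_users):
    """Merge both sources into one identity store; return (store, actions)."""
    store = {}
    for source in (hr, contractors):
        for record_id, record in source.items():
            store[record["uid"]] = dict(record, source_id=record_id)
    actions = []
    for uid, record in sorted(store.items()):
        sap_id = uid.upper()
        if not record["active"]:          # leaver: disable everywhere
            if uid in ad_accounts:
                actions.append(("disable_ad", uid))
            if sap_id in sap_users:
                actions.append(("lock_sap", sap_id))
            continue
        if uid not in ad_accounts:        # joiner: AD account first, then SAP
            actions.append(("create_ad", uid))
        if sap_users.get(sap_id) != snc_name(uid):
            actions.append(("set_sap_snc", sap_id, snc_name(uid)))
    # Accounts no authoritative source knows about: the redundancy IdM removes.
    for uid in sorted(ad_accounts - set(store)):
        actions.append(("orphan_ad", uid))
    for sap_id in sorted(set(sap_users) - {u.upper() for u in store}):
        actions.append(("orphan_sap", sap_id))
    return store, actions
```

Running `reconcile(HR_SOURCE, CONTRACTOR_SOURCE, AD_ACCOUNTS, SAP_USERS)` disables the leaver, maps the contractor's SAP user to their Kerberos principal and reports the orphaned `oldtemp` accounts in both AD and SAP; it never touches a password or ticket.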

  • Former Member
    Posted on Mar 28, 2008 at 01:19 PM

    Lots of thanks Tim, now I have the terms very clear.

    Best Regards.
