SSO Issue

Former Member

Hello,

I'm running ecc6 on AIX 5.3.

The workstations which connect to the SAP system through the SAP GUI are running Windows.

I would like to enable SSO (through SNC) to the SAP system. Can it be done with AIX? Does anyone have a guide?

What should I put in the kernel directory instead of the SSO DLL file?

Regards,

Moshe


tim_alsop
Active Contributor

Moshe,

You need to use a third party product, since SAP do not provide Kerberos GSS-API libraries for AIX. They are only provided for Windows. The best solution is to look at http://www.sap.com/eapcatalog and search for SNC Kerberos in the search box provided. Alternatively, search in SDN for SNC AIX Kerberos and you will find many other people asking the same question.

Regards,

Tim

Former Member

Moshe,

SAP supports a number of options to implement SNC - see http://help.sap.com/saphelp_nw04/helpdata/en/e6/56f466e99a11d1a5b00000e835363f/frameset.htm. Kerberos is only one of them. It is true that you should look at the SAP software solution catalog for a SAP-certified solution, but look for SNC in general - otherwise you don't get a complete picture.

The decision which solution fits you best should be based on your current and near-term requirements:

- What security needs do you have in addition to your SSO requirements?

- How flexibly should the solution be configurable (e.g. do you need to be able to trigger re-authentication from your application)?

- Do you want to use the same authentication technology also with SAP E-SOA based solutions?

From my experience, client certificates are the authentication mechanism that offers the broadest support in SAP environments: from SAPGUI / SNC to the E-SOA world. It can be easily combined with your Windows authentication infrastructure, and most importantly, it does not require you to set up a PKI.

Peter

Former Member

1. If I use a third party solution, will I require to set up a user in the SAP system, or can I use the user from the AD to log in to the SAP system?

2. I would also like to synchronize users from AD to the SAP system along with the SSO, so that I won't have to set up an AD user and a SAP user.

Is it possible?

Regards,

Moshe


Moshe,

The user is needed in SAP for authorisation/role/profile, but the user's password which is stored in the SAP user store is not used. Instead it is normal to deactivate the user's password in SAP so that only the AD password can be used via SNC authentication.

There is no need to sync users between AD and SAP, but if you want this you need to consider a user management tool, e.g. SAP IdM.

Hopefully it is clear that users are needed in both AD and in SAP, but passwords are only required for AD authentication and SAP passwords are no longer used. The SAP USRACL table is used to map an AD user onto a particular SAP user.

Thanks,

Tim


Hello Tim,

I understand that I need both AD and SAP users.

What I meant is: can I control the whole process from a single point/software?

For example - when I create a user in the AD it will synchronize it to the SAP system (I understand that I need to manage roles), but I want a central control - if I want to lock or delete the user, I will do it once and not in each system (if there are hundreds of users it will be very annoying to do it in more than one system).

Regards,

Moshe


You can set up an LDAP connection between SAP ABAP and AD, which you can use to sync user info between AD and SAP, e.g. address, phone number, department. This cannot be used to sync the password of a user though. Therefore, using this LDAP sync as well as SNC makes a good solution. I have worked with a few companies who have done this.

If you want to add a user to SAP with roles when you add the user to AD, then there needs to be a way to know what role to use when adding to SAP, and this is where an identity management product is required.

In summary, I think you need to use SNC for user authentication and network security between SAP GUI and SAP ABAP, and also consider an identity management product to help you with your requirements for central management of user admin.

Tim


Hi Tim,

If I create an LDAP connection between the CUA system and AD, all users created in AD will be synchronized to the CUA (according to a schedule which I decide).

My question is - if I lock or delete a user from the AD, will it be locked or deleted from the CUA when it is synchronized with the AD?

Regards,

Moshe


Moshe,

You need to configure the LDAP report which you run, so that the AD LDAP attribute which is set when a user is locked in AD is mapped onto the same attribute in the SAP user store. Then, when you lock an AD account the SAP user will be locked. However, I think you will find this will not be easy since AD sets binary bits in an attribute when an account is locked, so it won't be a simple comparison when your report is checking if the account is locked.

I don't believe you can (and it would not be sensible) delete a SAP user when you detect that the AD user is not present. Perhaps if your report detects that the user has been deleted, but they exist

Thanks,

Tim
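As an added illustration of Tim's point about the lock attribute being a bit field (example code, not from the thread or from SAP), this decodes the Active Directory `userAccountControl` flags bit by bit and derives a proposed lock/unlock action per user; the LDAP entries and the "users currently locked in SAP" set are constructed inputs, and how the SAP side is read or written is assumed to be handled elsewhere.

```python
# Added example, not code from the thread or from SAP. The LDAP entries below
# are constructed; each mimics an LDAP result as attribute -> list of strings.

# Documented userAccountControl flag bits (a subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}


def decode_uac(value):
    """Names of the flag bits set in a userAccountControl value (ascending bit order)."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def ad_account_blocked(entry):
    """Return (blocked, reason). A plain equality test on the raw attribute is
    wrong because other bits (e.g. DONT_EXPIRE_PASSWORD) vary per account."""
    uac = int(entry.get("userAccountControl", ["0"])[0])
    if uac & 0x0002:
        return True, "ACCOUNTDISABLE"
    # Lockout after failed logons is recorded in lockoutTime (a FILETIME),
    # not reliably in the stored LOCKOUT bit. 0 or absent means not locked out;
    # a stale non-zero value after the lockout duration has passed would need
    # a policy-aware check that is out of scope here.
    if int(entry.get("lockoutTime", ["0"])[0]) != 0:
        return True, "lockoutTime"
    return False, ""


def sync_actions(ad_entries, sap_locked_users):
    """Map sAMAccountName -> 'lock' | 'unlock' where the SAP lock state
    disagrees with AD. Deletion is deliberately never proposed. A real job
    should only 'unlock' locks it set itself, not administrator locks."""
    actions = {}
    for entry in ad_entries:
        uid = entry["sAMAccountName"][0]
        blocked, _ = ad_account_blocked(entry)
        if blocked and uid not in sap_locked_users:
            actions[uid] = "lock"
        elif not blocked and uid in sap_locked_users:
            actions[uid] = "unlock"
    return actions


# Constructed sample entries (not real accounts).
SAMPLE_AD = [
    {"sAMAccountName": ["alice"], "userAccountControl": ["512"]},    # 0x200 active
    {"sAMAccountName": ["bob"], "userAccountControl": ["514"]},      # 0x200|0x2 disabled
    {"sAMAccountName": ["carol"], "userAccountControl": ["66048"],   # 0x10200 pwd never expires
     "lockoutTime": ["132823456789012345"]},                        # locked out
]
```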

WolfgangJanzen
Product and Topic Expert

>

> Hello Tim,

> i understand that i need both AD and sap users.

> what i meant is can i control the whole process from a single point/sw

> for example - when i create a user in the AD it will synchronize it to the sap system (i understand that i need to manage roles) but i want a central control - if i want to lock or delete the user - i will do it once and not in each system (if there are hundreds of users it will be very annoying to do it in more then 1 system)

>

> Regards,

> Moshe

Maybe it also makes sense to cross-post your inquiry to the SAP NetWeaver Identity Management SDN forum.


> Wolfgang Janzen wrote:

> Maybe it also makes sense to cross-post your inquiry to the SAP NetWeaver Identity Management SDN forum.

Actually, the correct approach would be to move it to the IDM forum (please read the rules :-).

It would be really nice if we could mirror threads to other related or functionally connected forums, but that feature is not available (yet...).

Cheers,

Julius