on 07-31-2008 10:07 AM
We installed EP 70, based on an ABAP+Java scenario.
We did the installation using the UME default userstore Abap.
Now we want to implement the SSO, using the Microsoft Active Directory. We read note 994791 about SPNego, but this note seems to refer only to SAP AS Java systems.
Nevertheless we are trying to apply it.
Anyway, although we configured the Kerberos features (as per the SDN weblogs) and the LDAP connection is successful, the J2EE cannot be started successfully.
Obviously all the users and roles are missing on the LDAP, and we need to clarify how to manage this.
Do we have to replicate into the LDAP all the previous ABAP userstore elements?
Or do we have to do it in a different manner?
regards
up please
Practically, we would like that the users, once they log on to the network, are authorized to go into the EP70 without a further logon.
How can we do that?
The SSO should be already in place thanks to the SPNEGO; in fact the EP logon page does not appear anymore.
But we receive errors due to missing roles.
Is there any way to map the EP roles/group to the AD roles/group?
Obviously we would like to avoid buying an Identity management tool.
regards
Hi Roberto,
I didn't understand your scenario completely enough to help you. Anyhow, if you want to implement SSO for end users to the ABAP engine, you can do this with the help of Kerberos or GSC API. If you want to configure SSO for end users to the J2EE/EP system, use Kerberos and update the key store (under services in the Visual Admin tool) accordingly. LDAP configuration is different and SSO configuration is different. If you connect UME to ADS (or any LDAP) you can centrally manage users. If you configure SSO, users can log on to the system without entering username / password. Download the PDF: https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/bc72b890-0201-0010-3a8d-e31e3e26...
In this PDF you may get the required configuration.
Thanks,
Kiran.
Roberto,
Our portal points to LDAP w/ read-only. We customized AD, added a few fields: saproles, sapgroups, etc. We synced R/3 users to LDAP (LDAPMAP, LDAP); SAP groups and roles are updated in the new custom fields in AD. Our AD folks wrote MIIS scripts to take the sapgroups to update the standard AD groups field, so in the portal, user and group matching is done. Portal roles are local and assigned to groups, so maintenance is just assigning portal roles to SAP groups. Hope this helps.
-RK
We have EP70 with ABAP+Java and we followed the suggestions on the blog
and it seems to be working, but I have some questions:
Please, what is the final advantage of using the SPNego Wizard in an
ABAP+Java scenario with an ABAP userstore?
I mean, if we start from an ABAP+Java instance with an ABAP datasource and
we are aware now that it cannot be changed, the logon to the EP is
always done via users created and managed in the ABAP stack.
That is also the case when using the SPNego wizard.
In the end we have to continue anyway to create and manage users in the
ABAP stack.
We did some tests and it seems it's possible to log in to the EP only with
users created on the ABAP side.
If we try to access using a pure LDAP user, it cannot log on.
Did we make a mistake or are we missing something?
Hi Roberto,
We both have the same problem. I followed this post, "Configuring SPNego with ABAP datasource -- Part 2" /people/holger.bruchelt/blog/2009/03/02/configuring-spnego-with-abap-datasource--part-2, but the J2EE is not running yet since the configuration above. Please tell us if you solved the problem.
Thanks
Carlos