
Kerberos - SSO btw Portal&R3 -combination of same & differing userids

Former Member
0 Kudos

Hello Experts,

Kerberos SSO is implemented between ADS and Portal with R3 in the landscape. As R3 was implemented earlier, for some users (around 1500 out of 8000 users), the R3 ids are already created and they are different from the ADS userids, and now they do not want to create new R3 ids the same as those of the ADS/Portal ids.

SSO between ADS and Portal is working fine, but for these specific users who have different userids on Portal and R3, SSO between Portal and R3 is not working. The JCos for data have SSO ticket as the security mechanism. Any idea how to approach this problem to enable SSO btw Portal and R3 with differing userids?

Your advice is highly appreciated.

Thanks.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Answered, selected the radio button for very helpful answer but blog shows that no points are selected

3 REPLIES

tim_alsop
Active Contributor
0 Kudos

Hi,

You need to add a mapping login module to your ticket auth stack in J2EE engine (using visual administrator tool). The mapping login module would determine the correct user id from the authenticated user id (the AD account name and realm) and then the CreateTicketLoginModule would be used to create the SSO2 ticket for the mapped user id instead of trying to use the AD user id.

The above mentioned mapping login module would need to be developed, or purchased from a SAP partner.

Also, if you are interested in SAP GUI SSO for R/3 users, e.g. using MS AD credentials - then you will have to configure mapping information in SAP ABAP USRACL table (maintained using su01 t-code). This table is then used by SAP ABAP when SNC authentication is used for GUI users logging on. You could take advantage of this mapping information when developing the JAAS mapping login module (mentioned above). In fact, there is a commercial product available that includes a mapping login module designed to read the USRACL table on ABAP system, and includes all the components you need to implement SSO as described here. Of course you could develop this yourself if you prefer instead of buying a product.

Thanks,

Tim
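
The mapping step described in the reply above, as an added example that is not part of the original post and not code from SAP or any partner product: a standard JAAS `LoginModule` that replaces the authenticated Kerberos principal with the mapped ABAP user id before a ticket-creating module runs, and rejects the login when no mapping exists. The class name, the shared-state key convention, the case normalization, and the in-memory sample table (standing in for a lookup of the ABAP-side mapping) are assumptions.

```java
import java.util.Locale;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical mapping module: Kerberos principal -> ABAP user id. */
public class PrincipalMappingLoginModule implements LoginModule {
    // Assumption: the preceding Kerberos module stores "user@REALM" under this
    // shared-state key and the ticket-creating module reads the same key.
    static final String NAME_KEY = "javax.security.auth.login.name";
    // Constructed sample rows standing in for a lookup of the ABAP-side mapping.
    static final Map<String, String> SAMPLE_MAP = Map.of(
        "jdoe@EXAMPLE.COM", "DOEJ01",
        "asmith@EXAMPLE.COM", "SMITHA");

    private Map<String, Object> shared;

    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.shared = (Map<String, Object>) sharedState;
    }

    @Override public boolean login() throws LoginException {
        Object name = shared.get(NAME_KEY);
        if (!(name instanceof String)) throw new FailedLoginException("no authenticated principal");
        shared.put(NAME_KEY, map((String) name));   // map() throws if unmapped
        return true;
    }

    /** Fail closed: an unmapped or malformed principal never falls back to the AD name. */
    static String map(String principal) throws FailedLoginException {
        int at = principal.lastIndexOf('@');
        if (at <= 0 || at == principal.length() - 1) throw new FailedLoginException("principal lacks realm");
        // Assumption: the account part compares case-insensitively, the realm is upper case.
        String key = principal.substring(0, at).toLowerCase(Locale.ROOT)
                   + "@" + principal.substring(at + 1).toUpperCase(Locale.ROOT);
        String sapUser = SAMPLE_MAP.get(key);
        if (sapUser == null) throw new FailedLoginException("no ABAP user mapped for " + key);
        return sapUser;
    }

    @Override public boolean commit() { return true; }
    @Override public boolean abort() { return true; }
    @Override public boolean logout() { return true; }
}
```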

0 Kudos

Hi,

I would strongly recommend going to the effort of aligning the 1500 AD and SAP user-ids. Either change the AD account or the SAP account. I have been through a similar exercise at 2 companies. In my opinion leaving the user with 2 user-ids will create an ongoing issue for you to manage into the future. For example, if you implement HCM, you would probably put the SAP user-id into Infotype 105. However, if HCM becomes the "leading" system for a SAP Identity management system then you will have added issues provisioning access to non-SAP systems. Alternatively, if your AD system is the leading system for SAP IdM, then you will have complications provisioning to SAP systems. Personally, I think it is worth the pain cleaning things up now. It is also important to have a corporate wide user-id naming standard with a single source for allocating user-ids for all your company's IT systems.

Regards,

Richard.