Skip to Content
0

Synchronize accounts and passwords with Azure Active Directory

May 31 at 03:14 PM

80

avatar image

Hi,

with MS AD is it possible to synchronize user accounts and passwords with SAP (ABAP) systems using 3rd party tools for instance.

Is there also something possible with Azure AD, without using MS AD. So direct link between Azure AD and SAP.

Note that I'm not looking for SSO, it really is the goal to get the same password into the ABAP UME.

Thanks

Marcel

10 |10000 characters needed characters left characters exceeded

Just because I'm curious - can you tell which 3rd party tool can sync the password between AD and SAP?

In my opinion this is a terrible idea. That's why you have products like SSO :)

0
Bartosz Jarkowski

I can see a situation in which SSO is not desired (maybe even forbidden by policy), in which case it may be desirable to enable an LDAP lookup for authentication; i.e. the user still has to enter a username and password to logon to SAP, but the check is against the LDAP (or Active Directory) to see if there's a match, rather than the ABAP UME. This would be better (and likely easier) than actually synchronizing the passwords between the two systems.

0

Excellent comment!

I agree LDAP lookup for authentication is a reasonable choice. I think it was (still is?) even a part of SAP IM/SSO. I asked about the 3rd party tool because I have never came across a solution that could retrieve passwords from AD. I still think that syncing passwords is a terrible idea :)

And author strictly said that the goal is to have same passwords in two places...

1
* Please Login or Register to Answer, Follow or Comment.

2 Answers

Barnabas Zoltan Paksi
Jun 03 at 07:53 AM
0

Dear Marcel,


I think I am aware of the scenario that you would like to initiate. I deem you would like to use Azure AD as a datasource for your ABAP or Java systems (it is not obvious for me from the description. As Azure AD is a some kind of Microsoft AD and it uses LDAP protocol probably it is possible. LDAP as a datasource is supported in AS java and in a special way in AS ABAP (ABAP backend with LDAP synchronization). Both of the scenarios are described in the following SAP Help Document:


https://help.sap.com/saphelp_nw73/helpdata/en/48/d1d13f7fb44c21e10000000a1550b0/content.htm?no_cache=true


Additionally the Note describes all of the certified Directory Services: 983808 - Certified LDAP servers


See "This document refers to" part for MS Directory Services:


1016176 - UME configuration file for Microsoft ADAM
1168727 - LDAP Certification ABAP: Windows Server 2003 and 2008
1480838 - LDAP Certification ABAP: Windows Server 2008 R2
704895 - LDAP certification for Windows 2003 ADS and AD/AM


I deem the Azure Ad always uses the latest MS AD since I am not sure that it is on Win Server 2008, therefore I deem it is not supported. I have made a research and I could not find any other supported directory service e.g. for Win Server 2012.


For more information see note for additional questions:


2003135 - FAQ: LDAP Certification BC-LDAP-USR


By the way you can use the "workaround" SSO for which there are multiple scenarios to establish.


Best Regards,
Barnabás Paksi

Share
10 |10000 characters needed characters left characters exceeded
Wolfgang Janzen
Jul 11 at 09:27 PM
0

Frankly speaking I do not understand why you do not want to use a proper SSO solution (e.g. Kerberos: SPNego for http Clients and SNC for SAP GUI and RFC clients). Trying to keep passwords in synch is highly likely to fail - especially with regards to the different password policies.

Share
10 |10000 characters needed characters left characters exceeded