
Synchronize accounts and passwords with Azure Active Directory

Hi,

With MS AD it is possible to synchronize user accounts and passwords with SAP (ABAP) systems, using 3rd-party tools for instance.

Is something like this also possible with Azure AD, without using MS AD? So a direct link between Azure AD and SAP.

Note that I'm not looking for SSO, it really is the goal to get the same password into the ABAP UME.

Thanks

Marcel


  • Just because I'm curious - can you tell which 3rd party tool can sync the password between AD and SAP?

    In my opinion this is a terrible idea. That's why you have products like SSO :)

  • Matt Fraser Bartosz Jarkowski

    I can see a situation in which SSO is not desired (maybe even forbidden by policy), in which case it may be desirable to enable an LDAP lookup for authentication; i.e. the user still has to enter a username and password to logon to SAP, but the check is against the LDAP (or Active Directory) to see if there's a match, rather than the ABAP UME. This would be better (and likely easier) than actually synchronizing the passwords between the two systems.

  • Excellent comment!

    I agree LDAP lookup for authentication is a reasonable choice. I think it was (still is?) even a part of SAP IM/SSO. I asked about the 3rd-party tool because I have never come across a solution that could retrieve passwords from AD. I still think that syncing passwords is a terrible idea :)

    And the author strictly said that the goal is to have the same passwords in two places...


2 Answers

  • Best Answer
    Jun 03 at 07:53 AM

    Dear Marcel,

    I think I am aware of the scenario that you would like to initiate. I deem you would like to use Azure AD as a datasource for your ABAP or Java systems (it is not obvious to me from the description). As Azure AD is some kind of Microsoft AD and it uses the LDAP protocol, probably it is possible. LDAP as a datasource is supported in AS Java and in a special way in AS ABAP (ABAP backend with LDAP synchronization). Both of the scenarios are described in the following SAP Help document:

    https://help.sap.com/saphelp_nw73/helpdata/en/48/d1d13f7fb44c21e10000000a1550b0/content.htm?no_cache=true

    Additionally, the following Note describes all of the certified Directory Services: 983808 - Certified LDAP servers

    See the "This document refers to" part for MS Directory Services:

    1016176 - UME configuration file for Microsoft ADAM
    1168727 - LDAP Certification ABAP: Windows Server 2003 and 2008
    1480838 - LDAP Certification ABAP: Windows Server 2008 R2
    704895 - LDAP certification for Windows 2003 ADS and AD/AM

    I deem Azure AD always uses the latest MS AD; since I am not sure that it is on Win Server 2008, I deem it is not supported. I have done some research and I could not find any other supported directory service, e.g. for Win Server 2012.

    For additional questions, see the following FAQ note:

    2003135 - FAQ: LDAP Certification BC-LDAP-USR

    By the way, you can use the "workaround" SSO, for which there are multiple scenarios to establish.

    Best Regards,
    Barnabás Paksi


    • Hi Barnabás,

      thanks for your answer. Actually the goal was not to use the LDAP as an (ABAP) UME source; the goal really is to synchronize passwords. It doesn't make much sense to me, but this customer has implemented this for their landscape with the on-premise AD using a 3rd-party tool, and now they are moving towards Azure AD. Currently there is a synch between the two, but in the end only the Azure AD remains. I was curious if someone was already using this. The 3rd-party tool is not (yet) Azure AD compliant.

      Rgds

      Marcel

  • Jul 11 at 09:27 PM

    Frankly speaking I do not understand why you do not want to use a proper SSO solution (e.g. Kerberos: SPNego for http Clients and SNC for SAP GUI and RFC clients). Trying to keep passwords in synch is highly likely to fail - especially with regards to the different password policies.


    • Hi Wolfgang,

      yes, of course that is the best route. This came from a specific customer request which I don't fully understand yet either. But I was surprised to find out that currently they are able to do this with the on-premise AD, so I was curious if this would also be possible with Azure AD.

      Thanks
      Marcel
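
The second answer's point, that keeping passwords in sync breaks down as soon as the two systems enforce different password policies, is easy to see in code. The following is an added illustration and not code from this thread, from SAP or from Microsoft: it models a push-style sync (password set in AD, then pushed to the ABAP user store) against two constructed policies. The ABAP profile parameter names (`login/min_password_lng` and friends) are real, but every value here, the AD rule set (an approximation of the default domain policy with complexity enabled), the account name and the sample passwords are assumptions made for the example.

```python
"""Constructed model of a password sync failing on mismatched policies.
Not a real AD or SAP configuration; rules and values are illustrative."""
from __future__ import annotations

import string

# Real ABAP profile parameter names; the values are assumptions for this example.
ABAP_POLICY = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 1,
}
ABAP_MAX_LEN = 40  # AS ABAP passwords are at most 40 characters long


def check_abap(password: str, policy: dict = ABAP_POLICY) -> list[str]:
    """Return the ABAP rules the password violates (empty list = accepted)."""
    failures = []
    if len(password) < policy["login/min_password_lng"]:
        failures.append("abap: shorter than login/min_password_lng")
    if len(password) > ABAP_MAX_LEN:
        failures.append("abap: longer than 40 characters")
    digits = sum(c.isdigit() for c in password)
    letters = sum(c.isalpha() for c in password)
    # Assumption: a 'special' character is any ASCII punctuation character.
    specials = sum(c in string.punctuation for c in password)
    if digits < policy["login/min_password_digits"]:
        failures.append("abap: fewer digits than login/min_password_digits")
    if letters < policy["login/min_password_letters"]:
        failures.append("abap: fewer letters than login/min_password_letters")
    if specials < policy["login/min_password_specials"]:
        failures.append("abap: fewer specials than login/min_password_specials")
    return failures


def check_ad(password: str, sam_account_name: str, min_len: int = 7) -> list[str]:
    """Approximation of the AD default domain policy with complexity enabled:
    minimum length 7, at least three of four character classes, and the
    sAMAccountName (if 3+ characters) must not appear in the password."""
    failures = []
    if len(password) < min_len:
        failures.append("ad: shorter than minimum length")
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        failures.append("ad: fewer than three character classes")
    if len(sam_account_name) >= 3 and sam_account_name.lower() in password.lower():
        failures.append("ad: contains the account name")
    return failures


def simulate_sync(password: str, sam_account_name: str) -> dict:
    """Model the 'same password in both places' idea: the password is set in AD
    first and only pushed to ABAP if AD accepted it. 'in_sync' is True only when
    both stores end up holding the same password."""
    ad = check_ad(password, sam_account_name)
    if ad:
        return {"ad": ad, "abap": None, "in_sync": False}
    abap = check_abap(password)
    return {"ad": ad, "abap": abap, "in_sync": not abap}


if __name__ == "__main__":
    # Constructed account name and sample passwords.
    for pw in ["Summer2024", "Tr0ub4dor&3",
               "correct-horse-battery-staple-Tuesday-Number-7", "abc"]:
        print(pw, "->", simulate_sync(pw, "mhoffman"))
```

The interesting cases are the ones AD accepts and ABAP rejects: a password without a special character satisfies AD's "three of four classes" rule but not `login/min_password_specials`, and a long passphrase is fine for AD but exceeds the 40-character ABAP limit. In both cases the user's AD password changes while the ABAP one does not, which is exactly the silent drift the answer warns about; with an LDAP lookup or SSO there is only one password to check, so the question never arises.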