
Synchronize accounts and passwords with Azure Active Directory

May 31 at 03:14 PM


Hi,

With MS AD it is possible to synchronize user accounts and passwords with SAP (ABAP) systems, using 3rd-party tools for instance.

Is there also something possible with Azure AD, without using MS AD, i.e. a direct link between Azure AD and SAP?

Note that I'm not looking for SSO; the goal really is to get the same password into the ABAP UME.

Thanks

Marcel


Just because I'm curious - can you tell which 3rd party tool can sync the password between AD and SAP?

In my opinion this is a terrible idea. That's why you have products like SSO :)

Bartosz Jarkowski

I can see a situation in which SSO is not desired (maybe even forbidden by policy), in which case it may be desirable to enable an LDAP lookup for authentication; i.e. the user still has to enter a username and password to logon to SAP, but the check is against the LDAP (or Active Directory) to see if there's a match, rather than the ABAP UME. This would be better (and likely easier) than actually synchronizing the passwords between the two systems.


Excellent comment!

I agree that LDAP lookup for authentication is a reasonable choice. I think it was (still is?) even a part of SAP IM/SSO. I asked about the 3rd-party tool because I have never come across a solution that could retrieve passwords from AD. I still think that syncing passwords is a terrible idea :)

And author strictly said that the goal is to have same passwords in two places...


2 Answers

Best Answer
Barnabas Zoltan Paksi
Jun 03 at 07:53 AM

Dear Marcel,

I think I am aware of the scenario that you would like to initiate. I deem you would like to use Azure AD as a datasource for your ABAP or Java systems (it is not obvious to me from the description). As Azure AD is some kind of Microsoft AD and uses the LDAP protocol, it is probably possible. LDAP as a datasource is supported in AS Java and in a special way in AS ABAP (ABAP backend with LDAP synchronization). Both scenarios are described in the following SAP Help document:

https://help.sap.com/saphelp_nw73/helpdata/en/48/d1d13f7fb44c21e10000000a1550b0/content.htm?no_cache=true

Additionally, the following Note lists all of the certified directory services: 983808 - Certified LDAP servers

See the "This document refers to" part for MS Directory Services:

1016176 - UME configuration file for Microsoft ADAM
1168727 - LDAP Certification ABAP: Windows Server 2003 and 2008
1480838 - LDAP Certification ABAP: Windows Server 2008 R2
704895 - LDAP certification for Windows 2003 ADS and AD/AM

I deem that Azure AD always uses the latest MS AD, and since I am not sure that it is on Win Server 2008, I deem it is not supported. I have done some research and could not find any other supported directory service, e.g. for Win Server 2012.

For additional questions, see the following note:

2003135 - FAQ: LDAP Certification BC-LDAP-USR

By the way, you can use the "workaround" SSO, for which there are multiple scenarios to establish.

Best Regards,
Barnabás Paksi


Hi Barnabás,

thanks for your answer. Actually the goal was not to use the LDAP as a (ABAP) UME source; the goal really is to synchronize passwords. It doesn't make much sense to me, but this customer has implemented this for their landscape with the on-premise AD using a 3rd-party tool, and now they are moving towards Azure AD. Currently there is a sync between the two, but in the end only Azure AD remains. I was curious if someone was already using this. The 3rd-party tool is not (yet) Azure AD compliant.

Rgds

Marcel

Wolfgang Janzen
Jul 11 at 09:27 PM

Frankly speaking, I do not understand why you do not want to use a proper SSO solution (e.g. Kerberos: SPNego for HTTP clients and SNC for SAP GUI and RFC clients). Trying to keep passwords in sync is highly likely to fail, especially with regard to the different password policies.


Hi Wolfgang,

yes, of course that is the best route. This came from a specific customer request which I don't fully understand yet either. But I was surprised to find out that currently they are able to do this with the on-premise AD, so I was curious if this would also be possible with Azure AD.

Thanks
Marcel

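Wolfgang's point that password sync fails on the differing password policies, worked through as an added example that is not part of the thread above (stdlib Python, no SAP or Microsoft code). The DirectoryPolicy values imitate AD / Azure AD complexity rules (length window, three of four character classes, no account name or display-name token in the password); the AbapPolicy values are assumed settings for the ABAP profile parameters login/min_password_lng and the login/min_password_* family, plus the 40-character limit of newer ABAP releases. All policy values, the user and the candidate passwords are constructed assumptions, not any site's real configuration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryPolicy:
    """Assumed AD / Azure AD style rules: a length window, at least three of
    four character classes, and no account name or display-name token in the
    password. Values are illustrative, not a tenant's real settings."""
    min_length: int = 8
    max_length: int = 256
    classes_required: int = 3


@dataclass(frozen=True)
class AbapPolicy:
    """Assumed values for the ABAP profile parameters of the same names.
    max_length models the 40-character limit of newer ABAP releases."""
    min_password_lng: int = 8
    min_password_digits: int = 1
    min_password_letters: int = 1
    min_password_specials: int = 1
    min_password_uppercase: int = 0
    min_password_lowercase: int = 0
    max_length: int = 40


CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def directory_violations(password, account_name, display_name, policy=DirectoryPolicy()):
    """Reasons an AD / Azure AD style policy would reject the password."""
    reasons = []
    if not policy.min_length <= len(password) <= policy.max_length:
        reasons.append(f"length {len(password)} outside {policy.min_length}-{policy.max_length}")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < policy.classes_required:
        reasons.append(f"only {classes} of 4 character classes")
    lowered = password.lower()
    if account_name.lower() in lowered:
        reasons.append("contains account name")
    # AD-style check: display-name tokens longer than two characters may not appear.
    for token in re.split(r"[ ,.\-_#\t]+", display_name):
        if len(token) > 2 and token.lower() in lowered:
            reasons.append(f"contains display-name token {token!r}")
    return reasons


def abap_violations(password, policy=AbapPolicy()):
    """Reasons an ABAP system with the given profile values would reject it."""
    reasons = []
    if len(password) < policy.min_password_lng:
        reasons.append(f"login/min_password_lng: needs {policy.min_password_lng}, has {len(password)}")
    if len(password) > policy.max_length:
        reasons.append(f"length {len(password)} exceeds {policy.max_length}")
    counts = {
        "digits": sum(c.isdigit() for c in password),
        "letters": sum(c.isalpha() for c in password),
        "specials": sum(not c.isalnum() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
    }
    minimums = {
        "digits": policy.min_password_digits,
        "letters": policy.min_password_letters,
        "specials": policy.min_password_specials,
        "uppercase": policy.min_password_uppercase,
        "lowercase": policy.min_password_lowercase,
    }
    for kind, needed in minimums.items():
        if counts[kind] < needed:
            reasons.append(f"login/min_password_{kind}: needs {needed}, has {counts[kind]}")
    return reasons


def sync_outcome(password, account_name, display_name,
                 dir_policy=DirectoryPolicy(), abap_policy=AbapPolicy()):
    """Which side would refuse a 'same password everywhere' change."""
    return {
        "directory": directory_violations(password, account_name, display_name, dir_policy),
        "abap": abap_violations(password, abap_policy),
    }


# Constructed sample: one user and four candidate passwords.
SAMPLE_USER = ("marcel", "Marcel Example")
SAMPLE_PASSWORDS = [
    "Summer2024!",                                         # both sides accept
    "Sunshine2024",                                        # directory accepts, ABAP wants a special
    "Marcel#2024abc",                                      # ABAP accepts, directory sees the name
    "Correct horse battery staple 2024 fine passphrase",   # directory accepts, too long for ABAP
]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        out = sync_outcome(pw, *SAMPLE_USER)
        verdict = "both accept" if not (out["directory"] or out["abap"]) else "out of sync"
        print(f"{pw!r}: {verdict}")
        for side, reasons in out.items():
            for reason in reasons:
                print(f"    {side} rejects: {reason}")
```

Three of the four sample passwords are valid on exactly one side, so a user who changes their password in the directory would be left with a stale ABAP password (or the reverse) until someone notices. The policy mismatch is only the visible half of the problem: on-premises sync tools of this kind work by intercepting the password change on the domain controller, and Azure AD offers no equivalent hook to third parties, which is consistent with Bartosz's remark that he has never seen a tool that retrieves passwords from AD. An LDAP bind against the directory, or Kerberos SSO as Wolfgang suggests, avoids having to hold the same secret in two stores at all.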