It seems to me this should have been in the Fiori Setup and Configuration documentation, but if so, I've not been able to find it. We're in the sandbox phase of setting up a Fiori Front-End Server as a hub deployment. The intent is to have this system run Fiori Launchpad (and relevant apps) and sit between our ECC backend and our Employee Portal.
But, how do we manage users in the FES system? Do we need to recreate all our ECC users there? At present, our Portal uses the ABAP backend as its UME, so we don't maintain separate users in the Java environment, and this setup works very well. Users log on to the Portal, and they consume data and so forth from ECC transparently. My hope was to simply insert the FES and have it become the main application that our Portal users consume.
But I haven't figured out how to have FES use the ECC as its UME similar to how the Portal does.
I've seen plenty of blogs, wikis, and discussions about setting up SSO -- that isn't the issue. So far, all of those discussions assume that the users exist in the FES as well as the ECC system (and/or Portal). One discussion talked about user auto-creation in ABAP systems, but it wasn't clear how user invalidations would be handled.
We do not have a license for NWSSO (nor are we likely to buy one anytime soon). We have not implemented IdM (though perhaps we will one day). We are in a Windows Active Directory environment, and I'm familiar with setting up SPNEGO to enable SSO for our Portal (we do not have SSO for SAPGUI users, because... see above about licensing), and I'm familiar with using logon tickets for pass-through authentication from the Portal to ECC.
We have approximately 8000 users, and we have a lot of turnover. Almost every day someone is being hired or terminated or transferred. So, I'd really prefer to keep them all in one place, which today is the ECC ABAP system.
We're in primarily a NetWeaver 7.5 environment: Portal on NW Java 7.5, ECC on EhP8 / NW ABAP 7.5, and so far the sandbox FES 4.0 on ABAP 7.52. Everything runs in a single Active Directory domain. Most users will be inside the firewall and using domain member machines. Someday we'd like to extend to mobile devices, but that's not the first priority.
So what are our options? Do we have to implement yet another system first to be the identity provider? Will that even solve the issue of not wanting to duplicate all those users, and all that constant user management? Or is this unavoidable? Can implementing SAML2 help with this, or is that only going to manage SSO and not user provisioning, or mapping, etc.? I haven't played with SAML2 yet.
Thanks, and cheers,