Former Member

Single Sign On

Hello,

I want to implement an SSO solution between our Active Directory LDAP and Windows SAPGui connecting to a SAP R/3 system (hosted on a Windows 2003 platform).

Could you explain to me the simplest way to synchronize users' passwords? It means that SAP users will type the same password as the Windows one, and when users change their Windows password the changes will automatically be replicated on R/3.

Many thanks,


2 Answers

  • Former Member
    Sep 09, 2009 at 10:58 PM

    See if the following article and its PDF attachment answers your question:

    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/e676ec90-0201-0010-cfa3-90b7c1291903

    Thanks.


  • Former Member
    Sep 10, 2009 at 01:21 PM

    Thank you for your reply. But that doc seems to explain how to set up SSO on a WAS but not on an ABAP 4.6C. Do you think it's possible on SAP R/3?

    Regards


    • You stated:

      "Could you explain to me the simplest way to synchronize users' passwords? It means that SAP users will type the same password as the Windows one, and when users change their Windows password the changes will automatically be replicated on R/3."

      I believe you misunderstand how SSO works with the Windows SAPGUI. There is no password synchronization. When the user logs in to their Windows workstation (with their correct password), they will receive a Kerberos ticket from AD. This ticket is then presented to the SAP application server when using SAPGUI. If it is valid and the application server is set up correctly for SNC, AND if the user record in SAP is associated with the correct SNC Kerberos principal, then the user is either:

      Logged on immediately (without entering any password) if they are only valid in 1 client

      Given a popup box and asked to choose which client to log in to if they are valid in >1 client (again without entering a password) -- not having to enter the password again is of course the whole point to SSO.

      Part of setting up SSO will enable a new tab named SNC in SU01, and it is there that the SAP userid is associated with the Kerberos principal. I am sure if you search this forum there are many posts about setting up SNC SSO on Windows.

      Again, to the best of my knowledge there is NOTHING which will synchronize passwords between AD and SAP. There is an LDAP connector for SAP, but that is used to simply pre-populate the users in SAP if they already exist in AD with certain criteria. I believe SAP adds some schema information to AD to flag whether a user is also an SAP user, but that whole topic is not needed for SSO. In any case, since the AD passwords are one-way hashed, there would be no way to copy them into SAP with SAP's hashing mechanism.

      Brian
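
The logon decision described in the comment above, modelled as an added example that is not part of the original thread or SAP's own code. It assumes SNC names of the form `p:user@REALM` and exact, case-sensitive matching; the realm, users, client numbers and the `no_sso` outcome label are constructed for illustration.

```python
# Added example: models the SNC logon decision and a mapping audit.
# All users, the realm and the client numbers are constructed sample data.

REALM = "EXAMPLE.LOCAL"  # constructed AD realm

# Constructed rows: (SAP client, SAP user ID, SNC name from the SU01 SNC tab)
SNC_MAP = [
    ("100", "JSMITH", "p:jsmith@EXAMPLE.LOCAL"),
    ("200", "JSMITH", "p:jsmith@EXAMPLE.LOCAL"),
    ("100", "MDOE", "p:mdoe@EXAMPLE.LOCAL"),
    ("100", "KLEE", ""),                        # no SNC name maintained
    ("100", "RROSS", "p:rross@example.local"),  # realm case differs
]

def snc_name(principal):
    """Build the SNC name for a Kerberos principal (assumed 'p:user@REALM' form)."""
    return "p:" + principal

def logon_outcome(principal, snc_map=SNC_MAP):
    """Outcome for a user who already holds a valid ticket for `principal`."""
    wanted = snc_name(principal)
    # Assumption: the SNC name must match the stored value exactly.
    clients = sorted(c for c, _, name in snc_map if name == wanted)
    if not clients:
        return ("no_sso", [])            # no user record carries this SNC name
    if len(clients) == 1:
        return ("logged_on", clients)    # valid in one client: immediate logon
    return ("choose_client", clients)    # valid in several: client popup

def audit(snc_map=SNC_MAP, realm=REALM):
    """List user records that cannot take part in SSO, with the reason."""
    findings = []
    for client, user, name in snc_map:
        if not name:
            findings.append((client, user, "no SNC name"))
        elif not name.startswith("p:") or "@" not in name:
            findings.append((client, user, "malformed SNC name"))
        elif name.rsplit("@", 1)[1] != realm:
            findings.append((client, user, "realm mismatch"))
    return findings

if __name__ == "__main__":
    for p in ("jsmith@EXAMPLE.LOCAL", "mdoe@EXAMPLE.LOCAL", "klee@EXAMPLE.LOCAL"):
        print(p, logon_outcome(p))
    for finding in audit():
        print(finding)
```

No password appears anywhere in the model: the only link between the AD account and the SAP user record is the SNC name.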