
SSO Doubts !! Help required

Former Member
0 Kudos

Hello everybody,

I have a few doubts about implementing SSO with EP. Let me first briefly explain our design approach.

We have 5 SAP boxes (R/3, APO, BW, Portal, K-pro) in our landscape and we want to have the functionality of SSO via EP and Active directory to access them.

I guess I have read all the blogs on SDN and a lot of SAP documentation on it, and below is the high-level design based upon my understanding.

1. For internal users (employees), create their user ID in SAP-HR and push it into Active Directory using the LDAP connector.

2. Portal and Basis admins set up the security for these users so that each user can access only those boxes and transactions which they are supposed to access.

3. The user will log in to EP, which will authenticate them against Active Directory and issue a logon ticket (if successful).

4. This ticket will be used to access other SAP boxes.

Now below are my doubts:

1. At what level will I control access to the various SAP boxes (APO, BW, R/3, Kpro) for a user ID? Can I control it in Enterprise Portal user management, or should I do it in Active Directory? E.g., a given user should have access only to the portal and R/3 boxes and not to the other SAP boxes.

2. How do I handle external users (customers and vendors) in this architecture? Should I create a user ID for them in each SAP box to handle security, or is there a workaround?

For employees I am creating the HR master in SAP and then planning to use LDAP, using infotype PA0105 to link the employee master with the user ID, and then use this user ID to control security/authorization in the various systems.

Though not sure about external users.

3. Should I allow external users and internal users to share the same network domain? I mean, what is the best practice?

4. How do companies having multiple SAP boxes achieve SSO? Is my approach correct, or is there a better or easier way?

Thanks in advance.

Regards,

Jeet

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Please don't take any of this as a recommendation. I don't know enough about your environment for that. But I can give you some options to consider:

Question #1) There are lots of options there: administer the roles in the portal and push them out, or administer in the backends and pull them into the portal. Also, have you considered using Central User Administration to administer the authorizations in the various SAP systems? You can also use the CUA server as an authentication source in EP6.

#2) To avoid creating user IDs in each system, you could write a trusted portal application that makes RFC connections to the various systems. It would have the authorization to look at any external user's data, but would only do so for the session's authenticated user ID.

#3) External users can access the internal network as long as you have ensured that you are not open to attack from the internet (e.g., without a good firewall a distributed denial of service attack could overload the internal network).

#4) At a minimum you will probably want a central authentication source (whether LDAP or CUA) and use SAP logon tickets from there. Whether you centralize authorization administration is a separate question, and you may do one without the other. Maybe break it into stages?

Regards,

Sean
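One shape the "trusted portal application" from answer #2 can take, as an added illustration that is not from this thread or from SAP: one technical user holds the broad backend authorization, while every backend call is scoped to the identity the portal authenticated, and a session whose user ID was altered after issue is refused. The backend data, session key and all names are constructed stand-ins.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed stand-in for backend data normally reached over RFC; not a real SAP API.
BACKEND_ORDERS = {"CUST001": ["4500001", "4500002"], "CUST002": ["4500009"]}

# Hypothetical portal-side key that binds a session token to its authenticated user.
SESSION_KEY = b"constructed-portal-session-key"


@dataclass(frozen=True)
class Session:
    user_id: str   # identity established by the portal's authentication source
    token: str     # HMAC over user_id; an edited or forged session fails verification


def issue_session(user_id: str) -> Session:
    """Called only after the portal has authenticated the external user."""
    tag = hmac.new(SESSION_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return Session(user_id, tag)


class TrustedPortalApp:
    """Runs as one technical backend user authorized for all external users' data.
    Each call is scoped to the session's verified user, never to a caller-supplied id."""

    def __init__(self) -> None:
        self.audit: list[tuple[str, str]] = []   # (end user, action): who used the technical user

    def _verify(self, session: Session) -> None:
        expected = hmac.new(SESSION_KEY, session.user_id.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, session.token):
            raise PermissionError("session token is not bound to this user")

    def get_orders(self, session: Session) -> list[str]:
        self._verify(session)
        # The data owner is taken from the verified session only.
        self.audit.append((session.user_id, "get_orders"))
        return list(BACKEND_ORDERS.get(session.user_id, []))


def tampered_session_rejected() -> bool:
    """Edge case: a session whose user_id was changed after issue must not reach backend data."""
    forged = Session("CUST002", issue_session("CUST001").token)
    try:
        TrustedPortalApp().get_orders(forged)
    except PermissionError:
        return True
    return False
```

The audit list is what a backend administrator would want to see in the logs: the technical user alone tells you nothing about which external user drove each RFC call.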