Skip to Content
author's profile photo Former Member
Former Member

SSO Doubts !! Help required

Hello everybody,

I have few doubts implementing SSO with EP. Let me first briefly explain our design approach.

We have 5 SAP boxes (R/3, APO, BW, Portal, K-pro) in our landscape and we want to have the functionality of SSO via EP and Active directory to access them.

I guess i have read all blogs on SDN and lot of SAP documentation for it and below is high level design based upon my understanding.

1. For internal users(employee) create there user ID in SAP-HR and push it into Active directory using LDAP connector.

2. Portal and Basis admin to setup the security for these users so that the user can access only those boxes and transaction which they are suppose to access.

3. User will login into EP and it will authenticate it against Active directory and issue login ticket.(if successful).

4. This ticket will be used to access other SAP boxes.

Now below are my doubts:

1. At what level i will control access of various SAP boxes (APO, BW, R/3, Kpro) for a user ID. Can i control it at Enterprise Portal User management or should i do it in Acive directory. eg: a given user should have access only to portal and R/3 boxes and not to other SAP boxes.

2. How to handle external users (Customers and vendors) in this architecture, should i create a user id for them in each SAP box to handle security or is there a work around.

For employee's i am creating HR master in SAP and then planning to use LDAP and use infotype PA0105 for linking employee master with User ID. And then use this user ID to control security/authorization in various systems.

Though not sure about external users.

3. Should i allow External users and Internal users to share same Network domain, i mean what is the best practice.

4, How does companies having multiple SAP boxes achieve SSO, is my appraoch correct or is there a batter or easier way.

Thanks in advance.



Add a comment
10|10000 characters needed characters exceeded

Related questions

1 Answer

  • author's profile photo Former Member
    Former Member
    Posted on Dec 24, 2004 at 05:56 PM

    Please don't take any of this as a recommendation. I don't know enough about your environment for that. But I can give you some options to consider:

    Question#1) There are lots of options there: administer the roles in the portal and push them out, or administer in the backends and pull them intot the portal. Also, have you considered using Central User Administration to administer the authorizations in the various SAP systems. You can also use the CUA server as an authentication source in EP6.

    #2) To avoid creating userIDs in each system, you could write a trusted portal application that makes RFC connections to the various systems. It would have the authorization to look at any external users data, but would only do so for the session's authenticated userID.

    #3) External users can access the internal network as long as you have ensured that you are not open to attack from the internet (e.g., without a good firewall a distributed denial of service attack could overload the internal network).

    #4) At a minimum you will probably want a central authentication source (whether LDAP or CUA) and use SAP logon tickets from there. Whether you centralize authorization administration is a separate question, and you may do one without the other. Maybe break it into stages?



    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.