SSO with Active Directory user mapping

former_member84399
Participant

Hello all,

We want to implement SAP SSO 3.0 in our SAP landscape through Active Directory and Kerberos / SAPGUI and SAP Secure client. All our SAP servers are running on Unix.

We have a big number of users that have different user names in the AD and different in SAP. My understanding is that for the Kerberos token to be accepted from the SAP system, the usernames in AD and SAP must be identical. Is that correct?

What are my options for those users that have different names in AD and SAP? I read somewhere that we can use AD aliases for the users. However, the AD owners do not want to use aliases on AD and it is costly. Likewise, we would prefer not to have to manually change the users in SAP so that their username matches the one on AD. Are there any other options available for us?

Many thanks

Andreas

Accepted Solutions (1)

Colt
Active Contributor

Hi Andreas,

Your AD usernames must not match with the SAP usernames. That is quite normal and often the case.

If you use Kerberos you will always use the so-called implicit UPN, which is ALWAYS in the form of sAMAccountName@<AD-Domain-FQDN>. You just need to map this information in the user master --> SNC name (field pname) the table USRACL using e.g. SU01. The system uses a function from the SNC library in order to convert this string into ASN.1 canonical name format. Once you have done that, you are fine for SAP GUI via Secure Login Client (SNC/Kerberos) as well as SAP Web AS via Browser (TLS/SPNego).

Cheers, Carsten
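
The mapping described in the answer above, prepared in bulk, as an added example that is not part of the original thread or SAP's own code: it builds one SNC name per SAP user from the implicit UPN and holds back any AD account that would map to more than one SAP user. Assumptions: the `p:CN=` prefix, the upper-cased realm, the CSV column names and the domain `corp.example.com` are illustrative and must be checked against an entry that already works in your system.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: SAP user name beside the AD sAMAccountName.
SAMPLE_CSV = """sap_user,sam_account_name
AJONES,andreas.jones
MSMITH,m.smith
BATCH01,
KLEE,m.smith
"""

def snc_name(sam_account_name, ad_domain_fqdn):
    """Build an SNC name from the implicit UPN sAMAccountName@<AD-Domain-FQDN>.

    Assumption: 'p:CN=' prefix and upper-case realm. The value is compared
    case-sensitively, so verify the exact form before loading it.
    """
    sam = sam_account_name.strip()
    if not sam or any(c in sam for c in '@,= "'):
        raise ValueError(f"unusable sAMAccountName: {sam_account_name!r}")
    return f"p:CN={sam}@{ad_domain_fqdn.strip().upper()}"

def build_mapping(csv_text, ad_domain_fqdn):
    """Return (mapping, problems); mapping is SAP user -> SNC name."""
    mapping, problems = {}, []
    owners = defaultdict(list)  # AD identity (case-folded) -> SAP users
    for row in csv.DictReader(io.StringIO(csv_text)):
        sap_user = row["sap_user"].strip().upper()
        try:
            name = snc_name(row["sam_account_name"] or "", ad_domain_fqdn)
        except ValueError as exc:
            problems.append(f"{sap_user}: {exc}")
            continue
        owners[name.lower()].append(sap_user)
        mapping[sap_user] = name
    # One AD identity mapped to several SAP users is held back for review.
    for name, users in owners.items():
        if len(users) > 1:
            problems.append(f"{name} claimed by {', '.join(users)}")
            for user in users:
                mapping.pop(user, None)
    return mapping, problems

if __name__ == "__main__":
    ok, review = build_mapping(SAMPLE_CSV, "corp.example.com")
    for user, name in ok.items():
        print(user, name)
    for line in review:
        print("REVIEW:", line)
```
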

former_member84399
Participant

Hello Carsten,

Thank you very much for this, it was exactly what I wanted.

Regards

Andreas

Answers (0)