SAP & Active Directory
André Fischer (andre.fischer@sap.com)
Project Manager CTSC
Michael Sambeth (michael.sambeth@sap.com)
NetWeaver Practice Unit Enterprise Portal
Agenda
- Introduction
- User Management
- Single Sign-On
- Conclusion
What the user wants …
Figure (user view): one logon at an access portal that opens all applications: ERP, CRM, Workflow, ESS, Groupware, Intranet, Internet, ...
What the administrator wants …
- Central user management: single point of administration; assign user rights in various applications with one keystroke; lock or delete users centrally
- Central user repository: avoid redundant user information
What are the prerequisites ?
Integrated cross-application user management
- Central storage of user information: group assignment, basic user data, application-specific user data
- Standard access protocol: interoperability, multi-vendor and platform support
Solution: LDAP
LDAP directories serve as the central repository for user master data. Access to this data is provided using the standardized Lightweight Directory Access Protocol (LDAP). Applications from multiple vendors and platforms can work as LDAP clients -> interoperability.
Authentication
What are the prerequisites ?
Single Sign-On (SSO)
- User authenticates once against a security system
- User is afterwards automatically authenticated when accessing other systems
- Authentication against external applications is transparent for the user
- The logon procedure for the initial authentication must be secure
Solution: SAP Logon Tickets, e.g. with SAP Enterprise Portal, SAP Web AS, ...
… and how can it be realized in a Microsoft environment!
SAP
- Enterprise Portal / Web AS can use LDAP directories as user repository (user persistence store)
- Enterprise Portal provides SSO to SAP and MS backend systems using SAP Logon Tickets
- SAP provides a directory interface for user management via LDAP
- mySAP HR can create / update users in LDAP directories
- SAP user data can be synchronized with user data in LDAP directories
Microsoft Active Directory
- Supports LDAP
- Active Directory is SAP certified (BC-USR-LDAP)
- Windows authentication can be used as external authentication for mySAP Enterprise Portal (SSO to EP)
The big picture
Figure (architecture diagram): Active Directory in the centre, providing SSO authentication. Around it: mySAP Systems with CUA, mySAP HR, a WebDynpro Java application with UME (Web AS Java), SAP Enterprise Portal with UME (Web AS Java), an SAP ISAPI filter, Microsoft-based applications and 3rd-party applications. Arrows to Active Directory: mySAP HR creates and modifies users; CUA synchronizes user data; the Java application and the Enterprise Portal use it as user repository. SSO arrows connect the portal and the Java application with the mySAP systems and the Microsoft-based and 3rd-party applications.
Agenda
- Introduction
- User Management
- Single Sign-On
- Conclusion
User Management (step 1)
Figure (user-management diagram, Active Directory in the centre):
- mySAP HR: create / modify directory users (user data flows from mySAP HR into Active Directory)
- Active Directory: assign groups and password
- SAP EP & SAP J2EE (SAP Enterprise Portal, WebDynpro Java application, UME on Web AS Java): use the directory as user repository for EP and Java users
- CUA (mySAP Systems): create / synchronize SAP ABAP users using the BC-LDAP-USR interface
Goal: create / modify users in the directory server automatically from employee data stored in mySAP HR
Reason: mySAP HR is the master system for (basic) employee data: first name, last name, employee number, manager, ...
Optimized administration of users: reduction in operational costs, correctness of data, speed of the process
Restriction: only export of data
User information in Active Directory
Attributes that can be provided by mySAP HR (example):
distinguishedName: CN=Andre Fischer,CN=Users,DC=MSCTSC,DC=SAP,DC=CORP
sn: Fischer
givenName: Andre
employeeNumber: 0123456
sAMAccountName: M0123456
userPrincipalName: andre.fischer@mstsc.sap.corp
…
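The HR-to-directory export sketched on the preceding slides, as an added example (this is not SAP's HR LDAP interface, nor any code from the presentation). It maps constructed mySAP HR records onto the attribute set shown above (distinguishedName, sn, givenName, employeeNumber, sAMAccountName, userPrincipalName) and serializes them as LDIF. The base DN and the UPN suffix are taken from the slide's example; the HR record layout, the "M" prefix for sAMAccountName, numeric employee numbers, the objectClass list and the first.last UPN rule are assumptions made for the example. The export is one-directional, matching the "only export of data" restriction: nothing is read back from the directory, and password and group assignment stay with the Active Directory administrator.

```python
"""Map mySAP HR employee records to Active Directory user entries (LDIF).

Added example, not SAP's HR-LDAP interface code. Attribute names follow the
slide; the HR record layout, the "M" prefix, numeric employee numbers, the
objectClass list and the UPN naming rule are constructed assumptions.
"""
import base64
import re
import unicodedata

BASE_DN = "DC=MSCTSC,DC=SAP,DC=CORP"       # from the slide's example DN
UPN_SUFFIX = "mstsc.sap.corp"              # from the slide's example UPN
SAM_PREFIX = "M"                           # assumption: sAMAccountName = "M" + employee number

_RDN_SPECIAL = set(',+"\\<>;')             # RFC 4514: must be escaped inside an RDN value
_SAM_ILLEGAL = set('"/\\[]:;|=,+*?<>')     # characters Active Directory rejects in sAMAccountName


def escape_rdn_value(value: str) -> str:
    """Escape a value for use in a relative distinguished name (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def validate_sam_account_name(sam: str) -> str:
    """Reject logon names AD would refuse: length 1..20, illegal characters, trailing '.'."""
    if not 1 <= len(sam) <= 20:
        raise ValueError(f"sAMAccountName must be 1..20 characters: {sam!r}")
    bad = sorted(_SAM_ILLEGAL & set(sam))
    if bad:
        raise ValueError(f"illegal characters in sAMAccountName {sam!r}: {bad}")
    if sam.endswith("."):
        raise ValueError(f"sAMAccountName must not end with '.': {sam!r}")
    return sam


def _ascii_fold(name: str) -> str:
    """Lower-case, strip accents and drop anything outside [a-z0-9.-] (UPN local part)."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode("ascii")
    return re.sub(r"[^a-z0-9.-]", "", folded.lower()).strip(".")


def hr_record_to_ad_entry(rec: dict, base_dn: str = BASE_DN,
                          sam_prefix: str = SAM_PREFIX, upn_suffix: str = UPN_SUFFIX) -> dict:
    """Build the AD attributes mySAP HR can supply for one employee.

    HR is the master system and the interface is export-only: nothing is read
    back from the directory; password and group assignment remain in AD.
    """
    first = rec["first_name"].strip()
    last = rec["last_name"].strip()
    emp_no = rec["employee_number"].strip()
    if not first or not last or not re.fullmatch(r"\d+", emp_no):  # assumption: numeric employee number
        raise ValueError(f"incomplete HR record: {rec!r}")
    cn = f"{first} {last}"
    return {
        "dn": f"CN={escape_rdn_value(cn)},CN=Users,{base_dn}",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": cn,
        "sn": last,
        "givenName": first,
        "employeeNumber": emp_no,
        "sAMAccountName": validate_sam_account_name(f"{sam_prefix}{emp_no}"),
        "userPrincipalName": f"{_ascii_fold(first)}.{_ascii_fold(last)}@{upn_suffix}",
    }


def _ldif_line(attr: str, value: str) -> str:
    """LDIF (RFC 2849) requires base64 for non-ASCII values or values starting with ' ', ':' or '<'."""
    if value.isascii() and value and value[0] not in " :<" and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(entry: dict) -> str:
    """Serialize one entry as an LDIF add record."""
    lines = [_ldif_line("dn", entry["dn"]), "changetype: add"]
    for attr, val in entry.items():
        if attr == "dn":
            continue
        for v in (val if isinstance(val, list) else [val]):
            lines.append(_ldif_line(attr, v))
    return "\n".join(lines) + "\n"


# Constructed sample HR records: a plain name, an accented name (UPN must be ASCII,
# LDIF value must be base64) and a surname containing a comma (DN escaping).
SAMPLE_HR_RECORDS = [
    {"first_name": "Andre", "last_name": "Fischer", "employee_number": "0123456"},
    {"first_name": "André", "last_name": "Müller", "employee_number": "0123457"},
    {"first_name": "Michael", "last_name": "Sambeth, Jr.", "employee_number": "0123458"},
]


def export_sample() -> str:
    """Export all sample records as one LDIF file (HR -> directory, one direction only)."""
    return "\n".join(to_ldif(hr_record_to_ad_entry(r)) for r in SAMPLE_HR_RECORDS)


if __name__ == "__main__":
    print(export_sample())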
Attributes that are provided by Active Directory and...