cancel
Showing results for 
Search instead for 
Did you mean: 

Password handling in FIORI with SSO - only change possible, no disable

Former Member
0 Kudos
1,079

Hi all,

is it possible to let the user decide what to do (change or disable) with his initial or expired password in Fiori, similar to the GUI with the parameter login/password_change_for_SSO=1?

We are aware of the other two not obstructive values for the above parameter 0 and 3 but neither is acceptable.

Another option would be the round trip to GUI for user which want to disable the pass, bit it is far from elegant and not always or not for all users possible.

I'm afraid, I know the answer, but let me know if I missed something.

Thank you

Robert

Accepted Solutions (1)

Accepted Solutions (1)

Colt
Active Contributor

Hey Robert,

here are my views on this. You wrote „We are aware of the other two not obstructive values for the above parameter 0 and 3 but neither is acceptable“ question is why?

I would never let the user decide whether to have a password or not. SSO and passwordless token-based AuthN should be the decision of the organization and part of the overall IAM strategy, SAP is just one of many applications that should follow this approach.

Handling of the authentication for internal and external users should be done via the Identity Provider. At the same time, it is still possible to use exceptions and allow password login for SAP GUI power users or developers/testers, etc.

I would rather recommend using SECPOLs and creating one e.g. ENDUSER_NO_PWD_LOGON with DISABLE_PASSWORD_LOGON = 1 and PASSWORD_CHANGE_FOR_SSO = 3. Target to disable PWDs for those users - they must use SSO and they must authenticate against a central managed system (the IdP/AD/Azure...)

In addition, create a second one SSO_EXCEPTIONS with DISABLE_PASSWORD_LOGON = 0 and PASSWORD_CHANGE_FOR_SSO = 1 and this way accept PWD management for those users (limited group - use case to be discussed/approved with IT Sec).

Also this depends on the SSO method used, in case of SAML I would no longer handle any PWDs in the SAP system, howevery besides ICF (Fiori) you may still have SAP GUI users on that system, so those settings make sense. And even with SAML you can still provide special access URLs that override ICF logon procedures if really required.

Hope that helps a bit

Cheers Carsten

Former Member
0 Kudos

Hello Carsten,

thank you for your time. So the answer is - not possible.

The rest is matter of taste.

"I would never let the user decide" - Well, I would also not let my underage kids decide e.g. if they go to school or not, but all our users are above 18.

SECPOL is useful, just it is not offering the same and is associated with more effort.

Regards Robert

Answers (0)