Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Using two directory servers for User Management and Single Sign On

MarcelRabe
Advisor
Advisor
0 Kudos

Hi all,

I'm facing the scenario where a customer uses MS ADS for authentication of users but uses Novell eDirectory for Identity Management purposes. They want to connect eDir to a CUA system for ABAP role upload and user synchronisation and in addition use the groups and ou's in eDir to bind the users to Portal roles.

The users should access the Portal via SSO (so in my opinion ADS Kerberos authentication should be used) but all the additional info should be taken from the eDir (such as group memberships, ou's). So this is NOT the scenario for two LDAP servers as stated in help.sap.com

I know how to configure Kerberos SSO (via SPNego) but this means to modify dhe datasourceADS.xml file for the ADS, while all other details should be read from eDir.

Is it possible to configure the UME so it takes the Kerberos from ADS but all user related data from eDir, other than using IISProxy?

much obliged

Marcel Rabe

1 ACCEPTED SOLUTION

yonko_yonchev
Active Participant
0 Kudos

Hi Marcel,

Take a look at the information here:

http://help.sap.com/saphelp_nw2004s/helpdata/en/43/4c3725aeaf30b4e10000000a11466f/content.htm

For this UME configuration case you'll only need to modify a configuration XML for the eDir and you use one LDAP server (the eDir). You need to syncronize the user data in the ADS and the eDir, however. Also note that due to the syncronization requirement this is an advanced configuration case for enabling SPNego.

Hope this helps you.

Regards,

Yonko

3 REPLIES 3

yonko_yonchev
Active Participant
0 Kudos

Hi Marcel,

Take a look at the information here:

http://help.sap.com/saphelp_nw2004s/helpdata/en/43/4c3725aeaf30b4e10000000a11466f/content.htm

For this UME configuration case you'll only need to modify a configuration XML for the eDir and you use one LDAP server (the eDir). You need to syncronize the user data in the ADS and the eDir, however. Also note that due to the syncronization requirement this is an advanced configuration case for enabling SPNego.

Hope this helps you.

Regards,

Yonko

0 Kudos

Hi Yonko,

thanks. This is what I figured out also so far. I was hoping to do it without synchronizing but this seems inevitable.

I'm also still confused in regard to the status of IISProxy support in sapnote 886214. Is IISProxy really end-of-maintenance?

Cheers

Marcel

0 Kudos

Hi Marcel,

yes, the IISproxy support is phased out as of SP15, and replaced by the SPNego mechanisms for Kerberos authentication. Even if this wasn't the case, however, you'd still need a certain degree of syncronization between the directory for authentication and the UME data source.

You can still use an alternative reverse proxy and forward the user credentials in header variables from the proxy to the J2EE Engine (a case of Header Variable authentication). With SPNego you'll have end-to-end Kerberos though.

Regards,

Yonko