
SSO and Windows Authentication

Former Member
0 Kudos
64

Hi,

I've configured my portal to authenticate against LDAP with NT Authentication. My SAP R3 system is based on employee number, for example (a field inside the ADS).

Is there a way to create a SAPLOGON Ticket with another attribute besides the Username? How can I configure the value transferred to the SAPLOGON Ticket?

thanks

Amit Yosha

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hi Amit,

you can configure the portal to add (exactly one!) second user ID to a user's SAP Logon Ticket (the portal's ID will always be present). For logon attempts to SAP systems, this ID will be used instead of the default ID.

This second ID will always be a user's logon ID of a designated SAP ABAP system (e.g. R/3), called the SAP reference system.

To do so, create (if not already done) an entry for the system in the system landscape editor (use template SAP_R3_Dedicated or SAP_R3_LoadBalanced, whatever applies to your environment). Be sure to set the attribute "R/3 reference system" to 1 and to set the user mapping type to "user". Also, don't forget to assign an alias for the system object.

Now users can map their portal user ID to the reference system's ID by selecting "personalize" --> "user mapping" and then choosing the reference system.

For more information, see also the portal's security guide, available on service.sap.com/securityguide.

Regards,

Dominik

Former Member
0 Kudos

Hi,

How can I add mapped username to logon ticket for non-SAP Web Application?

Thank you,

Yuri

Former Member
0 Kudos

Yuri,

I regret you can't. The ticket holds a maximum of two user IDs: One for the portal and non-SAP applications, the second one (if a reference system has been defined) for SAP servers.

Thus, if your non-SAP system uses IDs different from the portal ID, you will have to perform the mapping on your own in the backend system.

Regards,

Dominik

Former Member
0 Kudos

Hi Dominik,

"the mapping on your own in the backend system" means to extract portal's username from the logon ticket and to reset it to another (mapped) value for that application?

Thank you,

Yuri

Former Member
0 Kudos

Yuri,

it means that you will retrieve the user ID from the ticket and perform a lookup (using some custom coding) against a mapping table, say a database or an LDAP directory. You won't change the ticket itself because

a) you would need the issuing system's private keys for this

b) you would need a "ticket creation API" for this

c) this would cause the ticket to become invalid for the portal.

Hope I could make things clear regarding the user mapping.

Bye,

Dominik
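
The backend-side lookup described in the reply above, as an added example that is not part of the original thread or SAP's own code: the portal ID read from the ticket is mapped to the application's own ID through a table, and the ticket itself is never modified. The `user_mapping` table, the function names, the `ticket_verified` flag (standing in for the result of your ticket signature check, which is not shown) and all sample rows are assumptions constructed for illustration.

```python
import sqlite3


class MappingError(Exception):
    """The portal ID could not be mapped to exactly one backend ID."""


def build_sample_db():
    # Constructed sample data: portal logon ID -> backend ID (e.g. employee number).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_mapping ("
               "portal_id TEXT NOT NULL, backend_id TEXT NOT NULL, "
               "active INTEGER NOT NULL)")
    db.executemany("INSERT INTO user_mapping VALUES (?, ?, ?)", [
        ("ayosha", "00012345", 1),
        ("yuri", "00067890", 1),
        ("olduser", "00011111", 0),  # mapping revoked
        ("dup", "00022222", 1),
        ("dup", "00033333", 1),      # ambiguous: two active rows
    ])
    return db


def map_portal_user(db, ticket_verified, portal_id):
    """Return the backend ID for a portal ID taken from a verified ticket.

    ticket_verified is assumed to be the outcome of the signature and
    validity check done by your ticket verification component (not shown).
    """
    if not ticket_verified:
        # Never act on an ID from a ticket whose signature was not checked.
        raise MappingError("ticket not verified")
    if not isinstance(portal_id, str) or not portal_id.strip():
        raise MappingError("empty portal ID")
    # Assumption: portal logon IDs are case-insensitive and stored lowercase.
    key = portal_id.strip().lower()
    rows = db.execute(
        "SELECT backend_id FROM user_mapping "
        "WHERE portal_id = ? AND active = 1", (key,)).fetchall()
    if len(rows) != 1:
        # Fail closed: no fallback to the portal ID, no guessing between rows.
        raise MappingError("no unique active mapping for %r" % key)
    return rows[0][0]


if __name__ == "__main__":
    print(map_portal_user(build_sample_db(), True, "Yuri"))
```

A missing, revoked or ambiguous mapping raises `MappingError` rather than falling back to the portal ID, so an unmapped portal user never reaches the application under someone else's account.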