User Mapping
User mapping is used for Single Sign-On to a backend system. As the name implies, user mapping is used to map a portal user ID to the user ID and password of the backend system. You can manage the user mapping yourself, or you can enable the users to manage their own user mapping for the systems you define. User mapping supports the following authentication methods:
● SSO using user ID and password
This method always requires user mapping.
● SSO using SAP logon tickets to SAP Systems
This method only requires user mapping if users have different user IDs in the portal and ABAP-based systems. Passwords are not mapped. To access more than one ABAP backend system, you can define an SAP reference system. As long as all the ABAP backend systems use the same user ID, the user can access all the systems by mapping their portal user ID to the user ID on the SAP reference system.
A user's portal user ID and the SAP user ID are stored in the user's SAP logon ticket. When the user tries to access a component system, the system extracts the user ID from the logon ticket.

User mapping requires you to communicate user and password information between the portal and backend system at least once (during the configuration of user mapping). When possible, avoid user mapping by using the same user ID in the portal and backend ABAP systems and enable SSO with logon tickets. If you cannot avoid user mapping, be sure to configure the connection to the backend system to use SSL. For more information, see Communication with Backend Systems.
As another option, you can store the user ID for the ABAP backend system in your LDAP directory. Under some circumstances, you do not need to configure user mapping at all. For more information, see Using an LDAP Directory Attribute as the ABAP User ID.
● We recommend installing the full version of the SAP Java Cryptographic Toolkit on the SAP J2EE Engine. This toolkit enables you to store user mapping data with strong encryption. Without the toolkit, user mapping data is stored with weak encryption (Base64 encoding), which is not recommended for production systems.
For more information, see Using the SAP Java Cryptographic Toolkit for User Mapping.
● You must define User Mapping Type and (optionally) User Mapping Fields in the system properties of the systems for which you want to map user data. For details, see System Properties for User Mapping.
● You must define a system alias for a system, otherwise the system is not available for selection when the administrator or users configure user mapping.
● If you are performing user mapping for Single Sign-On with logon tickets to ABAP-based SAP systems, define an SAP reference system. See Defining an SAP Reference System for User Data.
● Either users or administrators can perform user mapping.
○ Users must always enter a password to validate their mapped user ID. This password is not stored, but is used to confirm that the user is entering a user ID with which he or she has access to the ABAP-based system.
○ Administrators can enter a password to validate their entries. The UME property ume.usermapping.admin.pwdprotection defines whether they must enter a password or not. By default they must enter one.
● You can map a user, group, or role to a user ID in a system connected to the portal.

With SAP reference systems, you cannot map groups or roles to a user in the SAP reference system. You can only map a user to a user.
If you map portal users to a single user in the backend system, do not map to a super user or administrative user. A malicious but otherwise legitimate user with an HTTP sniffer program could determine the user ID and password he or she is mapped to. If you must map to a single user, we recommend mapping to a guest user with the required rights. Do not map users to accounts whose user ID and password you would not want the portal users to see.
● When a user tries to access an iView that requires data from a connected system that does not support SAP logon tickets, the procedure is as follows:
a. The portal first checks whether the user has been mapped to a user for the corresponding system and if so, logs on with the mapped user data.
b. If not, then it checks whether the group that contains the user has been mapped to a user and if so, logs on with the mapped user data.
c. If not, then it checks whether any of the roles assigned to the user has been mapped and if so, logs on with the mapped user data.
d. If not, the iView will normally prompt the user to enter mapping data (the iView developer needs to program the iView accordingly).
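The lookup order above, combined with the earlier warning about mapping many portal users to one privileged backend account, as an added example (not SAP code; it uses no UME API). All user, group, role and account names are constructed, and checking a user's groups and roles in list order is an assumption.

```python
# Added example: models the page's lookup order (user, then group, then role)
# over a constructed mapping export. Not SAP code; no UME API is used.
from collections import defaultdict

# Constructed sample data for one backend system alias (hypothetical names).
USERS = {
    "alice": {"groups": ["finance"], "roles": ["reporting"]},
    "bob":   {"groups": ["finance"], "roles": []},
    "carol": {"groups": [],          "roles": ["reporting"]},
    "dave":  {"groups": [],          "roles": []},
}
MAPPINGS = {
    ("user", "alice"): "ALICE_ERP",
    ("group", "finance"): "FIN_ADMIN",
    ("role", "reporting"): "REPORT_GUEST",
}
# Backend accounts the reviewer treats as privileged (assumption for the audit).
PRIVILEGED = {"FIN_ADMIN"}


def resolve(user_id, users=USERS, mappings=MAPPINGS):
    """Return (backend_user, source) in user -> group -> role order, or
    (None, "prompt") when the iView would have to ask for mapping data."""
    if ("user", user_id) in mappings:
        return mappings[("user", user_id)], "user"
    # Assumption: groups and roles are tried in the order they are listed.
    for kind, key in (("group", "groups"), ("role", "roles")):
        for name in users[user_id][key]:
            if (kind, name) in mappings:
                return mappings[(kind, name)], f"{kind}:{name}"
    return None, "prompt"


def audit(users=USERS, mappings=MAPPINGS, privileged=PRIVILEGED):
    """Return privileged backend accounts that portal users reach through a
    group or role mapping, with the portal users who resolve to them."""
    shared = defaultdict(list)
    for user_id in sorted(users):
        backend, source = resolve(user_id, users, mappings)
        if backend and source != "user":
            shared[backend].append(user_id)
    return {acct: ids for acct, ids in shared.items() if acct in privileged}


if __name__ == "__main__":
    for u in sorted(USERS):
        print(u, resolve(u))
    print("privileged shared accounts:", audit())
```

In the sample data, alice's personal mapping takes precedence over her group's mapping, so only bob is reported as reaching the privileged account through the group.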
The following methods for entering mapping data are available:
● The portal administrator enters user mapping data for groups and roles when configuring the portal for use. See Mapping Users: Administrator Tool.
● The user enters his or her personal mapping data in the portal. See Mapping Users: User Enters Own Data.
● The user calls an iView that needs to connect to a component system. If there is no user mapping data stored yet, and the developer has programmed the iView accordingly, the user is redirected to the user mapping iView in order to enter his or her logon data for this system. After the user submits the data, the user mapping iView sends a redirect back to the calling application.
