Authentication Using an LDAP Bind to a Directory Server

Purpose

With this PAS option, the user is authenticated using an LDAP bind to a directory server. The PAS verifies the LDAP bind and then issues the user a logon ticket for access to further SAP services. Note that in this case, you can alternatively store the user’s ID to use for the logon ticket in the directory server instead of using the user external ID mapping table in the SAP system.

Prerequisites

For the prerequisites for using an LDAP bind for PAS, see the following topics:

Process Flow

[Graphic: Using an LDAP Bind to a Directory Server for Authentication]

The process is as follows:

  1. The user accesses the PAS service for using the LDAP bind (for example, sapldap).
  2. The user provides his or her user ID and password for the directory server.
  3. The PAS attempts an LDAP bind on the directory server using the user's ID and password.
  4. If the LDAP bind was successful, then:
    1. If the user’s ID for the SAP system is stored in the directory, then the PAS passes this ID to the SAP system application server.
    2. Otherwise, it passes the user’s ID for the directory server to the SAP system application server. The SAP system then searches for a matching user ID in the user external ID mapping table.
  5. The PAS then creates a logon ticket for the user, which it sets in the user's Web browser.
  6. The PAS redirects the user to the designated service (for example, myservice).
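Steps 3 to 5 above, sketched as an added example (not SAP code and not part of the original documentation). The in-memory directory, the mapping table and all function names are hypothetical stand-ins. The empty-password check is an addition, made because a simple bind with an empty password is an unauthenticated bind under RFC 4513 and can return success without verifying anything.

```python
# Added illustration of steps 3-5; not SAP code. All names are hypothetical.
import hmac

# Constructed sample data standing in for the directory server and the
# SAP user external ID mapping table.
DIRECTORY = {
    "jdoe":   {"password": "s3cret!", "sap_id": "JDOE01"},  # SAP ID stored in directory
    "asmith": {"password": "hunter2", "sap_id": None},      # no SAP ID in directory
}
EXTID_MAPPING = {"asmith": "ASMITH"}


def ldap_simple_bind(user_id, password):
    """Stand-in for a directory server's simple bind.

    Models a server that permits unauthenticated binds (RFC 4513,
    section 5.1.2): an empty password yields "success".
    """
    if password == "":
        return True  # unauthenticated bind: no password was verified
    entry = DIRECTORY.get(user_id)
    if entry is None:
        return False
    return hmac.compare_digest(entry["password"].encode(), password.encode())


def authenticate(user_id, password):
    """Return the SAP user ID to put in the logon ticket, or None."""
    # Reject empty credentials before binding, so an unauthenticated
    # bind can never be mistaken for a verified password.
    if not user_id or not password:
        return None
    # Step 3: attempt the bind with the user's own credentials.
    if not ldap_simple_bind(user_id, password):
        return None
    # Step 4.1: prefer the SAP user ID stored in the directory entry.
    sap_id = DIRECTORY[user_id]["sap_id"]
    # Step 4.2: otherwise look up the directory ID in the mapping table.
    if sap_id is None:
        sap_id = EXTID_MAPPING.get(user_id)
    # Step 5 would issue the logon ticket for sap_id; no mapping, no ticket.
    return sap_id
```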

Result

The user accesses the SAP service after authenticating himself or herself using an LDAP bind on the directory server.

When the user accesses further SAP services, the logon ticket is used for Single Sign-On access.