If you use an LDAP directory as the data source for user data, you can use this procedure to enable portal users to access back-end systems with Single Sign-On (SSO) with a different user ID. The user ID for the back-end system is stored in the LDAP directory as a user attribute. When the portal creates the ticket for SSO, it writes both the portal user ID and the mapped user ID into the ticket.
This configuration enables you to map users automatically. The UME simply reads the user ID for the back-end system directly out of the LDAP directory. Either the user ID for the back-end system was already in the LDAP directory, or you configured synchronization between the LDAP directory and an ABAP system. The synchronization process then enters the back-end user ID into the directory service.
The LDAP directory stores the back-end user IDs in unencrypted form. To prevent these IDs from being manipulated, you must make sure that no unauthorized users have write-access to the LDAP directory, in particular to the attribute containing the back-end user ID.
A malicious user could otherwise manipulate these IDs so that their ticket contains a different back-end user ID. This back-end user ID could have more extensive authorizations in the back-end system than the user should otherwise have.
For more information, see User Mapping and the Portal.
For more information, see Configuring Component Systems to Accept Portal Logon Tickets.
For the system to appear in the user mapping interface, you must have done the following:
The reference system needs a system alias for the system to appear in the mapping interface.
Changing the default system alias does not affect user mapping. However, if all system aliases are removed, user mapping is lost to that system, even if a new system alias is created with the same name as the previous default.
More Information:
Define the attribute mapping from the logical attribute REFERENCE_SYSTEM_USER to the physical attribute that actually stores the back-end user ID in your LDAP directory. By default, the logical attribute is mapped to sapusername.
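As an added check that is not part of this documentation: the script below reads the back-end user ID from the physical attribute that REFERENCE_SYSTEM_USER is mapped to (sapusername by default), the way the UME does, and flags back-end IDs claimed by more than one portal user, which is how a manipulated attribute in a writable directory would show up. The LDIF data and user names are constructed for the example.

```python
from collections import defaultdict

# Constructed LDIF sample (made-up users); 'mallory' claims ASMITH's back-end ID.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=users,dc=example,dc=com
uid: jdoe
sapusername: JDOE

dn: uid=asmith,ou=users,dc=example,dc=com
uid: asmith
sapusername: ASMITH

dn: uid=mallory,ou=users,dc=example,dc=com
uid: mallory
sapusername: ASMITH

dn: uid=newhire,ou=users,dc=example,dc=com
uid: newhire
"""

# Logical-to-physical attribute mapping, as configured for the UME data source.
ATTRIBUTE_MAPPING = {"REFERENCE_SYSTEM_USER": "sapusername"}

def parse_ldif(text):
    """Minimal LDIF parser: list of {attr: [values]}; no line folding or base64."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip()].append(value.strip())
        entries.append(dict(entry))
    return entries

def build_user_mapping(entries, mapping=ATTRIBUTE_MAPPING):
    """Portal uid -> back-end user ID, read from the physical attribute like the UME does."""
    physical = mapping["REFERENCE_SYSTEM_USER"]
    result = {}
    for entry in entries:
        uid = entry.get("uid", [None])[0]
        result[uid] = entry.get(physical, [None])[0]  # None: no mapping in the directory yet
    return result

def find_collisions(user_mapping):
    """Back-end IDs claimed by more than one portal user: a sign the attribute was tampered with."""
    owners = defaultdict(list)
    for uid, backend in user_mapping.items():
        if backend:
            owners[backend].append(uid)
    return {b: sorted(u) for b, u in owners.items() if len(u) > 1}
```

Run it against an export of the user subtree to confirm that every back-end ID is owned by exactly one portal user before granting write access to the attribute.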
Whether you configure the LDAP directory as read-only or read-write determines whether end users or administrators can maintain the user mapping information.
If the mapped user ID is stored in a read-only LDAP directory, the User field is disabled and cannot be modified.
For more information, see the following:
Set the UME property ume.usermapping.refsys.mapping.type as follows:
ume.usermapping.refsys.mapping.type=attribute
For more information, see Editing UME Properties.
For more information, see Configuring the UME to Use an LDAP Directory as Data Source.
For more information, see the following:
In the User Management category, set Logon Method to SAPLOGONTICKET.
For more information, see Configuring User Management.
The following options for mapping users exist:
The options available to you for mapping users manually are dependent on the values you entered for the system for User Mapping Type.
If the mapped user ID is stored in a read-only LDAP directory, the User field is disabled and cannot be modified.
You have the following options for performing this mapping:
This requires the administrator to keep track of user IDs in the portal and their user IDs and optionally their passwords in the reference system.
When the administrator configures a mapping for a user, the UME by default checks the mapped user ID and password against the reference system. You can disable the check for administrators.
To disable the check, set the UME property ume.usermapping.admin.pwdprotection=FALSE.
For more information, see Configuring User Mappings on the Behalf of Users.
This requires users to know which system is the reference system and to know their user ID and password in the reference system.
To map their own user IDs, users require authorizations for self-management.
For more information, see the following:
To map users automatically, configure synchronization between the LDAP directory and the reference system. Map the physical attribute to the logical attribute REFERENCE_SYSTEM_USER with the ABAP user ID.
For more information, see Synchronization of SAP User Administration with an LDAP-Compatible Directory Service.