
Using an LDAP Directory for User Mapping with Tickets for SSO

If you use an LDAP directory as the data source for user data, you can use this procedure to enable portal users to access back-end systems with Single Sign-On (SSO) using a different user ID. The user ID for the back-end system is stored in the LDAP directory as a user attribute. When the portal creates the ticket for SSO, it writes both the portal user ID and the mapped user ID into the ticket.

This configuration enables you to map users automatically. The UME simply reads the user ID for the back-end system directly out of the LDAP directory. Either the user ID for the back-end system was already in the LDAP directory or you configured synchronization between the LDAP directory and an ABAP system. The synchronization process then enters the back-end user ID into the directory service.

Caution

The LDAP directory stores the back-end user IDs in unencrypted form. To prevent these IDs from being manipulated, you must make sure that no unauthorized users have write access to the LDAP directory, in particular to the attribute containing the back-end user ID.

A malicious user could otherwise manipulate these IDs so that their ticket contains a different back-end user ID. This back-end user ID could have more extensive authorizations in the back-end system than the user should otherwise have.

For more information, see User Mapping and the Portal.

Prerequisites
  • Users have the same ID in all back-end systems that are configured to use tickets for SSO. Passwords can be different.
  • The back-end systems that are configured to use tickets for SSO accept tickets from the portal.

    For more information, see Configuring Component Systems to Accept Portal Logon Tickets.

  • The UME uses an LDAP directory as the data source.
  • This procedure requires you to restart the AS Java. Plan for the required downtime while the AS Java restarts.
  • The reference system and any target systems must exist in the portal system landscape.

    For the system to appear in the user mapping interface, you must have done the following:

    • You have created a system alias for the reference system.

      The reference system needs a system alias for the system to appear in the mapping interface.

      Caution

      Changing the default system alias does not affect user mapping. However, if all system aliases are removed, user mapping is lost to that system, even if a new system alias is created with the same name as the previous default.

    • You have assigned end user permission to the users, groups, and roles that access the reference system.


Procedure
  1. Customize a data source configuration file to include the attribute containing the ABAP user ID.

    Define the attribute mapping from the logical attribute REFERENCE_SYSTEM_USER to the physical attribute that actually stores the back-end user ID in your LDAP directory. By default the logical attribute is mapped to sapusername.

    Note

    Whether you make the LDAP directory read-only or read-write determines whether end users or administrators can maintain the user mapping information.

    If the mapped user ID is stored in a read-only LDAP directory, the User field is disabled and cannot be modified.


  2. Configure the UME to get the back-end user ID for users from the logical user attribute REFERENCE_SYSTEM_USER in the LDAP directory.

    Set the UME property ume.usermapping.refsys.mapping.type as follows:

    ume.usermapping.refsys.mapping.type=attribute

    For more information, see Editing UME Properties.

  3. Configure the UME to use the new data source configuration file.

    For more information, see Configuring the UME to Use an LDAP Directory as Data Source.

  4. Restart the AS Java.
  5. Configure the reference system in the portal system landscape.
    • In the User Management category:
      • Set Logon Method to SAPLOGONTICKET.
      • You must set User Mapping Type for the system to appear in the user mapping function.
    • In the Connector category, set System Type.

  6. Configure any target systems in the portal system landscape.

    In the User Management category, set Logon Method to SAPLOGONTICKET.

  7. Start User Management Configuration.

    For more information, see Configuring User Management.

  8. Choose the User Mapping tab page.
  9. In the Reference System field, select the system alias of the back-end system to use as the reference system.
  10. Save your entries.
  11. Map users to back-end systems and users.

    The following options for mapping users exist:

    • Map users manually

      The options available to you for mapping users manually are dependent on the values you entered for the system for User Mapping Type.

      Note

      If the mapped user ID is stored in a read-only LDAP directory, the User field is disabled and cannot be modified.

      You have the following options for performing this mapping:

      • The administrator maps the users to their users in the back-end system.

        This requires the administrator to keep track of user IDs in the portal and their user IDs and optionally their passwords in the reference system.

        When the administrator configures a mapping for a user, the UME by default checks the mapped user ID and password against the reference system. You can disable the check for administrators.

        To disable the check, set the UME property ume.usermapping.admin.pwdprotection=FALSE.

        For more information, see Configuring User Mappings on the Behalf of Users.

      • Let users map themselves.

        This requires users to know which system is the reference system and their user ID and password in the reference system.

        Note

        To map their own user IDs, users require authorizations for self-management.


    • Map users automatically

      To map users automatically, configure synchronization between the LDAP directory and the reference system. Map the physical attribute that holds the ABAP user ID to the logical attribute REFERENCE_SYSTEM_USER.

      For more information, see Synchronization of SAP User Administration with an LDAP-Compatible Directory Service.
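As an added example (not part of the original documentation or of the UME), the following Python reads the REFERENCE_SYSTEM_USER mapping out of a constructed, abridged data source configuration fragment (step 1 of the procedure; the $usermapping$ namespace is the one the UME uses for this attribute) and then compares two constructed LDIF exports of the people subtree to flag mappings that changed since the last synchronization and back-end IDs claimed by more than one portal user, the manipulation the Caution above warns about. The data source ID CORP_LDAP, the DNs and the user entries are made up.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged fragment of a UME data source configuration file: the user
# principal's $usermapping$ namespace maps the logical attribute to a physical one.
DS_CONFIG = """<dataSource id="CORP_LDAP"><attributeMapping><principals>
<principal type="user"><nameSpaces><nameSpace name="$usermapping$"><attributes>
<attribute name="REFERENCE_SYSTEM_USER"><physicalAttribute name="sapusername"/></attribute>
</attributes></nameSpace></nameSpaces></principal></principals></attributeMapping></dataSource>"""

# Constructed LDIF snapshot of the people subtree taken right after synchronization.
BASELINE = """dn: uid=jdoe,ou=people,dc=example,dc=com
uid: jdoe
sapusername: JDOE

dn: uid=asmith,ou=people,dc=example,dc=com
uid: asmith
sapusername: ASMITH
"""
# Constructed current export in which asmith's back-end ID now points at jdoe's account.
CURRENT_EXPORT = BASELINE.replace("sapusername: ASMITH", "sapusername: JDOE")

def physical_attribute(xml_text, logical="REFERENCE_SYSTEM_USER"):
    """Return the LDAP attribute the UME reads the back-end user ID from."""
    for attr in ET.fromstring(xml_text).iter("attribute"):
        if attr.get("name") == logical:
            return attr.find("physicalAttribute").get("name")
    return None

def parse_ldif(text, attr):
    """Map each entry's uid to its value of attr (None when the attribute is missing)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        entries[fields["uid"]] = fields.get(attr)
    return entries

def audit(baseline, current, attr):
    """Return (kind, uid, value) findings: mappings that changed since the baseline
    and back-end IDs claimed by more than one portal user."""
    before, after = parse_ldif(baseline, attr), parse_ldif(current, attr)
    findings = [("changed", uid, v) for uid, v in after.items() if before.get(uid) != v]
    owners = {}
    for uid, v in after.items():
        if v in owners:
            findings.append(("duplicate", uid, v))
        owners.setdefault(v, uid)
    return findings
```

Run `audit(BASELINE, CURRENT_EXPORT, physical_attribute(DS_CONFIG))` after each export; when synchronization from the ABAP system is the only legitimate writer, any finding outside the synchronization window warrants a look at who holds write access to that attribute.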