Configuring User Mapping with User ID and Password on a Portal

Prerequisites

The target system must exist in the portal system landscape. For the system to appear in the user mapping interface, you must have done the following:

  • You have created a system alias for the target system. The target system needs a system alias for the system to appear in the mapping interface.

    Note

    Changing the default system alias does not affect user mapping. However, if all system aliases are removed, user mapping is lost to that system, even if a new system alias is created with the same name as the previous default.

  • You have assigned end user permission to the users, groups, and roles that access the system.

Context

Use this procedure to enable portal users to access back-end systems with Single Sign-On (SSO) with a different user ID and password.

For more information, see User Mapping and the Portal.

Recommendation

We recommend using SSO with logon tickets. Only use SSO with user ID and password if no other SSO method is possible. SSO with user ID and password has the following advantages:

  • It can be used for SSO to ABAP systems that do not support logon tickets (release lower than 4.0B).

  • Central User Administration (CUA) is not required. Users can have a different user ID and password in the ABAP system in question from the reference system used for the logon ticket.

When using SSO with user ID and password, the user ID and password are transmitted in plain text using HTTP POST. We strongly recommend that you protect the connections to the ABAP system using Secure Sockets Layer (SSL) or SNC to keep malicious users from eavesdropping on the user ID and password.

Note

SSO with user ID and password does not work for portal users whose ticket contains a user ID that exists in the back-end ABAP system if the following is true:

  • You use SSO with user ID and password over HTTP.

  • The AS ABAP system in the back end trusts logon tickets of the portal.

This is because, in an HTTP environment, the logon ticket is a cookie that is issued by the portal and contains the portal user ID and potentially a back-end system user ID. In adherence with the general HTTP rules for all cookies, the browser includes the ticket with every request to a system in the same domain name system (DNS) domain, even if the request also contains a user ID and password. So if the AS ABAP authenticates the logon ticket first, SSO with user mapping cannot work. As a result, the portal user may be logged on as a different user in the back-end system and gain the wrong authorizations in that system. To avoid this, configure your back-end systems to authenticate user ID and password first.
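
The conflict described in this note, modeled as an added example (not SAP code and not part of the original document). It shows which back-end user a session is opened for depending on the authentication order. Host names, user IDs, passwords, and function names are constructed, and the back end is reduced to a lookup table.

```python
# Added illustration, not SAP code: a model of the authentication-order conflict.
# Hosts, user IDs, passwords and function names are constructed for the example.
import hmac

def cookie_sent(cookie_domain, host):
    """Browser rule: a domain cookie is sent to every host in that DNS domain."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def build_request(host, cookie_domain, portal_user, mapped_user, mapped_password):
    """Request the browser sends when the portal posts the mapped credentials."""
    return {
        "host": host,
        # The ticket rides along whenever the cookie domain matches the host.
        "ticket_user": portal_user if cookie_sent(cookie_domain, host) else None,
        "form_user": mapped_user,
        "form_password": mapped_password,
    }

def authenticate(req, backend_users, trusts_portal_tickets, order):
    """Return the back-end user the session is opened for, or None."""
    for method in order:
        if method == "ticket":
            if trusts_portal_tickets and req["ticket_user"] in backend_users:
                return req["ticket_user"]
        elif method == "password":
            stored = backend_users.get(req["form_user"])
            sent = req["form_password"] or ""
            if stored is not None and hmac.compare_digest(stored.encode(), sent.encode()):
                return req["form_user"]
    return None

# Constructed back-end user store: the portal user ID MILLER also exists here.
BACKEND_USERS = {"MILLER": "pw-miller", "MILLER_FI": "pw-fi"}

def demo():
    same_domain = build_request("abap.example.com", ".example.com",
                                "MILLER", "MILLER_FI", "pw-fi")
    other_domain = build_request("abap.example.net", ".example.com",
                                 "MILLER", "MILLER_FI", "pw-fi")
    return {
        "ticket_first": authenticate(same_domain, BACKEND_USERS, True, ["ticket", "password"]),
        "password_first": authenticate(same_domain, BACKEND_USERS, True, ["password", "ticket"]),
        "no_trust": authenticate(same_domain, BACKEND_USERS, False, ["ticket", "password"]),
        "other_domain": authenticate(other_domain, BACKEND_USERS, True, ["ticket", "password"]),
    }

if __name__ == "__main__":
    print(demo())
```

Only the `ticket_first` case opens the session for `MILLER` instead of the mapped user `MILLER_FI`; the other three cases resolve to the mapped user.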

Procedure


  1. Configure the target system in the portal system landscape.

    Under User Management:

  2. Map users to back-end systems and users.

    You have the following options for performing this mapping:

    • The administrator maps the users to their users in the back-end system.

      This requires the administrator to keep track of user IDs in the portal and their user IDs and passwords in the back-end systems.

      For more information, see Configuring User Mappings on the Behalf of Users.

    • Let users map themselves.

      This requires users to know what systems they need to map to and their user IDs and passwords in those systems.

      Note

      To map their own user IDs, users require authorizations for self-management.

      For more information, see the following: